[PATCH v2] nfsd: reset write verifier when async COPY writeback fails

Linux kernel -stable discussions
 help / color / mirror / Atom feed

* [PATCH v2] nfsd: reset write verifier when async COPY writeback fails
@ 2026-05-22 20:37 Chuck Lever
  2026-05-22 20:56 ` Jeff Layton
  0 siblings, 1 reply; 2+ messages in thread
From: Chuck Lever @ 2026-05-22 20:37 UTC (permalink / raw)
  To: NeilBrown, Jeff Layton, Olga Kornievskaia, Dai Ngo, Tom Talpey
  Cc: linux-nfs, Chuck Lever, stable

From: Chuck Lever <chuck.lever@oracle.com>

Async COPY captures nn->writeverf at request time and reports it to
the client via CB_OFFLOAD after the worker kthread completes. When
the post-copy vfs_fsync_range() or filemap_check_wb_err() in
_nfsd_copy_file_range() reports an error, the worker correctly
leaves NFSD4_COPY_F_COMMITTED clear so that CB_OFFLOAD encodes
wr_stable_how as NFS_UNSTABLE, but the server's write verifier is
not rotated.

A client that receives NFS_UNSTABLE in CB_OFFLOAD follows up with
COMMIT to make the copied data durable. With the verifier
unchanged, COMMIT returns the same value the client just received
via CB_OFFLOAD, and the client concludes the copy is durable --
silently dropping the data whose writeback in fact failed. This
violates the UNSTABLE+COMMIT durability contract (RFC 7862 section
15.1, RFC 8881 section 18.32) and matches the bug just fixed in
nfsd_vfs_write() and nfsd_commit().

Rotate nn->writeverf at the writeback-failure site. The async COPY
worker has no svc_rqst, so commit_reset_write_verifier() is not
available here; calling nfsd_reset_write_verifier() directly
mirrors the trace-less reset already used by
nfsd_file_check_write_error() for the same purpose. Filter out
-EAGAIN and -ESTALE, matching commit_reset_write_verifier(), since
neither indicates a durable-storage failure.

Fixes: eac0b17a77fb ("NFSD add vfs_fsync after async copy is done")
Cc: stable@vger.kernel.org
Assisted-by: kres:claude-opus-4-7
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 fs/nfsd/nfs4proc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 8561540ab2db..93fcaf90d6ae 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1972,6 +1972,8 @@ static ssize_t _nfsd_copy_file_range(struct nfsd4_copy *copy,
 			status = filemap_check_wb_err(dst->f_mapping, since);
 		if (!status)
 			set_bit(NFSD4_COPY_F_COMMITTED, &copy->cp_flags);
+		else if (status != -EAGAIN && status != -ESTALE)
+			nfsd_reset_write_verifier(copy->cp_nn);
 	}
 	return bytes_copied;
 }
-- 
2.54.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH v2] nfsd: reset write verifier when async COPY writeback fails
  2026-05-22 20:37 [PATCH v2] nfsd: reset write verifier when async COPY writeback fails Chuck Lever
@ 2026-05-22 20:56 ` Jeff Layton
  0 siblings, 0 replies; 2+ messages in thread
From: Jeff Layton @ 2026-05-22 20:56 UTC (permalink / raw)
  To: Chuck Lever, NeilBrown, Olga Kornievskaia, Dai Ngo, Tom Talpey
  Cc: linux-nfs, Chuck Lever, stable

On Fri, 2026-05-22 at 16:37 -0400, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
> 
> Async COPY captures nn->writeverf at request time and reports it to
> the client via CB_OFFLOAD after the worker kthread completes. When
> the post-copy vfs_fsync_range() or filemap_check_wb_err() in
> _nfsd_copy_file_range() reports an error, the worker correctly
> leaves NFSD4_COPY_F_COMMITTED clear so that CB_OFFLOAD encodes
> wr_stable_how as NFS_UNSTABLE, but the server's write verifier is
> not rotated.
> 
> A client that receives NFS_UNSTABLE in CB_OFFLOAD follows up with
> COMMIT to make the copied data durable. With the verifier
> unchanged, COMMIT returns the same value the client just received
> via CB_OFFLOAD, and the client concludes the copy is durable --
> silently dropping the data whose writeback in fact failed. This
> violates the UNSTABLE+COMMIT durability contract (RFC 7862 section
> 15.1, RFC 8881 section 18.32) and matches the bug just fixed in
> nfsd_vfs_write() and nfsd_commit().
> 
> Rotate nn->writeverf at the writeback-failure site. The async COPY
> worker has no svc_rqst, so commit_reset_write_verifier() is not
> available here; calling nfsd_reset_write_verifier() directly
> mirrors the trace-less reset already used by
> nfsd_file_check_write_error() for the same purpose. Filter out
> -EAGAIN and -ESTALE, matching commit_reset_write_verifier(), since
> neither indicates a durable-storage failure.
> 
> Fixes: eac0b17a77fb ("NFSD add vfs_fsync after async copy is done")
> Cc: stable@vger.kernel.org
> Assisted-by: kres:claude-opus-4-7
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
>  fs/nfsd/nfs4proc.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
> index 8561540ab2db..93fcaf90d6ae 100644
> --- a/fs/nfsd/nfs4proc.c
> +++ b/fs/nfsd/nfs4proc.c
> @@ -1972,6 +1972,8 @@ static ssize_t _nfsd_copy_file_range(struct nfsd4_copy *copy,
>  			status = filemap_check_wb_err(dst->f_mapping, since);
>  		if (!status)
>  			set_bit(NFSD4_COPY_F_COMMITTED, &copy->cp_flags);
> +		else if (status != -EAGAIN && status != -ESTALE)
> +			nfsd_reset_write_verifier(copy->cp_nn);
>  	}
>  	return bytes_copied;
>  }

Reviewed-by: Jeff Layton <jlayton@kernel.org>

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-05-22 20:56 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-22 20:37 [PATCH v2] nfsd: reset write verifier when async COPY writeback fails Chuck Lever
2026-05-22 20:56 ` Jeff Layton

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox