<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/fs/nfs/write.c, branch linux-7.1.y</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.1.y</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.1.y'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-02T08:27:45+00:00</updated>
<entry>
<title>NFS: write_completion: dereference loop-local req, not hdr-&gt;req</title>
<updated>2026-06-02T08:27:45+00:00</updated>
<author>
<name>Dave Jones</name>
<email>davej@codemonkey.org.uk</email>
</author>
<published>2026-05-18T18:46:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=317d5146fb399ad1e87b310ee7d018fe648d40ba'/>
<id>urn:sha1:317d5146fb399ad1e87b310ee7d018fe648d40ba</id>
<content type='text'>
5d3869a41f36 ("NFS: fix writeback in presence of errors") introduced
a dereference of hdr-&gt;req-&gt;wb_lock_context in nfs_write_completion's
per-request loop.  hdr-&gt;req is set once at nfs_pgheader_init() time
and is not refcount-protected for the lifetime of the loop; when hdr
aggregates requests from multiple page groups (common under heavy
NFSv3 writeback), a parallel COMMIT on hdr-&gt;req's group can drop the
last reference and free it while the outer loop is still iterating
requests from other groups.  KASAN catches this as an 8-byte read at
offset +24 of a freed nfs_page slab object (wb_lock_context).

All requests in a given pgio share the same open_context, so reading
the loop-local req's wb_lock_context yields the same value and is
safe -- req is still on hdr-&gt;pages and holds its writeback kref
through the commit branch.

Caught with kasan:

BUG: KASAN: slab-use-after-free in nfs_write_completion+0x8f8/0xa50 [nfs]
Read of size 8 at addr ffff888118af2058 by task kworker/u16:16/122062
CPU: 2 UID: 0 PID: 122062 Comm: kworker/u16:16 Kdump: loaded Not tainted 7.1.0-rc4+ #ge05a759574b2 PREEMPT
Workqueue: nfsiod rpc_async_release
Call Trace:
 &lt;TASK&gt;
 dump_stack_lvl+0xaf/0x100
 ? nfs_write_completion+0x8f8/0xa50 [nfs]
 print_report+0x157/0x4a1
 ? __virt_addr_valid+0x1fb/0x400
 ? nfs_write_completion+0x8f8/0xa50 [nfs]
 kasan_report+0xc2/0x190
 ? nfs_write_completion+0x8f8/0xa50 [nfs]
 nfs_write_completion+0x8f8/0xa50 [nfs]
 ? nfs_commit_release_pages+0xbd0/0xbd0 [nfs]
 ? lock_acquire+0x182/0x2e0
 ? process_one_work+0x937/0x1890
 ? nfs_pgio_header_alloc+0xd0/0xd0 [nfs]
 rpc_free_task+0xee/0x160
 rpc_async_release+0x5d/0xb0
 process_one_work+0x9b0/0x1890
 ? pwq_dec_nr_in_flight+0xed0/0xed0
 ? rpc_final_put_task+0x140/0x140
 worker_thread+0x75a/0x10a0
 ? process_one_work+0x1890/0x1890
 ? kthread+0x1af/0x4d0
 ? process_one_work+0x1890/0x1890
 kthread+0x3d3/0x4d0
 ? kthread_affine_node+0x2c0/0x2c0
 ret_from_fork+0x669/0xa50
 ? native_tss_update_io_bitmap+0x660/0x660
 ? __switch_to+0x9dd/0x1310
 ? kthread_affine_node+0x2c0/0x2c0
 ret_from_fork_asm+0x11/0x20
 &lt;/TASK&gt;

Allocated by task 121997 on cpu 3 at 31643.290294s:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x13/0x60
 __kasan_slab_alloc+0x62/0x70
 kmem_cache_alloc_noprof+0x1ab/0x4e0
 nfs_page_create+0x152/0x460 [nfs]
 nfs_page_create_from_folio+0x7e/0x210 [nfs]
 nfs_update_folio+0x7a9/0x32a0 [nfs]
 nfs_write_end+0x290/0xc60 [nfs]
 generic_perform_write+0x4ce/0x990
 nfs_file_write+0x6b3/0xce0 [nfs]
 vfs_write+0x63c/0xfa0
 ksys_write+0x122/0x240
 do_syscall_64+0xc3/0x13f0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Freed by task 122046 on cpu 0 at 31647.037964s:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x13/0x60
 kasan_save_free_info+0x37/0x60
 __kasan_slab_free+0x3b/0x60
 kmem_cache_free+0x11b/0x5a0
 nfs_page_group_destroy+0x13a/0x210 [nfs]
 nfs_unlock_and_release_request+0x64/0x90 [nfs]
 nfs_commit_release_pages+0x339/0xbd0 [nfs]
 nfs_commit_release+0x51/0xb0 [nfs]
 rpc_free_task+0xee/0x160
 rpc_async_release+0x5d/0xb0
 process_one_work+0x9b0/0x1890
 worker_thread+0x75a/0x10a0
 kthread+0x3d3/0x4d0
 ret_from_fork+0x669/0xa50
 ret_from_fork_asm+0x11/0x20

The buggy address belongs to the object at ffff888118af2040
 which belongs to the cache nfs_page of size 96
The buggy address is located 24 bytes inside of
 freed 96-byte region [ffff888118af2040, ffff888118af20a0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x118af2
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x4000000000000040(head|zone=2)
page_type: f5(slab)
raw: 4000000000000040 ffff88818cf2c4c0 ffffea000e61b990 ffffea0004e7d110
raw: 0000000000000000 0000000800190019 00000000f5000000 0000000000000000
head: 4000000000000040 ffff88818cf2c4c0 ffffea000e61b990 ffffea0004e7d110
head: 0000000000000000 0000000800190019 00000000f5000000 0000000000000000
head: 4000000000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 121997, tgid 121997 (rsync), ts 31643290274577, free_ts 31642154777182
 post_alloc_hook+0xd1/0x100
 get_page_from_freelist+0xbad/0x2910
 __alloc_frozen_pages_noprof+0x1c6/0x4a0
 allocate_slab+0x330/0x620
 ___slab_alloc+0xe9/0x930
 kmem_cache_alloc_noprof+0x35b/0x4e0
 nfs_page_create+0x152/0x460 [nfs]
 nfs_page_create_from_folio+0x7e/0x210 [nfs]
 nfs_update_folio+0x7a9/0x32a0 [nfs]
 nfs_write_end+0x290/0xc60 [nfs]
 generic_perform_write+0x4ce/0x990
 nfs_file_write+0x6b3/0xce0 [nfs]
 vfs_write+0x63c/0xfa0
 ksys_write+0x122/0x240
 do_syscall_64+0xc3/0x13f0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
page last free pid 122202 tgid 122202 stack trace:
 __free_frozen_pages+0x6da/0xf30
 qlist_free_all+0x53/0x130
 kasan_quarantine_reduce+0x198/0x1f0
 __kasan_slab_alloc+0x46/0x70
 kmem_cache_alloc_noprof+0x1ab/0x4e0
 __alloc_object+0x2f/0x230
 __create_object+0x22/0x80
 kmem_cache_alloc_node_noprof+0x416/0x4d0
 __alloc_skb+0x146/0x6e0
 tcp_stream_alloc_skb+0x35/0x660
 tcp_sendmsg_locked+0x1746/0x4260
 tcp_sendmsg+0x2f/0x40
 inet_sendmsg+0x9e/0xe0
 __sock_sendmsg+0xd9/0x180
 sock_sendmsg+0x122/0x200
 xprt_sock_sendmsg+0x4ff/0x9a0

Memory state around the buggy address:
 ffff888118af1f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
 ffff888118af1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
&gt;ffff888118af2000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                                                    ^
 ffff888118af2080: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888118af2100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Reviewed-by: Jeff Layton &lt;jlayton@kernel.org&gt;

Fixes: 5d3869a41f36 ("NFS: fix writeback in presence of errors")
Cc: Olga Kornievskaia &lt;okorniev@redhat.com&gt;
Cc: Trond Myklebust &lt;trond.myklebust@hammerspace.com&gt;
Cc: Anna Schumaker &lt;anna@kernel.org&gt;
Cc: linux-nfs@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Dave Jones &lt;davej@codemonkey.org.uk&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@hammerspace.com&gt;
</content>
</entry>
<entry>
<title>Merge tag 'nfs-for-7.1-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs</title>
<updated>2026-04-24T21:20:03+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-04-24T21:20:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=b85900e91c8402bedc1db14e6d293e26f25d30d4'/>
<id>urn:sha1:b85900e91c8402bedc1db14e6d293e26f25d30d4</id>
<content type='text'>
Pull NFS client updates from Trond Myklebust:
 "Bugfixes:

   - Fix handling of ENOSPC so that if we have to resend writes, they
     are written synchronously

   - SUNRPC RDMA transport fixes from Chuck

   - Several fixes for delegated timestamps in NFSv4.2

   - Failure to obtain a directory delegation should not cause stat() to
     fail with NFSv4

   - Rename was failing to update timestamps when a directory delegation
     is held on NFSv4

   - Ensure we check rsize/wsize after crossing a NFSv4 filesystem
     boundary

   - NFSv4/pnfs:

      - If the server is down, retry the layout returns on reboot

      - Fallback to MDS could result in a short write being incorrectly
        logged

  Cleanups:

   - Use memcpy_and_pad in decode_fh"

* tag 'nfs-for-7.1-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: (21 commits)
  NFS: Fix RCU dereference of cl_xprt in nfs_compare_super_address
  NFS: remove redundant __private attribute from nfs_page_class
  NFSv4.2: fix CLONE/COPY attrs in presence of delegated attributes
  NFS: fix writeback in presence of errors
  nfs: use memcpy_and_pad in decode_fh
  NFSv4.1: Apply session size limits on clone path
  NFSv4: retry GETATTR if GET_DIR_DELEGATION failed
  NFS: fix RENAME attr in presence of directory delegations
  pnfs/flexfiles: validate ds_versions_cnt is non-zero
  NFS/blocklayout: print each device used for SCSI layouts
  xprtrdma: Post receive buffers after RPC completion
  xprtrdma: Scale receive batch size with credit window
  xprtrdma: Replace rpcrdma_mr_seg with xdr_buf cursor
  xprtrdma: Decouple frwr_wp_create from frwr_map
  xprtrdma: Close lost-wakeup race in xprt_rdma_alloc_slot
  xprtrdma: Avoid 250 ms delay on backlog wakeup
  xprtrdma: Close sendctx get/put race that can block a transport
  nfs: update inode ctime after removexattr operation
  nfs: fix utimensat() for atime with delegated timestamps
  NFS: improve "Server wrote zero bytes" error
  ...
</content>
</entry>
<entry>
<title>NFS: fix writeback in presence of errors</title>
<updated>2026-04-22T12:53:23+00:00</updated>
<author>
<name>Olga Kornievskaia</name>
<email>okorniev@redhat.com</email>
</author>
<published>2026-04-13T22:24:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5d3869a41f3608101c00ff9c9c7c2364c555fa65'/>
<id>urn:sha1:5d3869a41f3608101c00ff9c9c7c2364c555fa65</id>
<content type='text'>
After running xfstest generic/751, in certain conditions, a writeback
IO can get stuck while experiencing one of the two patterns.

Pattern#1: writeback IO experiences ENOSPC on an offset smaller
than the filesize. For example:
write offset=0 len=4096 how=unstable OK
write offset=8192 len=4096 how=unstable OK
write offset=12288 len=4096 how=unstable ENOSPC
write offset=4096 len=4096 how=unstable ENOSPC
The client sends a commit and receives a verifier which is different
from the last successful write. It marks pages dirty and writeback
retries. But it again sends writes unstable and gets into the same
pattern, running into the ENOSPC error and sending a commit because
writes were sent as unstable.

Pattern#2: an unstable write followed by a short write and ENOSPC.
write offset=0 len=4096 how=unstable OK
write offset=4096 len=4096 how=unstable returns OK but count=100
write offset=4197 len=3996 how=stable returns ENOSPC
The client sends a commit and receives a verifier different from
the last unstable write. The same behaviour is retried in a loop.

Instead, this patch proposes to identify those conditions and mark
requests to be done synchronously. The previous solution tried
to mark it in the nfs_page; however, that's not persistent, so
mark it in the nfs_open_context instead.

Furthermore, the same problem occurs in the localio code path, so
recognize that IO needs to be done sync in that case as well.

Signed-off-by: Olga Kornievskaia &lt;okorniev@redhat.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@hammerspace.com&gt;
</content>
</entry>
<entry>
<title>NFS: improve "Server wrote zero bytes" error</title>
<updated>2026-04-13T18:17:31+00:00</updated>
<author>
<name>Olga Kornievskaia</name>
<email>okorniev@redhat.com</email>
</author>
<published>2026-02-20T21:42:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=3a06bac55bf56290673ea67abe3d285f0ab3837a'/>
<id>urn:sha1:3a06bac55bf56290673ea67abe3d285f0ab3837a</id>
<content type='text'>
When a pnfs error occurs, the IO is retried against the MDS. However,
the initial IO leads to the kernel logging "Server wrote zero bytes"
when in fact the MDS IO will not fail, and thus the error misleads
administrators into thinking that the system is experiencing issues.

When pnfs IO fails, it triggers pnfs_write_done_resent_to_mds(), which
ends up clearing nfs_pgio_header's pages structure (copying the
content into a new one to do new RPC calls to the MDS). Thus,
in nfs_writeback_result(), when we have no pages to work with, there is
no need to try, and we therefore also skip logging the message about 0 bytes.

Fixes: 6c75dc0d498c ("NFS: merge _full and _partial write rpc_ops")
Suggested-by: Trond Myklebust &lt;trond.myklebust@hammerspace.com&gt;
Signed-off-by: Olga Kornievskaia &lt;okorniev@redhat.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@hammerspace.com&gt;
</content>
</entry>
<entry>
<title>Merge tag 'vfs-7.1-rc1.writeback' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs</title>
<updated>2026-04-13T17:08:01+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-04-13T17:08:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0e58e3f1c57850f62afd40a642a7fe3417d80b21'/>
<id>urn:sha1:0e58e3f1c57850f62afd40a642a7fe3417d80b21</id>
<content type='text'>
Pull vfs writeback updates from Christian Brauner:
 "This introduces writeback helper APIs and converts f2fs, gfs2 and nfs
  to stop accessing writeback internals directly"

* tag 'vfs-7.1-rc1.writeback' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
  nfs: stop using writeback internals for WB_WRITEBACK accounting
  gfs2: stop using writeback internals for dirty_exceeded check
  f2fs: stop using writeback internals for dirty_exceeded checks
  writeback: prep helpers for dirty-limit and writeback accounting
</content>
</entry>
<entry>
<title>treewide: Replace kmalloc with kmalloc_obj for non-scalar types</title>
<updated>2026-02-21T09:02:28+00:00</updated>
<author>
<name>Kees Cook</name>
<email>kees@kernel.org</email>
</author>
<published>2026-02-21T07:49:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=69050f8d6d075dc01af7a5f2f550a8067510366f'/>
<id>urn:sha1:69050f8d6d075dc01af7a5f2f550a8067510366f</id>
<content type='text'>
This is the result of running the Coccinelle script from
scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to
avoid scalar types (which need careful case-by-case checking), and
instead replace kmalloc-family calls that allocate struct or union
object instances:

Single allocations:	kmalloc(sizeof(TYPE), ...)
are replaced with:	kmalloc_obj(TYPE, ...)

Array allocations:	kmalloc_array(COUNT, sizeof(TYPE), ...)
are replaced with:	kmalloc_objs(TYPE, COUNT, ...)

Flex array allocations:	kmalloc(struct_size(PTR, FAM, COUNT), ...)
are replaced with:	kmalloc_flex(*PTR, FAM, COUNT, ...)

(where TYPE may also be *VAR)

The resulting allocations no longer return "void *", instead returning
"TYPE *".

Signed-off-by: Kees Cook &lt;kees@kernel.org&gt;
</content>
</entry>
<entry>
<title>nfs: stop using writeback internals for WB_WRITEBACK accounting</title>
<updated>2026-02-17T12:25:14+00:00</updated>
<author>
<name>Kundan Kumar</name>
<email>kundan.kumar@samsung.com</email>
</author>
<published>2026-02-13T05:46:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=fd15b9c6ec8a3a6105a3295af52adea6d6e4cf59'/>
<id>urn:sha1:fd15b9c6ec8a3a6105a3295af52adea6d6e4cf59</id>
<content type='text'>
Convert NFS WB_WRITEBACK accounting to writeback helper, eliminating
direct access to writeback.

Suggested-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Kundan Kumar &lt;kundan.kumar@samsung.com&gt;
Signed-off-by: Anuj Gupta &lt;anuj20.g@samsung.com&gt;
Link: https://patch.msgid.link/20260213054634.79785-5-kundan.kumar@samsung.com
Signed-off-by: Christian Brauner &lt;brauner@kernel.org&gt;
</content>
</entry>
<entry>
<title>NFS: Merge CONFIG_NFS_V4_1 with CONFIG_NFS_V4</title>
<updated>2026-01-30T16:42:21+00:00</updated>
<author>
<name>Anna Schumaker</name>
<email>anna.schumaker@oracle.com</email>
</author>
<published>2025-12-04T20:44:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=7537db24806fdc3d3ec4fef53babdc22c9219e75'/>
<id>urn:sha1:7537db24806fdc3d3ec4fef53babdc22c9219e75</id>
<content type='text'>
Compiling the NFSv4 module without any minorversion support doesn't make
much sense, so this patch sets NFS v4.1 as the default, always-enabled
NFS version, allowing us to replace all the CONFIG_NFS_V4_1s scattered
throughout the code with CONFIG_NFS_V4.

Signed-off-by: Anna Schumaker &lt;anna.schumaker@oracle.com&gt;
</content>
</entry>
<entry>
<title>NFS: Fix a deadlock involving nfs_release_folio()</title>
<updated>2026-01-05T04:03:24+00:00</updated>
<author>
<name>Trond Myklebust</name>
<email>trond.myklebust@hammerspace.com</email>
</author>
<published>2025-12-31T16:42:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=cce0be6eb4971456b703aaeafd571650d314bcca'/>
<id>urn:sha1:cce0be6eb4971456b703aaeafd571650d314bcca</id>
<content type='text'>
Wang Zhaolong reports a deadlock involving NFSv4.1 state recovery
waiting on kthreadd, which is attempting to reclaim memory by calling
nfs_release_folio(). The latter cannot make progress due to state
recovery being needed.

It seems that the only safe thing to do here is to kick off a writeback
of the folio, without waiting for completion, or else to kick off an
asynchronous commit.

Reported-by: Wang Zhaolong &lt;wangzhaolong@huaweicloud.com&gt;
Fixes: 96780ca55e3c ("NFS: fix up nfs_release_folio() to try to release the page")
Signed-off-by: Trond Myklebust &lt;trond.myklebust@hammerspace.com&gt;
</content>
</entry>
<entry>
<title>NFS: check if suid/sgid was cleared after a write as needed</title>
<updated>2025-10-13T18:33:00+00:00</updated>
<author>
<name>Scott Mayhew</name>
<email>smayhew@redhat.com</email>
</author>
<published>2025-10-09T20:42:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9ff022f3820a31507cb93be6661bf5f3ca0609a4'/>
<id>urn:sha1:9ff022f3820a31507cb93be6661bf5f3ca0609a4</id>
<content type='text'>
I noticed xfstests generic/193 and generic/355 started failing against
knfsd after commit e7a8ebc305f2 ("NFSD: Offer write delegation for OPEN
with OPEN4_SHARE_ACCESS_WRITE").

I ran those same tests against ONTAP (which has had write delegation
support for a lot longer than knfsd) and they fail there too... so
while it's a new failure against knfsd, it isn't an entirely new
failure.

Add the NFS_INO_REVAL_FORCED flag so that the presence of a delegation
doesn't keep the inode from being revalidated to fetch the updated mode.

Signed-off-by: Scott Mayhew &lt;smayhew@redhat.com&gt;
Signed-off-by: Anna Schumaker &lt;anna.schumaker@oracle.com&gt;
</content>
</entry>
</feed>
