[Devel] [PATCH vz10] nfsd: release async COPY nf_src/nf_dst when stopping a copy

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Fri Jun 12 12:48:44 MSK 2026


Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

On 6/12/26 00:13, Konstantin Khorenko wrote:
> An asynchronous server-side NFSv4 COPY (struct nfsd4_copy) pins its
> source and destination files in nf_src/nf_dst. These references are
> dropped only by cleanup_async_copy(), which runs from the offload
> reaper (for OFFLOAD_DONE copies) and from the copy setup error path.
> 
> nfsd4_stop_copy() - used to abort a copy on OFFLOAD_CANCEL and during
> client teardown via nfsd4_shutdown_copy() - stops the copy kthread and
> drops the copy refcount, but never releases nf_src/nf_dst. The aborted
> copy has already been taken off clp->async_copies (cp_clp set to NULL),
> so the reaper can no longer reach it either. As a result every
> cancelled or torn-down async COPY leaks its two nfsd_file references.
> 
> When nfsd is later shut down ("nfsdctl threads 0" -> nfsd_destroy_serv
> -> nfsd_file_cache_shutdown()) the nfsd_file kmem_cache is destroyed
> while those leaked objects are still live:
> 
>   BUG nfsd_file: Objects remaining on __kmem_cache_shutdown()
>   WARNING: CPU: 3 PID: 849411 at mm/slub.c:1126 __slab_err
>    __kmem_cache_shutdown
>    kmem_cache_destroy
>    nfsd_file_cache_shutdown [nfsd]
>    nfsd_destroy_serv [nfsd]
>    nfsd_svc [nfsd]
>    nfsd_nl_threads_set_doit [nfsd]
> 
> which panics the box under panic_on_warn. Confirmed on the vmcore: the
> remaining nfsd_file objects are the nf_src/nf_dst of two in-flight async
> nfsd4_copy structures (cp_clp == NULL, refcount 1, files still held).
> 
> Release the files in nfsd4_stop_copy() and make release_copy_files()
> idempotent (NULL the pointers after the put) so it stays safe no matter
> which path - stop or reaper - reaches the copy.
> 
> This is the leak-fix portion of mainline commit 3daab3112f039 ("nfsd:
> cancel async COPY operations when admin revokes filesystem state"); the
> larger admin-revoke feature from that commit is not backported.
> 
> https://virtuozzo.atlassian.net/browse/VSTOR-134677
> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
> ---
>  fs/nfsd/nfs4proc.c | 19 +++++++++++++++++--
>  1 file changed, 17 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
> index 47dba8382ede..9b9ec637ff41 100644
> --- a/fs/nfsd/nfs4proc.c
> +++ b/fs/nfsd/nfs4proc.c
> @@ -1428,6 +1428,8 @@ static void nfs4_put_copy(struct nfsd4_copy *copy)
>  	kfree(copy);
>  }
>  
> +static void release_copy_files(struct nfsd4_copy *copy);
> +
>  static void nfsd4_stop_copy(struct nfsd4_copy *copy)
>  {
>  	trace_nfsd_copy_async_cancel(copy);
> @@ -1436,6 +1438,15 @@ static void nfsd4_stop_copy(struct nfsd4_copy *copy)
>  		copy->nfserr = nfs_ok;
>  		set_bit(NFSD4_COPY_F_COMPLETED, &copy->cp_flags);
>  	}
> +
> +	/*
> +	 * The copy was removed from async_copies before this function
> +	 * was called, so the reaper cannot clean it up. Release files
> +	 * here regardless of who won the STOPPED race. If the thread
> +	 * set STOPPED, it has finished using the files. If STOPPED
> +	 * was set here, kthread_stop() waited for the thread to exit.
> +	 */
> +	release_copy_files(copy);
>  	nfs4_put_copy(copy);
>  }
>  
> @@ -1871,10 +1882,14 @@ static void dup_copy_fields(struct nfsd4_copy *src, struct nfsd4_copy *dst)
>  
>  static void release_copy_files(struct nfsd4_copy *copy)
>  {
> -	if (copy->nf_src)
> +	if (copy->nf_src) {
>  		nfsd_file_put(copy->nf_src);
> -	if (copy->nf_dst)
> +		copy->nf_src = NULL;
> +	}
> +	if (copy->nf_dst) {
>  		nfsd_file_put(copy->nf_dst);
> +		copy->nf_dst = NULL;
> +	}
>  }
>  
>  static void cleanup_async_copy(struct nfsd4_copy *copy)

-- 
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.



More information about the Devel mailing list