Re: nfsd oops on Linus' current tree.

From: Myklebust, Trond
Date: Thu Jan 03 2013 - 18:26:58 EST

On Thu, 2013-01-03 at 18:11 -0500, Trond Myklebust wrote:
> That's interesting... I wonder if we may have been hitting that issue.
> From what I can see, we do actually free the write RPC task (and hence
> the work_struct) before we call the asynchronous unlink completion...
> Dros, can you see if reverting commit
> 324d003b0cd82151adbaecefef57b73f7959a469 + commit
> 168e4b39d1afb79a7e3ea6c3bb246b4c82c6bdb9 and then applying the attached
> patch also fixes the hang on a pristine 3.7.x kernel?

Actually, we probably also need to look at rpc_free_task, so the
following patch, instead...

Trond Myklebust
Linux NFS client maintainer

diff --git a/fs/nfs/read.c b/fs/nfs/read.c
index b6bdb18..400f7ec 100644
--- a/fs/nfs/read.c
+++ b/fs/nfs/read.c
@@ -91,12 +91,13 @@ void nfs_readdata_release(struct nfs_read_data *rdata)
if (rdata->pages.pagevec != rdata->pages.page_array)
- if (rdata != &read_header->rpc_data)
- kfree(rdata);
- else
+ if (rdata == &read_header->rpc_data) {
rdata->header = NULL;
+ rdata = NULL;
+ }
if (atomic_dec_and_test(&hdr->refcnt))
+ kfree(rdata);
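Review bot: Overwriting the parameter with `rdata = NULL` in the `rdata == &read_header->rpc_data` branch, so that the later `kfree(rdata)` silently does nothing for the embedded case, is easy to misread. It is correct because kfree(NULL) is a no-op, but the next person to touch this function could reasonably "simplify" it back into a use-after-free or a free of embedded storage. A one-line comment at the `kfree(rdata)` saying that NULL means "embedded in the header, not separately allocated" would make that explicit. The discussion above only mentions the write RPC task, so the commit message should also say why the read path gets the same reordering.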

diff --git a/fs/nfs/write.c b/fs/nfs/write.c
index b673be3..45d9250 100644
--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -126,12 +126,13 @@ void nfs_writedata_release(struct nfs_write_data *wdata)
if (wdata->pages.pagevec != wdata->pages.page_array)
- if (wdata != &write_header->rpc_data)
- kfree(wdata);
- else
+ if (wdata == &write_header->rpc_data) {
wdata->header = NULL;
+ wdata = NULL;
+ }
if (atomic_dec_and_test(&hdr->refcnt))
+ kfree(wdata);
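Review bot: The `kfree(wdata)` that now sits after the `atomic_dec_and_test(&hdr->refcnt)` line has no comment explaining why the order matters. The quoted message names freeing the write RPC task (and with it the work_struct) before the asynchronous unlink completion as the suspected cause of the hang, so the ordering is the whole point of this hunk. Please record that at the `kfree(wdata)`, for example that the data must not be freed until the header refcount has been dropped and its callbacks are done, so that a later cleanup does not move the free back up.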

diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index d17a704..500407a 100644
--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -936,14 +936,13 @@ struct rpc_task *rpc_new_task(const struct rpc_task_setup *setup_data)

static void rpc_free_task(struct rpc_task *task)
- const struct rpc_call_ops *tk_ops = task->tk_ops;
- void *calldata = task->tk_calldata;
+ unsigned short tk_flags = task->tk_flags;

- if (task->tk_flags & RPC_TASK_DYNAMIC) {
+ rpc_release_calldata(task->tk_ops, task->tk_calldata);
+ if (tk_flags & RPC_TASK_DYNAMIC) {
dprintk("RPC: %5u freeing task\n", task->tk_pid);
mempool_free(task, rpc_task_mempool);
- rpc_release_calldata(tk_ops, calldata);

static void rpc_async_release(struct work_struct *work)
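Review bot: Missing documentation for the new `unsigned short tk_flags = task->tk_flags;` copy in rpc_free_task(). Reading the flags before `rpc_release_calldata(task->tk_ops, task->tk_calldata)` implies that `task` may no longer be safe to dereference once the release callback has run unless RPC_TASK_DYNAMIC is set, but nothing in the function says so. Without a comment, the local looks redundant and invites someone to restore `task->tk_flags & RPC_TASK_DYNAMIC`. A short comment above the `rpc_release_calldata()` call stating which accesses to `task` are still valid after it (the `task->tk_pid` read in the dprintk and the `mempool_free(task, rpc_task_mempool)` are both inside the dynamic branch) would settle it.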