Bruce, I was testing your nfsd-next branch (plus my modified v3 callback address and state patch I just sent) and saw this on the console after a simple test of a mount, umount, mount cycle of an NFSv4.1 mount.

==================================================================
[ 8523.413808] BUG: KASAN: use-after-free in find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.417537] Read of size 4 at addr ffff888117a6cee8 by task nfsd/1132
[ 8523.420320]
[ 8523.421012] CPU: 7 PID: 1132 Comm: nfsd Kdump: loaded Not tainted 5.13.0-rc2-bfields-nfsd+ #16
[ 8523.424499] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 8523.426785] Call Trace:
[ 8523.427880]  dump_stack+0x9c/0xcf
[ 8523.429375]  print_address_description.constprop.0+0x18/0x130
[ 8523.431756]  ? find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.434160]  kasan_report.cold+0x7f/0x111
[ 8523.435795]  ? find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.438207]  find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.440519]  ? _raw_write_lock_bh+0xb0/0xb0
[ 8523.442284]  nfsd4_exchange_id+0x7f5/0x1730 [nfsd]
[ 8523.444290]  ? nfsd4_mach_creds_match+0x210/0x210 [nfsd]
[ 8523.446479]  ? svcauth_unix_set_client+0xab8/0x1370 [sunrpc]
[ 8523.449121]  nfsd4_proc_compound+0xc83/0x1f20 [nfsd]
[ 8523.451187]  nfsd_dispatch+0x4fd/0xa30 [nfsd]
[ 8523.453053]  ? svc_reserve+0x10c/0x220 [sunrpc]
[ 8523.454986]  svc_process_common+0xcca/0x2310 [sunrpc]
[ 8523.457119]  ? svc_set_num_threads+0x440/0x440 [sunrpc]
[ 8523.459318]  ? nfsd_svc+0x9a0/0x9a0 [nfsd]
[ 8523.461044]  ? svc_xprt_release+0x2fd/0x720 [sunrpc]
[ 8523.463135]  svc_process+0x353/0x4f0 [sunrpc]
[ 8523.464998]  nfsd+0x2a1/0x410 [nfsd]
[ 8523.466526]  ? __kthread_parkme+0x85/0x100
[ 8523.468251]  ? nfsd_shutdown_threads+0x1f0/0x1f0 [nfsd]
[ 8523.470409]  kthread+0x31c/0x3e0
[ 8523.471725]  ? __kthread_bind_mask+0x90/0x90
[ 8523.473440]  ret_from_fork+0x22/0x30
[ 8523.474924]
[ 8523.475571] Allocated by task 1132:
[ 8523.477010]  kasan_save_stack+0x1b/0x40
[ 8523.478564]  __kasan_slab_alloc+0x61/0x80
[ 8523.480185]  kmem_cache_alloc+0xec/0x250
[ 8523.481795]  create_client+0x1bf/0xe00 [nfsd]
[ 8523.483639]  nfsd4_exchange_id+0x2b8/0x1730 [nfsd]
[ 8523.485646]  nfsd4_proc_compound+0xc83/0x1f20 [nfsd]
[ 8523.487677]  nfsd_dispatch+0x4fd/0xa30 [nfsd]
[ 8523.489487]  svc_process_common+0xcca/0x2310 [sunrpc]
[ 8523.491608]  svc_process+0x353/0x4f0 [sunrpc]
[ 8523.493564]  nfsd+0x2a1/0x410 [nfsd]
[ 8523.507991]  kthread+0x31c/0x3e0
[ 8523.509297]  ret_from_fork+0x22/0x30
[ 8523.510734]
[ 8523.511358] Last potentially related work creation:
[ 8523.513263]  kasan_save_stack+0x1b/0x40
[ 8523.514771]  kasan_record_aux_stack+0xa5/0xb0
[ 8523.516476]  insert_work+0x4a/0x350
[ 8523.517852]  __queue_work+0x4db/0xc20
[ 8523.519288]  queue_work_on+0x59/0x80
[ 8523.520707]  nfsd4_run_cb+0x51/0x80 [nfsd]
[ 8523.522799]  nfsd4_shutdown_callback+0xbf/0x2a0 [nfsd]
[ 8523.524889]  __destroy_client+0x48a/0x6d0 [nfsd]
[ 8523.526738]  nfsd4_destroy_clientid+0x2da/0x4c0 [nfsd]
[ 8523.528823]  nfsd4_proc_compound+0xc83/0x1f20 [nfsd]
[ 8523.530826]  nfsd_dispatch+0x4fd/0xa30 [nfsd]
[ 8523.532594]  svc_process_common+0xcca/0x2310 [sunrpc]
[ 8523.534988]  svc_process+0x353/0x4f0 [sunrpc]
[ 8523.536774]  nfsd+0x2a1/0x410 [nfsd]
[ 8523.538258]  kthread+0x31c/0x3e0
[ 8523.539539]  ret_from_fork+0x22/0x30
[ 8523.540949]
[ 8523.541571] Second to last potentially related work creation:
[ 8523.543778]  kasan_save_stack+0x1b/0x40
[ 8523.545281]  kasan_record_aux_stack+0xa5/0xb0
[ 8523.546992]  insert_work+0x4a/0x350
[ 8523.548352]  __queue_work+0x4db/0xc20
[ 8523.549778]  queue_work_on+0x59/0x80
[ 8523.551178]  nfsd4_run_cb+0x51/0x80 [nfsd]
[ 8523.552830]  nfsd4_probe_callback_sync+0xa/0x20 [nfsd]
[ 8523.554900]  nfsd4_destroy_session+0x658/0x920 [nfsd]
[ 8523.556956]  nfsd4_proc_compound+0xc83/0x1f20 [nfsd]
[ 8523.558949]  nfsd_dispatch+0x4fd/0xa30 [nfsd]
[ 8523.560707]  svc_process_common+0xcca/0x2310 [sunrpc]
[ 8523.562777]  svc_process+0x353/0x4f0 [sunrpc]
[ 8523.564587]  nfsd+0x2a1/0x410 [nfsd]
[ 8523.566065]  kthread+0x31c/0x3e0
[ 8523.567338]  ret_from_fork+0x22/0x30
[ 8523.568747]
[ 8523.569405] The buggy address belongs to the object at ffff888117a6ce50
[ 8523.569405]  which belongs to the cache nfsd4_clients of size 1304
[ 8523.574309] The buggy address is located 152 bytes inside of
[ 8523.574309]  1304-byte region [ffff888117a6ce50, ffff888117a6d368)
[ 8523.578794] The buggy address belongs to the page:
[ 8523.580661] page:000000005a8edc90 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888117a6ce50 pfn:0x117a68
[ 8523.584734] head:000000005a8edc90 order:3 compound_mapcount:0 compound_pincount:0
[ 8523.587613] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 8523.590475] raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff88810ca21180
[ 8523.593442] raw: ffff888117a6ce50 0000000080160015 00000001ffffffff 0000000000000000
[ 8523.596406] page dumped because: kasan: bad access detected
[ 8523.598551]
[ 8523.599168] Memory state around the buggy address:
[ 8523.601043]  ffff888117a6cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 8523.603798]  ffff888117a6ce00: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
[ 8523.614732] >ffff888117a6ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8523.617540]                                                           ^
[ 8523.620077]  ffff888117a6cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8523.622826]  ffff888117a6cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8523.625586] ==================================================================
[ 8523.628381] Disabling lock debugging due to kernel taint