From 2a974425e57fb882c93709c6072bf66d04431635 Mon Sep 17 00:00:00 2001
From: Trond Myklebust <trond.myklebust@primarydata.com>
Date: Sun, 20 Nov 2016 13:13:54 -0500
Subject: [PATCH] NFSv4: Ignore LAYOUTRETURN result if the layout doesn't match
 or is invalid

Fix a potential race with CB_LAYOUTRECALL in which the server recalls the
remaining layout segments while our LAYOUTRETURN is still in transit.

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
---
 fs/nfs/nfs4proc.c | 3 +--
 fs/nfs/pnfs.c     | 8 +++++++-
 fs/nfs/pnfs.h     | 2 +-
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 561b21e4a930..87972cfa62bc 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -8574,8 +8574,7 @@ static void nfs4_layoutreturn_release(void *calldata)
 	struct pnfs_layout_hdr *lo = lrp->args.layout;
 
 	dprintk("--> %s\n", __func__);
-	pnfs_layoutreturn_free_lsegs(lo, &lrp->args.range,
-			be32_to_cpu(lrp->args.stateid.seqid),
+	pnfs_layoutreturn_free_lsegs(lo, &lrp->args.stateid, &lrp->args.range,
 			lrp->res.lrs_present ? &lrp->res.stateid : NULL);
 	nfs4_sequence_free_slot(&lrp->res.seq_res);
 	pnfs_put_layout_hdr(lrp->args.layout);
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index 555151b6d31b..471018f27c8d 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -961,20 +961,26 @@ static void pnfs_clear_layoutreturn_waitbit(struct pnfs_layout_hdr *lo)
 }
 
 void pnfs_layoutreturn_free_lsegs(struct pnfs_layout_hdr *lo,
+		const nfs4_stateid *arg_stateid,
 		const struct pnfs_layout_range *range,
-		u32 seq,
 		const nfs4_stateid *stateid)
 {
 	struct inode *inode = lo->plh_inode;
 	LIST_HEAD(freeme);
 
 	spin_lock(&inode->i_lock);
+	if (!pnfs_layout_is_valid(lo) || !arg_stateid ||
+	    !nfs4_stateid_match_other(&lo->plh_stateid, arg_stateid))
+		goto out_unlock;
 	if (stateid) {
+		u32 seq = be32_to_cpu(arg_stateid->seqid);
+
 		pnfs_mark_matching_lsegs_invalid(lo, &freeme, range, seq);
 		pnfs_free_returned_lsegs(lo, &freeme, range, seq);
 		pnfs_set_layout_stateid(lo, stateid, true);
 	} else
 		pnfs_mark_layout_stateid_invalid(lo, &freeme);
+out_unlock:
 	pnfs_clear_layoutreturn_waitbit(lo);
 	spin_unlock(&inode->i_lock);
 	pnfs_free_lseg_list(&freeme);
diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h
index a382710edf40..bc9a3aa31d3c 100644
--- a/fs/nfs/pnfs.h
+++ b/fs/nfs/pnfs.h
@@ -295,8 +295,8 @@ struct pnfs_layout_segment *pnfs_update_layout(struct inode *ino,
 					       bool strict_iomode,
 					       gfp_t gfp_flags);
 void pnfs_layoutreturn_free_lsegs(struct pnfs_layout_hdr *lo,
+		const nfs4_stateid *arg_stateid,
 		const struct pnfs_layout_range *range,
-		u32 seq,
 		const nfs4_stateid *stateid);
 
 void pnfs_generic_layout_insert_lseg(struct pnfs_layout_hdr *lo,
-- 
2.11.0