Re: [PATCH] nfsd: fix inverted cp_ttl check in async copy reaper
From: Paulo Alcantara
Date: Thu May 21 2026 - 10:52:02 EST
Jeff Layton <jlayton@xxxxxxxxxx> writes:
> nfsd4_async_copy_reaper() is supposed to keep completed async copy
> state around for NFSD_COPY_INITIAL_TTL (10) laundromat ticks so
> that OFFLOAD_STATUS can report the result, then reap the state once
> the countdown expires.
>
> The TTL predicate is inverted: `if (--copy->cp_ttl)` is true while
> ticks remain and false when the counter reaches zero. This causes
> the copy to be reaped on the very first tick (cp_ttl goes from 10
> to 9, which is non-zero) instead of after all 10 ticks elapse.
> Once reaped, OFFLOAD_STATUS returns NFS4ERR_BAD_STATEID because
> the copy state has already been freed.
>
> A secondary consequence: if cp_ttl ever reached zero (not possible
> with the current initial value of 10 since the copy is reaped at
> 9), the copy would never be added to the reaplist and would leak
> indefinitely on clp->async_copies.
>
> Fix by negating the test so that cleanup runs when the TTL expires.
>
> Fixes: 26e6e6939369 ("NFSD: Add nfsd4_copy time-to-live")
Wouldn't aa0ebd21df9c be the correct commit id?
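As an added illustration of the inverted predicate described in the quoted commit message (this is not kernel code and not part of Jeff's patch or this thread): the model below keeps only the cp_ttl countdown, with a simplified struct and a "reaped" flag standing in for moving the copy to the reaplist and freeing it. NFSD_COPY_INITIAL_TTL is taken from the commit message; the struct and function names are assumptions for this example. Ticking the buggy and the fixed test side by side shows the copy reaped on tick 1 versus tick 10, and that the buggy test does not reap on the tick where the counter reaches zero.

```c
#include <stdbool.h>
#include <stdio.h>

/* Value named in the commit message; used here as a constructed constant. */
#define NFSD_COPY_INITIAL_TTL 10

/* Simplified per-copy state for this example: only the TTL and whether
 * the laundromat has moved it to the reaplist and freed it. */
struct copy_state {
	int cp_ttl;
	bool reaped;
};

/* One laundromat tick with the inverted predicate the patch describes:
 * true while ticks remain, false once the counter reaches zero. */
static void reaper_tick_buggy(struct copy_state *copy)
{
	if (copy->reaped)
		return;
	if (--copy->cp_ttl)
		copy->reaped = true;
}

/* One tick with the negated test: reap only when the countdown expires. */
static void reaper_tick_fixed(struct copy_state *copy)
{
	if (copy->reaped)
		return;
	if (!--copy->cp_ttl)
		copy->reaped = true;
}

/* Drive ticks until the copy is reaped or max_ticks elapse.
 * Returns the tick number at which it was reaped, or -1 if it survived. */
static int ticks_until_reaped(void (*tick)(struct copy_state *),
			      int initial_ttl, int max_ticks)
{
	struct copy_state copy = { .cp_ttl = initial_ttl, .reaped = false };

	for (int t = 1; t <= max_ticks; t++) {
		tick(&copy);
		if (copy.reaped)
			return t;
	}
	return -1;
}

/* Start with cp_ttl == 1 so the next decrement lands on zero, and report
 * whether that tick reaps the copy. */
static bool reaps_when_counter_reaches_zero(void (*tick)(struct copy_state *))
{
	struct copy_state copy = { .cp_ttl = 1, .reaped = false };

	tick(&copy);
	return copy.reaped;
}

int main(void)
{
	printf("buggy test: reaped at tick %d\n",
	       ticks_until_reaped(reaper_tick_buggy, NFSD_COPY_INITIAL_TTL, 100));
	printf("fixed test: reaped at tick %d\n",
	       ticks_until_reaped(reaper_tick_fixed, NFSD_COPY_INITIAL_TTL, 100));
	printf("buggy test reaps when counter hits zero: %s\n",
	       reaps_when_counter_reaches_zero(reaper_tick_buggy) ? "yes" : "no");
	printf("fixed test reaps when counter hits zero: %s\n",
	       reaps_when_counter_reaches_zero(reaper_tick_fixed) ? "yes" : "no");
	return 0;
}
```

The observable effect the commit message describes follows directly: with the buggy test the state is gone after the first laundromat pass, so a later OFFLOAD_STATUS lookup of that stateid finds nothing; with the fixed test it survives the full ten passes.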