[PATCH] nfsd: fix inverted cp_ttl check in async copy reaper
From: Jeff Layton
Date: Thu May 21 2026 - 10:11:46 EST
nfsd4_async_copy_reaper() is supposed to keep completed async copy
state around for NFSD_COPY_INITIAL_TTL (10) laundromat ticks so
that OFFLOAD_STATUS can report the result, then reap the state once
the countdown expires.
The TTL predicate is inverted: `if (--copy->cp_ttl)` is true while
ticks remain and false when the counter reaches zero. This causes
the copy to be reaped on the very first tick (cp_ttl goes from 10
to 9, which is non-zero) instead of after all 10 ticks elapse.
Once reaped, OFFLOAD_STATUS returns NFS4ERR_BAD_STATEID because
the copy state has already been freed.
A secondary consequence: if cp_ttl ever reached zero (not possible
with the current initial value of 10 since the copy is reaped at
9), the copy would never be added to the reaplist and would leak
indefinitely on clp->async_copies.
Fix by negating the test so that cleanup runs when the TTL expires.
Fixes: 26e6e6939369 ("NFSD: Add nfsd4_copy time-to-live")
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Chris Mason <clm@xxxxxxxx>
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
---
fs/nfsd/nfs4proc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 85e94c30285a..72f410fd7a8a 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1467,7 +1467,7 @@ void nfsd4_async_copy_reaper(struct nfsd_net *nn)
list_for_each_safe(pos, next, &clp->async_copies) {
copy = list_entry(pos, struct nfsd4_copy, copies);
if (test_bit(NFSD4_COPY_F_OFFLOAD_DONE, ©->cp_flags)) {
- if (--copy->cp_ttl) {
+ if (!--copy->cp_ttl) {
list_del_init(©->copies);
list_add(©->copies, &reaplist);
}
---
base-commit: e91f16e59f513a1e3fc052e2b630efebeaf9a4f2
change-id: 20260521-async_copy_reaper_cp_ttl_inverted-697a0a3c850b
Best regards,
--
Jeff Layton <jlayton@xxxxxxxxxx>