NFSD: Disallow layoutget during grace period

When the server is recovering from a reboot and is in a grace period,
any operation that may result in deletion or reallocation of block
extents should not be allowed. See RFC 8881, section 18.43.3.

If multiple clients write data to the same file, rebooting the server
during writing may result in file corruption. In the worst case, the
exported XFS may also become corrupted. Observed this behavior while
testing pNFS block volume setup.

Co-developed-by: Konstantin Evtushenko <koevtushenko@yandex.com>
Signed-off-by: Konstantin Evtushenko <koevtushenko@yandex.com>
Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index d7c58aa64f06e8f15295bb5e4bf460beed5b422c..2dc8910f8f722323c237d91292d6c4e4f5e6d1cd 100644 (file)
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -2435,6 +2435,7 @@ static __be32
 nfsd4_layoutget(struct svc_rqst *rqstp,
                struct nfsd4_compound_state *cstate, union nfsd4_op_u *u)
 {
+       struct net *net = SVC_NET(rqstp);
        struct nfsd4_layoutget *lgp = &u->layoutget;
        struct svc_fh *current_fh = &cstate->current_fh;
        const struct nfsd4_layout_ops *ops;
@@ -2486,6 +2487,10 @@ nfsd4_layoutget(struct svc_rqst *rqstp,
        if (lgp->lg_seg.length == 0)
                goto out;
 
+       nfserr = nfserr_grace;
+       if (locks_in_grace(net))
+               goto out;
+
        nfserr = nfsd4_preprocess_layout_stateid(rqstp, cstate, &lgp->lg_sid,
                                                true, lgp->lg_layout_type, &ls);
        if (nfserr) {