nfs4.1: prevent race that allowed use of freed layout in _pnfs_return_layout

mark_matching_lsegs_invalid could put the last ref to the layout, so
the get_layout_hdr needs to be called first.

Signed-off-by: Fred Isaman <iisaman@netapp.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index 8f95822..730d4db 100644 (file)
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -640,10 +640,10 @@ _pnfs_return_layout(struct inode *ino)
                return status;
        }
        stateid = nfsi->layout->plh_stateid;
-       mark_matching_lsegs_invalid(lo, &tmp_list, NULL);
-       lo->plh_block_lgets++;
        /* Reference matched in nfs4_layoutreturn_release */
        get_layout_hdr(lo);
+       mark_matching_lsegs_invalid(lo, &tmp_list, NULL);
+       lo->plh_block_lgets++;
        spin_unlock(&ino->i_lock);
        pnfs_free_lseg_list(&tmp_list);