nfsd: fix inverted cp_ttl check in async copy reaper

nfsd4_async_copy_reaper() is supposed to keep completed async copy
state around for NFSD_COPY_INITIAL_TTL (10) laundromat ticks so
that OFFLOAD_STATUS can report the result, then reap the state once
the countdown expires.

The TTL predicate is inverted: `if (--copy->cp_ttl)` is true while
ticks remain and false when the counter reaches zero.  This causes
the copy to be reaped on the very first tick (cp_ttl goes from 10
to 9, which is non-zero) instead of after all 10 ticks elapse.
Once reaped, OFFLOAD_STATUS returns NFS4ERR_BAD_STATEID because
the copy state has already been freed.

Fix by negating the test so that cleanup runs when the TTL expires.

Fixes: aa0ebd21df9c ("NFSD: Add nfsd4_copy time-to-live")
Cc: stable@vger.kernel.org
Reported-by: Chris Mason <clm@meta.com>
Assisted-by: kres:claude-opus-4-6
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 71bb2489e5a6540b2414d5a6c67e87b6d2b00ef3..14e329cfdfa621c041dc0813671bfd7e0fdf75ad 100644 (file)
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1470,7 +1470,7 @@ void nfsd4_async_copy_reaper(struct nfsd_net *nn)
                list_for_each_safe(pos, next, &clp->async_copies) {
                        copy = list_entry(pos, struct nfsd4_copy, copies);
                        if (test_bit(NFSD4_COPY_F_OFFLOAD_DONE, &copy->cp_flags)) {
-                               if (--copy->cp_ttl) {
+                               if (!--copy->cp_ttl) {
                                        list_del_init(&copy->copies);
                                        list_add(&copy->copies, &reaplist);
                                }