Merge branch 'fortglx/3.7/time' of git://git.linaro.org/people/jstultz/linux into timers/core

16 files changed, 247 insertions, 181 deletions

diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index ba233499b9a..a3946cf13fc 100644
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -398,7 +398,7 @@ fsloc_parse(char **mesg, char *buf, struct nfsd4_fs_locations *fsloc)
         int migrated, i, err;
 
         /* listsize */
-        err = get_int(mesg, &fsloc->locations_count);
+        err = get_uint(mesg, &fsloc->locations_count);
         if (err)
                 return err;
         if (fsloc->locations_count > MAX_FS_LOCATIONS)
@@ -456,7 +456,7 @@ static int secinfo_parse(char **mesg, char *buf, struct svc_export *exp)
                 return -EINVAL;
 
         for (f = exp->ex_flavors; f < exp->ex_flavors + listsize; f++) {
-                err = get_int(mesg, &f->pseudoflavor);
+                err = get_uint(mesg, &f->pseudoflavor);
                 if (err)
                         return err;
                 /*
@@ -465,7 +465,7 @@ static int secinfo_parse(char **mesg, char *buf, struct svc_export *exp)
                  * problem at export time instead of when a client fails
                  * to authenticate.
                  */
-                err = get_int(mesg, &f->flags);
+                err = get_uint(mesg, &f->flags);
                 if (err)
                         return err;
                 /* Only some flags are allowed to differ between flavors: */
@@ -929,7 +929,7 @@ struct svc_export *
 rqst_exp_get_by_name(struct svc_rqst *rqstp, struct path *path)
 {
         struct svc_export *gssexp, *exp = ERR_PTR(-ENOENT);
-        struct nfsd_net *nn = net_generic(rqstp->rq_xprt->xpt_net, nfsd_net_id);
+        struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
         struct cache_detail *cd = nn->svc_export_cache;
 
         if (rqstp->rq_client == NULL)
@@ -960,7 +960,7 @@ struct svc_export *
 rqst_exp_find(struct svc_rqst *rqstp, int fsid_type, u32 *fsidv)
 {
         struct svc_export *gssexp, *exp = ERR_PTR(-ENOENT);
-        struct nfsd_net *nn = net_generic(rqstp->rq_xprt->xpt_net, nfsd_net_id);
+        struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
         struct cache_detail *cd = nn->svc_export_cache;
 
         if (rqstp->rq_client == NULL)
diff --git a/fs/nfsd/netns.h b/fs/nfsd/netns.h
index 39365636b24..65c2431ea32 100644
--- a/fs/nfsd/netns.h
+++ b/fs/nfsd/netns.h
@@ -34,6 +34,10 @@ struct nfsd_net {
 
         struct cache_detail *idtoname_cache;
         struct cache_detail *nametoid_cache;
+
+        struct lock_manager nfsd4_manager;
+        bool grace_ended;
+        time_t boot_time;
 };
 
 extern int nfsd_net_id;
diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
index a5fd6b982f2..4c7bd35b187 100644
--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c
@@ -651,12 +651,12 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c
 
         if (clp->cl_minorversion == 0) {
                 if (!clp->cl_cred.cr_principal &&
-                                (clp->cl_flavor >= RPC_AUTH_GSS_KRB5))
+                                (clp->cl_cred.cr_flavor >= RPC_AUTH_GSS_KRB5))
                         return -EINVAL;
                 args.client_name = clp->cl_cred.cr_principal;
                 args.prognumber = conn->cb_prog,
                 args.protocol = XPRT_TRANSPORT_TCP;
-                args.authflavor = clp->cl_flavor;
+                args.authflavor = clp->cl_cred.cr_flavor;
                 clp->cl_cb_ident = conn->cb_ident;
         } else {
                 if (!conn->cb_xprt)
@@ -756,7 +756,6 @@ static void do_probe_callback(struct nfs4_client *clp)
  */
 void nfsd4_probe_callback(struct nfs4_client *clp)
 {
-        /* XXX: atomicity?  Also, should we be using cl_flags? */
         clp->cl_cb_state = NFSD4_CB_UNKNOWN;
         set_bit(NFSD4_CLIENT_CB_UPDATE, &clp->cl_flags);
         do_probe_callback(clp);
diff --git a/fs/nfsd/nfs4idmap.c b/fs/nfsd/nfs4idmap.c
index dae36f1dee9..fdc91a6fc9c 100644
--- a/fs/nfsd/nfs4idmap.c
+++ b/fs/nfsd/nfs4idmap.c
@@ -546,7 +546,7 @@ idmap_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen
                 .type = type,
         };
         int ret;
-        struct nfsd_net *nn = net_generic(rqstp->rq_xprt->xpt_net, nfsd_net_id);
+        struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
 
         if (namelen + 1 > sizeof(key.name))
                 return nfserr_badowner;
@@ -571,7 +571,7 @@ idmap_id_to_name(struct svc_rqst *rqstp, int type, uid_t id, char *name)
                 .type = type,
         };
         int ret;
-        struct nfsd_net *nn = net_generic(rqstp->rq_xprt->xpt_net, nfsd_net_id);
+        struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
 
         strlcpy(key.authname, rqst_authname(rqstp), sizeof(key.authname));
         ret = idmap_lookup(rqstp, idtoname_lookup, &key, nn->idtoname_cache, &item);
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 987e719fbae..c9c1c0a2541 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -354,10 +354,10 @@ nfsd4_open(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
         /* Openowner is now set, so sequence id will get bumped.  Now we need
          * these checks before we do any creates: */
         status = nfserr_grace;
-        if (locks_in_grace() && open->op_claim_type != NFS4_OPEN_CLAIM_PREVIOUS)
+        if (locks_in_grace(SVC_NET(rqstp)) && open->op_claim_type != NFS4_OPEN_CLAIM_PREVIOUS)
                 goto out;
         status = nfserr_no_grace;
-        if (!locks_in_grace() && open->op_claim_type == NFS4_OPEN_CLAIM_PREVIOUS)
+        if (!locks_in_grace(SVC_NET(rqstp)) && open->op_claim_type == NFS4_OPEN_CLAIM_PREVIOUS)
                 goto out;
 
         switch (open->op_claim_type) {
@@ -686,7 +686,8 @@ nfsd4_read(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 
         nfs4_lock_state();
         /* check stateid */
-        if ((status = nfs4_preprocess_stateid_op(cstate, &read->rd_stateid,
+        if ((status = nfs4_preprocess_stateid_op(SVC_NET(rqstp),
+                                                 cstate, &read->rd_stateid,
                                                  RD_STATE, &read->rd_filp))) {
                 dprintk("NFSD: nfsd4_read: couldn't process stateid!\n");
                 goto out;
@@ -741,7 +742,7 @@ nfsd4_remove(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 {
         __be32 status;
 
-        if (locks_in_grace())
+        if (locks_in_grace(SVC_NET(rqstp)))
                 return nfserr_grace;
         status = nfsd_unlink(rqstp, &cstate->current_fh, 0,
                              remove->rm_name, remove->rm_namelen);
@@ -760,8 +761,8 @@ nfsd4_rename(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 
         if (!cstate->save_fh.fh_dentry)
                 return status;
-        if (locks_in_grace() && !(cstate->save_fh.fh_export->ex_flags
-                                        & NFSEXP_NOSUBTREECHECK))
+        if (locks_in_grace(SVC_NET(rqstp)) &&
+                !(cstate->save_fh.fh_export->ex_flags & NFSEXP_NOSUBTREECHECK))
                 return nfserr_grace;
         status = nfsd_rename(rqstp, &cstate->save_fh, rename->rn_sname,
                              rename->rn_snamelen, &cstate->current_fh,
@@ -845,7 +846,7 @@ nfsd4_setattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 
         if (setattr->sa_iattr.ia_valid & ATTR_SIZE) {
                 nfs4_lock_state();
-                status = nfs4_preprocess_stateid_op(cstate,
+                status = nfs4_preprocess_stateid_op(SVC_NET(rqstp), cstate,
                         &setattr->sa_stateid, WR_STATE, NULL);
                 nfs4_unlock_state();
                 if (status) {
@@ -890,7 +891,8 @@ nfsd4_write(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
                 return nfserr_inval;
 
         nfs4_lock_state();
-        status = nfs4_preprocess_stateid_op(cstate, stateid, WR_STATE, &filp);
+        status = nfs4_preprocess_stateid_op(SVC_NET(rqstp),
+                                        cstate, stateid, WR_STATE, &filp);
         if (filp)
                 get_file(filp);
         nfs4_unlock_state();
diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
index 5ff0b7b9fc0..43295d45cc2 100644
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -154,6 +154,10 @@ nfsd4_create_clid_dir(struct nfs4_client *clp)
         if (status < 0)
                 return;
 
+        status = mnt_want_write_file(rec_file);
+        if (status)
+                return;
+
         dir = rec_file->f_path.dentry;
         /* lock the parent */
         mutex_lock(&dir->d_inode->i_mutex);
@@ -173,11 +177,7 @@ nfsd4_create_clid_dir(struct nfs4_client *clp)
                  * as well be forgiving and just succeed silently.
                  */
                 goto out_put;
-        status = mnt_want_write_file(rec_file);
-        if (status)
-                goto out_put;
         status = vfs_mkdir(dir->d_inode, dentry, S_IRWXU);
-        mnt_drop_write_file(rec_file);
 out_put:
         dput(dentry);
 out_unlock:
@@ -189,6 +189,7 @@ out_unlock:
                                 " (err %d); please check that %s exists"
                                 " and is writeable", status,
                                 user_recovery_dirname);
+        mnt_drop_write_file(rec_file);
         nfs4_reset_creds(original_cred);
 }
 
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 94effd5bc4a..cc894eda385 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -38,18 +38,21 @@
 #include <linux/namei.h>
 #include <linux/swap.h>
 #include <linux/pagemap.h>
+#include <linux/ratelimit.h>
 #include <linux/sunrpc/svcauth_gss.h>
 #include <linux/sunrpc/clnt.h>
 #include "xdr4.h"
 #include "vfs.h"
 #include "current_stateid.h"
+#include "fault_inject.h"
+
+#include "netns.h"
 
 #define NFSDDBG_FACILITY                NFSDDBG_PROC
 
 /* Globals */
 time_t nfsd4_lease = 90;     /* default lease time */
 time_t nfsd4_grace = 90;
-static time_t boot_time;
 
 #define all_ones {{~0,~0},~0}
 static const stateid_t one_stateid = {
@@ -862,6 +865,11 @@ static __be32 nfsd4_new_conn(struct svc_rqst *rqstp, struct nfsd4_session *ses,
         if (ret)
                 /* oops; xprt is already down: */
                 nfsd4_conn_lost(&conn->cn_xpt_user);
+        if (ses->se_client->cl_cb_state == NFSD4_CB_DOWN &&
+                dir & NFS4_CDFC4_BACK) {
+                /* callback channel may be back up */
+                nfsd4_probe_callback(ses->se_client);
+        }
         return nfs_ok;
 }
 
@@ -1047,12 +1055,12 @@ renew_client(struct nfs4_client *clp)
 
 /* SETCLIENTID and SETCLIENTID_CONFIRM Helper functions */
 static int
-STALE_CLIENTID(clientid_t *clid)
+STALE_CLIENTID(clientid_t *clid, struct nfsd_net *nn)
 {
-        if (clid->cl_boot == boot_time)
+        if (clid->cl_boot == nn->boot_time)
                 return 0;
         dprintk("NFSD stale clientid (%08x/%08x) boot_time %08lx\n",
-                clid->cl_boot, clid->cl_id, boot_time);
+                clid->cl_boot, clid->cl_id, nn->boot_time);
         return 1;
 }
 
@@ -1215,7 +1223,7 @@ static bool groups_equal(struct group_info *g1, struct group_info *g2)
         return true;
 }
 
-static int
+static bool
 same_creds(struct svc_cred *cr1, struct svc_cred *cr2)
 {
         if ((cr1->cr_flavor != cr2->cr_flavor)
@@ -1227,14 +1235,15 @@ same_creds(struct svc_cred *cr1, struct svc_cred *cr2)
                 return true;
         if (!cr1->cr_principal || !cr2->cr_principal)
                 return false;
-        return 0 == strcmp(cr1->cr_principal, cr1->cr_principal);
+        return 0 == strcmp(cr1->cr_principal, cr2->cr_principal);
 }
 
 static void gen_clid(struct nfs4_client *clp)
 {
         static u32 current_clientid = 1;
+        struct nfsd_net *nn = net_generic(&init_net, nfsd_net_id);
 
-        clp->cl_clientid.cl_boot = boot_time;
+        clp->cl_clientid.cl_boot = nn->boot_time;
         clp->cl_clientid.cl_id = current_clientid++; 
 }
 
@@ -2217,8 +2226,9 @@ nfsd4_setclientid_confirm(struct svc_rqst *rqstp,
         nfs4_verifier confirm = setclientid_confirm->sc_confirm; 
         clientid_t * clid = &setclientid_confirm->sc_clientid;
         __be32 status;
+        struct nfsd_net *nn = net_generic(&init_net, nfsd_net_id);
 
-        if (STALE_CLIENTID(clid))
+        if (STALE_CLIENTID(clid, nn))
                 return nfserr_stale_clientid;
         nfs4_lock_state();
 
@@ -2577,8 +2587,9 @@ nfsd4_process_open1(struct nfsd4_compound_state *cstate,
         unsigned int strhashval;
         struct nfs4_openowner *oo = NULL;
         __be32 status;
+        struct nfsd_net *nn = net_generic(&init_net, nfsd_net_id);
 
-        if (STALE_CLIENTID(&open->op_clientid))
+        if (STALE_CLIENTID(&open->op_clientid, nn))
                 return nfserr_stale_clientid;
         /*
          * In case we need it later, after we've already created the
@@ -2876,7 +2887,8 @@ static void nfsd4_open_deleg_none_ext(struct nfsd4_open *open, int status)
  * Attempt to hand out a delegation.
  */
 static void
-nfs4_open_delegation(struct svc_fh *fh, struct nfsd4_open *open, struct nfs4_ol_stateid *stp)
+nfs4_open_delegation(struct net *net, struct svc_fh *fh,
+                     struct nfsd4_open *open, struct nfs4_ol_stateid *stp)
 {
         struct nfs4_delegation *dp;
         struct nfs4_openowner *oo = container_of(stp->st_stateowner, struct nfs4_openowner, oo_owner);
@@ -2897,7 +2909,7 @@ nfs4_open_delegation(struct svc_fh *fh, struct nfsd4_open *open, struct nfs4_ol_
                 case NFS4_OPEN_CLAIM_NULL:
                         /* Let's not give out any delegations till everyone's
                          * had the chance to reclaim theirs.... */
-                        if (locks_in_grace())
+                        if (locks_in_grace(net))
                                 goto out;
                         if (!cb_up || !(oo->oo_flags & NFS4_OO_CONFIRMED))
                                 goto out;
@@ -3007,14 +3019,12 @@ nfsd4_process_open2(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nf
                 status = nfs4_get_vfs_file(rqstp, fp, current_fh, open);
                 if (status)
                         goto out;
+                status = nfsd4_truncate(rqstp, current_fh, open);
+                if (status)
+                        goto out;
                 stp = open->op_stp;
                 open->op_stp = NULL;
                 init_open_stateid(stp, fp, open);
-                status = nfsd4_truncate(rqstp, current_fh, open);
-                if (status) {
-                        release_open_stateid(stp);
-                        goto out;
-                }
         }
         update_stateid(&stp->st_stid.sc_stateid);
         memcpy(&open->op_stateid, &stp->st_stid.sc_stateid, sizeof(stateid_t));
@@ -3033,7 +3043,7 @@ nfsd4_process_open2(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nf
         * Attempt to hand out a delegation. No error return, because the
         * OPEN succeeds even if we fail.
         */
-        nfs4_open_delegation(current_fh, open, stp);
+        nfs4_open_delegation(SVC_NET(rqstp), current_fh, open, stp);
 nodeleg:
         status = nfs_ok;
 
@@ -3087,12 +3097,13 @@ nfsd4_renew(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 {
         struct nfs4_client *clp;
         __be32 status;
+        struct nfsd_net *nn = net_generic(&init_net, nfsd_net_id);
 
         nfs4_lock_state();
         dprintk("process_renew(%08x/%08x): starting\n", 
                         clid->cl_boot, clid->cl_id);
         status = nfserr_stale_clientid;
-        if (STALE_CLIENTID(clid))
+        if (STALE_CLIENTID(clid, nn))
                 goto out;
         clp = find_confirmed_client(clid);
         status = nfserr_expired;
@@ -3111,22 +3122,19 @@ out:
         return status;
 }
 
-static struct lock_manager nfsd4_manager = {
-};
-
-static bool grace_ended;
-
 static void
-nfsd4_end_grace(void)
+nfsd4_end_grace(struct net *net)
 {
+        struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+
         /* do nothing if grace period already ended */
-        if (grace_ended)
+        if (nn->grace_ended)
                 return;
 
         dprintk("NFSD: end of grace period\n");
-        grace_ended = true;
-        nfsd4_record_grace_done(&init_net, boot_time);
-        locks_end_grace(&nfsd4_manager);
+        nn->grace_ended = true;
+        nfsd4_record_grace_done(net, nn->boot_time);
+        locks_end_grace(&nn->nfsd4_manager);
         /*
          * Now that every NFSv4 client has had the chance to recover and
          * to see the (possibly new, possibly shorter) lease time, we
@@ -3149,7 +3157,7 @@ nfs4_laundromat(void)
         nfs4_lock_state();
 
         dprintk("NFSD: laundromat service - starting\n");
-        nfsd4_end_grace();
+        nfsd4_end_grace(&init_net);
         INIT_LIST_HEAD(&reaplist);
         spin_lock(&client_lock);
         list_for_each_safe(pos, next, &client_lru) {
@@ -3231,9 +3239,9 @@ static inline __be32 nfs4_check_fh(struct svc_fh *fhp, struct nfs4_ol_stateid *s
 }
 
 static int
-STALE_STATEID(stateid_t *stateid)
+STALE_STATEID(stateid_t *stateid, struct nfsd_net *nn)
 {
-        if (stateid->si_opaque.so_clid.cl_boot == boot_time)
+        if (stateid->si_opaque.so_clid.cl_boot == nn->boot_time)
                 return 0;
         dprintk("NFSD: stale stateid " STATEID_FMT "!\n",
                 STATEID_VAL(stateid));
@@ -3273,11 +3281,11 @@ out:
 }
 
 static inline __be32
-check_special_stateids(svc_fh *current_fh, stateid_t *stateid, int flags)
+check_special_stateids(struct net *net, svc_fh *current_fh, stateid_t *stateid, int flags)
 {
         if (ONE_STATEID(stateid) && (flags & RD_STATE))
                 return nfs_ok;
-        else if (locks_in_grace()) {
+        else if (locks_in_grace(net)) {
                 /* Answer in remaining cases depends on existence of
                  * conflicting state; so we must wait out the grace period. */
                 return nfserr_grace;
@@ -3294,9 +3302,9 @@ check_special_stateids(svc_fh *current_fh, stateid_t *stateid, int flags)
  * that are not able to provide mandatory locking.
  */
 static inline int
-grace_disallows_io(struct inode *inode)
+grace_disallows_io(struct net *net, struct inode *inode)
 {
-        return locks_in_grace() && mandatory_lock(inode);
+        return locks_in_grace(net) && mandatory_lock(inode);
 }
 
 /* Returns true iff a is later than b: */
@@ -3333,18 +3341,26 @@ static __be32 check_stateid_generation(stateid_t *in, stateid_t *ref, bool has_s
         return nfserr_old_stateid;
 }
 
-__be32 nfs4_validate_stateid(struct nfs4_client *cl, stateid_t *stateid)
+static __be32 nfsd4_validate_stateid(struct nfs4_client *cl, stateid_t *stateid)
 {
         struct nfs4_stid *s;
         struct nfs4_ol_stateid *ols;
         __be32 status;
 
-        if (STALE_STATEID(stateid))
-                return nfserr_stale_stateid;
-
+        if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
+                return nfserr_bad_stateid;
+        /* Client debugging aid. */
+        if (!same_clid(&stateid->si_opaque.so_clid, &cl->cl_clientid)) {
+                char addr_str[INET6_ADDRSTRLEN];
+                rpc_ntop((struct sockaddr *)&cl->cl_addr, addr_str,
+                                 sizeof(addr_str));
+                pr_warn_ratelimited("NFSD: client %s testing state ID "
+                                        "with incorrect client ID\n", addr_str);
+                return nfserr_bad_stateid;
+        }
         s = find_stateid(cl, stateid);
         if (!s)
-                 return nfserr_stale_stateid;
+                return nfserr_bad_stateid;
         status = check_stateid_generation(stateid, &s->sc_stateid, 1);
         if (status)
                 return status;
@@ -3360,10 +3376,11 @@ __be32 nfs4_validate_stateid(struct nfs4_client *cl, stateid_t *stateid)
 static __be32 nfsd4_lookup_stateid(stateid_t *stateid, unsigned char typemask, struct nfs4_stid **s)
 {
         struct nfs4_client *cl;
+        struct nfsd_net *nn = net_generic(&init_net, nfsd_net_id);
 
         if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
                 return nfserr_bad_stateid;
-        if (STALE_STATEID(stateid))
+        if (STALE_STATEID(stateid, nn))
                 return nfserr_stale_stateid;
         cl = find_confirmed_client(&stateid->si_opaque.so_clid);
         if (!cl)
@@ -3379,7 +3396,7 @@ static __be32 nfsd4_lookup_stateid(stateid_t *stateid, unsigned char typemask, s
 * Checks for stateid operations
 */
 __be32
-nfs4_preprocess_stateid_op(struct nfsd4_compound_state *cstate,
+nfs4_preprocess_stateid_op(struct net *net, struct nfsd4_compound_state *cstate,
                            stateid_t *stateid, int flags, struct file **filpp)
 {
         struct nfs4_stid *s;
@@ -3392,11 +3409,11 @@ nfs4_preprocess_stateid_op(struct nfsd4_compound_state *cstate,
         if (filpp)
                 *filpp = NULL;
 
-        if (grace_disallows_io(ino))
+        if (grace_disallows_io(net, ino))
                 return nfserr_grace;
 
         if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
-                return check_special_stateids(current_fh, stateid, flags);
+                return check_special_stateids(net, current_fh, stateid, flags);
 
         status = nfsd4_lookup_stateid(stateid, NFS4_DELEG_STID|NFS4_OPEN_STID|NFS4_LOCK_STID, &s);
         if (status)
@@ -3463,7 +3480,8 @@ nfsd4_test_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 
         nfs4_lock_state();
         list_for_each_entry(stateid, &test_stateid->ts_stateid_list, ts_id_list)
-                stateid->ts_id_status = nfs4_validate_stateid(cl, &stateid->ts_id_stateid);
+                stateid->ts_id_status =
+                        nfsd4_validate_stateid(cl, &stateid->ts_id_stateid);
         nfs4_unlock_state();
 
         return nfs_ok;
@@ -3750,12 +3768,19 @@ nfsd4_close(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
         nfsd4_close_open_stateid(stp);
         oo->oo_last_closed_stid = stp;
 
-        /* place unused nfs4_stateowners on so_close_lru list to be
-         * released by the laundromat service after the lease period
-         * to enable us to handle CLOSE replay
-         */
-        if (list_empty(&oo->oo_owner.so_stateids))
-                move_to_close_lru(oo);
+        if (list_empty(&oo->oo_owner.so_stateids)) {
+                if (cstate->minorversion) {
+                        release_openowner(oo);
+                        cstate->replay_owner = NULL;
+                } else {
+                        /*
+                         * In the 4.0 case we need to keep the owners around a
+                         * little while to handle CLOSE replay.
+                         */
+                        if (list_empty(&oo->oo_owner.so_stateids))
+                                move_to_close_lru(oo);
+                }
+        }
 out:
         if (!cstate->replay_owner)
                 nfs4_unlock_state();
@@ -4027,6 +4052,7 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
         bool new_state = false;
         int lkflg;
         int err;
+        struct nfsd_net *nn = net_generic(&init_net, nfsd_net_id);
 
         dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
                 (long long) lock->lk_offset,
@@ -4044,11 +4070,6 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
         nfs4_lock_state();
 
         if (lock->lk_is_new) {
-                /*
-                 * Client indicates that this is a new lockowner.
-                 * Use open owner and open stateid to create lock owner and
-                 * lock stateid.
-                 */
                 struct nfs4_ol_stateid *open_stp = NULL;
 
                 if (nfsd4_has_session(cstate))
@@ -4058,7 +4079,7 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
                                 sizeof(clientid_t));
 
                 status = nfserr_stale_clientid;
-                if (STALE_CLIENTID(&lock->lk_new_clientid))
+                if (STALE_CLIENTID(&lock->lk_new_clientid, nn))
                         goto out;
 
                 /* validate and update open stateid and open seqid */
@@ -4075,17 +4096,13 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
                         goto out;
                 status = lookup_or_create_lock_state(cstate, open_stp, lock,
                                                         &lock_stp, &new_state);
-                if (status)
-                        goto out;
-        } else {
-                /* lock (lock owner + lock stateid) already exists */
+        } else
                 status = nfs4_preprocess_seqid_op(cstate,
                                        lock->lk_old_lock_seqid,
                                        &lock->lk_old_lock_stateid,
                                        NFS4_LOCK_STID, &lock_stp);
-                if (status)
-                        goto out;
-        }
+        if (status)
+                goto out;
         lock_sop = lockowner(lock_stp->st_stateowner);
 
         lkflg = setlkflg(lock->lk_type);
@@ -4094,10 +4111,10 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
                 goto out;
 
         status = nfserr_grace;
-        if (locks_in_grace() && !lock->lk_reclaim)
+        if (locks_in_grace(SVC_NET(rqstp)) && !lock->lk_reclaim)
                 goto out;
         status = nfserr_no_grace;
-        if (!locks_in_grace() && lock->lk_reclaim)
+        if (!locks_in_grace(SVC_NET(rqstp)) && lock->lk_reclaim)
                 goto out;
 
         locks_init_lock(&file_lock);
@@ -4196,8 +4213,9 @@ nfsd4_lockt(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
         struct file_lock file_lock;
         struct nfs4_lockowner *lo;
         __be32 status;
+        struct nfsd_net *nn = net_generic(&init_net, nfsd_net_id);
 
-        if (locks_in_grace())
+        if (locks_in_grace(SVC_NET(rqstp)))
                 return nfserr_grace;
 
         if (check_lock_length(lockt->lt_offset, lockt->lt_length))
@@ -4206,7 +4224,7 @@ nfsd4_lockt(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
         nfs4_lock_state();
 
         status = nfserr_stale_clientid;
-        if (!nfsd4_has_session(cstate) && STALE_CLIENTID(&lockt->lt_clientid))
+        if (!nfsd4_has_session(cstate) && STALE_CLIENTID(&lockt->lt_clientid, nn))
                 goto out;
 
         if ((status = fh_verify(rqstp, &cstate->current_fh, S_IFREG, 0)))
@@ -4355,6 +4373,7 @@ nfsd4_release_lockowner(struct svc_rqst *rqstp,
         struct list_head matches;
         unsigned int hashval = ownerstr_hashval(clid->cl_id, owner);
         __be32 status;
+        struct nfsd_net *nn = net_generic(&init_net, nfsd_net_id);
 
         dprintk("nfsd4_release_lockowner clientid: (%08x/%08x):\n",
                 clid->cl_boot, clid->cl_id);
@@ -4362,7 +4381,7 @@ nfsd4_release_lockowner(struct svc_rqst *rqstp,
         /* XXX check for lease expiration */
 
         status = nfserr_stale_clientid;
-        if (STALE_CLIENTID(clid))
+        if (STALE_CLIENTID(clid, nn))
                 return status;
 
         nfs4_lock_state();
@@ -4564,7 +4583,7 @@ void nfsd_forget_openowners(u64 num)
         printk(KERN_INFO "NFSD: Forgot %d open owners", count);
 }
 
-int nfsd_process_n_delegations(u64 num, void (*deleg_func)(struct nfs4_delegation *))
+int nfsd_process_n_delegations(u64 num, struct list_head *list)
 {
         int i, count = 0;
         struct nfs4_file *fp, *fnext;
@@ -4573,7 +4592,7 @@ int nfsd_process_n_delegations(u64 num, void (*deleg_func)(struct nfs4_delegatio
         for (i = 0; i < FILE_HASH_SIZE; i++) {
                 list_for_each_entry_safe(fp, fnext, &file_hashtbl[i], fi_hash) {
                         list_for_each_entry_safe(dp, dnext, &fp->fi_delegations, dl_perfile) {
-                                deleg_func(dp);
+                                list_move(&dp->dl_recall_lru, list);
                                 if (++count == num)
                                         return count;
                         }
@@ -4586,9 +4605,16 @@ int nfsd_process_n_delegations(u64 num, void (*deleg_func)(struct nfs4_delegatio
 void nfsd_forget_delegations(u64 num)
 {
         unsigned int count;
+        LIST_HEAD(victims);
+        struct nfs4_delegation *dp, *dnext;
+
+        spin_lock(&recall_lock);
+        count = nfsd_process_n_delegations(num, &victims);
+        spin_unlock(&recall_lock);
 
         nfs4_lock_state();
-        count = nfsd_process_n_delegations(num, unhash_delegation);
+        list_for_each_entry_safe(dp, dnext, &victims, dl_recall_lru)
+                unhash_delegation(dp);
         nfs4_unlock_state();
 
         printk(KERN_INFO "NFSD: Forgot %d delegations", count);
@@ -4597,12 +4623,16 @@ void nfsd_forget_delegations(u64 num)
 void nfsd_recall_delegations(u64 num)
 {
         unsigned int count;
+        LIST_HEAD(victims);
+        struct nfs4_delegation *dp, *dnext;
 
-        nfs4_lock_state();
         spin_lock(&recall_lock);
-        count = nfsd_process_n_delegations(num, nfsd_break_one_deleg);
+        count = nfsd_process_n_delegations(num, &victims);
+        list_for_each_entry_safe(dp, dnext, &victims, dl_recall_lru) {
+                list_del(&dp->dl_recall_lru);
+                nfsd_break_one_deleg(dp);
+        }
         spin_unlock(&recall_lock);
-        nfs4_unlock_state();
 
         printk(KERN_INFO "NFSD: Recalled %d delegations", count);
 }
@@ -4665,6 +4695,8 @@ set_max_delegations(void)
 int
 nfs4_state_start(void)
 {
+        struct net *net = &init_net;
+        struct nfsd_net *nn = net_generic(net, nfsd_net_id);
         int ret;
 
         /*
@@ -4674,11 +4706,11 @@ nfs4_state_start(void)
          * to that instead and then do most of the rest of this on a per-net
          * basis.
          */
-        get_net(&init_net);
-        nfsd4_client_tracking_init(&init_net);
-        boot_time = get_seconds();
-        locks_start_grace(&nfsd4_manager);
-        grace_ended = false;
+        get_net(net);
+        nfsd4_client_tracking_init(net);
+        nn->boot_time = get_seconds();
+        locks_start_grace(net, &nn->nfsd4_manager);
+        nn->grace_ended = false;
         printk(KERN_INFO "NFSD: starting %ld-second grace period\n",
                nfsd4_grace);
         ret = set_callback_cred();
@@ -4700,8 +4732,8 @@ nfs4_state_start(void)
 out_free_laundry:
         destroy_workqueue(laundry_wq);
 out_recovery:
-        nfsd4_client_tracking_exit(&init_net);
-        put_net(&init_net);
+        nfsd4_client_tracking_exit(net);
+        put_net(net);
         return ret;
 }
 
@@ -4742,9 +4774,12 @@ __nfs4_state_shutdown(void)
 void
 nfs4_state_shutdown(void)
 {
+        struct net *net = &init_net;
+        struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+
         cancel_delayed_work_sync(&laundromat_work);
         destroy_workqueue(laundry_wq);
-        locks_end_grace(&nfsd4_manager);
+        locks_end_grace(&nn->nfsd4_manager);
         nfs4_lock_state();
         __nfs4_state_shutdown();
         nfs4_unlock_state();
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 4949667c84e..6322df36031 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -2259,7 +2259,7 @@ out_acl:
         if (bmval0 & FATTR4_WORD0_CASE_INSENSITIVE) {
                 if ((buflen -= 4) < 0)
                         goto out_resource;
-                WRITE32(1);
+                WRITE32(0);
         }
         if (bmval0 & FATTR4_WORD0_CASE_PRESERVING) {
                 if ((buflen -= 4) < 0)
diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
index c55298ed577..fa49cff5ee6 100644
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -673,9 +673,7 @@ static ssize_t __write_ports_addfd(char *buf)
 
         err = svc_addsock(nfsd_serv, fd, buf, SIMPLE_TRANSACTION_LIMIT);
         if (err < 0) {
-                if (nfsd_serv->sv_nrthreads == 1)
-                        svc_shutdown_net(nfsd_serv, net);
-                svc_destroy(nfsd_serv);
+                nfsd_destroy(net);
                 return err;
         }
 
@@ -744,9 +742,7 @@ out_close:
                 svc_xprt_put(xprt);
         }
 out_err:
-        if (nfsd_serv->sv_nrthreads == 1)
-                svc_shutdown_net(nfsd_serv, net);
-        svc_destroy(nfsd_serv);
+        nfsd_destroy(net);
         return err;
 }
 
diff --git a/fs/nfsd/nfsd.h b/fs/nfsd/nfsd.h
index 1671429ffa6..2244222368a 100644
--- a/fs/nfsd/nfsd.h
+++ b/fs/nfsd/nfsd.h
@@ -72,6 +72,19 @@ int		nfsd_nrthreads(void);
 int             nfsd_nrpools(void);
 int             nfsd_get_nrthreads(int n, int *);
 int             nfsd_set_nrthreads(int n, int *);
+int             nfsd_pool_stats_open(struct inode *, struct file *);
+int             nfsd_pool_stats_release(struct inode *, struct file *);
+
+static inline void nfsd_destroy(struct net *net)
+{
+        int destroy = (nfsd_serv->sv_nrthreads == 1);
+
+        if (destroy)
+                svc_shutdown_net(nfsd_serv, net);
+        svc_destroy(nfsd_serv);
+        if (destroy)
+                nfsd_serv = NULL;
+}
 
 #if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL)
 #ifdef CONFIG_NFSD_V2_ACL
diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
index cc793005a87..032af381b3a 100644
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -635,6 +635,7 @@ fh_put(struct svc_fh *fhp)
                 fhp->fh_post_saved = 0;
 #endif
         }
+        fh_drop_write(fhp);
         if (exp) {
                 exp_put(exp);
                 fhp->fh_export = NULL;
diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c
index e15dc45fc5e..aad6d457b9e 100644
--- a/fs/nfsd/nfsproc.c
+++ b/fs/nfsd/nfsproc.c
@@ -196,6 +196,7 @@ nfsd_proc_create(struct svc_rqst *rqstp, struct nfsd_createargs *argp,
         struct dentry   *dchild;
         int             type, mode;
         __be32          nfserr;
+        int             hosterr;
         dev_t           rdev = 0, wanted = new_decode_dev(attr->ia_size);
 
         dprintk("nfsd: CREATE   %s %.*s\n",
@@ -214,6 +215,12 @@ nfsd_proc_create(struct svc_rqst *rqstp, struct nfsd_createargs *argp,
         nfserr = nfserr_exist;
         if (isdotent(argp->name, argp->len))
                 goto done;
+        hosterr = fh_want_write(dirfhp);
+        if (hosterr) {
+                nfserr = nfserrno(hosterr);
+                goto done;
+        }
+
         fh_lock_nested(dirfhp, I_MUTEX_PARENT);
         dchild = lookup_one_len(argp->name, dirfhp->fh_dentry, argp->len);
         if (IS_ERR(dchild)) {
@@ -330,7 +337,7 @@ nfsd_proc_create(struct svc_rqst *rqstp, struct nfsd_createargs *argp,
 out_unlock:
         /* We don't really need to unlock, as fh_put does it. */
         fh_unlock(dirfhp);
-
+        fh_drop_write(dirfhp);
 done:
         fh_put(dirfhp);
         return nfsd_return_dirop(nfserr, resp);
diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
index ee709fc8f58..240473cb708 100644
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -254,8 +254,6 @@ static void nfsd_shutdown(void)
 
 static void nfsd_last_thread(struct svc_serv *serv, struct net *net)
 {
-        /* When last nfsd thread exits we need to do some clean-up */
-        nfsd_serv = NULL;
         nfsd_shutdown();
 
         svc_rpcb_cleanup(serv, net);
@@ -332,6 +330,7 @@ static int nfsd_get_default_max_blksize(void)
 int nfsd_create_serv(void)
 {
         int error;
+        struct net *net = current->nsproxy->net_ns;
 
         WARN_ON(!mutex_is_locked(&nfsd_mutex));
         if (nfsd_serv) {
@@ -346,7 +345,7 @@ int nfsd_create_serv(void)
         if (nfsd_serv == NULL)
                 return -ENOMEM;
 
-        error = svc_bind(nfsd_serv, current->nsproxy->net_ns);
+        error = svc_bind(nfsd_serv, net);
         if (error < 0) {
                 svc_destroy(nfsd_serv);
                 return error;
@@ -427,11 +426,7 @@ int nfsd_set_nrthreads(int n, int *nthreads)
                 if (err)
                         break;
         }
-
-        if (nfsd_serv->sv_nrthreads == 1)
-                svc_shutdown_net(nfsd_serv, net);
-        svc_destroy(nfsd_serv);
-
+        nfsd_destroy(net);
         return err;
 }
 
@@ -478,9 +473,7 @@ out_shutdown:
         if (error < 0 && !nfsd_up_before)
                 nfsd_shutdown();
 out_destroy:
-        if (nfsd_serv->sv_nrthreads == 1)
-                svc_shutdown_net(nfsd_serv, net);
-        svc_destroy(nfsd_serv);         /* Release server */
+        nfsd_destroy(net);              /* Release server */
 out:
         mutex_unlock(&nfsd_mutex);
         return error;
@@ -563,12 +556,13 @@ nfsd(void *vrqstp)
         nfsdstats.th_cnt --;
 
 out:
-        if (rqstp->rq_server->sv_nrthreads == 1)
-                svc_shutdown_net(rqstp->rq_server, &init_net);
+        rqstp->rq_server = NULL;
 
         /* Release the thread */
         svc_exit_thread(rqstp);
 
+        nfsd_destroy(&init_net);
+
         /* Release module */
         mutex_unlock(&nfsd_mutex);
         module_put_and_exit(0);
@@ -682,9 +676,7 @@ int nfsd_pool_stats_release(struct inode *inode, struct file *file)
 
         mutex_lock(&nfsd_mutex);
         /* this function really, really should have been called svc_put() */
-        if (nfsd_serv->sv_nrthreads == 1)
-                svc_shutdown_net(nfsd_serv, net);
-        svc_destroy(nfsd_serv);
+        nfsd_destroy(net);
         mutex_unlock(&nfsd_mutex);
         return ret;
 }
diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h
index 849091e16ea..22bd0a66c35 100644
--- a/fs/nfsd/state.h
+++ b/fs/nfsd/state.h
@@ -231,7 +231,6 @@ struct nfs4_client {
         nfs4_verifier           cl_verifier;    /* generated by client */
         time_t                  cl_time;        /* time of last lease renewal */
         struct sockaddr_storage cl_addr;        /* client ipaddress */
-        u32                     cl_flavor;      /* setclientid pseudoflavor */
         struct svc_cred         cl_cred;        /* setclientid principal */
         clientid_t              cl_clientid;    /* generated by server */
         nfs4_verifier           cl_confirm;     /* generated by server */
@@ -450,8 +449,10 @@ static inline struct nfs4_ol_stateid *openlockstateid(struct nfs4_stid *s)
 #define WR_STATE                0x00000020
 
 struct nfsd4_compound_state;
+struct nfsd_net;
 
-extern __be32 nfs4_preprocess_stateid_op(struct nfsd4_compound_state *cstate,
+extern __be32 nfs4_preprocess_stateid_op(struct net *net,
+                struct nfsd4_compound_state *cstate,
                 stateid_t *stateid, int flags, struct file **filp);
 extern void nfs4_lock_state(void);
 extern void nfs4_unlock_state(void);
@@ -475,7 +476,6 @@ extern __be32 nfs4_make_rec_clidname(char *clidname, struct xdr_netobj *clname);
 extern int nfs4_client_to_reclaim(const char *name);
 extern int nfs4_has_reclaimed_state(const char *name, bool use_exchange_id);
 extern void release_session_client(struct nfsd4_session *);
-extern __be32 nfs4_validate_stateid(struct nfs4_client *, stateid_t *);
 extern void nfsd4_purge_closed_stateid(struct nfs4_stateowner *);
 
 /* nfs4recover operations */
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index c8bd9c3be7f..a9269f142cc 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -745,7 +745,7 @@ __be32
 nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type,
                         int may_flags, struct file **filp)
 {
-        struct dentry   *dentry;
+        struct path     path;
         struct inode    *inode;
         int             flags = O_RDONLY|O_LARGEFILE;
         __be32          err;
@@ -757,13 +757,22 @@ nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type,
          * If we get here, then the client has already done an "open",
          * and (hopefully) checked permission - so allow OWNER_OVERRIDE
          * in case a chmod has now revoked permission.
+         *
+         * Arguably we should also allow the owner override for
+         * directories, but we never have and it doesn't seem to have
+         * caused anyone a problem.  If we were to change this, note
+         * also that our filldir callbacks would need a variant of
+         * lookup_one_len that doesn't check permissions.
          */
-        err = fh_verify(rqstp, fhp, type, may_flags | NFSD_MAY_OWNER_OVERRIDE);
+        if (type == S_IFREG)
+                may_flags |= NFSD_MAY_OWNER_OVERRIDE;
+        err = fh_verify(rqstp, fhp, type, may_flags);
         if (err)
                 goto out;
 
-        dentry = fhp->fh_dentry;
-        inode = dentry->d_inode;
+        path.mnt = fhp->fh_export->ex_path.mnt;
+        path.dentry = fhp->fh_dentry;
+        inode = path.dentry->d_inode;
 
         /* Disallow write access to files with the append-only bit set
          * or any access when mandatory locking enabled
@@ -792,8 +801,7 @@ nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type,
                 else
                         flags = O_WRONLY|O_LARGEFILE;
         }
-        *filp = dentry_open(dget(dentry), mntget(fhp->fh_export->ex_path.mnt),
-                            flags, current_cred());
+        *filp = dentry_open(&path, flags, current_cred());
         if (IS_ERR(*filp))
                 host_err = PTR_ERR(*filp);
         else {
@@ -1276,6 +1284,10 @@ nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
          * If it has, the parent directory should already be locked.
          */
         if (!resfhp->fh_dentry) {
+                host_err = fh_want_write(fhp);
+                if (host_err)
+                        goto out_nfserr;
+
                 /* called from nfsd_proc_mkdir, or possibly nfsd3_proc_create */
                 fh_lock_nested(fhp, I_MUTEX_PARENT);
                 dchild = lookup_one_len(fname, dentry, flen);
@@ -1319,17 +1331,14 @@ nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
                 goto out;
         }
 
-        host_err = fh_want_write(fhp);
-        if (host_err)
-                goto out_nfserr;
-
         /*
          * Get the dir op function pointer.
          */
         err = 0;
+        host_err = 0;
         switch (type) {
         case S_IFREG:
-                host_err = vfs_create(dirp, dchild, iap->ia_mode, NULL);
+                host_err = vfs_create(dirp, dchild, iap->ia_mode, true);
                 if (!host_err)
                         nfsd_check_ignore_resizing(iap);
                 break;
@@ -1343,10 +1352,8 @@ nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
                 host_err = vfs_mknod(dirp, dchild, iap->ia_mode, rdev);
                 break;
         }
-        if (host_err < 0) {
-                fh_drop_write(fhp);
+        if (host_err < 0)
                 goto out_nfserr;
-        }
 
         err = nfsd_create_setattr(rqstp, resfhp, iap);
 
@@ -1358,7 +1365,6 @@ nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
         err2 = nfserrno(commit_metadata(fhp));
         if (err2)
                 err = err2;
-        fh_drop_write(fhp);
         /*
          * Update the file handle to get the new inode info.
          */
@@ -1417,6 +1423,11 @@ do_nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
         err = nfserr_notdir;
         if (!dirp->i_op->lookup)
                 goto out;
+
+        host_err = fh_want_write(fhp);
+        if (host_err)
+                goto out_nfserr;
+
         fh_lock_nested(fhp, I_MUTEX_PARENT);
 
         /*
@@ -1449,9 +1460,6 @@ do_nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
                 v_atime = verifier[1]&0x7fffffff;
         }
         
-        host_err = fh_want_write(fhp);
-        if (host_err)
-                goto out_nfserr;
         if (dchild->d_inode) {
                 err = 0;
 
@@ -1492,7 +1500,7 @@ do_nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
                 goto out;
         }
 
-        host_err = vfs_create(dirp, dchild, iap->ia_mode, NULL);
+        host_err = vfs_create(dirp, dchild, iap->ia_mode, true);
         if (host_err < 0) {
                 fh_drop_write(fhp);
                 goto out_nfserr;
@@ -1522,7 +1530,6 @@ do_nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
         if (!err)
                 err = nfserrno(commit_metadata(fhp));
 
-        fh_drop_write(fhp);
         /*
          * Update the filehandle to get the new inode info.
          */
@@ -1533,6 +1540,7 @@ do_nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
         fh_unlock(fhp);
         if (dchild && !IS_ERR(dchild))
                 dput(dchild);
+        fh_drop_write(fhp);
         return err;
  
  out_nfserr:
@@ -1613,6 +1621,11 @@ nfsd_symlink(struct svc_rqst *rqstp, struct svc_fh *fhp,
         err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_CREATE);
         if (err)
                 goto out;
+
+        host_err = fh_want_write(fhp);
+        if (host_err)
+                goto out_nfserr;
+
         fh_lock(fhp);
         dentry = fhp->fh_dentry;
         dnew = lookup_one_len(fname, dentry, flen);
@@ -1620,10 +1633,6 @@ nfsd_symlink(struct svc_rqst *rqstp, struct svc_fh *fhp,
         if (IS_ERR(dnew))
                 goto out_nfserr;
 
-        host_err = fh_want_write(fhp);
-        if (host_err)
-                goto out_nfserr;
-
         if (unlikely(path[plen] != 0)) {
                 char *path_alloced = kmalloc(plen+1, GFP_KERNEL);
                 if (path_alloced == NULL)
@@ -1683,6 +1692,12 @@ nfsd_link(struct svc_rqst *rqstp, struct svc_fh *ffhp,
         if (isdotent(name, len))
                 goto out;
 
+        host_err = fh_want_write(tfhp);
+        if (host_err) {
+                err = nfserrno(host_err);
+                goto out;
+        }
+
         fh_lock_nested(ffhp, I_MUTEX_PARENT);
         ddir = ffhp->fh_dentry;
         dirp = ddir->d_inode;
@@ -1694,18 +1709,13 @@ nfsd_link(struct svc_rqst *rqstp, struct svc_fh *ffhp,
 
         dold = tfhp->fh_dentry;
 
-        host_err = fh_want_write(tfhp);
-        if (host_err) {
-                err = nfserrno(host_err);
-                goto out_dput;
-        }
         err = nfserr_noent;
         if (!dold->d_inode)
-                goto out_drop_write;
+                goto out_dput;
         host_err = nfsd_break_lease(dold->d_inode);
         if (host_err) {
                 err = nfserrno(host_err);
-                goto out_drop_write;
+                goto out_dput;
         }
         host_err = vfs_link(dold, dirp, dnew);
         if (!host_err) {
@@ -1718,12 +1728,11 @@ nfsd_link(struct svc_rqst *rqstp, struct svc_fh *ffhp,
                 else
                         err = nfserrno(host_err);
         }
-out_drop_write:
-        fh_drop_write(tfhp);
 out_dput:
         dput(dnew);
 out_unlock:
         fh_unlock(ffhp);
+        fh_drop_write(tfhp);
 out:
         return err;
 
@@ -1766,6 +1775,12 @@ nfsd_rename(struct svc_rqst *rqstp, struct svc_fh *ffhp, char *fname, int flen,
         if (!flen || isdotent(fname, flen) || !tlen || isdotent(tname, tlen))
                 goto out;
 
+        host_err = fh_want_write(ffhp);
+        if (host_err) {
+                err = nfserrno(host_err);
+                goto out;
+        }
+
         /* cannot use fh_lock as we need deadlock protective ordering
          * so do it by hand */
         trap = lock_rename(tdentry, fdentry);
@@ -1796,17 +1811,14 @@ nfsd_rename(struct svc_rqst *rqstp, struct svc_fh *ffhp, char *fname, int flen,
         host_err = -EXDEV;
         if (ffhp->fh_export->ex_path.mnt != tfhp->fh_export->ex_path.mnt)
                 goto out_dput_new;
-        host_err = fh_want_write(ffhp);
-        if (host_err)
-                goto out_dput_new;
 
         host_err = nfsd_break_lease(odentry->d_inode);
         if (host_err)
-                goto out_drop_write;
+                goto out_dput_new;
         if (ndentry->d_inode) {
                 host_err = nfsd_break_lease(ndentry->d_inode);
                 if (host_err)
-                        goto out_drop_write;
+                        goto out_dput_new;
         }
         host_err = vfs_rename(fdir, odentry, tdir, ndentry);
         if (!host_err) {
@@ -1814,8 +1826,6 @@ nfsd_rename(struct svc_rqst *rqstp, struct svc_fh *ffhp, char *fname, int flen,
                 if (!host_err)
                         host_err = commit_metadata(ffhp);
         }
-out_drop_write:
-        fh_drop_write(ffhp);
  out_dput_new:
         dput(ndentry);
  out_dput_old:
@@ -1831,6 +1841,7 @@ out_drop_write:
         fill_post_wcc(tfhp);
         unlock_rename(tdentry, fdentry);
         ffhp->fh_locked = tfhp->fh_locked = 0;
+        fh_drop_write(ffhp);
 
 out:
         return err;
@@ -1856,6 +1867,10 @@ nfsd_unlink(struct svc_rqst *rqstp, struct svc_fh *fhp, int type,
         if (err)
                 goto out;
 
+        host_err = fh_want_write(fhp);
+        if (host_err)
+                goto out_nfserr;
+
         fh_lock_nested(fhp, I_MUTEX_PARENT);
         dentry = fhp->fh_dentry;
         dirp = dentry->d_inode;
@@ -1874,21 +1889,15 @@ nfsd_unlink(struct svc_rqst *rqstp, struct svc_fh *fhp, int type,
         if (!type)
                 type = rdentry->d_inode->i_mode & S_IFMT;
 
-        host_err = fh_want_write(fhp);
-        if (host_err)
-                goto out_put;
-
         host_err = nfsd_break_lease(rdentry->d_inode);
         if (host_err)
-                goto out_drop_write;
+                goto out_put;
         if (type != S_IFDIR)
                 host_err = vfs_unlink(dirp, rdentry);
         else
                 host_err = vfs_rmdir(dirp, rdentry);
         if (!host_err)
                 host_err = commit_metadata(fhp);
-out_drop_write:
-        fh_drop_write(fhp);
 out_put:
         dput(rdentry);
 
diff --git a/fs/nfsd/vfs.h b/fs/nfsd/vfs.h
index ec0611b2b73..359594c393d 100644
--- a/fs/nfsd/vfs.h
+++ b/fs/nfsd/vfs.h
@@ -110,12 +110,19 @@ int nfsd_set_posix_acl(struct svc_fh *, int, struct posix_acl *);
 
 static inline int fh_want_write(struct svc_fh *fh)
 {
-        return mnt_want_write(fh->fh_export->ex_path.mnt);
+        int ret = mnt_want_write(fh->fh_export->ex_path.mnt);
+
+        if (!ret)
+                fh->fh_want_write = 1;
+        return ret;
 }
 
 static inline void fh_drop_write(struct svc_fh *fh)
 {
-        mnt_drop_write(fh->fh_export->ex_path.mnt);
+        if (fh->fh_want_write) {
+                fh->fh_want_write = 0;
+                mnt_drop_write(fh->fh_export->ex_path.mnt);
+        }
 }
 
 #endif /* LINUX_NFSD_VFS_H */