xref: /titanic_51/usr/src/uts/common/fs/nfs/nfs4_recovery.c (revision 81d2f16decea68b37031d78bb59a281bf486e420)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * NFS Version 4 state recovery code.
 */

#include <nfs/nfs4_clnt.h>
#include <nfs/nfs4.h>
#include <nfs/rnode4.h>
#include <sys/cmn_err.h>
#include <sys/cred.h>
#include <sys/systm.h>
#include <sys/flock.h>
#include <sys/dnlc.h>
#include <sys/ddi.h>
#include <sys/disp.h>
#include <sys/list.h>
#include <sys/sdt.h>
#include <sys/mount.h>
#include <sys/door.h>
#include <nfs/nfssys.h>
#include <nfs/nfsid_map.h>
#include <nfs/nfs4_idmap_impl.h>

extern r4hashq_t *rtable4;

/*
 * Information that describes what needs to be done for recovery.  It is
 * passed to a client recovery thread as well as passed to various recovery
 * routines.  rc_mi, rc_vp1, and rc_vp2 refer to the filesystem and
 * vnode(s) affected by recovery.  rc_vp1 and rc_vp2 are references (use
 * VN_HOLD) or NULL.  rc_lost_rqst contains information about the lost
 * lock or open/close request, and it holds reference counts for the
 * various objects (vnode, etc.).  The recovery thread also uses flags set
 * in the mntinfo4_t or vnode_t to tell it what to do.  rc_error is used
 * to save the error that originally triggered the recovery event -- will
 * later be used to set mi_error if recovery doesn't work.  rc_bseqid_rqst
 * contains information about the request that got NFS4ERR_BAD_SEQID, and
 * it holds reference count for the various objects (vnode, open owner,
 * open stream, lock owner).
 */

typedef struct {
	mntinfo4_t *rc_mi;
	vnode_t *rc_vp1;
	vnode_t *rc_vp2;
	nfs4_recov_t rc_action;
	stateid4 rc_stateid;
	bool_t rc_srv_reboot;		/* server has rebooted */
	nfs4_lost_rqst_t *rc_lost_rqst;
	nfs4_error_t rc_orig_errors;	/* original errors causing recovery */
	int rc_error;
	nfs4_bseqid_entry_t *rc_bseqid_rqst;
	vnode_t *rc_moved_vp;
	char *rc_moved_nm;
} recov_info_t;

/*
 * How long to wait before trying again if there is an error doing
 * recovery, in seconds.
 */

static int recov_err_delay = 1;

/*
 * How long to wait when processing NFS4ERR_GRACE or NFS4ERR_DELAY
 * errors.  Expressed in seconds.  Default is defined as
 * NFS4ERR_DELAY_TIME and this variable is initialized in nfs4_subr_init()
 */
time_t nfs4err_delay_time = 0;

/*
 * Tuneable to limit how many time "exempt" ops go OTW
 * after a recovery error.  Exempt op hints are OH_CLOSE,
 * OH_LOCKU, OH_DELEGRETURN.  These previously always went
 * OTW even after rnode was "dead" due to recovery errors.
 *
 * The tuneable below limits the number of times a start_fop
 * invocation will retry the exempt hints.  After the limit
 * is reached, nfs4_start_fop will return an error just like
 * it would for non-exempt op hints.
 */
int nfs4_max_recov_error_retry = 3;

/*
 * Number of seconds the recovery thread should pause before retry when the
 * filesystem has been forcibly unmounted.
 */

int nfs4_unmount_delay = 1;

#ifdef DEBUG

/*
 * How long to wait (in seconds) between recovery operations on a given
 * file.  Normally zero, but could be set longer for testing purposes.
 */
static int nfs4_recovdelay = 0;

/*
 * Switch that controls whether to go into the debugger when recovery
 * fails.
 */
static int nfs4_fail_recov_stop = 0;

/*
 * Tuneables to debug client namespace interaction with server
 * mount points:
 *
 *	nfs4_srvmnt_fail_cnt:
 *		number of times EACCES returned because client
 *		attempted to cross server mountpoint
 *
 *	nfs4_srvmnt_debug:
 *		trigger console printf whenever client attempts
 *		to cross server mountpoint
 */
int nfs4_srvmnt_fail_cnt = 0;
int nfs4_srvmnt_debug = 0;
#endif

extern zone_key_t	nfs4clnt_zone_key;

/* forward references, in alphabetic order */
static void close_after_open_resend(vnode_t *, cred_t *, uint32_t,
	nfs4_error_t *);
static void errs_to_action(recov_info_t *,
	nfs4_server_t *, mntinfo4_t *, stateid4 *, nfs4_lost_rqst_t *, int,
	nfs_opnum4, nfs4_bseqid_entry_t *);
static void flush_reinstate(nfs4_lost_rqst_t *);
static void free_milist(mntinfo4_t **, int);
static mntinfo4_t **make_milist(nfs4_server_t *, int *);
static int nfs4_check_recov_err(vnode_t *, nfs4_op_hint_t,
	nfs4_recov_state_t *, int, char *);
static char *nfs4_getsrvnames(mntinfo4_t *, size_t *);
static void nfs4_recov_fh_fail(vnode_t *, int, nfsstat4);
static void nfs4_recov_thread(recov_info_t *);
static void nfs4_remove_lost_rqsts(mntinfo4_t *, nfs4_server_t *);
static void nfs4_resend_lost_rqsts(recov_info_t *, nfs4_server_t *);
static cred_t *pid_to_cr(pid_t);
static void reclaim_one_lock(vnode_t *, flock64_t *, nfs4_error_t *, int *);
static void recov_bad_seqid(recov_info_t *);
static void recov_badstate(recov_info_t *, vnode_t *, nfsstat4);
static void recov_clientid(recov_info_t *, nfs4_server_t *);
static void recov_done(mntinfo4_t *, recov_info_t *);
static void recov_filehandle(nfs4_recov_t, mntinfo4_t *, vnode_t *);
static void recov_newserver(recov_info_t *, nfs4_server_t **, bool_t *);
static void recov_openfiles(recov_info_t *, nfs4_server_t *);
static void recov_stale(mntinfo4_t *, vnode_t *);
static void nfs4_free_lost_rqst(nfs4_lost_rqst_t *, nfs4_server_t *);
static void recov_throttle(recov_info_t *, vnode_t *);
static void relock_skip_pid(vnode_t *, locklist_t *, pid_t);
static void resend_lock(nfs4_lost_rqst_t *, nfs4_error_t *);
static void resend_one_op(nfs4_lost_rqst_t *, nfs4_error_t *, mntinfo4_t *,
	nfs4_server_t *);
static void save_bseqid_rqst(nfs4_bseqid_entry_t *, recov_info_t *);
static void start_recovery(recov_info_t *, mntinfo4_t *, vnode_t *, vnode_t *,
	nfs4_server_t *, vnode_t *, char *);
static void start_recovery_action(nfs4_recov_t, bool_t, mntinfo4_t *, vnode_t *,
	vnode_t *);
static int wait_for_recovery(mntinfo4_t *, nfs4_op_hint_t);

/*
 * Return non-zero if the given errno, status, and rpc status codes
 * in the nfs4_error_t indicate that client recovery is needed.
 * "stateful" indicates whether the call that got the error establishes or
 * removes state on the server (open, close, lock, unlock, delegreturn).
 */

int
nfs4_needs_recovery(nfs4_error_t *ep, bool_t stateful, vfs_t *vfsp)
{
	int recov = 0;
	mntinfo4_t *mi;

	/*
	 * Try failover if the error values justify it and if
	 * it's a failover mount.  Don't try if the mount is in
	 * progress, failures are handled explicitly by nfs4rootvp.
	 */
	if (nfs4_try_failover(ep)) {
		mi = VFTOMI4(vfsp);
		mutex_enter(&mi->mi_lock);
		recov = FAILOVER_MOUNT4(mi) && !(mi->mi_flags & MI4_MOUNTING);
		mutex_exit(&mi->mi_lock);
		if (recov)
			return (recov);
	}

	if (ep->error == EINTR || NFS4_FRC_UNMT_ERR(ep->error, vfsp)) {
		/*
		 * The server may have gotten the request, so for stateful
		 * ops we need to resynchronize and possibly back out the
		 * op.
		 */
		return (stateful);
	}
	if (ep->error != 0)
		return (0);

	/* stat values are listed alphabetically */
	/*
	 * There are two lists here: the errors for which we have code, and
	 * the errors for which we plan to have code before FCS.  For the
	 * second list, print a warning message but don't attempt recovery.
	 */
	switch (ep->stat) {
	case NFS4ERR_BADHANDLE:
	case NFS4ERR_BAD_SEQID:
	case NFS4ERR_BAD_STATEID:
	case NFS4ERR_DELAY:
	case NFS4ERR_EXPIRED:
	case NFS4ERR_FHEXPIRED:
	case NFS4ERR_GRACE:
	case NFS4ERR_OLD_STATEID:
	case NFS4ERR_RESOURCE:
	case NFS4ERR_STALE_CLIENTID:
	case NFS4ERR_STALE_STATEID:
	case NFS4ERR_WRONGSEC:
	case NFS4ERR_STALE:
		recov = 1;
		break;
#ifdef DEBUG
	case NFS4ERR_LEASE_MOVED:
	case NFS4ERR_MOVED:
		zcmn_err(VFTOMI4(vfsp)->mi_zone->zone_id,
		    CE_WARN, "!Can't yet recover from NFS status %d",
		    ep->stat);
		break;
#endif
	}

	return (recov);
}

/*
 * Some operations such as DELEGRETURN want to avoid invoking
 * recovery actions that will only mark the file dead.  If
 * better handlers are invoked for any of these errors, this
 * routine should be modified.
 */
int
nfs4_recov_marks_dead(nfsstat4 status)
{
	if (status == NFS4ERR_BAD_SEQID ||
	    status == NFS4ERR_EXPIRED ||
	    status == NFS4ERR_BAD_STATEID ||
	    status == NFS4ERR_OLD_STATEID)
		return (1);
	return (0);
}

/*
 * Transfer the state recovery information in recovp to mi's resend queue,
 * and mark mi as having a lost state request.
 */
static void
nfs4_enqueue_lost_rqst(recov_info_t *recovp, mntinfo4_t *mi)
{
	nfs4_lost_rqst_t *lrp = recovp->rc_lost_rqst;

	ASSERT(nfs_rw_lock_held(&mi->mi_recovlock, RW_READER) ||
	    nfs_rw_lock_held(&mi->mi_recovlock, RW_WRITER));

	ASSERT(lrp != NULL && lrp->lr_op != 0);

	NFS4_DEBUG(nfs4_lost_rqst_debug, (CE_NOTE,
	    "nfs4_enqueue_lost_rqst %p, op %d",
	    (void *)lrp, lrp->lr_op));

	mutex_enter(&mi->mi_lock);
	mi->mi_recovflags |= MI4R_LOST_STATE;
	if (lrp->lr_putfirst)
		list_insert_head(&mi->mi_lost_state, lrp);
	else
		list_insert_tail(&mi->mi_lost_state, lrp);
	recovp->rc_lost_rqst = NULL;
	mutex_exit(&mi->mi_lock);

	nfs4_queue_event(RE_LOST_STATE, mi, NULL, lrp->lr_op, lrp->lr_vp,
	    lrp->lr_dvp, 0, NULL, 0, TAG_NONE, TAG_NONE, 0, 0);
}

/*
 * Transfer the bad seqid recovery information in recovp to mi's
 * bad seqid queue, and mark mi as having a bad seqid request.
 */
void
enqueue_bseqid_rqst(recov_info_t *recovp, mntinfo4_t *mi)
{
	ASSERT(nfs_rw_lock_held(&mi->mi_recovlock, RW_READER) ||
	    nfs_rw_lock_held(&mi->mi_recovlock, RW_WRITER));
	ASSERT(recovp->rc_bseqid_rqst != NULL);

	mutex_enter(&mi->mi_lock);
	mi->mi_recovflags |= MI4R_BAD_SEQID;
	list_insert_tail(&mi->mi_bseqid_list, recovp->rc_bseqid_rqst);
	recovp->rc_bseqid_rqst = NULL;
	mutex_exit(&mi->mi_lock);
}

/*
 * Initiate recovery.
 *
 * The nfs4_error_t contains the return codes that triggered a recovery
 * attempt.  mi, vp1, and vp2 refer to the filesystem and files that were
 * being operated on.  vp1 and vp2 may be NULL.
 *
 * Multiple calls are okay.  If recovery is already underway, the call
 * updates the information about what state needs recovery but does not
 * start a new thread.  The caller should hold mi->mi_recovlock as a reader
 * for proper synchronization with any recovery thread.
 *
 * This will return TRUE if recovery was aborted, and FALSE otherwise.
 */
bool_t
nfs4_start_recovery(nfs4_error_t *ep, mntinfo4_t *mi, vnode_t *vp1,
    vnode_t *vp2, stateid4 *sid, nfs4_lost_rqst_t *lost_rqstp, nfs_opnum4 op,
    nfs4_bseqid_entry_t *bsep, vnode_t *moved_vp, char *moved_nm)
{
	recov_info_t *recovp;
	nfs4_server_t *sp;
	bool_t abort = FALSE;
	bool_t gone = FALSE;

	ASSERT(nfs_zone() == mi->mi_zone);
	mutex_enter(&mi->mi_lock);
	/*
	 * If there is lost state, we need to kick off recovery even if the
	 * filesystem has been unmounted or the zone is shutting down.
	 */
	gone = FS_OR_ZONE_GONE4(mi->mi_vfsp);
	if (gone) {
		ASSERT(ep->error != EINTR || lost_rqstp != NULL);
		if (ep->error == EIO && lost_rqstp == NULL) {
			/* failed due to forced unmount, no new lost state */
			abort = TRUE;
		}
		if ((ep->error == 0 || ep->error == ETIMEDOUT) &&
		    !(mi->mi_recovflags & MI4R_LOST_STATE)) {
			/* some other failure, no existing lost state */
			abort = TRUE;
		}
		if (abort) {
			mutex_exit(&mi->mi_lock);
			NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
			    "nfs4_start_recovery: fs unmounted"));
			return (TRUE);
		}
	}
	mi->mi_in_recovery++;
	mutex_exit(&mi->mi_lock);

	recovp = kmem_alloc(sizeof (recov_info_t), KM_SLEEP);
	recovp->rc_orig_errors = *ep;
	sp = find_nfs4_server(mi);
	errs_to_action(recovp, sp, mi, sid, lost_rqstp, gone, op, bsep);
	if (sp != NULL)
		mutex_exit(&sp->s_lock);
	start_recovery(recovp, mi, vp1, vp2, sp, moved_vp, moved_nm);
	if (sp != NULL)
		nfs4_server_rele(sp);
	return (FALSE);
}

/*
 * Internal version of nfs4_start_recovery.  The difference is that the
 * caller specifies the recovery action, rather than the errors leading to
 * recovery.
 */
static void
start_recovery_action(nfs4_recov_t what, bool_t reboot, mntinfo4_t *mi,
    vnode_t *vp1, vnode_t *vp2)
{
	recov_info_t *recovp;

	ASSERT(nfs_zone() == mi->mi_zone);
	mutex_enter(&mi->mi_lock);
	mi->mi_in_recovery++;
	mutex_exit(&mi->mi_lock);

	recovp = kmem_zalloc(sizeof (recov_info_t), KM_SLEEP);
	recovp->rc_action = what;
	recovp->rc_srv_reboot = reboot;
	recovp->rc_error = EIO;
	start_recovery(recovp, mi, vp1, vp2, NULL, NULL, NULL);
}

static void
start_recovery(recov_info_t *recovp, mntinfo4_t *mi,
    vnode_t *vp1, vnode_t *vp2, nfs4_server_t *sp,
    vnode_t *moved_vp, char *moved_nm)
{
	NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
	    "start_recovery: mi %p, what %s", (void*)mi,
	    nfs4_recov_action_to_str(recovp->rc_action)));

	/*
	 * Bump the reference on the vfs so that we can pass it to the
	 * recovery thread.
	 */
	VFS_HOLD(mi->mi_vfsp);
	MI4_HOLD(mi);
again:
	switch (recovp->rc_action) {
	case NR_FAILOVER:
		ASSERT(nfs_rw_lock_held(&mi->mi_recovlock, RW_READER) ||
		    nfs_rw_lock_held(&mi->mi_recovlock, RW_WRITER));
		if (mi->mi_servers->sv_next == NULL)
			goto out_no_thread;
		mutex_enter(&mi->mi_lock);
		mi->mi_recovflags |= MI4R_NEED_NEW_SERVER;
		mutex_exit(&mi->mi_lock);

		if (recovp->rc_lost_rqst != NULL)
			nfs4_enqueue_lost_rqst(recovp, mi);
		break;

	case NR_CLIENTID:
		/*
		 * If the filesystem has been unmounted, punt.
		 */
		if (sp == NULL)
			goto out_no_thread;

		/*
		 * If nobody else is working on the clientid, mark the
		 * clientid as being no longer set.  Then mark the specific
		 * filesystem being worked on.
		 */
		if (!nfs4_server_in_recovery(sp)) {
			mutex_enter(&sp->s_lock);
			sp->s_flags &= ~N4S_CLIENTID_SET;
			mutex_exit(&sp->s_lock);
		}
		ASSERT(nfs_rw_lock_held(&mi->mi_recovlock, RW_READER) ||
		    nfs_rw_lock_held(&mi->mi_recovlock, RW_WRITER));
		mutex_enter(&mi->mi_lock);
		mi->mi_recovflags |= MI4R_NEED_CLIENTID;
		if (recovp->rc_srv_reboot)
			mi->mi_recovflags |= MI4R_SRV_REBOOT;
		mutex_exit(&mi->mi_lock);
		break;

	case NR_OPENFILES:
		ASSERT(nfs_rw_lock_held(&mi->mi_recovlock, RW_READER) ||
		    nfs_rw_lock_held(&mi->mi_recovlock, RW_WRITER));
		mutex_enter(&mi->mi_lock);
		mi->mi_recovflags |= MI4R_REOPEN_FILES;
		if (recovp->rc_srv_reboot)
			mi->mi_recovflags |= MI4R_SRV_REBOOT;
		mutex_exit(&mi->mi_lock);
		break;

	case NR_WRONGSEC:
		ASSERT(nfs_rw_lock_held(&mi->mi_recovlock, RW_READER) ||
		    nfs_rw_lock_held(&mi->mi_recovlock, RW_WRITER));
		mutex_enter(&mi->mi_lock);
		mi->mi_recovflags |= MI4R_NEED_SECINFO;
		mutex_exit(&mi->mi_lock);
		break;

	case NR_EXPIRED:
		if (vp1 != NULL)
			recov_badstate(recovp, vp1, NFS4ERR_EXPIRED);
		if (vp2 != NULL)
			recov_badstate(recovp, vp2, NFS4ERR_EXPIRED);
		goto out_no_thread;	/* no further recovery possible */

	case NR_BAD_STATEID:
		if (vp1 != NULL)
			recov_badstate(recovp, vp1, NFS4ERR_BAD_STATEID);
		if (vp2 != NULL)
			recov_badstate(recovp, vp2, NFS4ERR_BAD_STATEID);
		goto out_no_thread;	/* no further recovery possible */

	case NR_FHEXPIRED:
	case NR_BADHANDLE:
		if (vp1 != NULL)
			recov_throttle(recovp, vp1);
		if (vp2 != NULL)
			recov_throttle(recovp, vp2);
		/*
		 * Recover the filehandle now, rather than using a
		 * separate thread.  We can do this because filehandle
		 * recovery is independent of any other state, and because
		 * we know that we are not competing with the recovery
		 * thread at this time.  recov_filehandle will deal with
		 * threads that are competing to recover this filehandle.
		 */
		ASSERT(nfs_rw_lock_held(&mi->mi_recovlock, RW_READER) ||
		    nfs_rw_lock_held(&mi->mi_recovlock, RW_WRITER));
		if (vp1 != NULL)
			recov_filehandle(recovp->rc_action, mi, vp1);
		if (vp2 != NULL)
			recov_filehandle(recovp->rc_action, mi, vp2);
		goto out_no_thread;	/* no further recovery needed */

	case NR_STALE:
		/*
		 * NFS4ERR_STALE handling
		 * recov_stale() could set MI4R_NEED_NEW_SERVER to
		 * indicate that we can and should failover.
		 */
		ASSERT(nfs_rw_lock_held(&mi->mi_recovlock, RW_READER) ||
		    nfs_rw_lock_held(&mi->mi_recovlock, RW_WRITER));

		if (vp1 != NULL)
			recov_stale(mi, vp1);
		if (vp2 != NULL)
			recov_stale(mi, vp2);
		mutex_enter(&mi->mi_lock);
		if ((mi->mi_recovflags & MI4R_NEED_NEW_SERVER) == 0) {
			mutex_exit(&mi->mi_lock);
			goto out_no_thread;
		}
		mutex_exit(&mi->mi_lock);
		recovp->rc_action = NR_FAILOVER;
		goto again;

	case NR_BAD_SEQID:
		if (recovp->rc_bseqid_rqst) {
			enqueue_bseqid_rqst(recovp, mi);
			break;
		}

		if (vp1 != NULL)
			recov_badstate(recovp, vp1, NFS4ERR_BAD_SEQID);
		if (vp2 != NULL)
			recov_badstate(recovp, vp2, NFS4ERR_BAD_SEQID);
		goto out_no_thread; /* no further recovery possible */

	case NR_OLDSTATEID:
		if (vp1 != NULL)
			recov_badstate(recovp, vp1, NFS4ERR_OLD_STATEID);
		if (vp2 != NULL)
			recov_badstate(recovp, vp2, NFS4ERR_OLD_STATEID);
		goto out_no_thread;	/* no further recovery possible */

	case NR_GRACE:
		nfs4_set_grace_wait(mi);
		goto out_no_thread; /* no further action required for GRACE */

	case NR_DELAY:
		if (vp1)
			nfs4_set_delay_wait(vp1);
		goto out_no_thread; /* no further action required for DELAY */

	case NR_LOST_STATE_RQST:
	case NR_LOST_LOCK:
		nfs4_enqueue_lost_rqst(recovp, mi);
		break;
	default:
		nfs4_queue_event(RE_UNEXPECTED_ACTION, mi, NULL,
		    recovp->rc_action, NULL, NULL, 0, NULL, 0, TAG_NONE,
		    TAG_NONE, 0, 0);
		goto out_no_thread;
	}

	/*
	 * If either file recently went through the same recovery, wait
	 * awhile.  This is in case there is some sort of bug; we might not
	 * be able to recover properly, but at least we won't bombard the
	 * server with calls, and we won't tie up the client.
	 */
	if (vp1 != NULL)
		recov_throttle(recovp, vp1);
	if (vp2 != NULL)
		recov_throttle(recovp, vp2);

	/*
	 * If there's already a recovery thread, don't start another one.
	 */

	mutex_enter(&mi->mi_lock);
	if (mi->mi_flags & MI4_RECOV_ACTIV) {
		mutex_exit(&mi->mi_lock);
		goto out_no_thread;
	}
	mi->mi_flags |= MI4_RECOV_ACTIV;
	mutex_exit(&mi->mi_lock);
	NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
	    "start_recovery: starting new thread for mi %p", (void*)mi));

	recovp->rc_mi = mi;
	recovp->rc_vp1 = vp1;
	if (vp1 != NULL) {
		ASSERT(VTOMI4(vp1) == mi);
		VN_HOLD(recovp->rc_vp1);
	}
	recovp->rc_vp2 = vp2;
	if (vp2 != NULL) {
		ASSERT(VTOMI4(vp2) == mi);
		VN_HOLD(recovp->rc_vp2);
	}
	recovp->rc_moved_vp = moved_vp;
	recovp->rc_moved_nm = moved_nm;

	(void) zthread_create(NULL, 0, nfs4_recov_thread, recovp, 0,
	    minclsyspri);
	return;

	/* not reached by thread creating call */
out_no_thread:
	mutex_enter(&mi->mi_lock);
	mi->mi_in_recovery--;
	if (mi->mi_in_recovery == 0)
		cv_broadcast(&mi->mi_cv_in_recov);
	mutex_exit(&mi->mi_lock);

	VFS_RELE(mi->mi_vfsp);
	MI4_RELE(mi);
	/*
	 * Free up resources that were allocated for us.
	 */
	kmem_free(recovp, sizeof (recov_info_t));
}

static int
nfs4_check_recov_err(vnode_t *vp, nfs4_op_hint_t op,
    nfs4_recov_state_t *rsp, int retry_err_cnt, char *str)
{
	rnode4_t *rp;
	int error = 0;
	int exempt;

	if (vp == NULL)
		return (0);

	exempt = (op == OH_CLOSE || op == OH_LOCKU || op == OH_DELEGRETURN);
	rp = VTOR4(vp);
	mutex_enter(&rp->r_statelock);

	/*
	 * If there was a recovery error, then allow op hints "exempt" from
	 * recov errors to retry (currently 3 times).  Either r_error or
	 * EIO is returned for non-exempt op hints.
	 */
	if (rp->r_flags & R4RECOVERR) {
		if (exempt && rsp->rs_num_retry_despite_err <=
		    nfs4_max_recov_error_retry) {

			/*
			 * Check to make sure that we haven't already inc'd
			 * rs_num_retry_despite_err for current nfs4_start_fop
			 * instance.  We don't want to double inc (if we were
			 * called with vp2, then the vp1 call could have
			 * already incremented.
			 */
			if (retry_err_cnt == rsp->rs_num_retry_despite_err)
				rsp->rs_num_retry_despite_err++;

			NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
			    "nfs4_start_fop: %s %p DEAD, cnt=%d", str,
			    (void *)vp, rsp->rs_num_retry_despite_err));
		} else {
			error = (rp->r_error ? rp->r_error : EIO);
			/*
			 * An ESTALE error on a non-regular file is not
			 * "sticky".  Return the ESTALE error once, but
			 * clear the condition to allow future operations
			 * to go OTW.  This will allow the client to
			 * recover if the server has merely unshared then
			 * re-shared the file system.  For regular files,
			 * the unshare has destroyed the open state at the
			 * server and we aren't willing to do a reopen (yet).
			 */
			if (error == ESTALE && vp->v_type != VREG) {
				rp->r_flags &=
				    ~(R4RECOVERR|R4RECOVERRP|R4STALE);
				rp->r_error = 0;
				error = ESTALE;
			}
			NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
			    "nfs4_start_fop: %s %p DEAD, cnt=%d error=%d",
			    str, (void *)vp,
			    rsp->rs_num_retry_despite_err, error));
		}
	}

	mutex_exit(&rp->r_statelock);
	return (error);
}

/*
 * Initial setup code that every operation should call if it might invoke
 * client recovery.  Can block waiting for recovery to finish on a
 * filesystem.  Either vnode ptr can be NULL.
 *
 * Returns 0 if there are no outstanding errors.  Can return an
 * errno value under various circumstances (e.g., failed recovery, or
 * interrupted while waiting for recovery to finish).
 *
 * There must be a corresponding call to nfs4_end_op() to free up any locks
 * or resources allocated by this call (assuming this call succeeded),
 * using the same rsp that's passed in here.
 *
 * The open and lock seqid synchronization must be stopped before calling this
 * function, as it could lead to deadlock when trying to reopen a file or
 * reclaim a lock.  The synchronization is obtained with calls to:
 *   nfs4_start_open_seqid_sync()
 *   nfs4_start_lock_seqid_sync()
 *
 * *startrecovp is set TRUE if the caller should not bother with the
 * over-the-wire call, and just initiate recovery for the given request.
 * This is typically used for state-releasing ops if the filesystem has
 * been forcibly unmounted.  startrecovp may be NULL for
 * non-state-releasing ops.
 */

int
nfs4_start_fop(mntinfo4_t *mi, vnode_t *vp1, vnode_t *vp2, nfs4_op_hint_t op,
    nfs4_recov_state_t *rsp, bool_t *startrecovp)
{
	int error = 0, rerr_cnt;
	nfs4_server_t *sp = NULL;
	nfs4_server_t *tsp;
	nfs4_error_t e = { 0, NFS4_OK, RPC_SUCCESS };
	uint_t droplock_cnt;
#ifdef DEBUG
	void *fop_caller;
#endif

	ASSERT(vp1 == NULL || vp1->v_vfsp == mi->mi_vfsp);
	ASSERT(vp2 == NULL || vp2->v_vfsp == mi->mi_vfsp);

#ifdef	DEBUG
	if ((fop_caller = tsd_get(nfs4_tsd_key)) != NULL) {
		cmn_err(CE_PANIC, "Missing nfs4_end_fop: last caller %p",
		    fop_caller);
	}
	(void) tsd_set(nfs4_tsd_key, caller());
#endif

	rsp->rs_sp = NULL;
	rsp->rs_flags &= ~NFS4_RS_RENAME_HELD;
	rerr_cnt = rsp->rs_num_retry_despite_err;

	/*
	 * Process the items that may delay() based on server response
	 */
	error = nfs4_wait_for_grace(mi, rsp);
	if (error)
		goto out;

	if (vp1 != NULL) {
		error = nfs4_wait_for_delay(vp1, rsp);
		if (error)
			goto out;
	}

	/* Wait for a delegation recall to complete. */

	error = wait_for_recall(vp1, vp2, op, rsp);
	if (error)
		goto out;

	/*
	 * Wait for any current recovery actions to finish.  Note that a
	 * recovery thread can still start up after wait_for_recovery()
	 * finishes.  We don't block out recovery operations until we
	 * acquire s_recovlock and mi_recovlock.
	 */
	error = wait_for_recovery(mi, op);
	if (error)
		goto out;

	/*
	 * Check to see if the rnode is already marked with a
	 * recovery error.  If so, return it immediately.  But
	 * always pass CLOSE, LOCKU, and DELEGRETURN so we can
	 * clean up state on the server.
	 */

	if (vp1 != NULL) {
		if (error = nfs4_check_recov_err(vp1, op, rsp, rerr_cnt, "vp1"))
			goto out;
		nfs4_check_remap(mi, vp1, NFS4_REMAP_CKATTRS, &e);
	}

	if (vp2 != NULL) {
		if (error = nfs4_check_recov_err(vp2, op, rsp, rerr_cnt, "vp2"))
			goto out;
		nfs4_check_remap(mi, vp2, NFS4_REMAP_CKATTRS, &e);
	}

	/*
	 * The lock order calls for us to acquire s_recovlock before
	 * mi_recovlock, but we have to hold mi_recovlock to look up sp (to
	 * prevent races with the failover/migration code).  So acquire
	 * mi_recovlock, look up sp, drop mi_recovlock, acquire
	 * s_recovlock and mi_recovlock, then verify that sp is still the
	 * right object.  XXX Can we find a simpler way to deal with this?
	 */
	if (nfs_rw_enter_sig(&mi->mi_recovlock, RW_READER,
	    mi->mi_flags & MI4_INT)) {
		error = EINTR;
		goto out;
	}
get_sp:
	sp = find_nfs4_server(mi);
	if (sp != NULL) {
		sp->s_otw_call_count++;
		mutex_exit(&sp->s_lock);
		droplock_cnt = mi->mi_srvset_cnt;
	}
	nfs_rw_exit(&mi->mi_recovlock);

	if (sp != NULL) {
		if (nfs_rw_enter_sig(&sp->s_recovlock, RW_READER,
		    mi->mi_flags & MI4_INT)) {
			error = EINTR;
			goto out;
		}
	}
	if (nfs_rw_enter_sig(&mi->mi_recovlock, RW_READER,
	    mi->mi_flags & MI4_INT)) {
		if (sp != NULL)
			nfs_rw_exit(&sp->s_recovlock);
		error = EINTR;
		goto out;
	}
	/*
	 * If the mntinfo4_t hasn't changed nfs4_sever_ts then
	 * there's no point in double checking to make sure it
	 * has switched.
	 */
	if (sp == NULL || droplock_cnt != mi->mi_srvset_cnt) {
		tsp = find_nfs4_server(mi);
		if (tsp != sp) {
			/* try again */
			if (tsp != NULL) {
				mutex_exit(&tsp->s_lock);
				nfs4_server_rele(tsp);
				tsp = NULL;
			}
			if (sp != NULL) {
				nfs_rw_exit(&sp->s_recovlock);
				mutex_enter(&sp->s_lock);
				sp->s_otw_call_count--;
				mutex_exit(&sp->s_lock);
				nfs4_server_rele(sp);
				sp = NULL;
			}
			goto get_sp;
		} else {
			if (tsp != NULL) {
				mutex_exit(&tsp->s_lock);
				nfs4_server_rele(tsp);
				tsp = NULL;
			}
		}
	}

	if (sp != NULL) {
		rsp->rs_sp = sp;
	}

	/*
	 * If the fileystem uses volatile filehandles, obtain a lock so
	 * that we synchronize with renames.  Exception: mount operations
	 * can change mi_fh_expire_type, which could be a problem, since
	 * the end_op code needs to be consistent with the start_op code
	 * about mi_rename_lock.  Since mounts don't compete with renames,
	 * it's simpler to just not acquire the rename lock for mounts.
	 */
	if (NFS4_VOLATILE_FH(mi) && op != OH_MOUNT) {
		if (nfs_rw_enter_sig(&mi->mi_rename_lock,
		    op == OH_VFH_RENAME ? RW_WRITER : RW_READER,
		    mi->mi_flags & MI4_INT)) {
			nfs_rw_exit(&mi->mi_recovlock);
			if (sp != NULL)
				nfs_rw_exit(&sp->s_recovlock);
			error = EINTR;
			goto out;
		}
		rsp->rs_flags |= NFS4_RS_RENAME_HELD;
	}

	if (OH_IS_STATE_RELE(op)) {
		/*
		 * For forced unmount, letting the request proceed will
		 * almost always delay response to the user, so hand it off
		 * to the recovery thread.  For exiting lwp's, we don't
		 * have a good way to tell if the request will hang.  We
		 * generally want processes to handle their own requests so
		 * that they can be done in parallel, but if there is
		 * already a recovery thread, hand the request off to it.
		 * This will improve user response at no cost to overall
		 * system throughput.  For zone shutdown, we'd prefer
		 * the recovery thread to handle this as well.
		 */
		ASSERT(startrecovp != NULL);
		mutex_enter(&mi->mi_lock);
		if (FS_OR_ZONE_GONE4(mi->mi_vfsp))
			*startrecovp = TRUE;
		else if ((curthread->t_proc_flag & TP_LWPEXIT) &&
		    (mi->mi_flags & MI4_RECOV_ACTIV))
			*startrecovp = TRUE;
		else
			*startrecovp = FALSE;
		mutex_exit(&mi->mi_lock);
	} else
		if (startrecovp != NULL)
			*startrecovp = FALSE;

	ASSERT(error == 0);
	return (error);

out:
	ASSERT(error != 0);
	if (sp != NULL) {
		mutex_enter(&sp->s_lock);
		sp->s_otw_call_count--;
		mutex_exit(&sp->s_lock);
		nfs4_server_rele(sp);
		rsp->rs_sp = NULL;
	}
	nfs4_end_op_recall(vp1, vp2, rsp);

#ifdef	DEBUG
	(void) tsd_set(nfs4_tsd_key, NULL);
#endif
	return (error);
}

/*
 * It is up to the caller to determine if rsp->rs_sp being NULL
 * is detrimental or not.
 */
int
nfs4_start_op(mntinfo4_t *mi, vnode_t *vp1, vnode_t *vp2,
    nfs4_recov_state_t *rsp)
{
	ASSERT(rsp->rs_num_retry_despite_err == 0);
	rsp->rs_num_retry_despite_err = 0;
	return (nfs4_start_fop(mi, vp1, vp2, OH_OTHER, rsp, NULL));
}

/*
 * Release any resources acquired by nfs4_start_op().
 * 'sp' should be the nfs4_server pointer returned by nfs4_start_op().
 *
 * The operation hint is used to avoid a deadlock by bypassing delegation
 * return logic for writes, which are done while returning a delegation.
 */

void
nfs4_end_fop(mntinfo4_t *mi, vnode_t *vp1, vnode_t *vp2, nfs4_op_hint_t op,
    nfs4_recov_state_t *rsp, bool_t needs_recov)
{
	nfs4_server_t *sp = rsp->rs_sp;
	rnode4_t *rp = NULL;

#ifdef	lint
	/*
	 * The op hint isn't used any more, but might be in
	 * the future.
	 */
	op = op;
#endif

#ifdef	DEBUG
	ASSERT(tsd_get(nfs4_tsd_key) != NULL);
	(void) tsd_set(nfs4_tsd_key, NULL);
#endif

	nfs4_end_op_recall(vp1, vp2, rsp);

	if (rsp->rs_flags & NFS4_RS_RENAME_HELD)
		nfs_rw_exit(&mi->mi_rename_lock);

	if (!needs_recov) {
		if (rsp->rs_flags & NFS4_RS_DELAY_MSG) {
			/* may need to clear the delay interval */
			if (vp1 != NULL) {
				rp = VTOR4(vp1);
				mutex_enter(&rp->r_statelock);
				rp->r_delay_interval = 0;
				mutex_exit(&rp->r_statelock);
			}
		}
		rsp->rs_flags &= ~(NFS4_RS_GRACE_MSG|NFS4_RS_DELAY_MSG);
	}

	/*
	 * If the corresponding nfs4_start_op() found a sp,
	 * then there must still be a sp.
	 */
	if (sp != NULL) {
		nfs_rw_exit(&mi->mi_recovlock);
		nfs_rw_exit(&sp->s_recovlock);
		mutex_enter(&sp->s_lock);
		sp->s_otw_call_count--;
		cv_broadcast(&sp->s_cv_otw_count);
		mutex_exit(&sp->s_lock);
		nfs4_server_rele(sp);
	} else {
		nfs_rw_exit(&mi->mi_recovlock);
	}
}

void
nfs4_end_op(mntinfo4_t *mi, vnode_t *vp1, vnode_t *vp2,
    nfs4_recov_state_t *rsp, bool_t needrecov)
{
	nfs4_end_fop(mi, vp1, vp2, OH_OTHER, rsp, needrecov);
}

/*
 * If the filesystem is going through client recovery, block until
 * finished.
 * Exceptions:
 * - state-releasing ops (CLOSE, LOCKU, DELEGRETURN) are allowed to proceed
 *   if the filesystem has been forcibly unmounted or the lwp is exiting.
 *
 * Return value:
 * - 0 if no errors
 * - EINTR if the call was interrupted
 * - EIO if the filesystem has been forcibly unmounted (non-state-releasing
 *   op)
 * - the errno value from the recovery thread, if recovery failed
 */

static int
wait_for_recovery(mntinfo4_t *mi, nfs4_op_hint_t op_hint)
{
	int error = 0;

	mutex_enter(&mi->mi_lock);

	while (mi->mi_recovflags != 0) {
		klwp_t *lwp = ttolwp(curthread);

		if ((mi->mi_vfsp->vfs_flag & VFS_UNMOUNTED) ||
		    (mi->mi_flags & MI4_RECOV_FAIL))
			break;
		if (OH_IS_STATE_RELE(op_hint) &&
		    (curthread->t_proc_flag & TP_LWPEXIT))
			break;

		if (lwp != NULL)
			lwp->lwp_nostop++;
		/* XXX - use different cv? */
		if (cv_wait_sig(&mi->mi_failover_cv, &mi->mi_lock) == 0) {
			error = EINTR;
			if (lwp != NULL)
				lwp->lwp_nostop--;
			break;
		}
		if (lwp != NULL)
			lwp->lwp_nostop--;
	}

	if ((mi->mi_vfsp->vfs_flag & VFS_UNMOUNTED) &&
	    !OH_IS_STATE_RELE(op_hint)) {
		NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
		    "wait_for_recovery: forced unmount"));
		error = EIO;
	} else if (mi->mi_flags & MI4_RECOV_FAIL) {
		NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
		    "wait_for_recovery: fail since RECOV FAIL"));
		error = mi->mi_error;
	}

	mutex_exit(&mi->mi_lock);

	return (error);
}

/*
 * If the client received NFS4ERR_GRACE for this particular mount,
 * the client blocks here until it is time to try again.
 *
 * Return value:
 * - 0 if wait was successful
 * - EINTR if the call was interrupted
 */

int
nfs4_wait_for_grace(mntinfo4_t *mi, nfs4_recov_state_t *rsp)
{
	int error = 0;
	time_t curtime, time_to_wait;

	/* do a unprotected check to reduce mi_lock contention */
	if (mi->mi_grace_wait != 0) {
		mutex_enter(&mi->mi_lock);

		if (mi->mi_grace_wait != 0) {
			if (!(rsp->rs_flags & NFS4_RS_GRACE_MSG))
				rsp->rs_flags |= NFS4_RS_GRACE_MSG;

			curtime = gethrestime_sec();

			if (curtime < mi->mi_grace_wait) {

				time_to_wait = mi->mi_grace_wait - curtime;

				mutex_exit(&mi->mi_lock);

				delay(SEC_TO_TICK(time_to_wait));

				curtime = gethrestime_sec();

				mutex_enter(&mi->mi_lock);

				if (curtime >= mi->mi_grace_wait)
					mi->mi_grace_wait = 0;
			} else {
				mi->mi_grace_wait = 0;
			}
		}
		mutex_exit(&mi->mi_lock);
	}

	return (error);
}

/*
 * If the client received NFS4ERR_DELAY for an operation on a vnode,
 * the client blocks here until it is time to try again.
 *
 * Return value:
 * - 0 if wait was successful
 * - EINTR if the call was interrupted
 */

int
nfs4_wait_for_delay(vnode_t *vp, nfs4_recov_state_t *rsp)
{
	int error = 0;
	time_t curtime, time_to_wait;
	rnode4_t *rp;

	ASSERT(vp != NULL);

	rp = VTOR4(vp);

	/* do a unprotected check to reduce r_statelock contention */
	if (rp->r_delay_wait != 0) {
		mutex_enter(&rp->r_statelock);

		if (rp->r_delay_wait != 0) {

			if (!(rsp->rs_flags & NFS4_RS_DELAY_MSG)) {
				rsp->rs_flags |= NFS4_RS_DELAY_MSG;
				nfs4_mi_kstat_inc_delay(VTOMI4(vp));
			}

			curtime = gethrestime_sec();

			if (curtime < rp->r_delay_wait) {

				time_to_wait = rp->r_delay_wait - curtime;

				mutex_exit(&rp->r_statelock);

				delay(SEC_TO_TICK(time_to_wait));

				curtime = gethrestime_sec();

				mutex_enter(&rp->r_statelock);

				if (curtime >= rp->r_delay_wait)
					rp->r_delay_wait = 0;
			} else {
				rp->r_delay_wait = 0;
			}
		}
		mutex_exit(&rp->r_statelock);
	}

	return (error);
}

/*
 * The recovery thread.
 */

static void
nfs4_recov_thread(recov_info_t *recovp)
{
	mntinfo4_t *mi = recovp->rc_mi;
	nfs4_server_t *sp;
	int done = 0, error = 0;
	bool_t recov_fail = FALSE;
	callb_cpr_t cpr_info;
	kmutex_t cpr_lock;

	nfs4_queue_event(RE_START, mi, NULL, mi->mi_recovflags,
	    recovp->rc_vp1, recovp->rc_vp2, 0, NULL, 0, TAG_NONE, TAG_NONE,
	    0, 0);

	mutex_init(&cpr_lock, NULL, MUTEX_DEFAULT, NULL);
	CALLB_CPR_INIT(&cpr_info, &cpr_lock, callb_generic_cpr, "nfsv4Recov");

	mutex_enter(&mi->mi_lock);
	mi->mi_recovthread = curthread;
	mutex_exit(&mi->mi_lock);

	/*
	 * We don't really need protection here against failover or
	 * migration, since the current thread is the one that would make
	 * any changes, but hold mi_recovlock anyway for completeness (and
	 * to satisfy any ASSERTs).
	 */
	(void) nfs_rw_enter_sig(&mi->mi_recovlock, RW_READER, 0);
	sp = find_nfs4_server(mi);
	if (sp != NULL)
		mutex_exit(&sp->s_lock);
	nfs_rw_exit(&mi->mi_recovlock);

	/*
	 * Do any necessary recovery, based on the information in recovp
	 * and any recovery flags.
	 */

	do {
		mutex_enter(&mi->mi_lock);
		if (FS_OR_ZONE_GONE4(mi->mi_vfsp)) {
			bool_t activesrv;

			NFS4_DEBUG(nfs4_client_recov_debug &&
			    mi->mi_vfsp->vfs_flag & VFS_UNMOUNTED, (CE_NOTE,
			    "nfs4_recov_thread: file system has been "
			    "unmounted"));
			NFS4_DEBUG(nfs4_client_recov_debug &&
			    zone_status_get(curproc->p_zone) >=
			    ZONE_IS_SHUTTING_DOWN, (CE_NOTE,
			    "nfs4_recov_thread: zone shutting down"));
			/*
			 * If the server has lost its state for us and
			 * the filesystem is unmounted, then the filesystem
			 * can be tossed, even if there are lost lock or
			 * lost state calls in the recovery queue.
			 */
			if (mi->mi_recovflags &
			    (MI4R_NEED_CLIENTID | MI4R_REOPEN_FILES)) {
				NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
				"nfs4_recov_thread: bailing out"));
				mi->mi_flags |= MI4_RECOV_FAIL;
				mi->mi_error = recovp->rc_error;
				recov_fail = TRUE;
			}
			/*
			 * We don't know if the server has any state for
			 * us, and the filesystem has been unmounted.  If
			 * there are "lost state" recovery items, keep
			 * trying to process them until there are no more
			 * mounted filesystems for the server.  Otherwise,
			 * bail out.  The reason we don't mark the
			 * filesystem as failing recovery is in case we
			 * have to do "lost state" recovery later (e.g., a
			 * user process exits).
			 */
			if (!(mi->mi_recovflags & MI4R_LOST_STATE)) {
				done = 1;
				mutex_exit(&mi->mi_lock);
				break;
			}
			mutex_exit(&mi->mi_lock);

			if (sp == NULL)
				activesrv = FALSE;
			else {
				mutex_enter(&sp->s_lock);
				activesrv = nfs4_fs_active(sp);
			}
			if (!activesrv) {
				NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
				    "no active fs for server %p",
				    (void *)sp));
				mutex_enter(&mi->mi_lock);
				mi->mi_flags |= MI4_RECOV_FAIL;
				mi->mi_error = recovp->rc_error;
				mutex_exit(&mi->mi_lock);
				recov_fail = TRUE;
				if (sp != NULL) {
					/*
					 * Mark the server instance as
					 * dead, so that nobody will attach
					 * a new filesystem.
					 */
					nfs4_mark_srv_dead(sp);
				}
			}
			if (sp != NULL)
				mutex_exit(&sp->s_lock);
		} else {
			mutex_exit(&mi->mi_lock);
		}

		/*
		 * Check if we need to select a new server for a
		 * failover.  Choosing a new server will force at
		 * least a check of the clientid.
		 */
		mutex_enter(&mi->mi_lock);
		if (!recov_fail &&
		    (mi->mi_recovflags & MI4R_NEED_NEW_SERVER)) {
			mutex_exit(&mi->mi_lock);
			recov_newserver(recovp, &sp, &recov_fail);
		} else
			mutex_exit(&mi->mi_lock);

		/*
		 * Check if we need to recover the clientid.  This
		 * must be done before file and lock recovery, and it
		 * potentially affects the recovery threads for other
		 * filesystems, so it gets special treatment.
		 */
		if (sp != NULL && recov_fail == FALSE) {
			mutex_enter(&sp->s_lock);
			if (!(sp->s_flags & N4S_CLIENTID_SET)) {
				mutex_exit(&sp->s_lock);
				recov_clientid(recovp, sp);
			} else {
				/*
				 * Unset this flag in case another recovery
				 * thread successfully recovered the clientid
				 * for us already.
				 */
				mutex_enter(&mi->mi_lock);
				mi->mi_recovflags &= ~MI4R_NEED_CLIENTID;
				mutex_exit(&mi->mi_lock);
				mutex_exit(&sp->s_lock);
			}
		}

		/*
		 * Check if we need to get the security information.
		 */
		mutex_enter(&mi->mi_lock);
		if ((mi->mi_recovflags & MI4R_NEED_SECINFO) &&
		    !(mi->mi_flags & MI4_RECOV_FAIL)) {
			mutex_exit(&mi->mi_lock);
			(void) nfs_rw_enter_sig(&mi->mi_recovlock,
			    RW_WRITER, 0);
			error = nfs4_secinfo_recov(recovp->rc_mi,
			    recovp->rc_vp1, recovp->rc_vp2);
			/*
			 * If error, nothing more can be done, stop
			 * the recovery.
			 */
			if (error) {
				mutex_enter(&mi->mi_lock);
				mi->mi_flags |= MI4_RECOV_FAIL;
				mi->mi_error = recovp->rc_error;
				mutex_exit(&mi->mi_lock);
				nfs4_queue_event(RE_WRONGSEC, mi, NULL,
				    error, recovp->rc_vp1, recovp->rc_vp2,
				    0, NULL, 0, TAG_NONE, TAG_NONE, 0, 0);
			}
			nfs_rw_exit(&mi->mi_recovlock);
		} else
			mutex_exit(&mi->mi_lock);

		/*
		 * Check if there's a bad seqid to recover.
		 */
		mutex_enter(&mi->mi_lock);
		if ((mi->mi_recovflags & MI4R_BAD_SEQID) &&
		    !(mi->mi_flags & MI4_RECOV_FAIL)) {
			mutex_exit(&mi->mi_lock);
			(void) nfs_rw_enter_sig(&mi->mi_recovlock,
			    RW_WRITER, 0);
			recov_bad_seqid(recovp);
			nfs_rw_exit(&mi->mi_recovlock);
		} else
			mutex_exit(&mi->mi_lock);

		/*
		 * Next check for recovery that affects the entire
		 * filesystem.
		 */
		if (sp != NULL) {
			mutex_enter(&mi->mi_lock);
			if ((mi->mi_recovflags & MI4R_REOPEN_FILES) &&
			    !(mi->mi_flags & MI4_RECOV_FAIL)) {
				mutex_exit(&mi->mi_lock);
				recov_openfiles(recovp, sp);
			} else
				mutex_exit(&mi->mi_lock);
		}

		/*
		 * Send any queued state recovery requests.
		 */
		mutex_enter(&mi->mi_lock);
		if (sp != NULL &&
		    (mi->mi_recovflags & MI4R_LOST_STATE) &&
		    !(mi->mi_flags & MI4_RECOV_FAIL)) {
			mutex_exit(&mi->mi_lock);
			(void) nfs_rw_enter_sig(&mi->mi_recovlock,
			    RW_WRITER, 0);
			nfs4_resend_lost_rqsts(recovp, sp);
			if (list_head(&mi->mi_lost_state) == NULL) {
				/* done */
				mutex_enter(&mi->mi_lock);
				mi->mi_recovflags &= ~MI4R_LOST_STATE;
				mutex_exit(&mi->mi_lock);
			}
			nfs_rw_exit(&mi->mi_recovlock);
		} else {
			mutex_exit(&mi->mi_lock);
		}

		/*
		 * See if there is anything more to do.  If not, announce
		 * that we are done and exit.
		 *
		 * Need mi_recovlock to keep 'sp' valid.  Must grab
		 * mi_recovlock before mi_lock to preserve lock ordering.
		 */
		(void) nfs_rw_enter_sig(&mi->mi_recovlock, RW_READER, 0);
		mutex_enter(&mi->mi_lock);
		if ((mi->mi_recovflags & ~MI4R_SRV_REBOOT) == 0 ||
		    (mi->mi_flags & MI4_RECOV_FAIL)) {
			list_t local_lost_state;
			nfs4_lost_rqst_t *lrp;

			/*
			 * We need to remove the lost requests before we
			 * unmark the mi as no longer doing recovery to
			 * avoid a race with a new thread putting new lost
			 * requests on the same mi (and the going away
			 * thread would remove the new lost requests).
			 *
			 * Move the lost requests to a local list since
			 * nfs4_remove_lost_rqst() drops mi_lock, and
			 * dropping the mi_lock would make our check to
			 * see if recovery is done no longer valid.
			 */
			list_create(&local_lost_state,
			    sizeof (nfs4_lost_rqst_t),
			    offsetof(nfs4_lost_rqst_t, lr_node));
			list_move_tail(&local_lost_state, &mi->mi_lost_state);

			done = 1;
			mutex_exit(&mi->mi_lock);
			/*
			 * Now officially free the "moved"
			 * lost requests.
			 */
			while ((lrp = list_head(&local_lost_state)) != NULL) {
				list_remove(&local_lost_state, lrp);
				nfs4_free_lost_rqst(lrp, sp);
			}
			list_destroy(&local_lost_state);
		} else
			mutex_exit(&mi->mi_lock);
		nfs_rw_exit(&mi->mi_recovlock);

		/*
		 * If the filesystem has been forcibly unmounted, there is
		 * probably no point in retrying immediately.  Furthermore,
		 * there might be user processes waiting for a chance to
		 * queue up "lost state" requests, so that they can exit.
		 * So pause here for a moment.  Same logic for zone shutdown.
		 */
		if (!done && FS_OR_ZONE_GONE4(mi->mi_vfsp)) {
			mutex_enter(&mi->mi_lock);
			cv_broadcast(&mi->mi_failover_cv);
			mutex_exit(&mi->mi_lock);
			delay(SEC_TO_TICK(nfs4_unmount_delay));
		}

	} while (!done);

	if (sp != NULL)
		nfs4_server_rele(sp);

	/*
	 * Return all recalled delegations
	 */
	nfs4_dlistclean();

	mutex_enter(&mi->mi_lock);
	recov_done(mi, recovp);
	mutex_exit(&mi->mi_lock);

	/*
	 * Free up resources that were allocated for us.
	 */
	if (recovp->rc_vp1 != NULL)
		VN_RELE(recovp->rc_vp1);
	if (recovp->rc_vp2 != NULL)
		VN_RELE(recovp->rc_vp2);

	/* now we are done using the mi struct, signal the waiters */
	mutex_enter(&mi->mi_lock);
	mi->mi_in_recovery--;
	if (mi->mi_in_recovery == 0)
		cv_broadcast(&mi->mi_cv_in_recov);
	mutex_exit(&mi->mi_lock);

	VFS_RELE(mi->mi_vfsp);
	MI4_RELE(mi);
	kmem_free(recovp, sizeof (recov_info_t));
	mutex_enter(&cpr_lock);
	CALLB_CPR_EXIT(&cpr_info);
	mutex_destroy(&cpr_lock);
	zthread_exit();
}

/*
 * Log the end of recovery and notify any waiting threads.
 */

static void
recov_done(mntinfo4_t *mi, recov_info_t *recovp)
{

	ASSERT(MUTEX_HELD(&mi->mi_lock));

	nfs4_queue_event(RE_END, mi, NULL, 0, recovp->rc_vp1,
	    recovp->rc_vp2, 0, NULL, 0, TAG_NONE, TAG_NONE, 0, 0);
	mi->mi_recovthread = NULL;
	mi->mi_flags &= ~MI4_RECOV_ACTIV;
	mi->mi_recovflags &= ~MI4R_SRV_REBOOT;
	cv_broadcast(&mi->mi_failover_cv);
}

/*
 * State-specific recovery routines, by state.
 */

/*
 * Failover.
 *
 * Replaces *spp with a reference to the new server, which must
 * eventually be freed.
 */

static void
recov_newserver(recov_info_t *recovp, nfs4_server_t **spp, bool_t *recov_fail)
{
	mntinfo4_t *mi = recovp->rc_mi;
	servinfo4_t *svp = NULL;
	nfs4_server_t *osp = *spp;
	CLIENT *cl;
	enum clnt_stat status;
	struct timeval tv;
	int error;
	int oncethru = 0;
	rnode4_t *rp;
	int index;
	nfs_fh4 fh;
	char *snames;
	size_t len;

	(void) nfs_rw_enter_sig(&mi->mi_recovlock, RW_WRITER, 0);

	tv.tv_sec = 2;
	tv.tv_usec = 0;

#ifdef lint
	/*
	 * Lint can't follow the logic, so thinks that snames and len
	 * can be used before being set.  They can't, but lint can't
	 * figure it out.  To address the lint warning, initialize
	 * snames and len for lint.
	 */
	snames = NULL;
	len = 0;
#endif

	/*
	 * Ping the null NFS procedure of every server in
	 * the list until one responds.  We always start
	 * at the head of the list and always skip the one
	 * that is current, since it's caused us a problem.
	 */
	while (svp == NULL) {
		for (svp = mi->mi_servers; svp; svp = svp->sv_next) {

			mutex_enter(&mi->mi_lock);
			if (FS_OR_ZONE_GONE4(mi->mi_vfsp)) {
				mi->mi_flags |= MI4_RECOV_FAIL;
				mutex_exit(&mi->mi_lock);
				(void) nfs_rw_exit(&mi->mi_recovlock);
				*recov_fail = TRUE;
				if (oncethru)
					kmem_free(snames, len);
				return;
			}
			mutex_exit(&mi->mi_lock);

			(void) nfs_rw_enter_sig(&svp->sv_lock, RW_READER, 0);
			if (svp->sv_flags & SV4_NOTINUSE) {
				nfs_rw_exit(&svp->sv_lock);
				continue;
			}
			nfs_rw_exit(&svp->sv_lock);

			if (!oncethru && svp == mi->mi_curr_serv)
				continue;

			error = clnt_tli_kcreate(svp->sv_knconf, &svp->sv_addr,
			    NFS_PROGRAM, NFS_V4, 0, 1, CRED(), &cl);
			if (error)
				continue;

			if (!(mi->mi_flags & MI4_INT))
				cl->cl_nosignal = TRUE;
			status = CLNT_CALL(cl, RFS_NULL, xdr_void, NULL,
			    xdr_void, NULL, tv);
			if (!(mi->mi_flags & MI4_INT))
				cl->cl_nosignal = FALSE;
			AUTH_DESTROY(cl->cl_auth);
			CLNT_DESTROY(cl);
			if (status == RPC_SUCCESS) {
				nfs4_queue_event(RE_FAILOVER, mi,
				    svp == mi->mi_curr_serv ? NULL :
				    svp->sv_hostname, 0, NULL, NULL, 0,
				    NULL, 0, TAG_NONE, TAG_NONE, 0, 0);
				break;
			}
		}

		if (svp == NULL) {
			if (!oncethru) {
				snames = nfs4_getsrvnames(mi, &len);
				nfs4_queue_fact(RF_SRVS_NOT_RESPOND, mi,
				    0, 0, 0, FALSE, snames, 0, NULL);
				oncethru = 1;
			}
			delay(hz);
		}
	}

	if (oncethru) {
		nfs4_queue_fact(RF_SRVS_OK, mi, 0, 0, 0, FALSE, snames,
		    0, NULL);
		kmem_free(snames, len);
	}

#if DEBUG
	(void) nfs_rw_enter_sig(&svp->sv_lock, RW_READER, 0);
	ASSERT((svp->sv_flags & SV4_NOTINUSE) == 0);
	nfs_rw_exit(&svp->sv_lock);
#endif

	mutex_enter(&mi->mi_lock);
	mi->mi_recovflags &= ~MI4R_NEED_NEW_SERVER;
	if (svp != mi->mi_curr_serv) {
		servinfo4_t *osvp = mi->mi_curr_serv;

		mutex_exit(&mi->mi_lock);

		/*
		 * Update server-dependent fields in the root vnode.
		 */
		index = rtable4hash(mi->mi_rootfh);
		rw_enter(&rtable4[index].r_lock, RW_WRITER);

		rp = r4find(&rtable4[index], mi->mi_rootfh, mi->mi_vfsp);
		if (rp != NULL) {
			NFS4_DEBUG(nfs4_client_failover_debug, (CE_NOTE,
			    "recov_newserver: remapping %s", rnode4info(rp)));
			mutex_enter(&rp->r_statelock);
			rp->r_server = svp;
			PURGE_ATTRCACHE4_LOCKED(rp);
			mutex_exit(&rp->r_statelock);
			(void) nfs4_free_data_reclaim(rp);
			nfs4_purge_rddir_cache(RTOV4(rp));
			rw_exit(&rtable4[index].r_lock);
			NFS4_DEBUG(nfs4_client_failover_debug, (CE_NOTE,
			    "recov_newserver: done with %s",
			    rnode4info(rp)));
			VN_RELE(RTOV4(rp));
		} else
			rw_exit(&rtable4[index].r_lock);
		(void) dnlc_purge_vfsp(mi->mi_vfsp, 0);

		mutex_enter(&mi->mi_lock);
		mi->mi_recovflags |= MI4R_REOPEN_FILES | MI4R_REMAP_FILES;
		if (recovp->rc_srv_reboot)
			mi->mi_recovflags |= MI4R_SRV_REBOOT;
		mi->mi_curr_serv = svp;
		mi->mi_failover++;
		mi->mi_flags &= ~MI4_BADOWNER_DEBUG;
		mutex_exit(&mi->mi_lock);

		(void) nfs_rw_enter_sig(&svp->sv_lock, RW_READER, 0);
		fh.nfs_fh4_len = svp->sv_fhandle.fh_len;
		fh.nfs_fh4_val = svp->sv_fhandle.fh_buf;
		sfh4_update(mi->mi_rootfh, &fh);
		fh.nfs_fh4_len = svp->sv_pfhandle.fh_len;
		fh.nfs_fh4_val = svp->sv_pfhandle.fh_buf;
		sfh4_update(mi->mi_srvparentfh, &fh);
		nfs_rw_exit(&svp->sv_lock);

		*spp = nfs4_move_mi(mi, osvp, svp);
		if (osp != NULL)
			nfs4_server_rele(osp);
	} else
		mutex_exit(&mi->mi_lock);
	(void) nfs_rw_exit(&mi->mi_recovlock);
}

/*
 * Clientid.
 */

static void
recov_clientid(recov_info_t *recovp, nfs4_server_t *sp)
{
	mntinfo4_t *mi = recovp->rc_mi;
	int error = 0;
	int still_stale;
	int need_new_s;

	ASSERT(sp != NULL);

	/*
	 * Acquire the recovery lock and then verify that the clientid
	 * still needs to be recovered.  (Note that s_recovlock is supposed
	 * to be acquired before s_lock.)  Since the thread holds the
	 * recovery lock, no other thread will recover the clientid.
	 */
	(void) nfs_rw_enter_sig(&sp->s_recovlock, RW_WRITER, 0);
	(void) nfs_rw_enter_sig(&mi->mi_recovlock, RW_WRITER, 0);
	mutex_enter(&sp->s_lock);
	still_stale = ((sp->s_flags & N4S_CLIENTID_SET) == 0);
	mutex_exit(&sp->s_lock);

	if (still_stale) {
		nfs4_error_t n4e;

		nfs4_error_zinit(&n4e);
		nfs4setclientid(mi, kcred, TRUE, &n4e);
		error = n4e.error;
		if (error != 0) {

			/*
			 * nfs4setclientid may have set MI4R_NEED_NEW_SERVER,
			 * if so, just return and let recov_thread drive
			 * failover.
			 */
			mutex_enter(&mi->mi_lock);
			need_new_s = mi->mi_recovflags & MI4R_NEED_NEW_SERVER;
			mutex_exit(&mi->mi_lock);

			if (need_new_s) {
				nfs_rw_exit(&mi->mi_recovlock);
				nfs_rw_exit(&sp->s_recovlock);
				return;
			}

			nfs4_queue_event(RE_CLIENTID, mi, NULL, n4e.error, NULL,
			    NULL, n4e.stat, NULL, 0, TAG_NONE, TAG_NONE, 0, 0);
			mutex_enter(&mi->mi_lock);
			mi->mi_flags |= MI4_RECOV_FAIL;
			mi->mi_error = recovp->rc_error;
			mutex_exit(&mi->mi_lock);
			/* don't destroy the nfs4_server, let umount do it */
		}
	}

	if (error == 0) {
		mutex_enter(&mi->mi_lock);
		mi->mi_recovflags &= ~MI4R_NEED_CLIENTID;
		/*
		 * If still_stale isn't true, then another thread already
		 * recovered the clientid.  And that thread that set the
		 * clientid will have initiated reopening files on all the
		 * filesystems for the server, so we should not initiate
		 * reopening for this filesystem here.
		 */
		if (still_stale) {
			mi->mi_recovflags |= MI4R_REOPEN_FILES;
			if (recovp->rc_srv_reboot)
				mi->mi_recovflags |= MI4R_SRV_REBOOT;
		}
		mutex_exit(&mi->mi_lock);
	}

	nfs_rw_exit(&mi->mi_recovlock);

	if (error != 0) {
		nfs_rw_exit(&sp->s_recovlock);
		mutex_enter(&mi->mi_lock);
		if ((mi->mi_flags & MI4_RECOV_FAIL) == 0)
			delay(SEC_TO_TICK(recov_err_delay));
		mutex_exit(&mi->mi_lock);
	} else {
		mntinfo4_t **milist;
		mntinfo4_t *tmi;
		int nummi, i;

		/*
		 * Initiate recovery of open files for other filesystems.
		 * We create an array of filesystems, rather than just
		 * walking the filesystem list, to avoid deadlock issues
		 * with s_lock and mi_recovlock.
		 */
		milist = make_milist(sp, &nummi);
		for (i = 0; i < nummi; i++) {
			tmi = milist[i];
			if (tmi != mi) {
				(void) nfs_rw_enter_sig(&tmi->mi_recovlock,
				    RW_READER, 0);
				start_recovery_action(NR_OPENFILES, TRUE, tmi,
				    NULL, NULL);
				nfs_rw_exit(&tmi->mi_recovlock);
			}
		}
		free_milist(milist, nummi);

		nfs_rw_exit(&sp->s_recovlock);
	}
}

/*
 * Return an array of filesystems associated with the given server.  The
 * caller should call free_milist() to free the references and memory.
 */

static mntinfo4_t **
make_milist(nfs4_server_t *sp, int *nummip)
{
	int nummi, i;
	mntinfo4_t **milist;
	mntinfo4_t *tmi;

	mutex_enter(&sp->s_lock);
	nummi = 0;
	for (tmi = sp->mntinfo4_list; tmi != NULL; tmi = tmi->mi_clientid_next)
		nummi++;

	milist = kmem_alloc(nummi * sizeof (mntinfo4_t *), KM_SLEEP);

	for (i = 0, tmi = sp->mntinfo4_list; tmi != NULL; i++,
	    tmi = tmi->mi_clientid_next) {
		milist[i] = tmi;
		VFS_HOLD(tmi->mi_vfsp);
	}
	mutex_exit(&sp->s_lock);

	*nummip = nummi;
	return (milist);
}

/*
 * Free the filesystem list created by make_milist().
 */

static void
free_milist(mntinfo4_t **milist, int nummi)
{
	mntinfo4_t *tmi;
	int i;

	for (i = 0; i < nummi; i++) {
		tmi = milist[i];
		VFS_RELE(tmi->mi_vfsp);
	}
	kmem_free(milist, nummi * sizeof (mntinfo4_t *));
}

/*
 * Filehandle
 */

/*
 * Lookup the filehandle for the given vnode and update the rnode if it has
 * changed.
 *
 * Errors:
 * - if the filehandle could not be updated because of an error that
 *   requires further recovery, initiate that recovery and return.
 * - if the filehandle could not be updated because of a signal, pretend we
 *   succeeded and let someone else deal with it.
 * - if the filehandle could not be updated and the filesystem has been
 *   forcibly unmounted, pretend we succeeded, and let the caller deal with
 *   the forced unmount (to retry or not to retry, that is the question).
 * - if the filehandle could not be updated because of some other error,
 *   mark the rnode bad and return.
 */
static void
recov_filehandle(nfs4_recov_t action, mntinfo4_t *mi, vnode_t *vp)
{
	rnode4_t *rp = VTOR4(vp);
	nfs4_error_t e = { 0, NFS4_OK, RPC_SUCCESS };
	bool_t needrecov;

	mutex_enter(&rp->r_statelock);

	if (rp->r_flags & R4RECOVERR) {
		mutex_exit(&rp->r_statelock);
		return;
	}

	/*
	 * If someone else is updating the filehandle, wait for them to
	 * finish and then let our caller retry.
	 */
	if (rp->r_flags & R4RECEXPFH) {
		while (rp->r_flags & R4RECEXPFH) {
			cv_wait(&rp->r_cv, &rp->r_statelock);
		}
		mutex_exit(&rp->r_statelock);
		return;
	}
	rp->r_flags |= R4RECEXPFH;
	mutex_exit(&rp->r_statelock);

	if (action == NR_BADHANDLE) {
		/* shouldn't happen */
		nfs4_queue_event(RE_BADHANDLE, mi, NULL, 0,
		    vp, NULL, 0, NULL, 0, TAG_NONE, TAG_NONE, 0, 0);
	}

	nfs4_remap_file(mi, vp, 0, &e);
	needrecov = nfs4_needs_recovery(&e, FALSE, mi->mi_vfsp);

	/*
	 * If we get BADHANDLE, FHEXPIRED or STALE in their handler,
	 * something is broken. Don't try to recover, just mark the
	 * file dead.
	 */
	DTRACE_PROBE2(recov__filehandle, nfs4_error_t, &e, vnode_t, vp);
	if (needrecov) {
		if (e.error == 0) {
			switch (e.stat) {
			case NFS4ERR_BADHANDLE:
			case NFS4ERR_FHEXPIRED:
			case NFS4ERR_STALE:
				goto norec;	/* Unrecoverable errors */
			default:
				break;
			}
		}
		(void) nfs4_start_recovery(&e, mi, vp, NULL,
		    NULL, NULL, OP_LOOKUP, NULL, NULL, NULL);

	} else if (e.error != EINTR &&
	    !NFS4_FRC_UNMT_ERR(e.error, mi->mi_vfsp) &&
	    (e.error != 0 || e.stat != NFS4_OK)) {
		nfs4_recov_fh_fail(vp, e.error, e.stat);
		/*
		 * Don't set r_error to ESTALE. Higher-level code (e.g.,
		 * cstatat_getvp()) retries on ESTALE, which would cause
		 * an infinite loop.
		 */
	}
norec:
	mutex_enter(&rp->r_statelock);
	rp->r_flags &= ~R4RECEXPFH;
	cv_broadcast(&rp->r_cv);
	mutex_exit(&rp->r_statelock);
}

/*
 * Stale Filehandle
 */

/*
 * A stale filehandle can happen when an individual file has
 * been removed, or when an entire filesystem has been taken
 * offline.  To distinguish these cases, we do this:
 * - if a GETATTR with the current filehandle is okay, we do
 *   nothing (this can happen with two-filehandle ops)
 * - if the GETATTR fails, but a GETATTR of the root filehandle
 *   succeeds, mark the rnode with R4STALE, which will stop use
 * - if the GETATTR fails, and a GETATTR of the root filehandle
 *   also fails, we consider the problem filesystem-wide, so:
 *   - if we can failover, we should
 *   - if we can't failover, we should mark both the original
 *     vnode and the root bad
 */
static void
recov_stale(mntinfo4_t *mi, vnode_t *vp)
{
	rnode4_t *rp = VTOR4(vp);
	vnode_t *rootvp = NULL;
	nfs4_error_t e = { 0, NFS4_OK, RPC_SUCCESS };
	nfs4_ga_res_t gar;
	char *fail_msg = "failed to recover from NFS4ERR_STALE";
	bool_t needrecov;

	mutex_enter(&rp->r_statelock);

	if (rp->r_flags & R4RECOVERR) {
		mutex_exit(&rp->r_statelock);
		NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
		    "recov_stale: already marked dead, rp %s",
		    rnode4info(rp)));
		return;
	}

	if (rp->r_flags & R4STALE) {
		mutex_exit(&rp->r_statelock);
		NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
		    "recov_stale: already marked stale, rp %s",
		    rnode4info(rp)));
		return;
	}

	mutex_exit(&rp->r_statelock);

	/* Try a GETATTR on this vnode */
	nfs4_getattr_otw_norecovery(vp, &gar, &e, CRED(), 0);

	/*
	 * Handle non-STALE recoverable errors
	 */
	needrecov = nfs4_needs_recovery(&e, FALSE, vp->v_vfsp);
	if (needrecov) {
		if (e.error == 0) {
			switch (e.stat) {
			case NFS4ERR_STALE:
			case NFS4ERR_BADHANDLE:
				goto norec;	/* Unrecoverable */
			default:
				break;
			}
		}
		(void) nfs4_start_recovery(&e, mi, vp, NULL,
		    NULL, NULL, OP_GETATTR, NULL, NULL, NULL);
		goto out;
	}
norec:
	/* Are things OK for this vnode? */
	if (!e.error && e.stat == NFS4_OK) {
		NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
		    "recov_stale: file appears fine, rp %s",
		    rnode4info(rp)));
		goto out;
	}

	/* Did we get an unrelated non-recoverable error? */
	if (e.error || e.stat != NFS4ERR_STALE) {
		nfs4_fail_recov(vp, fail_msg, e.error, e.stat);
		NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
		    "recov_stale: unrelated fatal error, rp %s",
		    rnode4info(rp)));
		goto out;
	}

	/*
	 * If we don't appear to be dealing with the root node, find it.
	 */
	if ((vp->v_flag & VROOT) == 0) {
		nfs4_error_zinit(&e);
		e.error = VFS_ROOT(vp->v_vfsp, &rootvp);
		if (e.error) {
			nfs4_fail_recov(vp, fail_msg, 0, NFS4ERR_STALE);
			NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
			    "recov_stale: can't find root node for rp %s",
			    rnode4info(rp)));
			goto out;
		}
	}

	/* Try a GETATTR on the root vnode */
	if (rootvp != NULL) {
		nfs4_error_zinit(&e);
		nfs4_getattr_otw_norecovery(rootvp, &gar, &e, CRED(), 0);

		needrecov = nfs4_needs_recovery(&e, FALSE, vp->v_vfsp);
		if (needrecov) {
			if (e.error == 0) {
				switch (e.stat) {
				case NFS4ERR_STALE:
				case NFS4ERR_BADHANDLE:
					goto unrec;	/* Unrecoverable */
				default:
					break;
				}
			}
			(void) nfs4_start_recovery(&e, mi, rootvp, NULL,
			    NULL, NULL, OP_GETATTR, NULL, NULL, NULL);
		}
unrec:
		/*
		 * Check to see if a failover attempt is warranted
		 * NB: nfs4_try_failover doesn't check for STALE
		 * because recov_stale gets a shot first.  Now that
		 * recov_stale has failed, go ahead and try failover.
		 *
		 * If the getattr on the root filehandle was successful,
		 * then mark recovery as failed for 'vp' and exit.
		 */
		if (nfs4_try_failover(&e) == 0 && e.stat != NFS4ERR_STALE) {
			/*
			 * pass the original error to fail_recov, not
			 * the one from trying the root vnode.
			 */
			nfs4_fail_recov(vp, fail_msg, 0, NFS4ERR_STALE);
			NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
			    "recov_stale: root node OK, marking "
			    "dead rp %s", rnode4info(rp)));
			goto out;
		}
	}

	/*
	 * Here, we know that both the original file and the
	 * root filehandle (which may be the same) are stale.
	 * We want to fail over if we can, and if we can't, we
	 * want to mark everything in sight bad.
	 */
	if (FAILOVER_MOUNT4(mi)) {
		mutex_enter(&mi->mi_lock);
		mi->mi_recovflags |= MI4R_NEED_NEW_SERVER;
		NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
		    "recov_stale: failing over due to rp %s",
		    rnode4info(rp)));
		mutex_exit(&mi->mi_lock);
	} else {
		rnode4_t *rootrp;
		servinfo4_t *svp;

		/*
		 * Can't fail over, so mark things dead.
		 *
		 * If rootvp is set, we know we have a distinct
		 * non-root vnode which can be marked dead in
		 * the usual way.
		 *
		 * Then we want to mark the root vnode dead.
		 * Note that if rootvp wasn't set, our vp is
		 * actually the root vnode.
		 */
		if (rootvp != NULL) {
			NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
			    "recov_stale: can't fail over, marking dead rp %s",
			    rnode4info(rp)));
			nfs4_fail_recov(vp, fail_msg, 0, NFS4ERR_STALE);
		} else {
			rootvp = vp;
			VN_HOLD(rootvp);
		}

		/*
		 * Mark root dead, but quietly - since
		 * the root rnode is frequently recreated,
		 * we can encounter this at every access.
		 * Also mark recovery as failed on this VFS.
		 */
		rootrp = VTOR4(rootvp);
		NFS4_DEBUG(nfs4_client_recov_debug, (CE_CONT,
		    "recov_stale: marking dead root rp %s",
		    rnode4info(rootrp)));
		mutex_enter(&rootrp->r_statelock);
		rootrp->r_flags |= (R4RECOVERR | R4STALE);
		rootrp->r_error = ESTALE;
		mutex_exit(&rootrp->r_statelock);
		mutex_enter(&mi->mi_lock);
		mi->mi_error = ESTALE;
		mutex_exit(&mi->mi_lock);

		svp = mi->mi_curr_serv;
		(void) nfs_rw_enter_sig(&svp->sv_lock, RW_WRITER, 0);
		svp->sv_flags |= SV4_ROOT_STALE;
		nfs_rw_exit(&svp->sv_lock);
	}

out:
	if (rootvp)
		VN_RELE(rootvp);
}

/*
 * Locks.
 */

/*
 * Reclaim all the active (acquired) locks for the given file.
 * If a process lost a lock, the process is sent a SIGLOST.  This is not
 * considered an error.
 *
 * Return values:
 * Errors and status are returned via the nfs4_error_t parameter
 * If an error indicates that recovery is needed, the caller is responsible
 * for dealing with it.
 */

static void
relock_file(vnode_t *vp, mntinfo4_t *mi, nfs4_error_t *ep,
    fattr4_change pre_change)
{
	locklist_t *locks, *llp;
	rnode4_t *rp;

	ASSERT(ep != NULL);
	nfs4_error_zinit(ep);

	if (VTOMI4(vp)->mi_flags & MI4_LLOCK)
		return;

	nfs4_flush_lock_owners(VTOR4(vp));

	/*
	 * If we get an error that requires recovery actions, just bail out
	 * and let the top-level recovery code handle it.
	 *
	 * If we get some other error, kill the process that owned the lock
	 * and mark its remaining locks (if any) as belonging to NOPID, so
	 * that we don't make any more reclaim requests for that process.
	 */

	rp = VTOR4(vp);
	locks = flk_active_locks_for_vp(vp);
	for (llp = locks; llp != NULL; llp = llp->ll_next) {
		int did_reclaim = 1;

		ASSERT(llp->ll_vp == vp);
		if (llp->ll_flock.l_pid == NOPID)
			continue;
		reclaim_one_lock(vp, &llp->ll_flock, ep, &did_reclaim);
		/*
		 * If we need to restart recovery, stop processing the
		 * list.  Some errors would be recoverable under other
		 * circumstances, but if they happen here we just give up
		 * on the lock.
		 */
		if (nfs4_needs_recovery(ep, TRUE, vp->v_vfsp)) {
			if (ep->error != 0)
				break;
			if (!nfs4_recov_marks_dead(ep->stat))
				break;
		}
		/*
		 *   In case the server isn't offering us a grace period, or
		 * if we missed it, we might have opened & locked from scratch,
		 * rather than reopened/reclaimed.
		 *   We need to ensure that the object hadn't been otherwise
		 * changed during this time, by comparing the changeinfo.
		 *   We get passed the changeinfo from before the reopen by our
		 * caller, in pre_change.
		 *   The changeinfo from after the reopen is in rp->r_change,
		 * courtesy of the GETATTR in the reopen.
		 *   If they're different, then the file has changed, and we
		 * have to SIGLOST the app.
		 */
		if (ep->error == 0 && ep->stat == NFS4_OK && !did_reclaim) {
			mutex_enter(&rp->r_statelock);
			if (pre_change != rp->r_change)
				ep->stat = NFS4ERR_NO_GRACE;
			mutex_exit(&rp->r_statelock);
		}
		if (ep->error != 0 || ep->stat != NFS4_OK) {
			if (ep->error != 0)
				nfs4_queue_event(RE_FAIL_RELOCK, mi,
				    NULL, ep->error, vp, NULL, 0, NULL,
				    llp->ll_flock.l_pid, TAG_NONE, TAG_NONE,
				    0, 0);
			else
				nfs4_queue_event(RE_FAIL_RELOCK, mi,
				    NULL, 0, vp, NULL, ep->stat, NULL,
				    llp->ll_flock.l_pid, TAG_NONE, TAG_NONE,
				    0, 0);
			nfs4_send_siglost(llp->ll_flock.l_pid, mi, vp, TRUE,
			    ep->error, ep->stat);
			relock_skip_pid(vp, llp, llp->ll_flock.l_pid);

			/* Reinitialize the nfs4_error and continue */
			nfs4_error_zinit(ep);
		}
	}

	if (locks != NULL)
		flk_free_locklist(locks);
}

/*
 * Reclaim the given lock.
 *
 * Errors are returned via the nfs4_error_t parameter.
 */
static void
reclaim_one_lock(vnode_t *vp, flock64_t *flk, nfs4_error_t *ep,
    int *did_reclaimp)
{
	cred_t *cr;
	rnode4_t *rp = VTOR4(vp);

	cr = pid_to_cr(flk->l_pid);
	if (cr == NULL) {
		nfs4_error_init(ep, ESRCH);
		return;
	}

	do {
		mutex_enter(&rp->r_statelock);
		if (rp->r_flags & R4RECOVERR) {
			mutex_exit(&rp->r_statelock);
			nfs4_error_init(ep, ESTALE);
			break;
		}
		mutex_exit(&rp->r_statelock);

		nfs4frlock(NFS4_LCK_CTYPE_RECLAIM, vp, F_SETLK, flk, cr, ep,
		    NULL, did_reclaimp);
		if (ep->error == 0 && ep->stat == NFS4ERR_FHEXPIRED)
			start_recovery_action(NR_FHEXPIRED, TRUE, VTOMI4(vp),
			    vp, NULL);
	} while (ep->error == 0 && ep->stat == NFS4ERR_FHEXPIRED);

	crfree(cr);
}

/*
 * Open files.
 */

/*
 * Verifies if the nfsstat4 is a valid error for marking this vnode dead.
 * Returns 1 if the error is valid; 0 otherwise.
 */
static int
nfs4_valid_recov_err_for_vp(vnode_t *vp, nfsstat4 stat)
{
	/*
	 * We should not be marking non-regular files as dead,
	 * except in very rare cases (eg: BADHANDLE or NFS4ERR_BADNAME).
	 */
	if (vp->v_type != VREG && stat != NFS4ERR_BADHANDLE &&
	    stat != NFS4ERR_BADNAME)
		return (0);

	return (1);
}

/*
 * Failed attempting to recover a filehandle.  If 'stat' is valid for 'vp',
 * then mark the object dead.  Since we've had to do a lookup for
 * filehandle recovery, we will mark the object dead if we got NOENT.
 */
static void
nfs4_recov_fh_fail(vnode_t *vp, int error, nfsstat4 stat)
{
	ASSERT(vp != NULL);

	if ((error == 0) && (stat != NFS4ERR_NOENT) &&
	    (!nfs4_valid_recov_err_for_vp(vp, stat)))
		return;

	nfs4_fail_recov(vp, "can't recover filehandle", error, stat);
}

/*
 * Recovery from a "shouldn't happen" error.  In the long term, we'd like
 * to mark only the data structure(s) that provided the bad value as being
 * bad.  But for now we'll just mark the entire file.
 */

static void
recov_badstate(recov_info_t *recovp, vnode_t *vp, nfsstat4 stat)
{
	ASSERT(vp != NULL);
	recov_throttle(recovp, vp);

	if (!nfs4_valid_recov_err_for_vp(vp, stat))
		return;

	nfs4_fail_recov(vp, "", 0, stat);
}

/*
 * Free up the information saved for a lost state request.
 */
static void
nfs4_free_lost_rqst(nfs4_lost_rqst_t *lrp, nfs4_server_t *sp)
{
	component4 *filep;
	nfs4_open_stream_t *osp;
	int have_sync_lock;

	NFS4_DEBUG(nfs4_lost_rqst_debug,
	    (CE_NOTE, "nfs4_free_lost_rqst:"));

	switch (lrp->lr_op) {
	case OP_OPEN:
		filep = &lrp->lr_ofile;
		if (filep->utf8string_val) {
			kmem_free(filep->utf8string_val, filep->utf8string_len);
			filep->utf8string_val = NULL;
		}
		break;
	case OP_DELEGRETURN:
		nfs4delegreturn_cleanup(VTOR4(lrp->lr_vp), sp);
		break;
	case OP_CLOSE:
		osp = lrp->lr_osp;
		ASSERT(osp != NULL);
		mutex_enter(&osp->os_sync_lock);
		have_sync_lock = 1;
		if (osp->os_pending_close) {
			/* clean up the open file state. */
			osp->os_pending_close = 0;
			nfs4close_notw(lrp->lr_vp, osp, &have_sync_lock);
		}
		if (have_sync_lock)
			mutex_exit(&osp->os_sync_lock);
		break;
	}

	lrp->lr_op = 0;
	if (lrp->lr_oop != NULL) {
		open_owner_rele(lrp->lr_oop);
		lrp->lr_oop = NULL;
	}
	if (lrp->lr_osp != NULL) {
		open_stream_rele(lrp->lr_osp, VTOR4(lrp->lr_vp));
		lrp->lr_osp = NULL;
	}
	if (lrp->lr_lop != NULL) {
		lock_owner_rele(lrp->lr_lop);
		lrp->lr_lop = NULL;
	}
	if (lrp->lr_flk != NULL) {
		kmem_free(lrp->lr_flk, sizeof (flock64_t));
		lrp->lr_flk = NULL;
	}
	if (lrp->lr_vp != NULL) {
		VN_RELE(lrp->lr_vp);
		lrp->lr_vp = NULL;
	}
	if (lrp->lr_dvp != NULL) {
		VN_RELE(lrp->lr_dvp);
		lrp->lr_dvp = NULL;
	}
	if (lrp->lr_cr != NULL) {
		crfree(lrp->lr_cr);
		lrp->lr_cr = NULL;
	}

	kmem_free(lrp, sizeof (nfs4_lost_rqst_t));
}

/*
 * Remove any lost state requests and free them.
 */
static void
nfs4_remove_lost_rqsts(mntinfo4_t *mi, nfs4_server_t *sp)
{
	nfs4_lost_rqst_t *lrp;

	mutex_enter(&mi->mi_lock);
	while ((lrp = list_head(&mi->mi_lost_state)) != NULL) {
		list_remove(&mi->mi_lost_state, lrp);
		mutex_exit(&mi->mi_lock);
		nfs4_free_lost_rqst(lrp, sp);
		mutex_enter(&mi->mi_lock);
	}
	mutex_exit(&mi->mi_lock);
}

/*
 * Reopen all the files for the given filesystem and reclaim any locks.
 */

static void
recov_openfiles(recov_info_t *recovp, nfs4_server_t *sp)
{
	mntinfo4_t *mi = recovp->rc_mi;
	nfs4_opinst_t *reopenlist = NULL, *rep;
	nfs4_error_t e = { 0, NFS4_OK, RPC_SUCCESS };
	open_claim_type4 claim;
	int remap;
	char *fail_msg = "No such file or directory on replica";
	rnode4_t *rp;
	fattr4_change pre_change;

	ASSERT(sp != NULL);

	/*
	 * This check is to allow a 10ms pause before we reopen files
	 * it should allow the server time to have received the CB_NULL
	 * reply and update its internal structures such that (if
	 * applicable) we are granted a delegation on reopened files.
	 */
	mutex_enter(&sp->s_lock);
	if ((sp->s_flags & (N4S_CB_PINGED | N4S_CB_WAITER)) == 0) {
		sp->s_flags |= N4S_CB_WAITER;
		(void) cv_reltimedwait(&sp->wait_cb_null, &sp->s_lock,
		    drv_usectohz(N4S_CB_PAUSE_TIME), TR_CLOCK_TICK);
	}
	mutex_exit(&sp->s_lock);

	(void) nfs_rw_enter_sig(&sp->s_recovlock, RW_READER, 0);
	(void) nfs_rw_enter_sig(&mi->mi_recovlock, RW_WRITER, 0);

	if (NFS4_VOLATILE_FH(mi)) {
		nfs4_remap_root(mi, &e, 0);
		if (nfs4_needs_recovery(&e, FALSE, mi->mi_vfsp)) {
			(void) nfs4_start_recovery(&e, mi, NULL,
			    NULL, NULL, NULL, OP_LOOKUP, NULL, NULL, NULL);
		}
	}

	mutex_enter(&mi->mi_lock);
	if (recovp->rc_srv_reboot || (mi->mi_recovflags & MI4R_SRV_REBOOT))
		claim = CLAIM_PREVIOUS;
	else
		claim = CLAIM_NULL;
	mutex_exit(&mi->mi_lock);

	if (e.error == 0 && e.stat == NFS4_OK) {
		/*
		 * Get a snapshot of open files in the filesystem.  Note
		 * that new opens will stall until the server's grace
		 * period is done.
		 */
		reopenlist = r4mkopenlist(mi);

		mutex_enter(&mi->mi_lock);
		remap = mi->mi_recovflags & MI4R_REMAP_FILES;
		mutex_exit(&mi->mi_lock);
		/*
		 * Since we are re-establishing state on the
		 * server, its ok to blow away the saved lost
		 * requests since we don't need to reissue it.
		 */
		nfs4_remove_lost_rqsts(mi, sp);

		for (rep = reopenlist; rep; rep = rep->re_next) {

			if (remap) {
				nfs4_remap_file(mi, rep->re_vp,
				    NFS4_REMAP_CKATTRS, &e);
			}
			DTRACE_PROBE2(recov__openfiles, nfs4_error_t, &e,
			    vnode_t, rep->re_vp);
			if (e.error == ENOENT || e.stat == NFS4ERR_NOENT) {
				/*
				 * The current server does not have the file
				 * that is to be remapped.  This is most
				 * likely due to an improperly maintained
				 * replica.   The files that are missing from
				 * the server will be marked dead and logged
				 * in order to make sys admins aware of the
				 * problem.
				 */
				nfs4_fail_recov(rep->re_vp,
				    fail_msg, e.error, e.stat);
				/*
				 * We've already handled the error so clear it.
				 */
				nfs4_error_zinit(&e);
				continue;
			} else if (e.error == 0 && e.stat == NFS4_OK) {
				int j;

				rp = VTOR4(rep->re_vp);
				mutex_enter(&rp->r_statelock);
				pre_change = rp->r_change;
				mutex_exit(&rp->r_statelock);

				for (j = 0; j < rep->re_numosp; j++) {
					nfs4_reopen(rep->re_vp, rep->re_osp[j],
					    &e, claim, FALSE, TRUE);
					if (e.error != 0 || e.stat != NFS4_OK)
						break;
				}
				if (nfs4_needs_recovery(&e, TRUE,
				    mi->mi_vfsp)) {
					(void) nfs4_start_recovery(&e, mi,
					    rep->re_vp, NULL, NULL, NULL,
					    OP_OPEN, NULL, NULL, NULL);
					break;
				}
			}
#ifdef DEBUG
			if (nfs4_recovdelay > 0)
				delay(MSEC_TO_TICK(nfs4_recovdelay * 1000));
#endif
			if (e.error == 0 && e.stat == NFS4_OK) {
				relock_file(rep->re_vp, mi, &e, pre_change);

				if (nfs4_needs_recovery(&e, TRUE, mi->mi_vfsp))
					(void) nfs4_start_recovery(&e, mi,
					    rep->re_vp, NULL, NULL, NULL,
					    OP_LOCK, NULL, NULL, NULL);
			}

			if (e.error != 0 || e.stat != NFS4_OK)
				break;
		}

		/*
		 * Check to see if we need to remap files passed in
		 * via the recovery arguments; this will have been
		 * done for open files.  A failure here is not fatal.
		 */
		if (remap) {
			nfs4_error_t ignore;
			nfs4_check_remap(mi, recovp->rc_vp1, NFS4_REMAP_CKATTRS,
			    &ignore);
			nfs4_check_remap(mi, recovp->rc_vp2, NFS4_REMAP_CKATTRS,
			    &ignore);
		}
	}

	if (e.error == 0 && e.stat == NFS4_OK) {
		mutex_enter(&mi->mi_lock);
		mi->mi_recovflags &= ~(MI4R_REOPEN_FILES | MI4R_REMAP_FILES);
		mutex_exit(&mi->mi_lock);
	}

	nfs_rw_exit(&mi->mi_recovlock);
	nfs_rw_exit(&sp->s_recovlock);

	if (reopenlist != NULL)
		r4releopenlist(reopenlist);
}

/*
 * Resend the queued state recovery requests in "rqsts".
 */

static void
nfs4_resend_lost_rqsts(recov_info_t *recovp, nfs4_server_t *sp)
{
	nfs4_lost_rqst_t	*lrp, *tlrp;
	mntinfo4_t		*mi = recovp->rc_mi;
	nfs4_error_t		n4e;
#ifdef NOTYET
	uint32_t		deny_bits = 0;
#endif

	NFS4_DEBUG(nfs4_lost_rqst_debug, (CE_NOTE, "nfs4_resend_lost_rqsts"));

	ASSERT(mi != NULL);
	ASSERT(nfs_rw_lock_held(&mi->mi_recovlock, RW_WRITER));

	mutex_enter(&mi->mi_lock);
	lrp = list_head(&mi->mi_lost_state);
	mutex_exit(&mi->mi_lock);
	while (lrp != NULL) {
		nfs4_error_zinit(&n4e);
		resend_one_op(lrp, &n4e, mi, sp);
		NFS4_DEBUG(nfs4_lost_rqst_debug, (CE_NOTE,
		    "nfs4_resend_lost_rqsts: resend request: for vp %p got "
		    "error %d stat %d", (void *)lrp->lr_vp, n4e.error,
		    n4e.stat));

		/*
		 * If we get a recovery error that we can actually
		 * recover from (such as ETIMEDOUT, FHEXPIRED), we
		 * return and let the recovery thread redrive the call.
		 * Don't requeue unless the zone is still healthy.
		 */
		if (zone_status_get(curproc->p_zone) < ZONE_IS_SHUTTING_DOWN &&
		    nfs4_needs_recovery(&n4e, TRUE, mi->mi_vfsp) &&
		    (nfs4_try_failover(&n4e) ||
		    NFS4_FRC_UNMT_ERR(n4e.error, mi->mi_vfsp) ||
		    (n4e.error == 0 && n4e.stat != NFS4ERR_BADHANDLE &&
		    !nfs4_recov_marks_dead(n4e.stat)))) {
			/*
			 * For these three errors, we want to delay a bit
			 * instead of pounding the server into submission.
			 * We have to do this manually; the normal
			 * processing for these errors only works for
			 * non-recovery requests.
			 */
			if ((n4e.error == 0 && n4e.stat == NFS4ERR_DELAY) ||
			    (n4e.error == 0 && n4e.stat == NFS4ERR_GRACE) ||
			    (n4e.error == 0 && n4e.stat == NFS4ERR_RESOURCE) ||
			    NFS4_FRC_UNMT_ERR(n4e.error, mi->mi_vfsp)) {
				delay(SEC_TO_TICK(nfs4err_delay_time));
			} else {
				(void) nfs4_start_recovery(&n4e,
				    mi, lrp->lr_dvp, lrp->lr_vp, NULL, NULL,
				    lrp->lr_op, NULL, NULL, NULL);
			}
			return;
		}

		mutex_enter(&mi->mi_lock);
		list_remove(&mi->mi_lost_state, lrp);
		tlrp = lrp;
		lrp = list_head(&mi->mi_lost_state);
		mutex_exit(&mi->mi_lock);
		nfs4_free_lost_rqst(tlrp, sp);
	}
}

/*
 * Resend the given op, and issue any necessary undo call.
 * errors are returned via the nfs4_error_t parameter.
 */

static void
resend_one_op(nfs4_lost_rqst_t *lrp, nfs4_error_t *ep,
    mntinfo4_t *mi, nfs4_server_t *sp)
{
	vnode_t *vp;
	nfs4_open_stream_t *osp;
	cred_t *cr;
	uint32_t acc_bits;

	vp = lrp->lr_vp;
	NFS4_DEBUG(nfs4_lost_rqst_debug, (CE_NOTE, "resend_one_op: "
	    "have a lost open/close request for vp %p", (void *)vp));

	switch (lrp->lr_op) {
	case OP_OPEN:
		nfs4_resend_open_otw(&vp, lrp, ep);
		break;
	case OP_OPEN_DOWNGRADE:
		ASSERT(lrp->lr_oop != NULL);
		ep->error = nfs4_start_open_seqid_sync(lrp->lr_oop, mi);
		ASSERT(!ep->error);	/* recov thread always succeeds */
		ASSERT(lrp->lr_osp != NULL);
		mutex_enter(&lrp->lr_osp->os_sync_lock);
		nfs4_open_downgrade(lrp->lr_dg_acc, lrp->lr_dg_deny,
		    lrp->lr_oop, lrp->lr_osp, vp, lrp->lr_cr, lrp,
		    ep, NULL, NULL);
		mutex_exit(&lrp->lr_osp->os_sync_lock);
		nfs4_end_open_seqid_sync(lrp->lr_oop);
		break;
	case OP_CLOSE:
		osp = lrp->lr_osp;
		cr = lrp->lr_cr;
		acc_bits = 0;
		mutex_enter(&osp->os_sync_lock);
		if (osp->os_share_acc_read)
			acc_bits |= OPEN4_SHARE_ACCESS_READ;
		if (osp->os_share_acc_write)
			acc_bits |= OPEN4_SHARE_ACCESS_WRITE;
		mutex_exit(&osp->os_sync_lock);
		nfs4close_one(vp, osp, cr, acc_bits, lrp, ep,
		    CLOSE_RESEND, 0, 0, 0);
		break;
	case OP_LOCK:
	case OP_LOCKU:
		resend_lock(lrp, ep);
		goto done;
	case OP_DELEGRETURN:
		nfs4_resend_delegreturn(lrp, ep, sp);
		goto done;
	default:
#ifdef DEBUG
		cmn_err(CE_PANIC, "resend_one_op: unexpected op: %d",
		    lrp->lr_op);
#endif
		nfs4_queue_event(RE_LOST_STATE_BAD_OP, mi, NULL,
		    lrp->lr_op, lrp->lr_vp, lrp->lr_dvp, NFS4_OK, NULL, 0,
		    TAG_NONE, TAG_NONE, 0, 0);
		nfs4_error_init(ep, EINVAL);
		return;
	}

	/*
	 * No need to retry nor send an "undo" CLOSE in the
	 * event the server rebooted.
	 */
	if (ep->error == 0 && (ep->stat == NFS4ERR_STALE_CLIENTID ||
	    ep->stat == NFS4ERR_STALE_STATEID || ep->stat == NFS4ERR_EXPIRED))
		goto done;

	/*
	 * If we resent a CLOSE or OPEN_DOWNGRADE, there's nothing
	 * to undo.  Undoing locking operations was handled by
	 * resend_lock().
	 */
	if (lrp->lr_op == OP_OPEN_DOWNGRADE || lrp->lr_op == OP_CLOSE)
		goto done;

	/*
	 * If we get any other error for OPEN, then don't attempt
	 * to undo the resend of the open (since it was never
	 * successful!).
	 */
	ASSERT(lrp->lr_op == OP_OPEN);
	if (ep->error || ep->stat != NFS4_OK)
		goto done;

	/*
	 * Now let's undo our OPEN.
	 */
	nfs4_error_zinit(ep);
	close_after_open_resend(vp, lrp->lr_cr, lrp->lr_oacc, ep);
	NFS4_DEBUG(nfs4_lost_rqst_debug, (CE_NOTE, "resend_one_op: "
	    "nfs4close_one: for vp %p got error %d stat %d",
	    (void *)vp, ep->error, ep->stat));

done:
	if (vp != lrp->lr_vp)
		VN_RELE(vp);
}

/*
 * Close a file that was opened via a resent OPEN.
 * Most errors are passed back to the caller (via the return value and
 * *statp), except for FHEXPIRED, which is retried.
 *
 * It might be conceptually cleaner to push the CLOSE request onto the
 * front of the resend queue, rather than sending it here.  That would
 * match the way we undo lost lock requests.  On the other
 * hand, we've already got something that works, and there's no reason to
 * change it at this time.
 */

static void
close_after_open_resend(vnode_t *vp, cred_t *cr, uint32_t acc_bits,
    nfs4_error_t *ep)
{

	for (;;) {
		nfs4close_one(vp, NULL, cr, acc_bits, NULL, ep,
		    CLOSE_AFTER_RESEND, 0, 0, 0);
		if (ep->error == 0 && ep->stat == NFS4_OK)
			break;		/* success; done */
		if (ep->error != 0 || ep->stat != NFS4ERR_FHEXPIRED)
			break;
		/* else retry FHEXPIRED */
	}

}

/*
 * Resend the given lost lock request.  Return an errno value.  If zero,
 * *statp is set to the NFS status code for the call.
 *
 * Issue a SIGLOST and mark the rnode dead if we get a non-recovery error or
 * a recovery error that we don't actually recover from yet (eg: BAD_SEQID).
 * Let the recovery thread redrive the call if we get a recovery error that
 * we can actually recover from.
 */
static void
resend_lock(nfs4_lost_rqst_t *lrp, nfs4_error_t *ep)
{
	bool_t		send_siglost = FALSE;
	vnode_t		*vp = lrp->lr_vp;

	NFS4_DEBUG(nfs4_lost_rqst_debug, (CE_NOTE, "resend_lock:"));
	ASSERT(lrp->lr_ctype == NFS4_LCK_CTYPE_REINSTATE ||
	    lrp->lr_ctype == NFS4_LCK_CTYPE_RESEND);

	nfs4frlock(lrp->lr_ctype, vp, F_SETLK, lrp->lr_flk, lrp->lr_cr, ep,
	    lrp, NULL);

	NFS4_DEBUG(nfs4_lost_rqst_debug, (CE_NOTE, "resend_lock: "
	    "nfs4frlock for vp %p returned error %d, stat %d",
	    (void *)vp, ep->error, ep->stat));

	if (ep->error == 0 && ep->stat == 0)
		goto done;
	if (ep->error == 0 && ep->stat == NFS4ERR_DENIED &&
	    lrp->lr_ctype == NFS4_LCK_CTYPE_RESEND)
		goto done;

	/*
	 * If we failed with a non-recovery error, send SIGLOST and
	 * mark the file dead.
	 */
	if (!nfs4_needs_recovery(ep, TRUE, vp->v_vfsp))
		send_siglost = TRUE;
	else {
		/*
		 * Done with recovering LOST LOCK in the event the
		 * server rebooted or we've lost the lease.
		 */
		if (ep->error == 0 && (ep->stat == NFS4ERR_STALE_CLIENTID ||
		    ep->stat == NFS4ERR_STALE_STATEID ||
		    ep->stat == NFS4ERR_EXPIRED)) {
			goto done;
		}

		/*
		 * BAD_STATEID on an unlock indicates that the server has
		 * forgotten about the lock anyway, so act like the call
		 * was successful.
		 */
		if (ep->error == 0 && ep->stat == NFS4ERR_BAD_STATEID &&
		    lrp->lr_op == OP_LOCKU)
			goto done;

		/*
		 * If we got a recovery error that we don't actually
		 * recover from, send SIGLOST.  If the filesystem was
		 * forcibly unmounted, we skip the SIGLOST because (a) it's
		 * unnecessary noise, and (b) there could be a new process
		 * with the same pid as the one that had generated the lost
		 * state request.
		 */
		if (ep->error == 0 && (ep->stat == NFS4ERR_BADHANDLE ||
		    nfs4_recov_marks_dead(ep->stat))) {
			if (!(vp->v_vfsp->vfs_flag & VFS_UNMOUNTED))
				send_siglost = TRUE;
			goto done;
		}

		/*
		 * If the filesystem was forcibly unmounted, we
		 * still need to synchronize with the server and
		 * release state.  Try again later.
		 */
		if (NFS4_FRC_UNMT_ERR(ep->error, vp->v_vfsp))
			goto done;

		/*
		 * If we get a recovery error that we can actually
		 * recover from (such as ETIMEDOUT, FHEXPIRED),
		 * return and let the recovery thread redrive the call.
		 *
		 * For the three errors below, we want to delay a bit
		 * instead of pounding the server into submission.
		 */
		if ((ep->error == 0 && ep->stat == NFS4ERR_DELAY) ||
		    (ep->error == 0 && ep->stat == NFS4ERR_GRACE) ||
		    (ep->error == 0 && ep->stat == NFS4ERR_RESOURCE))
			delay(SEC_TO_TICK(recov_err_delay));
		goto done;
	}

done:
	if (send_siglost) {
		cred_t *sv_cred;

		/*
		 * Must be root or the actual thread being issued the
		 * SIGLOST for this to work, so just become root.
		 */
		sv_cred = curthread->t_cred;
		curthread->t_cred = kcred;
		nfs4_send_siglost(lrp->lr_flk->l_pid, VTOMI4(vp), vp, FALSE,
		    ep->error, ep->stat);
		curthread->t_cred = sv_cred;

		/*
		 * Flush any additional reinstantiation requests for
		 * this operation.  Sending multiple SIGLOSTs to the user
		 * process is unlikely to help and may cause trouble.
		 */
		if (lrp->lr_ctype == NFS4_LCK_CTYPE_REINSTATE)
			flush_reinstate(lrp);
	}
}

/*
 * Remove any lock reinstantiation requests that correspond to the given
 * lost request.  We only remove items that follow lrp in the queue,
 * assuming that lrp will be removed by the generic lost state code.
 */

static void
flush_reinstate(nfs4_lost_rqst_t *lrp)
{
	vnode_t *vp;
	pid_t pid;
	mntinfo4_t *mi;
	nfs4_lost_rqst_t *nlrp;

	vp = lrp->lr_vp;
	mi = VTOMI4(vp);
	pid = lrp->lr_flk->l_pid;

	/*
	 * If there are any more reinstantation requests to get rid of,
	 * they should all be clustered at the front of the lost state
	 * queue.
	 */
	mutex_enter(&mi->mi_lock);
	for (lrp = list_next(&mi->mi_lost_state, lrp); lrp != NULL;
	    lrp = nlrp) {
		nlrp = list_next(&mi->mi_lost_state, lrp);
		if (lrp->lr_op != OP_LOCK && lrp->lr_op != OP_LOCKU)
			break;
		if (lrp->lr_ctype != NFS4_LCK_CTYPE_REINSTATE)
			break;
		ASSERT(lrp->lr_vp == vp);
		ASSERT(lrp->lr_flk->l_pid == pid);
		NFS4_DEBUG(nfs4_lost_rqst_debug, (CE_NOTE,
		    "remove reinstantiation %p", (void *)lrp));
		list_remove(&mi->mi_lost_state, lrp);
		nfs4_free_lost_rqst(lrp, NULL);
	}
	mutex_exit(&mi->mi_lock);
}

/*
 * End of state-specific recovery routines.
 */

/*
 * Allocate a lost request struct, initialize it from lost_rqstp (including
 * bumping the reference counts for the referenced vnode, etc.), and hang
 * it off of recovp.
 */

static void
nfs4_save_lost_rqst(nfs4_lost_rqst_t *lost_rqstp, recov_info_t *recovp,
    nfs4_recov_t *action, mntinfo4_t *mi)
{
	nfs4_lost_rqst_t *destp;

	ASSERT(recovp->rc_lost_rqst == NULL);

	destp = kmem_alloc(sizeof (nfs4_lost_rqst_t), KM_SLEEP);
	recovp->rc_lost_rqst = destp;

	if (lost_rqstp->lr_op == OP_LOCK ||
	    lost_rqstp->lr_op == OP_LOCKU) {
		ASSERT(lost_rqstp->lr_lop);
		*action = NR_LOST_LOCK;
		destp->lr_ctype = lost_rqstp->lr_ctype;
		destp->lr_locktype = lost_rqstp->lr_locktype;
	} else if (lost_rqstp->lr_op == OP_OPEN) {
		component4 *srcfp, *destfp;

		destp->lr_oacc = lost_rqstp->lr_oacc;
		destp->lr_odeny = lost_rqstp->lr_odeny;
		destp->lr_oclaim = lost_rqstp->lr_oclaim;
		if (lost_rqstp->lr_oclaim == CLAIM_DELEGATE_CUR)
			destp->lr_ostateid = lost_rqstp->lr_ostateid;

		srcfp = &lost_rqstp->lr_ofile;
		destfp = &destp->lr_ofile;
		/*
		 * Consume caller's utf8string
		 */
		destfp->utf8string_len = srcfp->utf8string_len;
		destfp->utf8string_val = srcfp->utf8string_val;
		srcfp->utf8string_len = 0;
		srcfp->utf8string_val = NULL;	/* make sure not reused */

		*action = NR_LOST_STATE_RQST;
	} else if (lost_rqstp->lr_op == OP_OPEN_DOWNGRADE) {
		destp->lr_dg_acc = lost_rqstp->lr_dg_acc;
		destp->lr_dg_deny = lost_rqstp->lr_dg_deny;

		*action = NR_LOST_STATE_RQST;
	} else if (lost_rqstp->lr_op == OP_CLOSE) {
		ASSERT(lost_rqstp->lr_oop);
		*action = NR_LOST_STATE_RQST;
	} else if (lost_rqstp->lr_op == OP_DELEGRETURN) {
		*action = NR_LOST_STATE_RQST;
	} else {
#ifdef DEBUG
		cmn_err(CE_PANIC, "nfs4_save_lost_rqst: bad op %d",
		    lost_rqstp->lr_op);
#endif
		nfs4_queue_event(RE_LOST_STATE_BAD_OP, mi, NULL,
		    lost_rqstp->lr_op, lost_rqstp->lr_vp, lost_rqstp->lr_dvp,
		    NFS4_OK, NULL, curproc->p_pid, TAG_NONE, TAG_NONE, 0, 0);
		*action = NR_UNUSED;
		recovp->rc_lost_rqst = NULL;
		kmem_free(destp, sizeof (nfs4_lost_rqst_t));
		return;
	}

	destp->lr_op = lost_rqstp->lr_op;
	destp->lr_vp = lost_rqstp->lr_vp;
	if (destp->lr_vp)
		VN_HOLD(destp->lr_vp);
	destp->lr_dvp = lost_rqstp->lr_dvp;
	if (destp->lr_dvp)
		VN_HOLD(destp->lr_dvp);
	destp->lr_oop = lost_rqstp->lr_oop;
	if (destp->lr_oop)
		open_owner_hold(destp->lr_oop);
	destp->lr_osp = lost_rqstp->lr_osp;
	if (destp->lr_osp)
		open_stream_hold(destp->lr_osp);
	destp->lr_lop = lost_rqstp->lr_lop;
	if (destp->lr_lop)
		lock_owner_hold(destp->lr_lop);
	destp->lr_cr = lost_rqstp->lr_cr;
	if (destp->lr_cr)
		crhold(destp->lr_cr);
	if (lost_rqstp->lr_flk == NULL)
		destp->lr_flk = NULL;
	else {
		destp->lr_flk = kmem_alloc(sizeof (flock64_t), KM_SLEEP);
		*destp->lr_flk = *lost_rqstp->lr_flk;
	}
	destp->lr_putfirst = lost_rqstp->lr_putfirst;
}

/*
 * Map the given return values (errno and nfs4 status code) to a recovery
 * action and fill in the following fields of recovp: rc_action,
 * rc_srv_reboot, rc_stateid, rc_lost_rqst.
 */

void
errs_to_action(recov_info_t *recovp,
    nfs4_server_t *sp, mntinfo4_t *mi, stateid4 *sidp,
    nfs4_lost_rqst_t *lost_rqstp, int unmounted, nfs_opnum4 op,
    nfs4_bseqid_entry_t *bsep)
{
	nfs4_recov_t action = NR_UNUSED;
	bool_t reboot = FALSE;
	int try_f;
	int error = recovp->rc_orig_errors.error;
	nfsstat4 stat = recovp->rc_orig_errors.stat;

	bzero(&recovp->rc_stateid, sizeof (stateid4));
	recovp->rc_lost_rqst = NULL;
	recovp->rc_bseqid_rqst = NULL;

	try_f = nfs4_try_failover(&recovp->rc_orig_errors) &&
	    FAILOVER_MOUNT4(mi);

	/*
	 * We start recovery for EINTR only in the lost lock
	 * or lost open/close case.
	 */

	if (try_f || error == EINTR || (error == EIO && unmounted)) {
		recovp->rc_error = (error != 0 ? error : geterrno4(stat));
		if (lost_rqstp) {
			ASSERT(lost_rqstp->lr_op != 0);
			nfs4_save_lost_rqst(lost_rqstp, recovp, &action, mi);
		}
		if (try_f)
			action = NR_FAILOVER;
	} else if (error != 0) {
		recovp->rc_error = error;
		nfs4_queue_event(RE_UNEXPECTED_ERRNO, mi, NULL, error, NULL,
		    NULL, 0, NULL, 0, TAG_NONE, TAG_NONE, 0, 0);
		action = NR_CLIENTID;
	} else {
		recovp->rc_error = geterrno4(stat);
		switch (stat) {
#ifdef notyet
		case NFS4ERR_LEASE_MOVED:
			action = xxx;
			break;
#endif
		case NFS4ERR_MOVED:
			action = NR_MOVED;
			break;
		case NFS4ERR_BADHANDLE:
			action = NR_BADHANDLE;
			break;
		case NFS4ERR_BAD_SEQID:
			if (bsep)
				save_bseqid_rqst(bsep, recovp);
			action = NR_BAD_SEQID;
			break;
		case NFS4ERR_OLD_STATEID:
			action = NR_OLDSTATEID;
			break;
		case NFS4ERR_WRONGSEC:
			action = NR_WRONGSEC;
			break;
		case NFS4ERR_FHEXPIRED:
			action = NR_FHEXPIRED;
			break;
		case NFS4ERR_BAD_STATEID:
			if (sp == NULL || (sp != NULL && inlease(sp))) {

				action = NR_BAD_STATEID;
				if (sidp)
					recovp->rc_stateid = *sidp;
			} else
				action = NR_CLIENTID;
			break;
		case NFS4ERR_EXPIRED:
			/*
			 * The client's lease has expired, either due
			 * to a network partition or perhaps a client
			 * error.  In either case, try an NR_CLIENTID
			 * style recovery.  reboot remains false, since
			 * there is no evidence the server has rebooted.
			 * This will cause CLAIM_NULL opens and lock
			 * requests without the reclaim bit.
			 */
			action = NR_CLIENTID;

			DTRACE_PROBE4(nfs4__expired,
			    nfs4_server_t *, sp,
			    mntinfo4_t *, mi,
			    stateid4 *, sidp, int, op);

			break;
		case NFS4ERR_STALE_CLIENTID:
		case NFS4ERR_STALE_STATEID:
			action = NR_CLIENTID;
			reboot = TRUE;
			break;
		case NFS4ERR_RESOURCE:
			/*
			 * If this had been a FAILOVER mount, then
			 * we'd have tried failover.  Since it's not,
			 * just delay a while and retry.
			 */
			action = NR_DELAY;
			break;
		case NFS4ERR_GRACE:
			action = NR_GRACE;
			break;
		case NFS4ERR_DELAY:
			action = NR_DELAY;
			break;
		case NFS4ERR_STALE:
			action = NR_STALE;
			break;
		default:
			nfs4_queue_event(RE_UNEXPECTED_STATUS, mi, NULL, 0,
			    NULL, NULL, stat, NULL, 0, TAG_NONE, TAG_NONE,
			    0, 0);
			action = NR_CLIENTID;
			break;
		}
	}

	/* make sure action got set */
	ASSERT(action != NR_UNUSED);
	recovp->rc_srv_reboot = reboot;
	recovp->rc_action = action;
	nfs4_queue_fact(RF_ERR, mi, stat, action, op, reboot, NULL, error,
	    NULL);
}

/*
 * Return the (held) credential for the process with the given pid.
 * May return NULL (e.g., process not found).
 */

static cred_t *
pid_to_cr(pid_t pid)
{
	proc_t *p;
	cred_t *cr;

	mutex_enter(&pidlock);
	if ((p = prfind(pid)) == NULL) {
		mutex_exit(&pidlock);
		return (NULL);
	}

	mutex_enter(&p->p_crlock);
	crhold(cr = p->p_cred);
	mutex_exit(&p->p_crlock);
	mutex_exit(&pidlock);

	return (cr);
}

/*
 * Send SIGLOST to the given process and queue the event.
 *
 * The 'dump' boolean tells us whether this action should dump the
 * in-kernel queue of recovery messages or not.
 */

void
nfs4_send_siglost(pid_t pid, mntinfo4_t *mi, vnode_t *vp, bool_t dump,
    int error, nfsstat4 stat)
{
	proc_t *p;

	mutex_enter(&pidlock);
	p = prfind(pid);
	if (p)
		psignal(p, SIGLOST);
	mutex_exit(&pidlock);
	nfs4_queue_event(dump ? RE_SIGLOST : RE_SIGLOST_NO_DUMP, mi,
	    NULL, error, vp, NULL, stat, NULL, pid, TAG_NONE, TAG_NONE, 0, 0);
}

/*
 * Scan the lock list for entries that match the given pid.  Unregister those
 * locks that do and change their pid to NOPID.
 */

static void
relock_skip_pid(vnode_t *vp, locklist_t *llp, pid_t pid)
{
	for (; llp != NULL; llp = llp->ll_next) {
		if (llp->ll_flock.l_pid == pid) {
			int r;

			/*
			 * Unregister the lost lock.
			 */
			llp->ll_flock.l_type = F_UNLCK;
			r = reclock(vp, &llp->ll_flock, SETFLCK, FREAD | FWRITE,
			    0, NULL);
			/* The unlock cannot fail */
			ASSERT(r == 0);

			llp->ll_flock.l_pid = NOPID;
		}
	}
}

/*
 * Mark a file as having failed recovery, after making a last-ditch effort
 * to return any delegation.
 *
 * Sets r_error to EIO or ESTALE for the given vnode.
 */
void
nfs4_fail_recov(vnode_t *vp, char *why, int error, nfsstat4 stat)
{
	rnode4_t *rp = VTOR4(vp);

#ifdef DEBUG
	if (nfs4_fail_recov_stop)
		debug_enter("nfs4_fail_recov");
#endif

	mutex_enter(&rp->r_statelock);
	if (rp->r_flags & (R4RECOVERR|R4RECOVERRP)) {
		mutex_exit(&rp->r_statelock);
		return;
	}

	/*
	 * Set R4RECOVERRP to indicate that a recovery error is in
	 * progress.  This will shut down reads and writes at the top
	 * half.  Don't set R4RECOVERR until after we've returned the
	 * delegation, otherwise it will fail.
	 */

	rp->r_flags |= R4RECOVERRP;
	mutex_exit(&rp->r_statelock);

	nfs4delegabandon(rp);

	mutex_enter(&rp->r_statelock);
	rp->r_flags |= (R4RECOVERR | R4STALE);
	rp->r_error = (error == 0 && stat == NFS4ERR_STALE) ? ESTALE : EIO;
	PURGE_ATTRCACHE4_LOCKED(rp);
	if (!(vp->v_vfsp->vfs_flag & VFS_UNMOUNTED))
		nfs4_queue_event(RE_DEAD_FILE, VTOMI4(vp), NULL, error,
		    vp, NULL, stat, why, 0, TAG_NONE, TAG_NONE, 0, 0);
	mutex_exit(&rp->r_statelock);

	dnlc_purge_vp(vp);
}

/*
 * recov_throttle: if the file had the same recovery action within the
 * throttle interval, wait for the throttle interval to finish before
 * proceeding.
 *
 * Side effects: updates the rnode with the current recovery information.
 */

static void
recov_throttle(recov_info_t *recovp, vnode_t *vp)
{
	time_t curtime, time_to_wait;
	rnode4_t *rp = VTOR4(vp);

	curtime = gethrestime_sec();

	mutex_enter(&rp->r_statelock);
	NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
	    "recov_throttle: now: (%d, %ld), last: (%d, %ld)",
	    recovp->rc_action, curtime,
	    rp->r_recov_act, rp->r_last_recov));
	if (recovp->rc_action == rp->r_recov_act &&
	    rp->r_last_recov + recov_err_delay > curtime) {
		time_to_wait = rp->r_last_recov + recov_err_delay - curtime;
		mutex_exit(&rp->r_statelock);
		delay(SEC_TO_TICK(time_to_wait));
		curtime = gethrestime_sec();
		mutex_enter(&rp->r_statelock);
	}

	rp->r_last_recov = curtime;
	rp->r_recov_act = recovp->rc_action;
	mutex_exit(&rp->r_statelock);
}

/*
 * React to NFS4ERR_GRACE by setting the time we'll permit
 * the next call to this filesystem.
 */
void
nfs4_set_grace_wait(mntinfo4_t *mi)
{
	mutex_enter(&mi->mi_lock);
	/* Mark the time for the future */
	mi->mi_grace_wait = gethrestime_sec() + nfs4err_delay_time;
	mutex_exit(&mi->mi_lock);
}

/*
 * React to MFS4ERR_DELAY by setting the time we'll permit
 * the next call to this vnode.
 */
void
nfs4_set_delay_wait(vnode_t *vp)
{
	rnode4_t *rp = VTOR4(vp);

	mutex_enter(&rp->r_statelock);
	/*
	 * Calculate amount we should delay, initial
	 * delay will be short and then we will back off.
	 */
	if (rp->r_delay_interval == 0)
		rp->r_delay_interval = NFS4_INITIAL_DELAY_INTERVAL;
	else
		/* calculate next interval value */
		rp->r_delay_interval =
		    MIN(NFS4_MAX_DELAY_INTERVAL, (rp->r_delay_interval << 1));
	rp->r_delay_wait = gethrestime_sec() + rp->r_delay_interval;
	mutex_exit(&rp->r_statelock);
}

/*
 * The caller is responsible for freeing the returned string.
 */
static char *
nfs4_getsrvnames(mntinfo4_t *mi, size_t *len)
{
	servinfo4_t *svp;
	char *srvnames;
	char *namep;
	size_t length;

	/*
	 * Calculate the length of the string required to hold all
	 * of the server names plus either a comma or a null
	 * character following each individual one.
	 */
	length = 0;
	for (svp = mi->mi_servers; svp != NULL; svp = svp->sv_next) {
		(void) nfs_rw_enter_sig(&svp->sv_lock, RW_READER, 0);
		if (svp->sv_flags & SV4_NOTINUSE) {
			nfs_rw_exit(&svp->sv_lock);
			continue;
		}
		nfs_rw_exit(&svp->sv_lock);
		length += svp->sv_hostnamelen;
	}

	srvnames = kmem_alloc(length, KM_SLEEP);

	namep = srvnames;
	for (svp = mi->mi_servers; svp != NULL; svp = svp->sv_next) {
		(void) nfs_rw_enter_sig(&svp->sv_lock, RW_READER, 0);
		if (svp->sv_flags & SV4_NOTINUSE) {
			nfs_rw_exit(&svp->sv_lock);
			continue;
		}
		nfs_rw_exit(&svp->sv_lock);
		(void) strcpy(namep, svp->sv_hostname);
		namep += svp->sv_hostnamelen - 1;
		*namep++ = ',';
	}
	*--namep = '\0';

	*len = length;

	return (srvnames);
}

static void
save_bseqid_rqst(nfs4_bseqid_entry_t *bsep, recov_info_t *recovp)
{
	nfs4_bseqid_entry_t *destp;

	destp = kmem_alloc(sizeof (nfs4_bseqid_entry_t), KM_SLEEP);
	recovp->rc_bseqid_rqst = destp;

	if (bsep->bs_oop)
		open_owner_hold(bsep->bs_oop);
	destp->bs_oop = bsep->bs_oop;
	if (bsep->bs_lop)
		lock_owner_hold(bsep->bs_lop);
	destp->bs_lop = bsep->bs_lop;
	if (bsep->bs_vp)
		VN_HOLD(bsep->bs_vp);
	destp->bs_vp = bsep->bs_vp;
	destp->bs_pid = bsep->bs_pid;
	destp->bs_tag = bsep->bs_tag;
	destp->bs_seqid = bsep->bs_seqid;
}

static void
free_bseqid_rqst(nfs4_bseqid_entry_t *bsep)
{
	if (bsep->bs_oop)
		open_owner_rele(bsep->bs_oop);
	if (bsep->bs_lop)
		lock_owner_rele(bsep->bs_lop);
	if (bsep->bs_vp)
		VN_RELE(bsep->bs_vp);
	kmem_free(bsep, sizeof (nfs4_bseqid_entry_t));
}

/*
 * We don't actually fully recover from NFS4ERR_BAD_SEQID.  We
 * simply mark the open owner and open stream (if provided) as "bad".
 * Then future uses of these data structures will be limited to basically
 * just cleaning up the internal client state (no going OTW).
 *
 * The result of this is to return errors back to the app/usr when
 * we receive NFS4ERR_BAD_SEQID, but also allow future/new calls to
 * succeed so progress can be made.
 */
void
recov_bad_seqid(recov_info_t *recovp)
{
	mntinfo4_t		*mi = recovp->rc_mi;
	nfs4_open_owner_t	*bad_oop;
	nfs4_lock_owner_t	*bad_lop;
	vnode_t			*vp;
	rnode4_t		*rp = NULL;
	pid_t			pid;
	nfs4_bseqid_entry_t	*bsep, *tbsep;
	int			error;

	ASSERT(mi != NULL);
	ASSERT(nfs_rw_lock_held(&mi->mi_recovlock, RW_WRITER));

	mutex_enter(&mi->mi_lock);
	bsep = list_head(&mi->mi_bseqid_list);
	mutex_exit(&mi->mi_lock);

	/*
	 * Handle all the bad seqid entries on mi's list.
	 */
	while (bsep != NULL) {
		bad_oop = bsep->bs_oop;
		bad_lop = bsep->bs_lop;
		vp = bsep->bs_vp;
		pid = bsep->bs_pid;

		NFS4_DEBUG(nfs4_client_recov_debug, (CE_NOTE,
		    "recov_bad_seqid: mark oop %p lop %p as bad for "
		    "vp %p tag %s pid %d: last good seqid %d for tag %s",
		    (void *)bad_oop, (void *)bad_lop, (void *)vp,
		    nfs4_ctags[bsep->bs_tag].ct_str, pid,
		    bad_oop ?  bad_oop->oo_last_good_seqid : 0,
		    bad_oop ? nfs4_ctags[bad_oop->oo_last_good_op].ct_str :
		    nfs4_ctags[TAG_NONE].ct_str));

		nfs4_queue_event(RE_BAD_SEQID, mi, NULL,
		    0, vp, NULL, NFS4ERR_BAD_SEQID, NULL, pid, bsep->bs_tag,
		    bad_oop ? bad_oop->oo_last_good_op : TAG_NONE,
		    bsep->bs_seqid, bad_oop ? bad_oop->oo_last_good_seqid : 0);

		if (bad_oop) {
			/* essentially reset the open owner */
			error = nfs4_start_open_seqid_sync(bad_oop, mi);
			ASSERT(!error);	/* recov thread always succeeds */
			bad_oop->oo_name = nfs4_get_new_oo_name();
			bad_oop->oo_seqid = 0;
			nfs4_end_open_seqid_sync(bad_oop);
		}

		if (bad_lop) {
			mutex_enter(&bad_lop->lo_lock);
			bad_lop->lo_flags |= NFS4_BAD_SEQID_LOCK;
			mutex_exit(&bad_lop->lo_lock);

			ASSERT(vp != NULL);
			rp = VTOR4(vp);
			mutex_enter(&rp->r_statelock);
			rp->r_flags |= R4LODANGLERS;
			mutex_exit(&rp->r_statelock);

			nfs4_send_siglost(pid, mi, vp, TRUE,
			    0, NFS4ERR_BAD_SEQID);
		}

		mutex_enter(&mi->mi_lock);
		list_remove(&mi->mi_bseqid_list, bsep);
		tbsep = bsep;
		bsep = list_head(&mi->mi_bseqid_list);
		mutex_exit(&mi->mi_lock);
		free_bseqid_rqst(tbsep);
	}

	mutex_enter(&mi->mi_lock);
	mi->mi_recovflags &= ~MI4R_BAD_SEQID;
	mutex_exit(&mi->mi_lock);
}