Author: markj Date: Tue Oct 17 19:41:45 2017 New Revision: 324704 URL: https://svnweb.freebsd.org/changeset/base/324704
Log: Fix a racy VI_DOOMED check in MNT_VNODE_FOREACH_ALL(). MNT_VNODE_FOREACH_ALL() is supposed to avoid returning doomed vnodes, but the VI_DOOMED check it used was done without the vnode interlock held, so it could race with a concurrent vgone(). Submitted by: Don Morris <don.mor...@isilon.com> Reviewed by: kib, mckusick MFC after: 1 week Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D12704 Modified: head/sys/kern/vfs_subr.c Modified: head/sys/kern/vfs_subr.c ============================================================================== --- head/sys/kern/vfs_subr.c Tue Oct 17 19:11:29 2017 (r324703) +++ head/sys/kern/vfs_subr.c Tue Oct 17 19:41:45 2017 (r324704) @@ -5299,12 +5299,18 @@ __mnt_vnode_next_all(struct vnode **mvp, struct mount kern_yield(PRI_USER); MNT_ILOCK(mp); KASSERT((*mvp)->v_mount == mp, ("marker vnode mount list mismatch")); - vp = TAILQ_NEXT(*mvp, v_nmntvnodes); - while (vp != NULL && (vp->v_type == VMARKER || - (vp->v_iflag & VI_DOOMED) != 0)) - vp = TAILQ_NEXT(vp, v_nmntvnodes); - - /* Check if we are done */ + for (vp = TAILQ_NEXT(*mvp, v_nmntvnodes); vp != NULL; + vp = TAILQ_NEXT(vp, v_nmntvnodes)) { + /* Allow a racy peek at VI_DOOMED to save a lock acquisition. */ + if (vp->v_type == VMARKER || (vp->v_iflag & VI_DOOMED) != 0) + continue; + VI_LOCK(vp); + if ((vp->v_iflag & VI_DOOMED) != 0) { + VI_UNLOCK(vp); + continue; + } + break; + } if (vp == NULL) { __mnt_vnode_markerfree_all(mvp, mp); /* MNT_IUNLOCK(mp); -- done in above function */ @@ -5313,7 +5319,6 @@ __mnt_vnode_next_all(struct vnode **mvp, struct mount } TAILQ_REMOVE(&mp->mnt_nvnodelist, *mvp, v_nmntvnodes); TAILQ_INSERT_AFTER(&mp->mnt_nvnodelist, vp, *mvp, v_nmntvnodes); - VI_LOCK(vp); MNT_IUNLOCK(mp); return (vp); } @@ -5326,14 +5331,20 @@ __mnt_vnode_first_all(struct vnode **mvp, struct mount *mvp = malloc(sizeof(struct vnode), M_VNODE_MARKER, M_WAITOK | M_ZERO); MNT_ILOCK(mp); MNT_REF(mp); + (*mvp)->v_mount = mp; (*mvp)->v_type = VMARKER; - vp = TAILQ_FIRST(&mp->mnt_nvnodelist); - while (vp != NULL && (vp->v_type == VMARKER || - (vp->v_iflag & VI_DOOMED) != 0)) - vp = TAILQ_NEXT(vp, v_nmntvnodes); - - /* Check if we are done */ + TAILQ_FOREACH(vp, &mp->mnt_nvnodelist, v_nmntvnodes) { + /* Allow a racy peek at VI_DOOMED to save a lock acquisition. */ + if (vp->v_type == VMARKER || (vp->v_iflag & VI_DOOMED) != 0) + continue; + VI_LOCK(vp); + if ((vp->v_iflag & VI_DOOMED) != 0) { + VI_UNLOCK(vp); + continue; + } + break; + } if (vp == NULL) { MNT_REL(mp); MNT_IUNLOCK(mp); @@ -5341,13 +5352,10 @@ __mnt_vnode_first_all(struct vnode **mvp, struct mount *mvp = NULL; return (NULL); } - (*mvp)->v_mount = mp; TAILQ_INSERT_AFTER(&mp->mnt_nvnodelist, vp, *mvp, v_nmntvnodes); - VI_LOCK(vp); MNT_IUNLOCK(mp); return (vp); } - void __mnt_vnode_markerfree_all(struct vnode **mvp, struct mount *mp) _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
