Fix a racy VI_DOOMED check in MNT_VNODE_FOREACH_ALL().

MNT_VNODE_FOREACH_ALL() is supposed to avoid returning doomed vnodes,
but the VI_DOOMED check it used was done without the vnode interlock
held, so it could race with a concurrent vgone().

Submitted by:	Don Morris <don.morris@isilon.com>
Reviewed by:	kib, mckusick
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D12704
This commit is contained in:
markj 2017-10-17 19:41:45 +00:00
parent 3bddb3ba3b
commit 9fce266679

View File

@ -5299,12 +5299,18 @@ __mnt_vnode_next_all(struct vnode **mvp, struct mount *mp)
kern_yield(PRI_USER);
MNT_ILOCK(mp);
KASSERT((*mvp)->v_mount == mp, ("marker vnode mount list mismatch"));
vp = TAILQ_NEXT(*mvp, v_nmntvnodes);
while (vp != NULL && (vp->v_type == VMARKER ||
(vp->v_iflag & VI_DOOMED) != 0))
vp = TAILQ_NEXT(vp, v_nmntvnodes);
/* Check if we are done */
for (vp = TAILQ_NEXT(*mvp, v_nmntvnodes); vp != NULL;
vp = TAILQ_NEXT(vp, v_nmntvnodes)) {
/* Allow a racy peek at VI_DOOMED to save a lock acquisition. */
if (vp->v_type == VMARKER || (vp->v_iflag & VI_DOOMED) != 0)
continue;
VI_LOCK(vp);
if ((vp->v_iflag & VI_DOOMED) != 0) {
VI_UNLOCK(vp);
continue;
}
break;
}
if (vp == NULL) {
__mnt_vnode_markerfree_all(mvp, mp);
/* MNT_IUNLOCK(mp); -- done in above function */
@ -5313,7 +5319,6 @@ __mnt_vnode_next_all(struct vnode **mvp, struct mount *mp)
}
TAILQ_REMOVE(&mp->mnt_nvnodelist, *mvp, v_nmntvnodes);
TAILQ_INSERT_AFTER(&mp->mnt_nvnodelist, vp, *mvp, v_nmntvnodes);
VI_LOCK(vp);
MNT_IUNLOCK(mp);
return (vp);
}
@ -5326,14 +5331,20 @@ __mnt_vnode_first_all(struct vnode **mvp, struct mount *mp)
*mvp = malloc(sizeof(struct vnode), M_VNODE_MARKER, M_WAITOK | M_ZERO);
MNT_ILOCK(mp);
MNT_REF(mp);
(*mvp)->v_mount = mp;
(*mvp)->v_type = VMARKER;
vp = TAILQ_FIRST(&mp->mnt_nvnodelist);
while (vp != NULL && (vp->v_type == VMARKER ||
(vp->v_iflag & VI_DOOMED) != 0))
vp = TAILQ_NEXT(vp, v_nmntvnodes);
/* Check if we are done */
TAILQ_FOREACH(vp, &mp->mnt_nvnodelist, v_nmntvnodes) {
/* Allow a racy peek at VI_DOOMED to save a lock acquisition. */
if (vp->v_type == VMARKER || (vp->v_iflag & VI_DOOMED) != 0)
continue;
VI_LOCK(vp);
if ((vp->v_iflag & VI_DOOMED) != 0) {
VI_UNLOCK(vp);
continue;
}
break;
}
if (vp == NULL) {
MNT_REL(mp);
MNT_IUNLOCK(mp);
@ -5341,14 +5352,11 @@ __mnt_vnode_first_all(struct vnode **mvp, struct mount *mp)
*mvp = NULL;
return (NULL);
}
(*mvp)->v_mount = mp;
TAILQ_INSERT_AFTER(&mp->mnt_nvnodelist, vp, *mvp, v_nmntvnodes);
VI_LOCK(vp);
MNT_IUNLOCK(mp);
return (vp);
}
void
__mnt_vnode_markerfree_all(struct vnode **mvp, struct mount *mp)
{