svn commit: r324704 - head/sys/kern
Mark Johnston
markj at FreeBSD.org
Tue Oct 17 19:41:46 UTC 2017
Author: markj
Date: Tue Oct 17 19:41:45 2017
New Revision: 324704
URL: https://svnweb.freebsd.org/changeset/base/324704
Log:
Fix a racy VI_DOOMED check in MNT_VNODE_FOREACH_ALL().
MNT_VNODE_FOREACH_ALL() is supposed to avoid returning doomed vnodes,
but the VI_DOOMED check it used was done without the vnode interlock
held, so it could race with a concurrent vgone().
Submitted by: Don Morris <don.morris at isilon.com>
Reviewed by: kib, mckusick
MFC after: 1 week
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D12704
Modified:
head/sys/kern/vfs_subr.c
Modified: head/sys/kern/vfs_subr.c
==============================================================================
--- head/sys/kern/vfs_subr.c Tue Oct 17 19:11:29 2017 (r324703)
+++ head/sys/kern/vfs_subr.c Tue Oct 17 19:41:45 2017 (r324704)
@@ -5299,12 +5299,18 @@ __mnt_vnode_next_all(struct vnode **mvp, struct mount
kern_yield(PRI_USER);
MNT_ILOCK(mp);
KASSERT((*mvp)->v_mount == mp, ("marker vnode mount list mismatch"));
- vp = TAILQ_NEXT(*mvp, v_nmntvnodes);
- while (vp != NULL && (vp->v_type == VMARKER ||
- (vp->v_iflag & VI_DOOMED) != 0))
- vp = TAILQ_NEXT(vp, v_nmntvnodes);
-
- /* Check if we are done */
+ for (vp = TAILQ_NEXT(*mvp, v_nmntvnodes); vp != NULL;
+ vp = TAILQ_NEXT(vp, v_nmntvnodes)) {
+ /* Allow a racy peek at VI_DOOMED to save a lock acquisition. */
+ if (vp->v_type == VMARKER || (vp->v_iflag & VI_DOOMED) != 0)
+ continue;
+ VI_LOCK(vp);
+ if ((vp->v_iflag & VI_DOOMED) != 0) {
+ VI_UNLOCK(vp);
+ continue;
+ }
+ break;
+ }
if (vp == NULL) {
__mnt_vnode_markerfree_all(mvp, mp);
/* MNT_IUNLOCK(mp); -- done in above function */
@@ -5313,7 +5319,6 @@ __mnt_vnode_next_all(struct vnode **mvp, struct mount
}
TAILQ_REMOVE(&mp->mnt_nvnodelist, *mvp, v_nmntvnodes);
TAILQ_INSERT_AFTER(&mp->mnt_nvnodelist, vp, *mvp, v_nmntvnodes);
- VI_LOCK(vp);
MNT_IUNLOCK(mp);
return (vp);
}
@@ -5326,14 +5331,20 @@ __mnt_vnode_first_all(struct vnode **mvp, struct mount
*mvp = malloc(sizeof(struct vnode), M_VNODE_MARKER, M_WAITOK | M_ZERO);
MNT_ILOCK(mp);
MNT_REF(mp);
+ (*mvp)->v_mount = mp;
(*mvp)->v_type = VMARKER;
- vp = TAILQ_FIRST(&mp->mnt_nvnodelist);
- while (vp != NULL && (vp->v_type == VMARKER ||
- (vp->v_iflag & VI_DOOMED) != 0))
- vp = TAILQ_NEXT(vp, v_nmntvnodes);
-
- /* Check if we are done */
+ TAILQ_FOREACH(vp, &mp->mnt_nvnodelist, v_nmntvnodes) {
+ /* Allow a racy peek at VI_DOOMED to save a lock acquisition. */
+ if (vp->v_type == VMARKER || (vp->v_iflag & VI_DOOMED) != 0)
+ continue;
+ VI_LOCK(vp);
+ if ((vp->v_iflag & VI_DOOMED) != 0) {
+ VI_UNLOCK(vp);
+ continue;
+ }
+ break;
+ }
if (vp == NULL) {
MNT_REL(mp);
MNT_IUNLOCK(mp);
@@ -5341,13 +5352,10 @@ __mnt_vnode_first_all(struct vnode **mvp, struct mount
*mvp = NULL;
return (NULL);
}
- (*mvp)->v_mount = mp;
TAILQ_INSERT_AFTER(&mp->mnt_nvnodelist, vp, *mvp, v_nmntvnodes);
- VI_LOCK(vp);
MNT_IUNLOCK(mp);
return (vp);
}
-
void
__mnt_vnode_markerfree_all(struct vnode **mvp, struct mount *mp)
More information about the svn-src-all
mailing list