From owner-svn-src-head@freebsd.org  Sun Aug 18 20:36:13 2019
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 2B2EDD0569;
 Sun, 18 Aug 2019 20:36:13 +0000 (UTC) (envelope-from kib@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 46BTNY08Vxz3RC0;
 Sun, 18 Aug 2019 20:36:13 +0000 (UTC) (envelope-from kib@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D6A7E79A6;
 Sun, 18 Aug 2019 20:36:12 +0000 (UTC) (envelope-from kib@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x7IKaCxs026211;
 Sun, 18 Aug 2019 20:36:12 GMT (envelope-from kib@FreeBSD.org)
Received: (from kib@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id x7IKaBHS026207;
 Sun, 18 Aug 2019 20:36:11 GMT (envelope-from kib@FreeBSD.org)
Message-Id: <201908182036.x7IKaBHS026207@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: kib set sender to kib@FreeBSD.org
 using -f
From: Konstantin Belousov <kib@FreeBSD.org>
Date: Sun, 18 Aug 2019 20:36:11 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r351195 - in head/sys: fs/tmpfs kern sys
X-SVN-Group: head
X-SVN-Commit-Author: kib
X-SVN-Commit-Paths: in head/sys: fs/tmpfs kern sys
X-SVN-Commit-Revision: 351195
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Aug 2019 20:36:13 -0000

Author: kib
Date: Sun Aug 18 20:36:11 2019
New Revision: 351195
URL: https://svnweb.freebsd.org/changeset/base/351195

Log:
  Fix an issue with executing tmpfs binary.
  
  Suppose that a binary was executed from tmpfs mount, and the text
  vnode was reclaimed while the binary was still running.  It is
  possible during even the normal operations since tmpfs vnode'
  vm_object has swap type, and no references on the vnode is held.  Also
  assume that the text vnode was revived for some reason.  Then, on the
  process exit or exec, unmapping of the text mapping tries to remove
  the text reference from the vnode, but since it went from
  recycle/instantiation cycle, there is no reference kept, and assertion
  in VOP_UNSET_TEXT_CHECKED() triggers.
  
  Fix this by keeping a use reference on the tmpfs vnode for each exec
  reference.  This prevents the vnode reclamation while executable map
  entry is active.
  
  Do it by adding per-mount flag MNTK_TEXT_REFS that directs
  vop_stdset_text() to add use ref on first vnode text use, and
  per-vnode VI_TEXT_REF flag, to record the need on unref in
  vop_stdunset_text() on last vnode text use going away.  Set
  MNTK_TEXT_REFS for tmpfs mounts.
  
  Reported by:	bdrewery
  Tested by:	sbruno, pho (previous version)
  Sponsored by:	The FreeBSD Foundation
  MFC after:	1 week

Modified:
  head/sys/fs/tmpfs/tmpfs_vfsops.c
  head/sys/kern/vfs_default.c
  head/sys/sys/mount.h
  head/sys/sys/vnode.h

Modified: head/sys/fs/tmpfs/tmpfs_vfsops.c
==============================================================================
--- head/sys/fs/tmpfs/tmpfs_vfsops.c	Sun Aug 18 20:24:52 2019	(r351194)
+++ head/sys/fs/tmpfs/tmpfs_vfsops.c	Sun Aug 18 20:36:11 2019	(r351195)
@@ -507,7 +507,8 @@ tmpfs_mount(struct mount *mp)
 
 	MNT_ILOCK(mp);
 	mp->mnt_flag |= MNT_LOCAL;
-	mp->mnt_kern_flag |= MNTK_LOOKUP_SHARED | MNTK_EXTENDED_SHARED;
+	mp->mnt_kern_flag |= MNTK_LOOKUP_SHARED | MNTK_EXTENDED_SHARED |
+	    MNTK_TEXT_REFS;
 	MNT_IUNLOCK(mp);
 
 	mp->mnt_data = tmp;

Modified: head/sys/kern/vfs_default.c
==============================================================================
--- head/sys/kern/vfs_default.c	Sun Aug 18 20:24:52 2019	(r351194)
+++ head/sys/kern/vfs_default.c	Sun Aug 18 20:36:11 2019	(r351195)
@@ -1082,6 +1082,7 @@ int
 vop_stdset_text(struct vop_set_text_args *ap)
 {
 	struct vnode *vp;
+	struct mount *mp;
 	int error;
 
 	vp = ap->a_vp;
@@ -1089,6 +1090,17 @@ vop_stdset_text(struct vop_set_text_args *ap)
 	if (vp->v_writecount > 0) {
 		error = ETXTBSY;
 	} else {
+		/*
+		 * If requested by fs, keep a use reference to the
+		 * vnode until the last text reference is released.
+		 */
+		mp = vp->v_mount;
+		if (mp != NULL && (mp->mnt_kern_flag & MNTK_TEXT_REFS) != 0 &&
+		    vp->v_writecount == 0) {
+			vp->v_iflag |= VI_TEXT_REF;
+			vrefl(vp);
+		}
+
 		vp->v_writecount--;
 		error = 0;
 	}
@@ -1101,16 +1113,25 @@ vop_stdunset_text(struct vop_unset_text_args *ap)
 {
 	struct vnode *vp;
 	int error;
+	bool last;
 
 	vp = ap->a_vp;
+	last = false;
 	VI_LOCK(vp);
 	if (vp->v_writecount < 0) {
+		if ((vp->v_iflag & VI_TEXT_REF) != 0 &&
+		    vp->v_writecount == -1) {
+			last = true;
+			vp->v_iflag &= ~VI_TEXT_REF;
+		}
 		vp->v_writecount++;
 		error = 0;
 	} else {
 		error = EINVAL;
 	}
 	VI_UNLOCK(vp);
+	if (last)
+		vunref(vp);
 	return (error);
 }
 

Modified: head/sys/sys/mount.h
==============================================================================
--- head/sys/sys/mount.h	Sun Aug 18 20:24:52 2019	(r351194)
+++ head/sys/sys/mount.h	Sun Aug 18 20:36:11 2019	(r351195)
@@ -398,6 +398,7 @@ void          __mnt_vnode_markerfree_active(struct vno
 #define	MNTK_MARKER		0x00001000
 #define	MNTK_UNMAPPED_BUFS	0x00002000
 #define	MNTK_USES_BCACHE	0x00004000 /* FS uses the buffer cache. */
+#define	MNTK_TEXT_REFS		0x00008000 /* Keep use ref for text */
 #define MNTK_NOASYNC	0x00800000	/* disable async */
 #define MNTK_UNMOUNT	0x01000000	/* unmount in progress */
 #define	MNTK_MWAIT	0x02000000	/* waiting for unmount to finish */

Modified: head/sys/sys/vnode.h
==============================================================================
--- head/sys/sys/vnode.h	Sun Aug 18 20:24:52 2019	(r351194)
+++ head/sys/sys/vnode.h	Sun Aug 18 20:36:11 2019	(r351195)
@@ -233,6 +233,7 @@ struct xvnode {
  *	VI_DOOMED is doubly protected by the interlock and vnode lock.  Both
  *	are required for writing but the status may be checked with either.
  */
+#define	VI_TEXT_REF	0x0001	/* Text ref grabbed use ref */
 #define	VI_MOUNT	0x0020	/* Mount in progress */
 #define	VI_DOOMED	0x0080	/* This vnode is being recycled */
 #define	VI_FREE		0x0100	/* This vnode is on the freelist */