Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 7 Nov 2016 10:55:57 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r308407 - head/sys/kern
Message-ID:  <201611071055.uA7AtvCD086721@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: kib
Date: Mon Nov  7 10:55:56 2016
New Revision: 308407
URL: https://svnweb.freebsd.org/changeset/base/308407

Log:
  vn_fullpath1() checked VV_ROOT and then unreferenced
  vp->v_mount->mnt_vnodecovered unlocked.  This allowed unmount to race.
  Lock vnode after we noticed the VV_ROOT flag.  See comments for
  explanation why unlocked check for the flag is considered safe.
  
  Reported and tested by:	avg
  Sponsored by:	The FreeBSD Foundation
  MFC after:	1 week

Modified:
  head/sys/kern/vfs_cache.c

Modified: head/sys/kern/vfs_cache.c
==============================================================================
--- head/sys/kern/vfs_cache.c	Mon Nov  7 10:54:56 2016	(r308406)
+++ head/sys/kern/vfs_cache.c	Mon Nov  7 10:55:56 2016	(r308407)
@@ -2245,17 +2245,35 @@ vn_fullpath1(struct thread *td, struct v
 		slash_prefixed = 1;
 	}
 	while (vp != rdir && vp != rootvnode) {
-		if (vp->v_vflag & VV_ROOT) {
-			if (vp->v_iflag & VI_DOOMED) {	/* forced unmount */
-				vrele(vp);
+		/*
+		 * The vp vnode must be already fully constructed,
+		 * since it is either found in namecache or obtained
+		 * from VOP_VPTOCNP().  We may test for VV_ROOT safely
+		 * without obtaining the vnode lock.
+		 */
+		if ((vp->v_vflag & VV_ROOT) != 0) {
+			vn_lock(vp, LK_RETRY | LK_SHARED);
+
+			/*
+			 * With the vnode locked, check for races with
+			 * unmount, forced or not.  Note that we
+			 * already verified that vp is not equal to
+			 * the root vnode, which means that
+			 * mnt_vnodecovered can be NULL only for the
+			 * case of unmount.
+			 */
+			if ((vp->v_iflag & VI_DOOMED) != 0 ||
+			    (vp1 = vp->v_mount->mnt_vnodecovered) == NULL ||
+			    vp1->v_mountedhere != vp->v_mount) {
+				vput(vp);
 				error = ENOENT;
 				SDT_PROBE3(vfs, namecache, fullpath, return,
 				    error, vp, NULL);
 				break;
 			}
-			vp1 = vp->v_mount->mnt_vnodecovered;
+
 			vref(vp1);
-			vrele(vp);
+			vput(vp);
 			vp = vp1;
 			continue;
 		}

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201611071055.uA7AtvCD086721>