The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=6ed373227680b016b4cfa5af1b802ef23a121513
commit 6ed373227680b016b4cfa5af1b802ef23a121513 Author: Mark Johnston <[email protected]> AuthorDate: 2026-02-25 15:31:30 +0000 Commit: Mark Johnston <[email protected]> CommitDate: 2026-02-26 02:54:34 +0000 nullfs: Fix handling of doomed vnodes in nullfs_unlink_lowervp() nullfs_unlink_lowervp() is called with the lower vnode locked, so the nullfs vnode is locked too. The following can occur: 1. the vunref() call decrements the usecount 2->1, 2. a different thread calls vrele() on the vnode, decrements the usecount 0->1, then blocks on the vnode lock, 3. the first thread tests vp->v_usecount == 0 and observes that it is true, 4. the first thread incorrectly unlocks the lower vnode. Fix this by testing VN_IS_DOOMED directly. Since nullfs_unlink_lowervp() holds the vnode lock, the value of the VIRF_DOOMED flag is stable. Thanks to leres@ for patiently helping to track this down. PR: 288345 MFC after: 1 week Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D55446 (cherry picked from commit 8b64d46fab87af3ae062901312187f3a04ad2d67) --- sys/fs/nullfs/null_vfsops.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/sys/fs/nullfs/null_vfsops.c b/sys/fs/nullfs/null_vfsops.c index 8b9e04775449..cb637c98673e 100644 --- a/sys/fs/nullfs/null_vfsops.c +++ b/sys/fs/nullfs/null_vfsops.c @@ -465,16 +465,12 @@ nullfs_unlink_lowervp(struct mount *mp, struct vnode *lowervp) vhold(vp); vunref(vp); - if (vp->v_usecount == 0) { + if (VN_IS_DOOMED(vp)) { /* - * If vunref() dropped the last use reference on the - * nullfs vnode, it must be reclaimed, and its lock - * was split from the lower vnode lock. Need to do - * extra unlock before allowing the final vdrop() to - * free the vnode. + * If the vnode is doomed, its lock was split from the lower + * vnode lock. Therefore we need to do an extra unlock before + * allowing the final vdrop() to free the vnode. */ - KASSERT(VN_IS_DOOMED(vp), - ("not reclaimed nullfs vnode %p", vp)); VOP_UNLOCK(vp); } else { /* @@ -484,8 +480,6 @@ nullfs_unlink_lowervp(struct mount *mp, struct vnode *lowervp) * relevant for future reclamations. */ ASSERT_VOP_ELOCKED(vp, "unlink_lowervp"); - KASSERT(!VN_IS_DOOMED(vp), - ("reclaimed nullfs vnode %p", vp)); xp->null_flags &= ~NULLV_NOUNLOCK; } vdrop(vp);
