Module Name: src Committed By: bouyer Date: Fri Jan 15 19:46:35 UTC 2010
Modified Files: src/sys/ufs/ufs: ufs_quota.c Log Message: vclean() actually sets v_tag to VT_NON but doesn't touch v_type. getcleanvnode() sets v_type to VNON after releasing v_interlock. So the thread doing quotaon(), quotaoff() or qsync() could vget() a vnode which is being recycled in getcleanvnode(), after it has been cleaned and v_interlock released, but before v_type has been reset, leading to KASSERT(vp->v_usecount == 1) firing in getnewvnode(), or qsync() dereferencing a NULL pointer as in PR kern/42205. Fix by using the same tests as other ffs functions traversing the mount list: also check for VTOI(vp) == NULL, and VI_XLOCK in addition to VI_CLEAN. To generate a diff of this commit: cvs rdiff -u -r1.64 -r1.65 src/sys/ufs/ufs/ufs_quota.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/ufs/ufs/ufs_quota.c
diff -u src/sys/ufs/ufs/ufs_quota.c:1.64 src/sys/ufs/ufs/ufs_quota.c:1.65
--- src/sys/ufs/ufs/ufs_quota.c:1.64 Sun Aug 2 20:50:33 2009
+++ src/sys/ufs/ufs/ufs_quota.c Fri Jan 15 19:46:35 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: ufs_quota.c,v 1.64 2009/08/02 20:50:33 bouyer Exp $ */
+/* $NetBSD: ufs_quota.c,v 1.65 2010/01/15 19:46:35 bouyer Exp $ */

/*
* Copyright (c) 1982, 1986, 1990, 1993, 1995
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ufs_quota.c,v 1.64 2009/08/02 20:50:33 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ufs_quota.c,v 1.65 2010/01/15 19:46:35 bouyer Exp $");

#include <sys/param.h>
#include <sys/kernel.h>
@@ -475,9 +475,9 @@
for (vp = TAILQ_FIRST(&mp->mnt_vnodelist); vp; vp = vunmark(mvp)) {
vmark(mvp, vp);
mutex_enter(&vp->v_interlock);
- if (vp->v_mount != mp || vismarker(vp) ||
+ if (VTOI(vp) == NULL || vp->v_mount != mp || vismarker(vp) ||
vp->v_type == VNON || vp->v_writecount == 0 ||
- (vp->v_iflag & VI_CLEAN) != 0) {
+ (vp->v_iflag & (VI_XLOCK | VI_CLEAN)) != 0) {
mutex_exit(&vp->v_interlock);
continue;
}
@@ -545,8 +545,9 @@
for (vp = TAILQ_FIRST(&mp->mnt_vnodelist); vp; vp = vunmark(mvp)) {
vmark(mvp, vp);
mutex_enter(&vp->v_interlock);
- if (vp->v_mount != mp || vismarker(vp) || vp->v_type == VNON ||
- (vp->v_iflag & VI_CLEAN) != 0) {
+ if (VTOI(vp) == NULL || vp->v_mount != mp || vismarker(vp) ||
+ vp->v_type == VNON ||
+ (vp->v_iflag & (VI_XLOCK | VI_CLEAN)) != 0) {
mutex_exit(&vp->v_interlock);
continue;
}
@@ -730,8 +731,9 @@
for (vp = TAILQ_FIRST(&mp->mnt_vnodelist); vp; vp = vunmark(mvp)) {
vmark(mvp, vp);
mutex_enter(&vp->v_interlock);
- if (vp->v_mount != mp || vismarker(vp) || vp->v_type == VNON ||
- (vp->v_iflag & VI_CLEAN) != 0) {
+ if (VTOI(vp) == NULL || vp->v_mount != mp || vismarker(vp) ||
+ vp->v_type == VNON ||
+ (vp->v_iflag & (VI_XLOCK | VI_CLEAN)) != 0) {
mutex_exit(&vp->v_interlock);
continue;
}
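Review bot: The skip predicate is now spelled out three times in this file — with the extra `vp->v_writecount == 0` term in this hunk and the shorter form in the two later hunks — and that duplication is exactly how these walkers drifted away from the ffs mount-list walkers in the first place. I'd pull the shared tests into one static helper whose header comment says it must be called with v_interlock held and kept in sync with the ffs mount-list walkers, so the next change to VI_XLOCK/VI_CLEAN handling has a single place to land. If the three loops are quotaon(), quotaoff() and qsync() as the log message says, the helper also makes it obvious which one additionally depends on v_writecount. The enclosing function starts and ends outside this hunk, so the helper's placement is left to the author.
```c
/*
 * Return true if vp must be skipped while walking mp's vnode list: it is
 * a marker, belongs to another mount, has no inode attached, or is being
 * cleaned or reclaimed.  Caller holds vp->v_interlock.  Keep these tests
 * identical to the ones used by the ffs mount-list walkers.
 */
static inline bool
ufs_quota_skip_vnode(struct vnode *vp, struct mount *mp)
{
	return VTOI(vp) == NULL || vp->v_mount != mp || vismarker(vp) ||
	    vp->v_type == VNON ||
	    (vp->v_iflag & (VI_XLOCK | VI_CLEAN)) != 0;
}

		/* … unchanged: vmark() / mutex_enter(&vp->v_interlock) … */
		if (ufs_quota_skip_vnode(vp, mp) || vp->v_writecount == 0) {
			mutex_exit(&vp->v_interlock);
			continue;
		}
```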
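Review bot: Nothing in the new condition records why `VTOI(vp) == NULL` and `VI_XLOCK` are tested alongside `vp->v_type == VNON`; the only explanation lives in the commit log, which states that getcleanvnode() resets v_type after dropping v_interlock. I'd put that reasoning directly above the `if` so the extra tests survive the next tidy-up: `/* v_type is reset outside v_interlock while a vnode is recycled, so also check VTOI() and VI_XLOCK, as the ffs mount-list walkers do. */`. If this loop is qsync() as the log says, the NULL inode is what PR kern/42205 dereferenced, and — assuming qsync() is driven by the ordinary ffs sync path — dropping the VTOI(vp) test would reintroduce a kernel NULL dereference reachable without special privilege, which is worth a sentence in that comment. The enclosing function starts and ends outside this hunk.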