Module Name:    src
Committed By:   manu
Date:           Tue Nov  4 09:10:37 UTC 2014

Modified Files:
        src/sys/fs/puffs: puffs_node.c puffs_vnops.c

Log Message:
Fix PUFFS node use-after-reclaim

When puffs_cookie2vnode() misses an entry, vcache_get()
creates a new node (puffs_vfsop_loadvnode being called to
initialize the PUFFS part), then it discovers it is VNON,
and tries to vrele() it. vrele() calls VOP_INACTIVE(),
which led us into puffs_vnop_inactive(), where we sent a
request to the filesystem for a node that already had been
reclaimed.

The fix is to check for VNON nodes in puffs_vnop_inactive()
and to return without doing anything. This is suboptimal, but
a better workaround would probably need to modify vcache API,
with an impact on other filesystems. Let us keep it simple.


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/sys/fs/puffs/puffs_node.c
cvs rdiff -u -r1.196 -r1.197 src/sys/fs/puffs/puffs_vnops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/fs/puffs/puffs_node.c
diff -u src/sys/fs/puffs/puffs_node.c:1.34 src/sys/fs/puffs/puffs_node.c:1.35
--- src/sys/fs/puffs/puffs_node.c:1.34	Tue Sep 30 10:15:03 2014
+++ src/sys/fs/puffs/puffs_node.c	Tue Nov  4 09:10:37 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: puffs_node.c,v 1.34 2014/09/30 10:15:03 hannken Exp $	*/
+/*	$NetBSD: puffs_node.c,v 1.35 2014/11/04 09:10:37 manu Exp $	*/
 
 /*
  * Copyright (c) 2005, 2006, 2007  Antti Kantee.  All Rights Reserved.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: puffs_node.c,v 1.34 2014/09/30 10:15:03 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: puffs_node.c,v 1.35 2014/11/04 09:10:37 manu Exp $");
 
 #include <sys/param.h>
 #include <sys/hash.h>
@@ -266,6 +266,7 @@ puffs_cookie2vnode(struct puffs_mount *p
 	mutex_enter((*vpp)->v_interlock);
 	if ((*vpp)->v_type == VNON) {
 		mutex_exit((*vpp)->v_interlock);
+		/* XXX vrele() calls VOP_INACTIVE() with VNON node */
 		vrele(*vpp);
 		*vpp = NULL;
 		return PUFFS_NOSUCHCOOKIE;
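
Review bot: The XXX comment added above `vrele(*vpp)` names the problem but not where it is handled. Point it at the `vp->v_type == VNON` check in puffs_vnop_inactive(), so that a later change to either side does not silently bring back the request for an already reclaimed node. It would also help to say that this is the stale-cookie path that ends in `return PUFFS_NOSUCHCOOKIE;`.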

Index: src/sys/fs/puffs/puffs_vnops.c
diff -u src/sys/fs/puffs/puffs_vnops.c:1.196 src/sys/fs/puffs/puffs_vnops.c:1.197
--- src/sys/fs/puffs/puffs_vnops.c:1.196	Fri Oct 31 13:52:41 2014
+++ src/sys/fs/puffs/puffs_vnops.c	Tue Nov  4 09:10:37 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: puffs_vnops.c,v 1.196 2014/10/31 13:52:41 manu Exp $	*/
+/*	$NetBSD: puffs_vnops.c,v 1.197 2014/11/04 09:10:37 manu Exp $	*/
 
 /*
  * Copyright (c) 2005, 2006, 2007  Antti Kantee.  All Rights Reserved.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: puffs_vnops.c,v 1.196 2014/10/31 13:52:41 manu Exp $");
+__KERNEL_RCSID(0, "$NetBSD: puffs_vnops.c,v 1.197 2014/11/04 09:10:37 manu Exp $");
 
 #include <sys/param.h>
 #include <sys/buf.h>
@@ -1330,6 +1330,18 @@ puffs_vnop_inactive(void *v)
 	struct puffs_node *pnode;
 	bool recycle = false;
 
+	/*
+	 * When puffs_cookie2vnode() misses an entry, vcache_get()
+	 * creates a new node (puffs_vfsop_loadvnode being called to
+	 * initialize the PUFFS part), then it discovers it is VNON,
+	 * and tries to vrele() it. This leads us there, while the 
+	 * cookie was stall and the node likely already reclaimed. 
+	 */
+	if (vp->v_type == VNON) {
+		VOP_UNLOCK(vp);
+		return 0;
+	}
+
 	pnode = vp->v_data;
 	mutex_enter(&pnode->pn_sizemtx);
 
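
Review bot: The early return in the new `if (vp->v_type == VNON)` block exits before the local `recycle` is ever used, so a vnode this path already knows to be useless is not flagged for recycling. If the function hands `recycle` back to the caller on its normal path, consider doing the same here before `VOP_UNLOCK(vp)`, or state in the comment why it is unnecessary. In the comment itself, "stall" should read "stale" and "leads us there" should read "leads us here", and the two lines ending in "while the" and "already reclaimed." carry trailing whitespace.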
