Updating a mounted file system from read-write to read-only is racy as it is not clear when a mounted file system is read-only. Currently we set MNT_RDONLY before we call VFS_MOUNT(). If VFS_MOUNT() fails some operations may see the mounted file system read-only but this was never the case. Even if we would set MNT_RDONLY in xxx_mount() after successful vflush() there would remain a window where operations would miss MNT_RDONLY.

Plan is to suspend the file system while the mounted file system gets updated. This way no operations run on the mounted file system during update and all operations see the state before or after the update.

vfs_suspend() with fstrans_start()/fstrans_done() is a mechanism to give one thread exclusive access to a mounted file system. Other threads trying to run vnode operations on this mounted file system will stall until the file system resumes. On a non-suspended file system fstrans_start()/fstrans_done() work without locks or other atomic operations.

Currently fstrans_start()/fstrans_done() is mostly used inside the file system. This has drawbacks: first it is too late to change the operations vector if the vnode gets revoked, and second it does not scale well to support it for all file systems.

Plan is to move fstrans_start()/fstrans_done() into vnode_if.c and enable vfs_suspend() on all file systems.

Diffs are here: https://www.netbsd.org/~hannken/vnode_if/

Comments or objections anyone?

-- 
J. Hannken-Illjes - [email protected] - TU Braunschweig (Germany)
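The following is an added userland model of the suspend/transaction scheme the mail proposes; it is not NetBSD kernel code and not taken from the diffs linked above. The function names mirror the NetBSD API (vfs_suspend(), fstrans_start(), fstrans_done(), MNT_RDONLY), but the bodies are a simplification: a mutex and condition variable stand in for the kernel's lock-free fast path, sched_yield() stands in for the time vflush() takes, and the "update" keeps the ordering the mail criticises (flag set before the VFS_MOUNT() equivalent, cleared again on failure) so that the effect of running it under suspension can be observed. The writer threads, iteration counts and the `bad` counter are constructed for this illustration.

```c
/* Model of vfs_suspend()/fstrans_start()/fstrans_done() protecting an
 * rw -> ro update.  Illustration only; not NetBSD's implementation. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>

#define MNT_RDONLY 0x00000001       /* the mount flag discussed in the mail */

struct mount {
    pthread_mutex_t lock;
    pthread_cond_t  cv;
    int  suspended;                 /* set while vfs_suspend() holds the fs */
    int  active;                    /* transactions between start and done */
    _Atomic int flags;              /* MNT_* flags; atomic so the racy mode
                                       stays well defined C */
};

static void mount_init(struct mount *mp)
{
    pthread_mutex_init(&mp->lock, NULL);
    pthread_cond_init(&mp->cv, NULL);
    mp->suspended = 0;
    mp->active = 0;
    mp->flags = 0;
}

/* Enter a transaction; stall while the file system is suspended. */
static void fstrans_start(struct mount *mp)
{
    pthread_mutex_lock(&mp->lock);
    while (mp->suspended)
        pthread_cond_wait(&mp->cv, &mp->lock);
    mp->active++;
    pthread_mutex_unlock(&mp->lock);
}

/* Leave a transaction; wake a suspender waiting for the fs to drain. */
static void fstrans_done(struct mount *mp)
{
    pthread_mutex_lock(&mp->lock);
    if (--mp->active == 0)
        pthread_cond_broadcast(&mp->cv);
    pthread_mutex_unlock(&mp->lock);
}

/* Block new transactions, then wait until the running ones have finished. */
static void vfs_suspend(struct mount *mp)
{
    pthread_mutex_lock(&mp->lock);
    mp->suspended = 1;
    while (mp->active > 0)
        pthread_cond_wait(&mp->cv, &mp->lock);
    pthread_mutex_unlock(&mp->lock);
}

static void vfs_resume(struct mount *mp)
{
    pthread_mutex_lock(&mp->lock);
    mp->suspended = 0;
    pthread_cond_broadcast(&mp->cv);
    pthread_mutex_unlock(&mp->lock);
}

/* The rw -> ro update with the ordering the mail criticises: MNT_RDONLY is
 * set before the vflush() equivalent and cleared if that fails.  With
 * use_suspend set, no operation can run inside that window.  Returns 0 on
 * success, -1 if the (simulated) VFS_MOUNT() failed. */
static int update_to_readonly(struct mount *mp, int vflush_ok, int use_suspend)
{
    if (use_suspend)
        vfs_suspend(mp);
    mp->flags |= MNT_RDONLY;        /* current code: set before VFS_MOUNT() */
    sched_yield();                  /* stand-in for the time vflush() takes */
    if (!vflush_ok)
        mp->flags &= ~MNT_RDONLY;   /* VFS_MOUNT() failed: back to read-write */
    if (use_suspend)
        vfs_resume(mp);
    return vflush_ok ? 0 : -1;
}

/* Flags left on a fresh mount after one suspended update (helper for checks). */
static int single_update(int vflush_ok)
{
    struct mount mp;
    mount_init(&mp);
    update_to_readonly(&mp, vflush_ok, 1);
    return mp.flags;
}

struct worker_arg { struct mount *mp; int iters; int bad; };

/* A write operation.  Every update in the simulation fails, so the file
 * system never really becomes read-only: seeing MNT_RDONLY, or seeing the
 * flags change within one operation, is exactly the race from the mail. */
static void *writer(void *p)
{
    struct worker_arg *wa = p;
    for (int i = 0; i < wa->iters; i++) {
        fstrans_start(wa->mp);
        int before = wa->mp->flags;
        sched_yield();
        int after = wa->mp->flags;
        if (before != after || (before & MNT_RDONLY))
            wa->bad++;
        fstrans_done(wa->mp);
    }
    return NULL;
}

/* Runs nworkers (at most 8) write operations concurrently with repeated
 * failing updates; returns how many operations observed the transient
 * read-only state.  With use_suspend this is always 0. */
static int run_simulation(int use_suspend, int nworkers, int iters)
{
    struct mount mp;
    pthread_t tids[8];
    struct worker_arg args[8];
    int bad = 0;

    mount_init(&mp);
    if (nworkers > 8)
        nworkers = 8;
    for (int i = 0; i < nworkers; i++) {
        args[i].mp = &mp; args[i].iters = iters; args[i].bad = 0;
        pthread_create(&tids[i], NULL, writer, &args[i]);
    }
    for (int i = 0; i < iters; i++) {
        update_to_readonly(&mp, 0, use_suspend);
        sched_yield();              /* let stalled writers make progress */
    }
    for (int i = 0; i < nworkers; i++) {
        pthread_join(tids[i], NULL);
        bad += args[i].bad;
    }
    return bad;
}

int main(void)
{
    printf("without suspend: %d operations saw the transient state\n",
           run_simulation(0, 4, 200));
    printf("with suspend:    %d operations saw the transient state\n",
           run_simulation(1, 4, 200));
    return 0;
}
```

The unsuspended run may or may not report a non-zero count on a given machine, since it depends on scheduling; the suspended run cannot, because a writer only reads the flags while `active > 0` and the updater only changes them after vfs_suspend() has seen `active == 0` and blocked new fstrans_start() calls. That is the property the mail wants: operations see the state before or after the update, never in between.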
