can someone test this? and eyeball the use of a pointer as data to get mixed into the hash?
Index: ufs_quota.c =================================================================== RCS file: /cvs/src/sys/ufs/ufs/ufs_quota.c,v retrieving revision 1.35 diff -u -p -r1.35 ufs_quota.c --- ufs_quota.c 13 Oct 2014 03:46:33 -0000 1.35 +++ ufs_quota.c 17 Nov 2014 00:59:49 -0000 @@ -53,6 +53,9 @@ #include <sys/queue.h> +#include <dev/rndvar.h> +#include <crypto/siphash.h> + /* * The following structure records disk usage for a user or group on a * filesystem. There is one allocated for each quota that exists on any @@ -805,9 +808,8 @@ qsync(struct mount *mp) /* * Code pertaining to management of the in-core dquot data structures. */ -#define DQHASH(dqvp, id) \ - (&dqhashtbl[((((long)(dqvp)) >> 8) + id) & dqhash]) LIST_HEAD(dqhash, dquot) *dqhashtbl; +SIPHASH_KEY dqhashkey; u_long dqhash; /* @@ -824,6 +826,7 @@ void ufs_quota_init(void) { dqhashtbl = hashinit(desiredvnodes, M_DQUOT, M_WAITOK, &dqhash); + arc4random_buf(&dqhashkey, sizeof(dqhashkey)); TAILQ_INIT(&dqfreelist); } @@ -835,6 +838,7 @@ int dqget(struct vnode *vp, u_long id, struct ufsmount *ump, int type, struct dquot **dqp) { + SIPHASH_CTX ctx; struct proc *p = curproc; struct dquot *dq; struct dqhash *dqh; @@ -851,7 +855,11 @@ dqget(struct vnode *vp, u_long id, struc /* * Check the cache first. */ - dqh = DQHASH(dqvp, id); + SipHash24_Init(&ctx, &dqhashkey); + SipHash24_Update(&ctx, &dqvp, sizeof(dqvp)); + SipHash24_Update(&ctx, &id, sizeof(id)); + dqh = &dqhashtbl[SipHash24_End(&ctx) & dqhash]; + LIST_FOREACH(dq, dqh, dq_hash) { if (dq->dq_id != id || dq->dq_vp != dqvp)