ved: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 59GFVSJN000902; Thu, 16 Oct 2025 15:31:28 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 59GFVSP2000899; Thu, 16 Oct 2025 15:31:28 GMT (envelope-from git) Date: Thu, 16 Oct 2025 15:31:28 GMT Message-Id: <202510161531.59GFVSP2000899@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: "Jason A. Harmening" Subject: git: a498c5e1a111 - main - unionfs: avoid vdrop()ing a locked but doomed vnode List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jah X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: a498c5e1a111ae8c48b8e7028daff861785c2bf2 Auto-Submitted: auto-generated The branch main has been updated by jah: URL: https://cgit.FreeBSD.org/src/commit/?id=a498c5e1a111ae8c48b8e7028daff861785c2bf2 commit a498c5e1a111ae8c48b8e7028daff861785c2bf2 Author: Jason A. Harmening AuthorDate: 2025-10-14 19:40:39 +0000 Commit: Jason A. Harmening CommitDate: 2025-10-16 15:30:34 +0000 unionfs: avoid vdrop()ing a locked but doomed vnode unionfs_lock() unconditionally calls vdrop() on the target vnode after locking it, but it's possible this vnode may be doomed. In that case, vdrop() may free the vnode, which in certain cases requires taking the vnode lock. Commit a7aac8c20497d added an assert to this effect, which unionfs_lock() now trips over. Fix this by lightly reworking the flow of unionfs_lock() so that the target vnode is vdrop()ed after being unlocked in the case where the unionfs lock operation needs to be restarted (which will happen if the unionfs vnode has been doomed, which is a prerequisite for the target vnode in the underlying filesystem to have been doomed). While here, get rid of a superfluous vhold/vdrop sequence in unionfs_unlock() that was probably inherited from nullfs and whose nullfs equivalent was recently removed. MFC after: 1 week Reviewed by: kib, markj, olce Tested by: pho Differential Revision: https://reviews.freebsd.org/D53107 --- sys/fs/unionfs/union_vnops.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/sys/fs/unionfs/union_vnops.c b/sys/fs/unionfs/union_vnops.c index 26fa14603c85..66fee97a07d5 100644 --- a/sys/fs/unionfs/union_vnops.c +++ b/sys/fs/unionfs/union_vnops.c @@ -2208,7 +2208,6 @@ unionfs_lock_restart: vholdnz(tvp); VI_UNLOCK(vp); error = VOP_LOCK(tvp, flags); - vdrop(tvp); if (error == 0 && (lvp_locked || VTOUNIONFS(vp) == NULL)) { /* * After dropping the interlock above, there exists a window @@ -2234,6 +2233,7 @@ unionfs_lock_restart: unp = VTOUNIONFS(vp); if (unp == NULL || unp->un_uppervp != NULL) { VOP_UNLOCK(tvp); + vdrop(tvp); /* * If we previously held the lock, the upgrade may * have temporarily dropped the lock, in which case @@ -2249,6 +2249,7 @@ unionfs_lock_restart: goto unionfs_lock_restart; } } + vdrop(tvp); return (error); } @@ -2259,7 +2260,6 @@ unionfs_unlock(struct vop_unlock_args *ap) struct vnode *vp; struct vnode *tvp; struct unionfs_node *unp; - int error; KASSERT_UNIONFS_VNODE(ap->a_vp); @@ -2271,11 +2271,7 @@ unionfs_unlock(struct vop_unlock_args *ap) tvp = (unp->un_uppervp != NULL ? unp->un_uppervp : unp->un_lowervp); - vholdnz(tvp); - error = VOP_UNLOCK(tvp); - vdrop(tvp); - - return (error); + return (VOP_UNLOCK(tvp)); } static int