Date:      Mon, 24 Nov 2025 17:31:26 +0000
From:      Colin Percival <cperciva@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc:        Mark Johnston <markj@FreeBSD.org>
Subject:   git: 76883b793db8 - releng/15.0 - inotify: Work around the vput() bug directly
Message-ID:  <6924966e.3e9a0.3ec1daa2@gitrepo.freebsd.org>


The branch releng/15.0 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=76883b793db8385dd98bc81ac993f73eeda6164f

commit 76883b793db8385dd98bc81ac993f73eeda6164f
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-11-15 18:00:44 +0000
Commit:     Colin Percival <cperciva@FreeBSD.org>
CommitDate: 2025-11-24 17:31:16 +0000

    inotify: Work around the vput() bug directly
    
    For 15.0, apply a minimal fix which at least ensures that inotify can't
    trigger the latent race described in commit 99cb3dca4773 ("vnode: Rework
    vput() to avoid holding the vnode lock after decrementing").
    
    Approved by:    re (cperciva)
    Reviewed by:    olce, kib
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D53774
    
    (cherry picked from commit ebc17879f0885ca87644980f6275b9759b311eb3)
    (cherry picked from commit 1f6e3abf41718e8e4a309be122f0a6048e9c5772)
---
 sys/kern/vfs_inotify.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sys/kern/vfs_inotify.c b/sys/kern/vfs_inotify.c
index b265a5ff3a62..de8f99ea8d2f 100644
--- a/sys/kern/vfs_inotify.c
+++ b/sys/kern/vfs_inotify.c
@@ -380,7 +380,14 @@ inotify_unlink_watch_locked(struct inotify_softc *sc, struct inotify_watch *watc
 static void
 inotify_free_watch(struct inotify_watch *watch)
 {
-	vrele(watch->vp);
+	/*
+	 * Formally, we don't need to lock the vnode here.  However, if we
+	 * don't, and vrele() releases the last reference, it's possible the
+	 * vnode will be recycled while a different thread holds the vnode lock.
+	 * Work around this bug by acquiring the lock here.
+	 */
+	(void)vn_lock(watch->vp, LK_EXCLUSIVE | LK_RETRY);
+	vput(watch->vp);
 	free(watch, M_INOTIFY);
 }
 
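Review bot: the new comment in inotify_free_watch() says "Work around this bug" without saying which bug, so a reader of vfs_inotify.c alone cannot tell when the workaround may be removed. The commit message ties it to the race described in commit 99cb3dca4773; naming that commit in the comment, or marking the comment XXX, would let the vn_lock()/vput() pair be reverted to the plain vrele() once the underlying vput() rework is present on the branch. Separately, the function now takes the vnode lock exclusively on every call, so each caller has to be in a context where acquiring that lock is permitted and consistent with lock order. The callers are not part of this hunk, so that is worth confirming against the paths that reach inotify_free_watch().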

