From owner-svn-src-head@freebsd.org Thu Sep 14 08:47:07 2017 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DE62AE08A6E; Thu, 14 Sep 2017 08:47:07 +0000 (UTC) (envelope-from avg@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A7C766AD3F; Thu, 14 Sep 2017 08:47:07 +0000 (UTC) (envelope-from avg@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v8E8l6Ct006796; Thu, 14 Sep 2017 08:47:06 GMT (envelope-from avg@FreeBSD.org) Received: (from avg@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v8E8l6GN006794; Thu, 14 Sep 2017 08:47:06 GMT (envelope-from avg@FreeBSD.org) Message-Id: <201709140847.v8E8l6GN006794@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: avg set sender to avg@FreeBSD.org using -f From: Andriy Gapon Date: Thu, 14 Sep 2017 08:47:06 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r323578 - in head/sys: cddl/compat/opensolaris/kern kern X-SVN-Group: head X-SVN-Commit-Author: avg X-SVN-Commit-Paths: in head/sys: cddl/compat/opensolaris/kern kern X-SVN-Commit-Revision: 323578 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Sep 2017 08:47:08 -0000 Author: avg Date: Thu Sep 14 08:47:06 2017 New Revision: 323578 URL: https://svnweb.freebsd.org/changeset/base/323578 Log: dounmount: do not release the mount point's reference on the covered vnode As long as mnt_ref is not zero there can be a consumer that might try to access mnt_vnodecovered. For this reason the covered vnode must not be freed until mnt_ref goes to zero. So, move the release of the covered vnode to vfs_mount_destroy. Reviewed by: kib MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D12329 Modified: head/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c head/sys/kern/vfs_mount.c Modified: head/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c ============================================================================== --- head/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c Thu Sep 14 05:48:23 2017 (r323577) +++ head/sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c Thu Sep 14 08:47:06 2017 (r323578) @@ -209,6 +209,7 @@ mount_snapshot(kthread_t *td, vnode_t **vpp, const cha vput(vp); vfs_unbusy(mp); vfs_freeopts(mp->mnt_optnew); + mp->mnt_vnodecovered = NULL; vfs_mount_destroy(mp); return (error); } Modified: head/sys/kern/vfs_mount.c ============================================================================== --- head/sys/kern/vfs_mount.c Thu Sep 14 05:48:23 2017 (r323577) +++ head/sys/kern/vfs_mount.c Thu Sep 14 08:47:06 2017 (r323578) @@ -507,6 +507,8 @@ vfs_mount_destroy(struct mount *mp) KASSERT(mp->mnt_ref == 0, ("%s: invalid refcount in the drain path @ %s:%d", __func__, __FILE__, __LINE__)); + if (mp->mnt_vnodecovered != NULL) + vrele(mp->mnt_vnodecovered); if (mp->mnt_writeopcount != 0) panic("vfs_mount_destroy: nonzero writeopcount"); if (mp->mnt_secondary_writes != 0) @@ -819,6 +821,7 @@ vfs_domount_first( error = VFS_MOUNT(mp); if (error != 0) { vfs_unbusy(mp); + mp->mnt_vnodecovered = NULL; vfs_mount_destroy(mp); VI_LOCK(vp); vp->v_iflag &= ~VI_MOUNT; @@ -1426,7 +1429,7 @@ dounmount(struct mount *mp, int flags, struct thread * EVENTHANDLER_INVOKE(vfs_unmounted, mp, td); if (coveredvp != NULL) { coveredvp->v_mountedhere = NULL; - vput(coveredvp); + VOP_UNLOCK(coveredvp, 0); } vfs_event_signal(NULL, VQ_UNMOUNT, 0); if (mp == rootdevmp)