From: Andriy Gapon
Date: Tue, 12 Jul 2016 11:46:13 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject: svn commit: r302652 - vendor-sys/illumos/dist/uts/common/fs/zfs

Author: avg
Date: Tue Jul 12 11:46:13 2016
New Revision: 302652
URL: https://svnweb.freebsd.org/changeset/base/302652

Log:
  5768 zfsctl_snapshot_inactive() can leak a vnode hold
  illumos/illumos-gate@20a95fb2c4af266e063e0cf86037f910a303c710
  https://github.com/illumos/illumos-gate/commit/20a95fb2c4af266e063e0cf86037f910a303c710

  https://www.illumos.org/issues/5768
    zfsctl_snapshot_inactive() leaks a hold on the dvp (directory vnode) if
    v_count > 1.
    reproduce by:
    create a fs with 100 snapshots.
    have a thread do:
      while true; do ls -l /test/snaps/.zfs/snapshot >/dev/null; done
    have another thread do:
      while true; do zfs promote test/clone; zfs promote test/snaps; done
    use dtrace to delay & observe:
      dtrace -w -xd \
        -n 'vn_rele:entry/args[0] == (void*)0xffffff01dd42ce80ULL/{@[stack()]=count(); chill(100000);}' \
        -n 'zfsctl_snapshot_inactive:entry{ if (args[0]->v_count > 1) trace(args[0]->v_count); self->vp=args[0];}' \
        -n 'gfs_vop_inactive:entry/callers["zfsctl_snapshot_inactive"]/{self->good=1; @[stack()]=count()}' \
        -n 'zfsctl_snapshot_inactive:return{if (self->good) self->good=0; else printf("bad return");}' \
        -n 'gfs_dir_lookup:return/callers["zfsctl_snapshot_inactive"] && self->vp->v_count > 1/{trace(self->vp->v_count)}'
    the address is found by selecting one of the outputs of this at random:
      dtrace -n 'zfsctl_snapshot_inactive:entry{print(args[0]);}'
    when you see "bad return", we have hit the bug.
    Then doing "zfs umount test/snaps" will fail with EBUSY.

    When we hit this case, we also leak the hold on the target vnode (vn).
    When the inactive callback is called on a vnode with v_count > 1, it needs
    to be decremented.

  Reviewed by: George Wilson
  Reviewed by: Prakash Surya
  Reviewed by: Adam Leventhal
  Reviewed by: Bayard Bell
  Approved by: Rich Lowe
  Author: Matthew Ahrens

Modified:
  vendor-sys/illumos/dist/uts/common/fs/zfs/zfs_ctldir.c

Modified: vendor-sys/illumos/dist/uts/common/fs/zfs/zfs_ctldir.c ============================================================================== --- vendor-sys/illumos/dist/uts/common/fs/zfs/zfs_ctldir.c Tue Jul 12 11:37:19 2016 (r302651) +++ vendor-sys/illumos/dist/uts/common/fs/zfs/zfs_ctldir.c Tue Jul 12 11:46:13 2016 (r302652) @@ -20,7 +20,7 @@ */ /* * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright (c) 2013 by Delphix. All rights reserved. + * Copyright (c) 2012, 2014 by Delphix. All rights reserved. * Copyright 2015, OmniTI Computer Consulting, Inc. All rights reserved. */ 
@@ -1214,10 +1214,15 @@ zfsctl_snapshot_inactive(vnode_t *vp, cr mutex_enter(&sdp->sd_lock); + mutex_enter(&vp->v_lock); if (vp->v_count > 1) { + vp->v_count--; + mutex_exit(&vp->v_lock); mutex_exit(&sdp->sd_lock); + VN_RELE(dvp); return; } + mutex_exit(&vp->v_lock); ASSERT(!vn_ismntpt(vp)); sep = avl_first(&sdp->sd_snaps);
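Review bot: In the zfsctl_snapshot_inactive() hunk, the fall-through path drops vp->v_lock right after the v_count > 1 test, so by the time ASSERT(!vn_ismntpt(vp)) and the avl_first(&sdp->sd_snaps) walk run, the "last hold" conclusion is no longer protected by v_lock. If holding sdp->sd_lock is what keeps a new hold from being taken on vp at that point, please say so in a comment above the added mutex_exit(&vp->v_lock); otherwise the check and the teardown need to sit under the same lock. The early-return branch would also benefit from a short comment explaining that the inactive callback itself must do vp->v_count-- when other holds exist, and that VN_RELE(dvp) pairs with the hold on dvp taken earlier in this function, since neither is obvious from the visible lines. Finally, the hunk takes vp->v_lock while already holding sdp->sd_lock; it is worth noting that ordering (sd_lock before v_lock) in the comment so later changes do not invert it.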