Module Name:    src
Committed By:   sborrill
Date:           Wed Jan 27 21:26:45 UTC 2010

Modified Files:
        src/sys/ufs/ufs [netbsd-5]: ufs_quota.c

Log Message:
Pull up the following revision(s) (requested by bouyer in ticket #1252):
        sys/ufs/ufs/ufs_quota.c:        revision 1.65

vclean() actually sets v_tag to VT_NON but doesn't touch v_type.
getcleanvnode() sets v_type to VNON after releasing v_interlock.
So the thread doing quotaon(), quotaoff() or qsync() could vget()
a vnode which is being recycled in getcleanvnode(), after it has
been cleaned and v_interlock released, but before v_type has been
reset, leading to KASSERT(vp->v_usecount == 1) firing in
getnewvnode(), or qsync() dereferencing a NULL pointer as in
PR kern/42205.
Fix by using the same tests as other ffs functions traversing the mount
list: also check for VTOI(vp) == NULL, and VI_XLOCK in addition
to VI_CLEAN.


To generate a diff of this commit:
cvs rdiff -u -r1.60.10.3 -r1.60.10.4 src/sys/ufs/ufs/ufs_quota.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/ufs/ufs/ufs_quota.c
diff -u src/sys/ufs/ufs/ufs_quota.c:1.60.10.3 src/sys/ufs/ufs/ufs_quota.c:1.60.10.4
--- src/sys/ufs/ufs/ufs_quota.c:1.60.10.3	Fri Aug  7 05:59:44 2009
+++ src/sys/ufs/ufs/ufs_quota.c	Wed Jan 27 21:26:45 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: ufs_quota.c,v 1.60.10.3 2009/08/07 05:59:44 snj Exp $	*/
+/*	$NetBSD: ufs_quota.c,v 1.60.10.4 2010/01/27 21:26:45 sborrill Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1990, 1993, 1995
@@ -35,7 +35,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ufs_quota.c,v 1.60.10.3 2009/08/07 05:59:44 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ufs_quota.c,v 1.60.10.4 2010/01/27 21:26:45 sborrill Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -473,9 +473,9 @@
 	for (vp = TAILQ_FIRST(&mp->mnt_vnodelist); vp; vp = vunmark(mvp)) {
 		vmark(mvp, vp);
 		mutex_enter(&vp->v_interlock);
-		if (vp->v_mount != mp || vismarker(vp) ||
+		if (VTOI(vp) == NULL || vp->v_mount != mp || vismarker(vp) ||
 		    vp->v_type == VNON || vp->v_writecount == 0 ||
-		    (vp->v_iflag & VI_CLEAN) != 0) {
+		    (vp->v_iflag & (VI_XLOCK | VI_CLEAN)) != 0) {
 			mutex_exit(&vp->v_interlock);
 			continue;
 		}
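Review bot: The widened skip test in this hunk now encodes a non-obvious recycling race, but nothing in the code says why `VTOI(vp) == NULL` or `VI_XLOCK` is needed; a short comment above the `if` would keep the next maintainer from "simplifying" it back, e.g. `/* Skip vnodes being cleaned or recycled: v_data is gone or VI_XLOCK/VI_CLEAN is set before v_type is reset (PR kern/42205). */`. The same predicate is repeated verbatim in the hunks at @@ -543 and @@ -728, so a `static inline` helper such as `ufs_quota_skip_vnode(vp, mp)` (with the extra `v_writecount == 0` term kept local to this loop) would guarantee the three traversals stay in sync, which is exactly the drift this commit is correcting. The enclosing loop body continues past the hunk, so the `vget()` that these checks protect is not visible here.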
@@ -543,8 +543,9 @@
 	for (vp = TAILQ_FIRST(&mp->mnt_vnodelist); vp; vp = vunmark(mvp)) {
 		vmark(mvp, vp);
 		mutex_enter(&vp->v_interlock);
-		if (vp->v_mount != mp || vismarker(vp) || vp->v_type == VNON ||
-		    (vp->v_iflag & VI_CLEAN) != 0) {
+		if (VTOI(vp) == NULL || vp->v_mount != mp || vismarker(vp) ||
+		    vp->v_type == VNON ||
+		    (vp->v_iflag & (VI_XLOCK | VI_CLEAN)) != 0) {
 			mutex_exit(&vp->v_interlock);
 			continue;
 		}
@@ -728,8 +729,9 @@
 	for (vp = TAILQ_FIRST(&mp->mnt_vnodelist); vp; vp = vunmark(mvp)) {
 		vmark(mvp, vp);
 		mutex_enter(&vp->v_interlock);
-		if (vp->v_mount != mp || vismarker(vp) || vp->v_type == VNON ||
-		    (vp->v_iflag & VI_CLEAN) != 0) {
+		if (VTOI(vp) == NULL || vp->v_mount != mp || vismarker(vp) ||
+		    vp->v_type == VNON ||
+		    (vp->v_iflag & (VI_XLOCK | VI_CLEAN)) != 0) {
 			mutex_exit(&vp->v_interlock);
 			continue;
 		}
