On Fri, Feb 28, 2014 at 03:41:33PM +0000, Taylor R Campbell wrote:
> Nope. After DESTROYING it gets freed. The protocol is this:
>
> 1. When vfs decides to destroy a vnode, it enters DESTROYING.
> 2. During this time, vget returns ENOENT for it.
> 3. VOP_RECLAIM unhooks it from all data structures (e.g., ufs_ihash).
> 4. Once VOP_RECLAIM returns, nobody else will even try to vget it.
> 5. vfs vnfrees the vnode.
>
> That said, I made vnfree change its state to UNINITIALIZED so that
> anything trying to use-after-free will crash.
For this to work, the inode must be synced before it enters the DESTROYING state. Otherwise you get this fun exciting race:

   vp becomes inactive
   vfs decides to destroy vp
   vp's state is now DESTROYING
   someone else looks up this inode
   vget returns ENOENT
   a new vnode nvp is created and loaded
   VOP_RECLAIM is called
   vp gets synced

and now nvp is wrong.

If I'm reading the ffs code correctly it doesn't do the final stuff until reclaim. But I might not be.

-- 
David A. Holland
dholl...@netbsd.org
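A toy C model of the interleaving described in this reply, added here as an illustration; it is not code from the thread or from NetBSD. The three-value vnode state, the single-slot ihash and the integer-per-inode "disk" are constructed assumptions that stand in for the real structures.

```c
/* Constructed model of the vnode destroy/lookup race (not NetBSD code). */
#include <errno.h>

enum vstate { UNINITIALIZED, LOADED, DESTROYING };

struct vnode { enum vstate state; int ino; int data; int dirty; };

static int disk[4];             /* constructed on-disk inode payloads */
static struct vnode *ihash[4];  /* constructed one-vnode-per-inode hash */

/* Write the in-memory inode back if it is dirty. */
static void vnsync(struct vnode *vp) {
    if (vp->dirty) { disk[vp->ino] = vp->data; vp->dirty = 0; }
}

/* Step 2 of the protocol: a DESTROYING vnode is invisible to vget. */
static int vget(int ino, struct vnode **out) {
    struct vnode *vp = ihash[ino];
    if (vp && vp->state == LOADED) { *out = vp; return 0; }
    return ENOENT;
}

/* Lookup that allocates and loads a fresh vnode from disk when vget fails. */
static struct vnode *lookup(int ino, struct vnode *fresh) {
    struct vnode *vp;
    if (vget(ino, &vp) == 0) return vp;
    fresh->state = LOADED; fresh->ino = ino;
    fresh->data = disk[ino]; fresh->dirty = 0;
    ihash[ino] = fresh;
    return fresh;
}

/* Run the interleaving from the mail. With sync_before_destroying == 0 the
 * inode is only synced in VOP_RECLAIM (the race); with 1 it is synced before
 * vp enters DESTROYING. Returns the data the new vnode nvp ends up holding. */
static int simulate(int sync_before_destroying) {
    struct vnode vp = { LOADED, 1, 0, 0 }, nvp = { UNINITIALIZED, 0, 0, 0 };
    disk[1] = 10; ihash[1] = &vp;
    vp.data = 20; vp.dirty = 1;                 /* inode modified in memory */
    if (sync_before_destroying) vnsync(&vp);    /* fix: sync first */
    vp.state = DESTROYING;                      /* vfs decides to destroy vp */
    struct vnode *got = lookup(1, &nvp);        /* someone else looks it up */
    vnsync(&vp);                                /* VOP_RECLAIM: vp gets synced */
    if (ihash[1] == &vp) ihash[1] = 0;          /* VOP_RECLAIM unhooks vp */
    vp.state = UNINITIALIZED;                   /* vnfree */
    return got->data;   /* racy: 10 (stale); fixed: 20 */
}
```

In the racy ordering nvp was loaded from the on-disk copy before vp's dirty data reached it, so nvp and the disk disagree afterwards; syncing before DESTROYING removes the window.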