git: e0e72e797347 - stable/15 - unionfs: avoid vdrop()ing a locked but doomed vnode

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Jason A. Harmening <jah_at_FreeBSD.org>
Date: Mon, 03 Nov 2025 05:31:44 UTC
The branch stable/15 has been updated by jah:

URL: https://cgit.FreeBSD.org/src/commit/?id=e0e72e797347f51888645a2e3c2e21c51f5a355c

commit e0e72e797347f51888645a2e3c2e21c51f5a355c
Author:     Jason A. Harmening <jah@FreeBSD.org>
AuthorDate: 2025-10-14 19:40:39 +0000
Commit:     Jason A. Harmening <jah@FreeBSD.org>
CommitDate: 2025-11-03 04:33:32 +0000

    unionfs: avoid vdrop()ing a locked but doomed vnode
    
    unionfs_lock() unconditionally calls vdrop() on the target vnode
    after locking it, but it's possible this vnode may be doomed.
    In that case, vdrop() may free the vnode, which in certain cases
    requires taking the vnode lock.  Commit a7aac8c20497d added an
    assert to this effect, which unionfs_lock() now trips over.
    
    Fix this by lightly reworking the flow of unionfs_lock() so that
    the target vnode is vdrop()ed after being unlocked in the case
    where the unionfs lock operation needs to be restarted (which
    will happen if the unionfs vnode has been doomed, which is a
    prerequisite for the target vnode in the underlying filesystem
    to have been doomed).
    
    While here, get rid of a superfluous vhold/vdrop sequence in
    unionfs_unlock() that was probably inherited from nullfs and whose
    nullfs equivalent was recently removed.
    
    Reviewed by:    kib, markj, olce
    Tested by:      pho
    Differential Revision: https://reviews.freebsd.org/D53107
    
    (cherry picked from commit a498c5e1a111ae8c48b8e7028daff861785c2bf2)
---
 sys/fs/unionfs/union_vnops.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/sys/fs/unionfs/union_vnops.c b/sys/fs/unionfs/union_vnops.c
index 0a91d1d5ed02..410ab413b172 100644
--- a/sys/fs/unionfs/union_vnops.c
+++ b/sys/fs/unionfs/union_vnops.c
@@ -2208,7 +2208,6 @@ unionfs_lock_restart:
 	vholdnz(tvp);
 	VI_UNLOCK(vp);
 	error = VOP_LOCK(tvp, flags);
-	vdrop(tvp);
 	if (error == 0 && (lvp_locked || VTOUNIONFS(vp) == NULL)) {
 		/*
 		 * After dropping the interlock above, there exists a window
@@ -2234,6 +2233,7 @@ unionfs_lock_restart:
 		unp = VTOUNIONFS(vp);
 		if (unp == NULL || unp->un_uppervp != NULLVP) {
 			VOP_UNLOCK(tvp);
+			vdrop(tvp);
 			/*
 			 * If we previously held the lock, the upgrade may
 			 * have temporarily dropped the lock, in which case
@@ -2249,6 +2249,7 @@ unionfs_lock_restart:
 			goto unionfs_lock_restart;
 		}
 	}
+	vdrop(tvp);
 
 	return (error);
 }
@@ -2259,7 +2260,6 @@ unionfs_unlock(struct vop_unlock_args *ap)
 	struct vnode   *vp;
 	struct vnode   *tvp;
 	struct unionfs_node *unp;
-	int		error;
 
 	KASSERT_UNIONFS_VNODE(ap->a_vp);
 
@@ -2271,11 +2271,7 @@ unionfs_unlock(struct vop_unlock_args *ap)
 
 	tvp = (unp->un_uppervp != NULL ? unp->un_uppervp : unp->un_lowervp);
 
-	vholdnz(tvp);
-	error = VOP_UNLOCK(tvp);
-	vdrop(tvp);
-
-	return (error);
+	return (VOP_UNLOCK(tvp));
 }
 
 static int