svn commit: r302652 - vendor-sys/illumos/dist/uts/common/fs/zfs

Andriy Gapon avg at FreeBSD.org
Tue Jul 12 11:46:14 UTC 2016


Author: avg
Date: Tue Jul 12 11:46:13 2016
New Revision: 302652
URL: https://svnweb.freebsd.org/changeset/base/302652

Log:
  5768 zfsctl_snapshot_inactive() can leak a vnode hold
  
  illumos/illumos-gate at 20a95fb2c4af266e063e0cf86037f910a303c710
  https://github.com/illumos/illumos-gate/commit/20a95fb2c4af266e063e0cf86037f910a303c710
  
  https://www.illumos.org/issues/5768
    zfsctl_snapshot_inactive() leaks a hold on the dvp (directory vnode) if v_count > 1.
    reproduce by:
    create a fs with 100 snapshots.
    have a thread do:
    while true; do ls -l /test/snaps/.zfs/snapshot >/dev/null; done
    have another thread do:
    while true; do zfs promote test/clone; zfs promote test/snaps; done
    use dtrace to delay & observe:
    dtrace -w -xd \\
    -n 'vn_rele:entry/args0 == (void*)0xffffff01dd42ce80ULL/{[stack()]=count(); chill(100000);}' \\
    -n 'zfsctl_snapshot_inactive:entry{ if (args[0]->v_count > 1) trace(args[0]->v_count); self->vp=args[0];}' \\
    -n 'gfs_vop_inactive:entry/callers["zfsctl_snapshot_inactive"]/{self->good=1; [stack()]=count()}' \\
    -n 'zfsctl_snapshot_inactive:return{if (self->good) self->good=0; else printf ("bad return");}' \\
    -n 'gfs_dir_lookup:return/callers["zfsctl_snapshot_inactive"] && self->vp->v_count > 1/{trace(self->vp->v_count)}'
    the address is found by selecting one of the output of this at random:
    dtrace -n 'zfsctl_snapshot_inactive:entry{print(args[0]);'
    when you see "bad return", we have hit the bug. Then doing "zfs umount test/snaps" will fail with EBUSY.
    When we hit this case, we also leak the hold on the target vnode (vn). When the
    inactive callback is called on a vnode with v_count > 1, it needs to be
    decremented.
  
  Reviewed by: George Wilson <george at delphix.com>
  Reviewed by: Prakash Surya <prakash.surya at delphix.com>
  Reviewed by: Adam Leventhal <adam.leventhal at delphix.com>
  Reviewed by: Bayard Bell <buffer.g.overflow at gmail.com>
  Approved by: Rich Lowe <richlowe at richlowe.net>
  Author: Matthew Ahrens <mahrens at delphix.com>

Modified:
  vendor-sys/illumos/dist/uts/common/fs/zfs/zfs_ctldir.c

Modified: vendor-sys/illumos/dist/uts/common/fs/zfs/zfs_ctldir.c
==============================================================================
--- vendor-sys/illumos/dist/uts/common/fs/zfs/zfs_ctldir.c	Tue Jul 12 11:37:19 2016	(r302651)
+++ vendor-sys/illumos/dist/uts/common/fs/zfs/zfs_ctldir.c	Tue Jul 12 11:46:13 2016	(r302652)
@@ -20,7 +20,7 @@
  */
 /*
  * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright (c) 2013 by Delphix. All rights reserved.
+ * Copyright (c) 2012, 2014 by Delphix. All rights reserved.
  * Copyright 2015, OmniTI Computer Consulting, Inc. All rights reserved.
  */
 
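Review bot: the Delphix copyright line in the file header moves its start year back from 2013 to 2012 as well as adding 2014, and the log says nothing about it. Since this is a vendor import, confirm the line matches the referenced illumos-gate commit verbatim and is not a local edit.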
@@ -1214,10 +1214,15 @@ zfsctl_snapshot_inactive(vnode_t *vp, cr
 
 	mutex_enter(&sdp->sd_lock);
 
+	mutex_enter(&vp->v_lock);
 	if (vp->v_count > 1) {
+		vp->v_count--;
+		mutex_exit(&vp->v_lock);
 		mutex_exit(&sdp->sd_lock);
+		VN_RELE(dvp);
 		return;
 	}
+	mutex_exit(&vp->v_lock);
 	ASSERT(!vn_ismntpt(vp));
 
 	sep = avl_first(&sdp->sd_snaps);
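Review bot: the early-return branch under `if (vp->v_count > 1)` now open-codes `vp->v_count--` and adds `VN_RELE(dvp)`, but no comment in the code says why an inactive callback has to drop these references itself. The reasoning exists only in the log (the callback can be entered with v_count > 1, and returning without decrementing leaks the vnode hold and the hold on dvp, after which unmount fails with EBUSY). A short block comment above the `if` stating that would keep a later cleanup from removing the decrement as redundant. The same comment should record the lock order this hunk introduces, `vp->v_lock` taken while `sdp->sd_lock` is held, and that `VN_RELE(dvp)` is deliberately issued only after both mutexes are dropped.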

