Re: possible fix for PR 39307 (mfs sometimes crashing on unmount)

[Andrew Doran <ad%netbsd.org@localhost>]

On Thu, Sep 25, 2008 at 09:54:09PM +0930, Brett Lymn wrote:

> I have been puzzling over the symptoms of PR # 39307 for a while, mfs
> sometimes causes a panic in VFS_START.  Looking at it, mfs is a
> strange beast.  The start routine (mfs_start) does not exit until the
> mount is going away and then mfs_start() actually calls dounmount()
> directly to unmount itself - once this is done, the race is on, can
> mfs_start() exit and VFS_START() do it's final bit before the memory
> that was the struct mount * is reused.  Hence the crash.

Wow, I completely ignored that call to dounmount().

> following fixes the symptom but I don't know if it is the "right" way
> to fix the bug:
> 
> Index: mfs_vfsops.c
> ===================================================================
> RCS file: /cvsroot/src/sys/ufs/mfs/mfs_vfsops.c,v
> retrieving revision 1.98
> diff -u -r1.98 mfs_vfsops.c
> --- mfs_vfsops.c      28 Jun 2008 01:34:05 -0000      1.98
> +++ mfs_vfsops.c      25 Sep 2008 12:23:29 -0000
> @@ -403,7 +403,7 @@
>       mutex_enter(&mfs_lock);
>       mfsp->mfs_refcnt++;
>       mutex_exit(&mfs_lock);
> -     vfs_unbusy(mp, false, NULL);
> +     vfs_unbusy(mp, true, NULL);
>  
>       base = mfsp->mfs_baseoff;
>       mutex_enter(&mfs_lock);

That would leak a reference to the mountpoint in some cases. Since a
reference is held for us across VFS_START(), and dounmount() always
consumes a reference, we can simply add one before calling dounmount().
I will check in fix.

Andrew