NetBSD-Bugs archive
kern/37706: Forced unmount of file systems is unsafe
>Number: 37706
>Category: kern
>Synopsis: Forced unmount of file systems is unsafe
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jan 06 13:10:00 +0000 2008
>Originator: Andrew Doran
>Release: 4.99.48
>Organization:
The NetBSD Project
>Environment:
n/a
>Description:
- Reference counting is not done for struct mount and it can disappear
  out from underneath code that is using it.
- Modification of vnode_t::v_op while v_usecount != 0 is unsafe because
  it's not known whether deadfs or the original file system code will
  be called. Additionally the original fs code could be unloaded from
  the system.
>How-To-Repeat:
Code inspection.
>Fix:
For struct mount:

- Add reference counting to struct mount. Make struct mount
  persist until all references are removed.
- Replace lockmgr() 'handoff' trick used to access struct mount with
  reference counting and a rwlock.
- Have vnodes take references to struct mount.
- Have mounts reference the underlying file system type to prevent
  fs code from being unloaded.
- Have vfs_busy() return ENOENT for file systems in purgatory (this
  is done already in a slightly different way).

For vnode_t::v_op:

- Push locking back into file systems and store locks in the inode.
- Make VOP_RECLAIM() preserve the in-core inode structure if
  v_usecount > 1, but mark the structure as 'gone'.
- Make file system locks/gates return ENOENT if the inode is 'gone'.
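
Added example, not part of the original report and not NetBSD code: a single-threaded user-space C model of the struct mount lifetime rules proposed under "Fix" above. All identifiers (xmount, xfstype, xvnode, xm_*, xv_*) are hypothetical; a kernel implementation would need atomic reference counts and locking.

```c
/* Model of the proposed struct mount lifetime rules.
 * Hypothetical names throughout; this is not NetBSD kernel API. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

struct xfstype { int fs_refs; };        /* fs code; unloadable only at 0 refs */
struct xmount  { int m_refs; bool m_gone; struct xfstype *m_fs; };
struct xvnode  { struct xmount *v_mount; };

static int xm_freed;                    /* counts destroyed mounts (demo only) */

static struct xmount *xm_create(struct xfstype *fs) {
    struct xmount *mp = calloc(1, sizeof(*mp));
    if (mp == NULL) return NULL;
    mp->m_refs = 1;                     /* reference held by the mount table */
    mp->m_fs = fs;
    fs->fs_refs++;                      /* the mount pins the fs code */
    return mp;
}

static void xm_hold(struct xmount *mp) { mp->m_refs++; }

static void xm_rele(struct xmount *mp) {
    if (--mp->m_refs > 0) return;       /* still referenced: must persist */
    mp->m_fs->fs_refs--;                /* last reference: unpin fs code */
    free(mp);
    xm_freed++;
}

/* Models the proposed vfs_busy(): no new users once unmount has begun. */
static int xm_busy(struct xmount *mp) {
    if (mp->m_gone) return ENOENT;      /* file system is in purgatory */
    xm_hold(mp);
    return 0;
}

/* Vnodes take (and later drop) their own reference to the mount. */
static void xv_attach(struct xvnode *vp, struct xmount *mp) { xm_hold(mp); vp->v_mount = mp; }
static void xv_detach(struct xvnode *vp) { xm_rele(vp->v_mount); vp->v_mount = NULL; }

/* Forced unmount marks the mount gone and drops only the table's reference. */
static void xm_force_unmount(struct xmount *mp) { mp->m_gone = true; xm_rele(mp); }

static bool xfs_can_unload(const struct xfstype *fs) { return fs->fs_refs == 0; }
```

With a vnode still attached, xm_force_unmount() leaves the structure allocated and the fs code pinned; both are released only when the last vnode detaches.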