
[src/trunk]: src/sys/ufs/ufs vclean() actually sets v_tag to VT_NON but doesn...



details:   https://anonhg.NetBSD.org/src/rev/96941dc67ddf
branches:  trunk
changeset: 750821:96941dc67ddf
user:      bouyer <bouyer%NetBSD.org@localhost>
date:      Fri Jan 15 19:46:35 2010 +0000

description:
vclean() actually sets v_tag to VT_NON but doesn't touch v_type.
getcleanvnode() sets v_type to VNON after releasing v_interlock.
So the thread doing quotaon(), quotaoff() or qsync() could vget()
a vnode which is being recycled in getcleanvnode(), after it has
been cleaned and v_interlock released, but before v_type has been
reset, leading to KASSERT(vp->v_usecount == 1) firing in
getnewvnode(), or qsync() dereferencing a NULL pointer as in
PR kern/42205.
Fix by using the same tests as other ffs functions traversing the mount
list: also check for VTOI(vp) == NULL, and VI_XLOCK in addition
to VI_CLEAN.

diffstat:

 sys/ufs/ufs/ufs_quota.c |  18 ++++++++++--------
 1 files changed, 10 insertions(+), 8 deletions(-)

diffs (54 lines):

diff -r 653b7d2ef3fb -r 96941dc67ddf sys/ufs/ufs/ufs_quota.c
--- a/sys/ufs/ufs/ufs_quota.c   Fri Jan 15 19:39:10 2010 +0000
+++ b/sys/ufs/ufs/ufs_quota.c   Fri Jan 15 19:46:35 2010 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ufs_quota.c,v 1.64 2009/08/02 20:50:33 bouyer Exp $    */
+/*     $NetBSD: ufs_quota.c,v 1.65 2010/01/15 19:46:35 bouyer Exp $    */
 
 /*
  * Copyright (c) 1982, 1986, 1990, 1993, 1995
@@ -35,7 +35,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ufs_quota.c,v 1.64 2009/08/02 20:50:33 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ufs_quota.c,v 1.65 2010/01/15 19:46:35 bouyer Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -475,9 +475,9 @@
        for (vp = TAILQ_FIRST(&mp->mnt_vnodelist); vp; vp = vunmark(mvp)) {
                vmark(mvp, vp);
                mutex_enter(&vp->v_interlock);
-               if (vp->v_mount != mp || vismarker(vp) ||
+               if (VTOI(vp) == NULL || vp->v_mount != mp || vismarker(vp) ||
                    vp->v_type == VNON || vp->v_writecount == 0 ||
-                   (vp->v_iflag & VI_CLEAN) != 0) {
+                   (vp->v_iflag & (VI_XLOCK | VI_CLEAN)) != 0) {
                        mutex_exit(&vp->v_interlock);
                        continue;
                }
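Review bot: The recycling predicate added here is now written out verbatim in three mount-list walkers (this hunk and the ones at lines 545 and 730), which is how the VI_XLOCK and VTOI() == NULL terms came to be missing from all three at once; a single static helper evaluated under v_interlock would keep the walkers in sync, with quotaon() adding its own `vp->v_writecount == 0` term on top. The helper is also the natural place to record why each term exists, since the commit message will not be visible to the next reader of the loop. The check is only meaningful while v_interlock is held and handed on to vget(); the loop body that does this, and the enclosing function, start and end outside the hunk.
```c
/*
 * True if vp must be skipped while walking mp's vnode list: it belongs
 * to another mount, is a list marker, or is being reclaimed.  VI_XLOCK
 * is set by vclean() before VI_CLEAN, and v_data is cleared (VTOI(vp)
 * == NULL) before getcleanvnode() resets v_type, so no single test
 * closes the window on its own (PR kern/42205).
 * Caller holds vp->v_interlock and must pass it to vget().
 */
static bool
ufs_quota_vnode_skip(struct vnode *vp, struct mount *mp)
{
	return (VTOI(vp) == NULL || vp->v_mount != mp || vismarker(vp) ||
	    vp->v_type == VNON ||
	    (vp->v_iflag & (VI_XLOCK | VI_CLEAN)) != 0);
}
/* … unchanged: quotaon() loop, now
   if (ufs_quota_vnode_skip(vp, mp) || vp->v_writecount == 0) … */
```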
@@ -545,8 +545,9 @@
        for (vp = TAILQ_FIRST(&mp->mnt_vnodelist); vp; vp = vunmark(mvp)) {
                vmark(mvp, vp);
                mutex_enter(&vp->v_interlock);
-               if (vp->v_mount != mp || vismarker(vp) || vp->v_type == VNON ||
-                   (vp->v_iflag & VI_CLEAN) != 0) {
+               if (VTOI(vp) == NULL || vp->v_mount != mp || vismarker(vp) ||
+                   vp->v_type == VNON ||
+                   (vp->v_iflag & (VI_XLOCK | VI_CLEAN)) != 0) {
                        mutex_exit(&vp->v_interlock);
                        continue;
                }
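Review bot: Nothing in the new condition says why each of the three recycling tests is needed, so the next reader may "simplify" one of them away and reintroduce the race; a short comment above the `if` would prevent that, e.g. `/* Skip vnodes being reclaimed: VI_XLOCK is set by vclean() before VI_CLEAN, and v_data is cleared before getcleanvnode() resets v_type, so no single test closes the window (PR kern/42205). */`. The comment should also state that the tests are only valid while v_interlock is held and that the interlock must be handed to vget() rather than released first. The loop body that performs the vget(), and the enclosing quotaoff() function, lie outside the hunk.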
@@ -730,8 +731,9 @@
        for (vp = TAILQ_FIRST(&mp->mnt_vnodelist); vp; vp = vunmark(mvp)) {
                vmark(mvp, vp);
                mutex_enter(&vp->v_interlock);
-               if (vp->v_mount != mp || vismarker(vp) || vp->v_type == VNON ||
-                   (vp->v_iflag & VI_CLEAN) != 0) {
+               if (VTOI(vp) == NULL || vp->v_mount != mp || vismarker(vp) ||
+                   vp->v_type == VNON ||
+                   (vp->v_iflag & (VI_XLOCK | VI_CLEAN)) != 0) {
                        mutex_exit(&vp->v_interlock);
                        continue;
                }
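Review bot: The new test is only sound if the loop body keeps v_interlock held from this check into vget() (LK_INTERLOCK or equivalent); that body is outside the hunk, so please confirm it does not `mutex_exit(&vp->v_interlock)` and call vget() separately, which would reopen the window this commit closes. It is also worth recording that on a kernel built without DIAGNOSTIC the old race does not stop at the KASSERT in getnewvnode() but proceeds to the NULL dereference in qsync(). If qsync() is reachable from an unprivileged sync(2) via ffs_sync(), as the call path suggests, an unprivileged local user who can churn vnodes on a quota-enabled filesystem gets a kernel panic rather than a debug-only assertion, which is relevant when deciding whether to pull this fix up to release branches.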


