git: kernel - Fix race in brelvp() and reassignbuf()
Matthew Dillon
dillon at crater.dragonflybsd.org
Sun Dec 7 12:56:40 PST 2025
commit 47484253dd3c134d6437dff7672360f955050bea
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date: Sun Dec 7 12:19:34 2025 -0800
kernel - Fix race in brelvp() and reassignbuf()

* brelvp() can be called with just the buffer (bp) locked. The
  vnode might not be locked or referenced at the time brelvp()
  is called, or might be locked by some other entity at the time.

* brelvp() obtains the vnode token but this is not sufficient.
  There is a race where, once the bp is removed from the vnode lists,
  the related vnode might be retired out from under brelvp() if the
  vp token is temporarily lost.

  The token can, in fact, be temporarily lost during the syncer list
  manipulation at the end of the routine. Fix with a vhold()/vdrop()
  around the related code.

* In addition, set bp->b_vp to NULL before the syncer_list manipulation
  instead of after, ensuring that it is NULL'd out while the vnode token
  is still atomically held. It was theoretically ok before since the
  bp should be locked, but the lost vnode token atomicity was concerning
  so fix this too.

* reassignbuf() might have a similar syncer list race.

Summary of changes:
sys/kern/vfs_subr.c | 33 +++++++++++++++++++++++----------
1 file changed, 23 insertions(+), 10 deletions(-)
http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/47484253dd3c134d6437dff7672360f955050bea
--
DragonFly BSD source repository