From: Kirill A. Korinsky
Subject: Re: sys/ffs: reclaim vnode before dropping last ref
To: tech@openbsd.org
Date: Wed, 24 Jun 2026 10:48:52 +0200

On Wed, 24 Jun 2026 10:34:19 +0200, Jeremie Courreges-Anglas wrote:
>
> On Wed, Jun 24, 2026 at 10:05:45AM +0200, Kirill A. Korinsky wrote:
> > tech@,
> >
> > In ffs_vinit(), the alias path called vrele() before vgone() on the same
> > vnode.
> >
> > Once vrele() drops the last reference, the caller no longer owns the vnode;
> > VFS may reclaim or reuse it.
>
> Is this code supposed to be runnable w/o kernel lock?
>
> > Ok?
>
> There's a lot more of call sites with the same vrele->vgone sequence.
>

Not that many of them actually. Majority respects the contract.

And yes, if we would like to unlock vfs we must respect that contract.

Right now it works also because vnode is cached inside free list and until
someone reused it, it is fine. If we unlock *fs layers... well.. this will
explode.

> > diff --git sys/ufs/ffs/ffs_subr.c sys/ufs/ffs/ffs_subr.c
> > index de81df8b619..3b38f1ec36b 100644
> > --- sys/ufs/ffs/ffs_subr.c
> > +++ sys/ufs/ffs/ffs_subr.c
> > @@ -243,8 +243,8 @@ ffs_vinit(struct mount *mntp, struct vnode **vpp)
> > #ifdef VFSLCKDEBUG
> > vp->v_flag &= ~VLOCKSWORK;
> > #endif
> > - vrele(vp);
> > vgone(vp);
> > + vrele(vp);
> > /*
> > * Reinitialize aliased inode.
> > */
> >
> >
> > --
> > wbr, Kirill
> >
>
> --
> jca
>

--
wbr, Kirill
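
Review bot: the reordered pair `vgone(vp); vrele(vp);` in the ffs_vinit() alias path has no comment saying why the order matters, so a later cleanup could swap it back to the old sequence without noticing. Suggest a one-line comment above vgone(vp) stating that the vnode has to be reclaimed while the caller's reference is still held, since vrele() may drop the last one. The hunk touches only sys/ufs/ffs/ffs_subr.c, while the thread mentions other call sites with the same vrele->vgone sequence; the commit message should say whether those are handled in follow-up changes.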