From: "Theo de Raadt"
Subject: Re: sys/ffs: reclaim vnode before dropping last ref
To: tech@openbsd.org
Date: Wed, 24 Jun 2026 03:35:08 -0600

> Right now it works also because vnode is cached inside free list and until
> someone reused it, it is fine.

I should explain what's going on behind the scenes.

A free vnode remains mapped in memory. It gets added to a freelist, but you cannot bzero it, because it is not entirely dead because the lifecycle of various pointers and chains are handled very strangely. Some of this is designed in (example VALIASED), other things are accidental sloppiness.

Leaving objects with fields partly live but free, and re-allocated some various future allocations with different use patterns is not the normal way to assure high quality code. It is crazy.

There is an experimental diff which actually unmaps the vnodes so we can see how far these contract violations have gone.

We could have various use-after-free bugs today which don't occur in practice, but if we unlock and run things in parallel things will go badly.

This vrele/vgone error is safe if we want to keep everything biglock.....
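
An added illustration, not part of the message above and not OpenBSD code: a toy object pool in C in which a released object stays mapped on a freelist with its fields intact, so a stale pointer keeps reading plausible data until the slot is reused. All names (`struct obj`, `obj_get`, `obj_put`, `ref_valid`) are hypothetical, and the generation counter is one assumed way to detect such a reference, not something the message describes.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy pool; every name here is hypothetical, not an OpenBSD kernel identifier. */
#define NOBJ 2
struct obj {
    struct obj *next_free;  /* freelist link, meaningful only while free */
    unsigned gen;           /* bumped on every release */
    int in_use;
    int data;               /* stands in for the per-use fields */
};
struct ref { struct obj *o; unsigned gen; };  /* pointer plus generation seen at acquire */

static struct obj pool[NOBJ];
static struct obj *freelist;

void pool_init(void) {
    freelist = NULL;
    for (int i = NOBJ - 1; i >= 0; i--) {
        pool[i] = (struct obj){ .next_free = freelist };
        freelist = &pool[i];
    }
}

struct ref obj_get(int data) {
    struct obj *o = freelist;
    if (o == NULL) return (struct ref){ NULL, 0 };
    freelist = o->next_free;
    o->in_use = 1;
    o->data = data;
    return (struct ref){ o, o->gen };
}

/* Release: storage stays mapped and 'data' is not cleared, as on the freelist. */
void obj_put(struct ref r) {
    r.o->in_use = 0;
    r.o->gen++;
    r.o->next_free = freelist;
    freelist = r.o;
}

/* Check a holder can make before trusting a saved pointer. */
int ref_valid(struct ref r) { return r.o && r.o->in_use && r.o->gen == r.gen; }
int stale_read(struct ref r) { return r.o->data; }  /* what a buggy caller does */

int main(void) {
    pool_init();
    struct ref a = obj_get(7);
    obj_put(a);
    printf("after free:  data=%d valid=%d\n", stale_read(a), ref_valid(a));
    struct ref b = obj_get(9);
    printf("after reuse: data=%d valid=%d b=%d\n", stale_read(a), ref_valid(a), ref_valid(b));
    return 0;
}
```

After the release the stale read still returns the old value, which is the "works until someone reuses it" behaviour; once the slot is handed out again the same pointer silently reads the new owner's data, and only the generation check reports it as invalid.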