From 2b19466836ce4cfd6afda04e09c635cccdc754f2 Mon Sep 17 00:00:00 2001
From: Konstantin Belousov <kib@FreeBSD.org>
Date: Wed, 22 Feb 2012 20:03:51 +0000
Subject: [PATCH] Properly lock DQREF() with dqhlock. Missed locking caused
 counter corruption.

Assert that the dq reference value is sane before decrementing it.

Reported and tested by:	pho
MFC after:	1 week
---
 sys/ufs/ufs/ufs_quota.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/ufs/ufs/ufs_quota.c b/sys/ufs/ufs/ufs_quota.c
index ce89efaccb6..b652bec0c77 100644
--- a/sys/ufs/ufs/ufs_quota.c
+++ b/sys/ufs/ufs/ufs_quota.c
@@ -1469,6 +1469,7 @@ dqrele(struct vnode *vp, struct dquot *dq)
 	if (dq == NODQUOT)
 		return;
 	DQH_LOCK();
+	KASSERT(dq->dq_cnt > 0, ("Lost dq %p reference 1", dq));
 	if (dq->dq_cnt > 1) {
 		dq->dq_cnt--;
 		DQH_UNLOCK();
@@ -1479,6 +1480,7 @@ sync:
 	(void) dqsync(vp, dq);
 
 	DQH_LOCK();
+	KASSERT(dq->dq_cnt > 0, ("Lost dq %p reference 2", dq));
 	if (--dq->dq_cnt > 0)
 	{
 		DQH_UNLOCK();
@@ -1658,6 +1660,7 @@ quotaref(vp, qrp)
 	 */
 	found = 0;
 	ip = VTOI(vp);
+	mtx_lock(&dqhlock);
 	for (i = 0; i < MAXQUOTAS; i++) {
 		if ((dq = ip->i_dquot[i]) == NODQUOT)
 			continue;
@@ -1665,6 +1668,7 @@ quotaref(vp, qrp)
 		qrp[i] = dq;
 		found++;
 	}
+	mtx_unlock(&dqhlock);
 	return (found);
 }