If a race is detected, pfs_vncache_alloc() may reclaim a vnode that had

never been inserted into the pfs_vncache list. Since pfs_vncache_free() does not anticipate this case, it decrements pfs_vncache_entries unconditionally; if the vnode was not in the list, pfs_vncache_entries will no longer reflect the actual number of list entries. This may cause size of the cache to exceed the configured maximum. It may also trigger a panic during module unload or system shutdown. Do not decrement pfs_vncache_entries for the vnode that was not in the list. Submitted by: tegge Reviewed by: des MFC after: 1 week
2026-06-10 17:22:46 -04:00 · 2009-09-07 12:10:41 +00:00 · 2009-09-07 12:10:41 +00:00 · 481208a815
commit 481208a815
parent 6cc745d2d7
1 changed files with 5 additions and 3 deletions
--- a/sys/fs/pseudofs/pseudofs_vncache.c
+++ b/sys/fs/pseudofs/pseudofs_vncache.c
@ -246,11 +246,13 @@ pfs_vncache_free(struct vnode *vp)
 	KASSERT(pvd != NULL, ("pfs_vncache_free(): no vnode data\n"));
 	if (pvd->pvd_next)
 		pvd->pvd_next->pvd_prev = pvd->pvd_prev;
-	if (pvd->pvd_prev)
+	if (pvd->pvd_prev) {
 		pvd->pvd_prev->pvd_next = pvd->pvd_next;
-	else if (pfs_vncache == pvd)
+		--pfs_vncache_entries;
+	} else if (pfs_vncache == pvd) {
 		pfs_vncache = pvd->pvd_next;
-	--pfs_vncache_entries;
+		--pfs_vncache_entries;
+	}
 	mtx_unlock(&pfs_vncache_mutex);

 	free(pvd, M_PFSVNCACHE);