Relax the lockcount assertion in vputonfreelist(). Back when I fixed

several problems with the vnode exclusive lock implementation, I
overlooked the fact that a vnode can be in a state where the usecount is
zero while the holdcount still being positive. There could still be
threads waiting on the vnode lock in uvn_io() as long as the holdcount
is positive.

"go ahead" mpi@

Reported-by: syzbot+767d6deb1a647850a0ca@syzkaller.appspotmail.com

1 files changed, 6 insertions, 2 deletions

diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c
index e6cb86795a1..8c015e44e40 100644
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: vfs_subr.c,v 1.300 2020/02/13 08:47:10 claudio Exp $	*/
+/*	$OpenBSD: vfs_subr.c,v 1.301 2020/03/27 07:58:17 anton Exp $	*/
 /*	$NetBSD: vfs_subr.c,v 1.53 1996/04/22 01:39:13 christos Exp $	*/
 
 /*
@@ -704,7 +704,11 @@ vputonfreelist(struct vnode *vp)
 	if (vp->v_usecount != 0)
 		panic("Use count is not zero!");
 
-	if (vp->v_lockcount != 0)
+	/*
+	 * If the hold count is still positive, one or many threads could still
+	 * be waiting on the vnode lock inside uvn_io().
+	 */
+	if (vp->v_holdcnt == 0 && vp->v_lockcount != 0)
 		panic("%s: lock count is not zero", __func__);
 
 	if (vp->v_bioflag & VBIOONFREELIST) {