afs: Do not QueueVCB before osi_dnlc_purge*

In afs_FlushVCache, when we QueueVCB, we might drop the afs_xvcache
lock (as of 76158df491f47de56d1febe1d1d2d17d316c9a74). The vcache may
still be on the DNLC, so a lookup while xvcache is dropped can cause
someone else to grab a reference to the vcache while it is being
flushed. This can cause panics and failed assertions, since someone
will have a reference to the flushed vcache, which is effectively
freed and many of the structure fields are no longer valid.

So instead, do not call QueueVCB until we have purged the vcache from
the DNLC.

Reviewed-on: http://gerrit.openafs.org/7430
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementix.org>
(cherry picked from commit 0e81db38b549d79a3af5fce0f9f8fa48d9e6efeb)

Change-Id: Idabad9076c6c36bede3faf459abb940aae5a975c
Reviewed-on: http://gerrit.openafs.org/7502
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementix.org>

diff --git a/src/afs/afs_vcache.c b/src/afs/afs_vcache.c
index be668aa0602555756aa45b513364cce6f4c81a7a..d8e4cdebbb94c450959c5b1bd816efc0fdb5fdaf 100644 (file)
--- a/src/afs/afs_vcache.c
+++ b/src/afs/afs_vcache.c
@@ -205,8 +205,6 @@ afs_FlushVCache(struct vcache *avc, int *slept)
     vn_reinit(AFSTOV(avc));
 #endif
     afs_FreeAllAxs(&(avc->Access));
-    if (!afs_shuttingdown)
-       afs_QueueVCB(avc, slept);
     ObtainWriteLock(&afs_xcbhash, 460);
     afs_DequeueCallback(avc);  /* remove it from queued callbacks list */
     avc->f.states &= ~(CStatd | CUnique);
@@ -216,6 +214,9 @@ afs_FlushVCache(struct vcache *avc, int *slept)
     else
        osi_dnlc_purgevp(avc);
 
+    if (!afs_shuttingdown)
+       afs_QueueVCB(avc, slept);
+
     /*
      * Next, keep track of which vnodes we've deleted for create's
      * optimistic synchronization algorithm