From 2a9890d8c8d9454dc9a5d48b7ce4b6f195c98c24 Mon Sep 17 00:00:00 2001 From: anton Date: Fri, 27 Mar 2020 07:58:17 +0000 Subject: [PATCH] Relax the lockcount assertion in vputonfreelist(). Back when I fixed several problems with the vnode exclusive lock implementation, I overlooked the fact that a vnode can be in a state where the usecount is zero while the holdcount still being positive. There could still be threads waiting on the vnode lock in uvn_io() as long as the holdcount is positive. "go ahead" mpi@ Reported-by: syzbot+767d6deb1a647850a0ca@syzkaller.appspotmail.com --- sys/kern/vfs_subr.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c index e6cb86795a10..8c015e44e40d 100644 --- a/sys/kern/vfs_subr.c +++ b/sys/kern/vfs_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vfs_subr.c,v 1.300 2020/02/13 08:47:10 claudio Exp $ */ +/* $OpenBSD: vfs_subr.c,v 1.301 2020/03/27 07:58:17 anton Exp $ */ /* $NetBSD: vfs_subr.c,v 1.53 1996/04/22 01:39:13 christos Exp $ */ /* @@ -704,7 +704,11 @@ vputonfreelist(struct vnode *vp) if (vp->v_usecount != 0) panic("Use count is not zero!"); - if (vp->v_lockcount != 0) + /* + * If the hold count is still positive, one or many threads could still + * be waiting on the vnode lock inside uvn_io(). + */ + if (vp->v_holdcnt == 0 && vp->v_lockcount != 0) panic("%s: lock count is not zero", __func__); if (vp->v_bioflag & VBIOONFREELIST) {
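Review bot: In the vputonfreelist() hunk, the new condition `vp->v_holdcnt == 0 && vp->v_lockcount != 0` skips the lock count check entirely whenever the hold count is positive, yet the added comment does not say whether the invariant is checked again once v_holdcnt drops to zero. If a later call is expected to catch a leftover lock count, say so in the comment; if nothing does, a stale v_lockcount on a held vnode now passes silently. The panic string still reads "lock count is not zero", so consider printing v_holdcnt and v_lockcount in it so that a report shows which state tripped the assertion. Minor wording: "one or many threads" in the comment reads better as "one or more threads".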