Why only under INVARIANTS ?

We do not allocate so large buffers on stack.

I think this is off-by-one since you zero byte at req->newlen.

You must check some privilege to do the operation.

Indent should be +4 spaces. Previous line is under-filled.

Why disallowing v_usecount > 1 ? I think for this tool to be useful, it needs to allow reclaiming open vnodes.

Result of '&' is not boolean, you should use != 0.

What is the reason to vhold() the vnode for which you already bumped usecount ?

Because it's strictly a facility for testing. It probably isn't even useful for debugging.

I left out a privilege check because only root has the ability to write to sysctls. Or is there some case where non-root users can do it too?

My intent was to simulate what the vnlru thread might do anyway. But I can remove that restriction if you think it would be useful.

Because that's what devfs_revoke and vlrureclaim do. Are they wrong? Or am I missing something?

It might be useful for debugging, I did not tried it to state this definitely. Currently we achieve the same effect with umount -f.

Yes, it would be more useful if there is no such restriction, see above about forced umount.

You already took the use count on the vnode, which implies hold count.

For vlrureclaim, the function tries hard not to bump usecount to not unfree the vnode. So it needs a hold reference at least.

For devfs, devfs_close() unlocks the vnode, again without extra ref, so the vhold() prevent race with a parallel reclaim.

Nothing of that is relevant after vget() inside namei(). You own both refs.

Do you mean devfs_revoke? It doesn't unlock the vnode until after the vhold/vdrop, so how is that relevant?

No, I mean devfs_close(). vgone() calls VOP_CLOSE() when needed. vgone() might also unlock the vnode if there are layered mounts over the vnode' mp like nullfs, but it is not typical for devfs.

Maybe priv check for root here?

This overflows the buffer when req->newlen == sizeof(buf).

You can probably use LOCKSHARED for the lookup to avoid invalidating / blocking on any existing shared holders in the case that the vnode is active.

The latter two can be shortened to NDF_NO_VP_PUT.

Might be more clear to use atomic_load(vp->v_usecount), but no difference on any freebsd arch.

I'd pick different errors for v_usecount>1 <=> doomed cases.

Ok, I'll enable it unconditionally.

Since this is a sysctl handler, the thread must be privileged.

But the vnode needs to be locked exclusively for VOP_RECLAIM.

Like what, EAGAIN? I don't want to return 0, because a test program may want to know whether the sysctl had any effect.

You can upgrade the lock after performing usecount check. This avoids unnecessarily xlocking vnodes the routine isn’t going to act on anyway.

Like Ebusy for usecount and ebadf for doomed.

I'm removing the usecount check at kib's suggestion. And the doomed check should very rarely fail. So there will no longer be any reason to do the lookup with a shared lock and then upgrade.

I think that EBADF is not a good choice in this case, since a doomed vnode is one that is already being recycled. That's an argument for returning 0. However, I do think that a test case might want to know whether the sysctl had any effect at all, so I don't want to return 0 in that case. I think EAGAIN is appropriate, because once the doomed vnode is fully reclaimed a subsequent call will succeed (because namei will create a new vnode if necessary).

Yes, the optimization was only valid if we were checking usecount.

EBADF is consistent with the spirit / status of existing doomed vnodes, i.e., dead_vnodeops mostly return EBADF.

Arguably, there should be a distinct error code between "that fd isn't valid in the fd table" and "the referenced vnode has actually been torn down/revoked under you", but that's outside the scope of this revision.

I don't believe EAGAIN makes sense in this context.

It's probably impossible to get into that situation, anyway. Even if the vnode were doomed when the sysctl started, namei would allocate a new one. And it can't become doomed after namei returns since it's locked and referenced.

Sure; hypothetically you could have two APIs here. One that takes a path and does namei, and another that takes an fd. Both are interesting cases. The fd case could be DOOMED, although you're correct that the current lookup LOCKLEAF cannot succeed and return a doomed vnode (AFAIK).

I do not see how error can be non-zero here.

Oops. That's leftover from the LK_UPGRADE that I briefly added, but then removed.

For me, ioctl_rights check does not sound right. There is no specific rights which would match this operation, of course, but IMO fcntl or unlink are somewhat closer in spirit to what is done.

The flag must be checked under the vnode lock.

If you not pass LK_RETRY, then vn_lock() returns error for doomed vnode, which removes the need to manually check for VI_DOOMED.

I don't think that unlink rights are correct, because unlink affects the data on disk. I'll use fcntl.

why the +1 here?

So the argument can be as long as PATH_MAX, without nul-termination. nul-termination is ensured 5 lines lower.

But PATH_MAX / MAXPATHLEN includes space for the NUL.

(I added the original comment above while trying to understand the situation here, and have now submitted D21876 which I think makes this more clear.)