nullfs: Fix handling of doomed vnodes in nullfs_unlink_lowervp()
nullfs_unlink_lowervp() is called with the lower vnode locked, so the
nullfs vnode is locked too. The following can occur:
- the vunref() call decrements the usecount 2->1,
- a different thread calls vrele() on the vnode, decrements the usecount 0->1, then blocks on the vnode lock,
- the first thread tests vp->v_usecount == 0 and observes that it is true,
- the first thread incorrectly unlocks the lower vnode.
Fix this by testing VN_IS_DOOMED directly. Since
nullfs_unlink_lowervp() holds the vnode lock, the value of the
VIRF_DOOMED flag is stable.
Thanks to leres@ for patiently helping to track this down.
PR: 288345
MFC after: 1 week
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D55446