Moved the fsnode MALLOC to before the call to getnewvnode() so that the

process won't possibly block before filling in the fsnode pointer (v_data)
which might be dereferenced during a sync since the vnode is put on the
mnt_vnodelist by getnewvnode.

Pointed out by Matt Day <mday@artisoft.com>

7 files changed, 80 insertions, 32 deletions

diff --git a/sys/miscfs/fdesc/fdesc_vnops.c b/sys/miscfs/fdesc/fdesc_vnops.c
index bec6bc7..c563298 100644
--- a/sys/miscfs/fdesc/fdesc_vnops.c
+++ b/sys/miscfs/fdesc/fdesc_vnops.c
@@ -35,7 +35,7 @@
  *
  *	@(#)fdesc_vnops.c	8.9 (Berkeley) 1/21/94
  *
- * $Id: fdesc_vnops.c,v 1.14 1995/12/05 19:12:05 bde Exp $
+ * $Id: fdesc_vnops.c,v 1.15 1995/12/08 11:17:40 julian Exp $
  */
 
 /*
@@ -170,10 +170,18 @@ loop:
 	}
 	fdcache_lock |= FDL_LOCKED;
 
+	/*
+	 * Do the MALLOC before the getnewvnode since doing so afterward
+	 * might cause a bogus v_data pointer to get dereferenced
+	 * elsewhere if MALLOC should block.
+	 */
+	MALLOC(fd, struct fdescnode *, sizeof(struct fdescnode), M_TEMP, M_WAITOK);
+
 	error = getnewvnode(VT_FDESC, mp, fdesc_vnodeop_p, vpp);
-	if (error)
+	if (error) {
+		FREE(fd, M_TEMP);
 		goto out;
-	MALLOC(fd, void *, sizeof(struct fdescnode), M_TEMP, M_WAITOK);
+	}
 	(*vpp)->v_data = fd;
 	fd->fd_vnode = *vpp;
 	fd->fd_type = ftype;
diff --git a/sys/miscfs/kernfs/kernfs_vfsops.c b/sys/miscfs/kernfs/kernfs_vfsops.c
index c1ccf07..3a3e33c 100644
--- a/sys/miscfs/kernfs/kernfs_vfsops.c
+++ b/sys/miscfs/kernfs/kernfs_vfsops.c
@@ -34,7 +34,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)kernfs_vfsops.c	8.4 (Berkeley) 1/21/94
- * $Id: kernfs_vfsops.c,v 1.12 1995/12/13 15:13:28 julian Exp $
+ * $Id: kernfs_vfsops.c,v 1.13 1995/12/14 18:26:55 julian Exp $
  */
 
 /*
@@ -165,12 +165,15 @@ kernfs_mount(mp, path, data, ndp, p)
 	if (mp->mnt_flag & MNT_UPDATE)
 		return (EOPNOTSUPP);
 
+	MALLOC(fmp, struct kernfs_mount *, sizeof(struct kernfs_mount),
+				M_UFSMNT, M_WAITOK);	/* XXX */
+
 	error = getnewvnode(VT_KERNFS, mp, kernfs_vnodeop_p, &rvp);	/* XXX */
-	if (error)
+	if (error) {
+		FREE(fmp, M_UFSMNT);
 		return (error);
+	}
 
-	MALLOC(fmp, struct kernfs_mount *, sizeof(struct kernfs_mount),
-				M_UFSMNT, M_WAITOK);	/* XXX */
 	rvp->v_type = VDIR;
 	rvp->v_flag |= VROOT;
 #ifdef KERNFS_DIAGNOSTIC
diff --git a/sys/miscfs/nullfs/null_subr.c b/sys/miscfs/nullfs/null_subr.c
index e5fa590..4123dc2 100644
--- a/sys/miscfs/nullfs/null_subr.c
+++ b/sys/miscfs/nullfs/null_subr.c
@@ -35,7 +35,7 @@
  *
  *	@(#)null_subr.c	8.4 (Berkeley) 1/21/94
  *
- * $Id: null_subr.c,v 1.4 1995/12/03 14:38:49 bde Exp $
+ * $Id: null_subr.c,v 1.5 1995/12/03 14:54:22 bde Exp $
  */
 
 #include <sys/param.h>
@@ -162,12 +162,20 @@ null_node_alloc(mp, lowervp, vpp)
 	struct vnode *othervp, *vp;
 	int error;
 
+	/*
+	 * Do the MALLOC before the getnewvnode since doing so afterward
+	 * might cause a bogus v_data pointer to get dereferenced
+	 * elsewhere if MALLOC should block.
+	 */
+	MALLOC(xp, struct null_node *, sizeof(struct null_node), M_TEMP, M_WAITOK);
+
 	error = getnewvnode(VT_NULL, mp, null_vnodeop_p, vpp);
-	if (error)
+	if (error) {
+		FREE(xp, M_TEMP);
 		return (error);
+	}
 	vp = *vpp;
 
-	MALLOC(xp, struct null_node *, sizeof(struct null_node), M_TEMP, M_WAITOK);
 	vp->v_type = lowervp->v_type;
 	xp->null_vnode = vp;
 	vp->v_data = xp;
diff --git a/sys/miscfs/portal/portal_vfsops.c b/sys/miscfs/portal/portal_vfsops.c
index 6a5b1ba..500b9ef 100644
--- a/sys/miscfs/portal/portal_vfsops.c
+++ b/sys/miscfs/portal/portal_vfsops.c
@@ -35,7 +35,7 @@
  *
  *	@(#)portal_vfsops.c	8.6 (Berkeley) 1/21/94
  *
- * $Id: portal_vfsops.c,v 1.9 1995/11/16 11:24:06 bde Exp $
+ * $Id: portal_vfsops.c,v 1.10 1995/12/11 09:24:43 phk Exp $
  */
 
 /*
@@ -105,6 +105,7 @@ portal_mount(mp, path, data, ndp, p)
 	struct portalmount *fmp;
 	struct socket *so;
 	struct vnode *rvp;
+	struct portalnode *pn;
 	u_int size;
 	int error;
 
@@ -125,14 +126,20 @@ portal_mount(mp, path, data, ndp, p)
 	if (so->so_proto->pr_domain->dom_family != AF_UNIX)
 		return (ESOCKTNOSUPPORT);
 
+	MALLOC(pn, struct portalnode *, sizeof(struct portalnode),
+		M_TEMP, M_WAITOK);
+
+	MALLOC(fmp, struct portalmount *, sizeof(struct portalmount),
+		M_UFSMNT, M_WAITOK);	/* XXX */
+
 	error = getnewvnode(VT_PORTAL, mp, portal_vnodeop_p, &rvp); /* XXX */
-	if (error)
+	if (error) {
+		FREE(fmp, M_UFSMNT);
+		FREE(pn, M_TEMP);
 		return (error);
-	MALLOC(rvp->v_data, void *, sizeof(struct portalnode),
-		M_TEMP, M_WAITOK);
+	}
 
-	fmp = (struct portalmount *) malloc(sizeof(struct portalmount),
-				 M_UFSMNT, M_WAITOK);	/* XXX */
+	rvp->v_data = pn;
 	rvp->v_type = VDIR;
 	rvp->v_flag |= VROOT;
 	VTOPORTAL(rvp)->pt_arg = 0;
diff --git a/sys/miscfs/portal/portal_vnops.c b/sys/miscfs/portal/portal_vnops.c
index 27780bf..fcd5958 100644
--- a/sys/miscfs/portal/portal_vnops.c
+++ b/sys/miscfs/portal/portal_vnops.c
@@ -35,7 +35,7 @@
  *
  *	@(#)portal_vnops.c	8.8 (Berkeley) 1/21/94
  *
- * $Id: portal_vnops.c,v 1.10 1995/12/11 09:24:45 phk Exp $
+ * $Id: portal_vnops.c,v 1.11 1996/02/13 18:16:25 wollman Exp $
  */
 
 /*
@@ -126,15 +126,21 @@ portal_lookup(ap)
 		return (0);
 	}
 
+	/*
+	 * Do the MALLOC before the getnewvnode since doing so afterward
+	 * might cause a bogus v_data pointer to get dereferenced
+	 * elsewhere if MALLOC should block.
+	 */
+	MALLOC(pt, struct portalnode *, sizeof(struct portalnode),
+		M_TEMP, M_WAITOK);
 
 	error = getnewvnode(VT_PORTAL, ap->a_dvp->v_mount, portal_vnodeop_p, &fvp);
-	if (error)
+	if (error) {
+		FREE(pt, M_TEMP);
 		goto bad;
+	}
 	fvp->v_type = VREG;
-	MALLOC(fvp->v_data, void *, sizeof(struct portalnode),
-		M_TEMP, M_WAITOK);
-
-	pt = VTOPORTAL(fvp);
+	fvp->v_data = pt;
 	/*
 	 * Save all of the remaining pathname and
 	 * advance the namei next pointer to the end
diff --git a/sys/miscfs/procfs/procfs_subr.c b/sys/miscfs/procfs/procfs_subr.c
index 6c464c1..7a0eafe 100644
--- a/sys/miscfs/procfs/procfs_subr.c
+++ b/sys/miscfs/procfs/procfs_subr.c
@@ -36,7 +36,7 @@
  *
  *	@(#)procfs_subr.c	8.4 (Berkeley) 1/27/94
  *
- *	$Id: procfs_subr.c,v 1.4 1995/04/15 02:30:12 davidg Exp $
+ *	$Id: procfs_subr.c,v 1.5 1995/05/30 08:07:11 rgrimes Exp $
  */
 
 #include <sys/param.h>
@@ -111,14 +111,20 @@ loop:
 	}
 	pfsvplock |= PROCFS_LOCKED;
 
+	/*
+	 * Do the MALLOC before the getnewvnode since doing so afterward
+	 * might cause a bogus v_data pointer to get dereferenced
+	 * elsewhere if MALLOC should block.
+	 */
+	MALLOC(pfs, struct pfsnode *, sizeof(struct pfsnode), M_TEMP, M_WAITOK);
+
 	error = getnewvnode(VT_PROCFS, mp, procfs_vnodeop_p, vpp);
-	if (error)
+	if (error) {
+		FREE(pfs, M_TEMP);
 		goto out;
+	}
 
-	MALLOC((*vpp)->v_data, void *, sizeof(struct pfsnode),
-		M_TEMP, M_WAITOK);
-
-	pfs = VTOPFS(*vpp);
+	(*vpp)->v_data = pfs;
 	pfs->pfs_next = 0;
 	pfs->pfs_pid = (pid_t) pid;
 	pfs->pfs_type = pfs_type;
diff --git a/sys/miscfs/umapfs/umap_subr.c b/sys/miscfs/umapfs/umap_subr.c
index 0267584..fe1ec56 100644
--- a/sys/miscfs/umapfs/umap_subr.c
+++ b/sys/miscfs/umapfs/umap_subr.c
@@ -35,7 +35,7 @@
  *
  *	@(#)umap_subr.c	8.6 (Berkeley) 1/26/94
  *
- * $Id: umap_subr.c,v 1.5 1995/12/03 14:38:57 bde Exp $
+ * $Id: umap_subr.c,v 1.6 1995/12/03 14:54:39 bde Exp $
  */
 
 #include <sys/param.h>
@@ -222,13 +222,23 @@ umap_node_alloc(mp, lowervp, vpp)
 	struct vnode *othervp, *vp;
 	int error;
 
+	/* XXX This routine probably needs a node_alloc lock */
+
+	/*
+	 * Do the MALLOC before the getnewvnode since doing so afterward
+	 * might cause a bogus v_data pointer to get dereferenced
+	 * elsewhere if MALLOC should block.
+	 */
+	MALLOC(xp, struct umap_node *, sizeof(struct umap_node),
+	    M_TEMP, M_WAITOK);
+
 	error = getnewvnode(VT_UMAP, mp, umap_vnodeop_p, vpp);
-	if (error)
+	if (error) {
+		FREE(xp, M_TEMP);
 		return (error);
+	}
 	vp = *vpp;
 
-	MALLOC(xp, struct umap_node *, sizeof(struct umap_node),
-	    M_TEMP, M_WAITOK);
 	vp->v_type = lowervp->v_type;
 	xp->umap_vnode = vp;
 	vp->v_data = xp;