From e4111a6b71f8dc06602bb1d894ddb649e49d1d7d Mon Sep 17 00:00:00 2001
From: kib
Date: Wed, 12 Mar 2014 15:13:57 +0000
Subject: Do not vdrop() the tmpfs vnode until it is unlocked.

The hold reference might be the last, and then vdrop() would free the vnode.

Reported and tested by: bdrewery
MFC after: 1 week
---
 sys/vm/vm_object.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/vm/vm_object.c b/sys/vm/vm_object.c
index 1c463ea..1066a9d 100644
--- a/sys/vm/vm_object.c
+++ b/sys/vm/vm_object.c
@@ -536,17 +536,18 @@ vm_object_deallocate(vm_object_t object)
 vhold(vp);
 VM_OBJECT_WUNLOCK(object);
 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
-vdrop(vp);
 VM_OBJECT_WLOCK(object);
 if (object->type == OBJT_DEAD || object->ref_count != 1) {
 VM_OBJECT_WUNLOCK(object);
 VOP_UNLOCK(vp, 0);
+vdrop(vp);
 return;
 }
 if ((object->flags & OBJ_TMPFS) != 0)
 VOP_UNSET_TEXT(vp);
 VOP_UNLOCK(vp, 0);
+vdrop(vp);
 }
 if (object->shadow_count == 0 && object->handle == NULL &&
-- 
cgit v1.1
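Review bot: The ordering constraint this commit fixes is not recorded in the code, so nothing stops a later edit from moving the `vdrop(vp)` back above `VOP_UNLOCK(vp, 0)` — the only explanation lives in the commit message. The hold taken by `vhold(vp)` before the object lock is released is, per the commit description, possibly the last reference, so dropping it while the vnode is still locked would free a locked vnode. I would put a short comment ahead of the `vhold(vp)` line, something like `/* Hold vp across the lock dance; the hold may be the last reference, so it must not be dropped until after VOP_UNLOCK(). */`, so both `vdrop(vp)` placements are self-explanatory. The two new `vdrop(vp)` calls are correctly placed after the corresponding `VOP_UNLOCK(vp, 0)` and `vp` is not used afterwards in either path, which is what the fix requires. The enclosing vm_object_deallocate() starts and ends outside this hunk, and the hunk's trailing context appears cut after the `&&` continuation line, so any other vp use beyond the visible lines cannot be checked here.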