From 5f5bf9dadc00a7cc8dc6b37e8abf10a23ced17f4 Mon Sep 17 00:00:00 2001
From: kib
Date: Fri, 20 Oct 2006 07:59:50 +0000
Subject: Fix the race between devfs_fp_check and devfs_reclaim. Derefence the vnode' v_rdev and increment the dev threadcount , as well as clear it (in devfs_reclaim) under the dev_lock().
Reviewed by: tegge
Approved by: pjd (mentor)
---
 sys/fs/devfs/devfs_vnops.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
(limited to 'sys/fs/devfs')
diff --git a/sys/fs/devfs/devfs_vnops.c b/sys/fs/devfs/devfs_vnops.c
index 4b348ec..55eaeb6 100644
--- a/sys/fs/devfs/devfs_vnops.c
+++ b/sys/fs/devfs/devfs_vnops.c
@@ -78,12 +78,14 @@ static int
 devfs_fp_check(struct file *fp, struct cdev **devp, struct cdevsw **dswp)
 {
- *devp = fp->f_vnode->v_rdev;
- if (*devp != fp->f_data)
+ *dswp = devvn_refthread(fp->f_vnode, devp);
+ if (*devp != fp->f_data) {
+ if (*dswp != NULL)
+ dev_relthread(*devp);
 return (ENXIO);
+ }
 KASSERT((*devp)->si_refcount > 0, ("devfs: un-referenced struct cdev *(%s)", devtoname(*devp)));
- *dswp = dev_refthread(*devp);
 if (*dswp == NULL)
 return (ENXIO);
 return (0);
@@ -965,13 +967,15 @@ devfs_reclaim(struct vop_reclaim_args *ap)
 vnode_destroy_vobject(vp);
+ dev_lock();
 dev = vp->v_rdev;
 vp->v_rdev = NULL;
- if (dev == NULL)
+ if (dev == NULL) {
+ dev_unlock();
 return (0);
+ }
- dev_lock();
 dev->si_usecount -= vp->v_usecount;
 dev_unlock();
 dev_rel(dev);
-- 
cgit v1.1
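Review bot: In devfs_fp_check the `KASSERT` still dereferences `*devp` before the `*dswp == NULL` test, so when devvn_refthread() took no thread reference the cdev is read without the reference this commit introduces. Moving `if (*dswp == NULL) return (ENXIO);` above the `KASSERT` would keep every dereference on the referenced path. The `*devp != fp->f_data` comparison also depends on devvn_refthread() storing to `*devp` even when it returns NULL. That helper is not in this hunk, so a comment such as `/* relies on devvn_refthread() setting *devp on failure too */` would record the assumption once it is confirmed. The function's closing brace is outside the hunk.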
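Review bot: In devfs_reclaim the reason `vp->v_rdev` is now read and cleared inside `dev_lock()` is stated only in the commit message. A comment above the added `dev_lock();` would keep a later edit from moving the clear back outside the lock, for example `/* v_rdev is cleared under dev_lock to serialize with devvn_refthread(). */`. Any other code that reads `v_rdev` without the lock would still race with this clear. None is visible in this hunk, so the rest of the file is worth checking. The function begins and ends outside the hunk.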