From 27dd8057d33d24fcfa8b3fc1a49f3ef77fe3803e Mon Sep 17 00:00:00 2001
From: Edward Tomasz Napierala
Date: Thu, 5 Feb 2009 08:46:18 +0000
Subject: [PATCH] In some situations, mnt_lockref could go negative due to vfs_unbusy() being called without calling vfs_busy() first. This made umount(8) hang waiting for mnt_lockref to become zero, which would never happen.
Reviewed by: kib
Approved by: rwatson (mentor)
Reported by: pho
Found with: stress2
Sponsored by: FreeBSD Foundation
---
 sys/kern/vfs_syscalls.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index a910bf3eaad..be3dc76ab86 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -395,14 +395,16 @@ kern_fstatfs(struct thread *td, int fd, struct statfs *buf)
 vfs_ref(mp);
 VOP_UNLOCK(vp, 0);
 fdrop(fp, td);
- if (vp->v_iflag & VI_DOOMED) {
+ if (mp == NULL) {
 error = EBADF;
 goto out;
 }
 error = vfs_busy(mp, 0);
 vfs_rel(mp);
- if (error)
- goto out;
+ if (error) {
+ VFS_UNLOCK_GIANT(vfslocked);
+ return (error);
+ }
 #ifdef MAC
 error = mac_mount_check_stat(td->td_ucred, mp);
 if (error)
-- 
2.45.2
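Review bot: The early `return (error);` after a failed vfs_busy() carries no comment saying why it must not use `goto out`, and the `mp == NULL` branch a few lines above still does use it, so the two error exits now depend on cleanup code at the `out:` label that lies outside this hunk. Presumably `out:` calls vfs_unbusy() only when mp is non-NULL, which is what makes the NULL branch safe; that should be confirmed against the full function. I would add `/* vfs_busy() failed, mp is not busied: do not reach vfs_unbusy() at out. */` above the return, so a later cleanup does not fold it back into `goto out` and bring back the negative mnt_lockref that hangs umount(8). An assertion in vfs_unbusy() that mnt_lockref is positive would also catch any remaining unbalanced caller under stress testing.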