From e0abeab2bf1cbe0feb1a9cdd8a2bfbfd70286480 Mon Sep 17 00:00:00 2001
From: kib <kib@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Mon, 28 Jul 2014 00:57:28 +0000
Subject: [PATCH] MFC r268607: In kern_linkat(), avoid passing doomed vnode to
 the VOP.

git-svn-id: svn://svn.freebsd.org/base/stable/10@269166 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 sys/kern/vfs_syscalls.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index a5ef59d02..80a41d243 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -1555,6 +1555,7 @@ kern_linkat(struct thread *td, int fd1, int fd2, char *path1, char *path2,
 	bwillwrite();
 	NDINIT_AT(&nd, LOOKUP, follow | AUDITVNODE1, segflg, path1, fd1, td);
 
+again:
 	if ((error = namei(&nd)) != 0)
 		return (error);
 	NDFREE(&nd, NDF_ONLY_PNBUF);
@@ -1577,8 +1578,7 @@ kern_linkat(struct thread *td, int fd1, int fd2, char *path1, char *path2,
 				vput(nd.ni_dvp);
 			vrele(nd.ni_vp);
 			error = EEXIST;
-		} else if ((error = vn_lock(vp, LK_EXCLUSIVE | LK_RETRY))
-		    == 0) {
+		} else if ((error = vn_lock(vp, LK_EXCLUSIVE)) == 0) {
 			error = can_hardlink(vp, td->td_ucred);
 			if (error == 0)
 #ifdef MAC
@@ -1589,6 +1589,12 @@ kern_linkat(struct thread *td, int fd1, int fd2, char *path1, char *path2,
 				error = VOP_LINK(nd.ni_dvp, vp, &nd.ni_cnd);
 			VOP_UNLOCK(vp, 0);
 			vput(nd.ni_dvp);
+		} else {
+			vput(nd.ni_dvp);
+			NDFREE(&nd, NDF_ONLY_PNBUF);
+			vrele(vp);
+			vn_finished_write(mp);
+			goto again;
 		}
 		NDFREE(&nd, NDF_ONLY_PNBUF);
 	}
-- 
2.45.0