When pulling an msdos formated umass stick during mount while the

usb stack was busy, the kernel could trigger an uvm fault.  There
is a race between vop_generic_revoke() and sys_mount() where vgonel()
could reset v_specinfo.  Then v_specmountpoint is no longer valid.
So after sleeping, msdosfs_mountfs() could crash in the error path.
The code in the different *_mountfs() functions was inconsistent,
implement the same check everywhere.
OK krw@ natano@

1 files changed, 3 insertions, 1 deletions

diff --git a/sys/ufs/ext2fs/ext2fs_vfsops.c b/sys/ufs/ext2fs/ext2fs_vfsops.c
index aa2ef069ac2..c518338b546 100644
--- a/sys/ufs/ext2fs/ext2fs_vfsops.c
+++ b/sys/ufs/ext2fs/ext2fs_vfsops.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ext2fs_vfsops.c,v 1.90 2016/04/26 18:37:03 natano Exp $	*/
+/*	$OpenBSD: ext2fs_vfsops.c,v 1.91 2016/05/22 20:27:04 bluhm Exp $	*/
 /*	$NetBSD: ext2fs_vfsops.c,v 1.1 1997/06/11 09:34:07 bouyer Exp $	*/
 
 /*
@@ -596,6 +596,8 @@ ext2fs_mountfs(struct vnode *devvp, struct mount *mp, struct proc *p)
 	devvp->v_specmountpoint = mp;
 	return (0);
 out:
+	if (devvp->v_specinfo)
+		devvp->v_specmountpoint = NULL;
 	if (bp)
 		brelse(bp);
 	vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, p);