From 8cbbb0fa9a0af4043533e8e3ea55b8ed9ff75946 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell <riastradh@NetBSD.org>
Date: Thu, 10 Apr 2014 14:50:56 +0000
Subject: [PATCH 05/14] Fix locking around rename ancestry traversal in ext2fs
 and ufs.

---
 sys/ufs/ext2fs/ext2fs_rename.c | 11 +----------
 sys/ufs/ufs/ufs_lookup.c       |  4 ++--
 sys/ufs/ufs/ufs_rename.c       | 11 +----------
 3 files changed, 4 insertions(+), 22 deletions(-)

diff --git a/sys/ufs/ext2fs/ext2fs_rename.c b/sys/ufs/ext2fs/ext2fs_rename.c
index c2bc54b..9e78601 100644
--- a/sys/ufs/ext2fs/ext2fs_rename.c
+++ b/sys/ufs/ext2fs/ext2fs_rename.c
@@ -846,17 +846,8 @@ ext2fs_gro_genealogy(struct mount *mp, kauth_cred_t cred,
 		}
 
 		/* Neither -- keep ascending the family tree.  */
-
-		/*
-		 * Unlock vp so that we can lock the parent, but keep
-		 * vp referenced until after we have found the parent,
-		 * so that dotdot_ino will not be recycled.
-		 *
-		 * XXX This guarantees that vp's inode number will not
-		 * be recycled, but why can't dotdot_ino be recycled?
-		 */
-		VOP_UNLOCK(vp);
 		error = VFS_VGET(mp, dotdot_ino, 0, &dvp);
+		VOP_UNLOCK(vp);
 		if (error) {
 			vrele(vp);
 			return error;
diff --git a/sys/ufs/ufs/ufs_lookup.c b/sys/ufs/ufs/ufs_lookup.c
index 8c6d627..5485327 100644
--- a/sys/ufs/ufs/ufs_lookup.c
+++ b/sys/ufs/ufs/ufs_lookup.c
@@ -1284,9 +1284,9 @@ ufs_checkpath(struct inode *source, struct inode *target, kauth_cred_t cred)
 		}
 		if (ufs_rw32(dirbuf.dotdot_ino, needswap) == rootino)
 			break;
-		VOP_UNLOCK(vp);
 		error = VFS_VGET(vp->v_mount,
 		    ufs_rw32(dirbuf.dotdot_ino, needswap), 0, &nextvp);
+		VOP_UNLOCK(vp);
 		if (error) {
 			vrele(vp);
 			vp = NULL;
@@ -1415,8 +1415,8 @@ ufs_parentcheck(struct vnode *upper, struct vnode *lower, kauth_cred_t cred,
 			*upperchild_ret = NULL;
 			return 0;
 		}
-		VOP_UNLOCK(current);
 		error = VFS_VGET(current->v_mount, found_ino, 0, &next);
+		VOP_UNLOCK(current);
 		if (error) {
 			vrele(current);
 			return error;
diff --git a/sys/ufs/ufs/ufs_rename.c b/sys/ufs/ufs/ufs_rename.c
index 178ac7f..69eccc5 100644
--- a/sys/ufs/ufs/ufs_rename.c
+++ b/sys/ufs/ufs/ufs_rename.c
@@ -979,17 +979,8 @@ ufs_gro_genealogy(struct mount *mp, kauth_cred_t cred,
 		}
 
 		/* Neither -- keep ascending the family tree.  */
-
-		/*
-		 * Unlock vp so that we can lock the parent, but keep
-		 * vp referenced until after we have found the parent,
-		 * so that dotdot_ino will not be recycled.
-		 *
-		 * XXX This guarantees that vp's inode number will not
-		 * be recycled, but why can't dotdot_ino be recycled?
-		 */
-		VOP_UNLOCK(vp);
 		error = VFS_VGET(mp, dotdot_ino, 0, &dvp);
+		VOP_UNLOCK(vp);
 		if (error) {
 			vrele(vp);
 			return error;
-- 
1.8.3.1