From 57ef02ff0f3beeee95ac757a1e8eaa1ab10036de Mon Sep 17 00:00:00 2001
From: Konstantin Belousov
Date: Mon, 14 Jul 2014 08:41:13 +0000
Subject: [PATCH] In kern_linkat(), avoid passing doomed vnode to the VOP.

Tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
---
 sys/kern/vfs_syscalls.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 7aa457e6071..9d5380ae601 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -1554,6 +1554,7 @@ kern_linkat(struct thread *td, int fd1, int fd2, char *path1, char *path2,
 bwillwrite();
 NDINIT_AT(&nd, LOOKUP, follow | AUDITVNODE1, segflg, path1, fd1, td);
+again:
 if ((error = namei(&nd)) != 0)
 return (error);
 NDFREE(&nd, NDF_ONLY_PNBUF);
@@ -1576,8 +1577,7 @@ kern_linkat(struct thread *td, int fd1, int fd2, char *path1, char *path2,
 vput(nd.ni_dvp);
 vrele(nd.ni_vp);
 error = EEXIST;
- } else if ((error = vn_lock(vp, LK_EXCLUSIVE | LK_RETRY))
- == 0) {
+ } else if ((error = vn_lock(vp, LK_EXCLUSIVE)) == 0) {
 error = can_hardlink(vp, td->td_ucred);
 if (error == 0)
 #ifdef MAC
@@ -1588,6 +1588,12 @@ kern_linkat(struct thread *td, int fd1, int fd2, char *path1, char *path2,
 error = VOP_LINK(nd.ni_dvp, vp, &nd.ni_cnd);
 VOP_UNLOCK(vp, 0);
 vput(nd.ni_dvp);
+ } else {
+ vput(nd.ni_dvp);
+ NDFREE(&nd, NDF_ONLY_PNBUF);
+ vrele(vp);
+ vn_finished_write(mp);
+ goto again;
 }
 NDFREE(&nd, NDF_ONLY_PNBUF);
 }
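Review bot: The `again:` label in the first hunk sits after `NDINIT_AT(&nd, LOOKUP, ..., path1, fd1, td)`, so the `goto again` added in the third hunk re-enters `namei(&nd)` without re-initialising `nd`. The code between the hunks is not shown, but the later reads of `nd.ni_dvp` and `nd.ni_cnd` suggest that `nd` has by then been set up again for the `path2` lookup; if so, the retry would resolve the wrong path with the wrong lookup operation. Moving the label up so that `again:` stands directly above the `NDINIT_AT(...)` call makes every retry start from a freshly initialised lookup of `path1`. kern_linkat() begins and ends outside these hunks, so this needs confirming against the full function.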
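Review bot: The new `else` branch in the third hunk restarts on every non-zero return from `vn_lock(vp, LK_EXCLUSIVE)` and has no comment saying why. Dropping `LK_RETRY` is what allows the lock to fail on a reclaimed vnode, which is the case the commit message names, so the branch should say so, for example `/* vp was reclaimed while unlocked; release everything and redo the lookup */`. If vn_lock() can fail here for any other reason, restarting only for the doomed-vnode error and returning the rest would keep the loop from spinning on a persistent failure; whether that can happen is not visible in the hunk.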