When pulling an msdos formated umass stick during mount while the

usb stack was busy, the kernel could trigger an uvm fault.  There
is a race between vop_generic_revoke() and sys_mount() where vgonel()
could reset v_specinfo.  Then v_specmountpoint is no longer valid.
So after sleeping, msdosfs_mountfs() could crash in the error path.
The code in the different *_mountfs() functions was inconsistent,
implement the same check everywhere.
OK krw@ natano@

2 files changed, 6 insertions, 2 deletions

diff --git a/sys/isofs/cd9660/cd9660_vfsops.c b/sys/isofs/cd9660/cd9660_vfsops.c
index 95dd7169123..2997ffbf4f9 100644
--- a/sys/isofs/cd9660/cd9660_vfsops.c
+++ b/sys/isofs/cd9660/cd9660_vfsops.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: cd9660_vfsops.c,v 1.78 2016/04/26 18:37:02 natano Exp $	*/
+/*	$OpenBSD: cd9660_vfsops.c,v 1.79 2016/05/22 20:27:04 bluhm Exp $	*/
 /*	$NetBSD: cd9660_vfsops.c,v 1.26 1997/06/13 15:38:58 pk Exp $	*/
 
 /*-
@@ -446,6 +446,8 @@ iso_mountfs(devvp, mp, p, argp)
 
 	return (0);
 out:
+	if (devvp->v_specinfo)
+		devvp->v_specmountpoint = NULL;
 	if (bp)
 		brelse(bp);
 	if (supbp)
diff --git a/sys/isofs/udf/udf_vfsops.c b/sys/isofs/udf/udf_vfsops.c
index b56e53ff41c..c4e2524047b 100644
--- a/sys/isofs/udf/udf_vfsops.c
+++ b/sys/isofs/udf/udf_vfsops.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: udf_vfsops.c,v 1.50 2016/04/26 18:37:02 natano Exp $	*/
+/*	$OpenBSD: udf_vfsops.c,v 1.51 2016/05/22 20:27:04 bluhm Exp $	*/
 
 /*
  * Copyright (c) 2001, 2002 Scott Long <scottl@freebsd.org>
@@ -449,6 +449,8 @@ bail:
 		mp->mnt_data = NULL;
 		mp->mnt_flag &= ~MNT_LOCAL;
 	}
+	if (devvp->v_specinfo)
+		devvp->v_specmountpoint = NULL;
 	if (bp != NULL)
 		brelse(bp);