Subject: Re: kern/35278: veriexec sometimes feeds user va to log(9)
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: netbsd-bugs
Date: 12/23/2006 14:30:02
The following reply was made to PR kern/35278; it has been noted by GNATS.
From: yamt@mwd.biglobe.ne.jp (YAMAMOTO Takashi)
To: elad@NetBSD.org
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/35278: veriexec sometimes feeds user va to log(9)
Date: Sat, 23 Dec 2006 23:27:39 +0900 (JST)
> YAMAMOTO Takashi wrote:
>
> > i think the patch causes double-free of pnbuf because
> > VOP_ABORTOP frees it as well. (see genfs_abortop)
> > except that, seems fine to me.
>
> in kern/vfs_syscalls.c:rename_files():
>
> 3318:	error = vn_start_write(fvp, &mp, V_WAIT | V_PCATCH);
> 3319:	if (error != 0) {
> 3320:		VOP_ABORTOP(fromnd.ni_dvp, &fromnd.ni_cnd);
> 3321:		vrele(fromnd.ni_dvp);
> 3322:		vrele(fvp);
> 3323:		if (fromnd.ni_startdir)
> 3324:			vrele(fromnd.ni_startdir);
> 3325:		PNBUF_PUT(fromnd.ni_cnd.cn_pnbuf);
> 3326:		return (error);
> 3327:	}
>
> (namei() was called with SAVESTART in this snippet.)
>
> is this also wrong?
VOP_ABORTOP doesn't free pnbuf if SAVESTART is set.
> in the diff I posted, you're referring to the
> PNBUF_PUT() after the 'out' label in sys_unlink(), right?
>
> -e.
yes.
YAMAMOTO Takashi
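The ownership rule the thread turns on, as an added illustration that is not part of the PR or of NetBSD's code: a small C model of the two error paths. The struct names and the helpers `model_abortop` and `model_pnbuf_put` are invented for the model and only borrow the NetBSD spelling (SAVESTART, VOP_ABORTOP, PNBUF_PUT) for readability; `model_abortop` behaves the way yamt describes genfs_abortop, releasing pnbuf unless SAVESTART was set. A release counter stands in for the allocator so a double release shows up as a count of 2 instead of a crash.

```c
#include <stdio.h>

/* Constructed model, not kernel code: the flag bit and structs below are
 * placeholders for the real nameidata/componentname machinery. */
#define SAVESTART 0x01

struct pnbuf {
	int free_count;		/* how many times this buffer was released */
};

struct componentname {
	int flags;
	struct pnbuf *cn_pnbuf;
};

struct nameidata {
	struct componentname ni_cnd;
};

/* Model of PNBUF_PUT: record the release instead of freeing memory, so a
 * second release is observable rather than undefined behaviour. */
static void model_pnbuf_put(struct pnbuf *buf)
{
	buf->free_count++;
}

/* Model of genfs_abortop as described in the thread: the buffer is
 * released here unless the caller asked to keep it with SAVESTART. */
static void model_abortop(struct componentname *cnp)
{
	if ((cnp->flags & SAVESTART) == 0)
		model_pnbuf_put(cnp->cn_pnbuf);
}

/* rename_files()-style error path: namei was called with SAVESTART, so
 * abortop leaves pnbuf alone and the caller must release it itself. */
int rename_style_cleanup(void)
{
	struct pnbuf buf = { 0 };
	struct nameidata nd = { { SAVESTART, &buf } };

	model_abortop(&nd.ni_cnd);
	model_pnbuf_put(nd.ni_cnd.cn_pnbuf);
	return buf.free_count;	/* exactly one release */
}

/* Error path without SAVESTART, done right: abortop already released
 * pnbuf, so the caller must not touch it again. */
int unlink_style_cleanup_correct(void)
{
	struct pnbuf buf = { 0 };
	struct nameidata nd = { { 0, &buf } };

	model_abortop(&nd.ni_cnd);
	return buf.free_count;	/* exactly one release */
}

/* The pattern yamt objects to: PNBUF_PUT after VOP_ABORTOP when namei
 * was not called with SAVESTART. */
int unlink_style_cleanup_double_free(void)
{
	struct pnbuf buf = { 0 };
	struct nameidata nd = { { 0, &buf } };

	model_abortop(&nd.ni_cnd);
	model_pnbuf_put(nd.ni_cnd.cn_pnbuf);
	return buf.free_count;	/* two releases: the double free */
}

int main(void)
{
	printf("rename-style (SAVESTART):  %d release(s)\n",
	    rename_style_cleanup());
	printf("unlink-style, correct:     %d release(s)\n",
	    unlink_style_cleanup_correct());
	printf("unlink-style, buggy:       %d release(s)\n",
	    unlink_style_cleanup_double_free());
	return 0;
}
```

The point the model makes is that whether the caller owns pnbuf after VOP_ABORTOP depends on how namei was called, so a PNBUF_PUT in an error path is only correct when the matching lookup used SAVESTART.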