Subject: kern/5239: mount_null causes kernel panic
To: None <gnats-bugs@gnats.netbsd.org>
From: MINOURA Makoto <minoura@kw.netlaputa.ne.jp>
List: netbsd-bugs
Date: 04/01/1998 07:56:29
>Number: 5239
>Category: kern
>Synopsis: mount_null causes kernel panic
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Mar 31 15:05:00 1998
>Last-Modified:
>Originator: MINOURA Makoto
>Organization:
MINOURA, Makoto <minoura@kw.netlaputa.ne.jp> or <minoura@kyogoku.com>
Nakahara-ku Kawasaki-Shi, JAPAN
>Release: Mar. 30
>Environment:
System: NetBSD daisy 1.3E NetBSD 1.3E (DAISY) #45: Tue Mar 31 06:36:37 JST 1998 root@daisy:/usr/src/sys/arch/i386/compile/DAISY i386
>Description:
mount_null always causes a kernel panic.
In null_node_create() of null_subr.c, null_node_alloc() is called,
which returns an already locked vnode.
If the takelock argument is true, null_node_create() attempts to lock the
returned vnode again.
>How-To-Repeat:
mount -t null /foo /bar
>Fix:
*** null_subr.c.bak Thu Mar 12 21:13:15 1998
--- null_subr.c Tue Mar 31 06:27:37 1998
***************
*** 250,255 ****
--- 250,256 ----
int takelock;
{
struct vnode *aliasvp;
+ int locked = 0;
if ((aliasvp = null_node_find(mp, lowervp)) != NULL) {
/*
***************
*** 279,284 ****
--- 280,286 ----
/*
* aliasvp is already VREF'd by getnewvnode()
*/
+ locked = 1;
}
vrele(lowervp);
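Review bot: The locked = 1; assignment sits directly under the comment "aliasvp is already VREF'd by getnewvnode()", which is about the reference and not about the lock, so nothing at this point records why the flag is set. Add a comment on that line stating that null_node_alloc() returns the vnode already locked, since that is the invariant the later if (!locked) test depends on.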
***************
*** 298,305 ****
/* lower node was locked: mark it as locked and take
upper layer lock */
VTONULL(aliasvp)->null_flags |= NULL_LLOCK;
! if (takelock)
! vn_lock(aliasvp, LK_EXCLUSIVE | LK_RETRY);
*newvpp = aliasvp;
return (0);
--- 300,311 ----
/* lower node was locked: mark it as locked and take
upper layer lock */
VTONULL(aliasvp)->null_flags |= NULL_LLOCK;
! if (takelock) {
! if (!locked)
! vn_lock(aliasvp, LK_EXCLUSIVE | LK_RETRY);
! /* else
! printf ("null_node_create: already locked\n");*/
! }
*newvpp = aliasvp;
return (0);
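Review bot: The new if (takelock) block only handles the case where takelock is set: when takelock is zero and locked is 1, aliasvp is stored in *newvpp still holding the lock it came back with from null_node_alloc(). If callers passing takelock == 0 expect an unlocked vnode, that path needs an explicit unlock; if it is intended, say so in a comment. The commented-out printf should also be dropped or turned into a real diagnostic before this goes in.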
>Audit-Trail:
>Unformatted: