The following reply was made to PR kern/35278; it has been noted by GNATS.

From: Elad Efrat <elad@NetBSD.org>
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>, gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/35278: veriexec sometimes feeds user va to log(9)
Date: Sat, 23 Dec 2006 15:44:07 +0200

 YAMAMOTO Takashi wrote:
 
 > i think the patch causes double-free of pnbuf because
 > VOP_ABORTOP frees it as well.  (see genfs_abortop)
 > except that, seems fine to me.
 
 in kern/vfs_syscalls.c:rename_files():
 
 3318:        error = vn_start_write(fvp, &mp, V_WAIT | V_PCATCH);
 3319:        if (error != 0) {
 3320:                VOP_ABORTOP(fromnd.ni_dvp, &fromnd.ni_cnd);
 3321:                vrele(fromnd.ni_dvp);
 3322:                vrele(fvp);
 3323:                if (fromnd.ni_startdir)
 3324:                        vrele(fromnd.ni_startdir);
 3325:                PNBUF_PUT(fromnd.ni_cnd.cn_pnbuf);
 3326:                return (error);
 3327:        }
 
 (namei() was called with SAVESTART in this snippet.)
 
 is this also wrong? in the diff I posted, you're referring to the
 PNBUF_PUT() after the 'out' label in sys_unlink(), right?
 
 -e.