kern/38460: fstrans_start code in genfs_do_putpages is racy

[yamt%mwd.biglobe.ne.jp@localhost]

>Number:         38460
>Category:       kern
>Synopsis:       fstrans_start code in genfs_do_putpages is racy
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Apr 19 08:05:00 +0000 2008
>Originator:     YAMAMOTO Takashi <yamt%mwd.biglobe.ne.jp@localhost>
>Release:        NetBSD 4.99.60
>Organization:
        
>Environment:
        
        
Architecture: i386
Machine: i386
>Description:
        genfs_do_putpages temporarily releases vmobjlock for fstrans_start.

        if ((flags & PGO_CLEANIT) != 0) {
                mutex_exit(slock);
                if (pagedaemon) {
                        error = fstrans_start_nowait(vp->v_mount, FSTRANS_LAZY);
                        if (error)
                                return error;
                } else  
                        fstrans_start(vp->v_mount, FSTRANS_LAZY);
                has_trans = true;
                mutex_enter(slock);
        }

        it isn't safe.  eg. if defined(DEBUG) and all pages are released
        in the window, by_list will be true, pg will be NULL, and it ends
        up with a NULL dereference.

>How-To-Repeat:
        code inspection.
>Fix:
        

>Unformatted: