Store a reference to the vnode associated with a file descriptor in the

linux_file structure and use it instead of directly accessing td_fpop
when destroying the linux_file structure.  The td_fpop pointer is not
valid when a cdevpriv destructor is run, and the type-specific close
method has already been called, so f_vnode may not be valid (and the
vnode might have been recycled without our own reference).

Tested by:	Julian Stecklina <jsteckli@os.inf.tu-dresden.de>
MFC after:	1 week

sys/ofed/include/linux/fs.h

@@ -73,6 +73,7 @@ struct linux_file {
 	struct dentry	f_dentry_store;
 	struct selinfo	f_selinfo;
 	struct sigio	*f_sigio;
+	struct vnode	*f_vnode;
 };
 
 #define	file		linux_file

sys/ofed/include/linux/linux_compat.c

@@ -212,7 +212,8 @@ linux_file_dtor(void *cdp)
 	struct linux_file *filp;
 
 	filp = cdp;
-	filp->f_op->release(curthread->td_fpop->f_vnode, filp);
+	filp->f_op->release(filp->f_vnode, filp);
+	vdrop(filp->f_vnode);
 	kfree(filp);
 }
 
@@ -232,6 +233,8 @@ linux_dev_open(struct cdev *dev, int oflags, int devtype, struct thread *td)
 	filp->f_dentry = &filp->f_dentry_store;
 	filp->f_op = ldev->ops;
 	filp->f_flags = file->f_flag;
+	vhold(file->f_vnode);
+	filp->f_vnode = file->f_vnode;
 	if (filp->f_op->open) {
 		error = -filp->f_op->open(file->f_vnode, filp);
 		if (error) {