65a8e18fa7
On dotdot lookup and fhtovp operations, it is possible for the file represented by tmpfs node to be removed after the thread calculated the pointer. In this case, tmpfs_alloc_vp() accesses freed memory. Introduce the reference count on the nodes. The allnodes list from tmpfs mount owns 1 reference, and threads performing unlocked operations on the node, add one transient reference. Similarly, since struct tmpfs_mount maintains the list where nodes are enlisted, refcount it by one reference from struct mount and one reference from each node on the list. Both nodes and tmpfs_mounts are removed when refcount goes to zero. Note that this means that nodes and tmpfs_mounts might survive some time after the node is deleted or tmpfs_unmount() finished. The tmpfs_alloc_vp() in these cases returns error either due to node removal (tn_nlinks == 0) or because of insmntque1(9) error. Tested by: pho (as part of larger patch) Sponsored by: The FreeBSD Foundation MFC after: 2 weeks