commit a6a5024d16a141fc72bdd4b292dd6f77cd96665e
Author: Mikolaj Golub <trociny@freebsd.org>
Date:   Sat Feb 18 20:44:54 2012 +0200

    When detaching an unix domain socket, uipc_detach() checks
    unp->unp_vnode pointer to find out if there is a vnode associated with
    (binded to) this socket and does necessary cleanup if there is.
    
    The issue is that after forced unmount this check may be too late as
    the unp_vnode is reclaimed and the reference is stale.
    
    To fix this provide a helper function that is called on a socket vnode
    reclamation to do necessary cleanup.
    
    Pointed by:	kib
    Reviewed by:	XXX

diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 3a439ec..e5cba26 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1238,6 +1238,45 @@ uipc_ctloutput(struct socket *so, struct sockopt *sopt)
 	return (error);
 }
 
+/*
+ * A helper function called by VFS before vnode reclamation. For an
+ * active vnode it clears unp_vnode pointer and decrements unp_vnode
+ * use count.
+ */
+void
+unp_prepare_reclaim(struct vnode *vp)
+{
+	struct socket *so;
+	struct unpcb *unp;
+	int active;
+
+	ASSERT_VOP_ELOCKED(vp, "unp_prepare_reclaim");
+	KASSERT(vp->v_type == VSOCK,
+	    ("unp_prepare_reclaim: vp->v_type != VSOCK"));
+
+	active = 0;
+	UNP_LINK_WLOCK();
+	so = vp->v_socket;
+	if (so == NULL)
+		goto done;
+	unp = sotounpcb(so);
+	if (unp == NULL)
+		goto done;
+	UNP_PCB_LOCK(unp);
+	if (unp->unp_vnode != NULL) {
+		KASSERT(unp->unp_vnode == vp,
+		    ("unp_prepare_reclaim: vp != unp->unp_vnode"));
+		vp->v_socket = NULL;
+		unp->unp_vnode = NULL;
+		active = 1;
+	}
+	UNP_PCB_UNLOCK(unp);
+done:
+	UNP_LINK_WUNLOCK();
+	if (active)
+		vunref(vp);
+}
+
 static int
 unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
 {
diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c
index 28562e6..11f193c 100644
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@@ -71,6 +71,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/stat.h>
 #include <sys/sysctl.h>
 #include <sys/syslog.h>
+#include <sys/unpcb.h>
 #include <sys/vmmeter.h>
 #include <sys/vnode.h>
 #ifdef SW_WATCHDOG
@@ -2657,6 +2658,8 @@ vgonel(struct vnode *vp)
 			vinactive(vp, td);
 		VI_UNLOCK(vp);
 	}
+	if (vp->v_type == VSOCK)
+		unp_prepare_reclaim(vp);
 	/*
 	 * Reclaim the vnode.
 	 */
diff --git a/sys/sys/unpcb.h b/sys/sys/unpcb.h
index 4d69f3e..55002df 100644
--- a/sys/sys/unpcb.h
+++ b/sys/sys/unpcb.h
@@ -117,6 +117,8 @@ struct unpcb {
 
 #define	sotounpcb(so)	((struct unpcb *)((so)->so_pcb))
 
+void unp_prepare_reclaim(struct vnode *vp);
+
 /* Hack alert -- this structure depends on <sys/socketvar.h>. */
 #ifdef	_SYS_SOCKETVAR_H_
 struct xunpcb {