commit 0857650a784a358beeee52dd63926dffec971d41 Author: Mikolaj Golub Date: Sat Feb 18 20:44:54 2012 +0200 When detaching an unix domain socket, uipc_detach() checks unp->unp_vnode pointer to find out if there is a vnode associated with (binded to) this socket and does necessary cleanup if there is. The issue is that after forced unmount this check may be too late as the unp_vnode is reclaimed and the reference is stale. To fix this provide a helper function that is called on a socket vnode reclamation to do necessary cleanup. Pointed by: kib Reviewed by: kib
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 3a439ec..0504d63 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -2300,6 +2300,45 @@ unp_scan(struct mbuf *m0, void (*op)(struct file *))
 }
 }
+/*
+ * A helper function called by VFS before vnode reclamation. For an
+ * active vnode it clears unp_vnode pointer and decrements unp_vnode
+ * use count.
+ */
+void
+vfs_unp_reclaim(struct vnode *vp)
+{
+ struct socket *so;
+ struct unpcb *unp;
+ int active;
+
+ ASSERT_VOP_ELOCKED(vp, "vfs_unp_reclaim");
+ KASSERT(vp->v_type == VSOCK,
+ ("vfs_unp_reclaim: vp->v_type != VSOCK"));
+
+ active = 0;
+ UNP_LINK_WLOCK();
+ so = vp->v_socket;
+ if (so == NULL)
+ goto done;
+ unp = sotounpcb(so);
+ if (unp == NULL)
+ goto done;
+ UNP_PCB_LOCK(unp);
+ if (unp->unp_vnode != NULL) {
+ KASSERT(unp->unp_vnode == vp,
+ ("vfs_unp_reclaim: vp != unp->unp_vnode"));
+ vp->v_socket = NULL;
+ unp->unp_vnode = NULL;
+ active = 1;
+ }
+ UNP_PCB_UNLOCK(unp);
+done:
+ UNP_LINK_WUNLOCK();
+ if (active)
+ vunref(vp);
+}
+
 #ifdef DDB
 static void
 db_print_indent(int indent)
diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c
index 28562e6..8d3c6aa 100644
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@@ -2657,6 +2657,8 @@ vgonel(struct vnode *vp)
 vinactive(vp, td);
 VI_UNLOCK(vp);
 }
+ if (vp->v_type == VSOCK)
+ vfs_unp_reclaim(vp);
 /*
 * Reclaim the vnode.
 */
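Review bot: In vfs_unp_reclaim() (sys/kern/uipc_usrreq.c) the only check that `unp->unp_vnode` really is `vp` is a KASSERT, which is compiled out of kernels built without INVARIANTS. On a mismatch such a kernel would still clear `unp_vnode` and then call `vunref(vp)`, dropping a use reference that this socket never held on `vp`. Making the comparison the guard itself, `if (unp->unp_vnode == vp) {`, keeps the cleanup safe in production builds. The header comment could also state the contract the two assertions encode, for example `* The caller must hold vp exclusively locked and vp must be a VSOCK vnode.`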
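Review bot: The added `vfs_unp_reclaim(vp)` call in vgonel() (sys/kern/vfs_subr.c) has no comment saying why it must run before the reclaim step that follows it; a reader sees only a bare type check between the vinactive block and the "Reclaim the vnode" comment. A line such as `/* Detach a bound unix socket from vp before it is reclaimed; see vfs_unp_reclaim(). */` above the `if` would record that ordering requirement. vfs_unp_reclaim() asserts that the vnode is exclusively locked, and the lock state at this point is set up outside the hunk, so it is worth confirming that every path into vgonel() satisfies it. vgonel() starts and ends outside the hunk.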
diff --git a/sys/sys/vnode.h b/sys/sys/vnode.h
index 4fd5a28..a3ba1b7 100644
--- a/sys/sys/vnode.h
+++ b/sys/sys/vnode.h
@@ -793,6 +793,8 @@ int vfs_read_dirent(struct vop_readdir_args *ap, struct dirent *dp, off_t off);
 int vfs_unixify_accmode(accmode_t *accmode);
+void vfs_unp_reclaim(struct vnode *vp);
+
 int setfmode(struct thread *td, struct ucred *cred, struct vnode *vp, int mode);
 int setfown(struct thread *td, struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid);