From f4f14d92e23977993fc16fdcece27ba510a6d40b Mon Sep 17 00:00:00 2001
From: Vitaliy Gusev <gusev.vitaliy@gmail.com>
Date: Wed, 15 Nov 2017 00:50:09 +0300
Subject: [PATCH] 8805 xattr_dir_lookup() can leak a vnode hold Reviewed by:
 Marcel Telka <marcel@telka.sk> Reviewed by: Gordon Ross
 <gordon.w.ross@gmail.com> Approved by: Dan McDonald <danmcd@joyent.com>

---
 usr/src/uts/common/fs/xattr.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/usr/src/uts/common/fs/xattr.c b/usr/src/uts/common/fs/xattr.c
index 0c5ddde20d..2326a42747 100644
--- a/usr/src/uts/common/fs/xattr.c
+++ b/usr/src/uts/common/fs/xattr.c
@@ -1664,22 +1664,18 @@ xattr_dir_lookup(vnode_t *dvp, vnode_t **vpp, int flags, cred_t *cr)
 
 			ASSERT((*vpp)->v_count == 1);
 			vn_free(*vpp);
+			VN_RELE_LOCKED(dvp);
 
 			mutex_destroy(&dp->gfsd_lock);
 			kmem_free(dp->gfsd_static,
 			    dp->gfsd_nstatic * sizeof (gfs_dirent_t));
 			kmem_free(dp, dp->gfsd_file.gfs_size);
 
-			/*
-			 * There is an implied VN_HOLD(dvp) here.  We should
-			 * be doing a VN_RELE(dvp) to clean up the reference
-			 * from *vpp, and then a VN_HOLD(dvp) for the new
-			 * reference.  Instead, we just leave the count alone.
-			 */
-
+			/* dvp was held by winner in gfs_dir_create */
 			*vpp = dvp->v_xattrdir;
 			VN_HOLD(*vpp);
 		} else {
+			/* winner */
 			(*vpp)->v_flag |= (V_XATTRDIR|V_SYSATTR);
 			dvp->v_xattrdir = *vpp;
 		}
-- 
2.11.4.GIT