0

    tmpfs_destroy_vobject(): clear v_object under the object lock
    
    Which allows tmpfs_pager_writecount_recalc() to reliably detect
    reclaimed vnode and make its accesses to object->un_pager.swp.private
    (== vp) safe against reclaim.  Note that vnode instantiation already
    assigns v_object under the object lock.
    
    Reviewed by:    markj
    Reported and tested by: pho
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week
    Differential revision:  https://reviews.freebsd.org/D45119
---
 sys/fs/tmpfs/tmpfs_subr.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sys/fs/tmpfs/tmpfs_subr.c b/sys/fs/tmpfs/tmpfs_subr.c
index 4ddf2b4ba5ff..53781202b066 100644
--- a/sys/fs/tmpfs/tmpfs_subr.c
+++ b/sys/fs/tmpfs/tmpfs_subr.c
@@ -120,7 +120,7 @@ tmpfs_pager_writecount_recalc(vm_object_t object, vm_offset_t old,
 	/*
 	 * Forced unmount?
 	 */
-	if (vp == NULL) {
+	if (vp == NULL || vp->v_object == NULL) {
 		KASSERT((object->flags & OBJ_TMPFS_VREF) == 0,
 		    ("object %p with OBJ_TMPFS_VREF but without vnode",
 		    object));
@@ -957,6 +957,8 @@ tmpfs_destroy_vobject(struct vnode *vp, vm_object_t obj)
 
 	VM_OBJECT_WLOCK(obj);
 	VI_LOCK(vp);
+	vp->v_object = NULL;
+
 	/*
 	 * May be going through forced unmount.
 	 */