namei() can call underlying nfs_readlink() passing a struct uio pointer

owned by a NULL owner. This will lead consequent VOP_ISLOCKED() present
into nfs_upgrade_vnlock() to panic as it only acquire curthread now.
Fix nfs_upgrade_vnlock() and nfs_downgrade_vnlock() in order to not use
more the struct thread pointer passed as argument (as it is really nomore
required there as vn_lock() and VOP_UNLOCK doesn't get the lock more).
Using curthread, in place, doesn't get ambiguity as LK_EXCLOTHER should
be handled as a "not locked" request by both functions.

Reported by: kris
Tested by: kris
Reviewed by: ups

1 files changed, 3 insertions, 3 deletions

diff --git a/sys/nfsclient/nfs_subs.c b/sys/nfsclient/nfs_subs.c
index 881b1a11f065..f8cefb51c9e6 100644
--- a/sys/nfsclient/nfs_subs.c
+++ b/sys/nfsclient/nfs_subs.c
@@ -480,11 +480,11 @@ nfs_dircookie_unlock(struct nfsnode *np)
 }
 
 int
-nfs_upgrade_vnlock(struct vnode *vp, struct thread *td)
+nfs_upgrade_vnlock(struct vnode *vp)
 {
 	int old_lock;
 	
- 	if ((old_lock = VOP_ISLOCKED(vp, td)) != LK_EXCLUSIVE) {
+ 	if ((old_lock = VOP_ISLOCKED(vp, curthread)) != LK_EXCLUSIVE) {
  		if (old_lock == LK_SHARED) {
  			/* Upgrade to exclusive lock, this might block */
  			vn_lock(vp, LK_UPGRADE | LK_RETRY);
@@ -496,7 +496,7 @@ nfs_upgrade_vnlock(struct vnode *vp, struct thread *td)
 }
 
 void
-nfs_downgrade_vnlock(struct vnode *vp, struct thread *td, int old_lock)
+nfs_downgrade_vnlock(struct vnode *vp, int old_lock)
 {
 	if (old_lock != LK_EXCLUSIVE) {
  		if (old_lock == LK_SHARED) {