kernel - Fix a 'vm_page_unhold: hold count < 0' panic in kern_execve()

* imgp->firstpage is preloaded with lwbuf storage but we failed to NULL
  it out on error, causing the code to later attempt to release a bogus
  lwbuf.

* Fixes a hold count panic on random vm_page's.

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 3effc92..fdc83cc 100644 (file)
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -670,6 +670,12 @@ exec_map_page(struct image_params *imgp, vm_pindex_t pageno,
        return (0);
 }
 
+/*
+ * Map the first page of an executable image.
+ *
+ * NOTE: If the mapping fails we have to NULL-out firstpage which may
+ *      still be pointing to our supplied lwp structure.
+ */
 int
 exec_map_first_page(struct image_params *imgp)
 {
@@ -681,8 +687,10 @@ exec_map_first_page(struct image_params *imgp)
        imgp->firstpage = &imgp->firstpage_cache;
        err = exec_map_page(imgp, 0, &imgp->firstpage, &imgp->image_header);
 
-       if (err)
+       if (err) {
+               imgp->firstpage = NULL;
                return err;
+       }
 
        return 0;
 }