aa0e1a2ecf
getcleanvnode() sets v_type to VNON after releasing v_interlock. So the thread doing quotaon(), quotaoff() or qsync() could vget() a vnode which is being recycled in getcleanvnode(), after is has been cleaned and v_interlock released, but before v_type has been reset, leading to KASSERT(vp->v_usecount == 1) firing in getnewvnode(), or qsync() dereferending a NULL pointer as in PR kern/42205. Fix by using the same tests as other ffs function traversing the mount list: also check for VTOI(vp) == NULL, and VI_XLOCK in addition to VI_CLEAN.