FREF() and FRELE() should be used for modify file reference count, so direct f_count modification replaced by their calls. Only one direct f_count decrement was kept in closef() since FRELE() call looks inapplicable here.
Index: kern/kern_descrip.c =================================================================== RCS file: /home/cvsync/openbsd-cvs/src/sys/kern/kern_descrip.c,v retrieving revision 1.117 diff -u -p -r1.117 kern_descrip.c --- kern/kern_descrip.c 14 Mar 2015 03:38:50 -0000 1.117 +++ kern/kern_descrip.c 30 Apr 2015 02:08:52 -0000 @@ -566,7 +566,7 @@ finishdup(struct proc *p, struct file *f fdp->fd_ofiles[new] = fp; fdp->fd_ofileflags[new] = fdp->fd_ofileflags[old] & ~UF_EXCLOSE; - fp->f_count++; + FREF(fp); FRELE(fp, p); if (dup2 && oldfp == NULL) fd_used(fdp, new); @@ -1001,7 +1001,7 @@ fdcopy(struct process *pr) (*fpp)->f_type == DTYPE_SYSTRACE) fdremove(newfdp, i); else - (*fpp)->f_count++; + FREF(*fpp); } /* finish cleaning up kq bits */ @@ -1075,6 +1075,11 @@ closef(struct file *fp, struct proc *p) if (fp->f_count < 2) panic("closef: count (%ld) < 2", fp->f_count); #endif + /* + * XXX: The fp has its usecount bumped by FREF() call. FRELE() + * call will not destroy fp here. This direct modification + * kept here until usecount logic will be refactored. + */ fp->f_count--; /* @@ -1249,7 +1254,7 @@ dupfdopen(struct filedesc *fdp, int indx fdp->fd_ofiles[indx] = wfp; fdp->fd_ofileflags[indx] = (fdp->fd_ofileflags[indx] & UF_EXCLOSE) | (fdp->fd_ofileflags[dfd] & ~UF_EXCLOSE); - wfp->f_count++; + FREF(wfp); fd_used(fdp, indx); return (0); } Index: kern/uipc_usrreq.c =================================================================== RCS file: /home/cvsync/openbsd-cvs/src/sys/kern/uipc_usrreq.c,v retrieving revision 1.80 diff -u -p -r1.80 uipc_usrreq.c --- kern/uipc_usrreq.c 28 Mar 2015 23:50:55 -0000 1.80 +++ kern/uipc_usrreq.c 30 Apr 2015 02:08:52 -0000 @@ -837,7 +837,7 @@ morespace: } memcpy(rp, &fp, sizeof fp); rp--; - fp->f_count++; + FREF(fp); fp->f_msgcount++; unp_rights++; } @@ -847,8 +847,8 @@ fail: for ( ; i > 0; i--) { rp++; memcpy(&fp, rp, sizeof(fp)); - fp->f_count--; fp->f_msgcount--; + FRELE(fp, NULL); unp_rights--; } @@ -962,7 +962,7 @@ unp_gc(void) *fpp++ = fp; nunref++; FREF(fp); - fp->f_count++; + FREF(fp); } } for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) Index: nfs/nfs_syscalls.c =================================================================== RCS file: /home/cvsync/openbsd-cvs/src/sys/nfs/nfs_syscalls.c,v retrieving revision 1.99 diff -u -p -r1.99 nfs_syscalls.c --- nfs/nfs_syscalls.c 14 Mar 2015 03:38:52 -0000 1.99 +++ nfs/nfs_syscalls.c 30 Apr 2015 02:08:52 -0000 @@ -276,7 +276,7 @@ nfssvc_addsock(struct file *fp, struct m } slp->ns_so = so; slp->ns_nam = mynam; - fp->f_count++; + FREF(fp); slp->ns_fp = fp; s = splsoftnet(); so->so_upcallarg = (caddr_t)slp;