1. mount may be removed before we acquire the rlock on mh. check after the lock is acquired. 2. vmemchr requires that &name[0] is valid so use validaddr on it before calling vmemchr.
Notes: Wed Jan 5 15:53:23 EST 2011 geoff applied first 2 fixes; last one is redundant, and thus not applied, since caller is required to have verified legality of first byte's addr and vmemchr checks the rest for user addresses.
Reference: /n/sources/patch/applied/chancrash
Date: Sun Sep 19 12:23:41 CES 2010
Signed-off-by: quanstro@quanstro.net
Reviewed-by: geoff
--- /sys/src/9/port/chan.c Sun Sep 19 12:20:26 2010
+++ /sys/src/9/port/chan.c Sun Sep 19 12:20:23 2010
@@ -1012,7 +1012,9 @@
 /*
 * mh->mount->to == c, so start at mh->mount->next
 */
+ f = nil;
 rlock(&mh->lock);
+ if(mh->mount)
 for(f = mh->mount->next; f; f = f->next)
 if((wq = ewalk(f->to, nil, names+nhave, ntry)) != nil)
 break;
@@ -1263,7 +1265,7 @@
 if(name <= aname)
 panic("bad math in namelenerror");
 /* walk out of current UTF sequence */
- for(i=0; (*name&0xC0)==0x80 && i<3; i++)
+ for(i=0; (*name&0xC0)==0x80 && igenbuf, sizeof up->genbuf, "...%.*s",
@@ -1686,8 +1688,9 @@
 name = aname;
 if((ulong)name < KZERO){
+ validaddr((ulong)name, 1, 0);
 if(!dup)
- print("warning: validname called from %lux with user pointer", pc);
+ print("warning: validname called from %#p with user pointer", pc);
 ename = vmemchr(name, 0, (1<<16));
 }else
 ename = memchr(name, 0, (1<<16));
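Review bot: With `f = nil` and the `if(mh->mount)` guard added, the loop can now be skipped entirely, but `wq` is only assigned inside the loop condition, so whatever code consumes `wq` after the loop (outside this hunk) must key off `f == nil` rather than `wq`; if it reads `wq`, initialize it alongside `f`, e.g. `f = nil; wq = nil;`. The comment just above the guard still asserts `mh->mount->to == c` unconditionally, yet the whole point of the fix is that the mount list can be emptied before the rlock is taken, so extend it: `/* mh->mount->to == c, so start at mh->mount->next; the mount may be removed before we get the rlock, so mh->mount can be nil */`. Stylistically, an `if` wrapping a braceless multi-line `for` is easy to misread in this code base; `if(mh->mount != nil){ ... }` with braces around the loop would read more safely. The enclosing function begins and ends outside this hunk.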
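Review bot: The new `validaddr((ulong)name, 1, 0)` only vets the first byte of a user pointer before `vmemchr` scans up to 64 KB of it, and nothing in the hunk says why one byte is enough; the maintainer note above records that this hunk was considered redundant because callers must already have validated byte 0 and vmemchr checks the rest, so whichever way it lands the contract belongs in the code: `/* callers must pass a legal user address for name[0]; vmemchr validates the remaining bytes as it scans */`. If validaddr reports a bad address via error() rather than a return value (its definition is outside this hunk), the `print` warning on the following lines is now reached only for valid addresses, which matches the intent but is worth a line of comment. On the format change, `%#p` takes a pointer/uintptr argument, while the old `%lux` suggests `pc` is a ulong; pass it as `(void*)pc` or retype pc as uintptr so the varargs stay consistent. The enclosing function begins and ends outside this hunk.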