DF-0044 / panic.txt
DF-0044 panic.txt -- panic signature capture.
Command used to scan dfbsd-qemu/boot.log (the serial console, which captures
kernel panics even when ssh dies):
grep -iE 'fatal trap|panic:|Stopped at|db> ' dfbsd-qemu/boot.log
Result: EMPTY. No panic occurred across any of the verification runs
(unprivileged 60s, root 90s with MNT_FORCE, multiple shorter exploratory
runs). The guest stayed up throughout.
For completeness, the boot.log DID contain the kernel's own race-detection
messages, which prove the race is being exercised (just not won):
login: unmount(/tmp/df0044/m): forced umount of "(null)" - 3 namecache refs, 9 mount refs
unmount(/tmp/df0044/m): (0xfffff80066c1c400): 3 namecache refs, 9 mount refs still present
unmount(/tmp/df0044/m): forced umount of "(null)" - 3 namecache refs, 9 mount refs
unmount(/tmp/df0044/m): (0xfffff80066acac00): 3 namecache refs, 9 mount refs still present
nlookup: warning umount race avoided
nlookup: warning umount race avoided
unmount(/tmp/df0044/m): forced umount of "(null)" - 3 namecache refs, 5 mount refs
unmount(/tmp/df0044/m): (0xfffff80066acac00): 3 namecache refs, 5 mount refs still present
unmount(/tmp/df0044/m): forced umount of "(null)" - 3 namecache refs, 3 mount refs
unmount(/tmp/df0044/m): (0xfffff80066acac00): 3 namecache refs, 3 mount refs still present
unmount(/tmp/df0044/m): forced umount of "(null)" - 1 namecache refs, 7 mount refs
unmount(/tmp/df0044/m): (0xfffff80066acb000): 1 namecache refs, 7 mount refs still present
unmount(/tmp/df0044/m): forcing unmount
nlookup: warning umount race avoided
nlookup: warning umount race avoided
nlookup: warning umount race avoided
Sources of those messages:
* "forced umount of ... - N namecache refs, M mount refs" (vfs_syscalls.c:966-971)
-- dounmount() retry loop exhausted; mount is being torn down despite
lingering refs. Printed for ANY unmount that hits the retry cap, not
only MNT_FORCE.
* "(%p): N namecache refs, M mount refs still present" (vfs_syscalls.c:980-985)
-- post-drain status; mnt_refs did not reach 1.
* "forcing unmount" (vfs_syscalls.c:988)
-- MNT_FORCE path electing freeok=0 (skip kfree). Without this, EBUSY.
* "nlookup: warning umount race avoided" (vfs_nlookup.c:1056)
-- nlookup detected MNTK_UNMOUNT and bailed with EBUSY instead of
dereferencing the dying mount.
Crucially: the kernel's defense-in-depth (nlookup bail-out + dounmount
freeok=0 skip) means the actual kfree of mp does not happen while refs
remain. In every observed cycle the deref at vfs_cache.c:5224 read either
still-valid or zeroed-but-not-freed memory, never freed-then-reallocated
memory. Hence no panic.