DragonFlyBSD Kernel Audit
DF-0044 / panic.txt
← back to finding ↓ download raw
DF-0044 panic.txt -- panic signature capture.

Command used to scan dfbsd-qemu/boot.log (the serial console, which captures
kernel panics even when ssh dies):
    grep -iE 'fatal trap|panic:|Stopped at|db> ' dfbsd-qemu/boot.log

Result: EMPTY.  No panic occurred across any of the verification runs
(unprivileged 60s, root 90s with MNT_FORCE, multiple shorter exploratory
runs).  The guest stayed up throughout.

For completeness, the boot.log DID contain the kernel's own race-detection
messages, which prove the race is being exercised (just not won):

    login: unmount(/tmp/df0044/m): forced umount of "(null)" - 3 namecache refs, 9 mount refs
    unmount(/tmp/df0044/m): (0xfffff80066c1c400): 3 namecache refs, 9 mount refs still present
    unmount(/tmp/df0044/m): forced umount of "(null)" - 3 namecache refs, 9 mount refs
    unmount(/tmp/df0044/m): (0xfffff80066acac00): 3 namecache refs, 9 mount refs still present
    nlookup: warning umount race avoided
    nlookup: warning umount race avoided
    unmount(/tmp/df0044/m): forced umount of "(null)" - 3 namecache refs, 5 mount refs
    unmount(/tmp/df0044/m): (0xfffff80066acac00): 3 namecache refs, 5 mount refs still present
    unmount(/tmp/df0044/m): forced umount of "(null)" - 3 namecache refs, 3 mount refs
    unmount(/tmp/df0044/m): (0xfffff80066acac00): 3 namecache refs, 3 mount refs still present
    unmount(/tmp/df0044/m): forced umount of "(null)" - 1 namecache refs, 7 mount refs
    unmount(/tmp/df0044/m): (0xfffff80066acb000): 1 namecache refs, 7 mount refs still present
    unmount(/tmp/df0044/m): forcing unmount

    nlookup: warning umount race avoided
    nlookup: warning umount race avoided
    nlookup: warning umount race avoided

Sources of those messages:
  * "forced umount of ... - N namecache refs, M mount refs"  (vfs_syscalls.c:966-971)
    -- dounmount() retry loop exhausted; mount is being torn down despite
    lingering refs.  Printed for ANY unmount that hits the retry cap, not
    only MNT_FORCE.
  * "(%p): N namecache refs, M mount refs still present"     (vfs_syscalls.c:980-985)
    -- post-drain status; mnt_refs did not reach 1.
  * "forcing unmount"                                        (vfs_syscalls.c:988)
    -- MNT_FORCE path electing freeok=0 (skip kfree).  Without this, EBUSY.
  * "nlookup: warning umount race avoided"                   (vfs_nlookup.c:1056)
    -- nlookup detected MNTK_UNMOUNT and bailed with EBUSY instead of
    dereferencing the dying mount.

Crucially: the kernel's defense-in-depth (nlookup bail-out + dounmount
freeok=0 skip) means the actual kfree of mp does not happen while refs
remain.  In every observed cycle the deref at vfs_cache.c:5224 read either
still-valid or zeroed-but-not-freed memory, never freed-then-reallocated
memory.  Hence no panic.