Fix snapshot automount race causing AVL tree panic

[ixhamza]

Motivation and Context

This fixes a race condition that causes kernel panics when multiple processes simultaneously access a fresh snapshot. The bug triggers a VERIFY() assertion failure in the AVL tree code when concurrent threads attempt to add identical entries during snapshot automount.

Fixes: #17659

Description

The race condition occurs in zfsctl_snapshot_mount() due to a time-of-check-time-of-use (TOCTOU) bug between checking if a snapshot is mounted and adding it to the AVL tree. The sequence is:

1. Thread A checks if snapshot is mounted via zfsctl_snapshot_ismounted() - returns FALSE
2. Thread B checks if snapshot is mounted - also returns FALSE (no AVL entry exists yet)
3. Both threads release the reader lock and proceed to mount
4. Both threads call userspace mount helper (call_usermodehelper())
5. Thread A acquires write lock and adds entry to AVL tree - succeeds
6. Thread B acquires write lock and attempts to add duplicate entry
7. AVL tree's VERIFY() assertion fails

The fix adds a pending entry mechanism with per-entry mutex synchronization. The first mount thread creates a pending AVL entry and holds se_mtx during helper execution. Concurrent mounts find the pending entry and return success without spawning duplicate helpers, preventing the AVL panic.

Kernel Stack Trace:

[   24.765626] VERIFY(avl_find(tree, new_node, &where) == NULL) failed
[   24.768232] PANIC at avl.c:625:avl_add()
[   24.769719] Showing stack for process 858
[   24.771962] CPU: 13 UID: 0 PID: 858 Comm: ls Not tainted 6.12.43-production+ #656
[   24.771974] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.771978] Call Trace:
[   24.771982]  <TASK>
[   24.771987]  dump_stack_lvl+0x6c/0x90
[   24.772002]  dump_stack+0x10/0x20
[   24.772010]  spl_dumpstack+0x28/0x30
[   24.772019]  spl_panic+0xd3/0xf0
[   24.772027]  ? schedule+0x34/0x100
[   24.772037]  ? __kmalloc_node_noprof+0x13d/0x3f0
[   24.772045]  ? __kvmalloc_node_noprof+0x24/0xe0
[   24.772054]  ? __kvmalloc_node_noprof+0x24/0xe0
[   24.772061]  ? __kvmalloc_node_noprof+0x24/0xe0
[   24.772068]  ? __kmalloc_noprof+0x157/0x3c0
[   24.772074]  ? snapentry_compare_by_name+0x14/0x30
[   24.772082]  spl_assert.constprop.0+0x1a/0x30
[   24.772091]  avl_add+0x7e/0x90
[   24.772099]  zfsctl_snapshot_add+0x34/0x70
[   24.772105]  zfsctl_snapshot_mount+0x51d/0x700
[   24.772117]  zpl_snapdir_automount+0x10/0x40
[   24.772124]  __traverse_mounts+0x8f/0x210
[   24.772134]  step_into+0x33a/0x760
[   24.772140]  walk_component+0x51/0x180
[   24.772145]  path_lookupat+0x6a/0x1a0
[   24.772150]  filename_lookup+0xc8/0x1c0
[   24.772161]  vfs_statx+0x7b/0xe0
[   24.772171]  do_statx+0x45/0x80
[   24.772180]  ? __check_object_size+0x25b/0x2c0
[   24.772191]  ? strncpy_from_user+0x25/0x100
[   24.772199]  ? getname_flags.part.0+0x4b/0x1d0
[   24.772207]  ? getname_flags+0x37/0x60
[   24.772212]  __x64_sys_statx+0x9b/0xe0
[   24.772225]  x64_sys_call+0x16b5/0x2060
[   24.772235]  do_syscall_64+0x69/0x110
[   24.772247]  ? debug_smp_processor_id+0x17/0x20
[   24.772259]  ? __alloc_pages_noprof+0x164/0x310
[   24.772270]  ? debug_smp_processor_id+0x17/0x20
[   24.772277]  ? __mod_memcg_lruvec_state+0xf9/0x1b0
[   24.772288]  ? debug_smp_processor_id+0x17/0x20
[   24.772294]  ? __folio_batch_add_and_move+0xf3/0x110
[   24.772304]  ? set_ptes.isra.0+0x3b/0x80
[   24.772311]  ? _raw_spin_unlock+0x19/0x40
[   24.772322]  ? do_anonymous_page+0x111/0x800
[   24.772331]  ? __pte_offset_map+0x1c/0x180
[   24.772342]  ? __handle_mm_fault+0xbc1/0x1040
[   24.772356]  ? debug_smp_processor_id+0x17/0x20
[   24.772363]  ? __count_memcg_events+0x76/0x110
[   24.772374]  ? count_memcg_events.constprop.0+0x1e/0x40
[   24.772386]  ? debug_smp_processor_id+0x17/0x20
[   24.772558]  ? fpregs_assert_state_consistent+0x29/0x60
[   24.772573]  ? arch_exit_to_user_mode_prepare.isra.0+0x24/0xe0
[   24.772585]  ? irqentry_exit_to_user_mode+0x2d/0x120
[   24.772591]  ? irqentry_exit+0x3b/0x50
[   24.772595]  ? clear_bhb_loop+0x50/0xa0
[   24.772605]  ? clear_bhb_loop+0x50/0xa0
[   24.772612]  ? clear_bhb_loop+0x50/0xa0
[   24.772618]  ? clear_bhb_loop+0x50/0xa0
[   24.772625]  ? clear_bhb_loop+0x50/0xa0
[   24.772632]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   24.772641] RIP: 0033:0x7f2abed8aa2f
[   24.772648] Code: c0 78 16 48 89 e6 48 89 df e8 f2 05 00 00 b8 00 00 00 00 48 83 ec 80 5b c3 b8 ff ff ff ff eb f3 41 89 ca b8 4c 01 00 00 0f 05 <48> 89 c2 48 3d 00 f0 ff ff 77 03 89 d0 c3 f7 d8 48 8b 15 aa 33 0d
[   24.772653] RSP: 002b:00007ffcfd19ee08 EFLAGS: 00000202 ORIG_RAX: 000000000000014c
[   24.772661] RAX: ffffffffffffffda RBX: 00007ffcfd19f4f8 RCX: 00007f2abed8aa2f
[   24.772665] RDX: 0000000000000800 RSI: 00007ffcfd19feee RDI: 00000000ffffff9c
[   24.772668] RBP: 00007ffcfd19ef60 R08: 00007ffcfd19ee40 R09: 0000000000000000
[   24.772671] R10: 0000000000000002 R11: 0000000000000202 R12: 0000000000000000
[   24.772674] R13: 000055b31f123ed8 R14: 00007ffcfd19f510 R15: 000055b31f123ed8
[   24.772682]  </TASK>

How Has This Been Tested?

Reproduction script:

zpool create -f testpool /dev/sdc -O mountpoint=none
zfs create -o mountpoint=/mnt/test -o snapdir=visible testpool/testfs
zfs snapshot testpool/testfs@snap1
for i in {1..10}; do
    ls /mnt/test/.zfs/snapshot/snap1/ &
done

Results:

• Without fix: Panic occurs immediately on concurrent access to fresh snapshot
• With fix: No panic with parallel access to snapshots

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Quality assurance (non-breaking change which makes the code more robust against bugs)
• Breaking change (fix or feature that would cause existing functionality to change)
• Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the OpenZFS code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• I have run the ZFS Test Suite with this change applied.
• All commit messages are properly formatted and contain Signed-off-by.

[amotin]

It makes me wonder why parallel mounts may somehow succeed, considering identical sequential ones are failing. But if this is a state of things, then I have no objections.

It seems multiple successful parallel mount calls result in multiple mounts, which is not right. It needs deeper investigation and possibly different solution.

[behlendorf]

Looks good. Thanks for sorting this out. Let's just also add the simply reproducer to posted to the test suite. Even if it doesn't always reproduce the issue it should be quick to run and will provide some test coverage.

[ixhamza]

Looks good. Thanks for sorting this out. Let's just also add the simply reproducer to posted to the test suite. Even if it doesn't always reproduce the issue it should be quick to run and will provide some test coverage.

Thanks, @behlendorf. Will add a reproducer in a separate PR.