Fix snapshot automount race causing AVL tree panic

[ixhamza]

Motivation and Context

This fixes a race condition that causes kernel panics when multiple processes simultaneously access a fresh snapshot. The bug triggers a VERIFY() assertion failure in the AVL tree code when concurrent threads attempt to add identical entries during snapshot automount.

Description

The race condition occurs in zfsctl_snapshot_mount() due to a time-of-check-time-of-use (TOCTOU) bug between checking if a snapshot is mounted and adding it to the AVL tree. The sequence is:

1. Thread A checks if snapshot is mounted via zfsctl_snapshot_ismounted() - returns FALSE
2. Thread B checks if snapshot is mounted - also returns FALSE (no AVL entry exists yet)
3. Both threads release the reader lock and proceed to mount
4. Both threads call userspace mount helper (call_usermodehelper())
5. Thread A acquires write lock and adds entry to AVL tree - succeeds
6. Thread B acquires write lock and attempts to add duplicate entry
7. AVL tree's VERIFY() assertion fails

The fix adds a pending entry mechanism with per-entry mutex synchronization. The first mount thread creates a pending AVL entry and holds se_mtx during helper execution. Concurrent mounts find the pending entry and return success without spawning duplicate helpers, preventing the AVL panic.

Kernel Stack Trace:

[   24.765626] VERIFY(avl_find(tree, new_node, &where) == NULL) failed
[   24.768232] PANIC at avl.c:625:avl_add()
[   24.769719] Showing stack for process 858
[   24.771962] CPU: 13 UID: 0 PID: 858 Comm: ls Not tainted 6.12.43-production+ #656
[   24.771974] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.771978] Call Trace:
[   24.771982]  <TASK>
[   24.771987]  dump_stack_lvl+0x6c/0x90
[   24.772002]  dump_stack+0x10/0x20
[   24.772010]  spl_dumpstack+0x28/0x30
[   24.772019]  spl_panic+0xd3/0xf0
[   24.772027]  ? schedule+0x34/0x100
[   24.772037]  ? __kmalloc_node_noprof+0x13d/0x3f0
[   24.772045]  ? __kvmalloc_node_noprof+0x24/0xe0
[   24.772054]  ? __kvmalloc_node_noprof+0x24/0xe0
[   24.772061]  ? __kvmalloc_node_noprof+0x24/0xe0
[   24.772068]  ? __kmalloc_noprof+0x157/0x3c0
[   24.772074]  ? snapentry_compare_by_name+0x14/0x30
[   24.772082]  spl_assert.constprop.0+0x1a/0x30
[   24.772091]  avl_add+0x7e/0x90
[   24.772099]  zfsctl_snapshot_add+0x34/0x70
[   24.772105]  zfsctl_snapshot_mount+0x51d/0x700
[   24.772117]  zpl_snapdir_automount+0x10/0x40
[   24.772124]  __traverse_mounts+0x8f/0x210
[   24.772134]  step_into+0x33a/0x760
[   24.772140]  walk_component+0x51/0x180
[   24.772145]  path_lookupat+0x6a/0x1a0
[   24.772150]  filename_lookup+0xc8/0x1c0
[   24.772161]  vfs_statx+0x7b/0xe0
[   24.772171]  do_statx+0x45/0x80
[   24.772180]  ? __check_object_size+0x25b/0x2c0
[   24.772191]  ? strncpy_from_user+0x25/0x100
[   24.772199]  ? getname_flags.part.0+0x4b/0x1d0
[   24.772207]  ? getname_flags+0x37/0x60
[   24.772212]  __x64_sys_statx+0x9b/0xe0
[   24.772225]  x64_sys_call+0x16b5/0x2060
[   24.772235]  do_syscall_64+0x69/0x110
[   24.772247]  ? debug_smp_processor_id+0x17/0x20
[   24.772259]  ? __alloc_pages_noprof+0x164/0x310
[   24.772270]  ? debug_smp_processor_id+0x17/0x20
[   24.772277]  ? __mod_memcg_lruvec_state+0xf9/0x1b0
[   24.772288]  ? debug_smp_processor_id+0x17/0x20
[   24.772294]  ? __folio_batch_add_and_move+0xf3/0x110
[   24.772304]  ? set_ptes.isra.0+0x3b/0x80
[   24.772311]  ? _raw_spin_unlock+0x19/0x40
[   24.772322]  ? do_anonymous_page+0x111/0x800
[   24.772331]  ? __pte_offset_map+0x1c/0x180
[   24.772342]  ? __handle_mm_fault+0xbc1/0x1040
[   24.772356]  ? debug_smp_processor_id+0x17/0x20
[   24.772363]  ? __count_memcg_events+0x76/0x110
[   24.772374]  ? count_memcg_events.constprop.0+0x1e/0x40
[   24.772386]  ? debug_smp_processor_id+0x17/0x20
[   24.772558]  ? fpregs_assert_state_consistent+0x29/0x60
[   24.772573]  ? arch_exit_to_user_mode_prepare.isra.0+0x24/0xe0
[   24.772585]  ? irqentry_exit_to_user_mode+0x2d/0x120
[   24.772591]  ? irqentry_exit+0x3b/0x50
[   24.772595]  ? clear_bhb_loop+0x50/0xa0
[   24.772605]  ? clear_bhb_loop+0x50/0xa0
[   24.772612]  ? clear_bhb_loop+0x50/0xa0
[   24.772618]  ? clear_bhb_loop+0x50/0xa0
[   24.772625]  ? clear_bhb_loop+0x50/0xa0
[   24.772632]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   24.772641] RIP: 0033:0x7f2abed8aa2f
[   24.772648] Code: c0 78 16 48 89 e6 48 89 df e8 f2 05 00 00 b8 00 00 00 00 48 83 ec 80 5b c3 b8 ff ff ff ff eb f3 41 89 ca b8 4c 01 00 00 0f 05 <48> 89 c2 48 3d 00 f0 ff ff 77 03 89 d0 c3 f7 d8 48 8b 15 aa 33 0d
[   24.772653] RSP: 002b:00007ffcfd19ee08 EFLAGS: 00000202 ORIG_RAX: 000000000000014c
[   24.772661] RAX: ffffffffffffffda RBX: 00007ffcfd19f4f8 RCX: 00007f2abed8aa2f
[   24.772665] RDX: 0000000000000800 RSI: 00007ffcfd19feee RDI: 00000000ffffff9c
[   24.772668] RBP: 00007ffcfd19ef60 R08: 00007ffcfd19ee40 R09: 0000000000000000
[   24.772671] R10: 0000000000000002 R11: 0000000000000202 R12: 0000000000000000
[   24.772674] R13: 000055b31f123ed8 R14: 00007ffcfd19f510 R15: 000055b31f123ed8
[   24.772682]  </TASK>

How Has This Been Tested?

Reproduction script:

zpool create -f testpool /dev/sdc -O mountpoint=none
zfs create -o mountpoint=/mnt/test -o snapdir=visible testpool/testfs
zfs snapshot testpool/testfs@snap1
for i in {1..10}; do
    ls /mnt/test/.zfs/snapshot/snap1/ &
done

Results:

• Without fix: Panic occurs immediately on concurrent access to fresh snapshot
• With fix: No panic with parallel access to snapshots

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Quality assurance (non-breaking change which makes the code more robust against bugs)
• Breaking change (fix or feature that would cause existing functionality to change)
• Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the OpenZFS code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• I have run the ZFS Test Suite with this change applied.
• All commit messages are properly formatted and contain Signed-off-by.

[amotin]

It makes me wonder why parallel mounts may somehow succeed, considering identical sequential ones are failing. But if this is a state of things, then I have no objections.

It seems multiple successful parallel mount calls result in multiple mounts, which is not right. It needs deeper investigation and possibly different solution.

[allanjude]

How does this handle the case of the pending mount failing

[ixhamza]

Auto-mounting of snapshots happens transparently on first access (e.g., ls), so I believe it makes sense for parallel processes racing for first access to get the same result as the first mount attempt. Updated the PR to store the mount error in se_mount_error and return it to all waiting processes for consistency.