I have a candidate patch for kern/28448, which at this point only affects -6 (and -5, but it's presumably not getting fixed there) -- the issue is that lookups of ".." can deadlock.
The patch has passed an anita run, so it isn't overtly toxic, but that's not itself all that persuasive. I don't have a -6 test environment (or in fact anything with -6 other than transient VMs) so it would be helpful if someone could try this out in the field. It's not clear that anyone has ever seen this deadlock in the wild, so evidence that the patch doesn't make layers explode is probably sufficient. because extracting patches from gnats is so much fun, here's a copy. (for some reason the last N years it didn't occur to me that the solution could be this simple... sigh) Index: sys/miscfs/genfs/layer_vnops.c =================================================================== RCS file: /cvsroot/src/sys/miscfs/genfs/layer_vnops.c,v retrieving revision 1.50.8.1 diff -u -p -r1.50.8.1 layer_vnops.c --- sys/miscfs/genfs/layer_vnops.c 18 Nov 2012 18:36:58 -0000 1.50.8.1 +++ sys/miscfs/genfs/layer_vnops.c 14 Oct 2015 20:14:42 -0000 @@ -382,7 +382,21 @@ layer_lookup(void *v) vref(dvp); *ap->a_vpp = dvp; vrele(lvp); - } else if (lvp != NULL) { + } else if (lvp == NULL) { + /* nothing */ + } else if (cnp->cn_flags & ISDOTDOT) { + /* must unlock dvp temporarily to conform to lock ordering */ + struct mount *mp; + + /* mp can't disappear because we still hold a ref on dvp */ + mp = dvp->v_mount; + VOP_UNLOCK(dvp); + error = layer_node_create(mp, lvp, ap->a_vpp); + vn_lock(dvp, LK_EXCLUSIVE | LK_RETRY); + if (error) { + vrele(lvp); + } + } else { /* Note: dvp, ldvp and lvp are all locked. */ error = layer_node_create(dvp->v_mount, lvp, ap->a_vpp); if (error) { -- David A. Holland dholl...@netbsd.org