[DragonFlyBSD - Bug #3406] (Resolved) HAMMER2 base_insert panic on duplicate-named PFS at newfs time

Wed May 6 22:13:05 PDT 2026

Issue #3406 has been updated by dillon.

Category set to Userland
Status changed from New to Resolved
Assignee set to dillon

Committed with a slight modification to the "int i" declaration.

----------------------------------------
Bug #3406: HAMMER2 base_insert panic on duplicate-named PFS at newfs time
http://bugs.dragonflybsd.org/issues/3406#change-14659

* Author: afranke
* Status: Resolved
* Priority: Normal
* Assignee: dillon
* Category: Userland
* Target version: 6.6
* Start date: 2026-05-06
----------------------------------------
(authored together with Claude)

h2. Summary

@newfs_hammer2@ does not reject duplicate @-L@ labels. Because
@sbin/newfs_hammer2/mkfs_hammer2.c:97@ unconditionally adds
@"LOCAL"@ as the leading label, both @-L LOCAL ...@ and
@-L FOO -L FOO@ (two user-supplied identical names) silently
create two PFSs in the same volume sharing a name. The first
heavy write workload then panics in @hammer2_base_insert@ from
the flush thread.

Two panic variants observed, both from the same call path:

<pre>
panic: base_insert 1 1,0,1 fail 0xffffff80059a57600:2
  -- and --
panic: insert base 0xffffff800559a5200 overlapping elements at 2 elm 0xffffff801246e1218
Trace: hammer2_base_insert -> hammer2_flush_core -> hammer2_flush
       -> hammer2_xop_inode_flush -> hammer2_primary_xops_thread
</pre>

The two strings come from different validation branches inside
@hammer2_base_insert@ (@hammer2_chain.c:5310@ for the
overlap-detection panic, @hammer2_chain.c:5364@ for the
post-insert validate panic). Both reproduce 100% on the first
iteration when a duplicate name is created.

h2. Reproducer

Tested on DragonFly master @ @4f37521524@ with the virtio-modern
PCI series applied. Call chain is HAMMER2-only; likely
reproducible on stock master.

<pre>
truncate -s 5G /var/h2.img
vnconfig vn0 /var/h2.img
newfs_hammer2 -L LOCAL -L ROOT /dev/vn0   # or: -L FOO -L FOO
mount_hammer2 /dev/vn0 at LOCAL /mnt         # or @FOO for the FOO/FOO case
cpdup -i0 -I / /mnt/
</pre>

h2. Fix

@sbin/newfs_hammer2/mkfs_hammer2.c:97@ unconditionally adds
@"LOCAL"@ as the leading label:

<pre><code class="c">
opt->Label[opt->NLabels++] = strdup("LOCAL");
</code></pre>

Combined with no duplicate check on user-supplied @-L@ flags,
this lets the user (intentionally or by mistake) create
same-named PFSs. @pfs-list@ collapses the display, hiding the
duplication.

Patch attached: @0001-newfs_hammer2-reject-duplicate-labels.patch@
— rejects any @-L@ value that matches an already-accepted label
(including the auto-added @"LOCAL"@).

The duplicate-PFS workload also exposes the latent re-flush race
documented by the XXX comment at @hammer2_chain.c:5238 at . The
proximate fix above makes that unreachable from normal newfs
invocations.

h2. Side observation

When the panic path attempts @boot()@ after the
@hammer2_base_insert@ panic, it hangs in a
@send_ipiq 0->1 tgt not draining@ loop (CPU 1 won't drain IPIs
to permit the reboot). That is a separate issue in the
panic-shutdown path; mentioned here only because it appears in
the captured screenshot.

---Files--------------------------------
panic-base_insert-validate-2026-05-04.png (59.7 KB)
0001-newfs_hammer2-reject-duplicate-labels.patch (1.36 KB)
panic-base_insert-overlap-2026-05-06.png (59.1 KB)

-- 
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://bugs.dragonflybsd.org/my/account