SMP refcount_release panic

[Jake Thalacker]

Sorry, this is overdue on being reported.

I've encountered a panic with VIMAGE from a patched build of current  
from around mid September.  I tracked the problem to the second call  
to refcount_release in kern_vimage.c:vi_td_ioctl().  Just for clarity  
I determined this by making 3 refcount_release functions to replace  
the calls including the one in kern_prot.c:crfree().  I noted that  
throughout the kernel code prior to all kern_prot.c:crcopy() calls  
there is a PROC_LOCK and proceeded by a PROC_UNLOCK afterward.  I  
found that there was one occurrence where this was missing in netncp/ 
ncp_comm.c:ncp_conn_alloc().  I added it and that did not resolve the  
panic but figured it's still probably needed.  It's probably poor  
form but I ended up commenting out the second call and have had no  
panics since, had to move on at that point.

The panic is very reproducible with the following script on an SMP  
system.  I have not observed any panics on non-SMP systems.

_vimage="rc-panic-$$"
vimage -c ${_vimage}

_cnt=0
_fw=1
_loopcount=64
while [ ${_cnt} -lt ${_loopcount} ]; do
     vimage ${_vimage} sysctl net.inet.ip.forwarding=${_fw}

     if [ ${_fw} -eq 1 ]; then
         _fw=0
     else
         _fw=1
     fi
     _cnt=$(expr ${_cnt} '+' 1)
done


If there's any further information I can provide just let me know, or  
any testing of new code I'd gladly help out.

Thanks for all your efforts!
Jake