Fix snapshot automount race causing AVL tree panic

Multiple threads racing to automount the same snapshot can both pass
the initial mount check and attempt to add identical AVL tree entries,
triggering a VERIFY() panic in avl_add().

The fix adds a recheck after acquiring the write lock to detect if
another thread already added the entry during the mount operation.
If found, the duplicate is freed instead of causing a panic.

Reproducible with parallel access to a fresh snapshot:
  ls /mnt/test/.zfs/snapshot/snap1/ &
  ls /mnt/test/.zfs/snapshot/snap1/ &

Signed-off-by: Ameer Hamza <ahamza@ixsystems.com>

Author: ixhamza

module/os/linux/zfs/zfs_ctldir.c

@@ -1291,11 +1291,25 @@ zfsctl_snapshot_mount(struct path *path, int flags)
 		spath.mnt->mnt_flags |= MNT_SHRINKABLE;
 
 		rw_enter(&zfs_snapshot_lock, RW_WRITER);
-		se = zfsctl_snapshot_alloc(full_name, full_path,
-		    snap_zfsvfs->z_os->os_spa, dmu_objset_id(snap_zfsvfs->z_os),
-		    dentry);
-		zfsctl_snapshot_add(se);
-		zfsctl_snapshot_unmount_delay_impl(se, zfs_expire_snapshot);
+		/*
+		 * Recheck if another thread added the entry while we were
+		 * mounting. This handles the race where multiple threads
+		 * simultaneously mount the same fresh snapshot.
+		 */
+		se = zfsctl_snapshot_find_by_name(full_name);
+		if (se != NULL) {
+			/* Already mounted by another thread - not an error */
+			zfsctl_snapshot_rele(se);
+			se = NULL;
+		} else {
+			/* We're first - allocate and add to AVL trees */
+			se = zfsctl_snapshot_alloc(full_name, full_path,
+			    snap_zfsvfs->z_os->os_spa,
+			    dmu_objset_id(snap_zfsvfs->z_os), dentry);
+			zfsctl_snapshot_add(se);
+			zfsctl_snapshot_unmount_delay_impl(se,
+			    zfs_expire_snapshot);
+		}
 		rw_exit(&zfs_snapshot_lock);
 	}
 	path_put(&spath);