I'm not David, but:

I would also suggest tcpdumping the NFS traffic to a file, on some other machine (perhaps the OS X box), and then when the panic happens look at the last few transactions to see if you spot anything odd.

There's a cache of name translations (used for namei), maintained by code in sys/kern/vfs_cache.c. As far as I can tell from what you posted and reading the code for not quite long enough to be sure, the problem is that the plan for NFS is for clients to short-circuit the "." entry, and that therefore there's a KASSERT that the looked-up answer (*vpp) isn't the same vnode as the directory (dvp).

In your case, cnp is "..". At the root of a regular fs ".." is ".", so I suspect that may have something to do with it. For a mounted filesystem, ".." on the root is supposed to go back to the directory holding the mount point, but I don't know how that surgery is done. And, the current operation is mkdir.

Also, I wonder if the problem is that the cache is stale, and that the invariant only holds on non-stale entries.

I would modify nfs_cache_enter to have a KASSERT(dvp != vp) and see what happens.