reported at https://lists.freebsd.org/archives/freebsd-current/2022-February/001564.html
watch'ing a tty triggers a refcount wraparound panic:
% watch ttyu0 panic: refcount 0xfffff80003bb97d4 wraparound cpuid = 1 time = 1645472248 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00827d0c80 vpanic() at vpanic+0x17f/frame 0xfffffe00827d0cd0 panic() at panic+0x43/frame 0xfffffe00827d0d30 fdclose() at fdclose/frame 0xfffffe00827d0dc0 closefp_impl() at closefp_impl+0x77/frame 0xfffffe00827d0e00 amd64_syscall() at amd64_syscall+0x12e/frame 0xfffffe00827d0f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00827d0f30 --- syscall (6, FreeBSD ELF64, sys_close), rip = 0x8011e8f7a, rsp = 0x7fffffffe0b8, rbp = 0x7fffffffe4f0 --- KDB: enter: panic [ thread pid 709 tid 100091 ] Stopped at kdb_enter+0x37: movq $0,0x1281ffe(%rip) db>
Take a reference on the file after fget_cap_locked() to fix.
Reported by: Michael Jung <mikej_at_paymentallianceintl.com>
Fixes: f40dd6c8034b ("tty: switch ttyhook_register to use fget_cap_locked")