Message-Id: <200712101115.lBABFEIt085373@www.freebsd.org>
Date: Mon, 10 Dec 2007 11:15:14 GMT
From: Jaakko Heinonen <jh@saunalahti.fi>
To: freebsd-gnats-submit@FreeBSD.org
Subject: tmpfs panic on mount
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         118531
>Category:       kern
>Synopsis:       [tmpfs] tmpfs panic on mount
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    rodrigc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 10 11:20:02 UTC 2007
>Closed-Date:    Sun Jan 20 02:41:04 UTC 2008
>Last-Modified:  Sun Jan 20 02:41:04 UTC 2008
>Originator:     Jaakko Heinonen
>Release:        7.0-BETA4
>Organization:
>Environment:
FreeBSD x 7.0-BETA4 FreeBSD 7.0-BETA4 #0: Sun Dec  2 19:19:04 UTC 2007     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
Mounting panics if you use any mount option which expects a value (e.g. size, gid, uid) _without_ the value.

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x0
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc07dbd48
stack pointer           = 0x28:0xd0c2a7ec
frame pointer           = 0x28:0xd0c2a7ec
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 11782 (mount)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 8m50s
Physical memory: 371 MB
Dumping 79 MB: 64 48 32 16

#0  doadump () at pcpu.h:195
195     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:195
#1  0xc0751987 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc0751c49 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:563
#3  0xc0a1635c in trap_fatal (frame=0xd0c2a7ac, eva=0)
    at /usr/src/sys/i386/i386/trap.c:872
#4  0xc0a165e0 in trap_pfault (frame=0xd0c2a7ac, usermode=0, eva=0)
    at /usr/src/sys/i386/i386/trap.c:785
#5  0xc0a16f55 in trap (frame=0xd0c2a7ac) at /usr/src/sys/i386/i386/trap.c:463
#6  0xc09fcf7b in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc07dbd48 in strlen (str=0x0) at /usr/src/sys/libkern/strlen.c:41
#8  0xc077e430 in vsscanf (inp=0x0, fmt0=0xc350dbae "%qu", 
    ap=0xd0c2a9cc "h&#65533;&#65533;&#65533;) at /usr/src/sys/kern/subr_scanf.c:123
#9  0xc07c2770 in vfs_scanopt (opts=0xc2976710, name=0xc350dbb2 "size", 
    fmt=0xc350dbae "%qu") at /usr/src/sys/kern/vfs_mount.c:1944
#10 0xc350b9b7 in ?? ()
#11 0xc2976710 in ?? ()
#12 0xc350dbb2 in ?? ()
#13 0xc350dbae in ?? ()
#14 0xd0c2aa68 in ?? ()
#15 0x000000dc in ?? ()
#16 0xc0966a8e in uma_zfree_arg (zone=0xc350e360, item=0xc295d840, 
    udata=0xc29767d0) at /usr/src/sys/vm/uma_core.c:2302
#17 0xc07c59db in vfs_donmount (td=0xc295d840, fsflags=0, fsoptions=0xc33eab00)
    at /usr/src/sys/kern/vfs_mount.c:1004
#18 0xc07c6dc2 in nmount (td=0xc295d840, uap=0xd0c2acfc)
    at /usr/src/sys/kern/vfs_mount.c:417
#19 0xc0a16935 in syscall (frame=0xd0c2ad38)
    at /usr/src/sys/i386/i386/trap.c:1008
#20 0xc09fcfe0 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:196
#21 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)

>How-To-Repeat:
# mount -t tmpfs -o size tmpfs /mnt
>Fix:
The problem is that tmpfs calls vfs_scanopt() with an option value being NULL. The following patch adds a NULL check to vfs_scanopt().

Patch attached with submission follows:

--- sys/kern/vfs_mount.c.orig	2007-11-19 13:30:38.000000000 +0200
+++ sys/kern/vfs_mount.c	2007-11-19 13:33:28.000000000 +0200
@@ -1938,7 +1938,7 @@
 	TAILQ_FOREACH(opt, opts, link) {
 		if (strcmp(name, opt->name) != 0)
 			continue;
-		if (((char *)opt->value)[opt->len - 1] != '\0')
+		if (!opt->value || ((char *)opt->value)[opt->len - 1] != '\0')
 			return (0);
 		va_start(ap, fmt);
 		ret = vsscanf(opt->value, fmt, ap);
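Review bot: the index opt->len - 1 on the changed line is still unchecked. The added !opt->value test stops the NULL dereference, but an option with a non-NULL value and a len of 0 would read one byte before the buffer. Consider rejecting opt->len == 0 in the same condition and writing the pointer test as opt->value == NULL. The caller also only sees 0 conversions from return (0), with no error for the missing value, so a short comment above the check saying that this is intended would help.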


>Release-Note:
>Audit-Trail:

From: Jaakko Heinonen <jh@saunalahti.fi>
To: bug-followup@FreeBSD.org, jh@saunalahti.fi
Cc:  
Subject: Re: kern/118531: [tmpfs] tmpfs panic on mount
Date: Wed, 19 Dec 2007 15:46:43 +0200

 The bug is not tmpfs specific. The problem is reproducible with any
 filesystem using vfs_scanopt and the standard mount command
 (/sbin/mount).  For most filesystems which use vfs_scanopt the
 problem doesn't show up because they use custom mount commands which
 ensure the parameter validity.
 
 The bug should be fixed in the kernel because the (n)mount system call
 shouldn't make the kernel panic.
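
A userland model of the check discussed in this report, as an added example that is not FreeBSD kernel source and not the submitter's code. struct mnt_opt, scanopt_checked() and demo_size() are hypothetical names, "%llu" stands in for the kernel's "%qu", and the option list is constructed; the zero-length test goes beyond the submitted patch.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the kernel's mount option record. */
struct mnt_opt {
	const char *name;
	const void *value;	/* NULL when the option has no "=value" */
	size_t len;		/* bytes in value, counting the trailing NUL */
};
/* Conversions made, or 0 if the option is absent or its value is unusable. */
static int
scanopt_checked(const struct mnt_opt *opts, size_t nopts, const char *name,
    const char *fmt, ...)
{
	va_list ap;
	int ret;
	for (size_t i = 0; i < nopts; i++) {
		const struct mnt_opt *opt = &opts[i];
		if (strcmp(name, opt->name) != 0)
			continue;
		/* Validate before any dereference or len - 1 indexing. */
		if (opt->value == NULL || opt->len == 0)
			return (0);
		if (((const char *)opt->value)[opt->len - 1] != '\0')
			return (0);
		va_start(ap, fmt);
		ret = vsscanf(opt->value, fmt, ap);
		va_end(ap);
		return (ret < 0 ? 0 : ret);	/* EOF on empty input -> 0 */
	}
	return (0);
}

/* Constructed option list: a flag option plus "size" as supplied. */
static int
demo_size(const void *value, size_t len, unsigned long long *out)
{
	struct mnt_opt opts[] = { { "ro", NULL, 0 }, { "size", value, len } };
	return (scanopt_checked(opts, 2, "size", "%llu", out));
}
int
main(void)
{
	unsigned long long sz = 0;
	int n = demo_size("64", 3, &sz);
	printf("size: %d conversion(s), %llu\n", n, sz);
	return (demo_size(NULL, 0, &sz));	/* "-o size" alone: 0 */
}
```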
 
Responsible-Changed-From-To: freebsd-bugs->rodrigc 
Responsible-Changed-By: kris 
Responsible-Changed-When: Tue Dec 25 13:29:16 UTC 2007 
Responsible-Changed-Why:  
Seems like a nmount problem 

http://www.freebsd.org/cgi/query-pr.cgi?pr=118531 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/118531: commit references a PR
Date: Mon, 31 Dec 2007 23:44:59 +0000 (UTC)

 rodrigc     2007-12-31 23:44:53 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/kern             vfs_mount.c 
   Log:
   In vfs_scanopt(), make sure that the mount option value is not NULL
   before calling vsscanf().
   
   PR:             118531
   Submitted by:   Jaakko Heinonen <jh saunalahti fi>
   MFC after:      3 days
   
   Revision  Changes    Path
   1.270     +2 -0      src/sys/kern/vfs_mount.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/118531: commit references a PR
Date: Thu, 17 Jan 2008 04:25:00 +0000 (UTC)

 rodrigc     2008-01-17 04:24:53 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_7)
     sys/kern             vfs_mount.c 
   Log:
   MFC: 1.270
    - In vfs_scanopt(), make sure that the mount option value is not NULL
      before calling vsscanf().
   
   PR:             118531
   
   MFC: 1.268
     - Internally convert "rdonly" mount option to "ro".
   
   Approved by:    re (kensmith)
   
   Revision   Changes    Path
   1.265.2.2  +8 -3      src/sys/kern/vfs_mount.c
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/118531: commit references a PR
Date: Sun, 20 Jan 2008 02:38:47 +0000 (UTC)

 rodrigc     2008-01-20 02:38:42 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_7_0)
     sys/kern             vfs_mount.c 
   Log:
   MFC: 1.270
    - In vfs_scanopt(), make sure that the mount option value is not NULL
      before calling vsscanf().
   
   PR:             118531
   
   MFC: 1.268
     - Internally convert "rdonly" mount option to "ro".
   
   Approved by:    re (kensmith)
   
   Revision       Changes    Path
   1.265.2.1.2.1  +8 -3      src/sys/kern/vfs_mount.c
 
State-Changed-From-To: open->closed 
State-Changed-By: rodrigc 
State-Changed-When: Sun Jan 20 02:40:48 UTC 2008 
State-Changed-Why:  
Patch applied. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=118531 
>Unformatted:
