From pantzer@skalman.campus.luth.se  Sat Jan 27 08:03:20 2001
Return-Path: <pantzer@skalman.campus.luth.se>
Received: from skalman.campus.luth.se (skalman.campus.luth.se [130.240.197.52])
	by hub.freebsd.org (Postfix) with ESMTP id BC11637B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 27 Jan 2001 08:03:19 -0800 (PST)
Received: (from pantzer@localhost)
	by skalman.campus.luth.se (8.11.1/8.11.0) id f0RG3I905012;
	Sat, 27 Jan 2001 17:03:18 +0100 (CET)
	(envelope-from pantzer)
Message-Id: <200101271603.f0RG3I905012@skalman.campus.luth.se>
Date: Sat, 27 Jan 2001 17:03:18 +0100 (CET)
From: pantzer@ludd.luth.se
Reply-To: pantzer@ludd.luth.se
To: FreeBSD-gnats-submit@freebsd.org
Subject: panic on cd .. on the root of a filesystem that is unmounted.
X-Send-Pr-Version: 3.2

>Number:         24680
>Category:       kern
>Synopsis:       panic on cd .. on the root of a filesystem that is unmounted.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    alfred
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 27 08:10:00 PST 2001
>Closed-Date:    Fri Feb 9 11:26:03 PST 2001
>Last-Modified:  Fri Feb 09 11:30:17 PST 2001
>Originator:     Mattias Pantzare
>Release:        FreeBSD 4.2-STABLE i386
>Organization:
>Environment:

	

>Description:

The kernel will panic if a user does cd .. in a shell that was on the
mountpoint of a filesystem that has been unmounted with the force flag.

#0  dumpsys () at ../../kern/kern_shutdown.c:469
#1  0xc013336f in boot (howto=260) at ../../kern/kern_shutdown.c:309
#2  0xc0133705 in panic (fmt=0xc023fcf4 "from debugger")
    at ../../kern/kern_shutdown.c:556
#3  0xc011e339 in db_panic (addr=-1072311442, have_addr=0, count=-1, 
    modif=0xc5d10c7c "") at ../../ddb/db_command.c:433
#4  0xc011e2d9 in db_command (last_cmdp=0xc026ab78, cmd_table=0xc026a9d8, 
    aux_cmd_tablep=0xc0284208) at ../../ddb/db_command.c:333
#5  0xc011e39e in db_command_loop () at ../../ddb/db_command.c:455
#6  0xc01204ab in db_trap (type=12, code=0) at ../../ddb/db_trap.c:71
#7  0xc021ca8a in kdb_trap (type=12, code=0, regs=0xc5d10dd0)
    at ../../i386/i386/db_interface.c:158
#8  0xc022bcc8 in trap_fatal (frame=0xc5d10dd0, eva=16)
    at ../../i386/i386/trap.c:946
#9  0xc022b9a1 in trap_pfault (frame=0xc5d10dd0, usermode=0, eva=16)
    at ../../i386/i386/trap.c:844
#10 0xc022b517 in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, 
      tf_edi = -976154868, tf_esi = -980796414, tf_ebp = -976155060, 
      tf_isp = -976155140, tf_ebx = -975865280, tf_edx = -976154908, 
      tf_ecx = 38, tf_eax = 0, tf_trapno = 12, tf_err = 0, 
      tf_eip = -1072311442, tf_cs = 8, tf_eflags = 582, tf_esp = -975865280, 
      tf_ss = -1064217856}) at ../../i386/i386/trap.c:443
#11 0xc015d36e in lookup (ndp=0xc5d10ee4) at ../../kern/vfs_lookup.c:408
#12 0xc015cef4 in namei (ndp=0xc5d10ee4) at ../../kern/vfs_lookup.c:153
#13 0xc0161705 in change_dir (ndp=0xc5d10ee4, p=0xc58935e0)
    at ../../kern/vfs_syscalls.c:935
#14 0xc01615b8 in chdir (p=0xc58935e0, uap=0xc5d10f80)
    at ../../kern/vfs_syscalls.c:836
#15 0xc022bfa1 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, 
      tf_edi = 135464784, tf_esi = 0, tf_ebp = -1077954296, 
      tf_isp = -976154668, tf_ebx = 135725184, tf_edx = 135472514, 
      tf_ecx = 135472640, tf_eax = 12, tf_trapno = 22, tf_err = 2, 
      tf_eip = 134802156, tf_cs = 31, tf_eflags = 582, tf_esp = -1077957444, 
      tf_ss = 47}) at ../../i386/i386/trap.c:1150
#16 0xc021d3d5 in Xint0x80_syscall ()
#17 0x804bb09 in ?? ()
#18 0x80532e4 in ?? ()
#19 0x806061a in ?? ()
#20 0x8060855 in ?? ()
#21 0x804a7db in ?? ()
#22 0x8049a07 in ?? ()
#23 0x8048135 in ?? ()


>How-To-Repeat:

mount /dev/ad1a /mnt
cd /mnt
umount -f /mnt
cd ..

PANIC

>Fix:

This might not be the "right" fix, but it stops the panic.

*** vfs_lookup.c        Sat Jan 27 17:37:24 2001
--- vfs_lookup.c.new    Sat Jan 27 17:37:06 2001
***************
*** 404,409 ****
--- 404,411 ----
                        if ((dp->v_flag & VROOT) == 0 ||
                            (cnp->cn_flags & NOCROSSMOUNT))
                                break;
+                       if (dp->v_mount == 0)
+                               break;
                        tdp = dp;
                        dp = dp->v_mount->mnt_vnodecovered;
                        vput(tdp);
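
Review bot: the added `if (dp->v_mount == 0) break;` only leaves the `..` loop, so dp still points at the root vnode of the forcibly unmounted filesystem and whatever follows the loop runs against a vnode that no longer has a mount. Consider failing the lookup with an error at this point instead of breaking out, so the caller of chdir sees a clean failure rather than a lookup on a dead vnode. Two smaller points on the same lines: compare the pointer against NULL rather than 0 (`if (dp->v_mount == NULL)`), and add a one-line comment that v_mount can be NULL after `umount -f`, since the surrounding VROOT/NOCROSSMOUNT test gives no hint why the extra check precedes `dp->v_mount->mnt_vnodecovered`.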



>Release-Note:
>Audit-Trail:

From: Thomas Moestl <tmoestl@gmx.net>
To: freebsd-gnats-submit@FreeBSD.org, pantzer@ludd.luth.se
Cc:  
Subject: Re: kern/24680: panic on cd .. on the root of a filesystem that is unmounted.
Date: Sat, 27 Jan 2001 18:12:40 +0100

 Hi,
 
 this bug should be fixed in -CURRENT (vfs_lookup.c v. 1.41), but the fix 
 has not yet been MFC'ed.
 
 	- thomas
 
State-Changed-From-To: open->closed 
State-Changed-By: johan 
State-Changed-When: Fri Feb 9 11:26:03 PST 2001 
State-Changed-Why:  
Sort of duplicate of 19572 which got a fix in 
23191, which is handled by Alfred. 

This gets to serve as an MFC reminder. 

Alfred, can you please MFC rev 1.41 of src/sys/kern/vfs_lookup.c 
if this works in -current. 


Responsible-Changed-From-To: freebsd-bugs->alfred 
Responsible-Changed-By: johan 
Responsible-Changed-When: Fri Feb 9 11:26:03 PST 2001 
Responsible-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=24680 
>Unformatted:
