From dave@dogwood.com  Thu Jan 16 18:39:39 1997
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3])
          by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id SAA04657
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 16 Jan 1997 18:39:38 -0800 (PST)
Received: from white.dogwood.com (white.dogwood.com [140.174.96.1])
          by who.cdrom.com (8.7.5/8.6.11) with ESMTP id SAA01901
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 16 Jan 1997 18:36:06 -0800 (PST)
Received: (from dave@localhost)
          by white.dogwood.com (8.8.4/8.8.4)
	  id SAA23094; Thu, 16 Jan 1997 18:36:03 -0800 (PST)
Message-Id: <199701170236.SAA23094@white.dogwood.com>
Date: Thu, 16 Jan 1997 18:36:03 -0800 (PST)
From: Dave Cornejo <dave@dogwood.com>
Reply-To: dave@dogwood.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: pppd causes panic
X-Send-Pr-Version: 3.2

>Number:         2513
>Category:       kern
>Synopsis:       a PPP connection causes a page fault panic
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 16 18:40:01 PST 1997
>Closed-Date:    Sat Jan 18 12:10:52 PST 1997
>Last-Modified:  Sat Jan 18 12:11:29 PST 1997
>Originator:     Dave Cornejo
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
Dogwood Media
>Environment:

FreeBSD 3.0-CURRENT cvsupped Jan 16 07:11 PST

>Description:

When a PPP connection is established we get a panic due to a page fault.

The dump stack trace:

#0  boot (howto=256) at ../../kern/kern_shutdown.c:243
#1  0xf0111482 in panic (fmt=0xf01b72ff "page fault")
    at ../../kern/kern_shutdown.c:367
#2  0xf01b7e66 in trap_fatal (frame=0xefbffcd8) at ../../i386/i386/trap.c:742
#3  0xf01b7954 in trap_pfault (frame=0xefbffcd8, usermode=0)
    at ../../i386/i386/trap.c:653
#4  0xf01b762f in trap (frame={tf_es = 16, tf_ds = -229244912, tf_edi = 0, 
      tf_esi = 0, tf_ebp = -272630480, tf_isp = -272630528, 
      tf_ebx = -266443772, tf_edx = 0, tf_ecx = -2145359567, 
      tf_eax = -1073544038, tf_trapno = 12, tf_err = 0, tf_eip = -267108901, 
      tf_cs = 8, tf_eflags = 66118, tf_esp = -228623456, tf_ss = -1073610752})
    at ../../i386/i386/trap.c:311
#5  0xf0143ddb in pppsioctl (ifp=0xf01e6404, cmd=-2145359567, data=0x0)
    at ../../net/if_ppp.c:547
#6  0xf01425b1 in if_addmulti (ifp=0xf01e6404, sa=0xefbffd80, 
    retifma=0xefbffd7c) at ../../net/if.c:888
#7  0xf014e058 in in_addmulti (ap=0xefbffdb4, ifp=0xf01e6404)
    at ../../netinet/in.c:535
#8  0xf014dfa4 in in_ifinit (ifp=0xf01e6404, ia=0xf25fe000, sin=0xefbffee4, 
    scrub=0) at ../../netinet/in.c:465
#9  0xf014dc64 in in_control (so=0xf2600500, cmd=2151704858, 
    data=0xefbffed4 "ppp0", ifp=0xf01e6404) at ../../netinet/in.c:336
#10 0xf01584d2 in udp_usrreq (so=0xf2600500, req=11, m=0x8040691a, 
    addr=0xefbffed4, control=0xf01e6404) at ../../netinet/udp_usrreq.c:479
#11 0xf012784a in old_control (so=0xf2600500, cmd=-2143262438, 
    data=0xefbffed4 "ppp0", ifp=0xf01e6404) at ../../kern/uipc_socket2.c:881
#12 0xf0142057 in ifioctl (so=0xf2600500, cmd=-2143262438, 
    data=0xefbffed4 "ppp0", p=0xf25eb800) at ../../net/if.c:642
#13 0xf011ad0a in soo_ioctl (fp=0xf2602bc0, cmd=-2143262438, 
    data=0xefbffed4 "ppp0", p=0xf25eb800) at ../../kern/sys_socket.c:138
#14 0xf0118a73 in ioctl (p=0xf25eb800, uap=0xefbfff94, retval=0xefbfff84)
    at ../../kern/sys_generic.c:497
#15 0xf01b80ff in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = -251658241, 
      tf_esi = 302098624, tf_ebp = -272639028, tf_isp = -272629788, 
      tf_ebx = 285321408, tf_edx = 0, tf_ecx = 0, tf_eax = 54, tf_trapno = 7, 
      tf_err = 7, tf_eip = 134762129, tf_cs = 31, tf_eflags = 658, 
      tf_esp = -272639120, tf_ss = 39}) at ../../i386/i386/trap.c:892
#16 0x8084e91 in ?? ()
#17 0x698c in ?? ()
#18 0x35c0 in ?? ()
#19 0x3322 in ?? ()
#20 0x5971 in ?? ()
#21 0x22c4 in ?? ()
#22 0x2109 in ?? ()
#23 0x1095 in ?? ()

The fault occurs at line 547 of if_ppp.c: ifr == NULL at this point.
ifr is set at line 483 by casting data to (struct ifreq *).  This is
called at line 888 of if.c in if_addmulti(), which is pretty blatantly
wrong:

        ifp->if_ioctl(ifp, SIOCADDMULTI, 0);
                                        ^^^

>How-To-Repeat:

run pppd

>Fix:
	


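As an added illustration (not the reporter's text, not FreeBSD's if_ppp.c, and not the actual rev. 1.38 change), here is a constructed C model of the call chain the report describes: if_addmulti() passes 0 as data, the handler casts it to struct ifreq * and dereferences it, and a second handler shows the NULL check that turns the fault into an error return. The struct layouts, the EAFNOSUPPORT error code and the demo_* helpers are assumptions made for the model.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed model of the report's call chain: not FreeBSD's source and not
 * the rev. 1.38 change. 0x80206931 is the unsigned form of the cmd value in
 * frame #5 of the trace. */
#define AF_INET      2
#define SIOCADDMULTI 0x80206931UL

struct sockaddr { unsigned char sa_len, sa_family; char sa_data[14]; };
struct ifreq    { char ifr_name[16]; struct sockaddr ifr_addr; };
struct ifnet    { const char *if_xname; int nmulti; };

/* Handler shaped as the report describes: data is cast to struct ifreq * and
 * dereferenced. With data == NULL this is the page fault; kept for contrast
 * and never called with NULL here. */
int pppsioctl_unchecked(struct ifnet *ifp, unsigned long cmd, void *data) {
    struct ifreq *ifr = (struct ifreq *)data;
    if (cmd != SIOCADDMULTI) return EINVAL;
    if (ifr->ifr_addr.sa_family != AF_INET) return EAFNOSUPPORT; /* NULL deref */
    ifp->nmulti++;
    return 0;
}

/* Defensive form: reject a request that carries no address before using it. */
int pppsioctl_checked(struct ifnet *ifp, unsigned long cmd, void *data) {
    struct ifreq *ifr = (struct ifreq *)data;
    if (cmd != SIOCADDMULTI) return EINVAL;
    if (ifr == NULL) return EAFNOSUPPORT;
    if (ifr->ifr_addr.sa_family != AF_INET) return EAFNOSUPPORT;
    ifp->nmulti++;
    return 0;
}

/* The bad call from if.c line 888, ifp->if_ioctl(ifp, SIOCADDMULTI, 0), made
 * against the checked handler: an error code instead of a fault. */
int demo_null_data(void) {
    struct ifnet ifp = { "ppp0", 0 };
    return pppsioctl_checked(&ifp, SIOCADDMULTI, NULL);
}

/* A well-formed call: returns the membership count after a successful add. */
int demo_valid_data(void) {
    struct ifnet ifp = { "ppp0", 0 };
    struct ifreq req = { .ifr_addr.sa_family = AF_INET }; /* constructed */
    if (pppsioctl_checked(&ifp, SIOCADDMULTI, &req) != 0) return -1;
    return ifp.nmulti;
}
```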
>Release-Note:
>Audit-Trail:

From: Dave Cornejo <dave@dogwood.com>
To: bug-followup@freebsd.org
Cc:
Subject: kern/2513
Date: Fri, 17 Jan 1997 10:26:39 -0800 (PST)

 The bad call was introduced in if.c revision 1.39:
 
 ----------------------------
 revision 1.39
 date: 1997/01/07 19:15:28;  author: wollman;  state: Exp;  lines: +179 -1
 Checkpoint the beginnings of the new kernel interface for
 multicast group memberships.  This is not actually operative
 at the moment (a lot of other code still needs to be changed), but
 this seemed like a useful reference point to check in so that
 others (i.e. Bill Fenner) have fair warning of where we are going.
 ----------------------------
 
 -- 
 Dave Cornejo - Dogwood Media, Fremont, California

State-Changed-From-To: open->feedback
State-Changed-By: wollman
State-Changed-When: Fri Jan 17 11:38:40 PST 1997
State-Changed-Why:
Should be fixed by rev. 1.38 of if_ppp.c.

State-Changed-From-To: feedback->closed
State-Changed-By: wollman
State-Changed-When: Sat Jan 18 12:10:52 PST 1997
State-Changed-Why:
From: Dave Cornejo <dave@dogwood.com> 
This fixed the problem, thanks! 

>Unformatted:
