From stark@UG.CS.SUNYSB.EDU  Wed Sep 27 07:24:21 1995
Received: from bfs2.ug.cs.sunysb.edu (bfs2.ug.cs.sunysb.edu [129.49.15.4])
          by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id HAA01815
          for <FreeBSD-gnats-submit@freebsd.org>; Wed, 27 Sep 1995 07:24:20 -0700
Received: from ws24.ug.cs.sunysb.edu (ws24.ug.cs.sunysb.edu [129.49.15.44]) by bfs2.ug.cs.sunysb.edu (8.6.11/8.6.9) with ESMTP id KAA00885 for <FreeBSD-gnats-submit@freebsd.org>; Wed, 27 Sep 1995 10:24:18 -0400
Received: (from stark@localhost) by ws24.ug.cs.sunysb.edu (8.6.11/8.6.9) id KAA10038; Wed, 27 Sep 1995 10:24:17 -0400
Message-Id: <199509271424.KAA10038@ws24.ug.cs.sunysb.edu>
Date: Wed, 27 Sep 1995 10:24:17 -0400
From: Eugene Stark <stark@UG.CS.SUNYSB.EDU>
Reply-To: stark@UG.CS.SUNYSB.EDU
To: FreeBSD-gnats-submit@freebsd.org
Subject: Page fault in fchmod() with Sep 20 -stable kernel
X-Send-Pr-Version: 3.2

>Number:         744
>Category:       kern
>Synopsis:       Page fault in fchmod() with Sep 20 -stable kernel
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 27 07:30:01 PDT 1995
>Closed-Date:    Sat Nov 11 10:27:45 PST 1995
>Last-Modified:  Sat Nov 11 10:29:41 PST 1995
>Originator:     Eugene Stark
>Release:        FreeBSD 2.1-STABLE supped on Sep 20, 1995
>Organization:
SUNY at Stony Brook CS Dept.
>Environment:

	486DX4/100, 32MB RAM, IDE, BusLogic SCSI.
	FreeBSD 2.1-STABLE supped on Sep 20, 1995.

>Description:

	System crashed due to attempt to follow NULL vp->v_mount
	pointer in fchmod() in kern/vfs_syscalls.c.

	There has been one revision to vnode code in -STABLE since
	that date, but I'm not sure if it is relevant to this problem.

	I'll retain this core dump for a little while, in case
	anybody wants more information.

gdb -k kernel vmcore.7
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), 
Copyright 1994 Free Software Foundation, Inc...
IdlePTD 1c3000
current pcb at 1b6140
panic: page fault
#0  boot (howto=256) at ../../i386/i386/machdep.c:873
873                                     dumppcb.pcb_ptd = rcr3();
(kgdb) bt
#0  boot (howto=256) at ../../i386/i386/machdep.c:873
#1  0xf010f893 in panic (fmt=0xf018c9fc "page fault")
    at ../../kern/subr_prf.c:124
#2  0xf018d4be in trap_fatal (frame=0xefbffe80) at ../../i386/i386/trap.c:718
#3  0xf018d030 in trap_pfault (frame=0xefbffe80, usermode=0)
    at ../../i386/i386/trap.c:640
#4  0xf018cce7 in trap (frame={tf_es = -266665968, tf_ds = -227672048, 
      tf_edi = -255635968, tf_esi = 0, tf_ebp = -272629940, 
      tf_isp = -267232531, tf_ebx = -257021696, tf_edx = -258090496, 
      tf_ecx = 29, tf_eax = 0, tf_trapno = 12, tf_err = -257032192, 
      tf_eip = -267232531, tf_cs = -267255800, tf_eflags = 66178, 
      tf_esp = -272629868, tf_ss = -255635968}) at ../../i386/i386/trap.c:299
#5  0xf0185e7d in calltrap ()
#6  0xf0125aed in fchmod (p=0xf0c34e00, uap=0xefbfff94, retval=0xefbfff8c)
    at ../../kern/vfs_syscalls.c:1503
#7  0xf018d703 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 136768, 
      tf_esi = 0, tf_ebp = -272640484, tf_isp = -272629788, tf_ebx = 147456, 
      tf_edx = 147524, tf_ecx = 0, tf_eax = 124, tf_trapno = 514, 
      tf_err = 514, tf_eip = 134525525, tf_cs = 31, tf_eflags = 514, 
      tf_esp = -272640504, tf_ss = 39}) at ../../i386/i386/trap.c:853
#8  0xf0185ecb in Xsyscall ()
#9  0xde0a in ?? ()
#10 0xcf51 in ?? ()
#11 0x10d3 in ?? ()
(kgdb) frame 6
#6  0xf0125aed in fchmod (p=0xf0c34e00, uap=0xefbfff94, retval=0xefbfff8c)
    at ../../kern/vfs_syscalls.c:1503
1503            if (vp->v_mount->mnt_flag & MNT_RDONLY)
(kgdb) print *vp
$1 = {v_flag = 0, v_usecount = 1, v_writecount = 1, v_holdcnt = 0, 
  v_lastr = 0, v_id = 2194101, v_mount = 0x0, v_op = 0xf09dda00, v_freelist = {
    tqe_next = 0x0, tqe_prev = 0xf0ae209c}, v_mntvnodes = {
    le_next = 0xf0b37a80, le_prev = 0xf0b1b424}, v_cleanblkhd = {
    lh_first = 0x0}, v_dirtyblkhd = {lh_first = 0x0}, v_numoutput = 0, 
  v_type = VBAD, v_un = {vu_mountedhere = 0x0, vu_socket = 0x0, 
    vu_specinfo = 0x0, vu_fifoinfo = 0x0}, v_lease = 0x0, v_lastw = 0, 
  v_cstart = 0, v_lasta = 0, v_clen = 0, v_ralen = 0, v_maxra = 0, 
  v_vmdata = 0x0, v_tag = VT_NON, v_data = 0x0}
(kgdb) print *p
$2 = {p_forw = 0xf0bf8200, p_back = 0x0, p_next = 0xf0c41a00, 
  p_prev = 0xf0a4fd08, p_cred = 0xf0bd1f40, p_fd = 0xf0c63700, 
  p_stats = 0xf4610288, p_limit = 0xf01bc74c, p_vmspace = 0xf0ad4000, 
  p_sigacts = 0xf461015c, p_flag = 16390, p_stat = 2 '\002', 
  p_pad1 = "\000\000", p_pid = 15224, p_hash = 0x0, p_pgrpnxt = 0x0, 
  p_pptr = 0xf09e7e00, p_osptr = 0xf0a83300, p_ysptr = 0x0, p_cptr = 0x0, 
  p_oppid = 0, p_dupfd = 0, p_estcpu = 71, p_cpticks = 70, p_pctcpu = 34, 
  p_wchan = 0x0, p_wmesg = 0xf01112b4 "select", p_swtime = 660, p_slptime = 0, 
  p_realtimer = {it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {
      tv_sec = 0, tv_usec = 0}}, p_rtime = {tv_sec = 2, tv_usec = 682432}, 
  p_uticks = 53, p_sticks = 376, p_iticks = 12, p_traceflag = 0, 
  p_tracep = 0x0, p_siglist = 0, p_textvp = 0xf0af4300, p_lock = 0 '\000', 
  p_pad2 = "\000\000", p_spare = {0, 0}, p_sigmask = 0, 
  p_sigignore = 406884353, p_sigcatch = 548870, p_priority = 67 'C', 
  p_usrpri = 67 'C', p_nice = 0 '\000', 
  p_comm = "slirp\000d\000\000\000\000\000\000\000\000\000", 
  p_pgrp = 0xf0bee600, p_sysent = 0xf01ac020, p_rtprio = {type = 1, prio = 0}, 
  p_thread = 6, p_addr = 0xf4610000, p_md = {md_flags = 0, 
    md_regs = 0xefbfffbc}, p_xstat = 0, p_acflag = 0, p_ru = 0x0}
(kgdb) 

>How-To-Repeat:

	Unknown.

>Fix:
	
	Unknown.


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: davidg 
State-Changed-When: Sat Nov 11 10:27:45 PST 1995 
State-Changed-Why:  
This was caused by a bug in the checks for read-only mounts. They 
needed to be done at the filesystem layer rather than the syscall 
layer to avoid accessing possibly invalid struct mount fields. The 
bug has been fixed for the 2.1 release. 
>Unformatted:
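The closing note says the read-only check had to move out of the syscall layer, where `vp->v_mount` may be NULL, into the filesystem layer that owns the vnode's state. The following C program, written here as an illustration and not the 2.1 fix or any FreeBSD source, models that with constructed stand-ins for `struct vnode` and `struct mount`: the unconditional dereference as at `vfs_syscalls.c:1503`, beside a hypothetical filesystem-layer `fs_layer_setattr_mode()` that refuses a dead vnode (`VBAD`, no mount, the state printed in the dump) with `EBADF` before it ever reads `mnt_flag`. The `mock_revoke()` helper and all struct layouts and values are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structures seen in the crash dump.
 * Field names follow the 2.1 kernel; layouts and values do not. */
#define MNT_RDONLY 0x00000001
enum vtype    { VNON, VREG, VBAD };
enum vtagtype { VT_NON, VT_UFS };
struct mount { int mnt_flag; };
struct vnode {
    enum vtype    v_type;
    enum vtagtype v_tag;
    struct mount *v_mount;   /* 0x0 on the vnode printed in the dump */
    unsigned      v_mode;
};

/* Syscall-layer check as at vfs_syscalls.c:1503 in the report: it
 * dereferences v_mount unconditionally, so a VBAD vnode with a NULL
 * v_mount page-faults here. Only valid for a live vnode. */
static int syscall_layer_rdonly_check(const struct vnode *vp)
{
    if (vp->v_mount->mnt_flag & MNT_RDONLY)
        return EROFS;
    return 0;
}

/* Hypothetical filesystem-layer setattr. This layer owns the vnode's
 * state, so it rejects a dead or revoked vnode before touching
 * struct mount, then applies the read-only check and the mode change. */
static int fs_layer_setattr_mode(struct vnode *vp, unsigned mode)
{
    if (vp->v_type == VBAD || vp->v_mount == NULL)
        return EBADF;            /* no mount to inspect: fail, don't fault */
    if (vp->v_mount->mnt_flag & MNT_RDONLY)
        return EROFS;
    vp->v_mode = mode & 07777;
    return 0;
}

/* Hardened fchmod path: the syscall layer never reads struct mount itself;
 * it hands the vnode to the filesystem layer and returns its verdict. */
static int fchmod_hardened(struct vnode *vp, unsigned mode)
{
    return fs_layer_setattr_mode(vp, mode);
}

/* Put a mock vnode into the state printed in the dump (assumed here to be
 * what revocation leaves behind): type VBAD, tag VT_NON, no mount. */
static void mock_revoke(struct vnode *vp)
{
    vp->v_type  = VBAD;
    vp->v_tag   = VT_NON;
    vp->v_mount = NULL;
}

int main(void)
{
    struct mount rw = { 0 }, ro = { MNT_RDONLY };
    struct vnode a = { VREG, VT_UFS, &rw, 0644 };
    struct vnode b = { VREG, VT_UFS, &ro, 0644 };
    struct vnode c = { VREG, VT_UFS, &rw, 0644 };

    printf("writable mount: %d\n", fchmod_hardened(&a, 0600));  /* 0 */
    printf("read-only mount: %d\n", fchmod_hardened(&b, 0600)); /* EROFS */
    mock_revoke(&c);
    printf("revoked vnode: %d\n", fchmod_hardened(&c, 0600));   /* EBADF, no fault */
    return 0;
}
```

The point of the split is ordering: the filesystem layer validates the vnode it is handed before dereferencing anything hanging off it, so a file descriptor that outlives its vnode (the `v_usecount = 1` on a `VBAD` vnode in the dump) gets an error return instead of a panic.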
