Date:      Thu, 3 Oct 2002 23:52:36 +0900
From:      qhwt@myrealbox.com
To:        current@freebsd.org
Subject:   panic trying to chroot(2) on a script(?)
Message-ID:  <20021003145236.GA633.qhwt@myrealbox.com>


[-- Attachment #1 --]
Hello.
Last night I was trying to start an anonymous ftp server on my
-current box for my local network. I made a mistake in vipw:

ftp:*:44444:44444:Unprivileged user:/sbin/nologin:/home/mp3

i.e., wrote a path to a script where a directory is needed, and a
directory where a path to a shell is needed. Without noticing, I started
ftpd in standalone mode, and logged in as user ftp, when the box panicked:

# /usr/libexec/ftpd -AD
# ftp -4 localhost

On a 4.7-RC1 box, this just spewed an error message in /var/log/messages
and didn't panic, and man 2 chroot doesn't state it should.
If there's something other than the backtrace (attached), let me know.

Regards.

[-- Attachment #2 --]
Script started on Thu Oct  3 23:27:19 2002
qhwt@gzl$ gdb -k /usr/obj/kernel/kernel.debug vmcore.14
GNU gdb 5.2.0 (FreeBSD) 20020627
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
panic: bdwrite: buffer is not busy
panic messages:
---
panic: vrele: negative ref cnt

syncing disks... panic: bdwrite: buffer is not busy
Uptime: 5m31s
Dumping 63 MB
ata0: resetting devices ..
ata0: mask=03 ostat0=50 ostat2=00
ad0: ATAPI 00 00
ata0-slave: ATAPI 00 00
ata0: mask=03 stat0=50 stat1=00
ad0: ATA 01 a5
ata0: devices=01
ad0: success setting PIO4 on generic chip
done
 16 32 48
---
#0  doadump () at /home/usr.src/sys/kern/kern_shutdown.c:223
223		dumping++;
(kgdb) bt
#0  doadump () at /home/usr.src/sys/kern/kern_shutdown.c:223
#1  0xc0198625 in boot (howto=260)
    at /home/usr.src/sys/kern/kern_shutdown.c:355
#2  0xc0198873 in panic () at /home/usr.src/sys/kern/kern_shutdown.c:508
#3  0xc01d725d in bdwrite (bp=0xc223edd0)
    at /home/usr.src/sys/kern/vfs_bio.c:952
#4  0xc0273d4b in ffs_update (vp=0xc13cb6f0, waitfor=0)
    at /home/usr.src/sys/ufs/ffs/ffs_inode.c:125
#5  0xc028702f in ffs_fsync (ap=0xc73a1ab0)
    at /home/usr.src/sys/ufs/ffs/ffs_vnops.c:309
#6  0xc0286b89 in VOP_FSYNC (vp=0x0, cred=0x0, waitfor=0, td=0x0)
    at vnode_if.h:612
#7  0xc0286014 in ffs_sync (mp=0xc0f9f800, waitfor=2, cred=0xc0726d80,
    td=0xc033e460) at /home/usr.src/sys/ufs/ffs/ffs_vfsops.c:1127
#8  0xc01ebd38 in sync (td=0xc033e460, uap=0x0)
    at /home/usr.src/sys/kern/vfs_syscalls.c:130
#9  0xc019820c in boot (howto=256)
    at /home/usr.src/sys/kern/kern_shutdown.c:264
#10 0xc0198873 in panic () at /home/usr.src/sys/kern/kern_shutdown.c:508
#11 0xc01e8618 in vrele (vp=0xc0fce4a0)
    at /home/usr.src/sys/kern/vfs_subr.c:2163
#12 0xc01eb7a9 in NDFREE (ndp=0xc73a1c78, flags=0)
    at /home/usr.src/sys/kern/vfs_subr.c:3590
---Type <return> to continue, or q <return> to quit---
#13 0xc01ec8d3 in chroot (td=0xc142f0c0, uap=0x0)
    at /home/usr.src/sys/kern/vfs_syscalls.c:564
#14 0xc02de39a in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 126, tf_esi = -1077936868, tf_ebp = -1077939528, tf_isp = -952492684, tf_ebx = 0, tf_edx = -1, tf_ecx = 2, tf_eax = 61, tf_trapno = 0, tf_err = 2, tf_eip = 672269963, tf_cs = 31, tf_eflags = 514, tf_esp = -1077941908, tf_ss = 47})
    at /home/usr.src/sys/i386/i386/trap.c:1050
#15 0xc02ce9bd in Xint0x80_syscall () at {standard input}:140
---Can't read userspace from dump, or kernel process---

(kgdb) frame 11
#11 0xc01e8618 in vrele (vp=0xc0fce4a0)
    at /home/usr.src/sys/kern/vfs_subr.c:2163
2163			panic("vrele: negative ref cnt");
(kgdb) print vp->v_usecount
$1 = 0
(kgdb) print *vp
$2 = {v_interlock = {mtx_object = {lo_class = 0xc0342920,
      lo_name = 0xc030b67b "vnode interlock",
      lo_type = 0xc030b67b "vnode interlock", lo_flags = 196608, lo_list = {
        tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 4,
    mtx_recurse = 0, mtx_blocked = {tqh_first = 0x0, tqh_last = 0xc0fce4c4},
    mtx_contested = {le_next = 0x0, le_prev = 0x0}, mtx_acqtime = 0,
    mtx_filename = 0x0, mtx_lineno = 0}, v_iflag = 256, v_usecount = 0,
  v_numoutput = 0, v_vxproc = 0x0, v_holdcnt = 0, v_cleanblkhd = {
    tqh_first = 0x0, tqh_last = 0xc0fce4f8}, v_cleanblkroot = 0x0,
  v_dirtyblkhd = {tqh_first = 0x0, tqh_last = 0xc0fce504},
  v_dirtyblkroot = 0x0, v_vflag = 8, v_writecount = 0, v_object = 0xc14522bc,
  v_lastw = 0, v_cstart = 0, v_lasta = 0, v_clen = 0, v_un = {
    vu_mountedhere = 0x0, vu_socket = 0x0, vu_spec = {vu_specinfo = 0x0,
      vu_specnext = {sle_next = 0x0}}, vu_fifoinfo = 0x0}, v_freelist = {
    tqe_next = 0x0, tqe_prev = 0xc13ca2f0}, v_nmntvnodes = {tqe_next = 0x0,
    tqe_prev = 0xc0fd2b10}, v_synclist = {le_next = 0x0,
    le_prev = 0xc0f6912c}, v_type = VREG, v_tag = 0xc0321a29 "ufs",
  v_data = 0xc14b9800, v_lock = {lk_interlock = 0xc036f728, lk_flags = 64,
    lk_sharecount = 0, lk_waitcount = 0, lk_exclusivecount = 0, lk_prio = 72,
    lk_wmesg = 0xc0321c77 "inode", lk_timo = 6, lk_lockholder = -1},
  v_vnlock = 0xc0fce564, v_op = 0xc0f7ca00, v_mount = 0xc0fa4a00,
  v_cache_src = {lh_first = 0x0}, v_cache_dst = {tqh_first = 0xc13d68c0,
    tqh_last = 0xc13d68d0}, v_id = 2506, v_dd = 0xc0fce4a0, v_ddid = 0,
---Type <return> to continue, or q <return> to quit---
  v_pollinfo = 0x0, v_label = {l_flags = 0, l_perpolicy = {{l_ptr = 0x0,
        l_long = 0}, {l_ptr = 0x0, l_long = 0}, {l_ptr = 0x0, l_long = 0}, {
        l_ptr = 0x0, l_long = 0}}}, v_cachedfs = 29696,
  v_cachedid = 4294967295}
(kgdb) qhwt@gzl$ ^D
Script done on Thu Oct  3 23:28:34 2002
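
A userland guard against the swapped home/shell fields described in this message, as an added example that is not part of the original post or of FreeBSD's ftpd: it pulls the home field out of the quoted entry and refuses a chroot target that is not a directory. The function names `passwd_home` and `open_chroot_dir` are hypothetical, and the 7-field layout is assumed from the line quoted above.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy the home field (6th of 7) of a passwd-style entry; 0 or -EINVAL. */
static int passwd_home(const char *line, char *out, size_t outlen)
{
    for (int i = 0; i < 5; i++) {
        if ((line = strchr(line, ':')) == NULL)
            return -EINVAL;
        line++;
    }
    size_t len = strcspn(line, ":\n");
    if (len == 0 || len >= outlen)
        return -EINVAL;
    memcpy(out, line, len);
    out[len] = '\0';
    return 0;
}

/* Open the chroot target only if it is a directory; fd or negative errno. */
static int open_chroot_dir(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    int err = fstat(fd, &st) < 0 ? errno : (S_ISDIR(st.st_mode) ? 0 : ENOTDIR);
    if (err == 0)
        return fd;
    close(fd);
    return -err;
}

int main(void)
{
    char home[256]; /* entry below is the one quoted in the post */
    const char *entry = "ftp:*:44444:44444:Unprivileged user:/sbin/nologin:/home/mp3";
    int fd = passwd_home(entry, home, sizeof home);
    if (fd == 0 && (fd = open_chroot_dir(home)) >= 0) {
        close(fd); /* a daemon would fchdir(fd) and chroot(".") here, as root */
        return 0;
    }
    fprintf(stderr, "refusing chroot: %s\n", strerror(-fd));
    return 1;
}
```

Holding the descriptor and calling fchdir() on it before chroot(".") keeps the checked object and the chroot target the same, so the path cannot be swapped between the check and the call.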

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021003145236.GA633.qhwt>