From owner-freebsd-bugs Sat Jan 27 8:10:20 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 9381337B401
	for ; Sat, 27 Jan 2001 08:10:01 -0800 (PST)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f0RGA1a27316;
	Sat, 27 Jan 2001 08:10:01 -0800 (PST)
	(envelope-from gnats)
Received: from skalman.campus.luth.se (skalman.campus.luth.se [130.240.197.52])
	by hub.freebsd.org (Postfix) with ESMTP id BC11637B401
	for ; Sat, 27 Jan 2001 08:03:19 -0800 (PST)
Received: (from pantzer@localhost)
	by skalman.campus.luth.se (8.11.1/8.11.0) id f0RG3I905012;
	Sat, 27 Jan 2001 17:03:18 +0100 (CET)
	(envelope-from pantzer)
Message-Id: <200101271603.f0RG3I905012@skalman.campus.luth.se>
Date: Sat, 27 Jan 2001 17:03:18 +0100 (CET)
From: pantzer@ludd.luth.se
Reply-To: pantzer@ludd.luth.se
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/24680: panic on cd .. on the root of a filesystem that is unmounted.
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 24680
>Category: kern
>Synopsis: panic on cd .. on the root of a filesystem that is unmounted.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jan 27 08:10:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Mattias Pantzare
>Release: FreeBSD 4.2-STABLE i386
>Organization:
>Environment:
>Description:

The kernel will panic if a user does cd .. in a shell that was on the mountpoint of a filesystem that has been unmounted with the force flag.

#0 dumpsys () at ../../kern/kern_shutdown.c:469
#1 0xc013336f in boot (howto=260) at ../../kern/kern_shutdown.c:309
#2 0xc0133705 in panic (fmt=0xc023fcf4 "from debugger") at ../../kern/kern_shutdown.c:556
#3 0xc011e339 in db_panic (addr=-1072311442, have_addr=0, count=-1, modif=0xc5d10c7c "") at ../../ddb/db_command.c:433
#4 0xc011e2d9 in db_command (last_cmdp=0xc026ab78, cmd_table=0xc026a9d8, aux_cmd_tablep=0xc0284208) at ../../ddb/db_command.c:333
#5 0xc011e39e in db_command_loop () at ../../ddb/db_command.c:455
#6 0xc01204ab in db_trap (type=12, code=0) at ../../ddb/db_trap.c:71
#7 0xc021ca8a in kdb_trap (type=12, code=0, regs=0xc5d10dd0) at ../../i386/i386/db_interface.c:158
#8 0xc022bcc8 in trap_fatal (frame=0xc5d10dd0, eva=16) at ../../i386/i386/trap.c:946
#9 0xc022b9a1 in trap_pfault (frame=0xc5d10dd0, usermode=0, eva=16) at ../../i386/i386/trap.c:844
#10 0xc022b517 in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = -976154868,
    tf_esi = -980796414, tf_ebp = -976155060, tf_isp = -976155140, tf_ebx = -975865280,
    tf_edx = -976154908, tf_ecx = 38, tf_eax = 0, tf_trapno = 12, tf_err = 0,
    tf_eip = -1072311442, tf_cs = 8, tf_eflags = 582, tf_esp = -975865280,
    tf_ss = -1064217856}) at ../../i386/i386/trap.c:443
#11 0xc015d36e in lookup (ndp=0xc5d10ee4) at ../../kern/vfs_lookup.c:408
#12 0xc015cef4 in namei (ndp=0xc5d10ee4) at ../../kern/vfs_lookup.c:153
#13 0xc0161705 in change_dir (ndp=0xc5d10ee4, p=0xc58935e0) at ../../kern/vfs_syscalls.c:935
#14 0xc01615b8 in chdir (p=0xc58935e0, uap=0xc5d10f80) at ../../kern/vfs_syscalls.c:836
#15 0xc022bfa1 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 135464784,
    tf_esi = 0, tf_ebp = -1077954296, tf_isp = -976154668, tf_ebx = 135725184,
    tf_edx = 135472514, tf_ecx = 135472640, tf_eax = 12, tf_trapno = 22, tf_err = 2,
    tf_eip = 134802156, tf_cs = 31, tf_eflags = 582, tf_esp = -1077957444,
    tf_ss = 47}) at ../../i386/i386/trap.c:1150
#16 0xc021d3d5 in Xint0x80_syscall ()
#17 0x804bb09 in ?? ()
#18 0x80532e4 in ?? ()
#19 0x806061a in ?? ()
#20 0x8060855 in ?? ()
#21 0x804a7db in ?? ()
#22 0x8049a07 in ?? ()
#23 0x8048135 in ?? ()

>How-To-Repeat:

mount /dev/ad1a /mnt
cd /mnt
umount -f /mnt
cd ..
PANIC

>Fix:

This might not be the "right" fix, but it stops the panic.

*** vfs_lookup.c Sat Jan 27 17:37:24 2001 --- vfs_lookup.c.new Sat Jan 27 17:37:06 2001 *************** *** 404,409 **** --- 404,411 ---- if ((dp->v_flag & VROOT) == 0 || (cnp->cn_flags & NOCROSSMOUNT)) break; + if (dp->v_mount == 0) + break; tdp = dp; dp = dp->v_mount->mnt_vnodecovered; vput(tdp);

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
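
Review bot: The added `if (dp->v_mount == 0) break;` ahead of `dp = dp->v_mount->mnt_vnodecovered;` leaves through the same `break` as the ordinary not-VROOT / NOCROSSMOUNT case just above it, so the lookup continues with `dp` still pointing at a root vnode whose mount is gone and the caller never learns that the filesystem was forcibly unmounted. Consider failing the lookup with an error at this point instead of breaking, so that `cd ..` on the orphaned directory returns a clean failure rather than proceeding on a vnode with no mount. As smaller points, compare the pointer against NULL rather than 0, and add a comment saying that `v_mount` can be null here after `umount -f`, since nothing in the surrounding lines explains why the check is needed.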