From owner-freebsd-bugs Sun Oct 15 15:40:03 1995
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id PAA13194 for bugs-outgoing; Sun, 15 Oct 1995 15:40:03 -0700
Received: (from gnats@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id PAA13186 ; Sun, 15 Oct 1995 15:40:01 -0700
Resent-Date: Sun, 15 Oct 1995 15:40:01 -0700
Resent-Message-Id: <199510152240.PAA13186@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, hsu@clinet.fi
Received: from hauki.clinet.fi (root@hauki.clinet.fi [194.100.0.1]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id PAA13096 for ; Sun, 15 Oct 1995 15:34:16 -0700
Received: from katiska.clinet.fi (root@katiska.clinet.fi [194.100.0.4]) by hauki.clinet.fi (8.6.12/8.6.4) with ESMTP id AAA09877 for ; Mon, 16 Oct 1995 00:34:09 +0200
Received: (root@localhost) by katiska.clinet.fi (8.6.12/8.6.4) id AAA03482; Mon, 16 Oct 1995 00:34:08 +0200
Message-Id: <199510152234.AAA03482@katiska.clinet.fi>
Date: Mon, 16 Oct 1995 00:34:08 +0200
From: Heikki Suonsivu
Reply-To: hsu@clinet.fi
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/782: fchmod, null pointer dereference
Sender: owner-bugs@freebsd.org
Precedence: bulk

>Number: 782
>Category: kern
>Synopsis: chmod does a null pointer dereference
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Oct 15 15:40:01 PDT 1995
>Last-Modified:
>Originator: Heikki Suonsivu
>Organization: Clinet, Espoo, Finland
>Release: FreeBSD 2.1-STABLE
>Environment:

Oct 15 23:25:22 katiska /kernel: CPU: 90-MHz Pentium 735\90 (Pentium-class CPU)
Oct 15 23:25:22 katiska /kernel: Origin = "GenuineIntel" Id = 0x524 Stepping=4
Oct 15 23:25:22 katiska /kernel: Features=0x1bf
Oct 15 23:25:23 katiska /kernel: real memory = 67108864 (65536K bytes)
Oct 15 23:25:23 katiska /kernel: avail memory = 62484480 (61020K bytes)
Oct 15 23:25:23 katiska /kernel: Probing for devices on the ISA bus:
Oct 15 23:25:23 katiska /kernel: ed0 at 0x280-0x29f irq 5 maddr 0xd8000 msize 16384 on isa
Oct 15 23:25:23 katiska /kernel: ed0: address 00:00:c0:cd:b9:a3, type WD8013EPC (16 bit)
Oct 15 23:25:23 katiska /kernel: vt0 at 0x60-0x6f irq 1 on motherboard
Oct 15 23:25:23 katiska /kernel: vt0: unkown s3, 80 col, mono, 8 scr, mf2-kbd, [R3.20-b24]
Oct 15 23:25:23 katiska /kernel: lpt0 at 0x378-0x37f irq 7 on isa
Oct 15 23:25:23 katiska /kernel: lpt0: Interrupt-driven port
Oct 15 23:25:23 katiska /kernel: lp0: TCP/IP capable interface
Oct 15 23:25:23 katiska /kernel: lpt1 not found at 0xffffffff
Oct 15 23:25:23 katiska /kernel: lpt2 not found at 0xffffffff
Oct 15 23:25:23 katiska /kernel: sio0 at 0x3f8-0x3ff irq 4 on isa
Oct 15 23:25:23 katiska /kernel: sio0: type 16550A
Oct 15 23:25:23 katiska /kernel: sio1 at 0x2f8-0x2ff irq 3 on isa
Oct 15 23:25:23 katiska /kernel: sio1: type 16550A
Oct 15 23:25:23 katiska /kernel: sio2 not found at 0x3e8
Oct 15 23:25:23 katiska /kernel: sio3 not found at 0x2e8
Oct 15 23:25:23 katiska /kernel: pca0 on isa
Oct 15 23:25:23 katiska /kernel: pca0: PC speaker audio driver
Oct 15 23:25:23 katiska /kernel: bt0 not found at 0x330
Oct 15 23:25:23 katiska /kernel: aha0 not found at 0x330
Oct 15 23:25:23 katiska /kernel: wdc0 not found at 0x1f0
Oct 15 23:25:23 katiska /kernel: wdc1 not found at 0x170
Oct 15 23:25:23 katiska /kernel: fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
Oct 15 23:25:24 katiska /kernel: fdc0: NEC 72065B
Oct 15 23:25:24 katiska /kernel: fd0: 1.44MB 3.5in
Oct 15 23:25:24 katiska /kernel: mcd0: timeout getting status
Oct 15 23:25:24 katiska /kernel: mcd0 not found at 0x300
Oct 15 23:25:24 katiska /kernel: le0: no board found at 0x300
Oct 15 23:25:24 katiska /kernel: le0 not found at 0x300
Oct 15 23:25:24 katiska /kernel: npx0 on motherboard
Oct 15 23:25:24 katiska /kernel: npx0: INT 16 interface
Oct 15 23:25:24 katiska /kernel: matcdc0 not found at 0xffffffff
Oct 15 23:25:24 katiska /kernel: matcdc1 not found at 0xffffffff
Oct 15 23:25:24 katiska /kernel: matcdc2 not found at 0xffffffff
Oct 15 23:25:24 katiska /kernel: matcdc3 not found at 0xffffffff
Oct 15 23:25:24 katiska /kernel: bio_imask c0000040 tty_imask c00300ba net_imask c00300ba
Oct 15 23:25:24 katiska /kernel: Probing for devices on the PCI bus:
Oct 15 23:25:24 katiska /kernel: chip0 rev 17 on pci0:0
Oct 15 23:25:24 katiska /kernel: chip1 rev 67 on pci0:2
Oct 15 23:25:24 katiska /kernel: vga0 rev 0 on pci0:6
Oct 15 23:25:24 katiska /kernel: ncr0 rev 2 int a irq 9 on pci0:12
Oct 15 23:25:24 katiska /kernel: ncr0 waiting for scsi devices to settle
Oct 15 23:25:24 katiska /kernel: (ncr0:0:0): "SEAGATE ST15230N 0298" type 0 fixed SCSI 2
Oct 15 23:25:25 katiska /kernel: sd0(ncr0:0:0): Direct-Access
Oct 15 23:25:25 katiska /kernel: sd0(ncr0:0:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Oct 15 23:25:25 katiska /kernel: 4095MB (8386733 512 byte sectors)
Oct 15 23:25:25 katiska /kernel: sd0(ncr0:0:0): with 3992 cyls, 19 heads, and an average 110 sectors/track
Oct 15 23:25:25 katiska /kernel: (ncr0:3:0): "SEAGATE ST31200N 9348" type 0 fixed SCSI 2
Oct 15 23:25:25 katiska /kernel: sd3(ncr0:3:0): Direct-Access
Oct 15 23:25:25 katiska /kernel: sd3(ncr0:3:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Oct 15 23:25:25 katiska /kernel: 1011MB (2072435 512 byte sectors)
Oct 15 23:25:25 katiska /kernel: sd3(ncr0:3:0): with 2700 cyls, 9 heads, and an average 85 sectors/track
Oct 15 23:25:25 katiska /kernel: (ncr0:4:0): "HP C1533A 9503" type 1 removable SCSI 2
Oct 15 23:25:25 katiska /kernel: st4(ncr0:4:0): Sequential-Access
Oct 15 23:25:25 katiska /kernel: st4(ncr0:4:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Oct 15 23:25:25 katiska /kernel: density code 0x24, variable blocks, write-enabled
Oct 15 23:25:25 katiska /kernel: ncr1 rev 1 int a irq 9 on pci0:14
Oct 15 23:25:25 katiska /kernel: ncr1 waiting for scsi devices to settle
Oct 15 23:25:25 katiska /kernel: (ncr1:3:0): "SEAGATE ST15230N 0168" type 0 fixed SCSI 2
Oct 15 23:25:25 katiska /kernel: sd7(ncr1:3:0): Direct-Access
Oct 15 23:25:25 katiska /kernel: sd7(ncr1:3:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Oct 15 23:25:25 katiska /kernel: 4095MB (8386733 512 byte sectors)
Oct 15 23:25:25 katiska /kernel: sd7(ncr1:3:0): with 3992 cyls, 19 heads, and an average 110 sectors/track
Oct 15 23:25:25 katiska /kernel: changing root device to sd0a
Oct 15 23:25:25 katiska /kernel: WARNING: / was not properly dismounted.
Oct 15 23:25:25 katiska /kernel: sd7: invalid primary partition table: no magic

#
# CLINETSERVER - a bloated kernel for servers, include everything possible
#
# $Id: LINT,v 1.150 1995/03/04 21:09:21 jkh Exp $
#

#
# This directive is mandatory; it defines the architecture to be
# configured for; in this case, the 386 family. You must also specify
# at least one CPU (the one you intend to run on); deleting the
# specification for CPUs you don't need to use may make parts of the
# system run faster
#
# clinet: we have got all of these
machine "i386"
cpu "I386_CPU"
cpu "I486_CPU"
cpu "I586_CPU" # aka Pentium(tm)

#
# This is the ``identification'' of the kernel. Usually this should
# be the same as the name of your kernel.
#
ident CLINETSERVER

#
# The `maxusers' parameter controls the static sizing of a number of
# internal system tables by a complicated formula defined in param.c.
#
maxusers 256
options "NMBCLUSTERS=2048"
options "TTYHOG=4096"
options "RS_IBUFSIZE=1024"

#
# Under some circumstances it is necessary to make the default max
# number of proccesses per user and open files per user more than the
# defaults on bootup. (an example is a large news server in which
# the uid, news, can sometimes need > 100 simultaneous processes running)
# clinet: or hoggy administrators with gazillion xterms (yes, I have run out
# of 128 processes :-)
options "CHILD_MAX=256"
options "OPEN_MAX=256"

#
# A math emulator is mandatory if you wish to run on hardware which
# does not have a floating-point processor. Pick either the original,
# bogus (but freely-distributable) math emulator, or a much more
# fully-featured but GPL-licensed emulator taken from Linux.
#
options MATH_EMULATE #Support for x87 emulation
#options GPL_MATH_EMULATE #Support for x87 emualtion via
                          #new math emulator

#
# This directive defines a number of things:
# - The compiled kernel is to be called `kernel'
# - The root filesystem might be on partition wd0a
# - The kernel can swap on wd0b and sd0b, defaulting to the former
# - Crash dumps will be written to wd0b, if possible
#
# clinet: we use 4 disks per server, swap distributed on all of them (speeds
# up considerably). Dumps may go to sd0.
config kernel root on wd0 swap on wd0 and wd1 and sd0 and sd1 and sd2 and sd3 and vn0 dumps on sd0

#####################################################################
# COMPATIBILITY OPTIONS

#
# Implement system calls compatible with 4.3BSD and older versions of
# FreeBSD.
#
options "COMPAT_43"

#
# Allow user-mode programs to manipulat their local descriptor tables.
# This option is required for the WINE Windows(tm) emulator, and is
# not used by anything else (that we know of).
#
options USER_LDT #allow user-level control of i386 ldt

#
# These three options provide support for System V Interface
# Definition-style interprocess communication, in the form of shared
# memory, semaphores, and message queues, respectively.
#
options SYSVSHM
options SYSVSEM
options SYSVMSG

#####################################################################
# DEBUGGING OPTIONS

#
# Enable the kernel debugger.
#
# options DDB

#
# Enable dumping of the kernel image to swap for panics. This is not
# the default because writing to misconfigured swap may wipe out file
# systems.
#
options DODUMP

#
# KTRACE enables the system-call tracing facility ktrace(2).
#
options KTRACE #kernel tracing

#
# The DIAGNOSTIC option is used in a number of source files to enable
# extra sanity checking of internal structures. This support is not
# enabled by default because of the extra time it would take to check
# for these conditions, which can only occur as a result of
# programming errors.
#
options DIAGNOSTIC

#
# Allow ordinary users to take the console - this is useful for X.
options UCONSOLE

#####################################################################
# NETWORKING OPTIONS

#
# Protocol families:
# Only the INET (Internet) family is officially supported in FreeBSD.
# Source code for the NS (Xerox Network Service), ISO (OSI), and
# CCITT (X.25) families is provided for amusement value, although we
# try to ensure that it actually compiles.
#
options INET #Internet communications protocols
# options ISO
# options CCITT #X.25 network layer
# options NS #Xerox NS communications protocols
# options TPIP #ISO TP class 4 over IP
# options TPCONS #ISO TP class 0 over X.25

#
# Network interfaces:
# The `loop' pseudo-device is mandatory when networking is enabled.
# The `ether' pseudo-device provides generic code to handle
# Ethernets; it is mandatory when a Ethernet device driver is
# configured.
# The `sppp' pseudo-device serves a similar role for certain types
# of synchronous PPP links (like `cx').
# The `sl' pseudo-device implements the Serial Line IP (SLIP) service.
# The `ppp' pseudo-device implements the Point-to-Point Protocol.
# The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be
# aware of the legal and administrative consequences of enabling this
# option. The number of devices determines the maximum number of
# simultaneous BPF clients programs runnable.
# The `disc' pseudo-device implements a minimal network interface,
# which throws away all packets sent and never receives any. It is
# included for testing purposes.
# The `tun' pseudo-device implements the User Process PPP (iijppp)
#
pseudo-device ether #Generic Ethernet
pseudo-device sppp #Generic Synchronous PPP
pseudo-device loop #Network loopback device
pseudo-device sl 16 #Serial Line IP
pseudo-device ppp 32 #Point-to-point protocol
pseudo-device bpfilter 4 #Berkeley packet filter
pseudo-device disc #Discard device
pseudo-device tun 1 #Tunnel driver(user process ppp)
#options NSIP #XNS over IP
#options EON #ISO CLNP over IP
#options LLC #X.25 link layer for Ethernets
#options HDLC #X.25 link layer for serial lines

#
# Internet family options:
#
# TCP_COMPAT_42 causes the TCP code to emulate certain bugs present in
# 4.2BSD. This option should not be used unless you have a 4.2BSD
# machine and TCP connections fail.
#
# GATEWAY allows the machine to forward packets, and also configures
# larger static sizes of a number of system tables.
#
# MROUTING enables the kernel multicast packet forwarder, which works
# with mrouted(8).
#
# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program. IPFIREWALL_VERBOSE does
# the obvious thing.
#
# ARP_PROXYALL enables global proxy ARP. Beware! This can burn
# your house down! See netinet/if_ether.c for the gory details.
# (Eventually there will be a better management interface.)
#
options "TCP_COMPAT_42" #emulate 4.2BSD TCP bugs
options GATEWAY #internetwork gateway
options MROUTING # Multicast routing
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #print information about
                           # dropped packets
#options ARP_PROXYALL # global proxy ARP

#####################################################################
# FILESYSTEM OPTIONS

#
# Only the root, /usr, and /tmp filesystems need be statically
# compiled; everything else will be automatically loaded at mount
# time. (Exception: the UFS family---FFS, MFS, and LFS---cannot
# currently be demand-loaded.) Some people still prefer to statically
# compile other filesystems as well.
#
# NB: The LFS, PORTAL, and UNION filesystems are known to be buggy,
# and WILL panic your system if you attempt to do anything with them.
# They are included here as an incentive for some enterprising soul to
# sit down and fix them.
#

# One of these is mandatory:
options FFS #Fast filesystem
options NFS #Network File System

# The rest are optional:
options "CD9660" #ISO 9660 filesystem
options FDESC #File descriptor filesystem
options KERNFS #Kernel filesystem
options LFS #Log filesystem
options MFS #Memory File System
options MSDOSFS #MS DOS File System
options NULLFS #NULL filesystem
options PORTAL #Portal filesystem
options PROCFS #Process filesystem
options UMAPFS #UID map filesystem
options UNION #Union filesystem

#
# Disk quotas are supported when this option is enabled. If you
# change the value of this option, you must do a `make clean' in your
# kernel compile directory in order to get a working kernel.
#
#options QUOTA #enable disk quotas

#
# PCI devices:
#
# The main PCI bus device is `pci'. It provides auto-detection and
# configuration support for all devices on the PCI bus, using either
# configuration mode defined in the PCI specification.
#
# The `ncr' device provides support for the NCR 53C810 and 53C825
# self-contained SCSI host adapters.
#
# The `de' device provides support for the Digital Equipment DC21040
# self-contained Ethernet adapter.
#
# The PROBE_VERBOSE option enables a long listing of chip set registers
# for supported PCI chip sets (currently only intel Saturn and Mercury).
#
controller pci0
device ncr0
device de0
options PROBE_VERBOSE
options "SCSI_DELAY=10"

#####################################################################
# SCSI DEVICE CONFIGURATION

#
# The SCSI subsystem consists of the `base' SCSI code, a number of
# high-level SCSI device `type' drivers, and the low-level host-adapter
# device drivers. The host adapters are listed in the ISA and PCI
# device configuration sections below.
#
# Beginning with FreeBSD 2.1 you can wire down your SCSI devices so
# that a given bus, target, and LUN always come on line as the same
# device unit. In earlier versions the unit numbers were assigned
# in the order that the devices were probed on the SCSI bus. This
# means that if you removed a disk drive, you may have had to rewrite
# your /etc/fstab file, and also that you had to be careful when adding
# a new disk as it may have been probed earlier and moved your device
# configuration around.

# This old behavior is maintained as the default behavior. The unit
# assignment begins with the first non-wired down unit for a device
# type. For example, if you wire a disk as "sd3" then the first
# non-wired disk will be assigned sd4.

# The syntax for wiring down devices is:

# disk sd0 at scbus0 target 0 unit 0
# disk sd1 at scbus0 target 1
# disk sd2 at scbus0 target 3
# tape st1 at scbus0 target 6
# device cd0 at scbus?

# "units" (SCSI logical unit number) that are not specified are
# treated as if specified as LUN 0.

# All SCSI devices allocate as many units as are required.

# The "unknown" device (uk? in pre-2.1) is now part of the base SCSI
# configuration and doesn't have to be explicitly configured.

controller scbus0 #base SCSI code
device ch0 #SCSI media changers
device sd0 #SCSI disks
device st0 #SCSI tapes
device cd0 #SCSI CD-ROMs

disk sd0 at scbus0 target 0
disk sd1 at scbus0 target 1
disk sd2 at scbus0 target 2
disk sd3 at scbus0 target 3
disk sd4 at scbus0 target 4
disk sd5 at scbus0 target 5
disk sd6 at scbus0 target 6
tape st0 at scbus0 target 0
tape st1 at scbus0 target 1
tape st2 at scbus0 target 2
tape st3 at scbus0 target 3
tape st4 at scbus0 target 4
tape st5 at scbus0 target 5
tape st6 at scbus0 target 6
device cd0 at scbus0 target 0
device cd1 at scbus0 target 1
device cd2 at scbus0 target 2
device cd3 at scbus0 target 3
device cd4 at scbus0 target 4
device cd5 at scbus0 target 5
device cd6 at scbus0 target 6

# SCSIDEBUG: When defined enables debugging macros
# NO_SCSI_SENSE: When defined disables sense descriptions (about 4k)
# SCSI_REPORT_GEOMETRY: Always report disk geometry at boot up instead
# of only when booting verbosely.
#options SCSIDEBUG
#options NO_SCSI_SENSE
options SCSI_REPORT_GEOMETRY

#####################################################################
# MISCELLANEOUS DEVICES AND OPTIONS

#
# Of these, only the `log' device is truly mandatory. The `pty'
# device usually turns out to be ``effectively mandatory'', as it is
# required for `telnetd', `rlogind', `screen', `emacs', and `xterm',
# among others.
#
pseudo-device pty 256 #Pseudo ttys - can go as high as 64
pseudo-device speaker #Play IBM BASIC-style noises out your speaker
pseudo-device log #Kernel syslog interface (/dev/klog)
pseudo-device gzip #Exec gzipped a.out's
pseudo-device vn #Vnode driver (turns a file into a device)
#pseudo-device snp 3 #Snoop device - to look at pty/vty/etc..

#####################################################################
# HARDWARE DEVICE CONFIGURATION

# ISA and EISA devices:
# Currently there is no separate support for EISA. There should be.
# Micro Channel is not supported at all.

#
# Mandatory ISA devices: isa, sc, npx
#
controller isa0

#
# Options for `isa':
#
# ALLOW_CONFLICT_DRQ suppresses the DMA conflict checks. This option is
# included so that people with sound cards that support multiple emulations
# can setup different sound drivers on the same DMA channel. There are no
# other known uses for this option.
#
# ALLOW_CONFLICT_IOADDR suppresses the I/O address conflict checks, so
# that the PS/2 mouse driver doesn't conflict with the console driver.
#
# ALLOW_CONFLICT_IRQ suppresses the interrupt line conflict checks, so
# that multiple devices can share the same IRQ, provided that the
# hardware supports it (it usually doesn't).
#
# ALLOW_CONFLICT_MEMADDR suppresses the memory address conflict checks.
# This option is not known to be good for anything.
#
# AUTO_EOI_1 enables the `automatic EOI' feature for the master 8259A
# interrupt controller. This saves about 1.25 usec for each interrupt.
# No problems are known to be caused by this option.
#
# AUTO_EOI_2 enables the `automatic EOI' feature for the slave 8259A
# interrupt controller. This saves about 1.25 usec for each interrupt.
# Automatic EOI is documented not to work for for the slave with the
# original i8259A, but it works for some clones and some integrated
# versions.
#
# BOUNCE_BUFFERS provides support for ISA DMA on machines with more
# than 16 megabytes of memory. It doesn't hurt on other machines.
# Some broken EISA and VLB hardware may need this, too.
#
# DUMMY_NOPS disables extra delays for some bus operations. The delays
# are mostly for older systems and aren't used consistently. Probably
# works OK on most EISA bus machines.
#
# TUNE_1542 enables the automatic ISA bus speed selection for the
# Adaptec 1542 boards. Does not work for all boards, use it with caution.
#
#options ALLOW_CONFLICT_DRQ
#options ALLOW_CONFLICT_IOADDR
#options ALLOW_CONFLICT_IRQ
#options ALLOW_CONFLICT_MEMADDR
options "AUTO_EOI_1"
#options "AUTO_EOI_2"
options BOUNCE_BUFFERS
#options DUMMY_NOPS
#options TUNE_1542

# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
device vt0 at isa? port "IO_KBD" tty irq 1 vector pcrint
options "PCVT_FREEBSD=210" # pcvt running on FreeBSD 2.1
options XSERVER # include code for XFree86
options FAT_CURSOR # start with block cursor

# The syscons console driver (sco color console compatible) - default.
#device sc0 at isa? port "IO_KBD" tty irq 1 vector scintr
#options "NCONS=4"

#
# Options for `sc':
#
# HARDFONTS allows the driver to load an ISO-8859-1 font to replace
# the default font in your display adapter's memory.
#
options HARDFONTS

#
# MAXCONS is maximum number of virtual consoles, no more than 16
# default value: 12
#
options "MAXCONS=16"

device npx0 at isa? port "IO_NPX" irq 13 vector npxintr

#
# Optional ISA and EISA devices:
#

#
# SCSI host adapters: `aha', `ahb', `aic', `bt', `nca'
#
# aha: Adaptec 154x
# ahb: Adaptec 174x
# ahc: Adaptec 274x
# aic: Adaptec 152x and sound cards using the Adaptec AIC-6360 (slow!)
# bt: Most Buslogic controllers
# nca: ProAudioSpectrum cards using the NCR 5380 or Trantor T130
# uha: UltraStore 14F and 34F
# sea: Seagate ST01/02 8 bit controller (slow!)
# wds: Western Digital WD7000 controller (no scatter/gather!).
#
# Note that the order is important in order for Buslogic cards to be
# probed correctly.
#
controller bt0 at isa? port "IO_BT0" bio irq ? vector btintr
#controller ahc0 at isa? bio irq ? vector ahcintr # port??? iomem?
#controller ahb0 at isa? bio irq ? vector ahbintr
controller aha0 at isa? port "IO_AHA0" bio irq ? drq 5 vector ahaintr
#controller uha0 at isa? port "IO_UHA0" bio irq ? drq 5 vector uhaintr
#controller aic0 at isa? port 0x340 bio irq 11 vector aicintr
#controller nca0 at isa? port 0x1f88 bio irq 10 vector ncaintr
#controller nca1 at isa? port 0x1f84
#controller nca2 at isa? port 0x1f8c
#controller nca3 at isa? port 0x1e88
#controller nca4 at isa? port 0x350 bio irq 5 vector ncaintr
#controller sea0 at isa? bio irq 5 iomem 0xdc000 iosiz 0x2000 vector seaintr
#controller wds0 at isa? port 0x350 bio irq 15 drq 6 vector wdsintr

#
# ST-506, ESDI, and IDE hard disks: `wdc' and `wd'
#
# NB: ``Enhanced IDE'' is NOT supported at this time.
#
controller wdc0 at isa? port "IO_WD1" bio irq 14 vector wdintr
disk wd0 at wdc0 drive 0
disk wd1 at wdc0 drive 1
controller wdc1 at isa? port "IO_WD2" bio irq 15 vector wdintr
disk wd2 at wdc1 drive 0
disk wd3 at wdc1 drive 1

#
# Standard floppy disk controllers and floppy tapes: `fdc', `fd', and `ft'
#
controller fdc0 at isa? port "IO_FD1" bio irq 6 drq 2 vector fdintr
disk fd0 at fdc0 drive 0
disk fd1 at fdc0 drive 1
tape ft0 at fdc0 drive 2

#
# Options for `fd':
#
# FDSEEKWAIT selects a non-default head-settle time (i.e., the time to
# wait after a seek is performed). The default value (1/32 s) is
# usually sufficient. The units are inverse seconds, so a value of 16
# here means to wait 1/16th of a second; you should choose a power of
# two.
#
#options FDSEEKWAIT="16"

#
# Other standard PC hardware: `lpt', `mse', `psm', `sio', etc.
#
# lpt: printer port
# mse: Logitech and ATI InPort bus mouse ports
# psm: PS/2 mouse port (needs ALLOW_CONFLICT_IOADDR, above)
# sio: serial ports (see sio(4))
# cy: Cyclades high-speed serial driver (ALPHA QUALITY!)
# gp: National Instruments AT-GPIB and AT-GPIB/TNT board
# gsc: Genius GS-4500 hand scanner.
# joy: joystick

device lpt0 at isa? port? tty irq 7 vector lptintr
device lpt1 at isa? port? tty
device lpt2 at isa? port? tty
#device mse0 at isa? port 0x23c tty irq 5 vector mseintr
#device psm0 at isa? port "IO_KBD" tty irq 12 vector psmintr
device sio0 at isa? port "IO_COM1" tty irq 4 vector siointr
device sio1 at isa? port "IO_COM2" tty irq 3 vector siointr
device sio2 at isa? port "IO_COM3" tty irq 5 vector siointr
device sio3 at isa? port "IO_COM4" tty irq 9 vector siointr
#device gp0 at isa? port 0x2c0 tty
#device gsc0 at isa? port "IO_GSC1" tty drq 3
#device joy0 at isa? port "IO_GAME"
#device cy0 at isa? tty irq 10 iomem 0xd4000 vector cyintr

# Options for sio:
#options COMCONSOLE #prefer serial console to video console
options COM_MULTIPORT #code for some cards with shared IRQs
#options DSI_SOFT_MODEM #code for DSI Softmodems

#
# Network interfaces: `cx', `ed', `el', `ep', `ie', `is', `le', `lnc'
#
# cx: Cronyx/Sigma multiport sync/async (with Cisco or PPP framing)
# ed: Western Digital and SMC 80xx; Novell NE1000 and NE2000; 3Com 3C503
# el: 3Com 3C501 (slow!)
# ep: 3Com 3C509 (buggy)
# ie: AT&T StarLAN 10 and EN100; 3Com 3C507; unknown NI5210
# le: Digital Equipment EtherWorks 2 and EtherWorks 3 (DEPCA, DE100,
# DE101, DE200, DE201, DE202, DE203, DE204, DE205, DE422)
# lnc: Lance/PCnet cards (Isolan, Novell NE2100, NE32-VL)
# ze: IBM/National Semiconductor PCMCIA ethernet controller.
# zp: 3Com PCMCIA Etherlink III (It does not require shared memory for
# send/receive operation, but it needs 'iomem' to read/write the
# attribute memory)
#
#device cx0 at isa? port 0x240 net irq 15 drq 7 vector cxintr
device ed0 at isa? port 0x280 net irq 5 iomem 0xd8000 vector edintr
#device ie0 at isa? port 0x360 net irq 7 iomem 0xd0000 vector ieintr
#device lnc0 at isa? port 0x280 net irq 10 drq 0 vector lncintr
#device ep0 at isa? port 0x300 net irq 10 vector epintr
#device el0 at isa? port 0x300 net irq 9 vector elintr
device le0 at isa? port 0x300 net irq 5 iomem 0xd0000 vector le_intr
#device ze0 at isa? port 0x300 net irq 5 iomem 0xd8000 vector zeintr
#device zp0 at isa? port 0x300 net irq 10 iomem 0xd8000 vector zpintr

# ISDN drivers - `isdn'.
#
# Uncomment one (and only one) of the following 4 drivers for the appropriate
# ISDN device you have. For more information on what's considered appropriate
# for your given set of circumstances, please read
# /usr/src/gnu/usr.sbin/docs/INSTALL. It's a bit sparse at present, but it's
# the best we have right now. The snic driver is also disabled at present,
# waiting for someone to upgrade the driver to 2.0 (it's in /sys/gnu/scsi/).
#
#device nic0 at isa? port "IO_COM3" iomem 0xe0000 tty irq 9 vector nicintr
#device nnic0 at isa? port 0x150 iomem 0xe0000 tty irq 12 vector nnicintr

# This one is also temporarily ill - needs an isa_device structure!!
#controller tel0 at isa? iomem 0xe0000 tty irq 9 vector telintr

# These are non-optional for ISDN
#pseudo-device isdn
#pseudo-device ii 4
#pseudo-device ity 4
#pseudo-device itel 2
#pseudo-device ispy 1

#
# Audio drivers: `snd', `pca'
#
# snd: Voxware sound drivers for various cards
# see /usr/src/sys/i386/isa/sound/sound.doc for details
# pca: PCM audio through your PC speaker
#
#options AUDIO_PAS
#options AUDIO_SB
#options AUDIO_ADLIB
#options AUDIO_GUS
#options AUDIO_MPU401
#options AUDIO_UART6850
#options AUDIO_PSS
#options AUDIO_GUS16
#options AUDIO_GUSMAX
#options AUDIO_MSS
#options AUDIO_SBPRO
#options AUDIO_SB16
#options AUDIO_YM3812
#device snd10 at isa? port 0x530 irq 10 drq 1 vector adintr
#device snd5 at isa? port 0x330 irq 6 vector mpuintr
#device snd4 at isa? port 0x220 irq 15 drq 6 vector gusintr
#device snd3 at isa? port 0x388 irq 10 drq 6 vector pasintr
#device snd2 at isa? port 0x220 irq 7 drq 1 vector sbintr
#device snd6 at isa? port 0x220 irq 7 drq 5 vector sbintr
#device snd7 at isa? port 0x300
#device snd1 at isa? port 0x388
device pca0 at isa? tty

#
# Miscellaneous hardware: `mcd', `wt', `ctx', `apm'
#
# mcd: Mitsumi CD-ROM
# scd: Sony CD-ROM
# matcd: Matsushita/Panasonic CD-ROM
# wt: Wangtek and Archive QIC-02/QIC-36 tape drives
# ctx: Cortex-I frame grabber
# apm: Laptop Advanced Power Management (experimental)
# spigot: The Creative Labs Video Spigot video-aquisition board
#
# Notes on the spigot:
# The video spigot is at 0xad6. This port address can not be changed.
# The irq values may only be 10, 11, or 15
# I/O memory is an 8kb region. Possible values are:
# 0a0000, 0a2000, ..., 0fffff, f00000, f02000, ..., ffffff
# Note that the start address must be on an even boundary.

device mcd0 at isa? port 0x300 bio irq 10 vector mcdintr
# for the Sony CDU31/33A CDROM
#device scd0 at isa? port 0x230 bio
# for the soundblaster 16 multicd - up to 4 devices
controller matcd0 at isa? port ?
controller matcd1 at isa? port ?
controller matcd2 at isa? port ?
controller matcd3 at isa? port ?
#device wt0 at isa? port 0x300 bio irq 5 drq 1 vector wtintr
#device ctx0 at isa? port 0x230 iomem 0xd0000
#device spigot0 at isa? port 0xad6 irq 15 iomem 0xee000 vector spigintr
#device apm0 at isa?

>Description:

fchmod does dereference vp->v_mount, which is NULL here. As usual the proc
is slirp.

Current directory is /var/crash/
Reading symbol data from /var/crash/kernel.29...done.
IdlePTD 25a000
panic: page fault
current pcb at 20851c
Reading in symbols for ../../i386/i386/machdep.c...done.
(kgdb) directory /usr/src/sys/i386/conf
Source directories searched: /m/katiska/news/crash:/usr/src/sys/i386/conf
(kgdb) up
Reading in symbols for ../../kern/subr_prf.c...done.
#1 0xf0114b43 in panic (fmt=(char *) 0xf01bca7e "page fault") (../../kern/subr_prf.c line 124)
(kgdb) up
Reading in symbols for ../../i386/i386/trap.c...done.
#2 0xf01bd57e in trap_fatal (frame=(struct trapframe *) 0xefbffe80) (../../i386/i386/trap.c line 745)
(kgdb) up
#3 0xf01bd0f0 in trap_pfault (frame=(struct trapframe *) 0xefbffe80, usermode=0) (../../i386/i386/trap.c line 667)
(kgdb) up
#4 0xf01bcd8f in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -272629868,
      tf_esi = -244656640, tf_ebp = -272629940, tf_isp = -267198779,
      tf_ebx = 0, tf_edx = -247663616, tf_ecx = 29, tf_eax = 0,
      tf_trapno = 12, tf_err = 0, tf_eip = -267198779, tf_cs = 8,
      tf_eflags = 66178, tf_esp = -272629868, tf_ss = -242884096}) (../../i386/i386/trap.c line 307)
(kgdb) down
#3 0xf01bd0f0 in trap_pfault (frame=(struct trapframe *) 0xefbffe80, usermode=0) (../../i386/i386/trap.c line 667)
(kgdb) print curpcb
$1 = -175075328
(kgdb) print &curpcb
$2 = (int *) 0xf01f8110
(kgdb) up
#4 0xf01bcd8f in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -272629868,
      tf_esi = -244656640, tf_ebp = -272629940, tf_isp = -267198779,
      tf_ebx = 0, tf_edx = -247663616, tf_ecx = 29, tf_eax = 0,
      tf_trapno = 12, tf_err = 0, tf_eip = -267198779, tf_cs = 8,
      tf_eflags = 66178, tf_esp = -272629868, tf_ss = -242884096}) (../../i386/i386/trap.c line 307)
(kgdb) print type
$3 = 0
(kgdb) up
#5 0xf01b2b4d in exception:calltrap ()
(kgdb) up
Reading in symbols for ../../kern/vfs_syscalls.c...done.
#6 0xf012dec5 in fchmod (p=(struct proc *) 0xf185e200, uap=(struct fchmod_args *) 0xefbfff94, retval=(int *) 0xefbfff8c) (../../kern/vfs_syscalls.c line 1503)
(kgdb) print vp
$4 = (struct vnode *) 0xf16ad600
(kgdb) print *vp
$5 = {v_flag = 0x00000000, v_usecount = 1, v_writecount = 1, v_holdcnt = 0,
  v_lastr = 0, v_id = 0x009127ad, v_mount = 0x0, v_op = 0xf13cf400,
  v_freelist = {tqe_next = 0x0, tqe_prev = 0xf1660d9c},
  v_mntvnodes = {le_next = 0xf15b5380, le_prev = 0xf14b41a4},
  v_cleanblkhd = {lh_first = 0x0}, v_dirtyblkhd = {lh_first = 0x0},
  v_numoutput = 0, v_type = VBAD,
  v_un = {vu_mountedhere = 0x0, vu_socket = 0x0, vu_specinfo = 0x0, vu_fifoinfo = 0x0},
  v_lease = 0x0, v_lastw = 0, v_cstart = 0, v_lasta = 0, v_clen = 0,
  v_ralen = 0, v_maxra = 0, v_vmdata = 0x0, v_tag = VT_NON, v_data = 0x0}
(kgdb) print vp->v_mount->mnt_flag
Cannot read memory: address 0x14 out of bounds.
(kgdb) print vp->v_mount
$6 = (struct mount *) 0x0
(kgdb) print p->p_fd
$7 = (struct filedesc *) 0xf1dcc180
(kgdb) print *p->p_fd
$8 = {fd_ofiles = 0xf1dcc19c, fd_ofileflags = 0xf1dcc1ec , fd_cdir = 0xf15fdd80,
  fd_rdir = 0x0, fd_nfiles = 20, fd_lastfile = 0x0004, fd_freefile = 0x0004,
  fd_cmask = 0x003f, fd_refcnt = 0x0001}
(kgdb) list
1498        if (error)
1499            return (error);
1500        vp = (struct vnode *)fp->f_data;
1501        LEASE_CHECK(vp, p, p->p_ucred, LEASE_WRITE);
1502        VOP_LOCK(vp);
1503        if (vp->v_mount->mnt_flag & MNT_RDONLY)
1504            error = EROFS;
1505        else {
1506            VATTR_NULL(&vattr);
1507            vattr.va_mode = uap->mode & ALLPERMS;
(kgdb) print vp->v_mount
$9 = (struct mount *) 0x0
(kgdb) print *vp
$10 = {v_flag = 0x00000000, v_usecount = 1, v_writecount = 1, v_holdcnt = 0,
  v_lastr = 0, v_id = 0x009127ad, v_mount = 0x0, v_op = 0xf13cf400,
  v_freelist = {tqe_next = 0x0, tqe_prev = 0xf1660d9c},
  v_mntvnodes = {le_next = 0xf15b5380, le_prev = 0xf14b41a4},
  v_cleanblkhd = {lh_first = 0x0}, v_dirtyblkhd = {lh_first = 0x0},
  v_numoutput = 0, v_type = VBAD,
  v_un = {vu_mountedhere = 0x0, vu_socket = 0x0, vu_specinfo = 0x0, vu_fifoinfo = 0x0},
  v_lease = 0x0, v_lastw = 0, v_cstart = 0, v_lasta = 0, v_clen = 0,
  v_ralen = 0, v_maxra = 0, v_vmdata = 0x0, v_tag = VT_NON, v_data = 0x0}
(kgdb)

>How-To-Repeat:

Load a P90 heavily with random users, some of them running slirp. I will
keep the crash dumps for a couple of days in case someone wants them.

>Fix:

Don't know, but either v_mount should not be NULL, or if it is ok to be
NULL here, it needs to be checked?

>Audit-Trail:
>Unformatted:
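
The failure at line 1503 of the kgdb listing above, as an added user-space C model (not FreeBSD kernel source and not a fix taken from this PR): it shows why the debugger reports address 0x14 rather than 0 for a NULL `v_mount`, and what a check placed before the dereference looks like. The `*_model` types, the padding that puts `mnt_flag` at offset 0x14, the sample vnodes and the choice of `EBADF` are assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's MNT_RDONLY and ALLPERMS. */
#define MODEL_MNT_RDONLY 0x00000001u
#define MODEL_ALLPERMS   07777u

enum vtype_model { VREG_MODEL, VBAD_MODEL };

/* Constructed layout: five 32-bit words of padding place mnt_flag at
 * offset 0x14, the address kgdb could not read in the report. The real
 * struct mount has other members there. */
struct mount_model {
    uint32_t pad[5];
    uint32_t mnt_flag;
};

struct vnode_model {
    enum vtype_model    v_type;
    struct mount_model *v_mount;
    unsigned            v_mode;   /* hypothetical stand-in for the vattr mode */
};

/* Constructed sample objects. dead_vnode mirrors the dump: VBAD, v_mount 0x0. */
static struct mount_model rw_mount   = { {0}, 0 };
static struct mount_model ro_mount   = { {0}, MODEL_MNT_RDONLY };
static struct vnode_model dead_vnode = { VBAD_MODEL, NULL, 0 };
static struct vnode_model ro_vnode   = { VREG_MODEL, &ro_mount, 0 };
static struct vnode_model rw_vnode   = { VREG_MODEL, &rw_mount, 0 };

/* Address the CPU would load for vp->v_mount->mnt_flag, computed without
 * touching memory: pointer value plus member offset. */
uintptr_t mnt_flag_address(const struct vnode_model *vp)
{
    return (uintptr_t)vp->v_mount + offsetof(struct mount_model, mnt_flag);
}

/* Shape of lines 1503-1507 in the listing: no check on v_mount, so this
 * faults when called on a vnode like dead_vnode. */
int fchmod_unchecked(struct vnode_model *vp, unsigned mode)
{
    if (vp->v_mount->mnt_flag & MODEL_MNT_RDONLY)
        return EROFS;
    vp->v_mode = mode & MODEL_ALLPERMS;
    return 0;
}

/* Guarded variant: refuse a vnode that no longer belongs to a mount before
 * the flag is read. EBADF is an assumed error code for the model. */
int fchmod_checked(struct vnode_model *vp, unsigned mode)
{
    if (vp->v_type == VBAD_MODEL || vp->v_mount == NULL)
        return EBADF;
    return fchmod_unchecked(vp, mode);
}

int main(void)
{
    printf("fault address for dead vnode: %#lx\n",
           (unsigned long)mnt_flag_address(&dead_vnode));
    printf("checked, dead vnode: %d (EBADF=%d)\n",
           fchmod_checked(&dead_vnode, 0644), EBADF);
    printf("checked, read-only mount: %d (EROFS=%d)\n",
           fchmod_checked(&ro_vnode, 0644), EROFS);
    printf("checked, writable mount: %d, mode now %o\n",
           fchmod_checked(&rw_vnode, 0104644), rw_vnode.v_mode);
    return 0;
}
```

A small nonzero fault address in kernel mode, as in the trap frame here, usually means a member access through a NULL structure pointer; the address itself is the member's offset.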