From: "Peter Edwards"
To: freebsd-current@freebsd.org
Subject: Opening /dev/tty in session leader after controlling terminal is revoked causes panic.
Date: Sat, 25 Jan 2003 18:34:06 +0000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="-------3K5K4NHDM57INZZ7J97H8123"
Content-Transfer-Encoding: 8bit
Message-Id: <20030125183411.997FE43F43@mx1.FreeBSD.org>

This is a multi-part message in MIME format.

---------3K5K4NHDM57INZZ7J97H8123
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Attached is a panic and a patch for the problem in the Subject line.

The problem is in kern/tty_tty.c:ctty_clone. It's assuming that if the process has its P_CONTROLT flag set, then its session has a valid vnode for its controlling terminal. This doesn't hold if the terminal was revoked.

Cheers,
Peter Edwards.

---------3K5K4NHDM57INZZ7J97H8123
Content-Type: text/plain
Content-Disposition: attachment; filename="gdb.txt"

GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
panic: bdwrite: buffer is not busy
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x88
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc020795a
stack pointer           = 0x10:0xcdd7e7b8
frame pointer           = 0x10:0xcdd7e7c8
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 986 (mozilla-bin)
trap number             = 12
panic: page fault

syncing disks, buffers remaining... panic: bdwrite: buffer is not busy
Uptime: 20h40m24s
Dumping 256 MB
ata0: resetting devices .. done
 16 32 48 64 80 96 112 128 144 160 176 192[CTRL-C to abort] 208 224 240
---
#0  doadump () at /pub/FreeBSD/current/src/sys/kern/kern_shutdown.c:232
232             dumping++;
(kgdb) p/a 0xc020795a
$1 = 0xc020795a
(kgdb) bt
#0  doadump () at /pub/FreeBSD/current/src/sys/kern/kern_shutdown.c:232
#1  0xc01d1969 in boot (howto=260) at /pub/FreeBSD/current/src/sys/kern/kern_shutdown.c:364
#2  0xc01d1bc3 in panic () at /pub/FreeBSD/current/src/sys/kern/kern_shutdown.c:531
#3  0xc0214ea0 in bdwrite (bp=0xc7783bf0) at /pub/FreeBSD/current/src/sys/kern/vfs_bio.c:955
#4  0xc028abab in ffs_update (vp=0xc27d3b18, waitfor=0) at /pub/FreeBSD/current/src/sys/ufs/ffs/ffs_inode.c:125
#5  0xc029f62f in ffs_fsync (ap=0xcdd7e5c0) at /pub/FreeBSD/current/src/sys/ufs/ffs/ffs_vnops.c:315
#6  0xc029e5f7 in ffs_sync (mp=0xc2691000, waitfor=2, cred=0xc0eb6e80, td=0xc034f000) at vnode_if.h:612
#7  0xc022a7db in sync (td=0xc034f000, uap=0x0) at /pub/FreeBSD/current/src/sys/kern/vfs_syscalls.c:138
#8  0xc01d154c in boot (howto=256) at /pub/FreeBSD/current/src/sys/kern/kern_shutdown.c:273
#9  0xc01d1bc3 in panic () at /pub/FreeBSD/current/src/sys/kern/kern_shutdown.c:531
#10 0xc02f9c42 in trap_fatal (frame=0xcdd7e778, eva=0) at /pub/FreeBSD/current/src/sys/i386/i386/trap.c:844
#11 0xc02f9922 in trap_pfault (frame=0xcdd7e778, usermode=0, eva=136) at /pub/FreeBSD/current/src/sys/i386/i386/trap.c:758
#12 0xc02f93f0 in trap (frame=
      {tf_fs = -841547752, tf_es = -841547760, tf_ds = -1069416432, tf_edi = -1033343948, tf_esi = -841487372, tf_ebp = -841488440, tf_isp = -841488476, tf_ebx = -841488376, tf_edx = -841488260, tf_ecx = -1070401078, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1071613606, tf_cs = 8, tf_eflags = 66050, tf_esp = -841488264, tf_ss = -1070401082}) at /pub/FreeBSD/current/src/sys/i386/i386/trap.c:445
#13 0xc02e94a8 in calltrap () at {standard input}:98
#14 0xc0195f38 in devfs_lookupx (ap=0x0) at /pub/FreeBSD/current/src/sys/fs/devfs/devfs_vnops.c:382
#15 0xc01961db in devfs_lookup (ap=0xcdd7e914) at /pub/FreeBSD/current/src/sys/fs/devfs/devfs_vnops.c:448
#16 0xc021ed12 in lookup (ndp=0xcdd7ebcc) at vnode_if.h:52
#17 0xc021e71b in namei (ndp=0xcdd7ebcc) at /pub/FreeBSD/current/src/sys/kern/vfs_lookup.c:181
#18 0xc0231eb9 in vn_open_cred (ndp=0xcdd7ebcc, flagp=0xcdd7eccc, cmode=420, cred=0xc2afb500) at /pub/FreeBSD/current/src/sys/kern/vfs_vnops.c:122
#19 0xc0231e59 in vn_open (ndp=0x0, flagp=0x0, cmode=0) at /pub/FreeBSD/current/src/sys/kern/vfs_vnops.c:86
#20 0xc022b683 in kern_open (td=0xc264d8c0, path=0x0, pathseg=UIO_USERSPACE, flags=1538, mode=438) at /pub/FreeBSD/current/src/sys/kern/vfs_syscalls.c:662
#21 0xc022b490 in open (td=0x0, uap=0x0) at /pub/FreeBSD/current/src/sys/kern/vfs_syscalls.c:625
#22 0xc02f9f6a in syscall (frame=
      {tf_fs = -65489, tf_es = -1078001617, tf_ds = -1078001617, tf_edi = 703138768, tf_esi = 678015352, tf_ebp = -1077956120, tf_isp = -841486988, tf_ebx = 677213476, tf_edx = 1537, tf_ecx = 678015352, tf_eax = 5, tf_trapno = 12, tf_err = 2, tf_eip = 677550019, tf_cs = 31, tf_eflags = 518, tf_esp = -1077956148, tf_ss = 47}) at /pub/FreeBSD/current/src/sys/i386/i386/trap.c:1033
#23 0xc02e94fd in Xint0x80_syscall () at {standard input}:140
---Can't read userspace from dump, or kernel process---

(kgdb) disas ctty_clone
Dump of assembler code for function ctty_clone:
0xc0207910 : push %ebp
0xc0207911 : mov %esp,%ebp
0xc0207913 : sub $0x10,%esp 0xc0207916 : mov %ebx,0xfffffffc(%ebp) 0xc0207919 : mov 0x14(%ebp),%ebx 0xc020791c : cmpl $0xffffffff,(%ebx) 0xc020791f : jne 0xc0207970 0xc0207921 : movl $0xc032f9c6,0x4(%esp,1) 0xc0207929 : mov 0xc(%ebp),%eax 0xc020792c : mov %eax,(%esp,1) 0xc020792f : call 0xc0234a20 0xc0207934 : test %eax,%eax 0xc0207936 : jne 0xc0207970 0xc0207938 : mov %fs:0x0,%eax 0xc020793e : mov (%eax),%eax 0xc0207940 : testb $0x2,0x38(%eax) 0xc0207944 : je 0xc0207962 0xc0207946 : mov %fs:0x0,%eax 0xc020794c : mov (%eax),%eax 0xc020794e : mov 0x15c(%eax),%eax 0xc0207954 : mov 0xc(%eax),%eax 0xc0207957 : mov 0x8(%eax),%eax 0xc020795a : mov 0x88(%eax),%eax 0xc0207960 : jmp 0xc0207967 0xc0207962 : mov 0xc0381eec,%eax 0xc0207967 : mov %eax,(%ebx) 0xc0207969 : lea 0x0(%esi,1),%esi 0xc0207970 : mov 0xfffffffc(%ebp),%ebx 0xc0207973 : mov %ebp,%esp 0xc0207975 : pop %ebp 0xc0207976 : ret End of assembler dump. (kgdb) ---------3K5K4NHDM57INZZ7J97H8123 Content-Type: text/plain Content-Disposition: attachment; filename="ttypatch.txt" Index: sys/kern/tty_tty.c =================================================================== RCS file: /pub/FreeBSD/development/FreeBSD-CVS/src/sys/kern/tty_tty.c,v retrieving revision 1.46 diff -u -r1.46 tty_tty.c --- sys/kern/tty_tty.c 19 Jan 2003 11:03:07 -0000 1.46 +++ sys/kern/tty_tty.c 25 Jan 2003 18:22:55 -0000 @@ -66,12 +66,15 @@ ctty_clone(void *arg, char *name, int namelen, dev_t *dev) { + struct proc *p = curthread->td_proc; + struct vnode *ttyvp; + if (*dev != NODEV) return; if (strcmp(name, "tty")) return; - if (curthread->td_proc->p_flag & P_CONTROLT) - *dev = curthread->td_proc->p_session->s_ttyvp->v_rdev; + if (p->p_flag & P_CONTROLT && (ttyvp = p->p_session->s_ttyvp) != NULL) + *dev = ttyvp->v_rdev; else *dev = ctty; } ---------3K5K4NHDM57INZZ7J97H8123-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
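
Review bot: The new condition in ctty_clone tests s_ttyvp for NULL and then dereferences the saved pointer for v_rdev, but nothing in this hunk takes a lock or a vnode reference, so whether a revoke can clear or recycle the session's vnode between the test and the ttyvp->v_rdev read depends on serialization that is not visible here. Please state in a comment what keeps the vnode valid across those two steps, or take the appropriate lock around the lookup. A short comment that P_CONTROLT can stay set after the controlling terminal is revoked, leaving s_ttyvp NULL, would also explain why the extra test exists. Style: parenthesize (p->p_flag & P_CONTROLT) so the grouping of & and && is explicit.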