Hello. Last night I was trying to start an anonymous ftp server on my -current box for my local network. I made a mistake in vipw:

ftp:*:44444:44444:Unprivileged user:/sbin/nologin:/home/mp3

i.e., wrote a path to a script where directory is needed, and directory where path to shell is needed. Without noticing, I started ftpd in standalone mode, and logged in as user ftp, when the box panicked:

# /usr/libexec/ftpd -AD
# ftp -4 localhost

On 4.7-RC1 box, this just spewed an error message in /var/log/messages and didn't panic, and man 2 chroot doesn't state it should. If there's something other than the backtrace (attached), let me know it.

Regards.

Script started on Thu Oct 3 23:27:19 2002
qhwt@gzl$ gdb -k /usr/obj/kernel/kernel.debug vmcore.14
GNU gdb 5.2.0 (FreeBSD) 20020627
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
panic: bdwrite: buffer is not busy
panic messages:
---
panic: vrele: negative ref cnt
syncing disks... panic: bdwrite: buffer is not busy
Uptime: 5m31s
Dumping 63 MB
ata0: resetting devices ..
ata0: mask=03 ostat0=50 ostat2=00
ad0: ATAPI 00 00
ata0-slave: ATAPI 00 00
ata0: mask=03 stat0=50 stat1=00
ad0: ATA 01 a5
ata0: devices=01
ad0: success setting PIO4 on generic chip
done
 16 32 48
---
#0  doadump () at /home/usr.src/sys/kern/kern_shutdown.c:223
223             dumping++;
(kgdb) bt
#0  doadump () at /home/usr.src/sys/kern/kern_shutdown.c:223
#1  0xc0198625 in boot (howto=260) at /home/usr.src/sys/kern/kern_shutdown.c:355
#2  0xc0198873 in panic () at /home/usr.src/sys/kern/kern_shutdown.c:508
#3  0xc01d725d in bdwrite (bp=0xc223edd0) at /home/usr.src/sys/kern/vfs_bio.c:952
#4  0xc0273d4b in ffs_update (vp=0xc13cb6f0, waitfor=0)
    at /home/usr.src/sys/ufs/ffs/ffs_inode.c:125
#5  0xc028702f in ffs_fsync (ap=0xc73a1ab0)
    at /home/usr.src/sys/ufs/ffs/ffs_vnops.c:309
#6  0xc0286b89 in VOP_FSYNC (vp=0x0, cred=0x0, waitfor=0, td=0x0) at vnode_if.h:612
#7  0xc0286014 in ffs_sync (mp=0xc0f9f800, waitfor=2, cred=0xc0726d80, td=0xc033e460)
    at /home/usr.src/sys/ufs/ffs/ffs_vfsops.c:1127
#8  0xc01ebd38 in sync (td=0xc033e460, uap=0x0)
    at /home/usr.src/sys/kern/vfs_syscalls.c:130
#9  0xc019820c in boot (howto=256) at /home/usr.src/sys/kern/kern_shutdown.c:264
#10 0xc0198873 in panic () at /home/usr.src/sys/kern/kern_shutdown.c:508
#11 0xc01e8618 in vrele (vp=0xc0fce4a0) at /home/usr.src/sys/kern/vfs_subr.c:2163
#12 0xc01eb7a9 in NDFREE (ndp=0xc73a1c78, flags=0)
    at /home/usr.src/sys/kern/vfs_subr.c:3590
---Type <return> to continue, or q <return> to quit---
#13 0xc01ec8d3 in chroot (td=0xc142f0c0, uap=0x0)
    at /home/usr.src/sys/kern/vfs_syscalls.c:564
#14 0xc02de39a in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 126, tf_esi = -1077936868, tf_ebp = -1077939528, tf_isp = -952492684, tf_ebx = 0, tf_edx = -1, tf_ecx = 2, tf_eax = 61, tf_trapno = 0, tf_err = 2, tf_eip = 672269963, tf_cs = 31, tf_eflags = 514, tf_esp = -1077941908, tf_ss = 47})
    at /home/usr.src/sys/i386/i386/trap.c:1050
#15 0xc02ce9bd in Xint0x80_syscall () at {standard input}:140
---Can't read userspace from dump, or kernel process---

(kgdb) frame 11
#11 0xc01e8618 in vrele (vp=0xc0fce4a0) at /home/usr.src/sys/kern/vfs_subr.c:2163
2163                    panic("vrele: negative ref cnt");
(kgdb) print vp->v_usecount
$1 = 0
(kgdb) print *vp
$2 = {v_interlock = {mtx_object = {lo_class = 0xc0342920,
      lo_name = 0xc030b67b "vnode interlock",
      lo_type = 0xc030b67b "vnode interlock", lo_flags = 196608, lo_list = {
        tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 4,
    mtx_recurse = 0, mtx_blocked = {tqh_first = 0x0, tqh_last = 0xc0fce4c4},
    mtx_contested = {le_next = 0x0, le_prev = 0x0}, mtx_acqtime = 0,
    mtx_filename = 0x0, mtx_lineno = 0}, v_iflag = 256, v_usecount = 0,
  v_numoutput = 0, v_vxproc = 0x0, v_holdcnt = 0, v_cleanblkhd = {
    tqh_first = 0x0, tqh_last = 0xc0fce4f8}, v_cleanblkroot = 0x0,
  v_dirtyblkhd = {tqh_first = 0x0, tqh_last = 0xc0fce504},
  v_dirtyblkroot = 0x0, v_vflag = 8, v_writecount = 0, v_object = 0xc14522bc,
  v_lastw = 0, v_cstart = 0, v_lasta = 0, v_clen = 0, v_un = {
    vu_mountedhere = 0x0, vu_socket = 0x0, vu_spec = {vu_specinfo = 0x0,
      vu_specnext = {sle_next = 0x0}}, vu_fifoinfo = 0x0}, v_freelist = {
    tqe_next = 0x0, tqe_prev = 0xc13ca2f0}, v_nmntvnodes = {tqe_next = 0x0,
    tqe_prev = 0xc0fd2b10}, v_synclist = {le_next = 0x0,
    le_prev = 0xc0f6912c}, v_type = VREG, v_tag = 0xc0321a29 "ufs",
  v_data = 0xc14b9800, v_lock = {lk_interlock = 0xc036f728, lk_flags = 64,
    lk_sharecount = 0, lk_waitcount = 0, lk_exclusivecount = 0, lk_prio = 72,
    lk_wmesg = 0xc0321c77 "inode", lk_timo = 6, lk_lockholder = -1},
  v_vnlock = 0xc0fce564, v_op = 0xc0f7ca00, v_mount = 0xc0fa4a00,
  v_cache_src = {lh_first = 0x0}, v_cache_dst = {tqh_first = 0xc13d68c0,
    tqh_last = 0xc13d68d0}, v_id = 2506, v_dd = 0xc0fce4a0, v_ddid = 0,
---Type <return> to continue, or q <return> to quit---
  v_pollinfo = 0x0, v_label = {l_flags = 0, l_perpolicy = {{l_ptr = 0x0,
        l_long = 0}, {l_ptr = 0x0, l_long = 0}, {l_ptr = 0x0, l_long = 0}, {
        l_ptr = 0x0, l_long = 0}}}, v_cachedfs = 29696,
  v_cachedid = 4294967295}
(kgdb) qhwt@gzl$ ^D
Script done on Thu Oct 3 23:28:34 2002
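
Added example, not part of the original message and not FreeBSD code: a user-space pre-flight check that catches the swapped home/shell fields described in the report before a daemon passes the home field to chroot(2). The function name and PW_* flags are hypothetical, and it assumes the seven-field line format exactly as quoted in the post.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PW_OK          0
#define PW_MALFORMED   1  /* not exactly 7 colon-separated fields */
#define PW_HOME_NOTDIR 2  /* field 6 is not an existing directory */
#define PW_SHELL_BAD   4  /* field 7 is not an executable regular file */

/* Check the home (6th) and shell (7th) fields of one passwd(5)-style line. */
int check_passwd_line(const char *line)
{
    char buf[1024], *f[7], *p = buf;
    struct stat st;
    int n = 0, rc = PW_OK;
    if (strlen(line) >= sizeof(buf))
        return PW_MALFORMED;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    /* Split in place on ':'; an eighth field means the line is malformed. */
    for (f[n++] = p; (p = strchr(p, ':')) != NULL; ) {
        *p++ = '\0';
        if (n == 7)
            return PW_MALFORMED;
        f[n++] = p;
    }
    if (n != 7)
        return PW_MALFORMED;

    /* chroot(2)/chdir(2) need a directory here, not a program. */
    if (stat(f[5], &st) != 0 || !S_ISDIR(st.st_mode))
        rc |= PW_HOME_NOTDIR;
    /* The shell must be a regular file the caller may execute. */
    if (stat(f[6], &st) != 0 || !S_ISREG(st.st_mode) || access(f[6], X_OK) != 0)
        rc |= PW_SHELL_BAD;
    return rc;
}

int main(void)
{
    /* The entry exactly as quoted in the report (home and shell swapped). */
    const char *bad = "ftp:*:44444:44444:Unprivileged user:/sbin/nologin:/home/mp3";
    int rc = check_passwd_line(bad);
    printf("result=%d home_notdir=%d shell_bad=%d\n", rc,
           !!(rc & PW_HOME_NOTDIR), !!(rc & PW_SHELL_BAD));
    return rc != PW_OK;
}
```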