Re: newfs_msdos and DVD-RAM

From: Fabian Keil <freebsd-listen_at_fabiankeil.de>
Date: Sun, 28 Mar 2010 17:25:37 +0200
Andriy Gapon <avg_at_icyb.net.ua> wrote:

> on 19/03/2010 20:26 Paul B Mahol said the following:
> > On Fri, Mar 19, 2010 at 7:11 PM, Fabian Keil
> > <freebsd-listen_at_fabiankeil.de> wrote:
> >> Paul B Mahol <onemda_at_gmail.com> wrote:
> >>
> >>> FreeBSD 9.0 CURRENT panics when mounting file system created via
> >>> newfs_msdos on DVD-RAM disc.
> >>> Something to do about divide by zero.
> >> I recently had a similar problem with a 16GB iPod. I still haven't
> >> managed to actually mount it, but the patch below at least works
> >> around the panic.
> >>
> >> Does it work for you, too?
> > 
> > Obviously it will fix panic, but will not allow to mount. Zero value
> > should be handled
> > already much before. It looks the real bug is in newfs_msdos.
> > 
> 
> Looking at the code in mountmsdosfs(), it seems that SecPerClust can
> have zero value at the place of the crash only if pm_BlkPerSec is zero.
> See this line and the check above it:
> SecPerClust         *= pmp->pm_BlkPerSec;
> But that is impossible because of the same if statement.
> 
> In my opinion, the only possible explanation is an overflow of a
> SecPerClust value.  Given that its type is u_int8_t, it seems plausible.

That seems to be indeed the case. Adding a printf before
	SecPerClust         *= pmp->pm_BlkPerSec;

Results in: Multiplying 64 with 8

Using an unsigned int for SecPerClust allows to mount the file
system and df -h correctly shows its size, but cd'ing into it
and running ls -l leads to another panic:

fk_at_r500 /usr/crash $kgdb kernel.1/kernel.symbols vmcore.1
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
panic: getblk: size(262144) > MAXBSIZE(65536)

cpuid = 0
KDB: enter: panic
panic: from debugger
cpuid = 0
Uptime: 4m44s
Dumping 1992 MB (5 chunks)
  chunk 0: 1MB (155 pages) ... ok
  chunk 1: 1990MB (509345 pages) 1974 [...] ... ok
  chunk 2: 2MB (273 pages) ... ok
  chunk 3: 1MB (184 pages)

Reading symbols from /boot/kernel/zfs.ko...Reading symbols from /boot/kernel/zfs.ko.symbols...done.
[...]
#0  doadump () at pcpu.h:223
223     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) where
#0  doadump () at pcpu.h:223
#1  0xffffffff803be9ef in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:416
#2  0xffffffff803bedec in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:579
#3  0xffffffff801f58f7 in db_panic (addr=Variable "addr" is not available.
) at /usr/src/sys/ddb/db_command.c:478
#4  0xffffffff801f5d01 in db_command (last_cmdp=0xffffffff808a93c0, cmd_table=Variable "cmd_table" is not available.
) at /usr/src/sys/ddb/db_command.c:445
#5  0xffffffff801f5f50 in db_command_loop () at /usr/src/sys/ddb/db_command.c:498
#6  0xffffffff801f7ea9 in db_trap (type=Variable "type" is not available.
) at /usr/src/sys/ddb/db_main.c:229
#7  0xffffffff803ed545 in kdb_trap (type=3, code=0, tf=0xffffff803e71c480) at /usr/src/sys/kern/subr_kdb.c:535
#8  0xffffffff80619e28 in trap (frame=0xffffff803e71c480) at /usr/src/sys/amd64/amd64/trap.c:621
#9  0xffffffff80600af3 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:224
#10 0xffffffff803ed71d in kdb_enter (why=0xffffffff806be028 "panic", msg=0xa <Address 0xa out of bounds>) at cpufunc.h:63
#11 0xffffffff803bedfb in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:562
#12 0xffffffff8042ecde in getblk (vp=0xffffff006dbfad20, blkno=992, size=262144, slpflag=0, slptimeo=Variable "slptimeo" is not available.
) at /usr/src/sys/kern/vfs_bio.c:2523
#13 0xffffffff8042f12f in breadn (vp=0xffffff006dbfad20, blkno=Variable "blkno" is not available.
) at /usr/src/sys/kern/vfs_bio.c:800
#14 0xffffffff8042f24e in bread (vp=Variable "vp" is not available.
) at /usr/src/sys/kern/vfs_bio.c:748
#15 0xffffffff8035efc2 in msdosfs_readdir (ap=0xffffff803e71ca60) at /usr/src/sys/fs/msdosfs/msdosfs_vnops.c:1641
#16 0xffffffff8044b33d in kern_getdirentries (td=0xffffff006db6d3b0, fd=Variable "fd" is not available.
) at vnode_if.h:758
#17 0xffffffff8044b5f3 in getdirentries (td=Variable "td" is not available.
) at /usr/src/sys/kern/vfs_syscalls.c:4066
#18 0xffffffff806199ed in syscall (frame=0xffffff803e71cc80) at /usr/src/sys/amd64/amd64/trap.c:1026
#19 0xffffffff80600dd1 in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:373
#20 0x000000080091916c in ?? ()
Previous frame inner to this frame (corrupt stack?)

Fabian

Received on Sun Mar 28 2010 - 13:24:51 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:02 UTC