From owner-freebsd-bugs Fri Feb 1 14:40:24 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP id 6066E37B41A
    for ; Fri, 1 Feb 2002 14:40:02 -0800 (PST)
Received: (from gnats@localhost)
    by freefall.freebsd.org (8.11.6/8.11.6) id g11Me2f26417;
    Fri, 1 Feb 2002 14:40:02 -0800 (PST) (envelope-from gnats)
Received: from kevinday.com (dsl092-133-149.chi1.dsl.speakeasy.net [66.92.133.149])
    by hub.freebsd.org (Postfix) with ESMTP id 3410537B405
    for ; Fri, 1 Feb 2002 14:31:44 -0800 (PST)
Received: (from root@localhost)
    by gw.kevinday.com (8.11.6/8.11.6) id g11NRFu02041;
    Fri, 1 Feb 2002 17:27:15 -0600 (CST) (envelope-from toasty)
Message-Id: <200202012327.g11NRFu02041@gw.kevinday.com>
Date: Fri, 1 Feb 2002 17:27:15 -0600 (CST)
From: toasty
Reply-To: toasty
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: bin/34539: [PATCH] fsck(8) doesn't account for negative values in some signed fields
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number: 34539
>Category: bin
>Synopsis: [PATCH] fsck(8) doesn't account for negative values in some signed fields
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Feb 01 14:40:02 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: toasty
>Release: FreeBSD 4.4-RELEASE i386
>Organization: DragonData
>Environment:
System: FreeBSD gw.kevinday.com 4.4-RELEASE FreeBSD 4.4-RELEASE #4: Thu Jan 17 23:34:34 CST 2002 toasty@gw.kevinday.com:/usr/src/sys/compile/GW i386
>Description:
In fs.h:

    /*
     * Cylinder group block for a file system.
     */
    struct cg {
        ...
        int32_t cg_rotor;   /* position of last used block */
        int32_t cg_frotor;  /* position of last used frag */
        int32_t cg_irotor;  /* position of last used inode */
        ...
    }

These are signed fields, but fsck never checks for negative values. We had a system crash, and came back with negative values in a few irotor fields on a FS. Fsck says the FS was fine, but the kernel crashed every time that CG was used.

I discussed this with a few people. I originally suggested changing this to an unsigned value, but it was pointed out that NetBSD tried this and it ended up being quite a bit of work.

My patch below checks for negative numbers, and corrects them.
>How-To-Repeat:
>Fix:
--- pass5.c.orig Fri Feb 1 17:16:48 2002 +++ pass5.c Fri Feb 1 17:18:19 2002 
@@ -195,15 +195,15 @@ newcg->cg_cs.cs_nffree = 0; newcg->cg_cs.cs_nbfree = 0; newcg->cg_cs.cs_nifree = fs->fs_ipg; - if (cg->cg_rotor < newcg->cg_ndblk) + if ((cg->cg_rotor < newcg->cg_ndblk) && (cg->cg_rotor > 0)) newcg->cg_rotor = cg->cg_rotor; else newcg->cg_rotor = 0; - if (cg->cg_frotor < newcg->cg_ndblk) + if ((cg->cg_frotor < newcg->cg_ndblk) && (cg->cg_frotor > 0)) newcg->cg_frotor = cg->cg_frotor; else newcg->cg_frotor = 0; - if (cg->cg_irotor < newcg->cg_niblk) + if ((cg->cg_irotor < newcg->cg_niblk) && (cg->cg_irotor > 0)) newcg->cg_irotor = cg->cg_irotor; else newcg->cg_irotor = 0; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
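
Review bot: The added lower bound in all three conditions is written as `> 0` (for example `(cg->cg_rotor > 0)`), which sends a legitimate rotor value of 0 down the else branch. The result is still correct because that branch assigns 0, but the condition reads as though 0 were out of range; `>= 0` would state the valid interval directly. I would also put the sign test first, e.g. `if (cg->cg_irotor >= 0 && cg->cg_irotor < newcg->cg_niblk)`, so each condition reads as a range check from low to high, and drop the extra parentheses around each comparison. A short comment above the three checks saying that the rotor fields are signed and can be negative in a damaged cylinder group would explain why the lower bound is there, since the hunk itself gives no hint of it.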