Date: Sun, 28 Mar 2010 17:25:37 +0200
From: Fabian Keil
To: freebsd-current@freebsd.org
Subject: Re: newfs_msdos and DVD-RAM
Message-ID: <20100328172537.501ed3d1@r500.local>
In-Reply-To: <4BAA30CB.1070707@icyb.net.ua>

Andriy Gapon wrote:

> on 19/03/2010 20:26 Paul B Mahol said the following:
> > On Fri, Mar 19, 2010 at 7:11 PM, Fabian Keil
> > wrote:
> >> Paul B Mahol wrote:
> >>
> >>> FreeBSD 9.0 CURRENT panics when mounting file system created via
> >>> newfs_msdos on DVD-RAM disc.
> >>> Something to do about divide by zero.
> >> I recently had a similar problem with a 16GB iPod. I still haven't
> >> managed to actually mount it, but the patch below at least works
> >> around the panic.
> >>
> >> Does it work for you, too?
> >
> > Obviously it will fix panic, but will not allow to mount. Zero value
> > should be handled
> > already much before. It looks the real bug is in newfs_msdos.
> >
>
> Looking at the code in mountmsdosfs(), it seems that SecPerClust can
> have zero value at the place of the crash only if pm_BlkPerSec is zero.
> See this line and the check above it:
> SecPerClust *= pmp->pm_BlkPerSec;
> But that is impossible because of the same if statement.
>
> In my opinion, the only possible explanation is an overflow of a
> SecPerClust value. Given that its type is u_int8_t, it seems plausible.

That seems to be indeed the case. Adding a printf before
SecPerClust *= pmp->pm_BlkPerSec;

Results in:
Multiplying 64 with 8

Using an unsigned int for SecPerClust allows to mount the file
system and df -h correctly shows its size, but cd'ing into it
and running ls -l leads to another panic:

fk@r500 /usr/crash $kgdb kernel.1/kernel.symbols vmcore.1
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
Unread portion of the kernel message buffer:
panic: getblk: size(262144) > MAXBSIZE(65536)
cpuid = 0
KDB: enter: panic
panic: from debugger
cpuid = 0
Uptime: 4m44s
Dumping 1992 MB (5 chunks)
  chunk 0: 1MB (155 pages) ... ok
  chunk 1: 1990MB (509345 pages) 1974 [...] ... ok
  chunk 2: 2MB (273 pages) ... ok
  chunk 3: 1MB (184 pages)

Reading symbols from /boot/kernel/zfs.ko...Reading symbols from /boot/kernel/zfs.ko.symbols...done.
[...]
#0  doadump () at pcpu.h:223
223 pcpu.h: No such file or directory.
    in pcpu.h
(kgdb) where
#0  doadump () at pcpu.h:223
#1  0xffffffff803be9ef in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:416
#2  0xffffffff803bedec in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:579
#3  0xffffffff801f58f7 in db_panic (addr=Variable "addr" is not available.
) at /usr/src/sys/ddb/db_command.c:478
#4  0xffffffff801f5d01 in db_command (last_cmdp=0xffffffff808a93c0, cmd_table=Variable "cmd_table" is not available.
) at /usr/src/sys/ddb/db_command.c:445
#5  0xffffffff801f5f50 in db_command_loop () at /usr/src/sys/ddb/db_command.c:498
#6  0xffffffff801f7ea9 in db_trap (type=Variable "type" is not available.
) at /usr/src/sys/ddb/db_main.c:229
#7  0xffffffff803ed545 in kdb_trap (type=3, code=0, tf=0xffffff803e71c480) at /usr/src/sys/kern/subr_kdb.c:535
#8  0xffffffff80619e28 in trap (frame=0xffffff803e71c480) at /usr/src/sys/amd64/amd64/trap.c:621
#9  0xffffffff80600af3 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:224
#10 0xffffffff803ed71d in kdb_enter (why=0xffffffff806be028 "panic", msg=0xa
) at cpufunc.h:63
#11 0xffffffff803bedfb in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:562
#12 0xffffffff8042ecde in getblk (vp=0xffffff006dbfad20, blkno=992, size=262144, slpflag=0, slptimeo=Variable "slptimeo" is not available.
) at /usr/src/sys/kern/vfs_bio.c:2523
#13 0xffffffff8042f12f in breadn (vp=0xffffff006dbfad20, blkno=Variable "blkno" is not available.
) at /usr/src/sys/kern/vfs_bio.c:800
#14 0xffffffff8042f24e in bread (vp=Variable "vp" is not available.
) at /usr/src/sys/kern/vfs_bio.c:748
#15 0xffffffff8035efc2 in msdosfs_readdir (ap=0xffffff803e71ca60) at /usr/src/sys/fs/msdosfs/msdosfs_vnops.c:1641
#16 0xffffffff8044b33d in kern_getdirentries (td=0xffffff006db6d3b0, fd=Variable "fd" is not available.
) at vnode_if.h:758
#17 0xffffffff8044b5f3 in getdirentries (td=Variable "td" is not available.
) at /usr/src/sys/kern/vfs_syscalls.c:4066
#18 0xffffffff806199ed in syscall (frame=0xffffff803e71cc80) at /usr/src/sys/amd64/amd64/trap.c:1026
#19 0xffffffff80600dd1 in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:373
#20 0x000000080091916c in ?? ()
Previous frame inner to this frame (corrupt stack?)

Fabian
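
Added example, not part of the original message and not FreeBSD's code: the 8-bit truncation reported above (64 * 8 stored in a u_int8_t) beside a widened check that also rejects the cluster size that later tripped getblk. DEV_BSIZE = 512 and the names scale_narrow and check_geometry are assumptions; MAXBSIZE is the value printed in the panic.

```c
#include <stdint.h>
#include <stdio.h>

#define DEV_BSIZE 512u    /* assumption: device block size in bytes */
#define MAXBSIZE  65536u  /* value printed in the getblk panic above */

enum geom_status { GEOM_OK, GEOM_ZERO, GEOM_TOO_BIG };

/* The multiplication as the thread describes it, with an 8-bit result. */
static uint8_t scale_narrow(uint8_t sec_per_clust, uint32_t blk_per_sec)
{
    /* 64 * 8 = 512 = 0x200; only the low byte is kept, so the result is 0. */
    return (uint8_t)(sec_per_clust * blk_per_sec);
}

/*
 * Hypothetical hardened form: multiply in a wide type, then refuse a zero
 * cluster (a later divisor) and a cluster larger than one buffer may hold.
 */
static enum geom_status check_geometry(uint8_t sec_per_clust,
    uint32_t blk_per_sec, uint32_t *blk_per_clust)
{
    uint64_t blocks = (uint64_t)sec_per_clust * blk_per_sec;

    if (blocks == 0)
        return GEOM_ZERO;
    if (blocks * DEV_BSIZE > MAXBSIZE)
        return GEOM_TOO_BIG;
    *blk_per_clust = (uint32_t)blocks;
    return GEOM_OK;
}

int main(void)
{
    uint32_t out = 0;
    enum geom_status st;

    printf("narrow 64*8 -> %u\n", (unsigned)scale_narrow(64, 8));
    st = check_geometry(64, 8, &out);
    printf("checked 64*8 -> status %d (cluster = %u bytes)\n",
        (int)st, 64u * 8u * DEV_BSIZE);
    st = check_geometry(8, 8, &out);
    printf("checked 8*8 -> status %d, %u blocks\n", (int)st, (unsigned)out);
    return 0;
}
```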