Date:      Sun, 28 Mar 2010 17:25:37 +0200
From:      Fabian Keil <freebsd-listen@fabiankeil.de>
To:        freebsd-current@freebsd.org
Subject:   Re: newfs_msdos and DVD-RAM
Message-ID:  <20100328172537.501ed3d1@r500.local>
In-Reply-To: <4BAA30CB.1070707@icyb.net.ua>
References:  <3a142e751003190508x6a06868ene2e8fd9ddd977f66@mail.gmail.com> <3a142e751003191021p141af009m6acf7d160c890cbb@mail.gmail.com> <20100319191133.46fe271c@r500.local> <3a142e751003191126j331e525fwb9e5573bbf6f7d58@mail.gmail.com> <4BAA30CB.1070707@icyb.net.ua>


Andriy Gapon <avg@icyb.net.ua> wrote:

> on 19/03/2010 20:26 Paul B Mahol said the following:
> > On Fri, Mar 19, 2010 at 7:11 PM, Fabian Keil
> > <freebsd-listen@fabiankeil.de> wrote:
> >> Paul B Mahol <onemda@gmail.com> wrote:
> >>
> >>> FreeBSD 9.0 CURRENT panics when mounting file system created via
> >>> newfs_msdos on DVD-RAM disc.
> >>> Something to do about divide by zero.
> >> I recently had a similar problem with a 16GB iPod. I still haven't
> >> managed to actually mount it, but the patch below at least works
> >> around the panic.
> >>
> >> Does it work for you, too?
> >
> > Obviously it will fix panic, but will not allow to mount. Zero value
> > should be handled
> > already much before. It looks the real bug is in newfs_msdos.
> >
>
> Looking at the code in mountmsdosfs(), it seems that SecPerClust can
> have zero value at the place of the crash only if pm_BlkPerSec is zero.
> See this line and the check above it:
> SecPerClust         *= pmp->pm_BlkPerSec;
> But that is impossible because of the same if statement.
>
> In my opinion, the only possible explanation is an overflow of a
> SecPerClust value.  Given that its type is u_int8_t, it seems plausible.

That seems to be indeed the case. Adding a printf before
	SecPerClust         *= pmp->pm_BlkPerSec;

Results in: Multiplying 64 with 8

Using an unsigned int for SecPerClust allows to mount the file
system and df -h correctly shows its size, but cd'ing into it
and running ls -l leads to another panic:

fk@r500 /usr/crash $kgdb kernel.1/kernel.symbols vmcore.1
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
panic: getblk: size(262144) > MAXBSIZE(65536)

cpuid = 0
KDB: enter: panic
panic: from debugger
cpuid = 0
Uptime: 4m44s
Dumping 1992 MB (5 chunks)
  chunk 0: 1MB (155 pages) ... ok
  chunk 1: 1990MB (509345 pages) 1974 [...] ... ok
  chunk 2: 2MB (273 pages) ... ok
  chunk 3: 1MB (184 pages)

Reading symbols from /boot/kernel/zfs.ko...Reading symbols from /boot/kernel/zfs.ko.symbols...done.
[...]
#0  doadump () at pcpu.h:223
223     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) where
#0  doadump () at pcpu.h:223
#1  0xffffffff803be9ef in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:416
#2  0xffffffff803bedec in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:579
#3  0xffffffff801f58f7 in db_panic (addr=Variable "addr" is not available.
) at /usr/src/sys/ddb/db_command.c:478
#4  0xffffffff801f5d01 in db_command (last_cmdp=0xffffffff808a93c0, cmd_table=Variable "cmd_table" is not available.
) at /usr/src/sys/ddb/db_command.c:445
#5  0xffffffff801f5f50 in db_command_loop () at /usr/src/sys/ddb/db_command.c:498
#6  0xffffffff801f7ea9 in db_trap (type=Variable "type" is not available.
) at /usr/src/sys/ddb/db_main.c:229
#7  0xffffffff803ed545 in kdb_trap (type=3, code=0, tf=0xffffff803e71c480) at /usr/src/sys/kern/subr_kdb.c:535
#8  0xffffffff80619e28 in trap (frame=0xffffff803e71c480) at /usr/src/sys/amd64/amd64/trap.c:621
#9  0xffffffff80600af3 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:224
#10 0xffffffff803ed71d in kdb_enter (why=0xffffffff806be028 "panic", msg=0xa <Address 0xa out of bounds>) at cpufunc.h:63
#11 0xffffffff803bedfb in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:562
#12 0xffffffff8042ecde in getblk (vp=0xffffff006dbfad20, blkno=992, size=262144, slpflag=0, slptimeo=Variable "slptimeo" is not available.
) at /usr/src/sys/kern/vfs_bio.c:2523
#13 0xffffffff8042f12f in breadn (vp=0xffffff006dbfad20, blkno=Variable "blkno" is not available.
) at /usr/src/sys/kern/vfs_bio.c:800
#14 0xffffffff8042f24e in bread (vp=Variable "vp" is not available.
) at /usr/src/sys/kern/vfs_bio.c:748
#15 0xffffffff8035efc2 in msdosfs_readdir (ap=0xffffff803e71ca60) at /usr/src/sys/fs/msdosfs/msdosfs_vnops.c:1641
#16 0xffffffff8044b33d in kern_getdirentries (td=0xffffff006db6d3b0, fd=Variable "fd" is not available.
) at vnode_if.h:758
#17 0xffffffff8044b5f3 in getdirentries (td=Variable "td" is not available.
) at /usr/src/sys/kern/vfs_syscalls.c:4066
#18 0xffffffff806199ed in syscall (frame=0xffffff803e71cc80) at /usr/src/sys/amd64/amd64/trap.c:1026
#19 0xffffffff80600dd1 in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:373
#20 0x000000080091916c in ?? ()
Previous frame inner to this frame (corrupt stack?)

Fabian
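
The arithmetic behind both panics in this message, as an added example that is not part of the original e-mail or the FreeBSD source: 64 * 8 truncates to 0 in an 8-bit variable, and with 512-byte device blocks (an assumption) the untruncated 512 blocks is 262144 bytes, the size in the getblk panic. The names scale_u8, check_geometry and geom_status are hypothetical; MAXBSIZE is the value from the panic message.

```c
#include <stdint.h>
#include <stdio.h>

#define DEV_BSIZE 512u    /* assumption: 512-byte device blocks */
#define MAXBSIZE  65536u  /* limit quoted in the getblk panic above */

enum geom_status { GEOM_OK, GEOM_ZERO, GEOM_TOO_BIG };

/* The narrow multiply from the thread: the product is stored in 8 bits. */
static uint8_t scale_u8(uint8_t sec_per_clust, uint32_t blk_per_sec)
{
    return (uint8_t)(sec_per_clust * blk_per_sec);  /* 64 * 8 = 512 -> 0 */
}

/* Hypothetical mount-time check: multiply wide, then validate the result. */
static enum geom_status check_geometry(uint8_t sec_per_clust,
    uint32_t blk_per_sec, uint32_t *blk_per_clust)
{
    uint64_t blocks = (uint64_t)sec_per_clust * blk_per_sec;

    if (blocks == 0)
        return GEOM_ZERO;       /* would later be used as a zero divisor */
    if (blocks * DEV_BSIZE > MAXBSIZE)
        return GEOM_TOO_BIG;    /* one cluster read would exceed MAXBSIZE */
    *blk_per_clust = (uint32_t)blocks;
    return GEOM_OK;
}

int main(void)
{
    uint32_t blocks = 0;
    enum geom_status st;

    printf("8-bit result of 64 * 8: %u\n", (unsigned)scale_u8(64, 8));
    st = check_geometry(64, 8, &blocks);
    printf("check(64, 8): status=%d\n", (int)st);
    st = check_geometry(16, 8, &blocks);
    printf("check(16, 8): status=%d blocks=%u\n", (int)st, (unsigned)blocks);
    return 0;
}
```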
