Date:      Sat, 07 May 2022 20:55:59 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 263853] jmicron RAID taste code can panic if conf is garbage
Message-ID:  <bug-263853-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263853

            Bug ID: 263853
           Summary: jmicron RAID taste code can panic if conf is garbage
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 233800
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=233800&action=edit
disk image that causes jmicron taste code to panic

During tasting, if the last sector of a newly attached drive looks
enough like a jmicron_raid_conf but meta->disks[] contains no disks,
and meta->spare[] contains one disk, g_raid_md_jmicron_new_disk() may
call g_raid_md_jmicron_start() anyway, leading to a panic.

I've attached a demo disk image, which causes this code in
g_raid_md_jmicron_new_disk() to execute with disks_present = 1 (the
disk being tasted), total_disks = zero (from meta->disks[]), and
total_spare() = one (from meta->spare[]):

          /* If we collected all needed disks - start array. */
          if (mdi->mdio_disks_present == mdi->mdio_total_disks +
              jmicron_meta_total_spare(mdi->mdio_meta))
            g_raid_md_jmicron_start(sc);

Mounting the demo disk image:

# uname -a
FreeBSD  14.0-CURRENT FreeBSD 14.0-CURRENT #219
main-n250919-29f81bc20825-dirty: Sat May  7 16:30:27 EDT 2022
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM  riscv
# mdconfig -f taste8a.img
GEOM_RAID: JMicron-0000000: Array JMicron-0000000 created.
GEOM_RAID: JMicron-0000000: No transformation module found for ��.
GEOM_RAID: JMicron-0000000: Volume �� state changed from STARTING to
UNSUPPORTED
panic: No disk at position 0!
cpuid = 0
time = 1651920087
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x38
kdb_backtrace() at kdb_backtrace+0x2c
vpanic() at vpanic+0x16e
panic() at panic+0x2a
g_raid_md_jmicron_start_disk() at g_raid_md_jmicron_start_disk+0x350
g_raid_md_jmicron_start() at g_raid_md_jmicron_start+0x1c2
g_raid_md_jmicron_new_disk() at g_raid_md_jmicron_new_disk+0x110
g_raid_md_taste_jmicron() at g_raid_md_taste_jmicron+0x39a
G_RAID_MD_TASTE() at G_RAID_MD_TASTE+0x5a
g_raid_taste() at g_raid_taste+0x15c
g_new_provider_event() at g_new_provider_event+0xb8
one_event() at one_event+0x106
g_run_events() at g_run_events+0x8a
g_event_procbody() at g_event_procbody+0x56
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa
KDB: enter: panic
[ thread pid 13 tid 100017 ]
Stopped at      breakpoint+0xa: c.ldsp  s0,0(sp)
db>

-- 
You are receiving this mail because:
You are the assignee for the bug.
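The following C program is an added illustration of the counting logic the report describes; it is not code from the FreeBSD g_raid jmicron module and is not a proposed patch. The slot counts (MODEL_MAX_DISKS, MODEL_MAX_SPARE), the rule that a non-zero ID marks an occupied slot, and the hardened variant that refuses to start an array whose metadata names no data disks are all assumptions made for the model. It constructs metadata shaped like the attached image (empty disks[], one entry in spare[]) and shows that, with one disk tasted, the quoted condition 1 == 0 + 1 holds and the array would be started, while the defensive check rejects it; a constructed two-disk array passes both.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the "have all disks arrived?" decision described in the report.
 * Illustrative only: the slot counts and the "non-zero ID means occupied"
 * rule are assumptions, not the driver's definitions.
 */
#define MODEL_MAX_DISKS 8
#define MODEL_MAX_SPARE 2

struct model_meta {
	uint32_t disks[MODEL_MAX_DISKS];	/* data disk IDs, 0 = empty slot */
	uint32_t spare[MODEL_MAX_SPARE];	/* spare disk IDs, 0 = empty slot */
};

/* Count occupied data-disk slots (stand-in for the driver's total_disks). */
int model_total_disks(const struct model_meta *m)
{
	int n = 0;
	for (int i = 0; i < MODEL_MAX_DISKS; i++)
		if (m->disks[i] != 0)
			n++;
	return n;
}

/* Count occupied spare slots (stand-in for jmicron_meta_total_spare()). */
int model_total_spare(const struct model_meta *m)
{
	int n = 0;
	for (int i = 0; i < MODEL_MAX_SPARE; i++)
		if (m->spare[i] != 0)
			n++;
	return n;
}

/* The start condition as quoted in the report: present == total + spare. */
bool start_condition_reported(const struct model_meta *m, int disks_present)
{
	return disks_present == model_total_disks(m) + model_total_spare(m);
}

/*
 * Defensive variant (an assumption, not a committed fix): metadata that
 * names no data disks describes nothing that can be started, so it is
 * rejected before the arithmetic is reached.
 */
bool start_condition_hardened(const struct model_meta *m, int disks_present)
{
	int total = model_total_disks(m);
	if (total == 0)
		return false;
	return disks_present == total + model_total_spare(m);
}

/* Constructed metadata matching the report: empty disks[], one spare. */
struct model_meta garbage_meta(void)
{
	struct model_meta m = {0};
	m.spare[0] = 0x1234;	/* arbitrary non-zero ID, constructed */
	return m;
}

/* Constructed metadata for a plausible two-disk array with no spare. */
struct model_meta sane_meta(void)
{
	struct model_meta m = {0};
	m.disks[0] = 0x1111;	/* constructed IDs */
	m.disks[1] = 0x2222;
	return m;
}

int main(void)
{
	struct model_meta g = garbage_meta(), s = sane_meta();

	/* One disk tasted, zero data disks, one spare: 1 == 0 + 1 starts. */
	printf("garbage: reported=%d hardened=%d\n",
	    start_condition_reported(&g, 1), start_condition_hardened(&g, 1));
	/* Both disks tasted, two data disks, no spare: both variants start. */
	printf("sane:    reported=%d hardened=%d\n",
	    start_condition_reported(&s, 2), start_condition_hardened(&s, 2));
	return 0;
}
```

Run it and the first line prints reported=1 hardened=0: the quoted equality is satisfied purely by the spare entry, which is why start is reached with nothing at position 0. Counting data disks separately from spares before comparing is the property a defender would want any fix to preserve.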


