Date: Mon, 15 Mar 2021 20:43:54 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 254318] [panic] when a specific sequence of read requests is issued to a geom_uzip device the kernel panics
Message-ID: <bug-254318-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254318

Bug ID: 254318
Summary: [panic] when a specific sequence of read requests is issued to a geom_uzip device the kernel panics
Product: Base System
Version: 12.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: jgordeev@dir.bg

Created attachment 223307
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=223307&action=edit
list of read requests which cause a panic

Some sequences of read requests to a geom_uzip device coupled with specific uzip images lead to a kernel panic on FreeBSD/amd64 12.2-RELEASE-p4. You can see a stacktrace below. When reading linearly from the uzip device with dd(1) no kernel panic occurs.

On FreeBSD/amd64 13.0-RC2 a different symptom is observed: there is no kernel panic, but some of the read requests fail with errno EFAULT even though they should succeed.

On FreeBSD/amd64 14.0-CURRENT (from FreeBSD-14.0-CURRENT-amd64-20210311-15565e0a217-257277-disc1.iso) the behaviour is the same as on 13.0-RC2.

A kernel minidump from 12.2-RELEASE-p4 is provided in the file 'vmcore.3.gz' (available for download). Official binaries from the FreeBSD project were used.

For reproducing the kernel panic the following is provided:
1) A specific list of read requests (in the file 'script1.txt', attached)
2) A program that takes a list of read requests and performs them (in the file 'sr.c', attached)
3) A uzip image (in the file 'system.uzip', available for download)

Steps for reproducing the kernel panic:
1) kldload geom_uzip
2) mdconfig -a -t vnode -o readonly -f system.uzip -u 0
3) ./sr /dev/md0.uzip < script1.txt

The files 'vmcore.3.gz' and 'system.uzip' can be downloaded from <https://drive.google.com/drive/folders/1mmsdCcxEFmU8XzdQpXJoJdvLJbqqnD_X?usp=sharing>.

Graham Perrin contributed significantly to discovering and documenting this problem. Please mention him where appropriate.
A stacktrace from the panic on 12.2-RELEASE-p4:

#0  doadump () at src/sys/amd64/include/pcpu_aux.h:55
55          __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (offsetof(struct pcpu,
(kgdb) #0  doadump () at src/sys/amd64/include/pcpu_aux.h:55
#1  0xffffffff80bbec45 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:451
#2  0xffffffff80bbf083 in vpanic (fmt=<value optimized out>, ap=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:880
#3  0xffffffff80bbeea3 in panic (fmt=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:807
#4  0xffffffff80ef3722 in vm_fault (map=<value optimized out>, vaddr=<value optimized out>, fault_type=<value optimized out>, fault_flags=<value optimized out>, m_hold=<value optimized out>) at /usr/src/sys/vm/vm_fault.c:727
#5  0xffffffff80ef1130 in vm_fault_trap (map=0xfffff80003001000, vaddr=<value optimized out>, fault_type=<value optimized out>, fault_flags=0, signo=0x0, ucode=0x0) at /usr/src/sys/vm/vm_fault.c:574
#6  0xffffffff8108eabc in trap_pfault (frame=0xfffffe001baf4850, usermode=false, signo=<value optimized out>, ucode=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:824
#7  0xffffffff8108dfb6 in trap (frame=0xfffffe001baf4850) at /usr/src/sys/amd64/amd64/trap.c:405
#8  0xffffffff81066c28 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:289
#9  0xffffffff80caedb3 in _zlib104_inflate_fast (bl=<value optimized out>, bd=<value optimized out>, tl=0xfffffe001c111010, td=0xfffff800038d6390, s=0xfffff8000381c180, z=0xfffff80003822130) at /usr/src/sys/libkern/zlib.c:5015
#10 0xffffffff80cadc50 in inflate_codes (s=0xfffff8000381c180, z=0xfffff80003822130, r=<value optimized out>) at /usr/src/sys/libkern/zlib.c:4715
#11 0xffffffff80cac5b6 in inflate_blocks (s=<value optimized out>, z=0xfffff80003822130, r=470883682) at /usr/src/sys/libkern/zlib.c:3972
#12 0xffffffff80cab8a6 in _zlib104_inflate (z=0xfffff80003822130, f=5) at /usr/src/sys/libkern/zlib.c:3270
#13 0xffffffff82723d6c in g_uzip_zlib_decompress (zpp=<value optimized out>, gp_name=0xfffff8000305d540 "md0.uzip", ibp=<value optimized out>, ilen=<value optimized out>, obp=<value optimized out>) at /usr/src/sys/geom/uzip/g_uzip_zlib.c:77
#14 0xffffffff827231a2 in g_uzip_do (sc=<value optimized out>, bp=<value optimized out>) at /usr/src/sys/geom/uzip/g_uzip.c:395
#15 0xffffffff827240b4 in g_uzip_wrkthr (arg=0xfffff80055240000) at /usr/src/sys/geom/uzip/g_uzip_wrkthr.c:69
#16 0xffffffff80b8088e in fork_exit (callout=0xffffffff82723f80 <g_uzip_wrkthr>, arg=0xfffff80055240000, frame=0xfffffe001baf4c00) at /usr/src/sys/kern/kern_fork.c:1080
#17 0xffffffff81067c5e in fork_trampoline () at /usr/src/sys/amd64/amd64/exception.S:1078
#18 0x0000000000000000 in ?? ()

-- 
You are receiving this mail because:
You are the assignee for the bug.
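The attached sr.c is not reproduced on this page. The harness below is an added example, not the reporter's program: it issues a list of read requests against a device with pread(2), counts the requests that fail outright and prints their errno (the EFAULT symptom seen on 13.0-RC2), and carries a self-check on a constructed temporary file so it can be exercised without a uzip device. It assumes a request format of one "offset length" pair per line, in decimal bytes; the format of the attached script1.txt is not shown on this page.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct req { off_t off; size_t len; };

/* pread(2) each request in order, counting outright failures (pread == -1) and logging the
 * errno, which is EFAULT in the 13.0-RC2 symptom. A short read past end of device is fine. */
int run_reqs(int fd, const struct req *reqs, size_t n, FILE *log)
{
    int failed = 0;
    for (size_t i = 0; i < n; i++) {
        char *buf = malloc(reqs[i].len);
        if (buf == NULL) return -1;
        if (pread(fd, buf, reqs[i].len, reqs[i].off) < 0 && ++failed && log != NULL)
            fprintf(log, "req %zu off=%lld len=%zu: %s\n", i,
                    (long long)reqs[i].off, reqs[i].len, strerror(errno));
        free(buf);
    }
    return failed;
}

/* Self-check on a constructed 8 KiB temporary file (no uzip device needed); the last
 * request deliberately crosses EOF and must not be counted as a failure. */
int self_check(void)
{
    FILE *tmp = tmpfile();
    char data[8192] = {0};
    if (tmp == NULL || write(fileno(tmp), data, sizeof data) != (ssize_t)sizeof data) return -1;
    struct req reqs[3] = { {0, 512}, {4096, 1024}, {8000, 4096} };
    int failed = run_reqs(fileno(tmp), reqs, 3, NULL);
    fclose(tmp);
    return failed + (run_reqs(-1, reqs, 1, NULL) != 1); /* negative control: bad fd must fail */
}

int main(int argc, char **argv)
{
    int fd = argc == 2 ? open(argv[1], O_RDONLY) : -1;
    if (fd < 0) { fprintf(stderr, "usage: %s /dev/mdN.uzip < requests\n", argv[0]); return 2; }
    struct req r; long long off; int failed = 0;
    /* Assumed request format: one "offset length" pair per line, decimal bytes. */
    while (scanf("%lld %zu", &off, &r.len) == 2) {
        r.off = (off_t)off;
        failed += run_reqs(fd, &r, 1, stderr);
    }
    return failed != 0;
}
```

On 12.2-RELEASE-p4 the fault is taken inside the kernel worker thread, so no userland harness can observe it as an error; the errno report only covers the 13.0-RC2 and 14.0-CURRENT behaviour.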