From owner-freebsd-newbies  Wed Sep 12  5:57:41 2001
Delivered-To: freebsd-newbies@freebsd.org
Received: from fnord.ir.bbn.com (FNORD.IR.BBN.COM [192.1.100.210])
	by hub.freebsd.org (Postfix) with SMTP id A73F337B409
	for <freebsd-newbies@freebsd.org>; Wed, 12 Sep 2001 05:57:34 -0700 (PDT)
Received: (qmail 17826 invoked by uid 10853); 12 Sep 2001 12:57:34 -0000
To: Nathan Mace <nmace85@yahoo.com>
Cc: freebsd newbies <freebsd-newbies@freebsd.org>,
	freebsd-stable <freebsd-stable@freebsd.org>
Subject: Re: burncd makes computer reboot!
References: <20010912002741.4cac25b4.nmace85@yahoo.com>
From: Greg Troxel <gdt@fnord.ir.bbn.com>
Date: 12 Sep 2001 08:57:33 -0400
In-Reply-To: Nathan Mace's message of "Wed, 12 Sep 2001 00:27:41 -0400"
Message-ID: <rmiy9nklg76.fsf@fnord.ir.bbn.com>
Lines: 44
X-Mailer: Gnus v5.7/Emacs 20.7
Sender: owner-freebsd-newbies@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-newbies.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-newbies>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-newbies>
X-Loop: FreeBSD.org

I have seen behavior that may be similar, but not tracked it down well
enough to file a report.

  burncd: ioctl(CDRIOCCLOSEDISK): Inapproprate iotl for device

This may be a sign of burncd/kernel version skew - I think something
changed between near 4.3.  (I tried 4.3 burncd on 4.2+kame and lost;
with everything from the same 'make world' it works fine.)  Make sure
you have burncd of the same date as kernel sources, compiled against
the matching include files.  This could explain why the cd did not get
written properly (or fixated), but not the crash.

I believe that the kernel code involving in cd9660 mounting may have a
bug that is triggered by CDs that are apparently zero length
(i.e. those for which read at 0 acts like EOF).  I use the following
shell function to test CDs to make sure they have data on them before
mounting.

ddcd () 
{ 
    dd if=/dev/racd0c of=/dev/null bs=32k
}

Looking at the sources, I see in isofs/cd9660/cd9660_vfsops.c, around
line 327 of 1.74.2.5, bread is called on the device, and the return
value checked for error.
Then, bp->b_data is dereferenced without checking bp->b_count,
bp->b_bufsize, or bp->b_resid.
Perhaps adding

	if ( bp->b_count != iso_bsize ) {
		error = ENOSPC;		/* XXX need better error report */
		goto out;
	}

might help.  I didn't read kern/vfs_bio.c to see if an error would be
returned, but I note that dd reports reading 0 bytes with no errors.
If my guess is right, this problem exists multiple places in cd9660.
But I suspect I'm off base, since I see similar code in ffs_vfsops.c.
But there could be checks for partition size first, and then again,
how often do people mount zero-length disks?

        Greg Troxel <gdt@ir.bbn.com>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-newbies" in the body of the message