Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 19 Feb 2018 13:28:41 -0500
From:      Allan Jude <allanjude@freebsd.org>
To:        Konstantin Belousov <kostikbel@gmail.com>
Cc:        freebsd-fs <freebsd-fs@freebsd.org>, Kirk McKusick <mckusick@mckusick.com>, markj@freebsd.org
Subject:   Re: UFS panic when attempting to mount wrong device
Message-ID:  <a77e28c0-c603-eec0-bd3e-108582d17e89@freebsd.org>
In-Reply-To: <20180219105758.GX94212@kib.kiev.ua>
References:  <8be41fc8-ea0a-da87-da89-68f531f1cb88@freebsd.org> <20180219105758.GX94212@kib.kiev.ua>

next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--My8zo2MOJZ7wdu4Et3CUvDw2dr9u572Jy
Content-Type: multipart/mixed; boundary="CDvnTA209LuMR3FIm0zWIhTD6JwlIecH9";
 protected-headers="v1"
From: Allan Jude <allanjude@freebsd.org>
To: Konstantin Belousov <kostikbel@gmail.com>
Cc: freebsd-fs <freebsd-fs@freebsd.org>, Kirk McKusick
 <mckusick@mckusick.com>, markj@freebsd.org
Message-ID: <a77e28c0-c603-eec0-bd3e-108582d17e89@freebsd.org>
Subject: Re: UFS panic when attempting to mount wrong device
References: <8be41fc8-ea0a-da87-da89-68f531f1cb88@freebsd.org>
 <20180219105758.GX94212@kib.kiev.ua>
In-Reply-To: <20180219105758.GX94212@kib.kiev.ua>

--CDvnTA209LuMR3FIm0zWIhTD6JwlIecH9
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

On 2018-02-19 05:57, Konstantin Belousov wrote:
> On Sun, Feb 18, 2018 at 08:14:48PM -0500, Allan Jude wrote:
>> I accidentally forgot to specify -t cd9660 when mounting a CD image, a=
nd
>> UFS panicked the machine:
>>
>> Unread portion of the kernel message buffer:
>> panic: vtopde on a uva/gpa 0x0
>> cpuid =3D 1
>> KDB: stack backtrace:
>> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame
>> 0xfffffe0034409550
>> vpanic() at vpanic+0x18d/frame 0xfffffe00344095b0
>> vpanic() at vpanic/frame 0xfffffe0034409630
>> pmap_kextract() at pmap_kextract+0x121/frame 0xfffffe0034409660
>> free() at free+0x5e/frame 0xfffffe00344096a0
>> ffs_mount() at ffs_mount+0xe2f/frame 0xfffffe0034409840
>> vfs_donmount() at vfs_donmount+0xf56/frame 0xfffffe0034409a80
>> sys_nmount() at sys_nmount+0x72/frame 0xfffffe0034409ac0
>> amd64_syscall() at amd64_syscall+0x79b/frame 0xfffffe0034409bf0
>> fast_syscall_common() at fast_syscall_common+0x101/frame 0x7fffffffd99=
0
>>
>>
>>
>> (kgdb) bt
>> #0  __curthread () at ./machine/pcpu.h:230
>> #1  doadump (textdump=3D1) at
>> /zroot/zfs_zstd/head/sys/kern/kern_shutdown.c:347
>> #2  0xffffffff80ac9242 in kern_reboot (howto=3D260) at
>> /zroot/zfs_zstd/head/sys/kern/kern_shutdown.c:416
>> #3  0xffffffff80ac980d in vpanic (fmt=3D<optimized out>,
>> ap=3D0xfffffe00344095f0) at /zroot/zfs_zstd/head/sys/kern/kern_shutdow=
n.c:812
>> #4  0xffffffff80ac9620 in kassert_panic (fmt=3D0xffffffff81157632 "vto=
pde
>> on a uva/gpa 0x%0lx") at /zroot/zfs_zstd/head/sys/kern/kern_shutdown.c=
:698
>> #5  0xffffffff80f683a1 in vtopde (va=3D0) at
>> /zroot/zfs_zstd/head/sys/amd64/amd64/pmap.c:835
>> #6  pmap_kextract (va=3D0) at /zroot/zfs_zstd/head/sys/amd64/amd64/pma=
p.c:2237
>> #7  0xffffffff80aa3f2e in vtoslab (va=3D0) at
>> /zroot/zfs_zstd/head/sys/vm/uma_int.h:455
>> #8  free (addr=3D0x8, mtp=3D0xffffffff8189bb20 <M_UFSMNT>) at
>> /zroot/zfs_zstd/head/sys/kern/kern_malloc.c:701
>> #9  0xffffffff80dc278f in ffs_mountfs (devvp=3D<optimized out>,
>> mp=3D<optimized out>, td=3D<optimized out>)
>>     at /zroot/zfs_zstd/head/sys/ufs/ffs/ffs_vfsops.c:1047
>> #10 ffs_mount (mp=3D0xfffff80085dda000) at
>> /zroot/zfs_zstd/head/sys/ufs/ffs/ffs_vfsops.c:531
>> #11 0xffffffff80b8ebc6 in vfs_domount_first (td=3D<optimized out>,
>> fspath=3D0xfffff80003723800 "/mnt", vp=3D0xfffff80085baf938, vfsp=3D<o=
ptimized
>> out>,
>>     fsflags=3D<optimized out>, optlist=3D<optimized out>) at
>> /zroot/zfs_zstd/head/sys/kern/vfs_mount.c:827
>> #12 vfs_domount (td=3D<optimized out>, fstype=3D<optimized out>,
>> fspath=3D<optimized out>, fsflags=3D<optimized out>, optlist=3D<optimi=
zed out>)
>>     at /zroot/zfs_zstd/head/sys/kern/vfs_mount.c:1117
>> #13 vfs_donmount (td=3D0xfffff800139c6560, fsflags=3D<optimized out>,
>> fsoptions=3D0xfffff800054d6e00) at
>> /zroot/zfs_zstd/head/sys/kern/vfs_mount.c:684
>> #14 0xffffffff80b8dc42 in sys_nmount (td=3D0xfffff800139c6560,
>> uap=3D0xfffff800139c6918) at /zroot/zfs_zstd/head/sys/kern/vfs_mount.c=
:427
>> #15 0xffffffff80f7ed0b in syscallenter (td=3D0xfffff800139c6560) at
>> /zroot/zfs_zstd/head/sys/amd64/amd64/../../kern/subr_syscall.c:134
>> #16 amd64_syscall (td=3D0xfffff800139c6560, traced=3D0) at
>> /zroot/zfs_zstd/head/sys/amd64/amd64/trap.c:935
>> #17 0xffffffff80f5a66d in fast_syscall_common () at
>> /zroot/zfs_zstd/head/sys/amd64/amd64/exception.S:480
>> #18 0x0000000800c78000 in ?? ()
>>
>>
>> That that maybe a double free?
> More likely, a free of the uninitialized pointer.  Try this.
>=20
> diff --git a/sys/ufs/ffs/ffs_subr.c b/sys/ufs/ffs/ffs_subr.c
> index 40db8bf01b1..4e167d98b65 100644
> --- a/sys/ufs/ffs/ffs_subr.c
> +++ b/sys/ufs/ffs/ffs_subr.c
> @@ -174,8 +174,12 @@ ffs_sbget(void *devfd, struct fs **fsp, off_t alts=
uperblock,
> =20
>  	*fsp =3D NULL;
>  	if (altsuperblock !=3D -1) {
> -		if ((ret =3D readsuper(devfd, fsp, altsuperblock, readfunc)) !=3D 0)=

> +		if ((ret =3D readsuper(devfd, fsp, altsuperblock, readfunc))
> +		    !=3D 0) {
> +			if (*fsp !=3D NULL)
> +				(*fsp)->fs_csp =3D NULL;
>  			return (ret);
> +		}
>  	} else {
>  		for (i =3D 0; sblock_try[i] !=3D -1; i++) {
>  			if ((ret =3D readsuper(devfd, fsp, sblock_try[i],
> @@ -183,10 +187,15 @@ ffs_sbget(void *devfd, struct fs **fsp, off_t alt=
superblock,
>  				break;
>  			if (ret =3D=3D ENOENT)
>  				continue;
> +			if (*fsp !=3D NULL)
> +				(*fsp)->fs_csp =3D NULL;
>  			return (ret);
>  		}
> -		if (sblock_try[i] =3D=3D -1)
> +		if (sblock_try[i] =3D=3D -1) {
> +			if (*fsp !=3D NULL)
> +				(*fsp)->fs_csp =3D NULL;
>  			return (ENOENT);
> +		}
>  	}
>  	/*
>  	 * If not filling in summary information, NULL out fs_csp and return.=

>=20

This first patch solved the panic, but returns the wrong error message:

# mount /dev/cd0 /mnt
mount: /dev/cd0: No such file or directory

It does exist, and `mount -t cd9660 /dev/cd0 /mnt` works

I think we should return EINVAL in this case instead of ENOENT?


--=20
Allan Jude


--CDvnTA209LuMR3FIm0zWIhTD6JwlIecH9--

--My8zo2MOJZ7wdu4Et3CUvDw2dr9u572Jy
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJaixdcAAoJEBmVNT4SmAt+ZsIP+wTKIEbt5Ox/T2qWQOTN3pOH
7xePZJCitLuq6JClFuJmvmTvLfaTxVAv6O3SkjeqJaArHjHF+A1I1WSSWNe3NNNj
yCBBedXUwcqPYdzwqxCl6IIur0Ozs+XYizg7CGK0EswPINPYwe1euJNmcyt+buex
P3yEalCEB2lPdtBohZLc6QD/4OHj2+8xRUTxk6penluGP8gXZc4mR9uxxenf/Hvr
WtZ0eRmlCdiCxbpBfYp5ql8DNxmuqycq9kfkRa7jFwLiCtMIwf8Tzz0EhIGAKg/A
i5dkU96WwKTuaIjDw5wZpUf50OEhXVqvqTRydSchM/IacujxXwF/s0W62kfegW+O
ftEOnCeOJzx8iSbXhqAm9j22se3oI8LPckpvflToZoelrTy15/Geq9MD/s7oitum
7vRxMsHzBUnl//3ld5rbIvjw7+FfcfJYuEcKMWYTAJtmfHDyvg4jhxRMgkUVDrqt
U2eYIzJhBdA37P2PEvrXvfwvCL/IDjFcN08AQQzGaUO9fTGvfUjaJ00wP6zVZzKk
jfOZiY52C5ROw6jAYxgTGkYis//wTUcYSlrjA4RACIQs/gOuw+ApX3UJIzjTRPln
89SNKFco43BGVU6ql4lPsdnXKAY9JT7X0qwTdjQOoHU8ecJDLp15mDgxBT4mzgiH
GJk2/9BFVXrmIkpEc6oM
=+GwP
-----END PGP SIGNATURE-----

--My8zo2MOJZ7wdu4Et3CUvDw2dr9u572Jy--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?a77e28c0-c603-eec0-bd3e-108582d17e89>