Date: Thu, 3 Oct 2002 20:10:23 +0200 (CEST) From: Arne H Juul <Arne.Juul@fast.no> To: FreeBSD-gnats-submit@FreeBSD.org Cc: arnej@pvv.org Subject: bin/43635: filesystem damage not detected by fsck Message-ID: <200210031810.g93IANd22666@guinness.trondheim.fast.no>
next in thread | raw e-mail | index | archive | help
>Number: 43635
>Category: bin
>Synopsis: filesystem damage not detected by fsck
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Oct 03 11:20:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Arne H Juul
>Release: FreeBSD 4.5-RELEASE i386
>Organization:
ProgramVareVerkstedet
>Environment:
System: FreeBSD guinness.trondheim.fast.no 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Thu Apr 18 03:10:10 CEST 2002 arnej@guinness.trondheim.fast.no:/usr/src/sys/compile/GUINNESS_PXE i386
The problem was originally seen on a 4.4-RELEASE kernel,
but the fsck fix seems to apply across the board.
>Description:
we had a problem where a machine would panic with
page fault in kernel mode during normal usage of a
filesystem. fsck detected no problem but a closer
look at a kernel crashdump showed that a cg->cg_irotor
was hugely negative; this led to crashes in skpc like this:
#5 0xc02872bf in trap (frame={tf_fs = 24, tf_es = -1072037872, tf_ds = 16,
tf_edi = -724213760, tf_esi = -1002668032, tf_ebp = -413647876,
tf_isp = -413647896, tf_ebx = 115468226, tf_edx = -724210968,
tf_ecx = 255, tf_eax = -839679194, tf_trapno = 12, tf_err = 0,
tf_eip = -1071319959, tf_cs = 8, tf_eflags = 66195, tf_esp = -413647832,
tf_ss = -1071520840}) at /usr/src/sys/i386/i386/trap.c:467
#6 0xc024f469 in skpc (mask0=255, size=115468226,
cp0=0xcdf38326 <Address 0xcdf38326 out of bounds>)
at /usr/src/sys/libkern/skpc.c:50
#7 0xc021e3b8 in ffs_nodealloccg (ip=0xc43d5600, cg=88, ipref=157696,
mode=33188) at /usr/src/sys/ufs/ffs/ffs_alloc.c:1252
#8 0xc021d587 in ffs_hashalloc (ip=0xc43d5600, cg=88, pref=157696,
size=33188, allocator=0xc021e278 <ffs_nodealloccg>)
at /usr/src/sys/ufs/ffs/ffs_alloc.c:768
#9 0xc021d27a in ffs_valloc (pvp=0xe75c7b00, mode=33188, cred=0xc1ddf900,
vpp=0xe7583ca0) at /usr/src/sys/ufs/ffs/ffs_alloc.c:596
#10 0xc02301f7 in ufs_makeinode (mode=33188, dvp=0xe75c7b00, vpp=0xe7583edc,
cnp=0xe7583ef0) at /usr/src/sys/ufs/ufs/ufs_vnops.c:2097
#11 0xc022dbac in ufs_create (ap=0xe7583dfc)
at /usr/src/sys/ufs/ufs/ufs_vnops.c:194
#12 0xc02304b9 in ufs_vnoperate (ap=0xe7583dfc)
at /usr/src/sys/ufs/ufs/ufs_vnops.c:2382
#13 0xc01b830c in vn_open (ndp=0xe7583ec8, fmode=1538, cmode=420)
at vnode_if.h:106
#14 0xc01b44f8 in open (p=0xe33c5f60, uap=0xe7583f80)
at /usr/src/sys/kern/vfs_syscalls.c:1010
because ffs_nodealloccg depends on start = cgp->cg_irotor / NBBY;
to be a valid index into the "inosused" array.
fsck has a check of cg->cg_irotor but only for "too large"
values, not for negative values. I've also added a printf
to actually report the change made by fsck since this should
only happen when the filesystem has been damaged.
>How-To-Repeat:
overwrite cylinder group data with random junk. "fix"
with fsck -y. try to use filesystem normally. observe
the panic - if you're lucky. If you're not lucky
the kernel will probably read some random memory and
write data to random places on the disk, or something...
>Fix:
The following two patches are for current and for RELENG_4;
they are very similar, and follow the current code-style
in fsck. Please apply.
Index: pass5.c
===================================================================
RCS file: /usr/cvs/src/sbin/fsck_ffs/pass5.c,v
retrieving revision 1.32
diff -u -r1.32 pass5.c
--- pass5.c 25 Sep 2002 04:06:36 -0000 1.32
+++ pass5.c 3 Oct 2002 17:52:57 -0000
@@ -192,10 +192,13 @@
newcg->cg_frotor = cg->cg_frotor;
else
newcg->cg_frotor = 0;
- if (cg->cg_irotor < fs->fs_ipg)
+ if (cg->cg_irotor < fs->fs_ipg && cg->cg_irotor >= 0)
newcg->cg_irotor = cg->cg_irotor;
- else
+ else {
+ printf("%s: phase 5: bad cg irotor %d of %d\n",
+ cdevname, cg->cg_irotor, newcg->cg_niblk);
newcg->cg_irotor = 0;
+ }
if (fs->fs_magic == FS_UFS1_MAGIC) {
newcg->cg_initediblk = 0;
} else {
Index: pass5.c
===================================================================
RCS file: /usr/cvs/src/sbin/fsck/Attic/pass5.c,v
retrieving revision 1.17.2.1
diff -u -IId: -u -r1.17.2.1 pass5.c
--- pass5.c 23 Jan 2001 23:11:07 -0000 1.17.2.1
+++ pass5.c 3 Oct 2002 17:48:02 -0000
@@ -203,10 +203,13 @@
newcg->cg_frotor = cg->cg_frotor;
else
newcg->cg_frotor = 0;
- if (cg->cg_irotor < newcg->cg_niblk)
+ if (cg->cg_irotor < newcg->cg_niblk && cg->cg_irotor >= 0)
newcg->cg_irotor = cg->cg_irotor;
- else
+ else {
+ printf("%s: phase 5: bad cg irotor %d of %d\n",
+ cdevname, cg->cg_irotor, newcg->cg_niblk);
newcg->cg_irotor = 0;
+ }
memset(&newcg->cg_frsum[0], 0, sizeof newcg->cg_frsum);
memset(&cg_blktot(newcg)[0], 0,
(size_t)(sumsize + mapsize));
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200210031810.g93IANd22666>