From owner-freebsd-bugs Thu Oct 3 11:20: 9 2002 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 164CF37B401 for ; Thu, 3 Oct 2002 11:20:04 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8A34C43E42 for ; Thu, 3 Oct 2002 11:20:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id g93IK2Co073415 for ; Thu, 3 Oct 2002 11:20:02 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id g93IK2U2073414; Thu, 3 Oct 2002 11:20:02 -0700 (PDT) Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3284537B401 for ; Thu, 3 Oct 2002 11:10:43 -0700 (PDT) Received: from midten.fast.no (midten.fast.no [217.144.236.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id 18D0A43E65 for ; Thu, 3 Oct 2002 11:10:38 -0700 (PDT) (envelope-from Arne.Juul@fast.no) Received: from innenfor.trondheim.fast.no (innenfor.trondheim.fast.no [192.168.8.11]) by midten.fast.no (8.12.5/8.12.5) with ESMTP id g93IAS0B033519; Thu, 3 Oct 2002 20:10:29 +0200 (CEST) (envelope-from Arne.Juul@fast.no) Received: from guinness.trondheim.fast.no (guinness.trondheim.fast.no [192.168.8.119]) by innenfor.trondheim.fast.no (8.9.3/8.9.3) with ESMTP id UAA16327; Thu, 3 Oct 2002 20:10:23 +0200 (CEST) (envelope-from arnej@trondheim.fast.no) Received: (from arnej@localhost) by guinness.trondheim.fast.no (8.11.6/8.9.3) id g93IANd22666; Thu, 3 Oct 2002 20:10:23 +0200 (CEST) (envelope-from arnej@trondheim.fast.no) Message-Id: <200210031810.g93IANd22666@guinness.trondheim.fast.no> Date: Thu, 3 Oct 2002 20:10:23 +0200 (CEST) From: Arne H Juul Reply-To: Arne H Juul To: FreeBSD-gnats-submit@FreeBSD.org Cc: arnej@pvv.org X-Send-Pr-Version: 3.113 Subject: bin/43635: filesystem damage not detected by fsck Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 43635 >Category: bin >Synopsis: filesystem damage not detected by fsck >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Oct 03 11:20:01 PDT 2002 >Closed-Date: >Last-Modified: >Originator: Arne H Juul >Release: FreeBSD 4.5-RELEASE i386 >Organization: ProgramVareVerkstedet >Environment: System: FreeBSD guinness.trondheim.fast.no 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Thu Apr 18 03:10:10 CEST 2002 arnej@guinness.trondheim.fast.no:/usr/src/sys/compile/GUINNESS_PXE i386 The problem was originally seen on a 4.4-RELEASE kernel, but the fsck fix seems to apply across the board. >Description: we had a problem where a machine would panic with page fault in kernel mode during normal usage of a filesystem. fsck detected no problem but a closer look at a kernel crashdump showed that a cg->cg_irotor was hugely negative; this led to crashes in skpc like this: #5 0xc02872bf in trap (frame={tf_fs = 24, tf_es = -1072037872, tf_ds = 16, tf_edi = -724213760, tf_esi = -1002668032, tf_ebp = -413647876, tf_isp = -413647896, tf_ebx = 115468226, tf_edx = -724210968, tf_ecx = 255, tf_eax = -839679194, tf_trapno = 12, tf_err = 0, tf_eip = -1071319959, tf_cs = 8, tf_eflags = 66195, tf_esp = -413647832, tf_ss = -1071520840}) at /usr/src/sys/i386/i386/trap.c:467 #6 0xc024f469 in skpc (mask0=255, size=115468226, cp0=0xcdf38326
) at /usr/src/sys/libkern/skpc.c:50 #7 0xc021e3b8 in ffs_nodealloccg (ip=0xc43d5600, cg=88, ipref=157696, mode=33188) at /usr/src/sys/ufs/ffs/ffs_alloc.c:1252 #8 0xc021d587 in ffs_hashalloc (ip=0xc43d5600, cg=88, pref=157696, size=33188, allocator=0xc021e278 ) at /usr/src/sys/ufs/ffs/ffs_alloc.c:768 #9 0xc021d27a in ffs_valloc (pvp=0xe75c7b00, mode=33188, cred=0xc1ddf900, vpp=0xe7583ca0) at /usr/src/sys/ufs/ffs/ffs_alloc.c:596 #10 0xc02301f7 in ufs_makeinode (mode=33188, dvp=0xe75c7b00, vpp=0xe7583edc, cnp=0xe7583ef0) at /usr/src/sys/ufs/ufs/ufs_vnops.c:2097 #11 0xc022dbac in ufs_create (ap=0xe7583dfc) at /usr/src/sys/ufs/ufs/ufs_vnops.c:194 #12 0xc02304b9 in ufs_vnoperate (ap=0xe7583dfc) at /usr/src/sys/ufs/ufs/ufs_vnops.c:2382 #13 0xc01b830c in vn_open (ndp=0xe7583ec8, fmode=1538, cmode=420) at vnode_if.h:106 #14 0xc01b44f8 in open (p=0xe33c5f60, uap=0xe7583f80) at /usr/src/sys/kern/vfs_syscalls.c:1010 because ffs_nodealloccg depends on start = cgp->cg_irotor / NBBY; to be a valid index into the "inosused" array. fsck has a check of cg->cg_irotor but only for "too large" values, not for negative values. I've also added a printf to actually report the change made by fsck since this should only happen when the filesystem has been damaged. >How-To-Repeat: overwrite cylinder group data with random junk. "fix" with fsck -y. try to use filesystem normally. observe the panic - if you're lucky. If you're not lucky the kernel will probably read some random memory and write data to random places on the disk, or something... >Fix: The following two patches are for current and for RELENG_4; they are very similar, and follow the current code-style in fsck. Please apply. Index: pass5.c =================================================================== RCS file: /usr/cvs/src/sbin/fsck_ffs/pass5.c,v retrieving revision 1.32 diff -u -r1.32 pass5.c --- pass5.c 25 Sep 2002 04:06:36 -0000 1.32 +++ pass5.c 3 Oct 2002 17:52:57 -0000 @@ -192,10 +192,13 @@ newcg->cg_frotor = cg->cg_frotor; else newcg->cg_frotor = 0; - if (cg->cg_irotor < fs->fs_ipg) + if (cg->cg_irotor < fs->fs_ipg && cg->cg_irotor >= 0) newcg->cg_irotor = cg->cg_irotor; - else + else { + printf("%s: phase 5: bad cg irotor %d of %d\n", + cdevname, cg->cg_irotor, newcg->cg_niblk); newcg->cg_irotor = 0; + } if (fs->fs_magic == FS_UFS1_MAGIC) { newcg->cg_initediblk = 0; } else { Index: pass5.c =================================================================== RCS file: /usr/cvs/src/sbin/fsck/Attic/pass5.c,v retrieving revision 1.17.2.1 diff -u -IId: -u -r1.17.2.1 pass5.c --- pass5.c 23 Jan 2001 23:11:07 -0000 1.17.2.1 +++ pass5.c 3 Oct 2002 17:48:02 -0000 @@ -203,10 +203,13 @@ newcg->cg_frotor = cg->cg_frotor; else newcg->cg_frotor = 0; - if (cg->cg_irotor < newcg->cg_niblk) + if (cg->cg_irotor < newcg->cg_niblk && cg->cg_irotor >= 0) newcg->cg_irotor = cg->cg_irotor; - else + else { + printf("%s: phase 5: bad cg irotor %d of %d\n", + cdevname, cg->cg_irotor, newcg->cg_niblk); newcg->cg_irotor = 0; + } memset(&newcg->cg_frsum[0], 0, sizeof newcg->cg_frsum); memset(&cg_blktot(newcg)[0], 0, (size_t)(sumsize + mapsize)); >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message