[Bug 259107] A damaged ext2 superblock can cause a panic due to a recursive bread().
Date: Tue, 12 Oct 2021 16:21:48 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259107
Bug ID: 259107
Summary: A damaged ext2 superblock can cause a panic due to a recursive bread().
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Created attachment 228630
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228630&action=edit
A damaged ext3 disk image that causes a recursive bread lock attempt.
If a damaged ext2 file system has its e2fs_first_dblock superblock
field set to zero instead of 1, ext2_compute_sb_data() will attempt
to bread() block 1 even though ext2_mount() already has that disk
block locked. The panic could be avoided if ext2_compute_sb_data()
had another sanity check on e2fs_first_dblock.

I've attached a demo disk image:

# gunzip ext39.img.gz
# mdconfig -f ext39.img
# mount -t ext2fs -o ro /dev/md0 /mnt
panic: lockmgr_xlock_hard: recursing on non recursive lockmgr 0xfffffe00086efc78 @ /usr/src/sys/kern/vfs_bio.c:3962
panic() at panic+0x43/frame 0xfffffe009bb522c0
lockmgr_xlock_hard() at lockmgr_xlock_hard+0xee/frame 0xfffffe009bb52370
__lockmgr_args() at __lockmgr_args+0x1f9/frame 0xfffffe009bb52410
getblkx() at getblkx+0x195/frame 0xfffffe009bb524d0
breadn_flags() at breadn_flags+0x44/frame 0xfffffe009bb52540
ext2_compute_sb_data() at ext2_compute_sb_data+0x80d/frame 0xfffffe009bb525d0
ext2_mount() at ext2_mount+0xea9/frame 0xfffffe009bb52770
vfs_domount() at vfs_domount+0x8d8/frame 0xfffffe009bb529e0
vfs_donmount() at vfs_donmount+0x880/frame 0xfffffe009bb52a80
sys_nmount() at sys_nmount+0x69/frame 0xfffffe009bb52ac0
amd64_syscall() at amd64_syscall+0x12e/frame 0xfffffe009bb52bf0
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe009bb52bf0
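
The kind of sanity check the report asks for, as an added user-space example (not code from the report and not the FreeBSD fix). It applies the standard ext2 layout rule that the first data block is 1 for 1 KiB blocks and 0 for larger blocks; `check_first_dblock`, `make_sb` and the 64 KiB block-size cap are assumptions of this example, and the sample superblocks are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SB_SIZE          1024    /* on-disk superblock size, found at byte offset 1024 */
#define OFF_BCOUNT       4       /* e2fs_bcount: total blocks */
#define OFF_FIRST_DBLOCK 20      /* e2fs_first_dblock */
#define OFF_LOG_BSIZE    24      /* e2fs_log_bsize: block size = 1024 << value */
#define OFF_MAGIC        56      /* e2fs_magic */
#define E2FS_MAGIC       0xEF53
#define MAX_LOG_BSIZE    6       /* assumption of this example: cap at 64 KiB blocks */

enum sb_status { SB_OK, SB_BAD_MAGIC, SB_BAD_BSIZE, SB_BAD_FIRST_DBLOCK };

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = v >> 8 & 0xff; p[2] = v >> 16 & 0xff; p[3] = v >> 24 & 0xff;
}

/* Validate e2fs_first_dblock before any code uses it to compute block numbers to read. */
enum sb_status check_first_dblock(const uint8_t *sb) {
    if ((sb[OFF_MAGIC] | sb[OFF_MAGIC + 1] << 8) != E2FS_MAGIC) return SB_BAD_MAGIC;
    uint32_t log_bsize = le32(sb + OFF_LOG_BSIZE);
    if (log_bsize > MAX_LOG_BSIZE) return SB_BAD_BSIZE;
    uint32_t first = le32(sb + OFF_FIRST_DBLOCK);
    /* The superblock sits at byte 1024: block 1 with 1 KiB blocks, inside block 0 otherwise. */
    uint32_t expected = (log_bsize == 0) ? 1 : 0;
    if (first != expected || first >= le32(sb + OFF_BCOUNT)) return SB_BAD_FIRST_DBLOCK;
    return SB_OK;
}

/* Constructed sample superblock: only the fields the check reads are filled in. */
void make_sb(uint8_t *sb, uint32_t log_bsize, uint32_t first_dblock) {
    memset(sb, 0, SB_SIZE);
    put32(sb + OFF_BCOUNT, 8192);
    put32(sb + OFF_FIRST_DBLOCK, first_dblock);
    put32(sb + OFF_LOG_BSIZE, log_bsize);
    sb[OFF_MAGIC] = 0x53; sb[OFF_MAGIC + 1] = 0xEF;
}

int main(void) {
    uint8_t sb[SB_SIZE];
    make_sb(sb, 0, 1); printf("1 KiB, first_dblock=1: %d\n", check_first_dblock(sb));
    make_sb(sb, 0, 0); printf("1 KiB, first_dblock=0: %d\n", check_first_dblock(sb));
    make_sb(sb, 2, 0); printf("4 KiB, first_dblock=0: %d\n", check_first_dblock(sb));
    return 0;
}
```

The second case is the damaged-image condition from the report (1 KiB blocks with the field zeroed) and is rejected before any block number is derived from it.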