[Bug 277414] FAT SecPerClust=128 can cause crash

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 01 Mar 2024 14:53:30 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277414

            Bug ID: 277414
           Summary: FAT SecPerClust=128 can cause crash
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 248848
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=248848&action=edit
FAT file system image with SecPerClust=128, causes crash

The attached FAT image specifies a SecPerClust of 128. This causes
readep() in msdosfs_lookup.c to call bread() with a size of 65536.
getblkx() calculates a maxsize that's somewhat larger, 69120:

                        maxsize = size + (offset & PAGE_MASK);

and bufkva_alloc() on an INVARIANTS kernel thinks that's too big:

        KASSERT(maxsize <= maxbcachebuf,
            ("bufkva_alloc kva too large %d %u", maxsize, maxbcachebuf));

On a non-INVARIANTS kernel, something gets corrupted and the system
eventually crashes.
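The arithmetic behind the report, as an added example rather than code from the bug or from the FreeBSD kernel: it computes the cluster size from the BPB fields, applies the getblkx() formula quoted above, rounds the result the way the buffer-cache KVA allocator does before its KASSERT, and wraps that in a mount-time check that rejects a cluster size which cannot stay under the limit. The page size (4096), the 65536 limit (the second number in the panic message) and the 16384 BKVASIZE rounding granularity are assumptions for a default amd64 kernel; the BPB values are constructed to match the attached image.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed defaults for an amd64 kernel (not stated in the report):
 * 4 KiB pages, a 64 KiB maxbcachebuf (the "65536" in the panic line) and
 * a 16 KiB KVA granularity that buffer allocations are rounded up to. */
#define PAGE_SIZE      4096u
#define PAGE_MASK      (PAGE_SIZE - 1)
#define MAXBCACHEBUF   65536u
#define BKVASIZE       16384u
#define BKVAMASK       (BKVASIZE - 1)

/* The two FAT BIOS Parameter Block fields that determine the read size. */
struct fat_bpb {
    uint16_t bytes_per_sec;   /* BytesPerSec */
    uint8_t  sec_per_clust;   /* SecPerClust */
};

/* Bytes in one cluster: the size readep() hands to bread(). */
static unsigned cluster_bytes(const struct fat_bpb *bpb)
{
    return (unsigned)bpb->bytes_per_sec * bpb->sec_per_clust;
}

/* The getblkx() calculation quoted in the report:
 * maxsize = size + (offset & PAGE_MASK). */
static unsigned getblkx_maxsize(unsigned size, uint64_t offset)
{
    return size + (unsigned)(offset & PAGE_MASK);
}

/* Round up to the KVA granularity, as the buffer cache does before the
 * "kva too large" KASSERT (assumed BKVASIZE rounding). */
static unsigned kva_rounded(unsigned maxsize)
{
    return (maxsize + BKVAMASK) & ~BKVAMASK;
}

/* Hypothetical mount-time check (not the project's fix): a cluster only
 * passes if a read of it still fits after the worst-case page-offset slack
 * of PAGE_MASK bytes has been added and the total rounded up. */
static bool cluster_size_safe(const struct fat_bpb *bpb)
{
    unsigned cb = cluster_bytes(bpb);

    if (cb == 0 || (cb & (cb - 1)) != 0)   /* FAT requires a power of two */
        return false;
    return kva_rounded(getblkx_maxsize(cb, PAGE_MASK)) <= MAXBCACHEBUF;
}

int main(void)
{
    /* Constructed BPBs: the first matches the attached image. */
    struct fat_bpb bad = { 512, 128 };
    struct fat_bpb ok  = { 512, 64 };
    unsigned size = cluster_bytes(&bad);
    /* An offset whose low 12 bits are 3584 gives the report's 69120. */
    unsigned maxsize = getblkx_maxsize(size, 3584);

    printf("cluster=%u maxsize=%u rounded=%u limit=%u\n",
           size, maxsize, kva_rounded(maxsize), MAXBCACHEBUF);
    printf("SecPerClust=128 safe: %s\n", cluster_size_safe(&bad) ? "yes" : "no");
    printf("SecPerClust=64  safe: %s\n", cluster_size_safe(&ok) ? "yes" : "no");
    return 0;
}
```

With the assumed constants the 69120 from the text rounds up to 81920, which is the first number the panic prints, so the two figures in the report describe the same allocation before and after rounding; a 32 KiB cluster (SecPerClust=64) leaves enough headroom and passes the check.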

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #18 main-n268497-3562b7b1eb80: Fri Feb 23 07:08:37 AST 2024    root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# cp fat3d.img junk
# mdconfig -f junk
# mount_msdosfs /dev/md0 /mnt
# cat < /mnt/d/y > /dev/null
panic: bufkva_alloc kva too large 81920 65536
cpuid = 8
time = 1709302796
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe012559c2f0
vpanic() at vpanic+0x135/frame 0xfffffe012559c420
panic() at panic+0x43/frame 0xfffffe012559c480
bufkva_alloc() at bufkva_alloc+0x13c/frame 0xfffffe012559c4c0
getnewbuf() at getnewbuf+0x4b1/frame 0xfffffe012559c530
getblkx() at getblkx+0x655/frame 0xfffffe012559c5f0
breadn_flags() at breadn_flags+0x44/frame 0xfffffe012559c660
readep() at readep+0xc1/frame 0xfffffe012559c6d0
deget() at deget+0x341/frame 0xfffffe012559c770
msdosfs_lookup_ino() at msdosfs_lookup_ino+0xa9d/frame 0xfffffe012559c9c0
vfs_cache_lookup() at vfs_cache_lookup+0xa6/frame 0xfffffe012559ca10
vfs_lookup() at vfs_lookup+0x457/frame 0xfffffe012559caa0
namei() at namei+0x2d1/frame 0xfffffe012559cb00
vn_open_cred() at vn_open_cred+0x505/frame 0xfffffe012559cc80
openatfp() at openatfp+0x287/frame 0xfffffe012559cdd0
sys_openat() at sys_openat+0x45/frame 0xfffffe012559ce00
amd64_syscall() at amd64_syscall+0x153/frame 0xfffffe012559cf30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe012559cf30
--- syscall (499, FreeBSD ELF64, openat), rip = 0x1462c90d3fa, rsp = 0x14629bb7308, rbp = 0x14629bb73e0 ---
