bin/187221: fsck_ufs -p segmentation fault with SU+J

Mon Mar 3 12:00:01 UTC 2014

>Number:         187221
>Category:       bin
>Synopsis:       fsck_ufs -p segmentation fault with SU+J
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 03 12:00:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Petr Lampa
>Release:        9.2-STABLE
>Organization:
BUT FIT
>Environment:
FreeBSD xxx 9.2-STABLE FreeBSD 9.2-STABLE #23: Thu Jan 23 08:17:47 CET 2014     root at xxx:/usr/src/sys/amd64/compile/XXX  amd64
>Description:
Some mismatch in SU+J journal was found during initial fsck -p 
and it ends with segmentaion fault. Full fsck -y run without problems.

(gdb) where
#0  0x0000000000404fb0 in ckfini (markclean=0)
    at /usr/src/sbin/fsck_ffs/fsutil.c:418
#1  0x000000000040548b in pfatal (fmt=<value optimized out>)
    at /usr/src/sbin/fsck_ffs/fsutil.c:980
#2  0x00000000004047e1 in reply (question=0x417d07 "FALLBACK TO FULL FSCK")
    at /usr/src/sbin/fsck_ffs/fsutil.c:106
#3  0x0000000000413462 in suj_check (filesys=0x41007928 "/dev/mirror/root")
    at /usr/src/sbin/fsck_ffs/suj.c:2685
#4  0x0000000000408ca8 in main (argc=8193, argv=0x7fffffffdc50)
    at /usr/src/sbin/fsck_ffs/main.c:403
(gdb) frame 0
#0  0x0000000000404fb0 in ckfini (markclean=0)
    at /usr/src/sbin/fsck_ffs/fsutil.c:418
418                     if (cgbufs[cnt].b_un.b_cg == NULL)
(gdb) l
413                     free((char *)bp);
414             }
415             if (numbufs != cnt)
416                     errx(EEXIT, "panic: lost %d buffers", numbufs - cnt);
417             for (cnt = 0; cnt < sblock.fs_ncg; cnt++) {
418                     if (cgbufs[cnt].b_un.b_cg == NULL)
419                             continue;
420                     flush(fswritefd, &cgbufs[cnt]);
421                     free(cgbufs[cnt].b_un.b_cg);
422             }
 p cgbufs
$4 = (struct bufarea *) 0x0
(gdb)

It seems that cgbufs were not allocated, but they are flushed in ckfini() in
this case. This look similar problem like 
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=478954+0+current/svn-src-head

>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted: