[Bug 259107] A damaged ext2 superblock can cause a panic due to a recursive bread().

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 12 Oct 2021 16:21:48 UTC

            Bug ID: 259107
           Summary: A damaged ext2 superblock can cause a panic due to a
                    recursive bread().
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 228630
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228630&action=edit
A damaged ext3 disk image that causes a recursive bread lock attempt.

If a damaged ext2 file system has its e2fs_first_dblock superblock
field set to zero instead of 1, ext2_compute_sb_data() will attempt
to bread() block 1 even though ext2_mount() already has that disk
block locked. The panic could be avoided if ext2_compute_sb_data()
had another sanity check on e2fs_first_dblock.

I've attached a demo disk image:

# gunzip ext39.img.gz
# mdconfig -f ext39.img
# mount -t ext2fs -o ro /dev/md0 /mnt
panic: lockmgr_xlock_hard: recursing on non recursive lockmgr
0xfffffe00086efc78 @ /usr/src/sys/kern/vfs_bio.c:3962
panic() at panic+0x43/frame 0xfffffe009bb522c0
lockmgr_xlock_hard() at lockmgr_xlock_hard+0xee/frame 0xfffffe009bb52370
__lockmgr_args() at __lockmgr_args+0x1f9/frame 0xfffffe009bb52410
getblkx() at getblkx+0x195/frame 0xfffffe009bb524d0
breadn_flags() at breadn_flags+0x44/frame 0xfffffe009bb52540
ext2_compute_sb_data() at ext2_compute_sb_data+0x80d/frame 0xfffffe009bb525d0
ext2_mount() at ext2_mount+0xea9/frame 0xfffffe009bb52770
vfs_domount() at vfs_domount+0x8d8/frame 0xfffffe009bb529e0
vfs_donmount() at vfs_donmount+0x880/frame 0xfffffe009bb52a80
sys_nmount() at sys_nmount+0x69/frame 0xfffffe009bb52ac0
amd64_syscall() at amd64_syscall+0x12e/frame 0xfffffe009bb52bf0
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe009bb52bf0

You are receiving this mail because:
You are the assignee for the bug.