kern/104753: kernel panic in ffs_dirpref() with "strange" filesystem parameters

Alexey Zakirov frank at unshadow.net
Tue Oct 24 08:10:22 PDT 2006


>Number:         104753
>Category:       kern
>Synopsis:       kernel panic in ffs_dirpref() with "strange" filesystem parameters
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 24 15:10:21 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Alexey Zakirov
>Release:        6.2-PRERELEASE
>Organization:
IN-LINE Technologies
>Environment:
FreeBSD hellbell.bm.in-line.local 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #3: Tue Oct 24 14:46:39 MSD 2006     root at hellbell.bm.in-line.local:/usr/obj/usr/src/sys/SGENERIC  i386
>Description:
Create a filesystem (UFS2) with "strange" parameters (it was really a mistype):
newfs -g 1073741824 -h 512 -U /dev/da0s2a (it was about 220 GB in my case).

An attempt to run "mkdir some/directory" on the created filesystem causes a kernel panic.

Script started on Tue Oct 24 19:00:20 2006
root at hellbell:/var/crash# kgdb -n 0
kgdb: kvm_nlist(_stopped_cpus): 
kgdb: kvm_nlist(_stoppcbs): 
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 18: integer divide fault while in kernel mode
instruction pointer	= 0x20:0xc0635e52
stack pointer	        = 0x28:0xd6f02984
frame pointer	        = 0x28:0xd6f029b0
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 2007 (mkdir)
trap number		= 18
panic: integer divide fault
Uptime: 11m59s
Dumping 511 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 511MB (130816 pages) 496 480 464 448 432 416 400 384 368 352 336 320 304 288 272 256 240 224 208 192 176 160 144 128 112 96 80 64 48 32 16

#0  doadump () at pcpu.h:165
165	pcpu.h: No such file or directory.
	in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc052a74e in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc052aa14 in panic (fmt=0xc06dd6bd "%s") at /usr/src/sys/kern/kern_shutdown.c:565
#3  0xc06b58d6 in trap_fatal (frame=0xd6f02944, eva=0) at /usr/src/sys/i386/i386/trap.c:837
#4  0xc06b53c8 in trap (frame=
      {tf_fs = -1066729464, tf_es = 40, tf_ds = 40, tf_edi = -999532544, tf_esi = 0, tf_ebp = -688903760, tf_isp = -688903824, tf_ebx = 192692224, tf_edx = 0, tf_ecx = 0, tf_eax = 186613760, tf_trapno = 18, tf_err = 0, tf_eip = -1067229614, tf_cs = 32, tf_eflags = 66054, tf_esp = -1005662076, tf_ss = -844379568}) at /usr/src/sys/i386/i386/trap.c:632
#5  0xc06a33ea in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#6  0xc0635e52 in ffs_dirpref (pip=0xc40ed084) at libkern.h:56
#7  0xc0635938 in ffs_valloc (pvp=0xc40e7dd0, mode=16877, cred=0xc4061a00, vpp=0xd6f02a10)
    at /usr/src/sys/ufs/ffs/ffs_alloc.c:915
#8  0xc065cf28 in ufs_mkdir (ap=0xd6f02bb8) at /usr/src/sys/ufs/ufs/ufs_vnops.c:1362
#9  0xc06c7070 in VOP_MKDIR_APV (vop=0xb1f8000, a=0xd6f02bb8) at vnode_if.c:1251
#10 0xc058cc0d in kern_mkdir (td=0xc3e03180, path=0xbfbfe9c5 <Address 0xbfbfe9c5 out of bounds>, segflg=UIO_USERSPACE, 
    mode=511) at vnode_if.h:653
#11 0xc058c8ed in mkdir (td=0xc3e03180, uap=0xb1f8000) at /usr/src/sys/kern/vfs_syscalls.c:3387
#12 0xc06b5beb in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = -1077941819, tf_esi = 0, tf_ebp = -1077942344, tf_isp = -688902812, tf_ebx = -1077941803, tf_edx = -1, tf_ecx = 672444096, tf_eax = 136, tf_trapno = 12, tf_err = 2, tf_eip = 672329163, tf_cs = 51, tf_eflags = 582, tf_esp = -1077942532, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:983
#13 0xc06a343f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#14 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) up 6
#6  0xc0635e52 in ffs_dirpref (pip=0xc40ed084) at libkern.h:56
56	static __inline u_int min(u_int a, u_int b) { return (a < b ? a : b); }
(kgdb) p fs->fs_avgfilesize
$1 = 1073741824
(kgdb) p fs->fs_avgfpdir
$2 = 512
(kgdb) p dirsize
$3 = 0

The code seems to have an overflow in the line (1051 in my ffs_alloc.c)
dirsize = fs->fs_avgfilesize * fs->fs_avgfpdir;
Due to the overflow 'dirsize' becomes 0 and later it is used in
maxcontigdirs = min((avgbfree * fs->fs_bsize) / dirsize, 255);

Version of ffs_alloc.c is
$FreeBSD: src/sys/ufs/ffs/ffs_alloc.c,v 1.132.2.4 2006/03/13 03:07:32 jeff Exp $
>How-To-Repeat:
newfs -g 1073741824 -h 512 -U /dev/da0s2a
mount /dev/da0s2a /mnt
mkdir -p /mnt/some/dirs
>Fix:
Do not use such big values for 'average file size' and 'average files per directory' while creating filesystem.
>Release-Note:
>Audit-Trail:
>Unformatted:


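Added example (not part of the PR and not FreeBSD's ffs_alloc.c): the arithmetic quoted in the report, reproduced in user-space C with the PR's own values, next to a checked variant that forms the product in 64 bits and refuses a zero divisor instead of dividing. The struct below is an assumed stand-in for the three struct fs fields involved; fs_bsize = 16384, the "sane" newfs defaults (-g 16384 -h 64) and the avgbfree value of 1000 are assumptions for the example, not values from the PR.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed stand-in for the struct fs fields the PR inspects in kgdb.
 * Field names follow the kgdb output; the struct itself is an assumption.
 */
struct fs_tunables {
	int32_t fs_avgfilesize;	/* newfs -g */
	int32_t fs_avgfpdir;	/* newfs -h */
	int32_t fs_bsize;	/* filesystem block size */
};

/* The values the PR reports; fs_bsize assumed to be the 16 KiB UFS2 default. */
const struct fs_tunables pr104753_fs = { 1073741824, 512, 16384 };

/* Assumed newfs defaults (-g 16384 -h 64) for comparison. */
const struct fs_tunables sane_fs = { 16384, 64, 16384 };

/*
 * The product exactly as the PR quotes it, in 32-bit arithmetic.
 * 2^30 * 2^9 = 2^39 does not fit in 32 bits; its low 32 bits are all zero,
 * so the result is 0. Computed in uint32_t here so the wrap is defined C;
 * the kernel's int arithmetic is undefined on overflow but wraps the same
 * way in practice on i386, which is what the PR observed.
 */
uint32_t dirsize_wrapping(const struct fs_tunables *fs)
{
	return (uint32_t)fs->fs_avgfilesize * (uint32_t)fs->fs_avgfpdir;
}

/* 1 if the quoted division would raise an integer divide fault, else 0. */
int would_divide_fault(const struct fs_tunables *fs)
{
	return dirsize_wrapping(fs) == 0;
}

/*
 * Checked variant: the product is formed in 64 bits so it cannot wrap, and a
 * zero or negative tunable (corrupt or mis-built superblock) is refused
 * instead of dividing. Returns -1 on unusable parameters, otherwise the
 * value min(avgbfree * fs_bsize / dirsize, 255) the PR's line computes.
 * avgbfree (average free blocks per cylinder group) is an input here; in
 * the kernel it is derived from the superblock summary.
 */
int maxcontigdirs_checked(const struct fs_tunables *fs, uint32_t avgbfree)
{
	if (fs->fs_avgfilesize <= 0 || fs->fs_avgfpdir <= 0 || fs->fs_bsize <= 0)
		return -1;
	uint64_t dirsize = (uint64_t)fs->fs_avgfilesize * (uint64_t)fs->fs_avgfpdir;
	uint64_t freebytes = (uint64_t)avgbfree * (uint64_t)fs->fs_bsize;
	uint64_t q = freebytes / dirsize;	/* dirsize >= 1 here */
	return q > 255 ? 255 : (int)q;
}

/*
 * What a newfs-side sanity check could enforce: the product of the two
 * tunables must fit the 32-bit type the kernel multiplies in.
 */
int tunables_fit_int32(const struct fs_tunables *fs)
{
	if (fs->fs_avgfilesize <= 0 || fs->fs_avgfpdir <= 0)
		return 0;
	return (uint64_t)fs->fs_avgfilesize * (uint64_t)fs->fs_avgfpdir <= INT32_MAX;
}

int main(void)
{
	const struct fs_tunables *cases[] = { &sane_fs, &pr104753_fs };
	for (int i = 0; i < 2; i++) {
		const struct fs_tunables *fs = cases[i];
		printf("-g %d -h %d: 32-bit dirsize=%u divide_fault=%d "
		    "checked maxcontigdirs=%d fits_int32=%d\n",
		    fs->fs_avgfilesize, fs->fs_avgfpdir, dirsize_wrapping(fs),
		    would_divide_fault(fs), maxcontigdirs_checked(fs, 1000),
		    tunables_fit_int32(fs));
	}
	return 0;
}
```

With the PR's values the 32-bit product is exactly 0, which is the divisor in the quoted min() line and hence the trap 18 in the backtrace; the 64-bit version yields the mathematically expected 0 for maxcontigdirs without ever dividing by zero. Rejecting the tunables up front, as tunables_fit_int32() does, is the check that belongs on the newfs side.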