[Bug 199476] [patch] panic when geom_uncompress tastes large filesystems

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu Apr 16 01:51:34 UTC 2015 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=199476

            Bug ID: 199476
           Summary: [patch] panic when geom_uncompress tastes large
                    filesystems
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: kwhite at site.uottawa.ca
          Keywords: patch

Created attachment 155638
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=155638&action=edit
patch to fix panic when tasting large compressed filesystems

geom_uncompress reads the header and all block offsets with a single
g_read_data() request.  This will fail (panic) if the total data
requested is greater then MAXPHYS.  i.e. when the total number of
block offsets approaches MAXPHYS / sizeof(uint64). The attached
patch changes the method of getting the block offsets to be the
same as that used by geom_uzip: sector by sector.

Patch attached.

Typical panic (please excuse transcription errors):

# kldload geom_uncompress
md0.uncompress: GEOM_UZIP image found
panic: g_read_data(): invalid length 290816
cpuid = 1
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00932a59c0
vpanic() at vpanic+0x189/frame 0xfffffe00932a5a40
kassert_panic() at kassert_panic+0x132/frame 0xffffe00932a5ab0
g_read_data() at g_read_data+0x45/frame 0xffffe00932a5af0
g_uncompress_taste() at g_uncompress_taste_0x30d/frame 0xfffffe00932a5b40
g_load_class() at g_load_class+0x1cc/frame 0xfffffe00932a5b70
g_run_events() at g_run_events_0x1a7/frame 0xfffffe00932a5bb0
fork_exit() at fork_exit+0x84/frame 0xfffffe00932a5bf0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00932a5bf0
--- trap 0, rip = 0, rsp = 0xfffffe00932a5cb0, rbp = 0 ---
KDB: enter: panic
[ thread pid 13 tid 100013 ]
Stopped at      kdb_enter+0x3e: movq    $0,kdb_why
db>

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list