[Bug 254318] [panic] when a specific sequence of read requests is issued to a geom_uzip device the kernel panics
bugzilla-noreply at freebsd.org
Mon Mar 15 20:43:54 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254318
Bug ID: 254318
Summary: [panic] when a specific sequence of read requests is
issued to a geom_uzip device the kernel panics
Product: Base System
Version: 12.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: jgordeev at dir.bg
Created attachment 223307
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=223307&action=edit
list of read requests which cause a panic
Some sequences of read requests to a geom_uzip device, coupled with specific
uzip images, lead to a kernel panic on FreeBSD/amd64 12.2-RELEASE-p4. You can see
a stacktrace below. When reading linearly from the uzip device with dd(1), no
kernel panic occurs.
On FreeBSD/amd64 13.0-RC2 a different symptom is observed:
There is no kernel panic, but some of the read requests fail with errno EFAULT
even though they should succeed.
On FreeBSD/amd64 14.0-CURRENT (from
FreeBSD-14.0-CURRENT-amd64-20210311-15565e0a217-257277-disc1.iso) the behaviour
is the same as on 13.0-RC2.
A kernel minidump from 12.2-RELEASE-p4 is provided in the file 'vmcore.3.gz'
(available for download). Official binaries from the FreeBSD project were used.
For reproducing the kernel panic the following is provided:
1) A specific list of read requests (in the file 'script1.txt', attached)
2) A program that takes a list of read requests and performs them (in the
file 'sr.c', attached)
3) A uzip image (in the file 'system.uzip', available for download)
Steps for reproducing the kernel panic:
1) kldload geom_uzip
2) mdconfig -a -t vnode -o readonly -f system.uzip -u 0
3) ./sr /dev/md0.uzip < script1.txt
The files 'vmcore.3.gz' and 'system.uzip' can be downloaded from
<https://drive.google.com/drive/folders/1mmsdCcxEFmU8XzdQpXJoJdvLJbqqnD_X?usp=sharing>.
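The attached sr.c is not reproduced on this page. What follows is an added stand-in written for this edit, not the reporter's program: it shows the shape of such a replay harness. It reads one request per line as "<offset> <length>" (an assumed format; the layout of the real script1.txt is not shown here), issues each with pread(2) against the device given on the command line, and reports the errno of every failed request, which is how the EFAULT failures seen on 13.0-RC2 would surface. Replaying a recorded request pattern this way is also the quickest way to confirm whether a given kernel still misbehaves on an image once a fix lands.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* One read request: byte offset into the device and number of bytes to read.
 * The "offset length" line format is an assumption for this example. */
struct read_req {
    off_t offset;
    size_t length;
};

/* Parse "<offset> <length>" (decimal). Returns 0 on success, 1 for a blank or
 * '#' comment line (skipped), -1 for a malformed line. */
int parse_request(const char *line, struct read_req *req)
{
    const char *p = line;
    char *end;
    unsigned long long off, len;

    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == '\0' || *p == '\n' || *p == '#')
        return 1;
    errno = 0;
    off = strtoull(p, &end, 10);
    if (errno != 0 || end == p)
        return -1;
    p = end;
    len = strtoull(p, &end, 10);
    if (errno != 0 || end == p || len == 0)
        return -1;
    req->offset = (off_t)off;
    req->length = (size_t)len;
    return 0;
}

/* Issue one request with pread(2). Returns the byte count pread returned
 * (negative on error) and stores errno in *err (0 on success). A short
 * positive count means the device returned fewer bytes than asked for. */
ssize_t do_request(int fd, const struct read_req *req, int *err)
{
    char *buf = malloc(req->length);
    ssize_t n;

    if (buf == NULL) {
        *err = ENOMEM;
        return -1;
    }
    n = pread(fd, buf, req->length, req->offset);
    *err = (n < 0) ? errno : 0;
    free(buf);
    return n;
}

/* Replay every request read from 'in' against 'fd'; returns the number of
 * requests whose pread failed. Failures and short reads go to stderr with
 * the line number, so a failing pattern can be narrowed down. */
int replay(FILE *in, int fd)
{
    char line[256];
    struct read_req req;
    int lineno = 0, failures = 0, err;

    while (fgets(line, sizeof line, in) != NULL) {
        lineno++;
        int rc = parse_request(line, &req);
        if (rc == 1)
            continue;
        if (rc < 0) {
            fprintf(stderr, "line %d: malformed request\n", lineno);
            continue;
        }
        ssize_t n = do_request(fd, &req, &err);
        if (n < 0) {
            failures++;
            fprintf(stderr, "line %d: pread(off=%lld, len=%zu) failed: %s\n",
                    lineno, (long long)req.offset, req.length, strerror(err));
        } else if ((size_t)n != req.length) {
            fprintf(stderr, "line %d: short read, %zd of %zu bytes\n",
                    lineno, n, req.length);
        }
    }
    return failures;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /dev/mdN.uzip < requests.txt\n", argv[0]);
        return 2;
    }
    int fd = open(argv[1], O_RDONLY);
    if (fd < 0) {
        perror(argv[1]);
        return 1;
    }
    int failures = replay(stdin, fd);
    close(fd);
    return failures ? 1 : 0;
}
```

Usage mirrors step 3 of the report: `./harness /dev/md0.uzip < requests.txt`. Because requests are fed through stdin one per line, bisecting a long pattern down to the minimal failing prefix is a matter of `head -n N`.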
Graham Perrin contributed significantly to discovering and documenting this
problem. Please mention him where appropriate.
A stacktrace from the panic on 12.2-RELEASE-p4:
#0 doadump () at src/sys/amd64/include/pcpu_aux.h:55
55 __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (offsetof(struct
pcpu,
(kgdb) #0 doadump () at src/sys/amd64/include/pcpu_aux.h:55
#1 0xffffffff80bbec45 in kern_reboot (howto=260)
at /usr/src/sys/kern/kern_shutdown.c:451
#2 0xffffffff80bbf083 in vpanic (fmt=<value optimized out>,
ap=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:880
#3 0xffffffff80bbeea3 in panic (fmt=<value optimized out>)
at /usr/src/sys/kern/kern_shutdown.c:807
#4 0xffffffff80ef3722 in vm_fault (map=<value optimized out>,
vaddr=<value optimized out>, fault_type=<value optimized out>,
fault_flags=<value optimized out>, m_hold=<value optimized out>)
at /usr/src/sys/vm/vm_fault.c:727
#5 0xffffffff80ef1130 in vm_fault_trap (map=0xfffff80003001000,
vaddr=<value optimized out>, fault_type=<value optimized out>,
fault_flags=0, signo=0x0, ucode=0x0) at /usr/src/sys/vm/vm_fault.c:574
#6 0xffffffff8108eabc in trap_pfault (frame=0xfffffe001baf4850,
usermode=false, signo=<value optimized out>, ucode=<value optimized out>)
at /usr/src/sys/amd64/amd64/trap.c:824
#7 0xffffffff8108dfb6 in trap (frame=0xfffffe001baf4850)
at /usr/src/sys/amd64/amd64/trap.c:405
#8 0xffffffff81066c28 in calltrap ()
at /usr/src/sys/amd64/amd64/exception.S:289
#9 0xffffffff80caedb3 in _zlib104_inflate_fast (bl=<value optimized out>,
bd=<value optimized out>, tl=0xfffffe001c111010, td=0xfffff800038d6390,
s=0xfffff8000381c180, z=0xfffff80003822130)
at /usr/src/sys/libkern/zlib.c:5015
#10 0xffffffff80cadc50 in inflate_codes (s=0xfffff8000381c180,
z=0xfffff80003822130, r=<value optimized out>)
at /usr/src/sys/libkern/zlib.c:4715
#11 0xffffffff80cac5b6 in inflate_blocks (s=<value optimized out>,
z=0xfffff80003822130, r=470883682) at /usr/src/sys/libkern/zlib.c:3972
#12 0xffffffff80cab8a6 in _zlib104_inflate (z=0xfffff80003822130, f=5)
at /usr/src/sys/libkern/zlib.c:3270
#13 0xffffffff82723d6c in g_uzip_zlib_decompress (zpp=<value optimized out>,
gp_name=0xfffff8000305d540 "md0.uzip", ibp=<value optimized out>,
ilen=<value optimized out>, obp=<value optimized out>)
at /usr/src/sys/geom/uzip/g_uzip_zlib.c:77
#14 0xffffffff827231a2 in g_uzip_do (sc=<value optimized out>,
bp=<value optimized out>) at /usr/src/sys/geom/uzip/g_uzip.c:395
#15 0xffffffff827240b4 in g_uzip_wrkthr (arg=0xfffff80055240000)
at /usr/src/sys/geom/uzip/g_uzip_wrkthr.c:69
#16 0xffffffff80b8088e in fork_exit (
callout=0xffffffff82723f80 <g_uzip_wrkthr>, arg=0xfffff80055240000,
frame=0xfffffe001baf4c00) at /usr/src/sys/kern/kern_fork.c:1080
#17 0xffffffff81067c5e in fork_trampoline ()
at /usr/src/sys/amd64/amd64/exception.S:1078
#18 0x0000000000000000 in ?? ()