Bug 277414 - FAT SecPerClust=128 can cause crash
Summary: FAT SecPerClust=128 can cause crash
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-fs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-01 14:53 UTC by Robert Morris
Modified: 2024-03-11 09:41 UTC (History)
2 users (show)

See Also:

Attachments
FAT file system image with SecPerClust=128, causes crash (200.00 KB, application/x-apple-diskimage)
2024-03-01 14:53 UTC, Robert Morris 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Morris 2024-03-01 14:53:30 UTC 
Created attachment 248848 [details]
FAT file system image with SecPerClust=128, causes crash

The attached FAT image specifies a SecPerClust of 128. This causes
readep() in msdosfs_lookup.c to call bread() with size of 65536.
getblkx() calculates a maxsize that's somewhat larger, 69120:

                        maxsize = size + (offset & PAGE_MASK);

and bufkva_alloc() on an INVARIANTS kernel thinks that's too big:

        KASSERT(maxsize <= maxbcachebuf,
            ("bufkva_alloc kva too large %d %u", maxsize, maxbcachebuf));

On a non-INVARIANTS kernel, something gets corrupted and the system
eventually crashes.

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #18 main-n268497-3562b7b1eb80: Fri Feb 23 07:08:37 AST 2024     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# cp fat3d.img junk
# mdconfig -f junk
# mount_msdosfs /dev/md0 /mnt
# cat < /mnt/d/y > /dev/null
panic: bufkva_alloc kva too large 81920 65536
cpuid = 8
time = 1709302796
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe012559c2f0
vpanic() at vpanic+0x135/frame 0xfffffe012559c420
panic() at panic+0x43/frame 0xfffffe012559c480
bufkva_alloc() at bufkva_alloc+0x13c/frame 0xfffffe012559c4c0
getnewbuf() at getnewbuf+0x4b1/frame 0xfffffe012559c530
getblkx() at getblkx+0x655/frame 0xfffffe012559c5f0
breadn_flags() at breadn_flags+0x44/frame 0xfffffe012559c660
readep() at readep+0xc1/frame 0xfffffe012559c6d0
deget() at deget+0x341/frame 0xfffffe012559c770
msdosfs_lookup_ino() at msdosfs_lookup_ino+0xa9d/frame 0xfffffe012559c9c0
vfs_cache_lookup() at vfs_cache_lookup+0xa6/frame 0xfffffe012559ca10
vfs_lookup() at vfs_lookup+0x457/frame 0xfffffe012559caa0
namei() at namei+0x2d1/frame 0xfffffe012559cb00
vn_open_cred() at vn_open_cred+0x505/frame 0xfffffe012559cc80
openatfp() at openatfp+0x287/frame 0xfffffe012559cdd0
sys_openat() at sys_openat+0x45/frame 0xfffffe012559ce00
amd64_syscall() at amd64_syscall+0x153/frame 0xfffffe012559cf30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe012559cf30
--- syscall (499, FreeBSD ELF64, openat), rip = 0x1462c90d3fa, rsp = 0x14629bb7308, rbp = 0x14629bb73e0 ---
Comment 1 commit-hook freebsd_committer freebsd_triage 2024-03-02 05:03:34 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=7e4ac11b6076e6a9bf7341ddeae22784284ed733

commit 7e4ac11b6076e6a9bf7341ddeae22784284ed733
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2024-03-02 04:58:57 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2024-03-02 05:02:55 +0000

    getblkx(9): be more tolerant but also strict with the buffer size checks

    It is possible that on-disk filesystem format causes allocation of
    buffers of size larger than maxbcachebuf.  Currently, getblkx() and
    indirectly bufkva_alloc() panic in that situation.

    It is more useful to return an error instead, allowing the system to
    continue running.

    PR:     277414
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation

 sys/kern/vfs_bio.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2024-03-09 09:06:00 UTC 
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=f7d51eb77e848a6f7823d98349ebabb6efce4e52

commit f7d51eb77e848a6f7823d98349ebabb6efce4e52
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2024-03-02 04:58:57 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2024-03-09 09:05:03 +0000

    getblkx(9): be more tolerant but also strict with the buffer size checks

    PR:     277414

    (cherry picked from commit 7e4ac11b6076e6a9bf7341ddeae22784284ed733)

 sys/kern/vfs_bio.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-03-09 09:07:02 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=1c1fde7540d813703d775e013a950145224f182e

commit 1c1fde7540d813703d775e013a950145224f182e
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2024-03-02 04:58:57 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2024-03-08 18:48:02 +0000

    getblkx(9): be more tolerant but also strict with the buffer size checks

    PR:     277414

    (cherry picked from commit 7e4ac11b6076e6a9bf7341ddeae22784284ed733)

 sys/kern/vfs_bio.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)