Bug 199476

Summary: [patch] panic when geom_uncompress tastes large filesystems
Product: Base System
Reporter: Keith White <ksw.childe>
Component: kern
Assignee: Andrey V. Elsukov <ae>
Status: Closed FIXED
Severity: Affects Only Me
CC: ae
Priority: ---
Keywords: patch
Version: CURRENT
Hardware: Any
OS: Any
Attachments (Description / Flags):
patch to fix panic when tasting large compressed filesystems / none
Proposed patch / none
Proposed patch / none

Description Keith White 2015-04-16 01:51:33 UTC
Created attachment 155638
patch to fix panic when tasting large compressed filesystems

geom_uncompress reads the header and all block offsets with a single
g_read_data() request.  This will fail (panic) if the total data
requested is greater than MAXPHYS, i.e. when the total number of
block offsets approaches MAXPHYS / sizeof(uint64). The attached
patch changes the method of getting the block offsets to be the
same as that used by geom_uzip: sector by sector.

Patch attached.

Typical panic (please excuse transcription errors):

# kldload geom_uncompress
md0.uncompress: GEOM_UZIP image found
panic: g_read_data(): invalid length 290816
cpuid = 1
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00932a59c0
vpanic() at vpanic+0x189/frame 0xfffffe00932a5a40
kassert_panic() at kassert_panic+0x132/frame 0xffffe00932a5ab0
g_read_data() at g_read_data+0x45/frame 0xffffe00932a5af0
g_uncompress_taste() at g_uncompress_taste_0x30d/frame 0xfffffe00932a5b40
g_load_class() at g_load_class+0x1cc/frame 0xfffffe00932a5b70
g_run_events() at g_run_events_0x1a7/frame 0xfffffe00932a5bb0
fork_exit() at fork_exit+0x84/frame 0xfffffe00932a5bf0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00932a5bf0
--- trap 0, rip = 0, rsp = 0xfffffe00932a5cb0, rbp = 0 ---
KDB: enter: panic
[ thread pid 13 tid 100013 ]
Stopped at      kdb_enter+0x3e: movq    $0,kdb_why
db>

Comment 1 Andrey V. Elsukov freebsd_committer freebsd_triage 2015-05-18 13:15:12 UTC
Created attachment 156873
Proposed patch

Can you test this patch instead?

Comment 2 Andrey V. Elsukov freebsd_committer freebsd_triage 2015-05-18 14:47:29 UTC
Created attachment 156876
Proposed patch

Comment 3 Keith White 2015-05-18 18:59:40 UTC
Tested.  The proposed patch avoids the panic.

Thanks!

Comment 4 commit-hook freebsd_committer freebsd_triage 2015-05-19 09:29:06 UTC
A commit references this bug:

Author: ae
Date: Tue May 19 09:28:52 UTC 2015
New revision: 283104
URL: https://svnweb.freebsd.org/changeset/base/283104

Log:
  Read GEOM_UNCOMPRESS metadata using several requests that fit into
  MAXPHYS. For large compressed images the metadata size can be bigger
  than MAXPHYS and this triggers KASSERT in g_read_data().
  Also use g_free() to free memory allocated by g_read_data().

  PR:		199476
  MFC after:	2 weeks

Changes:
  head/sys/geom/uncompress/g_uncompress.c

Comment 5 commit-hook freebsd_committer freebsd_triage 2015-06-02 02:06:20 UTC
A commit references this bug:

Author: ae
Date: Tue Jun  2 02:05:32 UTC 2015
New revision: 283900
URL: https://svnweb.freebsd.org/changeset/base/283900

Log:
  MFC r283104:
    Read GEOM_UNCOMPRESS metadata using several requests that fit into
    MAXPHYS. For large compressed images the metadata size can be bigger
    than MAXPHYS and this triggers KASSERT in g_read_data().
    Also use g_free() to free memory allocated by g_read_data().

    PR:		199476

Changes:
_U  stable/10/
  stable/10/sys/geom/uncompress/g_uncompress.c
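
Added example, not the committed patch and not FreeBSD code: a user-space sketch of the approach named in the commit log, reading metadata in several requests that each fit the per-request limit. sim_read_data() is a hypothetical stand-in for g_read_data() that returns EINVAL where the kernel KASSERT would panic; the 512-byte sector size and 128 KiB limit are assumed values.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SIM_SECTOR  512u             /* assumed provider sector size */
#define SIM_MAXPHYS (128u * 1024u)   /* assumed per-request limit */

static int sim_requests;             /* reads that were accepted */

/* Hypothetical stand-in for g_read_data(): enforces the length rule but
 * returns EINVAL where the kernel's KASSERT would panic. */
static void *sim_read_data(const uint8_t *disk, size_t disksz, size_t off,
    size_t len, int *error)
{
    void *buf;

    *error = EINVAL;
    if (len < SIM_SECTOR || len % SIM_SECTOR != 0 || len > SIM_MAXPHYS ||
        off > disksz || len > disksz - off)
        return (NULL);
    *error = ENOMEM;
    if ((buf = malloc(len)) == NULL)
        return (NULL);
    memcpy(buf, disk + off, len);
    sim_requests++;
    *error = 0;
    return (buf);
}

/* Read `total` bytes of metadata from offset 0 in pieces <= SIM_MAXPHYS. */
static int read_metadata_chunked(const uint8_t *disk, size_t disksz,
    uint8_t *out, size_t total)
{
    size_t done = 0, want, len;
    void *buf;
    int error;

    while (done < total) {
        want = total - done > SIM_MAXPHYS ? SIM_MAXPHYS : total - done;
        /* Round the tail up to whole sectors; copy only `want` bytes. */
        len = (want + SIM_SECTOR - 1) / SIM_SECTOR * SIM_SECTOR;
        if ((buf = sim_read_data(disk, disksz, done, len, &error)) == NULL)
            return (error);
        memcpy(out + done, buf, want);
        free(buf);                   /* kernel code would call g_free() */
        done += want;
    }
    return (0);
}
```

With the 290816-byte length from the panic message, a single request is rejected, while the chunked reader completes in three requests.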