Bug 254318

Summary: [panic] when a specific sequence of read requests is issued to a geom_uzip device the kernel panics
Product: Base System Reporter: Jordan Gordeev <jgordeev>
Component: kernAssignee: freebsd-geom (Nobody) <geom>
Status: New ---    
Severity: Affects Some People CC: grahamperrin, probono
Priority: --- Keywords: crash
Version: 12.2-RELEASE   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
list of read requests which cause a panic
none
a program for reproduction none

Description Jordan Gordeev 2021-03-15 20:43:54 UTC 
Created attachment 223307 [details]
list of read requests which cause a panic

Some sequences of read requests to a geom_uzip device coupled with specific uzip images lead to kernel panic on FreeBSD/amd64 12.2-RELEASE-p4. You can see a stacktrace below. When reading linearly from the uzip device with dd(1) no kernel panic occurs.

On FreeBSD/amd64 13.0-RC2 a different symptom is observed:
There is no kernel panic, but some of the read requests fail with errno EFAULT even though they should succeed.

On FreeBSD/amd64 14.0-CURRENT (from FreeBSD-14.0-CURRENT-amd64-20210311-15565e0a217-257277-disc1.iso) the behaviour is the same as on 13.0-RC2.

A kernel minidump from 12.2-RELEASE-p4 is provided in the file 'vmcore.3.gz' (available for download). Official binaries from the FreeBSD project were used.

For reproducing the kernel panic the following is provided:
  1) A specific list of read requests (in the file 'script1.txt', attached)
  2) A program that takes a list of read requests and performs them (in the file 'sr.c', attached)
  3) A uzip image (in the file 'system.uzip', available for download)

Steps for reproducing the kernel panic:
  1) kldload geom_uzip
  2) mdconfig -a -t vnode -o readonly -f system.uzip -u 0
  3) ./sr /dev/md0.uzip < script1.txt

The files 'vmcore.3.gz' and 'system.uzip' can be downloaded from <https://drive.google.com/drive/folders/1mmsdCcxEFmU8XzdQpXJoJdvLJbqqnD_X?usp=sharing>.

Graham Perrin contributed significantly to discovering and documenting this problem. Please mention him where appropriate.

A stacktrace from the panic on 12.2-RELEASE-p4:

#0  doadump () at src/sys/amd64/include/pcpu_aux.h:55
55		__asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (offsetof(struct pcpu,
(kgdb) #0  doadump () at src/sys/amd64/include/pcpu_aux.h:55
#1  0xffffffff80bbec45 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:451
#2  0xffffffff80bbf083 in vpanic (fmt=<value optimized out>, 
    ap=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:880
#3  0xffffffff80bbeea3 in panic (fmt=<value optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:807
#4  0xffffffff80ef3722 in vm_fault (map=<value optimized out>, 
    vaddr=<value optimized out>, fault_type=<value optimized out>, 
    fault_flags=<value optimized out>, m_hold=<value optimized out>)
    at /usr/src/sys/vm/vm_fault.c:727
#5  0xffffffff80ef1130 in vm_fault_trap (map=0xfffff80003001000, 
    vaddr=<value optimized out>, fault_type=<value optimized out>, 
    fault_flags=0, signo=0x0, ucode=0x0) at /usr/src/sys/vm/vm_fault.c:574
#6  0xffffffff8108eabc in trap_pfault (frame=0xfffffe001baf4850, 
    usermode=false, signo=<value optimized out>, ucode=<value optimized out>)
    at /usr/src/sys/amd64/amd64/trap.c:824
#7  0xffffffff8108dfb6 in trap (frame=0xfffffe001baf4850)
    at /usr/src/sys/amd64/amd64/trap.c:405
#8  0xffffffff81066c28 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:289
#9  0xffffffff80caedb3 in _zlib104_inflate_fast (bl=<value optimized out>, 
    bd=<value optimized out>, tl=0xfffffe001c111010, td=0xfffff800038d6390, 
    s=0xfffff8000381c180, z=0xfffff80003822130)
    at /usr/src/sys/libkern/zlib.c:5015
#10 0xffffffff80cadc50 in inflate_codes (s=0xfffff8000381c180, 
    z=0xfffff80003822130, r=<value optimized out>)
    at /usr/src/sys/libkern/zlib.c:4715
#11 0xffffffff80cac5b6 in inflate_blocks (s=<value optimized out>, 
    z=0xfffff80003822130, r=470883682) at /usr/src/sys/libkern/zlib.c:3972
#12 0xffffffff80cab8a6 in _zlib104_inflate (z=0xfffff80003822130, f=5)
    at /usr/src/sys/libkern/zlib.c:3270
#13 0xffffffff82723d6c in g_uzip_zlib_decompress (zpp=<value optimized out>, 
    gp_name=0xfffff8000305d540 "md0.uzip", ibp=<value optimized out>, 
    ilen=<value optimized out>, obp=<value optimized out>)
    at /usr/src/sys/geom/uzip/g_uzip_zlib.c:77
#14 0xffffffff827231a2 in g_uzip_do (sc=<value optimized out>, 
    bp=<value optimized out>) at /usr/src/sys/geom/uzip/g_uzip.c:395
#15 0xffffffff827240b4 in g_uzip_wrkthr (arg=0xfffff80055240000)
    at /usr/src/sys/geom/uzip/g_uzip_wrkthr.c:69
#16 0xffffffff80b8088e in fork_exit (
    callout=0xffffffff82723f80 <g_uzip_wrkthr>, arg=0xfffff80055240000, 
    frame=0xfffffe001baf4c00) at /usr/src/sys/kern/kern_fork.c:1080
#17 0xffffffff81067c5e in fork_trampoline ()
    at /usr/src/sys/amd64/amd64/exception.S:1078
#18 0x0000000000000000 in ?? ()
Comment 1 Jordan Gordeev 2021-03-15 20:44:44 UTC 
Created attachment 223308 [details]
a program for reproduction