Bug 277414

Summary: FAT SecPerClust=128 can cause crash
Product: Base System Reporter: Robert Morris <rtm>
Component: kernAssignee: freebsd-fs (Nobody) <fs>
Status: Closed FIXED    
Severity: Affects Some People CC: emaste, kib
Priority: ---    
Version: CURRENT   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
FAT file system image with SecPerClust=128, causes crash none

Description Robert Morris 2024-03-01 14:53:30 UTC
Created attachment 248848 [details]
FAT file system image with SecPerClust=128, causes crash

The attached FAT image specifies a SecPerClust of 128. This causes
readep() in msdosfs_lookup.c to call bread() with size of 65536.
getblkx() calculates a maxsize that's somewhat larger, 69120:

                        maxsize = size + (offset & PAGE_MASK);

and bufkva_alloc() on an INVARIANTS kernel thinks that's too big:

        KASSERT(maxsize <= maxbcachebuf,
            ("bufkva_alloc kva too large %d %u", maxsize, maxbcachebuf));

On a non-INVARIANTS kernel, something gets corrupted and the system
eventually crashes.

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #18 main-n268497-3562b7b1eb80: Fri Feb 23 07:08:37 AST 2024     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# cp fat3d.img junk
# mdconfig -f junk
# mount_msdosfs /dev/md0 /mnt
# cat < /mnt/d/y > /dev/null
panic: bufkva_alloc kva too large 81920 65536
cpuid = 8
time = 1709302796
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe012559c2f0
vpanic() at vpanic+0x135/frame 0xfffffe012559c420
panic() at panic+0x43/frame 0xfffffe012559c480
bufkva_alloc() at bufkva_alloc+0x13c/frame 0xfffffe012559c4c0
getnewbuf() at getnewbuf+0x4b1/frame 0xfffffe012559c530
getblkx() at getblkx+0x655/frame 0xfffffe012559c5f0
breadn_flags() at breadn_flags+0x44/frame 0xfffffe012559c660
readep() at readep+0xc1/frame 0xfffffe012559c6d0
deget() at deget+0x341/frame 0xfffffe012559c770
msdosfs_lookup_ino() at msdosfs_lookup_ino+0xa9d/frame 0xfffffe012559c9c0
vfs_cache_lookup() at vfs_cache_lookup+0xa6/frame 0xfffffe012559ca10
vfs_lookup() at vfs_lookup+0x457/frame 0xfffffe012559caa0
namei() at namei+0x2d1/frame 0xfffffe012559cb00
vn_open_cred() at vn_open_cred+0x505/frame 0xfffffe012559cc80
openatfp() at openatfp+0x287/frame 0xfffffe012559cdd0
sys_openat() at sys_openat+0x45/frame 0xfffffe012559ce00
amd64_syscall() at amd64_syscall+0x153/frame 0xfffffe012559cf30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe012559cf30
--- syscall (499, FreeBSD ELF64, openat), rip = 0x1462c90d3fa, rsp = 0x14629bb7308, rbp = 0x14629bb73e0 ---
Comment 1 commit-hook freebsd_committer freebsd_triage 2024-03-02 05:03:34 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=7e4ac11b6076e6a9bf7341ddeae22784284ed733

commit 7e4ac11b6076e6a9bf7341ddeae22784284ed733
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2024-03-02 04:58:57 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2024-03-02 05:02:55 +0000

    getblkx(9): be more tolerant but also strict with the buffer size checks

    It is possible that on-disk filesystem format causes allocation of
    buffers of size larger than maxbcachebuf.  Currently, getblkx() and
    indirectly bufkva_alloc() panic in that situation.

    It is more useful to return an error instead, allowing the system to
    continue running.

    PR:     277414
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation

 sys/kern/vfs_bio.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2024-03-09 09:06:00 UTC
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=f7d51eb77e848a6f7823d98349ebabb6efce4e52

commit f7d51eb77e848a6f7823d98349ebabb6efce4e52
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2024-03-02 04:58:57 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2024-03-09 09:05:03 +0000

    getblkx(9): be more tolerant but also strict with the buffer size checks

    PR:     277414

    (cherry picked from commit 7e4ac11b6076e6a9bf7341ddeae22784284ed733)

 sys/kern/vfs_bio.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-03-09 09:07:02 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=1c1fde7540d813703d775e013a950145224f182e

commit 1c1fde7540d813703d775e013a950145224f182e
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2024-03-02 04:58:57 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2024-03-08 18:48:02 +0000

    getblkx(9): be more tolerant but also strict with the buffer size checks

    PR:     277414

    (cherry picked from commit 7e4ac11b6076e6a9bf7341ddeae22784284ed733)

 sys/kern/vfs_bio.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)