In this line in msdosfs_fat.c's fatblock():

    size = roundup(min(fatblocksec, pmp->pm_FATsecs - bn) * DEV_BSIZE,
        pmp->pm_BlkPerSec * DEV_BSIZE);

It should probably be ulmin().

I've attached a corrupt FAT32 image that trips over this. FATsecs is 0x100000000, which passes the != 0 test in mountmsdosfs(), but looks like zero when cast to 32 bits to pass to min(). The result is a zero bsize passed to bread() by fillinusemap(), causing bread() to return no error but a bp->b_data that points to unmapped memory.

    # uname -a
    FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #17 main-n265546-d06328c37bbc: Tue Sep 26 20:08:23 AST 2023     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
    # gunzip fat6a.img.gz
    # mdconfig -f fat6a.img
    # mount_msdosfs /dev/md0 /mnt
    panic: vm_fault_lookup: fault on nofault entry, addr: 0xfffffe0020d3c000
    cpuid = 4
    time = 1708682767
    KDB: stack backtrace:
    db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01017f0470
    vpanic() at vpanic+0x132/frame 0xfffffe01017f05a0
    panic() at panic+0x43/frame 0xfffffe01017f0600
    vm_fault() at vm_fault+0x18c9/frame 0xfffffe01017f0730
    vm_fault_trap() at vm_fault_trap+0x6f/frame 0xfffffe01017f0770
    trap_pfault() at trap_pfault+0x24a/frame 0xfffffe01017f07e0
    calltrap() at calltrap+0x8/frame 0xfffffe01017f07e0
    --- trap 0xc, rip = 0xffffffff809dd295, rsp = 0xfffffe01017f08b0, rbp = 0xfffffe01017f08e0 ---
    fillinusemap() at fillinusemap+0x235/frame 0xfffffe01017f08e0
    mountmsdosfs() at mountmsdosfs+0x864/frame 0xfffffe01017f0980
    msdosfs_mount() at msdosfs_mount+0x45d/frame 0xfffffe01017f0ac0
    vfs_domount_first() at vfs_domount_first+0x258/frame 0xfffffe01017f0c00
    vfs_domount() at vfs_domount+0x315/frame 0xfffffe01017f0d20
    vfs_donmount() at vfs_donmount+0x912/frame 0xfffffe01017f0dc0
    sys_nmount() at sys_nmount+0x6c/frame 0xfffffe01017f0e00
    amd64_syscall() at amd64_syscall+0x14f/frame 0xfffffe01017f0f30
    fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01017f0f30
    --- syscall (378, FreeBSD ELF64, nmount), rip = 0x16e644522a2a, rsp = 0x16e6425ccb58, rbp = 0x16e6425cd1d0 ---
Created attachment 248690: FAT32 image that causes a page fault in fillinusemap()
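The truncation described in the report, as an added example that is not part of the bug report or of the FreeBSD source: it mirrors fatblock()'s size computation with stand-ins for libkern's min() (u_int arguments) and ulmin() (u_long arguments), and shows that for pm_FATsecs = 0x100000000 the min() form produces a zero size for bread() while the ulmin() form does not. The values for fatblocksec, bn and pm_BlkPerSec, and the names kern_min, kern_ulmin and fat_block_size, are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for FreeBSD libkern's min() and ulmin(): min() takes and
 * returns u_int (32-bit), ulmin() u_long (64-bit on amd64). Renamed
 * here so they cannot collide with host headers. */
static inline uint32_t kern_min(uint32_t a, uint32_t b)   { return a < b ? a : b; }
static inline uint64_t kern_ulmin(uint64_t a, uint64_t b) { return a < b ? a : b; }

#define DEV_BSIZE 512ULL
#define roundup(x, y) ((((x) + ((y) - 1)) / (y)) * (y))   /* as in sys/param.h */

/*
 * Mirror of the size computation in fatblock(). bn is the sector offset
 * into the FAT of the block being read; use_ulmin selects the fixed
 * variant. Returns the byte count that would be handed to bread().
 */
static uint64_t
fat_block_size(uint64_t fatblocksec, uint64_t fatsecs, uint64_t bn,
    uint64_t blkpersec, int use_ulmin)
{
	uint64_t nsec;

	if (use_ulmin)
		nsec = kern_ulmin(fatblocksec, fatsecs - bn);
	else
		/* fatsecs - bn is silently narrowed to 32 bits at this call */
		nsec = kern_min(fatblocksec, fatsecs - bn);
	return (roundup(nsec * DEV_BSIZE, blkpersec * DEV_BSIZE));
}

int
main(void)
{
	/* Constructed values: 8-sector FAT blocks, one block per sector,
	 * first FAT block (bn = 0), and the pm_FATsecs from the report. */
	const uint64_t fatblocksec = 8, blkpersec = 1, bn = 0;
	const uint64_t fatsecs = 0x100000000ULL;

	printf("min():   size = %llu\n", (unsigned long long)
	    fat_block_size(fatblocksec, fatsecs, bn, blkpersec, 0));
	printf("ulmin(): size = %llu\n", (unsigned long long)
	    fat_block_size(fatblocksec, fatsecs, bn, blkpersec, 1));
	return (0);
}
```

A mount-time check that rejects any zero size before it reaches bread() would catch this class of corrupt image regardless of which min variant is used.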
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=0085afdceb17cb7d4e41f9073299f688372c6a0f

commit 0085afdceb17cb7d4e41f9073299f688372c6a0f
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2024-02-23 17:30:10 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2024-02-23 17:37:52 +0000

    fs/msdosfs fatblock: use ulmin() rather than min() to avoid truncation of pmp->pm_FATsecs.

    Submitted by:   Robert Morris <rtm@lcs.mit.edu>
    PR:             277237
    MFC after:      1 week

 sys/fs/msdosfs/msdosfs_fat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b2c9d403d5a6d4a8eaaeff0005e48c6d107dba31

commit b2c9d403d5a6d4a8eaaeff0005e48c6d107dba31
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2024-02-23 17:30:10 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2024-03-01 04:12:02 +0000

    fs/msdosfs fatblock: use ulmin() rather than min()

    PR:     277237

    (cherry picked from commit 0085afdceb17cb7d4e41f9073299f688372c6a0f)

 sys/fs/msdosfs/msdosfs_fat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=846bf43ca4a2b42f2751df935de6d3257c6169ae

commit 846bf43ca4a2b42f2751df935de6d3257c6169ae
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2024-02-23 17:30:10 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2024-03-01 04:12:45 +0000

    fs/msdosfs fatblock: use ulmin() rather than min()

    PR:     277237

    (cherry picked from commit 0085afdceb17cb7d4e41f9073299f688372c6a0f)

 sys/fs/msdosfs/msdosfs_fat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)