From Arne.Juul@fast.no  Thu Oct  3 11:10:43 2002
Return-Path: <Arne.Juul@fast.no>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3284537B401
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  3 Oct 2002 11:10:43 -0700 (PDT)
Received: from midten.fast.no (midten.fast.no [217.144.236.11])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 18D0A43E65
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  3 Oct 2002 11:10:38 -0700 (PDT)
	(envelope-from Arne.Juul@fast.no)
Received: from innenfor.trondheim.fast.no (innenfor.trondheim.fast.no [192.168.8.11])
	by midten.fast.no (8.12.5/8.12.5) with ESMTP id g93IAS0B033519;
	Thu, 3 Oct 2002 20:10:29 +0200 (CEST)
	(envelope-from Arne.Juul@fast.no)
Received: from guinness.trondheim.fast.no (guinness.trondheim.fast.no [192.168.8.119])
	by innenfor.trondheim.fast.no (8.9.3/8.9.3) with ESMTP id UAA16327;
	Thu, 3 Oct 2002 20:10:23 +0200 (CEST)
	(envelope-from arnej@trondheim.fast.no)
Received: (from arnej@localhost)
	by guinness.trondheim.fast.no (8.11.6/8.9.3) id g93IANd22666;
	Thu, 3 Oct 2002 20:10:23 +0200 (CEST)
	(envelope-from arnej@trondheim.fast.no)
Message-Id: <200210031810.g93IANd22666@guinness.trondheim.fast.no>
Date: Thu, 3 Oct 2002 20:10:23 +0200 (CEST)
From: Arne H Juul <Arne.Juul@fast.no>
Reply-To: Arne H Juul <Arne.Juul@fast.no>
To: FreeBSD-gnats-submit@freebsd.org
Cc: arnej@pvv.org
Subject: filesystem damage not detected by fsck
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         43635
>Category:       bin
>Synopsis:       filesystem damage not detected by fsck
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-fs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 03 11:20:01 PDT 2002
>Closed-Date:    Sun Jul 13 04:57:33 PDT 2003
>Last-Modified:  Sun Jul 13 04:57:33 PDT 2003
>Originator:     Arne H Juul
>Release:        FreeBSD 4.5-RELEASE i386
>Organization:
ProgramVareVerkstedet
>Environment:
System: FreeBSD guinness.trondheim.fast.no 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Thu Apr 18 03:10:10 CEST 2002 arnej@guinness.trondheim.fast.no:/usr/src/sys/compile/GUINNESS_PXE i386

	The problem was originally seen on a 4.4-RELEASE kernel,
	but the fsck fix seems to apply across the board.

>Description:
	we had a problem where a machine would panic with
	page fault in kernel mode during normal usage of a
	filesystem.  fsck detected no problem but a closer
	look at a kernel crashdump showed that a cg->cg_irotor
	was hugely negative; this led to crashes in skpc like this:

#5  0xc02872bf in trap (frame={tf_fs = 24, tf_es = -1072037872, tf_ds = 16, 
      tf_edi = -724213760, tf_esi = -1002668032, tf_ebp = -413647876, 
      tf_isp = -413647896, tf_ebx = 115468226, tf_edx = -724210968, 
      tf_ecx = 255, tf_eax = -839679194, tf_trapno = 12, tf_err = 0, 
      tf_eip = -1071319959, tf_cs = 8, tf_eflags = 66195, tf_esp = -413647832, 
      tf_ss = -1071520840}) at /usr/src/sys/i386/i386/trap.c:467
#6  0xc024f469 in skpc (mask0=255, size=115468226, 
    cp0=0xcdf38326 <Address 0xcdf38326 out of bounds>)
    at /usr/src/sys/libkern/skpc.c:50
#7  0xc021e3b8 in ffs_nodealloccg (ip=0xc43d5600, cg=88, ipref=157696, 
    mode=33188) at /usr/src/sys/ufs/ffs/ffs_alloc.c:1252
#8  0xc021d587 in ffs_hashalloc (ip=0xc43d5600, cg=88, pref=157696, 
    size=33188, allocator=0xc021e278 <ffs_nodealloccg>)
    at /usr/src/sys/ufs/ffs/ffs_alloc.c:768
#9  0xc021d27a in ffs_valloc (pvp=0xe75c7b00, mode=33188, cred=0xc1ddf900, 
    vpp=0xe7583ca0) at /usr/src/sys/ufs/ffs/ffs_alloc.c:596
#10 0xc02301f7 in ufs_makeinode (mode=33188, dvp=0xe75c7b00, vpp=0xe7583edc, 
    cnp=0xe7583ef0) at /usr/src/sys/ufs/ufs/ufs_vnops.c:2097
#11 0xc022dbac in ufs_create (ap=0xe7583dfc)
    at /usr/src/sys/ufs/ufs/ufs_vnops.c:194
#12 0xc02304b9 in ufs_vnoperate (ap=0xe7583dfc)
    at /usr/src/sys/ufs/ufs/ufs_vnops.c:2382
#13 0xc01b830c in vn_open (ndp=0xe7583ec8, fmode=1538, cmode=420)
    at vnode_if.h:106
#14 0xc01b44f8 in open (p=0xe33c5f60, uap=0xe7583f80)
    at /usr/src/sys/kern/vfs_syscalls.c:1010

because ffs_nodealloccg depends on start = cgp->cg_irotor / NBBY;
to be a valid index into the "inosused" array.

fsck has a check of cg->cg_irotor but only for "too large"
values, not for negative values.  I've also added a printf
to actually report the change made by fsck since this should
only happen when the filesystem has been damaged. 

>How-To-Repeat:
	overwrite cylinder group data with random junk. "fix"
	with fsck -y. try to use filesystem normally.  observe
	the panic - if you're lucky.  If you're not lucky
	the kernel will probably read some random memory and
	write data to random places on the disk, or something...
>Fix:
	The following two patches are for current and for RELENG_4;
	they are very similar, and follow the current code-style
	in fsck.  Please apply.

Index: pass5.c
===================================================================
RCS file: /usr/cvs/src/sbin/fsck_ffs/pass5.c,v
retrieving revision 1.32
diff -u -r1.32 pass5.c
--- pass5.c	25 Sep 2002 04:06:36 -0000	1.32
+++ pass5.c	3 Oct 2002 17:52:57 -0000
@@ -192,10 +192,13 @@
 			newcg->cg_frotor = cg->cg_frotor;
 		else
 			newcg->cg_frotor = 0;
-		if (cg->cg_irotor < fs->fs_ipg)
+		if (cg->cg_irotor < fs->fs_ipg  && cg->cg_irotor >= 0)
 			newcg->cg_irotor = cg->cg_irotor;
-		else
+		else {
+			printf("%s: phase 5: bad cg irotor %d of %d\n",
+				cdevname, cg->cg_irotor, newcg->cg_niblk);
 			newcg->cg_irotor = 0;
+		}
 		if (fs->fs_magic == FS_UFS1_MAGIC) {
 			newcg->cg_initediblk = 0;
 		} else {

Index: pass5.c
===================================================================
RCS file: /usr/cvs/src/sbin/fsck/Attic/pass5.c,v
retrieving revision 1.17.2.1
diff -u -IId: -u -r1.17.2.1 pass5.c
--- pass5.c	23 Jan 2001 23:11:07 -0000	1.17.2.1
+++ pass5.c	3 Oct 2002 17:48:02 -0000
@@ -203,10 +203,13 @@
 			newcg->cg_frotor = cg->cg_frotor;
 		else
 			newcg->cg_frotor = 0;
-		if (cg->cg_irotor < newcg->cg_niblk)
+		if (cg->cg_irotor < newcg->cg_niblk && cg->cg_irotor >= 0)
 			newcg->cg_irotor = cg->cg_irotor;
-		else
+		else {
+			printf("%s: phase 5: bad cg irotor %d of %d\n",
+			    cdevname, cg->cg_irotor, newcg->cg_niblk);
 			newcg->cg_irotor = 0;
+		}
 		memset(&newcg->cg_frsum[0], 0, sizeof newcg->cg_frsum);
 		memset(&cg_blktot(newcg)[0], 0,
 		      (size_t)(sumsize + mapsize));
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-fs 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sat Jul 12 18:07:55 PDT 2003 
Responsible-Changed-Why:  
Assign to fs mailing list for evaluation of the included patch 

http://www.freebsd.org/cgi/query-pr.cgi?pr=43635 
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Sun Jul 13 04:56:53 PDT 2003 
State-Changed-Why:  
Duplicate of bin/40697. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=43635 
>Unformatted:
