Message-Id: <200802221325.m1MDPqDH061731@www.freebsd.org>
Date: Fri, 22 Feb 2008 13:25:52 GMT
From: Andrew Muhametshin <andrew@dobrohot.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: the crash happens on mounting an UDF DVD
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         120967
>Category:       kern
>Synopsis:       [udf] [panic] crash happens on mounting an UDF DVD
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 22 13:30:03 UTC 2008
>Closed-Date:    Mon Mar 23 13:36:17 UTC 2009
>Last-Modified:  Mon Mar 23 13:36:17 UTC 2009
>Originator:     Andrew Muhametshin
>Release:        FreeBSD-7.0-RC2 & 6.3-RELEASE
>Organization:
>Environment:
FreeBSD inspirra.localdomain 6.3-RELEASE FreeBSD 6.3-RELEASE #3: Wed Feb  6 10:00:26 MSK 2008     root@inspirra.localdomain:/SHARED/obj.inspirra/usr/src/sys/INSPIRRA  i386

FreeBSD host01.localdomain 7.0-RC2 FreeBSD 7.0-RC2 #3: Mon Feb 18 09:30:32 MSK 2008     root@host01.localdomain:/usr/obj/usr/src/sys/HOST01  i386
>Description:
Given a disc with UDF. Trying to mount it and then changing to any
directory gives: reboot after "panic: getblk: size(67584) > MAXBSIZE(65536)"

This crash is constantly repeated in FreeBSD-6.3 and 7-RC2.

===============================
$ kgdb kernel.debug /var/crash/vmcore.2
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:
uiomove returned -1
panic: getblk: size(67584) > MAXBSIZE(65536)

Uptime: 19m52s
Physical memory: 878 MB
Dumping 126 MB: 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:195
195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:195
#1  0xc0556c84 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc0556e84 in panic (fmt=) at /usr/src/sys/kern/kern_shutdown.c:563
#3  0xc05ba3dd in getblk (vp=0xc491d880, blkno=4192, size=67584, slpflag=0, slptimeo=0, flags=0)
    at /usr/src/sys/kern/vfs_bio.c:2438
#4  0xc05bb2c4 in breadn (vp=0xc491d880, blkno=) at /usr/src/sys/kern/vfs_bio.c:786
#5  0xc05bb3fc in bread (vp=0xc491d880, blkno=) at /usr/src/sys/kern/vfs_bio.c:734
#6  0xc0501ab5 in udf_readatoffset (node=) at udf.h:100
#7  0xc0501b62 in udf_getfid (ds=0xc71914e0) at /usr/src/sys/fs/udf/udf_vnops.c:549
#8  0xc0502257 in udf_readdir (a=0xe5762c24) at /usr/src/sys/fs/udf/udf_vnops.c:710
#9  0xc0787382 in VOP_READDIR_APV (vop=0xc07dd4e0, a=0xe5762c24) at vnode_if.c:1407
#10 0xc05d8a3e in getdirentries (td=0xc497e630, uap=0xe5762cfc) at vnode_if.h:747
#11 0xc077ac95 in syscall (frame=0xe5762d38) at /usr/src/sys/i386/i386/trap.c:1035
#12 0xc0764ec0 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:196
#13 0x00000033 in ?? ()
(kgdb) bt full
#0  doadump () at pcpu.h:195
No locals.
#1  0xc0556c84 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
        _giantcnt = (kgdb) where
#0  doadump () at pcpu.h:195
#1  0xc0556c84 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc0556e84 in panic (fmt=) at /usr/src/sys/kern/kern_shutdown.c:563
#3  0xc05ba3dd in getblk (vp=0xc491d880, blkno=4192, size=67584, slpflag=0, slptimeo=0, flags=0)
    at /usr/src/sys/kern/vfs_bio.c:2438
#4  0xc05bb2c4 in breadn (vp=0xc491d880, blkno=) at /usr/src/sys/kern/vfs_bio.c:786
#5  0xc05bb3fc in bread (vp=0xc491d880, blkno=) at /usr/src/sys/kern/vfs_bio.c:734
#6  0xc0501ab5 in udf_readatoffset (node=) at udf.h:100
#7  0xc0501b62 in udf_getfid (ds=0xc71914e0) at /usr/src/sys/fs/udf/udf_vnops.c:549
#8  0xc0502257 in udf_readdir (a=0xe5762c24) at /usr/src/sys/fs/udf/udf_vnops.c:710
#9  0xc0787382 in VOP_READDIR_APV (vop=0xc07dd4e0, a=0xe5762c24) at vnode_if.c:1407
#10 0xc05d8a3e in getdirentries (td=0xc497e630, uap=0xe5762cfc) at vnode_if.h:747
#11 0xc077ac95 in syscall (frame=0xe5762d38) at /usr/src/sys/i386/i386/trap.c:1035
#12 0xc0764ec0 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:196
#13 0x00000033 in ?? ()
(kgdb) quit

>How-To-Repeat:
$ mount_udf /dev/acd0 /cdrom
$ ls /cdrom/data/photos/
!!!panic!!!
>Fix:


>Release-Note:
>Audit-Trail:

From: Volker <volker@vwsoft.com>
To: bug-followup@FreeBSD.org, andrew@dobrohot.org
Cc:  
Subject: Re: kern/120967: [udf] [panic] crash happens on mounting an UDF DVD
Date: Sat, 23 Feb 2008 14:49:36 +0100

 Andrew,
 
 I'm wondering if you can additionally show output of
 
 dumpfs /dev/acd0
 tunefs -p /dev/acd0
 
 Note: PR i386/120989 might be a related issue and AFAIR DVD problems
 have been discussed lately in either current@ or stable@.
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Sat Feb 23 14:35:17 UTC 2008 
State-Changed-Why:  
Note that submitter has been asked for feedback. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=120967 

From: Andriy Gapon <avg@icyb.net.ua>
To: bug-followup@FreeBSD.org, andrew@dobrohot.org, 
 Scott Long <scottl@samsco.org>
Cc:  
Subject: Re: kern/120967: [udf] [panic] crash happens on mounting an UDF DVD
Date: Sun, 24 Feb 2008 00:08:55 +0200

 This problem was introduced as a part of a fix for other issues.
 Relevant commits:
 http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/fs/udf/udf_vnops.c.diff?r1=1.58.2.3;r2=1.58.2.4;f=h
 http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/fs/udf/udf_vnops.c.diff?r1=1.65;r2=1.66;f=h
 http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/fs/udf/udf_vnops.c.diff?r1=1.37.2.2;r2=1.37.2.3;f=h
 
 The issue was reported and discussed on freebsd-fs:
 http://docs.FreeBSD.org/cgi/mid.cgi?47A2EDB0.8000801
 
 But I guess that this issue and other similar ones are bound to linger
 until this filesystem code gets a real maintainer.
 From what I see so far, there is no one to disclaim a prior
 maintainership and there is no one trying to reclaim it.
 
 -- 
 Andriy Gapon

From: Volker <volker@vwsoft.com>
To: bug-followup@FreeBSD.org, andrew@dobrohot.org
Cc:  
Subject: Re: kern/120967: [udf] [panic] crash happens on mounting an UDF DVD
Date: Sat, 23 Feb 2008 23:53:52 +0100

 sorry, please forget my previous post. I've looked at two different
 problems at the same time. Sorry! ;)

From: Andrew Muhametshin <andrew@dobrohot.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/120967: [udf] [panic] crash happens on mounting an UDF DVD
Date: Sun, 24 Feb 2008 03:08:15 +0300

 2008/2/23, Volker:
 > I'm wondering if you can additionally show output of
 >
 > dumpfs /dev/acd0
 > tunefs -p /dev/acd0
 
 $ dumpfs /dev/acd0
 dumpfs: /dev/acd0: could not read superblock to fill out disk
 
 $ tunefs -p /dev/acd0
 tunefs: /dev/acd0: could not read superblock to fill out disk
 
 
 I must note that this issue happens only with some specific UDF DVDs;
 others seem to work fine.  Burner software info string is empty.
 
 The next example may be useful:
 Filenames containing spaces and Cyrillic symbols and the Number sign 
 (U+2116)
 
 In FreeBSD:
 ----------------------
 $ mount_cd9660 -CKOI8-R /dev/acd0 /cdrom/
 $ cd /cdrom/data/photos/
 $ ls -la ./*56*
    ls: ./st. Kildinskaya,  building  56.xml: No such file or directory
    ls: ./st. Kildinskaya,  building  56_s.xml: No such file or directory
    -r-xr-xr-x  1 root  wheel  303872 18  19:40 ./. _2564.xml
    -r-xr-xr-x  1 root  wheel   44364 18  12:06 ./. _2564_s.xml
 
 $ umount /cdrom
 
 $ mount_udf -CKOI8-R /dev/acd0 /cdrom/
 $ cd /cdrom/data/photos/
 !!!CRASH!!!
 
 In Linux:
 ----------------------
 $ mount -t iso9660 -o iocharset=koi8-r /dev/hdc /mnt/cdrom/
 $ cd /mnt/cdrom/data/photos/
 $ ls -la ./*56*
    -r-xr-xr-x 1 root root  59239  18 12:05 st. Kildinskaya,  building ? 56.xml
    -r-xr-xr-x 1 root root 720820  14 16:48 st. Kildinskaya,  building ? 56_s.xml
    -r-xr-xr-x 1 root root  44364  18 12:06 . _2564_s.xml
    -r-xr-xr-x 1 root root 303872  18 19:40 . _2564.xml
 $ umount /cdrom
 $ mount -t udf -o iocharset=koi8-r /dev/hdc /mnt/cdrom/
 $ cd /mnt/cdrom/data/photos/
 $ ls -la ./*56*
    -r-xr-xr-x 1 root root  44364  18 12:06 . _2564_s.xml
    -r-xr-xr-x 1 root root 303872  18 19:40 . _2564.xml
 
 In Windows
 ----------------------
 D:\data\photos>dir *56*.xml
 <...>
    14.10.2007  15:48           720 820 st. Kildinskaya,  building N 56.xml
    18.10.2007  11:05            59 239 st. Kildinskaya,  building  N 56_s.xml
    18.10.2007  18:40           303 872 . _2564.xml
    18.10.2007  11:06            44 364 . _2564_s.xmll
 <...>
 !!! *N* = Number sign (U+2116) !!!
 
 
 

From: Scott Long <scottl@samsco.org>
To: Andriy Gapon <avg@icyb.net.ua>
Cc: bug-followup@FreeBSD.org, andrew@dobrohot.org
Subject: Re: kern/120967: [udf] [panic] crash happens on mounting an UDF DVD
Date: Sun, 24 Feb 2008 00:14:14 -0700

 Andriy Gapon wrote:
 > This problem was introduced as a part of a fix for other issues.
 > Relevant commits:
 > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/fs/udf/udf_vnops.c.diff?r1=1.58.2.3;r2=1.58.2.4;f=h
 > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/fs/udf/udf_vnops.c.diff?r1=1.65;r2=1.66;f=h
 > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/fs/udf/udf_vnops.c.diff?r1=1.37.2.2;r2=1.37.2.3;f=h
 > 
 > The issue was reported and discussed on freebsd-fs:
 > http://docs.FreeBSD.org/cgi/mid.cgi?47A2EDB0.8000801
 > 
 > But I guess that this issue and other similar ones are bound to linger
 > until this filesystem code gets a real maintainer.
 > From what I see so far, there is no one to disclaim a prior
 > maintainership and there is no one trying to reclaim it.
 > 
 
 I absolutely assure you that your input into UDF is welcomed and 
 encouraged.  I lost track of your last set of changes once the
 discussion turned to the VM, so if they still need to be committed,
 please let me know and I'll take care of it.
 
 Scott
 
State-Changed-From-To: feedback->open 
State-Changed-By: vwe 
State-Changed-When: Thu May 8 21:38:20 UTC 2008 
State-Changed-Why:  

reset to open 

http://www.freebsd.org/cgi/query-pr.cgi?pr=120967 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/120967: commit references a PR
Date: Thu, 26 Feb 2009 18:58:58 +0000 (UTC)

 Author: avg
 Date: Thu Feb 26 18:58:41 2009
 New Revision: 189082
 URL: http://svn.freebsd.org/changeset/base/189082
 
 Log:
   udf_readatoffset: read through directory vnode, do not read > MAXBSIZE
   
   Currently bread()-ing through device vnode with
   (1) VMIO enabled,
   (2) bo_bsize != DEV_BSIZE
   (3) more than 1 block
   results in data being incorrectly cached.
   So instead a more common approach of using a vnode belonging to fs is now
   employed.
   Also, prevent attempt to bread more than MAXBSIZE bytes because of
   adjustments made to account for offset that doesn't start on block
   boundary.
   Add expanded comments to explain the calculations.
   Also drop unused inline function while here.
   
   PR: kern/120967
   PR: kern/129084
   
   Reviewed by: scottl, kib
   Approved by: jhb (mentor)
 
 Modified:
   head/sys/fs/udf/udf.h
   head/sys/fs/udf/udf_vfsops.c
   head/sys/fs/udf/udf_vnops.c
 
 Modified: head/sys/fs/udf/udf.h
 ==============================================================================
 --- head/sys/fs/udf/udf.h	Thu Feb 26 18:55:55 2009	(r189081)
 +++ head/sys/fs/udf/udf.h	Thu Feb 26 18:58:41 2009	(r189082)
 @@ -95,27 +95,12 @@ struct ifid {
  MALLOC_DECLARE(M_UDFFENTRY);
  
  static __inline int
 -udf_readlblks(struct udf_mnt *udfmp, int sector, int size, struct buf **bp)
 +udf_readdevblks(struct udf_mnt *udfmp, int sector, int size, struct buf **bp)
  {
  	return (RDSECTOR(udfmp->im_devvp, sector,
  			 (size + udfmp->bmask) & ~udfmp->bmask, bp));
  }
  
 -static __inline int
 -udf_readalblks(struct udf_mnt *udfmp, int lsector, int size, struct buf **bp)
 -{
 -	daddr_t rablock, lblk;
 -	int rasize;
 -
 -	lblk = (lsector + udfmp->part_start) << (udfmp->bshift - DEV_BSHIFT);
 -	rablock = (lblk + 1) << udfmp->bshift;
 -	rasize = size;
 -
 -	return (breadn(udfmp->im_devvp, lblk,
 -		       (size + udfmp->bmask) & ~udfmp->bmask,
 -		       &rablock, &rasize, 1,  NOCRED, bp));
 -}
 -
  /*
   * Produce a suitable file number from an ICB.  The passed in ICB is expected
   * to be in little endian (meaning that it hasn't been swapped for big
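
Review bot: the renamed udf_readdevblks() carries no comment on what separates it from a read through the filesystem vnode, and the name alone does not tell a caller that "sector" is read through udfmp->im_devvp with "size" only rounded up to the block mask. A short comment above the function stating that, and that no upper bound is applied to "size" here, would make the contract explicit for the callers that remain.
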
 
 Modified: head/sys/fs/udf/udf_vfsops.c
 ==============================================================================
 --- head/sys/fs/udf/udf_vfsops.c	Thu Feb 26 18:55:55 2009	(r189081)
 +++ head/sys/fs/udf/udf_vfsops.c	Thu Feb 26 18:58:41 2009	(r189082)
 @@ -476,7 +476,7 @@ udf_mountfs(struct vnode *devvp, struct 
  	 */
  	sector = le32toh(udfmp->root_icb.loc.lb_num) + udfmp->part_start;
  	size = le32toh(udfmp->root_icb.len);
 -	if ((error = udf_readlblks(udfmp, sector, size, &bp)) != 0) {
 +	if ((error = udf_readdevblks(udfmp, sector, size, &bp)) != 0) {
  		printf("Cannot read sector %d\n", sector);
  		goto bail;
  	}
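
Review bot: in udf_mountfs() the "size" handed to udf_readdevblks() comes straight from le32toh(udfmp->root_icb.len), an on-disk field, and nothing in the visible lines bounds it before the read. The commit log says the change to udf_readatoffset() prevents reads larger than MAXBSIZE; consider checking the root ICB length against MAXBSIZE here as well and failing the mount through the existing "goto bail" path when it is out of range.
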
 @@ -794,7 +794,7 @@ udf_find_partmaps(struct udf_mnt *udfmp,
  		 * XXX If reading the first Sparing Table fails, should look
  		 * for another table.
  		 */
 -		if ((error = udf_readlblks(udfmp, le32toh(pms->st_loc[0]),
 +		if ((error = udf_readdevblks(udfmp, le32toh(pms->st_loc[0]),
  					   le32toh(pms->st_size), &bp)) != 0) {
  			if (bp != NULL)
  				brelse(bp);
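
Review bot: the call in udf_find_partmaps() passes le32toh(pms->st_size), an unsigned 32-bit value taken from the disc, to a parameter that udf.h declares as "int size", so a Sparing Table size with the top bit set arrives negative before the "(size + udfmp->bmask) & ~udfmp->bmask" rounding. A range check on st_size before the call would keep a malformed table from reaching the read, and the failure could share the error path the XXX comment already asks for.
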
 
 Modified: head/sys/fs/udf/udf_vnops.c
 ==============================================================================
 --- head/sys/fs/udf/udf_vnops.c	Thu Feb 26 18:55:55 2009	(r189081)
 +++ head/sys/fs/udf/udf_vnops.c	Thu Feb 26 18:58:41 2009	(r189082)
 @@ -1296,16 +1296,20 @@ static int
  udf_readatoffset(struct udf_node *node, int *size, off_t offset,
      struct buf **bp, uint8_t **data)
  {
 -	struct udf_mnt *udfmp;
 -	struct file_entry *fentry = NULL;
 +	struct udf_mnt *udfmp = node->udfmp;
 +	struct vnode *vp = node->i_vnode;
 +	struct file_entry *fentry;
  	struct buf *bp1;
  	uint32_t max_size;
  	daddr_t sector;
 +	off_t off;
 +	int adj_size;
  	int error;
  
 -	udfmp = node->udfmp;
 -
 -	*bp = NULL;
 +	/*
 +	 * This call is made *not* only to detect UDF_INVALID_BMAP case,
 +	 * max_size is used as an ad-hoc read-ahead hint for "normal" case.
 +	 */
  	error = udf_bmap_internal(node, offset, &sector, &max_size);
  	if (error == UDF_INVALID_BMAP) {
  		/*
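
Review bot: the "*bp = NULL;" initialisation at the top of udf_readatoffset() is removed here and reappears only just before bread() in the next hunk, so the UDF_INVALID_BMAP branch and any other return taken before that point now leave *bp as the caller passed it. If any caller releases *bp after this function returns without having set it to NULL itself, keep the assignment at the top; otherwise state in the function comment that *bp is written only on the bread() path.
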
 @@ -1323,9 +1327,18 @@ udf_readatoffset(struct udf_node *node, 
  	/* Adjust the size so that it is within range */
  	if (*size == 0 || *size > max_size)
  		*size = max_size;
 -	*size = min(*size, MAXBSIZE);
  
 -	if ((error = udf_readlblks(udfmp, sector, *size + (offset & udfmp->bmask), bp))) {
 +	/*
 +	 * Because we will read starting at block boundary, we need to adjust
 +	 * how much we need to read so that all promised data is in.
 +	 * Also, we can't promise to read more than MAXBSIZE bytes starting
 +	 * from block boundary, so adjust what we promise too.
 +	 */
 +	off = blkoff(udfmp, offset);
 +	*size = min(*size, MAXBSIZE - off);
 +	adj_size = (*size + off + udfmp->bmask) & ~udfmp->bmask;
 +	*bp = NULL;
 +	if ((error = bread(vp, lblkno(udfmp, offset), adj_size, NOCRED, bp))) {
  		printf("warning: udf_readlblks returned error %d\n", error);
  		/* note: *bp may be non-NULL */
  		return (error);
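
Review bot: the warning in the error path still prints "udf_readlblks returned error %d", although the read is now a direct bread() on vp and this commit renames udf_readlblks away in udf.h; the message should name bread (or udf_readatoffset) so the log points at the code that failed. Separately, "off" is an off_t while *size and adj_size are int, so "min(*size, MAXBSIZE - off)" relies on implicit conversion; declaring "off" as int, or casting once at the blkoff() call, would make the intended width explicit.
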
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
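
The size arithmetic described in the commit log for r189082, as an added example that is not part of the commit or of the FreeBSD source: it models the read size computed before and after the change and shows that the old path yields the 67584 from the panic message. The 2048-byte logical block size, the 1 MiB request and the names old_read_size, new_read_size, count_oversized and EX_MAXBSIZE are assumptions made for the illustration.

```c
/* Added example, not FreeBSD source: read-size arithmetic before/after r189082. */
#include <stdint.h>
#include <stdio.h>

#define EX_MAXBSIZE 65536          /* MAXBSIZE as printed in the panic message */
#define UDF_BSIZE   2048           /* assumption: 2048-byte logical blocks */
#define UDF_BMASK   (UDF_BSIZE - 1) /* stands in for udfmp->bmask */

static int imin(int a, int b) { return a < b ? a : b; }

/* Before: clamp the request to MAXBSIZE, add the offset within the block,
 * then round up to whole blocks as the removed udf_readlblks() call did. */
static int old_read_size(int size, int64_t offset)
{
    size = imin(size, EX_MAXBSIZE);
    return (size + (int)(offset & UDF_BMASK) + UDF_BMASK) & ~UDF_BMASK;
}

/* After: shrink what is promised to the caller (*size) so that the read,
 * counted from the block boundary, cannot exceed MAXBSIZE. */
static int new_read_size(int *size, int64_t offset)
{
    int off = (int)(offset & UDF_BMASK);   /* assumed equivalent of blkoff() */
    *size = imin(*size, EX_MAXBSIZE - off);
    return (*size + off + UDF_BMASK) & ~UDF_BMASK;
}

/* Count the in-block offsets for which the computed read is larger than
 * MAXBSIZE, i.e. would trip the getblk() size check from the report. */
static int count_oversized(int request, int use_new)
{
    int bad = 0;
    for (int64_t offset = 0; offset < UDF_BSIZE; offset++) {
        int size = request;
        int rd = use_new ? new_read_size(&size, offset)
                         : old_read_size(size, offset);
        if (rd > EX_MAXBSIZE)
            bad++;
    }
    return bad;
}

int main(void)
{
    int size = 1 << 20;            /* constructed: extent larger than MAXBSIZE */
    int rd_new = new_read_size(&size, 100);
    printf("old read: %d\n", old_read_size(1 << 20, 100));
    printf("new read: %d, promised to caller: %d\n", rd_new, size);
    printf("oversized offsets: old=%d new=%d\n",
           count_oversized(1 << 20, 0), count_oversized(1 << 20, 1));
    return 0;
}
```

With these assumptions every unaligned offset in a block overshoots on the old path, which matches the report that only some discs, those with a large enough directory extent, trigger the panic.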
 
State-Changed-From-To: open->closed 
State-Changed-By: gavin 
State-Changed-When: Mon Mar 23 13:35:29 UTC 2009 
State-Changed-Why:  
This has been fixed in HEAD and merged to 7.x (confirmed by avg on IRC) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=120967 
>Unformatted:
