From rob@lillack.de  Thu May  9 09:21:34 2002
Return-Path: <rob@lillack.de>
Received: from post.webmailer.de (natpost.webmailer.de [192.67.198.65])
	by hub.freebsd.org (Postfix) with ESMTP id 4141337B40A
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  9 May 2002 09:21:33 -0700 (PDT)
Received: from sickbox.partywg.home (dsl-213-023-066-240.arcor-ip.net [213.23.66.240])
	by post.webmailer.de (8.9.3/8.8.7) with SMTP id SAA20808
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 9 May 2002 18:21:31 +0200 (MET DST)
Message-Id: <20020509182545.2a12c5c4.rob@lillack.de>
Date: Thu, 9 May 2002 18:25:45 +0200
From: Robert Lillack <rob@lillack.de>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kernel panic when writing to a FAT32 partition

>Number:         37889
>Category:       kern
>Synopsis:       kernel panic when writing to a FAT32 partition
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 09 09:30:01 PDT 2002
>Closed-Date:    Thu Aug 26 21:52:56 GMT 2004
>Last-Modified:  Thu Aug 26 21:52:56 GMT 2004
>Originator:     Robert Lillack <rob@lillack.de>
>Release:        FreeBSD 4.6-PRERELEASE i386
>Organization:
none
>Environment:
System: FreeBSD sickbox.partywg.home 4.6-PRERELEASE FreeBSD 4.6-PRERELEASE
#4: Thu May 9 15:55:13 CEST 2002 root@sickbox

the problematic FAT32 partition /dev/ad0s6:

    start 4176900, size 20643525 (10079 Meg), flag 0
        beg: cyl 584/ head 0/ sector 1;
        end: cyl 1023/ head 254/ sector 63

it is mounted writable on /mnt/dose

>Description:
When trying to write (mkdir/rm/...) to that partition, the system crashes.
Reading works. Other operating systems work. fsck_msdosfs finds no errors.
Other (smaller) FAT32 partitions on the same hard disk work.

The gdb output after the system crashed when I tried to create a directory
"test" in the root directory of that partition looks like this:

 [root@sickbox:/usr/src/sys/compile/SICKBOX] gdb -k kernel.debug
 /var/crash/vmcore.0 GNU gdb 4.18
 Copyright 1998 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you
 are welcome to change it and/or distribute copies of it under certain
 conditions. Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for
 details. This GDB was configured as "i386-unknown-freebsd"...
 IdlePTD at phsyical address 0x0041b000
 initial pcb at physical address 0x00306f40
 panicstr: page fault
 panic messages:
 ---
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0xe1bd8ffc
 fault code              = supervisor read, page not present
 instruction pointer     = 0x8:0xc01a58e7
 stack pointer           = 0x10:0xd5986cdc
 frame pointer           = 0x10:0xd5986cec
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 298 (mkdir)
 interrupt mask          = none
 trap number             = 12
 panic: page fault

 syncing disks... 15 9 6 4 3 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 
 giving up on 1 buffers
 Uptime: 5m2s

 dumping to dev #ad/0x20009, offset 7840
 dump ata0: resetting devices .. ad0: DMA limited to UDMA33, non-ATA66
 cable or device done

[CUT OUT: counting down]

 ---
 #0  dumpsys () at ../../kern/kern_shutdown.c:487
 487             if (dumping++) {
 (kgdb) where
 #0  dumpsys () at ../../kern/kern_shutdown.c:487
 #1  0xc016a6f3 in boot (howto=256) at ../../kern/kern_shutdown.c:316
 #2  0xc016ab18 in poweroff_wait (junk=0xc02c2d8c, howto=-1070847825)
     at ../../kern/kern_shutdown.c:595
 #3  0xc027d02a in trap_fatal (frame=0xd5986c9c, eva=3787296764)
     at ../../i386/i386/trap.c:966
 #4  0xc027ccfd in trap_pfault (frame=0xd5986c9c, usermode=0,
 eva=3787296764)    at ../../i386/i386/trap.c:859
 #5  0xc027c8e7 in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, 
      tf_edi = 7792, tf_esi = -1044541440, tf_ebp = -711430932, 
      tf_isp = -711430968, tf_ebx = -1044545536, tf_edx = 134217727, 
      tf_ecx = 31, tf_eax = -2147483648, tf_trapno = 12, tf_err = 0, 
      tf_eip = -1072015129, tf_cs = 8, tf_eflags = 68246, tf_esp =
 268435455,       tf_ss = 268435455}) at ../../i386/i386/trap.c:458
 #6  0xc01a58e7 in updatefats (pmp=0xc1bd8000, bp=0xcc18123c, fatbn=7792)
     at ../../msdosfs/msdosfs_fat.c:353
 #7  0xc01a5f46 in fatchain (pmp=0xc1bd8000, start=994187, count=0, 
     fillwith=4294967295) at ../../msdosfs/msdosfs_fat.c:674
 #8  0xc01a6065 in chainalloc (pmp=0xc1bd8000, start=994186, count=1, 
     fillwith=4294967295, retcluster=0xd5986dc4, got=0x0)
     at ../../msdosfs/msdosfs_fat.c:748
 #9  0xc01a6262 in clusteralloc (pmp=0xc1bd8000, start=0, count=1, 
     fillwith=4294967295, retcluster=0xd5986dc4, got=0x0)
     at ../../msdosfs/msdosfs_fat.c:842
 #10 0xc01aa581 in msdosfs_mkdir (ap=0xd5986e6c)
     at ../../msdosfs/msdosfs_vnops.c:1368
 #11 0xc019d632 in mkdir (p=0xd5953ac0, uap=0xd5986f80) at vnode_if.h:674
 #12 0xc027d2d9 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, 
      tf_edi = 511, tf_esi = 1, tf_ebp = -1077937264, tf_isp = -711430188,
      tf_ebx = -1077937176, tf_edx = 0, tf_ecx = 0, tf_eax = 136, 
      tf_trapno = 12, tf_err = 2, tf_eip = 134516968, tf_cs = 31, 
      tf_eflags = 663, tf_esp = -1077937324, tf_ss = 47})
     at ../../i386/i386/trap.c:1167
 #13 0xc0271185 in Xint0x80_syscall ()
 #14 0x8048135 in ?? ()
 (kgdb) up 6
 #6  0xc01a58e7 in updatefats (pmp=0xc1bd8000, bp=0xcc18123c, fatbn=7792)
     at ../../msdosfs/msdosfs_fat.c:353
 353                     if (pmp->pm_freeclustercount

For more information, please mail me.

>How-To-Repeat:
On that particular machine, every attempt to write to the filesystem
crashes the system again.

cd /mnt/dose
mkdir test

*** BANG ****

After rebooting the directory "test" is not there.

>Fix:
>Release-Note:
>Audit-Trail:

From: Robert Lillack <rob@lillack.de>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Cc:  
Subject: Re: kern/37889: kernel panic when writing to a FAT32 partition
Date: Tue, 28 May 2002 00:20:34 +0200

 After updating my system today it seems to work. I did not change any
 configuration and did not touch that specific partition.
 
 Just wondered why nobody contacted me though it works now.
 
 After all, thanks for the great system.
 
 Rob.
 -- 
 
 ___________________________
 r o b e r t | l i l l a c k
 www.lillaxsitedesign.de/rob
 secure mail key: 0xE7FFDF77
 jabberID: nogger@jabber.org

From: "Andrew Dean" <ferni@shafted.com.au>
To: <freebsd-gnats-submit@FreeBSD.org>
Cc:  
Subject: Re: kern/37889: kernel panic when writing to a FAT32 partition
Date: Mon, 17 Jun 2002 22:36:29 +1000

 I am having the exact same problem with a FreeBSD system running
 
 FreeBSD yoda 4.6-STABLE FreeBSD 4.6-STABLE #0: Mon Jun 17 14:48:58 EST 2002
 
 I just updated from 4.5-STABLE which I was having the same problem on
 hoping that the update would fix it.... any ideas?
 
 Andrew
 
 

From: "Simon L. Nielsen" <simon@nitro.dk>
To: freebsd-gnats-submit@FreeBSD.org, rob@lillack.de
Cc:  
Subject: Re: kern/37889: kernel panic when writing to a FAT32 partition
Date: Tue, 13 Aug 2002 22:24:00 +0200

 Hello
 
 I have the same problem where it crashes at msdosfs_fat.c:353.
 
 Sometimes the problem goes away after I have used the partition from
 Windows 2000. Then I can write to the partition from FreeBSD without
 problems and then later after I have used the partition from Windows 2000
 again the problems come back and I get FreeBSD kernel panics.
 
 It would be really nice if somebody could look at the problem.
 
 -- 
 Simon L. Nielsen

From: "Simon L. Nielsen" <simon@nitro.dk>
To: hiten@uk.FreeBSD.org
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/37889: kernel panic when writing to a FAT32 partition
Date: Wed, 14 Aug 2002 01:18:37 +0200

 On 2002.08.13 15:14:19 +0000, Hiten Pandya wrote:
 
 > >  I have the same problem where it crashes at msdosfs_fat.c:353.
 > OK.  Could you please provide us with your line 353 and the 5 lines before
 > and after it.  This could help me in finding the code.  Also, could you
 > please tell me what your FreeBSD OS version is, better yet, provide us
 > with your ``uname -a'' output.
 Sure :
 FreeBSD arthur.nitro.dk 4.6.1-RELEASE-p10 FreeBSD 4.6.1-RELEASE-p10 #3: Wed Aug 14 00:22:41 CEST 2002     root@arthur.nitro.dk:/usr/src/sys/compile/ARTHUR  i386
 
 From msdosfs_fat.c is :
 1 /* $FreeBSD: src/sys/msdosfs/msdosfs_fat.c,v 1.23 2000/01/27 14:43:06 nyan Exp $ */
 
 348	 * If we have an FSInfo block, update it.
 349	 */
 350	if (pmp->pm_fsinfo) {
 351		u_long cn = pmp->pm_nxtfree;
 352
 353		if (pmp->pm_freeclustercount
 354		    && (pmp->pm_inusemap[cn / N_INUSEBITS]
 355			& (1 << (cn % N_INUSEBITS)))) {
 356			/*
 357			 * The cluster indicated in FSInfo isn't free
 
 I tried adding a printf at line 352 to print cn (pmp->pm_nxtfree).. It
 was a very big number (4294967295 in one test - btw. this number is from
 a later crashdump) which might be too large for the pm_inusemap array...
 I have not had time to look more at the msdosfs code to understand
 exactly what that array is...
 
 > >  Sometimes the problem goes away after I have used the partition from
 > >  Windows 2000. Then I can write to the partition from FreeBSD without
 > >  problems and then later after I have used the partition from Windows 2000
 > >  again the problems come back and I get FreeBSD kernel panics.
 > Strangely, this problem has not been noticed in the development (-current)
 > version of FreeBSD, so it could be that this problem was solved over time,
 > and someone actually forgot to merge the delta (correction) into the
 > -stable version of FreeBSD.
 I think the problem could have something to do with large partitions...
 For a long time I have been using a 20GB FAT32 partition without any
 problems, but my new msdos partition (on a different disc) is 30GB.
 
 I have been looking a bit through the NetBSD msdos fs code and found a
 change to the NetBSD code that has not been merged in to FreeBSD that
 might have something to do with this problem :
 
 http://mail-index.netbsd.org/source-changes/2000/03/27/0008.html
 
 -- START
 From: Jaromir Dolecek <jdolecek@netbsd.org>
 
 Add new CLUST_END and use it as parameter to pcbmap() when searching
 for end cluster, instead of explicitly passing 0xffff. This fixes potential
 problem for FAT32, where cluster number may be legally bigger than 0xffff.
 
 Also change clusteralloc() so that fillwith is not explicitly passed by caller
 anymore (there is no need to use anything other than CLUST_EOFE).
 -- END
 
 I have tried applying the patches from that commit to FreeBSD but it
 doesn't seem to fix the problem (I will try a bit more tomorrow).
 
 My FAT32 partition is on an extended partition... could perhaps make a
 difference.
 
 There is a bit more info about my system and the bug which might be
 useful in the following mail to freebsd-stable :
 
 http://docs.freebsd.org/cgi/getmsg.cgi?fetch=16978+0+archive/2002/freebsd-stable/20020804.freebsd-stable
 
 Btw. I have run fsck_msdos and that says the partition is ok now, but the
 first time I ran it there were a few errors (can't remember exactly which).
 The first run was after a panic so that might have been the reason for the
 errors. I don't know if this is important...
 
 -- 
 Simon L. Nielsen
 

From: Hiten Pandya <hitmaster2k@yahoo.com>
To: "Simon L. Nielsen" <simon@nitro.dk>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/37889: kernel panic when writing to a FAT32 partition
Date: Wed, 14 Aug 2002 00:40:03 -0700 (PDT)

 --- "Simon L. Nielsen" <simon@nitro.dk> wrote:
 [ .. mail snipped .. ]
 > I have been looking a bit through the NetBSD msdos fs code and found a
 > change to the NetBSD code that has not been merged in to FreeBSD that
 > might have something to do with this problem :
 > 
 > http://mail-index.netbsd.org/source-changes/2000/03/27/0008.html
 
 Hello Simon.
 
 Could you please try the patch, which is available at:
 http://www.unixdaemons.com/~hiten/work/msdosfs_vfsops.patch
 
 It applies cleanly to (RELENG_4_6) src/sys/msdosfs/msdosfs_vfsops.c.
 Let me know if your problem occurs after applying this patch, and running
 the new kernel.
 
   -- Hiten
 

From: "Simon L. Nielsen" <simon@nitro.dk>
To: hiten@uk.FreeBSD.org
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/37889: kernel panic when writing to a FAT32 partition
Date: Wed, 21 Aug 2002 00:39:35 +0200

 On 2002.08.14 00:40:03 +0000, Hiten Pandya wrote:
 
 > Could you please try the patch, which is available at:
 > http://www.unixdaemons.com/~hiten/work/msdosfs_vfsops.patch
 I don't have the problem right now (with the patched kernel) but I don't
 see "Next free cluster in FSInfo..." on the console (that should happen
 if I read the patch correctly) so I don't think I have the problem on the
 filesystem right now. I have used the partition from Windows 2000 in the
 meantime so that could have "fixed" the problem temporarily.
 
 I will try to run an unpatched kernel and "hope" that the kernel panics
 return and then test your patch.
 
 -- 
 Simon L. Nielsen

From: "Simon L. Nielsen" <simon@nitro.dk>
To: hiten@uk.FreeBSD.org
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/37889: kernel panic when writing to a FAT32 partition
Date: Sat, 31 Aug 2002 15:21:22 +0200

 On 2002.08.14 00:40:03 +0000, Hiten Pandya wrote:
 
 > Could you please try the patch, which is available at:
 > http://www.unixdaemons.com/~hiten/work/msdosfs_vfsops.patch
 The crashes are back now so I applied the patch. When I try
 to mount the filesystem I get :
 
 Next free cluster in FSInfo (4294967295) exceeds maxcluster (1964992)
 
 So the patch appears to catch the problem.
 
 -- 
 Simon L. Nielsen
 
State-Changed-From-To: open->feedback 
State-Changed-By: arved 
State-Changed-When: Thu Aug 26 15:50:56 GMT 2004 
State-Changed-Why:  
I think the patch mentioned in this PR was committed as  
1.92 of msdosfs_vfsops.c. 
Can this PR be closed? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37889 
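
Added example, not part of this PR and not the patch committed to FreeBSD: user-space C that reads the FAT32 FSInfo hints and range-checks the next-free cluster against maxcluster before it can index the in-use bitmap, which is the condition the "Next free cluster in FSInfo ... exceeds maxcluster" message above reports. The function names, the 32-bit N_INUSEBITS and the fallback to cluster 2 are assumptions; the FSInfo offsets are the standard FAT32 layout, and the sample sector is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_INUSEBITS 32u  /* assumption: bits per pm_inusemap word (u_int, i386) */
#define CLUST_FIRST 2u   /* first data cluster; assumed fallback search start */
enum fsi_status { FSI_OK, FSI_BAD_SIG, FSI_NXTFREE_RANGE };

/* FAT32 on-disk fields are little-endian. */
static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Byte offset into the in-use bitmap that the quoted line 354 reads for cn. */
static uint32_t inusemap_offset(uint32_t cn) {
    return (cn / N_INUSEBITS) * (uint32_t)sizeof(uint32_t);
}

/* Check the FSInfo signatures, then range-check the next-free hint. On a range
 * error *nxtfree is reset to CLUST_FIRST so later lookups stay in bounds. */
static enum fsi_status fsinfo_check(const uint8_t *sec, uint32_t maxcluster,
                                    uint32_t *nfree, uint32_t *nxtfree) {
    if (le32(sec) != 0x41615252u || le32(sec + 484) != 0x61417272u ||
        le32(sec + 508) != 0xAA550000u)
        return FSI_BAD_SIG;
    *nfree = le32(sec + 488);
    *nxtfree = le32(sec + 492);
    if (*nxtfree > maxcluster) {      /* also catches 0xFFFFFFFF */
        *nxtfree = CLUST_FIRST;
        return FSI_NXTFREE_RANGE;
    }
    return FSI_OK;
}

/* Build a constructed 512-byte FSInfo sector with valid signatures. */
static void make_fsinfo(uint8_t *sec, uint32_t nfree, uint32_t nxtfree) {
    memset(sec, 0, 512);
    memcpy(sec, "RRaA", 4);
    memcpy(sec + 484, "rrAa", 4);
    for (int i = 0; i < 4; i++) {
        sec[488 + i] = (uint8_t)(nfree >> (8 * i));
        sec[492 + i] = (uint8_t)(nxtfree >> (8 * i));
    }
    memcpy(sec + 508, "\0\0\x55\xAA", 4);
}

int main(void) {
    uint8_t sec[512];
    uint32_t nfree, nxt;
    make_fsinfo(sec, 1000, 0xFFFFFFFFu);  /* hint value reported in this PR */
    int st = fsinfo_check(sec, 1964992u, &nfree, &nxt);
    printf("status=%d nxtfree=%u unchecked offset=0x%x\n", st, (unsigned)nxt,
           (unsigned)inusemap_offset(0xFFFFFFFFu));
    return 0;
}
```

With the 4294967295 hint the unchecked lookup would read 0x1ffffffc bytes past the start of the bitmap; the original trap frame's tf_edx = 134217727 and tf_ecx = 31 equal 0xFFFFFFFF / 32 and 0xFFFFFFFF % 32.
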

From: Tilman Linneweh <arved@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org, rob@lillack.de
Cc: hmp@FreeBSD.org, simon@FreeBSD.org
Subject: Re: kern/37889: kernel panic when writing to a FAT32 partition
Date: Thu, 26 Aug 2004 17:50:33 +0200

 Hello Hiten, Hello Simon,
 
 If I read cvs log right, the patch mentioned in this PR (which isn't
 available at the URL anymore) was committed as 1.92 of msdosfs_vfsops.c
 
 Can this PR be closed?

From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Tilman Linneweh <arved@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org, rob@lillack.de, hmp@FreeBSD.org
Subject: Re: kern/37889: kernel panic when writing to a FAT32 partition
Date: Thu, 26 Aug 2004 18:39:04 +0200

 On 2004.08.26 17:50:33 +0200, Tilman Linneweh wrote:
 > Hello Hiten, Hello Simon,
 >
 > If I read cvs log right, the patch mentioned in this PR (which isn't
 > available at the URL anymore) was committed as 1.92 of msdosfs_vfsops.c
 >
 > Can this PR be closed?
 
 I don't have the setup to test the problem anymore, but AFAIR the
 committed patch prevented the panic.
 
 After the patch it was still impossible to mount the FAT partition,
 but that's probably beyond the scope of this PR to deal with, since
 it's known that msdosfs in FreeBSD is not really perfect.
 
 So, yes I think this PR can be closed.
 
 -- 
 Simon L. Nielsen
 FreeBSD Documentation Team
 
State-Changed-From-To: feedback->closed 
State-Changed-By: arved 
State-Changed-When: Thu Aug 26 21:52:43 GMT 2004 
State-Changed-Why:  
Thanks simon for confirmation 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37889 
>Unformatted:
