From admin@citylink.dinoex.sub.org  Sun Feb  6 22:12:23 2005
Message-Id: <200502062205.j16M5tDW007999@gate.oper.dinoex.org>
Date: Sun, 6 Feb 2005 23:05:55 +0100 (CET)
From: Peter Much <pmc@citylink.dinoex.sub.org>
Reply-To: Peter Much <pmc@citylink.dinoex.sub.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: newfs -g largevalue, mkdir, panic
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         77181
>Category:       kern
>Synopsis:       [newfs] [patch] newfs -g largevalue, mkdir, panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    mckusick
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 06 22:20:14 GMT 2005
>Closed-Date:    Thu Jan 07 06:00:47 UTC 2010
>Last-Modified:  Thu Jan 07 06:00:47 UTC 2010
>Originator:     Peter Much
>Release:        FreeBSD 5.3-RELEASE-p4 i386
>Organization:
n/a
>Environment:
System: FreeBSD gate.oper.dinoex.org 5.3-RELEASE-p4 FreeBSD 5.3-RELEASE-p4 #4: Sun Jan 30 21:53:17 CET 2005 root@edge.oper.dinoex.org:/usr/src/sys/i386/compile/E1R53V1 i386

	
>Description:

	create 5G filesystem on gvinum drive (single drive, no mirror, no stripe).
	newfs -g 104857600 -U
	mount it, and mkdir some directories.
	panic, integer divide fault.

>How-To-Repeat:

	Was quite reproducible. First directory within directory
	crashed it. Here is the dumpfs header:

magic   19540119 (UFS2) time    Sun Feb  6 22:09:11 2005
superblock location     65536   id      [ 42066452 b1313aa3 ]
ncg     28      size    2621440 blocks  2538519
bsize   16384   shift   14      mask    0xffffc000
fsize   2048    shift   11      mask    0xfffff800
frag    8       shift   3       fsbtodb 2
minfree 8%      optim   time    symlinklen 120
maxbsize 16384  maxbpg  2048    maxcontig 8     contigsumsize 8
nbfree  317308  ndir    6       nifree  659448  nffree  49
bpg     11761   fpg     94088   ipg     23552
nindir  2048    inopb   64      maxfilesize     140806241583103
sbsize  2048    cgsize  16384   csaddr  3000    cssize  2048
sblkno  40      cblkno  48      iblkno  56      dblkno  3000
cgrotor 15      fmod    0       ronly   0       clean   0
avgfpdir 64     avgfilesize 104857600
flags   unclean soft-updates
fsmnt   /j/conn/var/spool/files
volname         swuid   0


>Fix:

	Now I don't use the -g option. Actually I just found it and
	thought, let's try it out - have not yet researched what it
	functionally does. And I know that my value is way large and 
	is not in good match with the blocksize.
	But as this can be harmful in such a way (and not only on
	performance), we need some plausibility check in newfs.
	(And now I put kerneldebugger back into my config - btw,
	there seems no longer anywhere the nice explanations for such
	options as was in the former LINT file - where one could
	easily pick what could be eventually needed.)
>Release-Note:
>Audit-Trail:

From: Bruce Evans <bde@zeta.org.au>
To: Peter Much <pmc@citylink.dinoex.sub.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Subject: Re: kern/77181: newfs -g largevalue, mkdir, panic
Date: Tue, 8 Feb 2005 21:31:40 +1100 (EST)

 On Sun, 6 Feb 2005, Peter Much wrote:
 
 > >Description:
 >
 > 	create 5G filesystem on gvinum drive (single drive, no mirror, no stripe).
 > 	newfs -g 104857600 -U
 > 	mount it, and mkdir some directories.
 > 	panic, integer divide fault.
 
 There is another PR or two about this.  I have the following note about
 fixing it someday:
 
 %%%
 Index: ffs_alloc.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/ufs/ffs/ffs_alloc.c,v
 retrieving revision 1.121
 diff -u -2 -r1.121 ffs_alloc.c
 --- ffs_alloc.c	16 Jun 2004 09:47:25 -0000	1.121
 +++ ffs_alloc.c	28 Oct 2004 15:12:47 -0000
 @@ -964,4 +991,11 @@
  		minbfree = 1;
  	cgsize = fs->fs_fsize * fs->fs_fpg;
 +	/*
 +	 * XXX the following multiplication can overflow, since newfs can
 +	 * be abused to set fs_avgfilesize and fs_avgfpdir to preposterous
 +	 * values.  For the particular preposterous values of (64M, 64),
 +	 * the multiplication overflows to 0 and then dirsize = 0 sometimes
 +	 * causes division by 0.
 +	 */
  	dirsize = fs->fs_avgfilesize * fs->fs_avgfpdir;
  	curdirsize = avgndir ? (cgsize - avgbfree * fs->fs_bsize) / avgndir : 0;
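Review bot: The new comment above "dirsize = fs->fs_avgfilesize * fs->fs_avgfpdir;" documents the overflow but leaves the multiplication unguarded, so a file system that already carries such values still reaches the later division with a bad dirsize. Consider checking the result right after this line (for example treating dirsize <= 0 as invalid and falling back to a safe value), or doing the multiplication in a wider type and range-checking it before storing. The comment also describes only the wrap-to-zero case (64M, 64); the dumpfs output in this PR shows avgfilesize 104857600 with avgfpdir 64, whose product also exceeds 32 bits but does not wrap to 0, so the guard should reject any overflowed result, not only zero.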
 %%%
 

 This should be fixed primarily in newfs.  newfs should refuse to create
 file systems that cannot work.  It already limits many parameters.  Something
 (fsck or the kernel or both) should check for and fix such parameters, since
 they may occur in old file systems.
 
 > >Fix:
 >
 > 	Now I don't use the -g option. Actually I just found it and
 > 	thought, let's try it out - have not yet researched what it
 > 	functionally does. And I know that my value is way large and
 > 	is not in good match with the blocksize.
 
 Another fix is to not use the -g option (or -h option) :-).  I've never
 used them.  These options came with the new `dirpref' algorithm on
 2001/04/10 (to help control that algorithm), so I guess there has not
 been much use of them.  See the cvs log message for newfs.c 1.35 for
 vastly many more details than are in the man page.
 
 > 	(And now I put kerneldebugger back into my config - btw,
 > 	there seems no longer anywhere the nice explanations for such
 > 	options as was in the former LINT file - where one could
 > 	easily pick what could be eventually needed.)
 
 Try the NOTES file.
 
 Bruce
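
The plausibility check asked for in this PR, as an added example (not code from newfs, the kernel, or either correspondent). It assumes the two superblock fields are 32-bit ints, as the patch comment implies; dirsize_wrapped() and check_dirpref_params() are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical helper: the product as a 32-bit int would hold it.
 * Unsigned arithmetic is used so the wrap modulo 2^32 is well defined.
 */
int32_t
dirsize_wrapped(int32_t avgfilesize, int32_t avgfpdir)
{
	return ((int32_t)((uint32_t)avgfilesize * (uint32_t)avgfpdir));
}

/*
 * Hypothetical check for the -g (avgfilesize) and -h (avgfpdir) values:
 * returns 0 when both are positive and their product fits in a positive
 * 32-bit int, -1 otherwise.  The division runs before any multiplication,
 * so the check itself cannot overflow.
 */
int
check_dirpref_params(int64_t avgfilesize, int64_t avgfpdir)
{
	if (avgfilesize <= 0 || avgfpdir <= 0)
		return (-1);
	if (avgfilesize > INT32_MAX / avgfpdir)
		return (-1);
	return (0);
}

int
main(void)
{
	/* Constructed inputs: the pair named in the patch comment, the
	 * pair shown in the dumpfs output, and a small pair. */
	static const int32_t samples[][2] = {
		{ 67108864, 64 }, { 104857600, 64 }, { 16384, 64 },
	};

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("avgfilesize=%d avgfpdir=%d wrapped=%d check=%d\n",
		    (int)samples[i][0], (int)samples[i][1],
		    (int)dirsize_wrapped(samples[i][0], samples[i][1]),
		    check_dirpref_params(samples[i][0], samples[i][1]));
	return (0);
}
```

The value from this PR wraps to a negative number rather than to 0, which is why the check rejects on overflow instead of testing the product for zero.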
Responsible-Changed-From-To: freebsd-bugs->mckusick 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Sat Mar 8 20:05:30 UTC 2008 
Responsible-Changed-Why:  
Assign bug relating to UFS newfs to Kirk. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77181 
State-Changed-From-To: open->closed 
State-Changed-By: mckusick 
State-Changed-When: Thu Jan 7 05:59:14 UTC 2010 
State-Changed-Why:  
This was fixed in r172113 by Bjoern A. Zeeb on 2007-09-10. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77181 
>Unformatted:
