On Fri, Dec 01, 2023 at 05:59:27AM +0000, Klemens Nanni wrote:
> -current amd64 sometimes dumps core when creating a FAT32 image.
> Minimal reproducer below; other FS types, sizes or files are stable, so
> FAT32 seems to be the culprit. I don't have time to look into this.
>
> $ cd /usr/src/*bin/makefs
> $ make DEBUG=-g
> $ mkdir empty/
> $ until ! ./obj/makefs -t msdos -o fat_type=32 -s 257M ./empty.img
> ./empty/ ; do true ; done
> [...]
>
> It takes at most a few seconds/retries for me.
>
> Creating `./empty.img'
> ./empty.img: 525272 sectors in 65659 FAT32 clusters (4096 bytes/cluster)
> MBR type: 11
> bps=512 spc=8 res=32 nft=2 mid=0xf0 spt=63 hds=255 hid=0 bsec=526336
> bspf=513 rdcl=2 infs=1 bkbs=2
> Segmentation fault (core dumped)
>
> $ egdb -q ./obj/makefs ./makefs.core -batch -ex bt
> [New process 372642]
> Core was generated by `makefs'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 0x000008b6b4acb899 in msdosfs_mount (devvp=0x7be6c6083870,
> flags=<optimized out>) at /s/usr.sbin/makefs/msdos/msdosfs_vfsops.c:287
> 287 && !memcmp(fp->fsisig4, "\0\0\125\252", 4))
> #0 0x000008b6b4acb899 in msdosfs_mount (devvp=0x7be6c6083870,
> flags=<optimized out>) at /s/usr.sbin/makefs/msdos/msdosfs_vfsops.c:287
> #1 0x000008b6b4ac64fb in msdos_makefs (image=0x7be6c6083bcc
> "./empty.img", dir=0x7be6c6083bdc "./empty/", root=0x8b927f57660,
> fsopts=0x7be6c60838d0) at /s/usr.sbin/makefs/msdos.c:149
> #2 0x000008b6b4ab6343 in main (argc=2, argv=<optimized out>) at
> /s/usr.sbin/makefs/makefs.c:211
>
> It always chokes on fp->fsisig4.
>
The buffer is 512 bytes but struct fsinfo is 1024 bytes, so the compare of
fp->fsisig4 (at offset 1020) reads past the end of the buffer. I don't know
the MSDOS layout, but pmp->pm_BytesPerSec is probably not the right size for
the bread.
-Otto
#0 0x000009b048ddc8d9 in msdosfs_mount (devvp=0x79af007c6050,
flags=<optimized out>) at /usr/src/usr.sbin/makefs/msdos/msdosfs_vfsops.c:287
287 && !memcmp(fp->fsisig4, "\0\0\125\252", 4))
(gdb) print bp
$1 = (struct mkfsbuf *) 0x9b2cf0fcc80
(gdb) print *bp
$2 = {b_data = 0x9b2cf123e00, b_bufsize = 512, b_bcount = 512, b_blkno
= 1, b_lblkno = 1, b_fs = 0x79af007c60b0, b_tailq = {tqe_next = 0x0,
tqe_prev = 0x9b048de2848 <buftail>}}
(gdb) list
282 goto error_exit;
283 fp = (struct fsinfo *)bp->b_data;
284 if (!memcmp(fp->fsisig1, "RRaA", 4)
285 && !memcmp(fp->fsisig2, "rrAa", 4)
286 && !memcmp(fp->fsisig3, "\0\0\125\252", 4)
287 && !memcmp(fp->fsisig4, "\0\0\125\252", 4))
288 pmp->pm_nxtfree = getulong(fp->fsinxtfree);
289 else
290 pmp->pm_fsinfo = 0;
291 brelse(bp, 0);
(gdb) ptype /o struct fsinfo
/* offset | size */ type = struct fsinfo {
/* 0 | 4 */ u_int8_t fsisig1[4];
/* 4 | 480 */ u_int8_t fsifill1[480];
/* 484 | 4 */ u_int8_t fsisig2[4];
/* 488 | 4 */ u_int8_t fsinfree[4];
/* 492 | 4 */ u_int8_t fsinxtfree[4];
/* 496 | 12 */ u_int8_t fsifill2[12];
/* 508 | 4 */ u_int8_t fsisig3[4];
/* 512 | 508 */ u_int8_t fsifill3[508];
/* 1020 | 4 */ u_int8_t fsisig4[4];
/* total size (bytes): 1024 */
}