https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263853
Bug ID: 263853
Summary: jmicron RAID taste code can panic if conf is garbage
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
Created attachment 233800
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=233800&action=edit
disk image that causes jmicron taste code to panic
During tasting, if the last sector of a newly attached drive looks
enough like a jmicron_raid_conf but meta->disks[] contains no disks,
and meta->spare[] contains one disk, g_raid_md_jmicron_new_disk() may
call g_raid_md_jmicron_start() anyway, leading to a panic.
I've attached a demo disk image, which causes this code in
g_raid_md_jmicron_new_disk() to execute with disks_present = 1 (the
disk being tasted), total_disks = zero (from meta->disks[]), and
total_spare() = one (from meta->spare[]):
	/* If we collected all needed disks - start array. */
	if (mdi->mdio_disks_present == mdi->mdio_total_disks +
	    jmicron_meta_total_spare(mdi->mdio_meta))
		g_raid_md_jmicron_start(sc);
Mounting the demo disk image:
# uname -a
FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #219
main-n250919-29f81bc20825-dirty: Sat May 7 16:30:27 EDT 2022
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# mdconfig -f taste8a.img
GEOM_RAID: JMicron-0000000: Array JMicron-0000000 created.
GEOM_RAID: JMicron-0000000: No transformation module found for ��.
GEOM_RAID: JMicron-0000000: Volume �� state changed from STARTING to
UNSUPPORTED
panic: No disk at position 0!
cpuid = 0
time = 1651920087
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x38
kdb_backtrace() at kdb_backtrace+0x2c
vpanic() at vpanic+0x16e
panic() at panic+0x2a
g_raid_md_jmicron_start_disk() at g_raid_md_jmicron_start_disk+0x350
g_raid_md_jmicron_start() at g_raid_md_jmicron_start+0x1c2
g_raid_md_jmicron_new_disk() at g_raid_md_jmicron_new_disk+0x110
g_raid_md_taste_jmicron() at g_raid_md_taste_jmicron+0x39a
G_RAID_MD_TASTE() at G_RAID_MD_TASTE+0x5a
g_raid_taste() at g_raid_taste+0x15c
g_new_provider_event() at g_new_provider_event+0xb8
one_event() at one_event+0x106
g_run_events() at g_run_events+0x8a
g_event_procbody() at g_event_procbody+0x56
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa
KDB: enter: panic
[ thread pid 13 tid 100017 ]
Stopped at breakpoint+0xa: c.ldsp s0,0(sp)
db>
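As an added illustration (not code from the report or from FreeBSD's md_jmicron.c), a user-space C model of the start condition quoted above: a simplified stand-in for the metadata struct, the two counting helpers as assumed here, the check as reported, and a hardened variant that refuses to start when the metadata names no member disks. The struct layout, the array sizes and the extra guard are assumptions for this model, not the project's fix.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified stand-in for jmicron_raid_conf: only the two arrays the
 * report mentions, 0 meaning "slot unused". Sizes are assumed here. */
#define JM_MAX_DISKS 8
#define JM_MAX_SPARE 2
struct jm_conf { uint32_t disks[JM_MAX_DISKS]; uint32_t spare[JM_MAX_SPARE]; };

/* Member disks: the first empty slot ends the list. */
static int jm_total_disks(const struct jm_conf *m)
{
	int pos;
	for (pos = 0; pos < JM_MAX_DISKS && m->disks[pos] != 0; pos++)
		;
	return (pos);
}

/* Spare disks: every non-zero slot counts. */
static int jm_total_spare(const struct jm_conf *m)
{
	int pos, n = 0;
	for (pos = 0; pos < JM_MAX_SPARE; pos++)
		if (m->spare[pos] != 0)
			n++;
	return (n);
}

/* The start condition quoted in the report: one tasted disk against an
 * empty disks[] plus one spare gives 1 == 0 + 1, so the array starts. */
static bool jm_start_as_reported(const struct jm_conf *m, int present)
{
	return (present == jm_total_disks(m) + jm_total_spare(m));
}

/* Hardened form (an assumed guard, not FreeBSD's actual fix): metadata
 * naming no member disks describes no array, so never start on it. */
static bool jm_start_hardened(const struct jm_conf *m, int present)
{
	int disks = jm_total_disks(m);
	return (disks > 0 && present == disks + jm_total_spare(m));
}

/* Constructed metadata with the shape of the attached image. */
static bool reproduce_report(void)
{
	struct jm_conf garbage = { .spare = { 0x1234, 0 } };
	return (jm_start_as_reported(&garbage, 1) &&
	    !jm_start_hardened(&garbage, 1));
}
```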