On Fri, Dec 01, 2023 at 05:59:27AM +0000, Klemens Nanni wrote: > -current amd64 sometimes dumps core when creating a FAT32 image. > Minimal reproducer below; other FS types, sizes or files are stable, > FAT32 seems to be the culprit. I don't have time to look into this. > > $ cd /usr/src/*bin/makefs > $ make DEBUG=-g > $ mkdir empty/ > $ until ! ./obj/makefs -t msdos -o fat_type=32 -s 257M ./empty.img > ./empty/ ; do true ; done > [...] > > Takes a few seconds/retries at most for me. > > Creating `./empty.img' > ./empty.img: 525272 sectors in 65659 FAT32 clusters (4096 bytes/cluster) > MBR type: 11 > bps=512 spc=8 res=32 nft=2 mid=0xf0 spt=63 hds=255 hid=0 bsec=526336 > bspf=513 rdcl=2 infs=1 bkbs=2 > Segmentation fault (core dumped) > > $ egdb -q ./obj/makefs ./makefs.core -batch -ex bt > [New process 372642] > Core was generated by `makefs'. > Program terminated with signal SIGSEGV, Segmentation fault. > #0 0x000008b6b4acb899 in msdosfs_mount (devvp=0x7be6c6083870, > flags=<optimized out>) at /s/usr.sbin/makefs/msdos/msdosfs_vfsops.c:287 > 287 && !memcmp(fp->fsisig4, "\0\0\125\252", 4)) > #0 0x000008b6b4acb899 in msdosfs_mount (devvp=0x7be6c6083870, > flags=<optimized out>) at /s/usr.sbin/makefs/msdos/msdosfs_vfsops.c:287 > #1 0x000008b6b4ac64fb in msdos_makefs (image=0x7be6c6083bcc > "./empty.img", dir=0x7be6c6083bdc "./empty/", root=0x8b927f57660, > fsopts=0x7be6c60838d0) at /s/usr.sbin/makefs/msdos.c:149 > #2 0x000008b6b4ab6343 in main (argc=2, argv=<optimized out>) at > /s/usr.sbin/makefs/makefs.c:211 > > It always chokes on fp->fsisig4. >
The buffer is 512 bytes (b_bufsize = 512), but struct fsinfo is 1024 bytes, so fp->fsisig4 at offset 1020 lies past the end of the buffer and that memcmp reads out of bounds; the first three signatures sit within the first 512 bytes, which would explain why it only faults some of the time. I don't know the MSDOS layout, but pmp->pm_BytesPerSec is probably not right for the bread. -Otto #0 0x000009b048ddc8d9 in msdosfs_mount (devvp=0x79af007c6050, flags=<optimized out>) at /usr/src/usr.sbin/makefs/msdos/msdosfs_vfsops.c:287 287 && !memcmp(fp->fsisig4, "\0\0\125\252", 4)) (gdb) print bp $1 = (struct mkfsbuf *) 0x9b2cf0fcc80 (gdb) print *bp $2 = {b_data = 0x9b2cf123e00, b_bufsize = 512, b_bcount = 512, b_blkno = 1, b_lblkno = 1, b_fs = 0x79af007c60b0, b_tailq = {tqe_next = 0x0, tqe_prev = 0x9b048de2848 <buftail>}} (gdb) list 282 goto error_exit; 283 fp = (struct fsinfo *)bp->b_data; 284 if (!memcmp(fp->fsisig1, "RRaA", 4) 285 && !memcmp(fp->fsisig2, "rrAa", 4) 286 && !memcmp(fp->fsisig3, "\0\0\125\252", 4) 287 && !memcmp(fp->fsisig4, "\0\0\125\252", 4)) 288 pmp->pm_nxtfree = getulong(fp->fsinxtfree); 289 else 290 pmp->pm_fsinfo = 0; 291 brelse(bp, 0); (gdb) ptype /o struct fsinfo /* offset | size */ type = struct fsinfo { /* 0 | 4 */ u_int8_t fsisig1[4]; /* 4 | 480 */ u_int8_t fsifill1[480]; /* 484 | 4 */ u_int8_t fsisig2[4]; /* 488 | 4 */ u_int8_t fsinfree[4]; /* 492 | 4 */ u_int8_t fsinxtfree[4]; /* 496 | 12 */ u_int8_t fsifill2[12]; /* 508 | 4 */ u_int8_t fsisig3[4]; /* 512 | 508 */ u_int8_t fsifill3[508]; /* 1020 | 4 */ u_int8_t fsisig4[4]; /* total size (bytes): 1024 */ }