prep divide by zero and kernel panic in devfs

prep divide by zero and kernel panic in devfs

[Nick Owens]

[-- Attachment #1: Type: text/plain, Size: 2705 bytes --]

at the recommendation of folks in #cat-v, i started trying to install
9front into a sparse disk image.

this is how far i got, until i encountered a divide by zero in disk/prep
and subsequently a kernel panic in devfs. the following is on 386.
similar behavior appears on amd64.

; ramfs
; cd /tmp
; disk=`{pwd}^/9front.img
; 
; # 5gb sparse disk
; dd -if /dev/zero -of $disk -bs 1048576 -oseek 5120 -count 1
1+0 records in
1+0 records out
; 
; # mbr
; disk/mbr -m /386/mbr $disk
; 
; # partdisk
; disk/fdisk -baw $disk
adding part failed: plan9: fd out of range or not open
?warning: partitions could not be updated in devsd
; 
; # prepdisk
; bind -b '#k' /dev
; {
	echo disk 9front 512 $disk
	disk/fdisk -p $disk
	echo disk 9front 512 /dev/9front/plan9
	disk/prep -bw -a^(9fat nvram fs) /dev/9front/plan9
	} > /dev/fs/ctl
prep 622: suicide: sys: trap: divide error pc=0x000053db
; ls -l /dev/9front/plan9
--rw-rw-r-- k 0 mischief mischief 5362850304 Mar 20 23:18 /dev/9front/plan9
; sprunge /dev/text

now, if you repeat the commands in { } above:

; ktrace /386/9pccpuf f0108643 f4febb48 <<EOF
  estackx f4febe70
  f4febae8=f01083d8 f4febb08=f0100600 f4febb30=f0108643 f4febb38=f016621b
  f4febb44=f0108643 f4febb48=f01083dc f4febb50=f01667a8 f4febb6c=f0225d0a
  f4febb8c=f0189b37 f4febb98=f01886e1 f4febbb8=f0174d8d f4febbd4=f02357c5
  f4febc40=f02256fa f4febc44=f0225710 f4febc4c=f0225854 f4febc60=f0225d0a
  f4febc68=f02191c3 f4febc78=f020ec88 f4febc80=f017544b f4febc88=f017505d
  f4febc90=f017544b f4febc94=f017544b f4febcac=f0108825 f4febccc=f021a9f1
  f4febcd8=f0189aed f4febce0=f0189b37 f4febd1c=f0177350 f4febd28=f0225710
  f4febd30=f0225854 f4febd38=f020de1e f4febd44=f0225d0a f4febd4c=f021fe3b
  f4febd5c=f0221420 f4febd64=f02214a7 f4febd7c=f02140c6 f4febd98=f02215a4
  f4febdb0=f0107b32 f4febdcc=f0108ae7 f4febddc=f0225d0a f4febde0=f0216f02
  f4febde4=f0218701 f4febdec=f0218721 f4febdf4=f0217142 f4febe1c=f0100600
  f4febe54=00000040 f4febe58=f01007b0 f4febe5c=0000e19e f4febe60=00000023
  f4febe64=00000282 f4febe68=dfffeca0 f4febe6c=0000001b
  EOF
src(0xf0108643); // dumpstack+0x10
src(0xf01667a8); // panic+0xd2
src(0xf020ec88); // cclose+0x3f
src(0xf017544b); // mconfig+0x6a3
src(0xf0177350); // mwrite+0x74
src(0xf02214a7); // write+0x18c
src(0xf02215a4); // syspwrite+0x52
src(0xf0108ae7); // syscall+0x1dc
src(0xf0100600); // forkret
//passing interrupt frame; last pc found at sp=0xf4febe1c
; 

obviously prep and the kernel should not do this, but am i using the
commands right to create a sparse disk image? i didnt test it, but maybe
the fact that the disk image is sparse is what breaks prep and devfs.


[-- Attachment #2: Type: application/pgp-signature, Size: 834 bytes --]

Re: [9front] prep divide by zero and kernel panic in devfs

[cinap_lenrek]

the kernel crash is a off by one bug in error handling codepath
when it tries to clean up state before erroring out:

--- a/sys/src/9/port/devfs.c	Fri Mar 21 16:55:16 2014 +0100
+++ b/sys/src/9/port/devfs.c	Fri Mar 21 18:10:55 2014 +0100
@@ -646,7 +646,7 @@
 Fail:
 		for(i = 1; i < cb->nf; i++)
 			if(idev != nil && idev[i-1] != nil)
-				cclose(idev[i]);
+				cclose(idev[i-1]);
 		if(mp != nil)
 			mdeldev(mp);
 		free(idev);

this has nothing todo with sparsefiles. a sparsefile is a
optimization of the filesystem. it just avoids allocating blocks
containing all zeros, thats all.

you want to use partfs. see the test.disk target in /sys/src/boot/pc/mkfile
devfs is bad because then you need to be hostowner on the machine
and you are manipulating global state to solve a local problem.

--
cinap