Subject: kern/12156: reading beyond the end of certain partitions panics system
To: None <gnats-bugs@gnats.netbsd.org>
From: John Franklin <franklin@riff.interlan.net>
List: netbsd-bugs
Date: 02/08/2001 13:47:32
>Number:         12156
>Category:       kern
>Synopsis:       reading beyond the end of certain partitions panics system
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 08 13:50:02 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     John Franklin
>Release:        NetBSD-current 8 Feb 01
>Organization:
	
>Environment:
	
System: NetBSD riff 1.5R NetBSD 1.5R (RIFF) #0: Thu Feb 8 15:12:14 EST 2001 root@riff:/usr/src/sys/arch/i386/compile/RIFF i386
Architecture: i386
Machine: i386
>Description:
	
	Under NetBSD-current, it is possible to cause a panic by reading beyond
the end of certain partitions.  On the machine described below, it was
possible to do this with /dev/sd0a, but not /dev/rsd0a nor /dev/sd0d.

	When it does panic, the panic and backtrace are as follows (hand copied;
no parameters copied):

panic: getblk: block size invariant failed

getblk() +0xd0
breadn() +0x2b
spec_read() +0x223
ufsspec_read() +0x2d
VOP_READ() +0x38
vn_read() +0x78
dofileread() +0x93
sys_read() +0x67
syscall_plain() +0x98

	/dev/sd0d generated SCSI syslog messages:
	
Feb  8 16:23:07 riff /netbsd: ahc0: target 4 synchronous at 10.0MHz, offset = 0xf
Feb  8 16:23:07 riff /netbsd: ahc0: target 4 synchronous at 10.0MHz, offset = 0xf
Feb  8 16:23:07 riff /netbsd: sd0(ahc0:4:0):  Check Condition on CDB: 0x28 00 00 40 02 b0 00 00 04 00
Feb  8 16:23:07 riff /netbsd: sd0(ahc0:4:0):  Check Condition on CDB: 0x28 00 00 40 02 b0 00 00 04 00
Feb  8 16:23:07 riff /netbsd:     SENSE KEY:  Illegal Request
Feb  8 16:23:07 riff /netbsd:     SENSE KEY:  Illegal Request
Feb  8 16:23:07 riff /netbsd:    INFO FIELD:  4194995
Feb  8 16:23:07 riff /netbsd:    INFO FIELD:  4194995
Feb  8 16:23:07 riff /netbsd:      ASC/ASCQ:  Logical Block Address Out of Range
Feb  8 16:23:07 riff /netbsd:      ASC/ASCQ:  Logical Block Address Out of Range
Feb  8 16:23:07 riff /netbsd:      FRU CODE:  0x3
Feb  8 16:23:07 riff /netbsd:      FRU CODE:  0x3
Feb  8 16:23:07 riff /netbsd:          SKSV:  Error in CDB, Offset 7, bit 7
Feb  8 16:23:07 riff /netbsd:          SKSV:  Error in CDB, Offset 7, bit 7
Feb  8 16:23:07 riff /netbsd:
Feb  8 16:23:07 riff /netbsd:
Feb  8 16:23:07 riff /netbsd: ahc0: target 4 synchronous at 10.0MHz, offset = 0xf
Feb  8 16:23:07 riff /netbsd: ahc0: target 4 synchronous at 10.0MHz, offset = 0xf
Feb  8 16:23:07 riff /netbsd: sd0(ahc0:4:0):  Check Condition on CDB: 0x28 00 00 40 02 b0 00 00 04 00
Feb  8 16:23:07 riff /netbsd: sd0(ahc0:4:0):  Check Condition on CDB: 0x28 00 00 40 02 b0 00 00 04 00
Feb  8 16:23:07 riff /netbsd:     SENSE KEY:  Illegal Request
Feb  8 16:23:07 riff /netbsd:     SENSE KEY:  Illegal Request
Feb  8 16:23:07 riff /netbsd:    INFO FIELD:  4194995
Feb  8 16:23:07 riff /netbsd:    INFO FIELD:  4194995
Feb  8 16:23:07 riff /netbsd:      ASC/ASCQ:  Logical Block Address Out of Range
Feb  8 16:23:07 riff /netbsd:      ASC/ASCQ:  Logical Block Address Out of Range
Feb  8 16:23:07 riff /netbsd:      FRU CODE:  0x3
Feb  8 16:23:07 riff /netbsd:      FRU CODE:  0x3
Feb  8 16:23:07 riff /netbsd:          SKSV:  Error in CDB, Offset 7, bit 7
Feb  8 16:23:07 riff /netbsd:          SKSV:  Error in CDB, Offset 7, bit 7
Feb  8 16:23:07 riff /netbsd:
Feb  8 16:23:07 riff /netbsd:
Feb  8 16:23:07 riff /netbsd: ahc0: target 4 synchronous at 10.0MHz, offset = 0xf
Feb  8 16:23:07 riff /netbsd: ahc0: target 4 synchronous at 10.0MHz, offset = 0xf
Feb  8 16:23:07 riff /netbsd: sd0(ahc0:4:0):  Check Condition on CDB: 0x28 00 00 40 02 b4 00 00 04 00
Feb  8 16:23:07 riff /netbsd: sd0(ahc0:4:0):  Check Condition on CDB: 0x28 00 00 40 02 b4 00 00 04 00
Feb  8 16:23:07 riff /netbsd:     SENSE KEY:  Illegal Request
Feb  8 16:23:07 riff /netbsd:     SENSE KEY:  Illegal Request
Feb  8 16:23:07 riff /netbsd:    INFO FIELD:  4194996
Feb  8 16:23:07 riff /netbsd:    INFO FIELD:  4194996
Feb  8 16:23:07 riff /netbsd:      ASC/ASCQ:  Logical Block Address Out of Range
Feb  8 16:23:07 riff /netbsd:      ASC/ASCQ:  Logical Block Address Out of Range
Feb  8 16:23:07 riff /netbsd:      FRU CODE:  0x3
Feb  8 16:23:07 riff /netbsd:      FRU CODE:  0x3
Feb  8 16:23:07 riff /netbsd:          SKSV:  Error in CDB, Offset 2, bit 7
Feb  8 16:23:07 riff /netbsd:          SKSV:  Error in CDB, Offset 2, bit 7
Feb  8 16:23:07 riff /netbsd:
Feb  8 16:23:07 riff /netbsd:

On /dev/wd0d, it caused "transfer errors" which the driver responded to by
downgrading the transfer mode:

Feb  8 16:21:32 riff /netbsd: wd0d: id not found reading fsbn 16514064 of 16514064-16514067 (wd0 bn 16514064; cn 16383 tn 0 sn 0), retrying
Feb  8 16:21:32 riff /netbsd: wd0d: id not found reading fsbn 16514064 of 16514064-16514067 (wd0 bn 16514064; cn 16383 tn 0 sn 0), retrying
Feb  8 16:21:53 riff last message repeated 2 times
Feb  8 16:21:53 riff /netbsd: wd0: transfer error, downgrading to Ultra-DMA mode 1
Feb  8 16:21:53 riff last message repeated 2 times
Feb  8 16:21:53 riff /netbsd: wd0: transfer error, downgrading to Ultra-DMA mode 1
Feb  8 16:21:53 riff /netbsd: wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 1 (using DMA data transfers)
Feb  8 16:21:53 riff /netbsd: wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 1 (using DMA data transfers)
Feb  8 16:21:53 riff /netbsd: wd0d: id not found reading fsbn 16514064 of 16514064-16514067 (wd0 bn 16514064; cn 16383 tn 0 sn 0), retrying
Feb  8 16:21:53 riff /netbsd: wd0d: id not found reading fsbn 16514064 of 16514064-16514067 (wd0 bn 16514064; cn 16383 tn 0 sn 0), retrying
Feb  8 16:21:53 riff /netbsd: wd0d: id not found reading fsbn 16514064 of 16514064-16514067 (wd0 bn 16514064; cn 16383 tn 0 sn 0), retrying
Feb  8 16:21:53 riff /netbsd: wd0d: id not found reading fsbn 16514064 of 16514064-16514067 (wd0 bn 16514064; cn 16383 tn 0 sn 0)
Feb  8 16:21:53 riff /netbsd: wd0d: id not found reading fsbn 16514064 of 16514064-16514067 (wd0 bn 16514064; cn 16383 tn 0 sn 0), retrying
Feb  8 16:21:53 riff /netbsd: wd0d: id not found reading fsbn 16514064 of 16514064-16514067 (wd0 bn 16514064; cn 16383 tn 0 sn 0)
Feb  8 16:21:53 riff /netbsd: wd0: transfer error, downgrading to DMA mode 2
Feb  8 16:21:53 riff /netbsd: wd0: transfer error, downgrading to DMA mode 2
Feb  8 16:21:53 riff /netbsd: wd0(pciide0:0:0): using PIO mode 4, DMA mode 2 (using DMA data transfers)
Feb  8 16:21:53 riff /netbsd: wd0(pciide0:0:0): using PIO mode 4, DMA mode 2 (using DMA data transfers)
Feb  8 16:21:53 riff /netbsd: wd0d: id not found reading fsbn 16514064 of 16514064-16514067 (wd0 bn 16514064; cn 16383 tn 0 sn 0), retrying
Feb  8 16:21:53 riff /netbsd: wd0d: id not found reading fsbn 16514064 of 16514064-16514067 (wd0 bn 16514064; cn 16383 tn 0 sn 0), retrying
Feb  8 16:21:53 riff /netbsd: wd0: transfer error, downgrading to PIO mode 4
Feb  8 16:21:53 riff /netbsd: wd0: transfer error, downgrading to PIO mode 4
Feb  8 16:21:53 riff /netbsd: wd0(pciide0:0:0): using PIO mode 4
Feb  8 16:21:53 riff /netbsd: wd0(pciide0:0:0): using PIO mode 4
Feb  8 16:21:53 riff /netbsd: wd0d: id not found reading fsbn 16514064 of 16514064-16514067 (wd0 bn 16514064; cn 16383 tn 0 sn 0), retrying
Feb  8 16:21:53 riff /netbsd: wd0d: id not found reading fsbn 16514064 of 16514064-16514067 (wd0 bn 16514064; cn 16383 tn 0 sn 0), retrying
Feb  8 16:21:53 riff last message repeated 3 times
Feb  8 16:21:53 riff /netbsd: wd0d: id not found reading fsbn 16514064 of 16514064-16514067 (wd0 bn 16514064; cn 16383 tn 0 sn 0)
Feb  8 16:21:53 riff last message repeated 3 times

The system (HP Vectra VL + 3C509 & Adaptec SCSI card):

NetBSD 1.5R (RIFF) #0: Thu Feb  8 15:12:14 EST 2001
    root@riff:/usr/src/sys/arch/i386/compile/RIFF
cpu0: Intel Pentium III (Katmai) (686-class), 601.39 MHz
cpu0: I-cache 16K 32b/line 4-way, D-cache 16K 32b/line 2/4-way
cpu0: L2 cache 512K 32b/line 4-way
cpu0: features 383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR>
cpu0: features 383f9ff<PGE,MCA,CMOV,FGPAT,PSE36,MMX,FXSR,XMM>
total memory = 127 MB
avail memory = 115 MB
using 1658 buffers containing 6632 KB of memory
BIOS32 rev. 0 found at 0xfd78d
mainbus0 (root)
pnpbios0 at mainbus0: code f0000, data 400, entry 891c, control 0 eventp 400
pnpbios0: nodes 18, max len 186
PNP0C02 (mem fff80000-ffffffff, io 80) at pnpbios0 index 0 ignored
PNP0C01 (mem 0-9ffff e8000-fffff 100000-7ffffff) at pnpbios0 index 1 ignored
PNP0200 (io 0-f 81-8f c0-df, dma 4) at pnpbios0 index 2 ignored
PNP0000 (io 20-21 a0-a1, irq 2) at pnpbios0 index 3 ignored
PNP0100 (io 40-43, irq 0) at pnpbios0 index 4 ignored
PNP0B00 (io 70-71, irq 8) at pnpbios0 index 5 ignored
pckbc0 at pnpbios0 index 6 (PNP0303): kbd port
PNP0C04 (io f0-ff, irq 13) at pnpbios0 index 7 ignored
PNP0800 (io 61) at pnpbios0 index 8 ignored
PNP0A03 (io cf8-cff) at pnpbios0 index 9 ignored
PNP0C02 (io 4d0-4d1 8000-803f 1040-104f 10-18 1f 24-25 28-29 2c-2d 30-31 34-35 38-39 3c-3d 50-52 72-77 90-9f a4-a5 a8-a9 ac-ad b0-b5 b8-b9 bc-bd) at pnpbios0 index 10 ignored
PNP0C02 at pnpbios0 index 11 disabled
PNP0C02 (mem cd800-cffff) at pnpbios0 index 13 ignored
pckbc1 at pnpbios0 index 14 (PNP0F13): aux port
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
PNP0501 at pnpbios0 index 15 disabled
PNP0501 at pnpbios0 index 16 disabled
PNP0401 at pnpbios0 index 17 disabled
fdc0 at pnpbios0 index 19 (PNP0700)
fdc0: io 3f0-3f5 3f7, irq 6, dma 2
fd0 at fdc0 drive 0: 1.44MB, 80 cyl, 2 head, 18 sec
pci0 at mainbus0 bus 0: configuration mode 1
pci0: i/o space, memory space enabled
pchb0 at pci0 dev 0 function 0
pchb0: Intel 82443BX Host Bridge/Controller (rev. 0x03)
ppb0 at pci0 dev 1 function 0: Intel 82443BX AGP Interface (rev. 0x03)
pci1 at ppb0 bus 1
pci1: i/o space, memory space enabled
vga0 at pci1 dev 0 function 0: Matrox MGA G200 AGP (rev. 0x03)
wsdisplay0 at vga0: console (80x25, vt100 emulation), using wskbd0
pcib0 at pci0 dev 4 function 0
pcib0: Intel 82371AB PCI-to-ISA Bridge (PIIX4) (rev. 0x02)
pciide0 at pci0 dev 4 function 1: Intel 82371AB IDE controller (PIIX4) (rev. 0x01)
pciide0: bus-master DMA support present
pciide0: primary channel wired to compatibility mode
wd0 at pciide0 channel 0 drive 0: <Maxtor 90871U2>
wd0: drive supports 16-sector PIO transfers, LBA addressing
wd0: 8063 MB, 16383 cyl, 16 head, 63 sec, 512 bytes/sect x 16514064 sectors
wd0: 32-bit data port
wd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 4 (Ultra/66)
pciide0: primary channel interrupting at irq 14
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 (Ultra/33) (using DMA data transfers)
pciide0: secondary channel wired to compatibility mode
atapibus0 at pciide0 channel 1
cd0 at atapibus0 drive 0: <CD-532E-B, , 2.0A> type 5 cdrom removable
cd0: 32-bit data port
cd0: drive supports PIO mode 4, DMA mode 2
pciide0: secondary channel interrupting at irq 15
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2 (using DMA data transfers)
uhci0 at pci0 dev 4 function 2: Intel 82371AB USB Host Controller (PIIX4) (rev. 0x01)
uhci0: interrupting at irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
Intel 82371AB Power Management Controller (PIIX4) (miscellaneous bridge, revision 0x02) at pci0 dev 4 function 3 not configured
clcs0 at pci0 dev 6 function 0: Cirrus Logic CS4280 CrystalClear Audio Interface (rev. 0x01)
clcs0: interrupting at irq 10
clcs0: Crystal CS4297 codec; headphone, 18 bit DAC, 18 bit ADC, no 3D stereo
audio0 at clcs0: full duplex, independent
midi0 at clcs0: CS4280 MIDI UART
ex0 at pci0 dev 14 function 0: 3Com 3c905B-TX 10/100 Ethernet (rev. 0x24)
ex0: interrupting at irq 11
ex0: MAC address 00:50:da:bb:bc:84
exphy0 at ex0 phy 24: 3Com internal media interface
exphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
ahc0 at pci0 dev 16 function 0
ahc0: interrupting at irq 10
ahc0: aic7890/91 Wide Channel A, SCSI Id=7, 16/255 SCBs
scsibus0 at ahc0 channel 0: 16 targets, 8 luns per target
isa0 at pcib0
com0 at isa0 port 0x3f8-0x3ff irq 4: ns16550a, working fifo
com1 at isa0 port 0x2f8-0x2ff irq 3: ns16550a, working fifo
lpt0 at isa0 port 0x378-0x37b irq 7
pcppi0 at isa0 port 0x61
midi1 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
isapnp0 at isa0 port 0x279: ISA Plug 'n Play device support
npx0 at isa0 port 0xf0-0xff: using exception 16
isapnp0: no ISA Plug 'n Play devices found
apm0 at mainbus0: Power Management spec V1.2
biomask ef65 netmask ef65 ttymask ffe7
scsibus0: waiting 2 seconds for devices to settle...
ahc0: target 4 using 8bit transfers
ahc0: target 4 synchronous at 10.0MHz, offset = 0xf
ahc0: target 4 using tagged queuing
sd0 at scsibus0 target 4 lun 0: <SEAGATE, ST32550N SUN2.1G, 0416> SCSI2 0/direct fixed
sd0: 2048 MB, 3511 cyl, 11 head, 108 sec, 512 bytes/sect x 4194995 sectors
ahc0: target 6 using 16bit transfers
ahc0: target 6 synchronous at 20.0MHz, offset = 0x1f
ahc0: target 6 using tagged queuing
sd1 at scsibus0 target 6 lun 0: <IBM, DNES-309170W, SAH0> SCSI3 0/direct fixed
sd1: 8748 MB, 11474 cyl, 5 head, 312 sec, 512 bytes/sect x 17916240 sectors
IPsec: Initialized Security Association Processing.
boot device: wd0
root on wd0a dumps on wd0b
root file system type: ffs
XFree86 aperture driver version 1.99b
Pentium Pro MTRR support enabled
wsdisplay0: screen 1 added (80x25, vt100 emulation)
wsdisplay0: screen 2 added (80x25, vt100 emulation)
wsdisplay0: screen 3 added (80x25, vt100 emulation)
wsdisplay0: screen 4 added (80x25, vt100 emulation)
wsmux1: connecting to wsdisplay0

riff# disklabel wd0
# /dev/rwd0d:
type: unknown
disk: mydisk
label: 
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 16514064
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0 

8 partitions:
#        size   offset     fstype   [fsize bsize cpg/sgs]
  a:   566937   127575     4.2BSD     1024  8192    16   # (Cyl.  126*- 688)
  b:  1051344   694512       swap                        # (Cyl.  689 - 1731)
  c:  4187295   127575     unused        0     0         # (Cyl.  126*- 4280*)
  d: 16514064        0     unused        0     0         # (Cyl.    0 - 16382)
  e:  2569014  1745856     4.2BSD     1024  8192    16   # (Cyl. 1732 - 4280*)
  f:  4972527 11541348     4.2BSD     1024  8192    16   # (Cyl. 11449*- 16382*)
  g:   127512       63 Linux Ext2     1024  8192         # (Cyl.    0*- 126*)
  h:  6291747  4314933 Linux Ext2     1024  8192         # (Cyl. 4280*- 10522*)
riff# disklabel sd0
# /dev/rsd0d:
type: SCSI
disk: ST32550N SUN2.1
label: fictitious
flags:
bytes/sector: 512
sectors/track: 108
tracks/cylinder: 11
sectors/cylinder: 1188
cylinders: 3511
total sectors: 4194995
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0 

4 partitions:
#        size   offset     fstype   [fsize bsize cpg/sgs]
  a:  4194931       64    unknown                        # (Cyl.    0*- 3531*)
  d:  4194995        0     unused        0     0         # (Cyl.    0 - 3531*)


>How-To-Repeat:
	
	dd if=/dev/sd0a of=/dev/null skip=4096k

	(the skip=4096k is not needed to panic the system; it just reduces the
	amount of time before the panic occurs by not having to read the entire
	partition.  skip'ing to the chase, as it were.)
>Fix:
	
	Don't read beyond the end of the partition on a raw read of a device, or
use the raw device.
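The suggested fix above says where the check belongs. The C program below is an added example written for this page, not code from the PR or from NetBSD: it shows the partition bounds clip a block device's strategy routine can apply so that a request running past the end of the partition is shortened and one starting past the end is rejected before anything reaches the driver or the buffer cache, and it decodes the READ(10) CDB that sd0 logged so the two can be compared against the disklabel. The partition offsets and sizes come from the disklabels in the report; the struct and function names (partition_ex, request_ex, clip_to_partition, read10_lba, read10_len) are hypothetical.

```c
/*
 * Added example, not code from the PR or from NetBSD: a partition bounds
 * check of the kind a block device's strategy routine applies before a
 * request reaches the driver, plus a decoder for the READ(10) CDB that
 * sd0 logged.  Partition numbers are taken from the disklabels in the
 * PR; struct and function names are hypothetical.  Sectors are 512 bytes.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define DEV_BSIZE 512

/* Hypothetical: the two disklabel fields the check needs. */
struct partition_ex {
    uint64_t p_offset;   /* first sector of the partition on the disk */
    uint64_t p_size;     /* number of sectors in the partition */
};

/* Hypothetical: one read request, addressed relative to its partition. */
struct request_ex {
    uint64_t blkno;      /* first sector, relative to the partition */
    uint64_t bcount;     /* bytes requested; shortened by the clip if needed */
    uint64_t resid;      /* bytes dropped by the clip (output) */
    uint64_t abs_blkno;  /* first sector on the whole disk (output) */
};

/*
 * Clip a request to its partition.
 * Returns  1: the request (possibly shortened) may proceed,
 *          0: the request starts exactly at the end (EOF, transfer nothing),
 *    -EINVAL: the request starts past the end.
 * The comparison is written so blkno + nsect is never computed; a huge
 * blkno therefore cannot wrap around and slip past the check.
 */
int clip_to_partition(const struct partition_ex *p, struct request_ex *r)
{
    uint64_t nsect = (r->bcount + DEV_BSIZE - 1) / DEV_BSIZE;

    r->resid = 0;
    if (r->blkno == p->p_size)
        return 0;
    if (r->blkno > p->p_size)
        return -EINVAL;
    if (nsect > p->p_size - r->blkno) {
        /* straddles the end: keep only the sectors inside the partition */
        uint64_t keep = (p->p_size - r->blkno) * DEV_BSIZE;
        r->resid = r->bcount - keep;
        r->bcount = keep;
    }
    r->abs_blkno = p->p_offset + r->blkno;
    return 1;
}

/* READ(10): byte 0 is opcode 0x28, bytes 2..5 the LBA, bytes 7..8 the length. */
uint32_t read10_lba(const uint8_t cdb[10])
{
    return ((uint32_t)cdb[2] << 24) | ((uint32_t)cdb[3] << 16) |
           ((uint32_t)cdb[4] << 8) | cdb[5];
}

uint32_t read10_len(const uint8_t cdb[10])
{
    return ((uint32_t)cdb[7] << 8) | cdb[8];
}

int main(void)
{
    /* from the disklabels in the PR: sd0 has 4194995 sectors, wd0 16514064 */
    const struct partition_ex sd0a = { 64, 4194931 };
    const struct partition_ex sd0d = { 0, 4194995 };
    const struct partition_ex wd0d = { 0, 16514064 };
    /* the CDB from the sd0 syslog lines: 0x28 00 00 40 02 b0 00 00 04 00 */
    const uint8_t cdb[10] = { 0x28, 0, 0, 0x40, 0x02, 0xb0, 0, 0, 0x04, 0 };
    struct request_ex r = { read10_lba(cdb), read10_len(cdb) * DEV_BSIZE, 0, 0 };
    int rc;

    printf("READ(10) LBA %u, %u blocks; disk has %llu sectors\n",
           read10_lba(cdb), read10_len(cdb), (unsigned long long)sd0d.p_size);
    rc = clip_to_partition(&sd0d, &r);
    printf("clip -> rc %d, bcount %llu, resid %llu\n", rc,
           (unsigned long long)r.bcount, (unsigned long long)r.resid);

    /* sd0a ends at sector 64 + 4194931 = 4194995, the same place as the disk */
    r = (struct request_ex){ 4194931, 4 * DEV_BSIZE, 0, 0 };
    printf("sd0a read at its end -> rc %d (0 = EOF)\n", clip_to_partition(&sd0a, &r));

    /* wd0d: the log shows fsbn 16514064, one past the last sector 16514063 */
    r = (struct request_ex){ 16514064, 4 * DEV_BSIZE, 0, 0 };
    printf("wd0d read at sector 16514064 -> rc %d (0 = EOF)\n", clip_to_partition(&wd0d, &r));
    return 0;
}
```

Compile with `cc -std=c99` and run. With the logged CDB (LBA 4194992, 4 blocks against a 4194995-sector disk) the clip keeps three sectors and reports 512 residual bytes, a read starting at sector 16514064 of wd0d returns 0 (EOF), and one starting further out returns -EINVAL; none of them is handed on to the driver as an out-of-range transfer.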
>Release-Note:
>Audit-Trail:
>Unformatted: