Re: kern/57307: panic: ffs_blkfree: bad size

[mlelstv%serpens.de@localhost (Michael van Elst)]

The following reply was made to PR kern/57307; it has been noted by GNATS.

From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/57307: panic: ffs_blkfree: bad size
Date: Wed, 29 Mar 2023 08:49:34 -0000 (UTC)

 manu%netbsd.org@localhost writes:
 
 >dumpfs says:
 >bsize   32768   shift   15      mask    0xffff8000
 >fsize   4096    shift   12      mask    0xfffff000
 >frag    8       shift   3       fsbtodb 3
 >Reading src/usr.sbin/dumpfs/dumpfs.c
 >fs->fs_frag = 8 hence ffs_fragnum(fs, bno) = 1 & 7 = 1
 >fd->fs_fshift = 12 hence ffs_numfrags(fs, size) = 32768 >> 12 = 8
 
 >The third condition turns into 1 + 8 > 8 and we panic. But I have no idea of wh
 at it means.
 
 You have 32KB blocks split into 8 fragments of 4KB each.
 
 Something wants to use a block starting from fragment 1 (offset 4096)
 but with a size of 32KB, so that exceeds the block size.
 
 
 
 >ffs_check_bad_allocation(1,0,8000,a804,0,28210501,0,c53e8df8,c5621000,c561c344)
 at netbsd:ffs_check_bad_allocation+0x97
 >ffs_blkfree(c5621000,c561c344,1,0,8000,28210501,0,100,fffe8008,c55bc940) at net
 bsd:ffs_blkfree+0x85
 >ffs_truncate(c03a309d,c6b819ac,0,0,0,ffffffff,23,c6db398c,c6b819ac,dd846e58) at
  netbsd:ffs_truncate+0xf8e
 
 
 There are several calls to ffs_blkfree in ffs_truncate. Can you
 identify which one is at ffs_truncate+0xf8e ?
 
 My guess is line 527 that should free 'all whole direct blocks or frags'.
 
 for (i = UFS_NDADDR - 1; i > lastblock; i--) {
         bn = ffs_getdb(fs, oip, i);
         bsize = ffs_blksize(fs, oip, i);
         ...
         ffs_blkfree(fs, oip->i_devvp, bn, bsize, oip->i_number);
         ...
 }
 
 which means there is a bad entry for a direct block. Only the last
 entry (which is handled below this loop) is allowed to reference
 a fragment. Everything here must be aligned to a full block (then
 ffs_fragnum(fs, bno) == 0).