Hardware Environment: qemu x86
Software Environment: minimal Debian sid/unstable
Problem Description:

On accessing an intentionally corrupted squashfs filesystem, a "BUG: unable to handle kernel paging request" happens. Unfortunately I have not been able to produce an image which reproduces this (i.e. this seems to be a heisenbug), but with a few minutes of testing I can reproduce it by randomly breaking a filesystem, mounting, accessing, unmounting and repeating.

Here's a sample of the oopses produced (the last one differs a bit from the others, but I believe it is still the same bug):

------------------------------------------------------------
***** zzuffing ***** seed 501
[ 633.616880] BUG: unable to handle kernel paging request at 00039ba8
[ 633.617561] IP: [<c04e045a>] zlib_inflate+0x8a3/0x1da9
[ 633.617996] *pde = 00000000
[ 633.618246] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
[ 633.618535] last sysfs file:
[ 633.618743]
[ 633.618885] Pid: 4536, comm: find Not tainted (2.6.29-rc2 #2)
[ 633.619210] EIP: 0060:[<c04e045a>] EFLAGS: 00000206 CPU: 0
[ 633.619526] EIP is at zlib_inflate+0x8a3/0x1da9
[ 633.619745] EAX: 00000064 EBX: 00001000 ECX: 00039ba8 EDX: c7b90000
[ 633.619974] ESI: 00000007 EDI: 00001000 EBP: c7b90050 ESP: c7b08c78
[ 633.620205] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 633.620452] Process find (pid: 4536, ti=c7b08000 task=c7ac56a0 task.ti=c7b08000)
[ 633.620871] Stack:
[ 633.621003]  c7b90068 c7b90054 c7b902ec 00000041 0000002e 00000006 00000040 c79fda80
[ 633.621475]  00000002 0000012f c7b14ffd 00000170 00000115 c7a3f7b0 00000173 00000000
[ 633.621942]  c7a22da8 c7b90000 c7b9052c c7b902ec c7b90050 c7b90068 c7b9006c c7b9052c
[ 633.622471] Call Trace:
[ 633.622631]  [<c0347649>] squashfs_read_data+0x579/0x7b4
[ 633.622917]  [<c0347d34>] squashfs_cache_get+0x29/0x2ce
[ 633.623188]  [<c0347f64>] squashfs_cache_get+0x259/0x2ce
[ 633.623459]  [<c05c9caf>] _spin_unlock+0x14/0x1c
[ 633.623718]  [<c0275f6d>] __dentry_open+0xa7/0x28c
[ 633.623968]  [<c0348091>] squashfs_read_metadata+0x64/0xd3
[ 633.624137]  [<c03483bc>] squashfs_readdir+0x2bc/0x400
[ 633.624137]  [<c0283424>] filldir64+0x0/0xd9
[ 633.624137]  [<c05c8b97>] mutex_lock_killable_nested+0x260/0x2e0
[ 633.624137]  [<c02836b5>] vfs_readdir+0x42/0x83
[ 633.624137]  [<c02836b5>] vfs_readdir+0x42/0x83
[ 633.624137]  [<c0283424>] filldir64+0x0/0xd9
[ 633.624137]  [<c02836e1>] vfs_readdir+0x6e/0x83
[ 633.624137]  [<c028375c>] sys_getdents64+0x66/0xa9
[ 633.624137]  [<c02030be>] syscall_call+0x7/0xb
[ 633.624137] Code: 8b 9c 24 84 00 00 00 8b 6c 24 7c 89 ac 24 8c 00 00 00 eb 40 8b 5c 24 7c 85 db 0f 84 b2 0b 00 00 8b 54 24 44 8b 42 3c 8b 4c 24 74 <88> 01 83 c1 01 89 4c 24 74 83 6c 24 7c 01 c7 02 12 00 00 00 8b
[ 633.624137] EIP: [<c04e045a>] zlib_inflate+0x8a3/0x1da9 SS:ESP 0068:c7b08c78
[ 633.624195] ---[ end trace bd64820c2a86234e ]---
------------------------------------------------------------

------------------------------------------------------------
[ 373.380000] BUG: unable to handle kernel paging request at 00039ba8
[ 373.380000] IP: [<c04e052f>] zlib_inflate+0x978/0x1da9
[ 373.380000] *pde = 00000000
[ 373.380000] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
[ 373.380000] last sysfs file:
[ 373.380000]
[ 373.380000] Pid: 2727, comm: find Not tainted (2.6.29-rc2 #2)
[ 373.380000] EIP: 0060:[<c04e052f>] EFLAGS: 00000286 CPU: 0
[ 373.380000] EIP is at zlib_inflate+0x978/0x1da9
[ 373.380000] EAX: 00000064 EBX: 00000007 ECX: 00000005 EDX: 00000000
[ 373.380000] ESI: c7ae44d1 EDI: c7ae0000 EBP: 00039ba8 ESP: c7b8cc78
[ 373.380000] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 373.380000] Process find (pid: 2727, ti=c7b8c000 task=c7ac3020 task.ti=c7b8c000)
[ 373.380000] Stack:
[ 373.380000]  c7ae0068 c7ae0054 c7ae02ec 00000041 00000031 00000004 00000041 c79ffa80
[ 373.380000]  00000002 00000133 c7ad8ffa 00000c80 00000119 00000000 00000c86 00000000
[ 373.380000]  c7ad00a8 c7ae0000 c7ae052c c7ae02ec c7ae0050 c7ae0068 c7ae006c c7ae052c
[ 373.380000] Call Trace:
[ 373.380000]  [<c0347649>] squashfs_read_data+0x579/0x7b4
[ 373.380000]  [<c0347d34>] squashfs_cache_get+0x29/0x2ce
[ 373.380000]  [<c0347f64>] squashfs_cache_get+0x259/0x2ce
[ 373.380000]  [<c05c9caf>] _spin_unlock+0x14/0x1c
[ 373.380000]  [<c0275f6d>] __dentry_open+0xa7/0x28c
[ 373.380000]  [<c0348091>] squashfs_read_metadata+0x64/0xd3
[ 373.380000]  [<c03483bc>] squashfs_readdir+0x2bc/0x400
[ 373.380000]  [<c0283424>] filldir64+0x0/0xd9
[ 373.380000]  [<c05c8b97>] mutex_lock_killable_nested+0x260/0x2e0
[ 373.380000]  [<c02836b5>] vfs_readdir+0x42/0x83
[ 373.380000]  [<c02836b5>] vfs_readdir+0x42/0x83
[ 373.380000]  [<c0283424>] filldir64+0x0/0xd9
[ 373.380000]  [<c02836e1>] vfs_readdir+0x6e/0x83
[ 373.380000]  [<c028375c>] sys_getdents64+0x66/0xa9
[ 373.380000]  [<c02030be>] syscall_call+0x7/0xb
[ 373.380000] Code: 3c 89 c2 39 c1 77 02 89 c8 3b 44 24 7c 8b 4c 24 7c 0f 46 c8 29 4c 24 7c 29 ca 8b 7c 24 44 89 57 3c 31 d2 0f b6 04 16 8b 6c 24 74 <88> 44 15 00 83 c2 01 39 d1 75 ed 01 cd 89 6c 24 74 8b 44 24 44
[ 373.380000] EIP: [<c04e052f>] zlib_inflate+0x978/0x1da9 SS:ESP 0068:c7b8cc78
[ 373.390000] ---[ end trace fec7d22c4489f4b4 ]---
------------------------------------------------------------

------------------------------------------------------------
[ 247.737646] BUG: unable to handle kernel paging request at 00039ba8
[ 247.738059] IP: [<c04e052f>] zlib_inflate+0x978/0x1da9
[ 247.738433] *pde = 00000000
[ 247.738646] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
[ 247.738909] last sysfs file:
[ 247.739095]
[ 247.739234] Pid: 1980, comm: find Not tainted (2.6.29-rc2 #2)
[ 247.739518] EIP: 0060:[<c04e052f>] EFLAGS: 00000282 CPU: 0
[ 247.739789] EIP is at zlib_inflate+0x978/0x1da9
[ 247.740019] EAX: 00000000 EBX: 00000003 ECX: 00000002 EDX: 00000000
[ 247.740320] ESI: c7b826bb EDI: c7b80000 EBP: 00039ba8 ESP: c7b98c78
[ 247.740621] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 247.740907] Process find (pid: 1980, ti=c7b98000 task=c78d0000 task.ti=c7b98000)
[ 247.741258] Stack:
[ 247.741386]  c7b80068 c7b80054 c7b802ec 00000041 00000005 00000001 00000040 c7ad0540
[ 247.741858]  00000002 0000012f c7b20ff4 00000160 00000115 c7a0b7b0 0000016c 00000000
[ 247.742342]  c7a904a8 c7b80000 c7b8052c c7b802ec c7b80050 c7b80068 c7b8006c c7b8052c
[ 247.742849] Call Trace:
[ 247.743020]  [<c0347649>] squashfs_read_data+0x579/0x7b4
[ 247.743313]  [<c0347d34>] squashfs_cache_get+0x29/0x2ce
[ 247.743585]  [<c0347f64>] squashfs_cache_get+0x259/0x2ce
[ 247.743897]  [<c05c9caf>] _spin_unlock+0x14/0x1c
[ 247.743939]  [<c0275f6d>] __dentry_open+0xa7/0x28c
[ 247.743939]  [<c0348091>] squashfs_read_metadata+0x64/0xd3
[ 247.743939]  [<c03483bc>] squashfs_readdir+0x2bc/0x400
[ 247.743939]  [<c0283424>] filldir64+0x0/0xd9
[ 247.743939]  [<c05c8b97>] mutex_lock_killable_nested+0x260/0x2e0
[ 247.743939]  [<c02836b5>] vfs_readdir+0x42/0x83
[ 247.743939]  [<c02836b5>] vfs_readdir+0x42/0x83
[ 247.743939]  [<c0283424>] filldir64+0x0/0xd9
[ 247.743939]  [<c02836e1>] vfs_readdir+0x6e/0x83
[ 247.743939]  [<c028375c>] sys_getdents64+0x66/0xa9
[ 247.743939]  [<c02030be>] syscall_call+0x7/0xb
[ 247.743939] Code: 3c 89 c2 39 c1 77 02 89 c8 3b 44 24 7c 8b 4c 24 7c 0f 46 c8 29 4c 24 7c 29 ca 8b 7c 24 44 89 57 3c 31 d2 0f b6 04 16 8b 6c 24 74 <88> 44 15 00 83 c2 01 39 d1 75 ed 01 cd 89 6c 24 74 8b 44 24 44
[ 247.743939] EIP: [<c04e052f>] zlib_inflate+0x978/0x1da9 SS:ESP 0068:c7b98c78
[ 247.743996] ---[ end trace 8a63a42f72fc688d ]---
------------------------------------------------------------

------------------------------------------------------------
[ 695.650000] BUG: unable to handle kernel paging request at 00039ba8
[ 695.650000] IP: [<c04e052f>] zlib_inflate+0x978/0x1da9
[ 695.650000] *pde = 00000000
[ 695.660000] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
[ 695.660000] last sysfs file:
[ 695.660000]
[ 695.660000] Pid: 4794, comm: find Not tainted (2.6.29-rc2 #2)
[ 695.660000] EIP: 0060:[<c04e052f>] EFLAGS: 00000282 CPU: 0
[ 695.660000] EIP is at zlib_inflate+0x978/0x1da9
[ 695.660000] EAX: 00000000 EBX: 00000005 ECX: 00000001 EDX: 00000000
[ 695.660000] ESI: c7ba44ec EDI: c7ba0000 EBP: 00039ba8 ESP: c7b31aac
[ 695.660000] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 695.660000] Process find (pid: 4794, ti=c7b31000 task=c78b0000 task.ti=c7b31000)
[ 695.660000] Stack:
[ 695.660000]  c7ba0068 c7ba0054 c7ba02ec 00000031 0000000d 00000004 00000031 c7ac20e0
[ 695.660000]  00000002 0000012b c780dff2 00000d80 00000111 c7a137b0 00000d8e 00000000
[ 695.660000]  c7a390a8 c7ba0000 c7ba052c c7ba02ec c7ba0050 c7ba0068 c7ba006c c7ba052c
[ 695.660000] Call Trace:
[ 695.660000]  [<c0347649>] squashfs_read_data+0x579/0x7b4
[ 695.660000]  [<c0347d34>] squashfs_cache_get+0x29/0x2ce
[ 695.660000]  [<c0347f64>] squashfs_cache_get+0x259/0x2ce
[ 695.660000]  [<c0348091>] squashfs_read_metadata+0x64/0xd3
[ 695.660000]  [<c03492ac>] squashfs_read_inode+0x7c/0x582
[ 695.660000]  [<c0288787>] iget_locked+0x4d/0x11c
[ 695.660000]  [<c05c9caf>] _spin_unlock+0x14/0x1c
[ 695.660000]  [<c03497e0>] squashfs_iget+0x2e/0x5e
[ 695.660000]  [<c0349b9a>] squashfs_lookup+0x38a/0x400
[ 695.660000]  [<c0286aab>] d_alloc+0x101/0x16f
[ 695.660000]  [<c027e8b6>] do_lookup+0x18c/0x1ad
[ 695.660000]  [<c027ff5d>] __link_path_walk+0x6a8/0xd17
[ 695.660000]  [<c0280764>] path_walk+0x4f/0xa4
[ 695.660000]  [<c0280888>] do_path_lookup+0x81/0x159
[ 695.660000]  [<c027f882>] getname+0x79/0xac
[ 695.660000]  [<c0281383>] user_path_at+0x41/0x72
[ 695.660000]  [<c027a8f5>] vfs_lstat_fd+0x16/0x3d
[ 695.660000]  [<c027a9f6>] sys_fstatat64+0x41/0x55
[ 695.660000]  [<c028afbe>] mntput_no_expire+0x18/0x10a
[ 695.660000]  [<c0275cb1>] filp_close+0x3e/0x5b
[ 695.660000]  [<c0275d37>] sys_close+0x69/0xad
[ 695.660000]  [<c02030ca>] syscall_exit+0x8/0x1a
[ 695.660000]  [<c02030be>] syscall_call+0x7/0xb
[ 695.660000] Code: 3c 89 c2 39 c1 77 02 89 c8 3b 44 24 7c 8b 4c 24 7c 0f 46 c8 29 4c 24 7c 29 ca 8b 7c 24 44 89 57 3c 31 d2 0f b6 04 16 8b 6c 24 74 <88> 44 15 00 83 c2 01 39 d1 75 ed 01 cd 89 6c 24 74 8b 44 24 44
[ 695.660000] EIP: [<c04e052f>] zlib_inflate+0x978/0x1da9 SS:ESP 0068:c7b31aac
[ 695.670000] ---[ end trace fd4ff14aac9adeac ]---
------------------------------------------------------------

------------------------------------------------------------
[ 375.092081] BUG: unable to handle kernel paging request at 00039ba8
[ 375.092711] IP: [<c04e045a>] zlib_inflate+0x8a3/0x1da9
[ 375.093092] *pde = 00000000
[ 375.093309] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
[ 375.093556] last sysfs file:
[ 375.093723]
[ 375.093856] Pid: 2913, comm: find Not tainted (2.6.29-rc2 #2)
[ 375.094125] EIP: 0060:[<c04e045a>] EFLAGS: 00000206 CPU: 0
[ 375.094382] EIP is at zlib_inflate+0x8a3/0x1da9
[ 375.094590] EAX: 00000051 EBX: 00001000 ECX: 00039ba8 EDX: c7bd0000
[ 375.094859] ESI: 00000005 EDI: 00001000 EBP: c7bd0050 ESP: c7bceaac
[ 375.095123] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 375.095375] Process find (pid: 2913, ti=c7bce000 task=c78969e0 task.ti=c7bce000)
[ 375.095690] Stack:
[ 375.095800]  c7bd0068 c7bd0054 c7bd02ec 00000061 00000051 00000009 00000044 c79ffd20
[ 375.096236]  00000002 0000012b c7bf3000 00000140 00000111 c0962600 00000140 00000000
[ 375.096674]  c7bef0a8 c7bd0000 c7bd052c c7bd02ec c7bd0050 c7bd0068 c7bd006c c7bd052c
[ 375.097139] Call Trace:
[ 375.097285]  [<c0293700>] __find_get_block+0xe/0x166
[ 375.097556]  [<c0254f2d>] mempool_alloc+0x2b/0xe0
[ 375.097774]  [<c04c733b>] submit_bio+0x5a/0xce
[ 375.097982]  [<c0347649>] squashfs_read_data+0x579/0x7b4
[ 375.098051]  [<c0347d34>] squashfs_cache_get+0x29/0x2ce
[ 375.098051]  [<c0347f64>] squashfs_cache_get+0x259/0x2ce
[ 375.098051]  [<c0348091>] squashfs_read_metadata+0x64/0xd3
[ 375.098051]  [<c0349704>] squashfs_read_inode+0x4d4/0x582
[ 375.098051]  [<c0288751>] iget_locked+0x17/0x11c
[ 375.098051]  [<c05c9caf>] _spin_unlock+0x14/0x1c
[ 375.098051]  [<c03497e0>] squashfs_iget+0x2e/0x5e
[ 375.098051]  [<c0349b9a>] squashfs_lookup+0x38a/0x400
[ 375.098051]  [<c0286aab>] d_alloc+0x101/0x16f
[ 375.098051]  [<c027e8b6>] do_lookup+0x18c/0x1ad
[ 375.098051]  [<c027ff5d>] __link_path_walk+0x6a8/0xd17
[ 375.098051]  [<c0278419>] file_move+0x14/0x38
[ 375.098051]  [<c0280764>] path_walk+0x4f/0xa4
[ 375.098051]  [<c0280888>] do_path_lookup+0x81/0x159
[ 375.098051]  [<c027f882>] getname+0x79/0xac
[ 375.098051]  [<c0281383>] user_path_at+0x41/0x72
[ 375.098051]  [<c027a8f5>] vfs_lstat_fd+0x16/0x3d
[ 375.098051]  [<c027a9f6>] sys_fstatat64+0x41/0x55
[ 375.098051]  [<c028afbe>] mntput_no_expire+0x18/0x10a
[ 375.098051]  [<c0275cb1>] filp_close+0x3e/0x5b
[ 375.098051]  [<c0275d37>] sys_close+0x69/0xad
[ 375.098051]  [<c02030ca>] syscall_exit+0x8/0x1a
[ 375.098051]  [<c02030be>] syscall_call+0x7/0xb
[ 375.098051] Code: 8b 9c 24 84 00 00 00 8b 6c 24 7c 89 ac 24 8c 00 00 00 eb 40 8b 5c 24 7c 85 db 0f 84 b2 0b 00 00 8b 54 24 44 8b 42 3c 8b 4c 24 74 <88> 01 83 c1 01 89 4c 24 74 83 6c 24 7c 01 c7 02 12 00 00 00 8b
[ 375.098051] EIP: [<c04e045a>] zlib_inflate+0x8a3/0x1da9 SS:ESP 0068:c7bceaac
[ 375.098107] ---[ end trace c1eb1179268fa046 ]---
------------------------------------------------------------
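A fuzzing loop like the one described above produces many near-identical oopses, and the first triage question is whether they are one bug or several. The following helper is an added example, not code from the bug report, the reporter, or the kernel tree: it parses the header lines of x86 oops dumps (the "BUG:", "IP:", "Oops:", "Pid:" and "Call Trace:" lines), decodes the page-fault error code after "Oops:" using the standard x86 error-code bit layout (bit 0 present, bit 1 write, bit 2 user, bit 3 reserved-bit, bit 4 instruction fetch), and buckets the reports by crash signature. The sample input is a constructed, abbreviated copy of three of the oopses quoted above. On that input it shows what the reporter observed: "Oops: 0002" is a kernel-mode write to a not-present page at the low address 0x00039ba8, which is the signature of a corrupted output pointer in the decompressor rather than a bad read of the image, and the reports collapse into one bucket when offsets inside zlib_inflate are ignored.

```python
"""Triage helper for x86 kernel oops dumps (added example; not from the bug
report or the kernel tree). Parses oops header lines, decodes the page-fault
error code and buckets repeated reports by crash signature."""
import re
from collections import defaultdict

# Constructed sample: header lines abbreviated from the oopses quoted in the report.
SAMPLE_LOG = """\
[ 633.616880] BUG: unable to handle kernel paging request at 00039ba8
[ 633.617561] IP: [<c04e045a>] zlib_inflate+0x8a3/0x1da9
[ 633.618246] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
[ 633.618885] Pid: 4536, comm: find Not tainted (2.6.29-rc2 #2)
[ 633.622471] Call Trace:
[ 633.622631]  [<c0347649>] squashfs_read_data+0x579/0x7b4
[ 633.622917]  [<c0347d34>] squashfs_cache_get+0x29/0x2ce
[ 633.624137] Code: 8b 9c 24 84 00 00 00 8b 6c 24 7c 89 ac 24 8c 00 00 00
[ 633.624137] EIP: [<c04e045a>] zlib_inflate+0x8a3/0x1da9 SS:ESP 0068:c7b08c78
[ 633.624195] ---[ end trace bd64820c2a86234e ]---
[ 373.380000] BUG: unable to handle kernel paging request at 00039ba8
[ 373.380000] IP: [<c04e052f>] zlib_inflate+0x978/0x1da9
[ 373.380000] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
[ 373.380000] Pid: 2727, comm: find Not tainted (2.6.29-rc2 #2)
[ 373.380000] Call Trace:
[ 373.380000]  [<c0347649>] squashfs_read_data+0x579/0x7b4
[ 373.390000] ---[ end trace fec7d22c4489f4b4 ]---
[ 247.737646] BUG: unable to handle kernel paging request at 00039ba8
[ 247.738059] IP: [<c04e052f>] zlib_inflate+0x978/0x1da9
[ 247.738646] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
[ 247.739234] Pid: 1980, comm: find Not tainted (2.6.29-rc2 #2)
[ 247.742849] Call Trace:
[ 247.743020]  [<c0347649>] squashfs_read_data+0x579/0x7b4
[ 247.743996] ---[ end trace 8a63a42f72fc688d ]---
"""

_RE_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # printk timestamp prefix
_RE_BUG = re.compile(r"BUG: unable to handle kernel paging request at ([0-9a-f]+)")
_RE_IP = re.compile(r"IP: \[<([0-9a-f]+)>\] (\S+)")  # anchored with match(): skips "EIP:" lines
_RE_OOPS = re.compile(r"Oops: ([0-9a-f]{4}) \[#(\d+)\]")
_RE_PID = re.compile(r"Pid: (\d+), comm: (\S+)")
_RE_FRAME = re.compile(r"\[<([0-9a-f]+)>\] (\S+)")
_RE_END = re.compile(r"---\[ end trace ([0-9a-f]+) \]---")


def decode_fault_code(code):
    """Standard x86 page-fault error-code bits as printed after 'Oops:'."""
    return {
        "present": bool(code & 0x1),            # 0 = page not present, 1 = protection violation
        "write": bool(code & 0x2),              # 1 = faulting access was a write
        "user": bool(code & 0x4),               # 1 = fault raised in user mode
        "reserved_bit": bool(code & 0x8),
        "instruction_fetch": bool(code & 0x10),
    }


def parse_oopses(text):
    """Split a dmesg-style log into one record per 'BUG: unable to handle' oops."""
    oopses, cur, in_trace = [], None, False
    for raw in text.splitlines():
        line = _RE_TS.sub("", raw).strip()
        m = _RE_BUG.search(line)
        if m:
            cur = {"fault_addr": int(m.group(1), 16), "ip": None, "symbol": None,
                   "fault_code": None, "comm": None, "trace": [], "trace_id": None}
            oopses.append(cur)
            in_trace = False
            continue
        if cur is None:
            continue
        m = _RE_IP.match(line)
        if m:
            cur["ip"], cur["symbol"] = int(m.group(1), 16), m.group(2)
            continue
        m = _RE_OOPS.search(line)
        if m:
            cur["fault_code"] = int(m.group(1), 16)
            continue
        m = _RE_PID.search(line)
        if m:
            cur["comm"] = m.group(2)
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith("Code:"):          # end of the frame list
            in_trace = False
        elif _RE_END.search(line):
            cur["trace_id"] = _RE_END.search(line).group(1)
            cur, in_trace = None, False
        elif in_trace:
            m = _RE_FRAME.search(line)
            if m:
                cur["trace"].append(m.group(2))
    return oopses


def describe_fault(oops):
    """Human-readable summary of what kind of access faulted and where."""
    f = decode_fault_code(oops["fault_code"])
    kind = "write" if f["write"] else ("fetch" if f["instruction_fetch"] else "read")
    mode = "user" if f["user"] else "kernel"
    cause = "protection violation" if f["present"] else "not-present page"
    return f"{mode}-mode {kind} of {cause} at 0x{oops['fault_addr']:08x} in {oops['symbol']}"


def signature(oops, with_offset=False):
    """Crash signature: faulting function (optionally with offset), address, access kind."""
    sym = oops["symbol"] if with_offset else oops["symbol"].split("+")[0]
    return (sym, oops["fault_addr"], "write" if decode_fault_code(oops["fault_code"])["write"] else "read")


def bucket(oopses, with_offset=False):
    """Group oopses by signature; values are the 'end trace' ids in each bucket."""
    groups = defaultdict(list)
    for o in oopses:
        groups[signature(o, with_offset)].append(o["trace_id"])
    return dict(groups)


if __name__ == "__main__":
    found = parse_oopses(SAMPLE_LOG)
    for o in found:
        print(o["trace_id"], describe_fault(o), "<-", " <- ".join(o["trace"]))
    for sig, ids in bucket(found).items():
        print("bucket", sig, "->", len(ids), "reports")
```

Bucketing on the function name alone merges the two distinct `zlib_inflate` offsets the reporter saw into one report; pass `with_offset=True` to keep them apart when deciding whether a fix covers every variant.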
This appears to be the same bug reported in this thread:
http://marc.info/?l=linux-fsdevel&m=123212794425497&w=2

My analysis of the bug is here:
http://marc.info/?l=linux-fsdevel&m=123259245729023&w=2

I'll create a patch and attach it.
Created attachment 20104
Fix for the kernel oops reported

Patch submitted to LKML and linux-fsdevel. Also available from Squashfs git tree at git://git.kernel.org/pub/scm/linux/kernel/git/pkl/squashfs-linus.git
Created attachment 20151
Fix v2

Second version of patch following review...
The fix for this has just gone into mainline (to be 2.6.29-rc8).