Description of problem:
Running the file system fuzzer against squashfs, I get the following backtrace on the 2.6.18-2798 x86_64 kernel:

VFS: brelse: Trying to free free buffer
BUG: warning at fs/buffer.c:1277/__brelse() (Not tainted)

Call Trace:
 [<ffffffff8026929b>] show_trace+0x34/0x47
 [<ffffffff802692c0>] dump_stack+0x12/0x17
 [<ffffffff88576a13>] :squashfs:squashfs_read_data+0x53f/0x57c
 [<ffffffff885780f3>] :squashfs:squashfs_get_cached_block+0x1ee/0x397
 [<ffffffff88579722>] :squashfs:squashfs_iget+0x162/0x12cd
 [<ffffffff885773c2>] :squashfs:squashfs_fill_super+0x972/0xa3a
 [<ffffffff802d51db>] get_sb_bdev+0xf8/0x152
 [<ffffffff802d4cc9>] vfs_kern_mount+0x93/0x11a
 [<ffffffff802d4d92>] do_kern_mount+0x36/0x4d
 [<ffffffff802de132>] do_mount+0x692/0x702
 [<ffffffff8024ad02>] sys_mount+0x8a/0xcd
 [<ffffffff8025c181>] tracesys+0xd1/0xdc
DWARF2 unwinder stuck at tracesys+0xd1/0xdc

Leftover inexact backtrace:

VFS: brelse: Trying to free free buffer
BUG: warning at fs/buffer.c:1277/__brelse() (Not tainted)

Call Trace:
 [<ffffffff8026929b>] show_trace+0x34/0x47
 [<ffffffff802692c0>] dump_stack+0x12/0x17
 [<ffffffff88576a13>] :squashfs:squashfs_read_data+0x53f/0x57c
 [<ffffffff885780f3>] :squashfs:squashfs_get_cached_block+0x1ee/0x397
 [<ffffffff88579722>] :squashfs:squashfs_iget+0x162/0x12cd
 [<ffffffff885773c2>] :squashfs:squashfs_fill_super+0x972/0xa3a
 [<ffffffff802d51db>] get_sb_bdev+0xf8/0x152
 [<ffffffff802d4cc9>] vfs_kern_mount+0x93/0x11a
 [<ffffffff802d4d92>] do_kern_mount+0x36/0x4d
 [<ffffffff802de132>] do_mount+0x692/0x702
 [<ffffffff8024ad02>] sys_mount+0x8a/0xcd
 [<ffffffff8025c181>] tracesys+0xd1/0xdc
DWARF2 unwinder stuck at tracesys+0xd1/0xdc

Leftover inexact backtrace:

SQUASHFS error: sb_bread failed reading block 0x16
SQUASHFS error: Unable to read cache block [2a77:240]
SQUASHFS error: Unable to read inode [2a77:240]

How reproducible:
Always

Steps to Reproduce:
1. ./fsfuzz squashfs
Created attachment 139667: problematic image
Attached problematic image.
Hm, that may not be the image that caused this exact problem, there are a few of these floating around w/ different problems. The tool Steve is using is at http://projects.info-pull.com/mokb/fsfuzzer-0.6-lmh.tgz Point it at squashfs and you'll probably eventually hit the original signature here.
I've fixed this bug. I'm still tracking down another bug thrown up by fsfuzzer, when I've fixed that I'll attach a patch. What version of Squashfs are you using? Phillip
3.1 I think, but we've got a few tweaks in there to cope with the changes other patches in our tree have made (we backported the inode diet stuff from .19 for eg). btw, infamy! http://projects.info-pull.com/mokb/MOKB-02-11-2006.html
Infamy, infamy, they've all got it in for me :-) (apologies to the non-Brits). A listing on MOKB, and the second bug too... Sadly not my idea of a good advertisement. I've submitted my current fsfuzz fixes to Squashfs CVS (along with support for NFS). Unfortunately, I've run out of time this weekend to do a patch that I could attach here.
Created attachment 141292: Patch for fsfuzz triggered crashes (against Squashfs 3.1)
I have attached a patch that fixes this bug, and all other bugs that fsfuzz triggers. With this patch applied Squashfs survived 14 consecutive runs of fsfuzz (I stopped it after 14 runs). Phillip
I built a kernel based off of 2849 + this patch. The kernel does not work. I don't think it makes it to the point where you see the message about decompressing the kernel and immediately goes back to the BIOS.
"I built a kernel based off of 2849 + this patch. The kernel does not work." This isn't anything to do with my patch. My patch touches three files, all within the Squashfs filesystem. Changes in these won't cause the issues you describe. Phillip
I believe this was fixed in build 2869. Closing.