Bug 211237 - kernel squashfs trying to free a free buffer
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Kernel Maintainer List
Brian Brock
Reported: 2006-10-17 20:05 EDT by Steve Grubb
Modified: 2007-11-30 17:11 EST (History)
CC: 5 users

Fixed In Version: 2.6.18-1.2869
Doc Type: Bug Fix
Last Closed: 2007-01-23 13:30:59 EST


Attachments
problematic image (28.85 KB, application/octet-stream)
2006-10-29 09:17 EST, Eric Sandeen
Patch for fsfuzz triggered crashes (against Squashfs 3.1) (11.93 KB, patch)
2006-11-15 13:08 EST, Phillip Lougher

Description Steve Grubb 2006-10-17 20:05:20 EDT
Description of problem:
Running the file system fuzzer against squashfs, I get the following backtrace
on the 2.6.18-2798 x86_64 kernel:

VFS: brelse: Trying to free free buffer
BUG: warning at fs/buffer.c:1277/__brelse() (Not tainted)

Call Trace:
 [<ffffffff8026929b>] show_trace+0x34/0x47
 [<ffffffff802692c0>] dump_stack+0x12/0x17
 [<ffffffff88576a13>] :squashfs:squashfs_read_data+0x53f/0x57c
 [<ffffffff885780f3>] :squashfs:squashfs_get_cached_block+0x1ee/0x397
 [<ffffffff88579722>] :squashfs:squashfs_iget+0x162/0x12cd
 [<ffffffff885773c2>] :squashfs:squashfs_fill_super+0x972/0xa3a
 [<ffffffff802d51db>] get_sb_bdev+0xf8/0x152
 [<ffffffff802d4cc9>] vfs_kern_mount+0x93/0x11a
 [<ffffffff802d4d92>] do_kern_mount+0x36/0x4d
 [<ffffffff802de132>] do_mount+0x692/0x702
 [<ffffffff8024ad02>] sys_mount+0x8a/0xcd
 [<ffffffff8025c181>] tracesys+0xd1/0xdc
DWARF2 unwinder stuck at tracesys+0xd1/0xdc
Leftover inexact backtrace:

VFS: brelse: Trying to free free buffer
BUG: warning at fs/buffer.c:1277/__brelse() (Not tainted)

Call Trace:
 [<ffffffff8026929b>] show_trace+0x34/0x47
 [<ffffffff802692c0>] dump_stack+0x12/0x17
 [<ffffffff88576a13>] :squashfs:squashfs_read_data+0x53f/0x57c
 [<ffffffff885780f3>] :squashfs:squashfs_get_cached_block+0x1ee/0x397
 [<ffffffff88579722>] :squashfs:squashfs_iget+0x162/0x12cd
 [<ffffffff885773c2>] :squashfs:squashfs_fill_super+0x972/0xa3a
 [<ffffffff802d51db>] get_sb_bdev+0xf8/0x152
 [<ffffffff802d4cc9>] vfs_kern_mount+0x93/0x11a
 [<ffffffff802d4d92>] do_kern_mount+0x36/0x4d
 [<ffffffff802de132>] do_mount+0x692/0x702
 [<ffffffff8024ad02>] sys_mount+0x8a/0xcd
 [<ffffffff8025c181>] tracesys+0xd1/0xdc
DWARF2 unwinder stuck at tracesys+0xd1/0xdc
Leftover inexact backtrace:

SQUASHFS error: sb_bread failed reading block 0x16
SQUASHFS error: Unable to read cache block [2a77:240]
SQUASHFS error: Unable to read inode [2a77:240]


How reproducible:
Always

Steps to Reproduce:
1. ./fsfuzz squashfs
Comment 1 Eric Sandeen 2006-10-29 09:17:33 EST
Created attachment 139667
problematic image

Attached problematic image.
Comment 2 Eric Sandeen 2006-10-29 09:43:39 EST
Hm, that may not be the image that caused this exact problem; there are a few of
these floating around w/ different problems.

The tool Steve is using is at
http://projects.info-pull.com/mokb/fsfuzzer-0.6-lmh.tgz

Point it at squashfs and you'll probably eventually hit the original signature here.
Comment 3 Phillip Lougher 2006-10-30 00:02:38 EST
I've fixed this bug.  I'm still tracking down another bug thrown up by fsfuzzer;
when I've fixed that I'll attach a patch.  What version of Squashfs are you using?

Phillip
Comment 4 Dave Jones 2006-11-02 18:26:21 EST
3.1 I think, but we've got a few tweaks in there to cope with the changes other
patches in our tree have made (we backported the inode diet stuff from .19, e.g.).

btw, infamy! http://projects.info-pull.com/mokb/MOKB-02-11-2006.html
Comment 5 Phillip Lougher 2006-11-05 22:50:19 EST
Infamy, infamy, they've all got it in for me :-) (apologies to the non-Brits).

A listing on MOKB, and the second bug too...  Sadly not my idea of a good
advertisement.  I've submitted my current fsfuzz fixes to Squashfs CVS (along
with support for NFS).  Unfortunately, I've run out of time this weekend to do a
patch that I could attach here.
Comment 7 Phillip Lougher 2006-11-15 13:08:50 EST
Created attachment 141292
Patch for fsfuzz triggered crashes (against Squashfs 3.1)

I have attached a patch that fixes this bug, and all other bugs that fsfuzz
triggers.  With this patch applied Squashfs survived 14 consecutive runs of
fsfuzz (I stopped it after 14 runs).

Phillip
Comment 8 Steve Grubb 2006-11-17 08:07:18 EST
I built a kernel based off of 2849 + this patch. The kernel does not work. I
don't think it makes it to the point where you see the message about
decompressing the kernel; it immediately goes back to the BIOS.
Comment 9 Phillip Lougher 2006-11-17 09:53:23 EST
"I built a kernel based off of 2849 + this patch. The kernel does not work."

This isn't anything to do with my patch.  My patch touches three files, all
within the Squashfs filesystem.  Changes in these won't cause the issues you
describe.

Phillip
Comment 10 Steve Grubb 2007-01-23 13:30:59 EST
I believe this was fixed in build 2869. Closing.
