From: Eric Sesterhenn <snakebyte@gmx.de>
To: phillip@lougher.demon.co.uk
Cc: linux-fsdevel@vger.kernel.org
Subject: Bug with corrupted squashfs image
Date: Tue, 13 Jan 2009 13:40:27 +0100
Message-ID: <20090113124027.GB16333@alice>
hi,
mounting the squashfs image at http://www.cccmz.de/~snakebyte/squashfs.9.img.bz2
results in the following oops:
[ 113.485219] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 113.485615] IP: [<c032b94a>] zlib_inflate+0x85a/0x18d0
[ 113.485883] Oops: 0002 [#1] DEBUG_PAGEALLOC
[ 113.486123] last sysfs file: /sys/block/sda/size
[ 113.486257] Modules linked in: nfsd exportfs nfs lockd nfs_acl auth_rpcgss sunrpc ipv6 fuse unix
[ 113.487294]
[ 113.487464] Pid: 4461, comm: mount Not tainted (2.6.29-rc1 #90)
[ 113.487609] EIP: 0060:[<c032b94a>] EFLAGS: 00010246 CPU: 0
[ 113.487752] EIP is at zlib_inflate+0x85a/0x18d0
[ 113.487889] EAX: 00000000 EBX: 00000003 ECX: 00000001 EDX: 00000000
[ 113.488049] ESI: 00000000 EDI: c7df452b EBP: c7d59c78 ESP: c7d59b6c
[ 113.488049] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[ 113.488049] Process mount (pid: 4461, ti=c7d59000 task=c7dd3710 task.ti=c7d59000)
[ 113.488049] Stack:
[ 113.488049] c7df0068 c7df0054 c7df02ec 00000036 00000002 00000000 c7d59c08 c014ee4c
[ 113.488049] 00000083 00000031 00000003 00000138 0000011e 00000000 c7990f98 c7df0000
[ 113.488049] c7df052c c7df02ec c7df0050 c7df0068 c7df006c c7df052c 0000003f c7df0054
[ 113.488049] Call Trace:
[ 113.488049] [<c014ee4c>] ? __lock_acquire+0x26c/0x1110
[ 113.488049] [<c0140001>] ? posix_cpu_clock_get+0x1/0x160
[ 113.488049] [<c062a421>] ? mutex_lock_nested+0x1f1/0x2c0
[ 113.488049] [<c062a42b>] ? mutex_lock_nested+0x1fb/0x2c0
[ 113.488049] [<c022277d>] ? squashfs_read_data+0x3fd/0x830
[ 113.488049] [<c02228b9>] ? squashfs_read_data+0x539/0x830
[ 113.488049] [<c022303c>] ? squashfs_cache_get+0x25c/0x330
[ 113.488049] [<c014e941>] ? trace_hardirqs_on_caller+0x151/0x1c0
[ 113.488049] [<c02231ff>] ? squashfs_read_metadata+0x6f/0x140
[ 113.488049] [<c0224f32>] ? squashfs_read_inode+0x82/0x7e0
[ 113.488049] [<c01ba039>] ? new_inode+0x79/0x80
[ 113.488049] [<c02262e2>] ? squashfs_fill_super+0x4c2/0x9a0
[ 113.488049] [<c01a9633>] ? get_sb_bdev+0x123/0x150
[ 113.488049] [<c01b0030>] ? do_lookup+0x130/0x1c0
[ 113.488049] [<c018ba01>] ? kstrdup+0x31/0x60
[ 113.488049] [<c0225c61>] ? squashfs_get_sb+0x21/0x30
[ 113.488049] [<c0225e20>] ? squashfs_fill_super+0x0/0x9a0
[ 113.488049] [<c01a8e69>] ? vfs_kern_mount+0x59/0x130
[ 113.488049] [<c01a8f99>] ? do_kern_mount+0x39/0xe0
[ 113.488049] [<c01be4b4>] ? do_mount+0x434/0x7b0
[ 113.488049] [<c01bc9ac>] ? copy_mount_options+0x3c/0x130
[ 113.488049] [<c01be8b4>] ? sys_mount+0x84/0xb0
[ 113.488049] [<c0103551>] ? sysenter_do_call+0x12/0x31
[ 113.488049] Code: 70 ff ff ff 3b 85 70 ff ff ff 8b b5 30 ff ff ff 0f 46 c8 29 ca 29 8d 70 ff ff ff 89 56 3c 31 d2 90 0f b6 04 17 8b b5 6c ff ff ff <88> 04 16 83 c2 01 39 ca 75 ec 8b 85 30 ff ff ff 01 d6 89 b5 6c
[ 113.488049] EIP: [<c032b94a>] zlib_inflate+0x85a/0x18d0 SS:ESP 0068:c7d59b6c
[ 113.502261] ---[ end trace 42a589fe0cbc2ff1 ]---
(gdb) l *(zlib_inflate+0x85a)
0xc032b94a is in zlib_inflate (lib/zlib_inflate/inflate.c:683).
678 }
679 if (copy > left) copy = left;
680 left -= copy;
681 state->length -= copy;
682 do {
683 *put++ = *from++;
684 } while (--copy);
685 if (state->length == 0) state->mode = LEN;
686 break;
687 case LIT:
I already reported a similar issue to Phillip but got no reply (lost in spam?),
so I duplicate it here:
[ 6053.337097] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 6053.337320] IP: [<c055118f>] zlib_inflate+0xfcc/0x15a9
[ 6053.337488] *pde = 00000000
[ 6053.337619] Oops: 0002 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 6053.337892] last sysfs file: /sys/block/ram9/range
[ 6053.337994] Modules linked in:
[ 6053.338020]
[ 6053.338020] Pid: 28143, comm: cat Tainted: G W (2.6.28-09185-g71dd273 #182) System Name
[ 6053.338020] EIP: 0060:[<c055118f>] EFLAGS: 00010206 CPU: 0
[ 6053.338020] EIP is at zlib_inflate+0xfcc/0x15a9
[ 6053.338020] EAX: 00000075 EBX: c1820000 ECX: 00001000 EDX: 00000000
[ 6053.338020] ESI: c182052c EDI: c18202ec EBP: cc37cc28 ESP: cc37cb10
[ 6053.338020] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 6053.338020] Process cat (pid: 28143, ti=cc37c000 task=cc328000 task.ti=cc37c000)
[ 6053.338020] Stack:
[ 6053.338020] c07f0c15 c10ea164 c07f0c5e 00000001 c18202ec c182052c 000007ff 000001ff
[ 6053.338020] c17477c0 cc37cbb0 00000000 cba5dd38 c182052c 66fee13b 00000581 c1820d74
[ 6053.338020] cd050768 00000000 00000006 00001000 00000001 00000001 00000368 00000000
[ 6053.338020] Call Trace:
[ 6053.338020] [<c07f0c15>] ? schedule+0x91d/0x943
[ 6053.338020] [<c07f0c5e>] ? io_schedule+0x23/0x2d
[ 6053.338020] [<c07f322c>] ? _spin_unlock_irqrestore+0x47/0x5d
[ 6053.338020] [<c07f1021>] ? out_of_line_wait_on_bit+0x5d/0x65
[ 6053.338020] [<c01ba5b8>] ? sync_buffer+0x0/0x3f
[ 6053.338020] [<c013f715>] ? wake_bit_function+0x0/0x48
[ 6053.338020] [<c02632e0>] ? squashfs_read_data+0x56c/0x770
[ 6053.338020] [<c07f314e>] ? _spin_unlock+0x2c/0x41
[ 6053.338020] [<c026383f>] ? squashfs_cache_get+0x155/0x29f
[ 6053.338020] [<c02636e2>] ? squashfs_cache_put+0x53/0x5b
[ 6053.338020] [<c02639a7>] ? squashfs_get_datablock+0x1e/0x23
[ 6053.338020] [<c0264e5c>] ? squashfs_readpage+0x90d/0xb45
[ 6053.338020] [<c017a6e7>] ? add_to_page_cache_locked+0x5e/0xbc
[ 6053.338020] [<c014dd5d>] ? trace_hardirqs_on+0xb/0xd
[ 6053.338020] [<c01814a0>] ? __do_page_cache_readahead+0x13a/0x16a
[ 6053.338020] [<c01816c3>] ? ondemand_readahead+0x108/0x116
[ 6053.338020] [<c0181752>] ? page_cache_sync_readahead+0x1b/0x20
[ 6053.338020] [<c017ba12>] ? generic_file_aio_read+0x227/0x539
[ 6053.338020] [<c019f702>] ? do_sync_read+0xc0/0xfe
[ 6053.338020] [<c01a2541>] ? cp_new_stat64+0xed/0xff
[ 6053.338020] [<c013f6e0>] ? autoremove_wake_function+0x0/0x35
[ 6053.338020] [<c01a29aa>] ? sys_fstat64+0x27/0x2d
[ 6053.338020] [<c019f642>] ? do_sync_read+0x0/0xfe
[ 6053.338020] [<c019fe25>] ? vfs_read+0x8f/0x10b
[ 6053.338020] [<c01a013d>] ? sys_read+0x40/0x65
[ 6053.338020] [<c0102f21>] ? sysenter_do_call+0x12/0x31
[ 6053.338020] Code: ff 01 c7 89 bd 2c ff ff ff 83 7b 3c 00 0f 85 0c f1 ff ff eb 25 83 bd 34 ff ff ff 00 0f 84 b7 02 00 00 8b 43 3c 8b 95 2c ff ff ff <88> 02 42 ff 8d 34 ff ff ff 89 95 2c ff ff ff c7 03 12 00 00 00
[ 6053.338020] EIP: [<c055118f>] zlib_inflate+0xfcc/0x15a9 SS:ESP 0068:cc37cb10
[ 6053.452067] ---[ end trace 4eaa2a86a8e2da24 ]---
(gdb) l *(zlib_inflate+0xfcc)
0xc055118f is in zlib_inflate (lib/zlib_inflate/inflate.c:689).
684 } while (--copy);
685 if (state->length == 0) state->mode = LEN;
686 break;
687 case LIT:
688 if (left == 0) goto inf_leave;
689 *put++ = (unsigned char)(state->length);
690 left--;
691 state->mode = LEN;
692 break;
693 case CHECK:
This image can be found at http://www.cccmz.de/~snakebyte/squashfs.4.img
Greetings, Eric
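Added example, not from the report or from the kernel: a user-space model of the two inflate.c output paths the gdb listings point at (the COPY loop at line 683 and the LIT store at line 689), with the output pointer checked before any byte is written. In both traces the faulting store goes to address 0 (`88 04 16` is `mov [esi+edx],al` with ESI=EDX=0; `88 02` is `mov [edx],al` with EDX=0), so `put`, the decompressor's output pointer, was NULL when zlib_inflate was called on the corrupted image. The struct and function names here are invented for the example.

```c
#include <stddef.h>
/* Stand-in for the z_stream/inflate_state fields used below; names are invented. */
struct out_window {
    unsigned char *put;   /* next output byte (strm->next_out in zlib terms) */
    size_t left;          /* bytes of output space remaining (avail_out) */
};

/* The invariant both oopses violated: a real, non-empty output buffer. */
int out_window_valid(const struct out_window *w)
{
    return w != NULL && w->put != NULL && w->left != 0;
}

/* COPY case (inflate.c lines 679-684): copy `length` bytes of already-decoded
 * data into the window, clamped to the space left.  Byte loop on purpose: in
 * LZ77 `from` may overlap `put`.  Returns bytes copied, or -1 if unusable. */
int emit_copy(struct out_window *w, const unsigned char *from, size_t length)
{
    if (!out_window_valid(w) || from == NULL) return -1;
    size_t copy = length > w->left ? w->left : length;
    w->left -= copy;
    for (size_t i = 0; i < copy; i++)
        *w->put++ = *from++;
    return (int)copy;
}

/* LIT case (inflate.c line 689): store one literal byte.  0 on success, -1 otherwise. */
int emit_literal(struct out_window *w, unsigned char lit)
{
    if (!out_window_valid(w)) return -1;
    *w->put++ = lit;
    w->left--;
    return 0;
}

/* Constructed scenarios: a normal window, and a window whose `put` is NULL as
 * in the traces.  Returns the number of checks that behaved as intended (5). */
int run_scenarios(void)
{
    unsigned char buf[8];
    struct out_window ok = { buf, sizeof buf };
    struct out_window null_out = { NULL, 4096 };
    int passed = 0;
    passed += emit_copy(&ok, (const unsigned char *)"abcdef", 6) == 6;
    passed += emit_literal(&ok, 'X') == 0 && buf[6] == 'X' && ok.left == 1;
    passed += emit_copy(&null_out, (const unsigned char *)"ab", 2) == -1;
    passed += emit_literal(&null_out, 'X') == -1;
    passed += emit_copy(&ok, (const unsigned char *)"yz", 2) == 1; /* clamped */
    return passed;
}
```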