From: Greg KH <greg@kroah.com>
To: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Phillip Lougher <phillip@lougher.demon.co.uk>,
Cyril Strejc <strejc@unicontrols.cz>,
phillip@squashfs.org.uk, squashfs-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [Squashfs-devel] PROBLEM: mount empty SquashFS
Date: Thu, 27 Sep 2012 14:03:35 -0700
Message-ID: <20120927210335.GA3468@kroah.com>
In-Reply-To: <CAMuHMdXXP=iF8qiBydYGgaKUpTR=88Y7uUTf9uquA7cbwMeo7w@mail.gmail.com>

On Tue, Sep 04, 2012 at 08:52:44PM +0200, Geert Uytterhoeven wrote:
> Hi Phillip,
>
> On Wed, Aug 1, 2012 at 6:25 AM, Phillip Lougher
> <phillip@lougher.demon.co.uk> wrote:
> > Cyril Strejc wrote:
> >> I have a problem when mounting an empty SquashFS. The mount syscall ends with EINVAL.
> >>
> >> Kernel versions: mainline
> >> SquashFS tools version: 4.2
> >>
> >> Steps to reproduce:
> >> 1. create empty directory (mkdir empty)
> >> 2. create SquashFS image (my mksquashfs output below)
> >> 3. mount image using block or loop device (strace output below)
> >>
> >> I've added some printk calls to
> >> super.c: squashfs_fill_super()
> >>
> >> /* code starts here */
> >> ...
> >> handle_fragments:
> >>         fragments = le32_to_cpu(sblk->fragments);
> >>         printk("fragments = %u\n", fragments);
> >> ...
> >> check_directory_table:
> >>         /* Sanity check directory_table */
> >>         if (msblk->directory_table >= next_table) {
> >>                 printk("directory_table = %llu, next_table = %llu\n",
> >>                        msblk->directory_table, next_table);
> >>                 err = -EINVAL;
> >>                 printk("mount error: 16\n");
> >>                 goto failed_mount;
> >>         }
> >> ...
> >>
> >> dmesg after mount:
> >> fragments = 0
> >> directory_table = 125, next_table = 125
> >> mount error: 16
> >>
> >>
> >> I hardly understand these details. Please, do you have any idea?
> >>
> >
> > Hi Cyril,
> >
> > This is a Squashfs kernel bug introduced by some extra superblock
> > sanity checks added in kernel 3.0. These extra sanity checks were
> > necessary to harden Squashfs against corrupted Squashfs filesystems
> > generated by the latest version of fsfuzzer (a tool used to randomly
> > corrupt filesystems with the aim of making the filesystem code
> > behave badly).
> >
> > I discovered the sanity checks mistakenly flagged empty filesystems
> > as invalid in January, and added a fix to the mainline kernel, FYI
> > the commit is here:
> >
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cc37f75a9ffbbfcb1c3297534f293c8284e3c5a6
> >
> > This bug has been fixed in kernel versions 3.3 and newer, but, kernel
> > versions 3.0, 3.1 and 3.2 unfortunately have this bug.
> >
> > There are really only three solutions to this problem:
> >
> > - upgrade to a later kernel, 3.3 or newer,
> > - apply the above commit to your kernel, or
> > - avoid generating empty filesystems and trying to mount them
> >
> > The one obvious question that arises here is why are you generating
> > completely empty filesystems and then trying to mount them? An
> > empty Squashfs filesystem doesn't seem to serve any useful purpose?
>
> I can easily imagine a system that has an optional filesystem mounted,
> which may be empty. For such a system, it's a regression.
>
> So I think this warrants application to the stable 3.0, 3.1, and 3.2 branches.
> Commit cc37f75a9ffbbfcb1c3297534f293c8284e3c5a6 ("Squashfs: fix
> mount time sanity check for corrupted superblock") seems to cherry-pick just
> fine on v3.0.42, v3.1.10, and v3.2.28.

Queued up for 3.0.y, thanks.

greg k-h
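
The boundary case from the quoted report (directory_table = 125, next_table = 125), as an added example that is not part of this thread or of the kernel source: a simplified user-space model of a table-order sanity check, run with the strict comparison shown in the quoted code and with a relaxed one. The struct, function and constant names, every sample value other than 125/125, and the assumption that accepting equal offsets is what makes an empty image valid are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model: only the offsets the ordering check needs. */
struct sb_tables {
    uint64_t inode_table;      /* start of inode table */
    uint64_t directory_table;  /* start of directory table */
    uint64_t next_table;       /* start of the table that follows it */
    uint64_t bytes_used;       /* size of the image */
};

enum { SB_OK = 0, SB_BAD_ORDER = -1, SB_OUT_OF_BOUNDS = -2 };

/* Constructed samples. 125/125 are the values from the quoted dmesg;
 * every other number is made up for the example. */
const struct sb_tables EMPTY_IMG   = { 96,  125, 125, 200 };
const struct sb_tables NORMAL_IMG  = { 96,  125, 160, 200 };
const struct sb_tables CORRUPT_IMG = { 96, 4096, 125, 200 };
const struct sb_tables TRUNC_IMG   = { 96,  125, 300, 200 };

int check_tables(const struct sb_tables *t, bool allow_empty_dir)
{
    if (t->next_table > t->bytes_used)
        return SB_OUT_OF_BOUNDS;
    /* Equal offsets mean a zero-length directory table: valid for an image
     * holding only an empty root directory, so only '>' is an error. */
    if (allow_empty_dir ? t->directory_table > t->next_table
                        : t->directory_table >= t->next_table)
        return SB_BAD_ORDER;
    /* The inode table always holds at least the root inode. */
    if (t->inode_table >= t->directory_table)
        return SB_BAD_ORDER;
    return SB_OK;
}

int main(void)
{
    const struct sb_tables *s[] = { &EMPTY_IMG, &NORMAL_IMG, &CORRUPT_IMG, &TRUNC_IMG };
    const char *name[] = { "empty", "normal", "corrupt", "truncated" };
    for (int i = 0; i < 4; i++)
        printf("%-9s strict=%d relaxed=%d\n", name[i],
               check_tables(s[i], false), check_tables(s[i], true));
    return 0;
}
```

The relaxed comparison accepts the empty image while the out-of-order and truncated samples are rejected in both modes, so the hardening against corrupted superblocks is kept.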