
Bug#1121013: linux: mksquashfs segfaults ~20% of the times with kernel 6.18

Control: forwarded -1 https://lore.kernel.org/lkml/9401208f-2db1-4397-a615-a03fd7520e53@amd.com/

On Wed, Nov 19, 2025 at 09:34:11PM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Wed, Nov 19, 2025 at 07:04:57PM +0100, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > On Wed, Nov 19, 2025 at 03:03:51PM +0000, Luca Boccassi wrote:
> > > Source: linux
> > > Version: 6.18~rc6-1~exp1
> > > Severity: serious
> > > Justification: breaks other package's autopkgtest
> > > 
> > > With kernel 6.18 from experimental mksquashfs segfaults roughly 1 in 4
> > > invocations. This does not happen with the kernel in unstable/testing,
> > > so it looks like a kernel regression.
> > > 
> > > Filing at serious as it breaks systemd's autopkgtest:
> > > https://ci.debian.net/packages/s/systemd/unstable/amd64/66358275/#S67
> > > 
> > > Trivial to reproduce:
> > > 
> > > mkdir -p bar
> > > while mksquashfs bar bar.raw -noappend &>/dev/null; do true; done
> > > 
> > > Decoded backtrace is strange, it looks like a pointer is corrupted.
> > > Different invocations result in slightly different crashes, although
> > > all seem to be in the xattr code handling, so that looks like a strong
> > > hint as to where things might have regressed.
> > > 
> > > https://sources.debian.org/src/squashfs-tools/1%3A4.7.4-1/squashfs-tools/xattr.c#L631
> > > 
> > > #0  0x000055e3c9fddcd9 in read_xattrs (d=d@entry=0x55e3d1388be0,
> > > type=type@entry=1) at ./squashfs-tools/xattr.c:631
> > >         entry = 0x40e33
> > >         dir_ent = <optimized out>
> > >         inode = <optimized out>
> > >         filename = 0x7ffeb945bdbb "bar"
> > >         xattr_list = 0x0
> > >         head = 0x0
> > >         count = 0
> > >         i = <optimized out>
> > >         j = <optimized out>
> > >         l1 = <error reading variable l1 (Cannot access memory at
> > > address 0x40e4b)>
> > >         l2 = <optimized out>
> > >         l3 = <optimized out>
> > >         action_add_list = 0x0
> > >         __func__ = "read_xattrs"
> > > #1  0x000055e3c9fb571f in create_inode
> > > (dir_info=dir_info@entry=0x55e3d1388b70, dir_ent=0x55e3d1388be0,
> > >     type=type@entry=1, byte_size=byte_size@entry=3,
> > > start_block=start_block@entry=0, offset=offset@entry=0,
> > >     block_list=0x0, fragment=0x0, dir_in=0x7ffeb9459840, sparse=0) at
> > > ./squashfs-tools/mksquashfs.c:1112
> > >         buf = 0x55e3d1388c30
> > >         inode_header = {base = {inode_type = 0, mode = 0, uid = 0,
> > > guid = 0, mtime = 3599334970,
> > >             inode_number = 32632}, dev = {inode_type = 0, mode = 0,
> > > uid = 0, guid = 0, mtime = 3599334970,
> > >             inode_number = 32632, nlink = 0, rdev = 0}, ldev =
> > > {inode_type = 0, mode = 0, uid = 0, guid = 0,
> > >             mtime = 3599334970, inode_number = 32632, nlink = 0, rdev
> > > = 0, xattr = 24080}, symlink = {
> > >             inode_type = 0, mode = 0, uid = 0, guid = 0, mtime =
> > > 3599334970, inode_number = 32632, nlink = 0,
> > >             symlink_size = 0, symlink = 0x7ffeb9459748 "\020^"}, reg =
> > > {inode_type = 0, mode = 0, uid = 0, guid = 0,
> > >             mtime = 3599334970, inode_number = 32632, start_block = 0,
> > > fragment = 0, offset = 24080, file_size = 0,
> > >             block_list = 0x7ffeb9459750}, lreg = {inode_type = 0, mode
> > > = 0, uid = 0, guid = 0, mtime = 3599334970,
> > >             inode_number = 32632, start_block = 0, file_size = 24080,
> > > sparse = 0, nlink = 0, fragment = 0,
> > >             offset = 0, xattr = 0, block_list = 0x7ffeb9459768}, dir =
> > > {inode_type = 0, mode = 0, uid = 0, guid = 0,
> > >             mtime = 3599334970, inode_number = 32632, start_block = 0,
> > > nlink = 0, file_size = 24080, offset = 0,
> > >             parent_inode = 0}, ldir = {inode_type = 0, mode = 0, uid =
> > > 0, guid = 0, mtime = 3599334970,
> > >             inode_number = 32632, nlink = 0, file_size = 0,
> > > start_block = 24080, parent_inode = 0, i_count = 0,
> > >             offset = 0, xattr = 0, index = 0x7ffeb9459758}, ipc =
> > > {inode_type = 0, mode = 0, uid = 0, guid = 0,
> > >             mtime = 3599334970, inode_number = 32632, nlink = 0}, lipc
> > > = {inode_type = 0, mode = 0, uid = 0,
> > >             guid = 0, mtime = 3599334970, inode_number = 32632, nlink
> > > = 0, xattr = 0}}
> > >         base = 0x7ffeb9459730
> > >         inode = <optimized out>
> > >         filename = 0x7ffeb945bdbb "bar"
> > >         nlink = 1
> > >         xattr = <optimized out>
> > >         uid = <optimized out>
> > >         gid = <optimized out>
> > >         mode = <optimized out>
> > > #2  0x000055e3c9fb68a0 in write_dir (dir_info=<optimized out>,
> > > dir=0x7ffeb9459840)
> > >     at ./squashfs-tools/mksquashfs.c:1522
> > >         dir_size = <optimized out>
> > >         data_space = <optimized out>
> > >         directory_block = <optimized out>
> > >         directory_offset = <optimized out>
> > >         i_count = 0
> > >         index = 16384
> > >         c_byte = <optimized out>
> > >         cache = <optimized out>
> > >         __func__ = "write_dir"
> > > #3  dir_scan8 (inode=<optimized out>, dir_info=<optimized out>) at
> > > ./squashfs-tools/mksquashfs.c:4647
> > >         squashfs_type = <optimized out>
> > >         dir = <optimized out>
> > >         dir_ent = <optimized out>
> > >         file = <optimized out>
> > > #4  0x000055e3c9fbaa85 in do_directory_scans
> > > (dir_ent=dir_ent@entry=0x55e3d1388be0, progress=progress@entry=1)
> > >     at ./squashfs-tools/mksquashfs.c:3620
> > >         inode = 208
> > >         pseudo = <optimized out>
> > > #5  0x000055e3c9fbc041 in scan_single (pathname=0x7ffeb945bdbb "bar",
> > > progress=progress@entry=1)
> > >     at ./squashfs-tools/mksquashfs.c:3675
> > >         buf = {st_dev = 32, st_ino = 21, st_nlink = 2, st_mode =
> > > 16877, st_uid = 0, st_gid = 0, __pad0 = 0,
> > >           st_rdev = 0, st_size = 40, st_blksize = 4096, st_blocks = 0,
> > > st_atim = {tv_sec = 1763563405,
> > >             tv_nsec = 364000000}, st_mtim = {tv_sec = 1763562938,
> > > tv_nsec = 96000000}, st_ctim = {
> > >             tv_sec = 1763562938, tv_nsec = 96000000}, __glibc_reserved
> > > = {0, 0, 0}}
> > >         dir_ent = 0x55e3d1388be0
> > > #6  0x000055e3c9fac6b7 in dir_scan (directory=<optimized out>,
> > > progress=1) at ./squashfs-tools/mksquashfs.c:3735
> > >         single = <optimized out>
> > > #7  main (argc=<optimized out>, argv=<optimized out>) at
> > > ./squashfs-tools/mksquashfs.c:8769
> > >         buf = {st_dev = 32, st_ino = 22, st_nlink = 1, st_mode =
> > > 33188, st_uid = 0, st_gid = 0, __pad0 = 0,
> > >           st_rdev = 0, st_size = 4096, st_blksize = 4096, st_blocks =
> > > 8, st_atim = {tv_sec = 1763562951,
> > >             tv_nsec = 448000000}, st_mtim = {tv_sec = 1763563405,
> > > tv_nsec = 360000000}, st_ctim = {
> > >             tv_sec = 1763563405, tv_nsec = 360000000},
> > > __glibc_reserved = {0, 0, 0}}
> > >         source_buf = {st_dev = 32, st_ino = 21, st_nlink = 2, st_mode
> > > = 16877, st_uid = 0, st_gid = 0, __pad0 = 0,
> > >           st_rdev = 0, st_size = 40, st_blksize = 4096, st_blocks = 0,
> > > st_atim = {tv_sec = 1763563405,
> > >             tv_nsec = 360000000}, st_mtim = {tv_sec = 1763562938,
> > > tv_nsec = 96000000}, st_ctim = {
> > >             tv_sec = 1763562938, tv_nsec = 96000000}, __glibc_reserved
> > > = {0, 0, 0}}
> > >         res = 0
> > >         i = <optimized out>
> > >         j = <optimized out>
> > >         root_name = <optimized out>
> > >         inode = <optimized out>
> > >         readq = 496
> > >         fragq = 498
> > >         bwriteq = 496
> > >         fwriteq = <optimized out>
> > >         total_mem = <optimized out>
> > >         progress = 1
> > >         force_progress = <optimized out>
> > >         percentage = <optimized out>
> > >         exclude_option = 0
> > >         Xhelp = <optimized out>
> > >         fragment = 0x0
> > >         command = <optimized out>
> > >         single_threaded = <optimized out>
> > >         overcommit = 0
> > >         repro_opt = <optimized out>
> > >         repro_time_opt = <optimized out>
> > >         repro_time = 4
> > >         __func__ = "main"
> > > (gdb) p l1
> > > Cannot access memory at address 0x40e4b
> > > (gdb) p xattr_add_list
> > > $1 = (struct xattr_add *) 0x0
> > > 
> > > https://sources.debian.org/src/squashfs-tools/1%3A4.7.4-1/squashfs-tools/xattr.c#L534
> > > 
> > > #0  0x000055a5314fb9e0 in sort_list (head=head@entry=0x55a531fcfa50
> > > <xattr_add_list>, count=54720)
> > >     at ./squashfs-tools/xattr.c:534
> > >         cur = <optimized out>
> > >         l1 = <optimized out>
> > >         l2 = 0x83500e000000005d
> > >         next = <optimized out>
> > >         len1 = 0
> > >         len2 = <optimized out>
> > >         stride = 1
> > > #1  0x000055a5314fda75 in sort_list (head=0x55a531fcfa50
> > > <xattr_add_list>, count=<optimized out>)
> > >     at ./squashfs-tools/xattr.c:534
> > >         cur = <optimized out>
> > >         l1 = <optimized out>
> > >         l2 = <optimized out>
> > >         next = <optimized out>
> > >         len1 = <optimized out>
> > >         len2 = <optimized out>
> > >         stride = 1
> > > #2  0x000055a5314ca2cf in main (argc=<optimized out>,
> > > argv=0x7fff771b2b58) at ./squashfs-tools/mksquashfs.c:8381
> > >         buf = {st_dev = 60405, st_ino = 4096, st_nlink = 8192, st_mode
> > > = 5, st_uid = 0, st_gid = 61440, __pad0 = 0,
> > >           st_rdev = 69632, st_size = 67156, st_blksize = 67156,
> > > st_blocks = 4096, st_atim = {tv_sec = 61440,
> > >             tv_nsec = 1}, st_mtim = {tv_sec = 69632, tv_nsec = 77824},
> > > st_ctim = {tv_sec = 73736, tv_nsec = 73856},
> > >           __glibc_reserved = {4096, 65536, 3}}
> > >         source_buf = {st_dev = 4, st_ino = 17179869188, st_nlink =
> > > 1975252, st_mode = 1975252, st_uid = 0,
> > >           st_gid = 1975252, __pad0 = 0, st_rdev = 32, st_size = 32,
> > > st_blksize = 4, st_blocks = 17179869191,
> > >           st_atim = {tv_sec = 1977176, tv_nsec = 1981272}, st_mtim =
> > > {tv_sec = 1981272, tv_nsec = 16}, st_ctim = {
> > >             tv_sec = 136, tv_nsec = 8}, __glibc_reserved =
> > > {18865251667, 904, 904}}
> > >         res = 0
> > >         i = 4
> > >         j = <optimized out>
> > >         root_name = <optimized out>
> > >         inode = <optimized out>
> > >         readq = 496
> > >         fragq = 498
> > >         bwriteq = 496
> > >         fwriteq = <optimized out>
> > >         total_mem = <optimized out>
> > >         progress = 1
> > >         force_progress = <optimized out>
> > >         percentage = <optimized out>
> > >         exclude_option = 0
> > >         Xhelp = <optimized out>
> > >         fragment = 0x0
> > >         command = <optimized out>
> > >         single_threaded = <optimized out>
> > >         overcommit = 0
> > >         repro_opt = <optimized out>
> > >         repro_time_opt = <optimized out>
> > >         repro_time = 4
> > >         __func__ = "main"
> > 
> > This seems to regress from v6.18-rc5 to v6.18-rc6 so let's see what
> > bisecting the upstream version shows now.
> 
> A git bisect leads to adfb6609c680 ("mm/huge_memory: initialise the
> tags of the huge zero folio") as the first bad commit. Bastian, does
> that make sense to you?
> 
> I still need to verify, but wanted to share the first found result.

So this was already reported at:
https://lore.kernel.org/lkml/9401208f-2db1-4397-a615-a03fd7520e53@amd.com/

Regards,
Salvatore
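The report's reproducer loops until the first mksquashfs failure, which tells you that it crashes but not how often. Below is a small harness, added here as an example and not part of the bug report or of squashfs-tools, that runs a command N times and counts runs that died with SIGSEGV (shell exit status 139, i.e. 128+11) separately from other nonzero exits, so a "crashes ~1 in 4 runs" observation can be measured before and after a kernel bisect step. The `--mksquashfs` entry point mirrors the report's empty-directory reproducer; the directory name `bar` and the run count of 100 are arbitrary choices.

```shell
#!/bin/sh
# Added example: measure how often a flaky command dies with SIGSEGV.
# Not from the bug report; the mksquashfs invocation below only mirrors
# the reproducer given there.

# run_once CMD [ARGS...]
# Runs the command with its output discarded and prints one word:
#   segv  - died with SIGSEGV (shell reports 128+11 = 139)
#   fail  - any other nonzero exit status
#   ok    - exit status 0
# The if/else keeps a nonzero status from tripping "set -e" callers.
run_once() {
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -eq 139 ]; then
        echo segv
    elif [ "$status" -ne 0 ]; then
        echo fail
    else
        echo ok
    fi
}

# segv_count N CMD [ARGS...]
# Runs the command N times and prints "<segv> <other-failures> <N>".
segv_count() {
    n=$1; shift
    segv=0; fail=0; i=0
    while [ "$i" -lt "$n" ]; do
        case "$(run_once "$@")" in
            segv) segv=$((segv + 1)) ;;
            fail) fail=$((fail + 1)) ;;
        esac
        i=$((i + 1))
    done
    echo "$segv $fail $n"
}

# Entry point mirroring the report's reproducer: pack an empty directory
# with -noappend, 100 times, and report the SIGSEGV rate. Core dumps are
# enabled so a crashing run leaves something for gdb to decode.
if [ "${1:-}" = "--mksquashfs" ]; then
    mkdir -p bar
    ulimit -c unlimited
    segv_count 100 mksquashfs bar bar.raw -noappend
fi
```

Run it as `sh segv_rate.sh --mksquashfs` (any file name will do) on the good and bad kernels; a rate that drops to 0 of 100 on the fixed kernel is a much stronger signal than a single loop that happens not to stop. Status 139 is the POSIX shell convention for a child killed by signal 11; a crash under a different signal (e.g. SIGABRT from glibc's heap checks) shows up in the middle "other failures" column instead, which is itself useful when the corruption moves around as it does in the two backtraces above.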
