Hi, On Wed, Nov 19, 2025 at 03:03:51PM +0000, Luca Boccassi wrote: > Source: linux > Version: 6.18~rc6-1~exp1 > Severity: serious > Justification: breaks other package's autopkgtest > > With kernel 6.18 from experimental mksquashfs segfaults roughly 1 in 4 > invocations. This does not happen with the kernel in unstable/testing, > so it looks like a kernel regression. > > Filing at serious as it breaks systemd's autopkgtest: > https://ci.debian.net/packages/s/systemd/unstable/amd64/66358275/#S67 > > Trivial to reproduce: > > mkdir -p bar > while mksquashfs bar bar.raw -noappend &>/dev/null; do true; done > > Decoded backtrace is strange, it looks like a pointer is corrupted. > Different invocations result in slightly different crashes, although > all seem to be in the xattr code handling, so that looks like a strong > hint as to where things might have regressed. > > https://sources.debian.org/src/squashfs-tools/1%3A4.7.4-1/squashfs-tools/xattr.c#L631 > > #0 0x000055e3c9fddcd9 in read_xattrs (d=d@entry=0x55e3d1388be0, > type=type@entry=1) at ./squashfs-tools/xattr.c:631 > entry = 0x40e33 > dir_ent = <optimized out> > inode = <optimized out> > filename = 0x7ffeb945bdbb "bar" > xattr_list = 0x0 > head = 0x0 > count = 0 > i = <optimized out> > j = <optimized out> > l1 = <error reading variable l1 (Cannot access memory at > address 0x40e4b)> > l2 = <optimized out> > l3 = <optimized out> > action_add_list = 0x0 > __func__ = "read_xattrs" > #1 0x000055e3c9fb571f in create_inode > (dir_info=dir_info@entry=0x55e3d1388b70, dir_ent=0x55e3d1388be0, > type=type@entry=1, byte_size=byte_size@entry=3, > start_block=start_block@entry=0, offset=offset@entry=0, > block_list=0x0, fragment=0x0, dir_in=0x7ffeb9459840, sparse=0) at > ./squashfs-tools/mksquashfs.c:1112 > buf = 0x55e3d1388c30 > inode_header = {base = {inode_type = 0, mode = 0, uid = 0, > guid = 0, mtime = 3599334970, > inode_number = 32632}, dev = {inode_type = 0, mode = 0, > uid = 0, guid = 0, mtime = 3599334970, > 
inode_number = 32632, nlink = 0, rdev = 0}, ldev = > {inode_type = 0, mode = 0, uid = 0, guid = 0, > mtime = 3599334970, inode_number = 32632, nlink = 0, rdev > = 0, xattr = 24080}, symlink = { > inode_type = 0, mode = 0, uid = 0, guid = 0, mtime = > 3599334970, inode_number = 32632, nlink = 0, > symlink_size = 0, symlink = 0x7ffeb9459748 "\020^"}, reg = > {inode_type = 0, mode = 0, uid = 0, guid = 0, > mtime = 3599334970, inode_number = 32632, start_block = 0, > fragment = 0, offset = 24080, file_size = 0, > block_list = 0x7ffeb9459750}, lreg = {inode_type = 0, mode > = 0, uid = 0, guid = 0, mtime = 3599334970, > inode_number = 32632, start_block = 0, file_size = 24080, > sparse = 0, nlink = 0, fragment = 0, > offset = 0, xattr = 0, block_list = 0x7ffeb9459768}, dir = > {inode_type = 0, mode = 0, uid = 0, guid = 0, > mtime = 3599334970, inode_number = 32632, start_block = 0, > nlink = 0, file_size = 24080, offset = 0, > parent_inode = 0}, ldir = {inode_type = 0, mode = 0, uid = > 0, guid = 0, mtime = 3599334970, > inode_number = 32632, nlink = 0, file_size = 0, > start_block = 24080, parent_inode = 0, i_count = 0, > offset = 0, xattr = 0, index = 0x7ffeb9459758}, ipc = > {inode_type = 0, mode = 0, uid = 0, guid = 0, > mtime = 3599334970, inode_number = 32632, nlink = 0}, lipc > = {inode_type = 0, mode = 0, uid = 0, > guid = 0, mtime = 3599334970, inode_number = 32632, nlink > = 0, xattr = 0}} > base = 0x7ffeb9459730 > inode = <optimized out> > filename = 0x7ffeb945bdbb "bar" > nlink = 1 > xattr = <optimized out> > uid = <optimized out> > gid = <optimized out> > mode = <optimized out> > #2 0x000055e3c9fb68a0 in write_dir (dir_info=<optimized out>, > dir=0x7ffeb9459840) > at ./squashfs-tools/mksquashfs.c:1522 > dir_size = <optimized out> > data_space = <optimized out> > directory_block = <optimized out> > directory_offset = <optimized out> > i_count = 0 > index = 16384 > c_byte = <optimized out> > cache = <optimized out> > __func__ = "write_dir" > #3 dir_scan8 
(inode=<optimized out>, dir_info=<optimized out>) at > ./squashfs-tools/mksquashfs.c:4647 > squashfs_type = <optimized out> > dir = <optimized out> > dir_ent = <optimized out> > file = <optimized out> > #4 0x000055e3c9fbaa85 in do_directory_scans > (dir_ent=dir_ent@entry=0x55e3d1388be0, progress=progress@entry=1) > at ./squashfs-tools/mksquashfs.c:3620 > inode = 208 > pseudo = <optimized out> > #5 0x000055e3c9fbc041 in scan_single (pathname=0x7ffeb945bdbb "bar", > progress=progress@entry=1) > at ./squashfs-tools/mksquashfs.c:3675 > buf = {st_dev = 32, st_ino = 21, st_nlink = 2, st_mode = > 16877, st_uid = 0, st_gid = 0, __pad0 = 0, > st_rdev = 0, st_size = 40, st_blksize = 4096, st_blocks = 0, > st_atim = {tv_sec = 1763563405, > tv_nsec = 364000000}, st_mtim = {tv_sec = 1763562938, > tv_nsec = 96000000}, st_ctim = { > tv_sec = 1763562938, tv_nsec = 96000000}, __glibc_reserved > = {0, 0, 0}} > dir_ent = 0x55e3d1388be0 > #6 0x000055e3c9fac6b7 in dir_scan (directory=<optimized out>, > progress=1) at ./squashfs-tools/mksquashfs.c:3735 > single = <optimized out> > #7 main (argc=<optimized out>, argv=<optimized out>) at > ./squashfs-tools/mksquashfs.c:8769 > buf = {st_dev = 32, st_ino = 22, st_nlink = 1, st_mode = > 33188, st_uid = 0, st_gid = 0, __pad0 = 0, > st_rdev = 0, st_size = 4096, st_blksize = 4096, st_blocks = > 8, st_atim = {tv_sec = 1763562951, > tv_nsec = 448000000}, st_mtim = {tv_sec = 1763563405, > tv_nsec = 360000000}, st_ctim = { > tv_sec = 1763563405, tv_nsec = 360000000}, > __glibc_reserved = {0, 0, 0}} > source_buf = {st_dev = 32, st_ino = 21, st_nlink = 2, st_mode > = 16877, st_uid = 0, st_gid = 0, __pad0 = 0, > st_rdev = 0, st_size = 40, st_blksize = 4096, st_blocks = 0, > st_atim = {tv_sec = 1763563405, > tv_nsec = 360000000}, st_mtim = {tv_sec = 1763562938, > tv_nsec = 96000000}, st_ctim = { > tv_sec = 1763562938, tv_nsec = 96000000}, __glibc_reserved > = {0, 0, 0}} > res = 0 > i = <optimized out> > j = <optimized out> > root_name = <optimized out> 
> inode = <optimized out> > readq = 496 > fragq = 498 > bwriteq = 496 > fwriteq = <optimized out> > total_mem = <optimized out> > progress = 1 > force_progress = <optimized out> > percentage = <optimized out> > exclude_option = 0 > Xhelp = <optimized out> > fragment = 0x0 > command = <optimized out> > single_threaded = <optimized out> > overcommit = 0 > repro_opt = <optimized out> > repro_time_opt = <optimized out> > repro_time = 4 > __func__ = "main" > (gdb) p l1 > Cannot access memory at address 0x40e4b > (gdb) p xattr_add_list > $1 = (struct xattr_add *) 0x0 > > https://sources.debian.org/src/squashfs-tools/1%3A4.7.4-1/squashfs-tools/xattr.c#L534 > > #0 0x000055a5314fb9e0 in sort_list (head=head@entry=0x55a531fcfa50 > <xattr_add_list>, count=54720) > at ./squashfs-tools/xattr.c:534 > cur = <optimized out> > l1 = <optimized out> > l2 = 0x83500e000000005d > next = <optimized out> > len1 = 0 > len2 = <optimized out> > stride = 1 > #1 0x000055a5314fda75 in sort_list (head=0x55a531fcfa50 > <xattr_add_list>, count=<optimized out>) > at ./squashfs-tools/xattr.c:534 > cur = <optimized out> > l1 = <optimized out> > l2 = <optimized out> > next = <optimized out> > len1 = <optimized out> > len2 = <optimized out> > stride = 1 > #2 0x000055a5314ca2cf in main (argc=<optimized out>, > argv=0x7fff771b2b58) at ./squashfs-tools/mksquashfs.c:8381 > buf = {st_dev = 60405, st_ino = 4096, st_nlink = 8192, st_mode > = 5, st_uid = 0, st_gid = 61440, __pad0 = 0, > st_rdev = 69632, st_size = 67156, st_blksize = 67156, > st_blocks = 4096, st_atim = {tv_sec = 61440, > tv_nsec = 1}, st_mtim = {tv_sec = 69632, tv_nsec = 77824}, > st_ctim = {tv_sec = 73736, tv_nsec = 73856}, > __glibc_reserved = {4096, 65536, 3}} > source_buf = {st_dev = 4, st_ino = 17179869188, st_nlink = > 1975252, st_mode = 1975252, st_uid = 0, > st_gid = 1975252, __pad0 = 0, st_rdev = 32, st_size = 32, > st_blksize = 4, st_blocks = 17179869191, > st_atim = {tv_sec = 1977176, tv_nsec = 1981272}, st_mtim = > {tv_sec = 
1981272, tv_nsec = 16}, st_ctim = { > tv_sec = 136, tv_nsec = 8}, __glibc_reserved = > {18865251667, 904, 904}} > res = 0 > i = 4 > j = <optimized out> > root_name = <optimized out> > inode = <optimized out> > readq = 496 > fragq = 498 > bwriteq = 496 > fwriteq = <optimized out> > total_mem = <optimized out> > progress = 1 > force_progress = <optimized out> > percentage = <optimized out> > exclude_option = 0 > Xhelp = <optimized out> > fragment = 0x0 > command = <optimized out> > single_threaded = <optimized out> > overcommit = 0 > repro_opt = <optimized out> > repro_time_opt = <optimized out> > repro_time = 4 > __func__ = "main"
This seems to have regressed between v6.18-rc5 and v6.18-rc6, so let's see what bisecting the upstream kernel shows now. Regards, Salvatore

