rpm segfault on xfs with 64bit inodes

gdb trace

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff79441bf in fsmCommitLinks (fsm=0x64e990) at fsm.c:1358
1358 for (i = 0; i < fsm->li->nlink; i++) {
(gdb) bt
#0 0x00007ffff79441bf in fsmCommitLinks (fsm=0x64e990) at fsm.c:1358
#1 fsmStage (fsm=0x64e990, stage=<optimized out>) at fsm.c:2058
#2 0x00007ffff794277a in fsmStage (fsm=fsm@entry=0x64e990, stage=IOSM_PKGINSTALL) at fsm.c:1667
#3 0x00007ffff7945395 in fsmSetup (_fsm=0x64e990, goal=goal@entry=IOSM_PKGINSTALL, afmt=<optimized out>, _ts=_ts@entry=0x6534f0,
    _fi=_fi@entry=0x651c20, cfd=<optimized out>, archiveSize=archiveSize@entry=0x0, failedFile=failedFile@entry=0x6c63a8)
    at fsm.c:739
#4 0x00007ffff794f806 in rpmpsmStage (psm=0x6c62a0, stage=PSM_PROCESS) at psm.c:2629
#5 0x00007ffff794f32c in rpmpsmStage (psm=psm@entry=0x6c62a0, stage=stage@entry=PSM_PKGINSTALL) at psm.c:2910
#6 0x00007ffff797d997 in rpmtsProcess (rollbackFailures=0, ignoreSet=RPMPROB_FILTER_NONE, ts=0x6534f0) at transaction.c:1848
#7 _rpmtsRun (ts=0x6534f0, okProbs=0x0, ignoreSet=RPMPROB_FILTER_NONE) at transaction.c:2263
#8 0x00007ffff796f5aa in rpmcliInstallRun (ts=ts@entry=0x6534f0, okProbs=okProbs@entry=0x654810, ignoreSet=<optimized out>)
    at rpminstall.c:360
#9 0x00007ffff7970270 in rpmcliInstall (ts=ts@entry=0x6534f0, ia=ia@entry=0x7ffff7b95900 <rpmIArgs>, argv=<optimized out>)
    at rpminstall.c:756
#10 0x00000000004031db in main (argc=<optimized out>, argv=<optimized out>) at ./rpmqv.c:996
(gdb)
(gdb) l
1353 for (fsm->li = fsm->links; fsm->li; fsm->li = fsm->li->next) {
1354 if (fsm->li->sb.st_ino == st->st_ino && fsm->li->sb.st_dev == st->st_dev)
1355 break;
1356 }
1357
1358 for (i = 0; i < fsm->li->nlink; i++) {
1359 if (fsm->li->filex[i] < 0) continue;
1360 fsm->ix = fsm->li->filex[i];
1361 rc = fsmNext(fsm, IOSM_MAP);
1362 if (!iosmFileActionSkipped(fsm->action))
(gdb)
(gdb) p *fsm
$1 = {
  path = 0x0,
  lpath = 0x0,
  opath = 0x0,
  digestlen = 16,
  dirName = 0x65ae7c "/usr/share/python2.7/site-packages/reviewboard/hostingsvcs/",
  baseName = 0x68b538 "versionone.pyo",
  fdigest = 0x0,
  digest = 0x66a100 "\030ce(a\275s\300@S\213W-\257\230\212",
  fcontext = 0x0,
  fflags = 0,
  action = FA_CREATE,
  goal = IOSM_PKGINSTALL,
  stage = IOSM_FINI,
  nstage = IOSM_FINI,
  sb = {
    st_dev = 64768,
    st_ino = 304633500,
    st_nlink = 2,
    st_mode = 33188,
    st_uid = 0,
    st_gid = 0,
    __pad0 = 0,
    st_rdev = 0,
    st_size = 1290,
    st_blksize = 0,
    st_blocks = 0,
    st_atim = {
      tv_sec = 0,
      tv_nsec = 0
    },
    st_mtim = {
      tv_sec = 1359060247,
      tv_nsec = 0
    },
    st_ctim = {
      tv_sec = 0,
      tv_nsec = 0
    },
    __unused = {0,
      0,
      0}
  },
  osb = {
    st_dev = 0,
    st_ino = 0,
    st_nlink = 0,
    st_mode = 0,
    st_uid = 0,
    st_gid = 0,
    __pad0 = 0,
    st_rdev = 0,
    st_size = 0,
---Type <return> to continue, or q <return> to quit---
    st_blksize = 0,
    st_blocks = 0,
    st_atim = {
      tv_sec = 0,
      tv_nsec = 0
    },
    st_mtim = {
      tv_sec = 0,
      tv_nsec = ...

http://carme.pld-linux.org/~glen/th/x86_64/xpra-0.7.8-0.2.x86_64.rpm

another rpm that causes rpm (tested on two different hosts) to crash.
the rpm is built similarily on carme: rpm-5.4.10-38.1.x86_64

carme rpm may be producing invalid rpm archive, but rpm binary should not crash on that!

hmm. this seems to be related with lzma compression!

http://carme.pld-linux.org/~glen/th/x86_64/xpra-0.7.8-0.4.x86_64.rpm = Segmentation fault
http://carme.pld-linux.org/~glen/th/x86_64/xpra-0.7.8-0.3.x86_64.rpm = OK

# rpm -qp --yaml xpra-0.7.8-0.3.x86_64.rpm|grep Payload
    - rpmlib(PayloadIsLzma)
  Payloadformat: cpio
  Payloadcompressor: lzma
  Payloadflags: 6

# rpm -qp --yaml xpra-0.7.8-0.4.x86_64.rpm|grep Payload
  Payloadformat: cpio
  Payloadcompressor: gzip
  Payloadflags: 5

host where install was performed:
15:24:40 root[load: 0.69]@blodnatt /tmp# rpm -q xz-libs
xz-libs-5.1.2-2.i686
xz-libs-5.1.2-2.x86_64

host where packages were produced:
glen@carme-pld packages/xpra $ q xz-libs
xz-libs-1:5.1.2-2.x86_64

also some characteristics of host where rpm's were produced. maybe it's relevant:

the filesystem is mounted with xfs 64bit inodes, so the inodes can be >2GiB signed integer

this will became more critical than just "don't build on carme"

19:17:26 glen> arekm: any chance you disable 64bit inode on carme? rpm is crashing and nobody is fixing the bug
19:57:06 +arekm> glen: disabling requires recreating files and there is no tool on linux for that
19:57:25 +arekm> glen: also 64bit inodes is default in recent kernels

18:11:20 baggins> glen: http://<email address hidden>/msg00307.html
18:11:45 baggins> glen: that may be the same problem we see in rpm5 regarding 64bit inodes on xfs

different url that launchpad does not obfuscate for not-signed in users:

http://www.mail-archive.com/bug-cpio%40gnu.org/msg00307.html

Commited missing patch based on rpm.org bugfix in http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=7a9a5505667c681044bacb21c9b84ac66c062fe7

Fix commited in rpm-5.4.10-43

pld rpm5 commit is here:
http://git.pld-linux.org/?p=packages/rpm.git;a=commitdiff;h=10526c23aac60b7b636e4c93862887dbef8e8f15

it still setfaults.

using the attached rpm
https://bugs.launchpad.net/pld-linux/+bug/1104474/+attachment/3571648/+files/reviewboard-1.7.2-0.5.noarch.rpm

13:10:13 root[load: 1.86]@blodnatt /tmp# rpm -Uhv reviewboard-1.7.2-0.5.noarch.rpm --downgrade --force
Preparing... ########################################### [100%]
   1:reviewboard ########################################### [100%]
Segmentation fault
13:10:19 root[load: 1.87]@blodnatt /tmp# rpm -q rpm
BDB2053 Freeing read locks for locker 0x2071: 31474/140254278207488
BDB2053 Freeing read locks for locker 0x2072: 31474/140254278207488
BDB2053 Freeing read locks for locker 0x2078: 31474/140254278207488
BDB2053 Freeing read locks for locker 0x207a: 31474/140254278207488
BDB2053 Freeing read locks for locker 0x207d: 31474/140254278207488
BDB4503 Aborting txn 0x800020d4: 31474/140254278207488
BDB1502 Freeing log information for process: 31474/0, (ref 1)
BDB1502 Freeing log information for process: 31474/0, (ref 1)
BDB1502 Freeing log information for process: 31474/0, (ref 1)
BDB1502 Freeing log information for process: 31474/0, (ref 1)
BDB1502 Freeing log information for process: 31474/0, (ref 1)
BDB2017 Freeing mutex for process: 31474/0
BDB2017 Freeing mutex for process: 31474/0
BDB2017 Freeing mutex for process: 31474/0
BDB2017 Freeing mutex for process: 31474/0
BDB2017 Freeing mutex for process: 31474/0
BDB2017 Freeing mutex for process: 31474/0
BDB2017 Freeing mutex for process: 31474/0
BDB2017 Freeing mutex for process: 31474/0
BDB2017 Freeing mutex for process: 31474/0
BDB2017 Freeing mutex for process: 31474/0
BDB2017 Freeing mutex for process: 31474/0
BDB2017 Freeing mutex for process: 31474/0
rpm-5.4.10-43.x86_64
13:10:30 root[load: 1.60]@blodnatt /tmp#

any chance to fix that rpm won't crash? rpm should not crash if .rpm file is corrupted, it should refuse to install it or recover at it's best guess (if possible)