6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Oct 2025 08:18:48 +0000 (10:18 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Oct 2025 08:18:48 +0000 (10:18 +0200)
added patches:
squashfs-fix-uninit-value-in-squashfs_get_parent.patch

queue-6.6/series
queue-6.6/squashfs-fix-uninit-value-in-squashfs_get_parent.patch [new file with mode: 0644]

index 94c2498bea2e5e3825a016cb6888054f9d4a4d90..443f46f86a139ca98c87765a128e62e6ccf1b8f6 100644 (file)
@@ -167,3 +167,4 @@ smb-client-fix-crypto-buffers-in-non-linear-memory.patch
 revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch
 vhost-vringh-modify-the-return-value-check.patch
 bpf-reject-negative-offsets-for-alu-ops.patch
+squashfs-fix-uninit-value-in-squashfs_get_parent.patch
diff --git a/queue-6.6/squashfs-fix-uninit-value-in-squashfs_get_parent.patch b/queue-6.6/squashfs-fix-uninit-value-in-squashfs_get_parent.patch
new file mode 100644 (file)
index 0000000..af4b772
--- /dev/null
@@ -0,0 +1,119 @@
+From 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Fri, 19 Sep 2025 00:33:08 +0100
+Subject: Squashfs: fix uninit-value in squashfs_get_parent
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+commit 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf upstream.
+
+Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug.
+
+This is caused by open_by_handle_at() being called with a file handle
+containing an invalid parent inode number.  In particular the inode number
+is that of a symbolic link, rather than a directory.
+
+Squashfs_get_parent() gets called with that symbolic link inode, and
+accesses the parent member field.
+
+       unsigned int parent_ino = squashfs_i(inode)->parent;
+
+Because non-directory inodes in Squashfs do not have a parent value, this
+is uninitialised, and this causes an uninitialised value access.
+
+The fix is to initialise parent with the invalid inode 0, which will cause
+an EINVAL error to be returned.
+
+Regular inodes used to share the parent field with the block_list_start
+field.  This is removed in this commit to enable the parent field to
+contain the invalid inode number 0.
+
+Link: https://lkml.kernel.org/r/20250918233308.293861-1-phillip@squashfs.org.uk
+Fixes: 122601408d20 ("Squashfs: export operations")
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Reported-by: syzbot+157bdef5cf596ad0da2c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68cc2431.050a0220.139b6.0001.GAE@google.com/
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/inode.c         |    7 +++++++
+ fs/squashfs/squashfs_fs_i.h |    2 +-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -165,6 +165,7 @@ int squashfs_read_inode(struct inode *in
+               squashfs_i(inode)->start = le32_to_cpu(sqsh_ino->start_block);
+               squashfs_i(inode)->block_list_start = block;
+               squashfs_i(inode)->offset = offset;
++              squashfs_i(inode)->parent = 0;
+               inode->i_data.a_ops = &squashfs_aops;
+               TRACE("File inode %x:%x, start_block %llx, block_list_start "
+@@ -212,6 +213,7 @@ int squashfs_read_inode(struct inode *in
+               squashfs_i(inode)->start = le64_to_cpu(sqsh_ino->start_block);
+               squashfs_i(inode)->block_list_start = block;
+               squashfs_i(inode)->offset = offset;
++              squashfs_i(inode)->parent = 0;
+               inode->i_data.a_ops = &squashfs_aops;
+               TRACE("File inode %x:%x, start_block %llx, block_list_start "
+@@ -292,6 +294,7 @@ int squashfs_read_inode(struct inode *in
+               inode->i_mode |= S_IFLNK;
+               squashfs_i(inode)->start = block;
+               squashfs_i(inode)->offset = offset;
++              squashfs_i(inode)->parent = 0;
+               if (type == SQUASHFS_LSYMLINK_TYPE) {
+                       __le32 xattr;
+@@ -329,6 +332,7 @@ int squashfs_read_inode(struct inode *in
+               set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               rdev = le32_to_cpu(sqsh_ino->rdev);
+               init_special_inode(inode, inode->i_mode, new_decode_dev(rdev));
++              squashfs_i(inode)->parent = 0;
+               TRACE("Device inode %x:%x, rdev %x\n",
+                               SQUASHFS_INODE_BLK(ino), offset, rdev);
+@@ -353,6 +357,7 @@ int squashfs_read_inode(struct inode *in
+               set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               rdev = le32_to_cpu(sqsh_ino->rdev);
+               init_special_inode(inode, inode->i_mode, new_decode_dev(rdev));
++              squashfs_i(inode)->parent = 0;
+               TRACE("Device inode %x:%x, rdev %x\n",
+                               SQUASHFS_INODE_BLK(ino), offset, rdev);
+@@ -373,6 +378,7 @@ int squashfs_read_inode(struct inode *in
+                       inode->i_mode |= S_IFSOCK;
+               set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               init_special_inode(inode, inode->i_mode, 0);
++              squashfs_i(inode)->parent = 0;
+               break;
+       }
+       case SQUASHFS_LFIFO_TYPE:
+@@ -392,6 +398,7 @@ int squashfs_read_inode(struct inode *in
+               inode->i_op = &squashfs_inode_ops;
+               set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               init_special_inode(inode, inode->i_mode, 0);
++              squashfs_i(inode)->parent = 0;
+               break;
+       }
+       default:
+--- a/fs/squashfs/squashfs_fs_i.h
++++ b/fs/squashfs/squashfs_fs_i.h
+@@ -16,6 +16,7 @@ struct squashfs_inode_info {
+       u64             xattr;
+       unsigned int    xattr_size;
+       int             xattr_count;
++      int             parent;
+       union {
+               struct {
+                       u64             fragment_block;
+@@ -27,7 +28,6 @@ struct squashfs_inode_info {
+                       u64             dir_idx_start;
+                       int             dir_idx_offset;
+                       int             dir_idx_cnt;
+-                      int             parent;
+               };
+       };
+       struct inode    vfs_inode;