5.4-stable patches

added patches:
	squashfs-fix-uninit-value-in-squashfs_get_parent.patch

diff --git a/queue-5.4/revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch b/queue-5.4/revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch
index 500fefe7c59416c0296a69d08acc3f9b578b1687..3a797711d6af9806c3a455336de45f58a4b5a653 100644 (file)
--- a/queue-5.4/revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch
+++ b/queue-5.4/revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch
@@ -33,12 +33,10 @@ Link: https://patch.msgid.link/20250929181529.1848157-1-kuba@kernel.org
 Signed-off-by: Paolo Abeni <pabeni@redhat.com>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- .../mellanox/mlx5/core/en/port_buffer.h         | 12 ------------
- .../net/ethernet/mellanox/mlx5/core/en_main.c   | 17 +----------------
+ drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h |   12 ----------
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c        |   17 ---------------
  2 files changed, 1 insertion(+), 28 deletions(-)
 
-diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h
-index 7b852b87a609f..34f55b81a0deb 100644
 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h
 +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h
 @@ -64,23 +64,11 @@ struct mlx5e_port_buffer {
@@ -65,8 +63,6 @@ index 7b852b87a609f..34f55b81a0deb 100644
  
  int mlx5e_port_query_buffer(struct mlx5e_priv *priv,
                            struct mlx5e_port_buffer *port_buffer);
-diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
-index 41bd16cc9d0f6..b3ba996004f1d 100644
 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
 +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
 @@ -42,7 +42,6 @@
@@ -77,7 +73,7 @@ index 41bd16cc9d0f6..b3ba996004f1d 100644
  #include "en_tc.h"
  #include "en_rep.h"
  #include "en_accel/ipsec.h"
-@@ -2895,11 +2894,9 @@ int mlx5e_set_dev_port_mtu(struct mlx5e_priv *priv)
+@@ -2895,11 +2894,9 @@ int mlx5e_set_dev_port_mtu(struct mlx5e_
        struct mlx5e_params *params = &priv->channels.params;
        struct net_device *netdev = priv->netdev;
        struct mlx5_core_dev *mdev = priv->mdev;
@@ -90,7 +86,7 @@ index 41bd16cc9d0f6..b3ba996004f1d 100644
        err = mlx5e_set_mtu(mdev, params, params->sw_mtu);
        if (err)
                return err;
-@@ -2909,18 +2906,6 @@ int mlx5e_set_dev_port_mtu(struct mlx5e_priv *priv)
+@@ -2909,18 +2906,6 @@ int mlx5e_set_dev_port_mtu(struct mlx5e_
                netdev_warn(netdev, "%s: VPort MTU %d is different than netdev mtu %d\n",
                            __func__, mtu, params->sw_mtu);
  
@@ -109,6 +105,3 @@ index 41bd16cc9d0f6..b3ba996004f1d 100644
        params->sw_mtu = mtu;
        return 0;
  }
--- 
-2.51.0
-

diff --git a/queue-5.4/series b/queue-5.4/series
index b101b7ed433009433b4525283f4623ec531a8bf4..06bc8ce472e9f165bf166f26f83112fc9ca9ab0d 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -70,3 +70,4 @@ drivers-base-node-fix-double-free-in-register_one_no.patch
 nfp-fix-rss-hash-key-size-when-rss-is-not-supported.patch
 net-ena-return-0-in-ena_get_rxfh_key_size-when-rss-h.patch
 revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch
+squashfs-fix-uninit-value-in-squashfs_get_parent.patch

diff --git a/queue-5.4/squashfs-fix-uninit-value-in-squashfs_get_parent.patch b/queue-5.4/squashfs-fix-uninit-value-in-squashfs_get_parent.patch
new file mode 100644 (file)
index 0000000..af4b772
--- /dev/null
+++ b/queue-5.4/squashfs-fix-uninit-value-in-squashfs_get_parent.patch
@@ -0,0 +1,119 @@
+From 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Fri, 19 Sep 2025 00:33:08 +0100
+Subject: Squashfs: fix uninit-value in squashfs_get_parent
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+commit 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf upstream.
+
+Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug.
+
+This is caused by open_by_handle_at() being called with a file handle
+containing an invalid parent inode number.  In particular the inode number
+is that of a symbolic link, rather than a directory.
+
+Squashfs_get_parent() gets called with that symbolic link inode, and
+accesses the parent member field.
+
+       unsigned int parent_ino = squashfs_i(inode)->parent;
+
+Because non-directory inodes in Squashfs do not have a parent value, this
+is uninitialised, and this causes an uninitialised value access.
+
+The fix is to initialise parent with the invalid inode 0, which will cause
+an EINVAL error to be returned.
+
+Regular inodes used to share the parent field with the block_list_start
+field.  This is removed in this commit to enable the parent field to
+contain the invalid inode number 0.
+
+Link: https://lkml.kernel.org/r/20250918233308.293861-1-phillip@squashfs.org.uk
+Fixes: 122601408d20 ("Squashfs: export operations")
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Reported-by: syzbot+157bdef5cf596ad0da2c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68cc2431.050a0220.139b6.0001.GAE@google.com/
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/inode.c         |    7 +++++++
+ fs/squashfs/squashfs_fs_i.h |    2 +-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -165,6 +165,7 @@ int squashfs_read_inode(struct inode *in
+               squashfs_i(inode)->start = le32_to_cpu(sqsh_ino->start_block);
+               squashfs_i(inode)->block_list_start = block;
+               squashfs_i(inode)->offset = offset;
++              squashfs_i(inode)->parent = 0;
+               inode->i_data.a_ops = &squashfs_aops;
+ 
+               TRACE("File inode %x:%x, start_block %llx, block_list_start "
+@@ -212,6 +213,7 @@ int squashfs_read_inode(struct inode *in
+               squashfs_i(inode)->start = le64_to_cpu(sqsh_ino->start_block);
+               squashfs_i(inode)->block_list_start = block;
+               squashfs_i(inode)->offset = offset;
++              squashfs_i(inode)->parent = 0;
+               inode->i_data.a_ops = &squashfs_aops;
+ 
+               TRACE("File inode %x:%x, start_block %llx, block_list_start "
+@@ -292,6 +294,7 @@ int squashfs_read_inode(struct inode *in
+               inode->i_mode |= S_IFLNK;
+               squashfs_i(inode)->start = block;
+               squashfs_i(inode)->offset = offset;
++              squashfs_i(inode)->parent = 0;
+ 
+               if (type == SQUASHFS_LSYMLINK_TYPE) {
+                       __le32 xattr;
+@@ -329,6 +332,7 @@ int squashfs_read_inode(struct inode *in
+               set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               rdev = le32_to_cpu(sqsh_ino->rdev);
+               init_special_inode(inode, inode->i_mode, new_decode_dev(rdev));
++              squashfs_i(inode)->parent = 0;
+ 
+               TRACE("Device inode %x:%x, rdev %x\n",
+                               SQUASHFS_INODE_BLK(ino), offset, rdev);
+@@ -353,6 +357,7 @@ int squashfs_read_inode(struct inode *in
+               set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               rdev = le32_to_cpu(sqsh_ino->rdev);
+               init_special_inode(inode, inode->i_mode, new_decode_dev(rdev));
++              squashfs_i(inode)->parent = 0;
+ 
+               TRACE("Device inode %x:%x, rdev %x\n",
+                               SQUASHFS_INODE_BLK(ino), offset, rdev);
+@@ -373,6 +378,7 @@ int squashfs_read_inode(struct inode *in
+                       inode->i_mode |= S_IFSOCK;
+               set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               init_special_inode(inode, inode->i_mode, 0);
++              squashfs_i(inode)->parent = 0;
+               break;
+       }
+       case SQUASHFS_LFIFO_TYPE:
+@@ -392,6 +398,7 @@ int squashfs_read_inode(struct inode *in
+               inode->i_op = &squashfs_inode_ops;
+               set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               init_special_inode(inode, inode->i_mode, 0);
++              squashfs_i(inode)->parent = 0;
+               break;
+       }
+       default:
+--- a/fs/squashfs/squashfs_fs_i.h
++++ b/fs/squashfs/squashfs_fs_i.h
+@@ -16,6 +16,7 @@ struct squashfs_inode_info {
+       u64             xattr;
+       unsigned int    xattr_size;
+       int             xattr_count;
++      int             parent;
+       union {
+               struct {
+                       u64             fragment_block;
+@@ -27,7 +28,6 @@ struct squashfs_inode_info {
+                       u64             dir_idx_start;
+                       int             dir_idx_offset;
+                       int             dir_idx_cnt;
+-                      int             parent;
+               };
+       };
+       struct inode    vfs_inode;