From eb8e6cc8731e7bf686cc4faf3df06604032bbb63 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 13 Oct 2025 09:50:03 +0200
Subject: [PATCH] 5.4-stable patches

added patches:
squashfs-fix-uninit-value-in-squashfs_get_parent.patch
---
 ...-update-and-set-xon-xoff-upon-mtu-se.patch | 15 +--
 queue-5.4/series | 1 +
 ...-uninit-value-in-squashfs_get_parent.patch | 119 ++++++++++++++++++
 3 files changed, 124 insertions(+), 11 deletions(-)
 create mode 100644 queue-5.4/squashfs-fix-uninit-value-in-squashfs_get_parent.patch

diff --git a/queue-5.4/revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch b/queue-5.4/revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch
index 500fefe7c5..3a797711d6 100644
--- a/queue-5.4/revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch
+++ b/queue-5.4/revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch
@@ -33,12 +33,10 @@ Link: https://patch.msgid.link/20250929181529.1848157-1-kuba@kernel.org
 Signed-off-by: Paolo Abeni
 Signed-off-by: Sasha Levin
 ---
- .../mellanox/mlx5/core/en/port_buffer.h | 12 ------------
- .../net/ethernet/mellanox/mlx5/core/en_main.c | 17 +----------------
+ drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h | 12 ----------
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 17 ---------------
  2 files changed, 1 insertion(+), 28 deletions(-)
 
-diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h
-index 7b852b87a609f..34f55b81a0deb 100644
 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h
 +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h
 @@ -64,23 +64,11 @@ struct mlx5e_port_buffer {
@@ -65,8 +63,6 @@ index 7b852b87a609f..34f55b81a0deb 100644 int mlx5e_port_query_buffer(struct mlx5e_priv *priv, struct mlx5e_port_buffer *port_buffer); -diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c -index 41bd16cc9d0f6..b3ba996004f1d 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c @@ -42,7 +42,6 @@ @@ -77,7 +73,7 @@ index 41bd16cc9d0f6..b3ba996004f1d 100644 #include "en_tc.h" #include "en_rep.h" #include "en_accel/ipsec.h" -@@ -2895,11 +2894,9 @@ int mlx5e_set_dev_port_mtu(struct mlx5e_priv *priv) +@@ -2895,11 +2894,9 @@ int mlx5e_set_dev_port_mtu(struct mlx5e_ struct mlx5e_params *params = &priv->channels.params; struct net_device *netdev = priv->netdev; struct mlx5_core_dev *mdev = priv->mdev; @@ -90,7 +86,7 @@ index 41bd16cc9d0f6..b3ba996004f1d 100644 err = mlx5e_set_mtu(mdev, params, params->sw_mtu); if (err) return err; -@@ -2909,18 +2906,6 @@ int mlx5e_set_dev_port_mtu(struct mlx5e_priv *priv) +@@ -2909,18 +2906,6 @@ int mlx5e_set_dev_port_mtu(struct mlx5e_ netdev_warn(netdev, "%s: VPort MTU %d is different than netdev mtu %d\n", __func__, mtu, params->sw_mtu); @@ -109,6 +105,3 @@ index 41bd16cc9d0f6..b3ba996004f1d 100644 params->sw_mtu = mtu; return 0; } --- -2.51.0 - diff --git a/queue-5.4/series b/queue-5.4/series index b101b7ed43..06bc8ce472 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -70,3 +70,4 @@ drivers-base-node-fix-double-free-in-register_one_no.patch nfp-fix-rss-hash-key-size-when-rss-is-not-supported.patch net-ena-return-0-in-ena_get_rxfh_key_size-when-rss-h.patch revert-net-mlx5e-update-and-set-xon-xoff-upon-mtu-se.patch +squashfs-fix-uninit-value-in-squashfs_get_parent.patch diff --git a/queue-5.4/squashfs-fix-uninit-value-in-squashfs_get_parent.patch b/queue-5.4/squashfs-fix-uninit-value-in-squashfs_get_parent.patch new file mode 100644 index 0000000000..af4b772b65 --- /dev/null 
+++ b/queue-5.4/squashfs-fix-uninit-value-in-squashfs_get_parent.patch 
@@ -0,0 +1,119 @@
+From 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf Mon Sep 17 00:00:00 2001
+From: Phillip Lougher
+Date: Fri, 19 Sep 2025 00:33:08 +0100
+Subject: Squashfs: fix uninit-value in squashfs_get_parent
+
+From: Phillip Lougher
+
+commit 74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf upstream.
+
+Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug.
+
+This is caused by open_by_handle_at() being called with a file handle
+containing an invalid parent inode number. In particular the inode number
+is that of a symbolic link, rather than a directory.
+
+Squashfs_get_parent() gets called with that symbolic link inode, and
+accesses the parent member field.
+
+ unsigned int parent_ino = squashfs_i(inode)->parent;
+
+Because non-directory inodes in Squashfs do not have a parent value, this
+is uninitialised, and this causes an uninitialised value access.
+
+The fix is to initialise parent with the invalid inode 0, which will cause
+an EINVAL error to be returned.
+
+Regular inodes used to share the parent field with the block_list_start
+field. This is removed in this commit to enable the parent field to
+contain the invalid inode number 0.
+
+Link: https://lkml.kernel.org/r/20250918233308.293861-1-phillip@squashfs.org.uk
+Fixes: 122601408d20 ("Squashfs: export operations")
+Signed-off-by: Phillip Lougher
+Reported-by: syzbot+157bdef5cf596ad0da2c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68cc2431.050a0220.139b6.0001.GAE@google.com/
+Cc: 
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/squashfs/inode.c | 7 +++++++
+ fs/squashfs/squashfs_fs_i.h | 2 +-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -165,6 +165,7 @@ int squashfs_read_inode(struct inode *in
+ squashfs_i(inode)->start = le32_to_cpu(sqsh_ino->start_block);
+ squashfs_i(inode)->block_list_start = block;
+ squashfs_i(inode)->offset = offset;
++ squashfs_i(inode)->parent = 0;
+ inode->i_data.a_ops = &squashfs_aops;
+ 
+ TRACE("File inode %x:%x, start_block %llx, block_list_start "
+@@ -212,6 +213,7 @@ int squashfs_read_inode(struct inode *in
+ squashfs_i(inode)->start = le64_to_cpu(sqsh_ino->start_block);
+ squashfs_i(inode)->block_list_start = block;
+ squashfs_i(inode)->offset = offset;
++ squashfs_i(inode)->parent = 0;
+ inode->i_data.a_ops = &squashfs_aops;
+ 
+ TRACE("File inode %x:%x, start_block %llx, block_list_start "
+@@ -292,6 +294,7 @@ int squashfs_read_inode(struct inode *in
+ inode->i_mode |= S_IFLNK;
+ squashfs_i(inode)->start = block;
+ squashfs_i(inode)->offset = offset;
++ squashfs_i(inode)->parent = 0;
+ 
+ if (type == SQUASHFS_LSYMLINK_TYPE) {
+ __le32 xattr;
+@@ -329,6 +332,7 @@ int squashfs_read_inode(struct inode *in
+ set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+ rdev = le32_to_cpu(sqsh_ino->rdev);
+ init_special_inode(inode, inode->i_mode, new_decode_dev(rdev));
++ squashfs_i(inode)->parent = 0;
+ 
+ TRACE("Device inode %x:%x, rdev %x\n",
+ SQUASHFS_INODE_BLK(ino), offset, rdev);
+@@ -353,6 +357,7 @@ int squashfs_read_inode(struct inode *in
+ set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+ rdev = le32_to_cpu(sqsh_ino->rdev);
+ init_special_inode(inode, inode->i_mode, new_decode_dev(rdev));
++ squashfs_i(inode)->parent = 0;
+ 
+ TRACE("Device inode %x:%x, rdev %x\n",
+ SQUASHFS_INODE_BLK(ino), offset, rdev);
+@@ -373,6 +378,7 @@ int squashfs_read_inode(struct inode *in
+ inode->i_mode |= S_IFSOCK;
+ set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+ init_special_inode(inode, inode->i_mode, 0);
++ squashfs_i(inode)->parent = 0;
+ break;
+ }
+ case SQUASHFS_LFIFO_TYPE:
+@@ -392,6 +398,7 @@ int squashfs_read_inode(struct inode *in
+ inode->i_op = &squashfs_inode_ops;
+ set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+ init_special_inode(inode, inode->i_mode, 0);
++ squashfs_i(inode)->parent = 0;
+ break;
+ }
+ default:
+--- a/fs/squashfs/squashfs_fs_i.h
++++ b/fs/squashfs/squashfs_fs_i.h
+@@ -16,6 +16,7 @@ struct squashfs_inode_info {
+ u64 xattr;
+ unsigned int xattr_size;
+ int xattr_count;
++ int parent;
+ union {
+ struct {
+ u64 fragment_block;
+@@ -27,7 +28,6 @@ struct squashfs_inode_info {
+ u64 dir_idx_start;
+ int dir_idx_offset;
+ int dir_idx_cnt;
+- int parent;
+ };
+ };
+ struct inode vfs_inode;
-- 
2.47.3
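Review bot: The `squashfs_i(inode)->parent = 0;` line is repeated in seven type branches of squashfs_read_inode (the inner hunks at @@ -165, -212, -292, -329, -353, -373 and -392), so any non-directory branch added or backported later that omits it silently reintroduces the uninitialised read this patch fixes. Since the field now lives outside the union (the @@ -16 and @@ -27 hunks in squashfs_fs_i.h), a single `squashfs_i(inode)->parent = 0;` before the type switch would cover every case, provided the directory branches still assign the field afterwards. The switch statement and the directory branches are outside the hunk, so that placement has to be checked against the full function. Either way, a short comment on the new `int parent;` field, such as `/* parent inode number; 0 (an invalid inode) for non-directory inodes so that squashfs_get_parent() fails with EINVAL */`, would record why the field must be set on every path.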