Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.6.132 2026-03-25T10:05:37+00:00 2026-03-25T10:05:37+00:00 Phillip Lougher phillip@squashfs.org.uk 2026-02-17T05:09:55+00:00 urn:sha1:6b847d65f5b0065e02080c61fad93d57d6686383 commit fdb24a820a5832ec4532273282cbd4f22c291a0d upstream. Syzkaller reports a "general protection fault in squashfs_copy_data" This is ultimately caused by a corrupted index look-up table, which produces a negative metadata block offset. This is subsequently passed to squashfs_copy_data (via squashfs_read_metadata) where the negative offset causes an out of bounds access. The fix is to check that the offset is within range in squashfs_read_metadata. This will trap this and other cases. Link: https://lkml.kernel.org/r/20260217050955.138351-1-phillip@squashfs.org.uk Fixes: f400e12656ab ("Squashfs: cache operations") Reported-by: syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@google.com/ Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk> Cc: Christian Brauner <brauner@kernel.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-05-24T15:27:11+00:00 Thomas Gleixner tglx@linutronix.de 2019-05-20T17:08:00+00:00 urn:sha1:68252eb5f8413a5bdaac8644be9067916e58df8c Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 or at your option any later version this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not write to the free software foundation 51 franklin street fifth floor boston ma 02110 1301 usa extracted by the scancode license scanner the SPDX license identifier GPL-2.0-or-later has been chosen to replace the boilerplate/reference in 23 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Allison Randal <allison@lohutok.net> Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190520170857.458548087@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-07-29T19:44:46+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-07-29T19:44:46+00:00 urn:sha1:01cfb7937a9af2abb1136c7e89fbf3fd92952956 Anatoly Trosinenko reports that a corrupted squashfs image can cause a kernel oops. It turns out that squashfs can end up being confused about negative fragment lengths. The regular squashfs_read_data() does check for negative lengths, but squashfs_read_metadata() did not, and the fragment size code just blindly trusted the on-disk value. Fix both the fragment parsing and the metadata reading code. Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Phillip Lougher <phillip@squashfs.org.uk> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2016-04-04T17:41:08+00:00 Kirill A. Shutemov kirill.shutemov@linux.intel.com 2016-04-01T12:29:48+00:00 urn:sha1:ea1754a084760e68886f5b725c8eaada9cc57155 Mostly direct substitution with occasional adjustment or removing outdated comments. Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Acked-by: Michal Hocko <mhocko@suse.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2016-04-04T17:41:08+00:00 Kirill A. Shutemov kirill.shutemov@linux.intel.com 2016-04-01T12:29:47+00:00 urn:sha1:09cbfeaf1a5a67bfb3201e0c83c810cecb2efa5a PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} macros were introduced *long* time ago with promise that one day it will be possible to implement page cache with bigger chunks than PAGE_SIZE. This promise never materialized. And unlikely will. We have many places where PAGE_CACHE_SIZE assumed to be equal to PAGE_SIZE. And it's constant source of confusion on whether PAGE_CACHE_* or PAGE_* constant should be used in a particular case, especially on the border between fs and mm. Global switching to PAGE_CACHE_SIZE != PAGE_SIZE would cause to much breakage to be doable. Let's stop pretending that pages in page cache are special. They are not. The changes are pretty straight-forward: - <foo> << (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>; - <foo> >> (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>; - PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} -> PAGE_{SIZE,SHIFT,MASK,ALIGN}; - page_cache_get() -> get_page(); - page_cache_release() -> put_page(); This patch contains automated changes generated with coccinelle using script below. For some reason, coccinelle doesn't patch header files. I've called spatch for them manually. The only adjustment after coccinelle is revert of changes to PAGE_CAHCE_ALIGN definition: we are going to drop it later. There are few places in the code where coccinelle didn't reach. I'll fix them manually in a separate patch. Comments and documentation also will be addressed with the separate patch. virtual patch @@ expression E; @@ - E << (PAGE_CACHE_SHIFT - PAGE_SHIFT) + E @@ expression E; @@ - E >> (PAGE_CACHE_SHIFT - PAGE_SHIFT) + E @@ @@ - PAGE_CACHE_SHIFT + PAGE_SHIFT @@ @@ - PAGE_CACHE_SIZE + PAGE_SIZE @@ @@ - PAGE_CACHE_MASK + PAGE_MASK @@ expression E; @@ - PAGE_CACHE_ALIGN(E) + PAGE_ALIGN(E) @@ expression E; @@ - page_cache_get(E) + get_page(E) @@ expression E; @@ - page_cache_release(E) + put_page(E) Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Acked-by: Michal Hocko <mhocko@suse.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2013-11-20T03:59:01+00:00 Phillip Lougher phillip@squashfs.org.uk 2013-11-18T02:59:12+00:00 urn:sha1:846b730e99518a1c9945afcb2afbe4d08a02ed80 Further generalise the decompressors by adding a page handler abstraction. This adds helpers to allow the decompressors to access and process the output buffers in an implementation independant manner. This allows different types of output buffer to be passed to the decompressors, with the implementation specific aspects handled at decompression time, but without the knowledge being held in the decompressor wrapper code. This will allow the decompressors to handle Squashfs cache buffers, and page cache pages. This patch adds the abstraction and an implementation for the caches. Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk> Reviewed-by: Minchan Kim <minchan@kernel.org> 2011-12-30T01:24:13+00:00 Ajeet Yadav ajeet.yadav.77@gmail.com 2011-12-27T09:40:04+00:00 urn:sha1:d7fbd893388d9e86d29b7cfbd5457bcf03496fbf squashfs_cache_get() iterates over all entries to search for block its looking for. Often get() / put() are called for same block. If we cache the current entry index, then we can optimise the subsequent *_get() calls. Signed-off-by: Ajeet Yadav <ajeet.yadav.77@gmail.com> Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk> 2011-12-30T01:20:14+00:00 Phillip Lougher phillip@squashfs.org.uk 2011-12-29T03:50:20+00:00 urn:sha1:e552a596687bf0e1802c744a7bb113afbd2bf4d4 squashfs_read_metadata forgets to release the cache block if an error has occurred. Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk> 2011-05-27T00:27:35+00:00 Linus Torvalds torvalds@linux-foundation.org 2011-05-27T00:27:35+00:00 urn:sha1:bc9bc72e2f9bb07384c00604d1a40d0b5f62be6c * git://git.kernel.org/pub/scm/linux/kernel/git/pkl/squashfs-linus: Squashfs: update email address Squashfs: add extra sanity checks at mount time Squashfs: add sanity checks to fragment reading at mount time Squashfs: add sanity checks to lookup table reading at mount time Squashfs: add sanity checks to id reading at mount time Squashfs: add sanity checks to xattr reading at mount time Squashfs: reverse order of filesystem table reading Squashfs: move table allocation into squashfs_read_table() 2011-05-26T09:49:11+00:00 Phillip Lougher phillip@lougher.demon.co.uk 2011-05-26T09:39:56+00:00 urn:sha1:d7f2ff6718efa155fd92e481a5960496d084c63f My existing email address may stop working in a month or two, so update email to one that will continue working. Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>