From: Allan ELKAIM <allan.elkaim@gmail.com>
To: u-boot@lists.denx.de
Cc: Miquel Raynal <miquel.raynal@bootlin.com>,
    Joao Marcos Costa <jmcosta944@gmail.com>,
    Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
    Tom Rini <trini@konsulko.com>,
    Allan ELKAIM <allan.elkaim@gmail.com>
Subject: [PATCH v1 0/2] fs/squashfs: fix symlink load failure on large images
Date: Thu, 14 May 2026 20:18:50 +0200
Message-ID: <20260514181854.399679-3-allan.elkaim@gmail.com>
In-Reply-To: <"CACgNL-F2=KJtZ+gThpx_BuWsn6puqFxK0uLOmnABSS9=rRQmeQ@mail.gmail.com">

sqfsload fails to load a file through a symlink when the squashfs
image contains a large number of inodes (e.g. a rootfs that includes
the tzdata timezone database).

Root cause: sqfs_read_nest() resolves the symlink by calling itself
recursively without first freeing the parent directory's inode and
directory table buffers. This causes a temporary double allocation
that can exhaust the U-Boot heap. When malloc() subsequently fails
inside sqfs_read_directory_table(), the error goes undetected and
sqfs_search_dir() is called with a NULL pos_list pointer, leading to:

    Error: invalid inode reference to directory table.
    Failed to load '/boot/Image'

Patch 1 fixes the structural problem (temporary double allocation)
and plugs the silent NULL pointer path in sqfs_read_directory_table().

Patch 2 adds the missing return-value checks on sqfs_dir_offset() that
turn any residual lookup failure into a clean error propagation.

Both patches are independent and can be reviewed separately.

The bug was first observed on U-Boot v2024.01 and is still present
on v2026.04. The patches have been tested on a Raspberry Pi CM4
running U-Boot v2026.04 (Yocto Scarthgap 5.0.17) with a 325 MB
squashfs rootfs containing 22 517 inodes. The symlink
/boot/Image -> Image-6.6.63-v8 now resolves successfully.

This series addresses the bug reported at:
https://lists.denx.de/pipermail/u-boot/2026-May/618533.html

Allan ELKAIM (2):
  fs/squashfs: fix heap exhaustion during symlink resolution
  fs/squashfs: add sqfs_dir_offset() error checks

 fs/squashfs/sqfs.c | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

--
2.53.0

base-commit: 88dc2788777babfd6322fa655df549a019aa1e69
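
The failure mode described in the cover letter above, as an added example that is not part of the original message and is not U-Boot code: a recursive lookup that holds its tables across the recursive call needs twice the memory of one that frees them first. The allocator (budget_alloc, budget_free), the function read_nested and all sizes are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed sizes: the heap fits one set of tables, not two. */
#define HEAP_LIMIT  (768u * 1024u)
#define INODE_TABLE (400u * 1024u)
#define DIR_TABLE   (200u * 1024u)

static size_t heap_used, heap_peak;

/* Hypothetical budgeted allocator standing in for a small boot-loader heap. */
static void *budget_alloc(size_t n)
{
	void *p = heap_used + n <= HEAP_LIMIT ? malloc(n) : NULL;
	if (!p)
		return NULL;
	heap_used += n;
	if (heap_used > heap_peak)
		heap_peak = heap_used;
	return p;
}

static void budget_free(void *p, size_t n)
{
	if (p)
		heap_used -= n;
	free(p);
}

/* Model of a lookup following `links` symlinks by recursion; release_first
 * selects freeing this level's tables before (1) or after (0) recursing. */
static int read_nested(int links, int release_first)
{
	void *inodes = budget_alloc(INODE_TABLE);
	void *dirs = inodes ? budget_alloc(DIR_TABLE) : NULL;
	int ret = dirs ? 0 : -ENOMEM;	/* allocation failure is reported, not ignored */
	if (!ret && links > 0 && !release_first)
		ret = read_nested(links - 1, 0);	/* parent tables still held */
	budget_free(dirs, DIR_TABLE);
	budget_free(inodes, INODE_TABLE);
	if (!ret && links > 0 && release_first)
		ret = read_nested(links - 1, 1);	/* parent tables already freed */
	return ret;
}

int main(void)
{
	return read_nested(1, 1) == 0 && read_nested(1, 0) == -ENOMEM ? 0 : 1;
}
```

In this model the NULL check on the allocation is what turns exhaustion into -ENOMEM; without it the failed pointer would be handed to the next stage, which is the undetected path the cover letter describes.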