[PATCH v2 0/3] fs/squashfs: fix symlink load failure on large images

Allan ELKAIM allan.elkaim at gmail.com
Thu Jun 11 11:43:44 CEST 2026


sqfsload fails to load a file through a symlink when the squashfs
image contains a large number of inodes (e.g. a rootfs that includes
the tzdata timezone database).

Root cause: sqfs_read_nest() resolves the symlink by calling itself
recursively without first freeing the parent directory's inode and
directory table buffers. This causes a temporary double allocation
that can exhaust the U-Boot heap. When malloc() subsequently fails
inside sqfs_read_directory_table(), the error goes undetected and
sqfs_search_dir() is called with a NULL pos_list pointer, leading to:

  Error: invalid inode reference to directory table.
  Failed to load '/boot/Image'

Patch 1 fixes the structural problem (temporary double allocation)
and plugs the silent NULL pointer path in sqfs_read_directory_table().
Patch 2 adds the missing return-value checks on sqfs_dir_offset() that
turn any residual lookup failure into a clean error propagation.

Patch 3 (new in v2) fixes a pre-existing leak of dirs->entry when
an inode lookup fails in sqfs_search_dir(), spotted while addressing
the v1 review comments.

All patches are independent and can be reviewed separately.

The bug was first observed on U-Boot v2024.01 and is still present
on v2026.04. The patches have been tested on a Raspberry Pi CM4
running U-Boot v2026.04 (Yocto Scarthgap 5.0.17) with a 325 MB
squashfs rootfs containing 22 517 inodes. The symlink
/boot/Image -> Image-6.6.63-v8 now resolves successfully.

This series addresses the bug reported at:
https://lists.denx.de/pipermail/u-boot/2026-May/618533.html

Note: this series supersedes the single patch sent earlier as
"[PATCH v2] fs/squashfs: fix missing error checks causing Synchronous
Abort" in the v1 thread; please disregard that email.

Changes in v2:
- Free dirs->entry and reset it to NULL in the two error paths
  reachable while a directory entry is held, so a lookup failure
  no longer leaks the entry (reported by Richard Genoud)
- New patch, fixing a pre-existing leak of the same kind as the ones
  addressed in patch 2 (suggested by Richard Genoud's review)

Allan ELKAIM (3):
  fs/squashfs: fix heap exhaustion during symlink resolution
  fs/squashfs: add sqfs_dir_offset() error checks
  fs/squashfs: fix dirs->entry leak on inode lookup failure

 fs/squashfs/sqfs.c | 44 ++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 40 insertions(+), 4 deletions(-)

-- 
2.53.0

base-commit: 88dc2788777babfd6322fa655df549a019aa1e69
branch: squashfs-v2
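As an added illustration (not code from this series or from U-Boot), the allocation pattern described in the root-cause paragraph above, modelled with a bounded fake heap: the unchecked variant keeps the parent's directory table allocated across the recursive step and ignores the allocation result, so a NULL table reaches the search step; the corrected variant reports the failure to its caller and frees the parent buffer before descending, so only one table is live at a time. Every name (toy_alloc, lookup_unchecked, lookup_fixed, TABLE_SZ) and every size, including the heap budgets, is constructed for this example.

```c
/*
 * Added illustration, not U-Boot code: a bounded fake heap models the
 * pattern described above, where a second directory table is allocated
 * while the parent's is still held and the malloc() result goes
 * unchecked. Every name (toy_alloc, lookup_unchecked, lookup_fixed,
 * TABLE_SZ) and every size here is constructed for this example.
 */
#include <stdio.h>
#include <stdlib.h>

enum { TOY_OK = 0, TOY_ENOMEM = -1, TOY_NULL_DEREF = -2 };

#define TABLE_SZ 600		/* constructed size of one "directory table" */

static size_t heap_budget;	/* constructed heap limit */
static size_t heap_used;

/* Emulates malloc() on a small heap: NULL once the budget is exceeded. */
static void *toy_alloc(size_t n)
{
	void *p = heap_used + n > heap_budget ? NULL : malloc(n);

	if (p)
		heap_used += n;
	return p;
}

static void toy_free(void *p, size_t n)
{
	if (p) { heap_used -= n; free(p); }
}

struct toy_dir { char *table; };

/* Stands in for reading a directory table into a fresh buffer. */
static int read_table(struct toy_dir *d)
{
	d->table = toy_alloc(TABLE_SZ);
	return d->table ? TOY_OK : TOY_ENOMEM;
}

static void release_table(struct toy_dir *d)
{
	toy_free(d->table, TABLE_SZ);
	d->table = NULL;
}

/* Defective pattern: parent table held across recursion, malloc() result unchecked. */
static int lookup_unchecked(int depth)
{
	struct toy_dir d;
	int rc = TOY_OK;

	read_table(&d);				/* return value ignored */
	if (depth > 0)
		rc = lookup_unchecked(depth - 1);	/* parent buffer still held */
	else if (!d.table)
		rc = TOY_NULL_DEREF;		/* stands for the crash that would follow */
	release_table(&d);
	return rc;
}

/* Corrected pattern: check the allocation and free the parent before recursing. */
static int lookup_fixed(int depth)
{
	struct toy_dir d;
	int rc = read_table(&d);

	if (rc)
		return rc;			/* clean error propagation */
	if (depth > 0) {
		release_table(&d);		/* drop parent before descending */
		return lookup_fixed(depth - 1);
	}
	release_table(&d);			/* search with a valid table, then free */
	return TOY_OK;
}

/* Runs one lookup of the given depth against a fresh heap of `budget` bytes. */
static int run_scenario(size_t budget, int depth, int fixed)
{
	heap_budget = budget;
	heap_used = 0;
	return fixed ? lookup_fixed(depth) : lookup_unchecked(depth);
}

/* Bytes still allocated after the last scenario; nonzero would be a leak. */
static size_t heap_in_use(void) { return heap_used; }

int main(void)
{
	printf("unchecked, 1000-byte heap: %d\n", run_scenario(1000, 1, 0));
	printf("fixed,     1000-byte heap: %d\n", run_scenario(1000, 1, 1));
	printf("fixed,      500-byte heap: %d\n", run_scenario(500, 1, 1));
	printf("bytes still allocated: %zu\n", heap_in_use());
	return 0;
}
```

With a 1000-byte budget and 600-byte tables, the unchecked walk returns TOY_NULL_DEREF for a one-level symlink because the second table cannot be allocated while the first is still held; the corrected walk succeeds on the same heap, and on a heap too small for even one table it returns TOY_ENOMEM instead of continuing with a NULL pointer. In every case heap_in_use() drops back to zero, which is the property the leak fix in patch 3 restores.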

