[PATCH v1 0/2] fs/squashfs: fix symlink load failure on large images
Allan ELKAIM
allan.elkaim at gmail.com
Thu May 14 20:18:50 CEST 2026

sqfsload fails to load a file through a symlink when the squashfs
image contains a large number of inodes (e.g. a rootfs that includes
the tzdata timezone database).

Root cause: sqfs_read_nest() resolves the symlink by calling itself
recursively without first freeing the parent directory's inode and
directory table buffers. This causes a temporary double allocation
that can exhaust the U-Boot heap. When malloc() subsequently fails
inside sqfs_read_directory_table(), the error goes undetected and
sqfs_search_dir() is called with a NULL pos_list pointer, leading to:

    Error: invalid inode reference to directory table.
    Failed to load '/boot/Image'

Patch 1 fixes the structural problem (temporary double allocation)
and plugs the silent NULL pointer path in sqfs_read_directory_table().

Patch 2 adds the missing return-value checks on sqfs_dir_offset() that
turn any residual lookup failure into a clean error propagation.

Both patches are independent and can be reviewed separately.

The bug was first observed on U-Boot v2024.01 and is still present
on v2026.04. The patches have been tested on a Raspberry Pi CM4
running U-Boot v2026.04 (Yocto Scarthgap 5.0.17) with a 325 MB
squashfs rootfs containing 22 517 inodes. The symlink
/boot/Image -> Image-6.6.63-v8 now resolves successfully.

This series addresses the bug reported at:
https://lists.denx.de/pipermail/u-boot/2026-May/618533.html

Allan ELKAIM (2):
  fs/squashfs: fix heap exhaustion during symlink resolution
  fs/squashfs: add sqfs_dir_offset() error checks

 fs/squashfs/sqfs.c | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

--
2.53.0

base-commit: 88dc2788777babfd6322fa655df549a019aa1e69
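
Added example, not part of the original posting and not U-Boot code: a small C model of the allocation pattern described in the root-cause paragraph above. The byte budget and the names pool_alloc, pool_free, resolve and run_lookup are assumptions made for illustration; the model contrasts holding the parent's table across the recursive call with releasing it first, and reports an allocation failure to the caller.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: a byte budget standing in for the U-Boot malloc pool. */
static size_t heap_budget, heap_used;

static void *pool_alloc(size_t n)
{
    void *p = (heap_used + n <= heap_budget) ? malloc(n) : NULL;
    if (p)
        heap_used += n;
    return p;                       /* NULL when the pool is exhausted */
}

static void *pool_free(void *p, size_t n)
{
    if (p)
        heap_used -= n;
    free(p);
    return NULL;                    /* lets callers clear their pointer */
}

/* Hypothetical lookup: one table per level, one recursion per symlink hop. */
static int resolve(size_t table_size, int links, int free_first)
{
    char *table = pool_alloc(table_size);
    int ret = 0;
    if (!table)
        return -1;                  /* propagate; never search a NULL table */
    if (links > 0 && free_first)    /* release parent buffers before recursing */
        table = pool_free(table, table_size);
    if (links > 0)
        ret = resolve(table_size, links - 1, free_first);
    pool_free(table, table_size);   /* no-op if already released */
    return ret;
}

int run_lookup(size_t budget, size_t table_size, int links, int free_first)
{
    heap_budget = budget;
    heap_used = 0;
    return resolve(table_size, links, free_first);
}

int main(void)
{
    printf("hold parent buffers: %d\n", run_lookup(1500, 1000, 1, 0));
    printf("free before recurse: %d\n", run_lookup(1500, 1000, 1, 1));
    return 0;
}
```

With a 1500-byte budget and 1000-byte tables, one symlink hop fails when the parent's table is held and succeeds when it is released first; the held variant needs a budget of at least 2000 bytes.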