Commit 9f1c14c1 authored Sep 26, 2025 by Phillip Lougher Committed by Andrew Morton Sep 28, 2025

Squashfs: reject negative file sizes in squashfs_read_inode()

Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs.

This warning is ultimately caused because the underlying Squashfs file
system returns a file with a negative file size.

This commit checks for a negative file size and returns EINVAL.

[phillip@squashfs.org.uk: only need to check 64 bit quantity]
  Link: https://lkml.kernel.org/r/20250926222305.110103-1-phillip@squashfs.org.uk
Link: https://lkml.kernel.org/r/20250926215935.107233-1-phillip@squashfs.org.uk


Fixes: 6545b246 ("Squashfs: inode operations")
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Reported-by:  <syzbot+f754e01116421e9754b9@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/all/68d580e5.a00a0220.303701.0019.GAE@google.com/


Cc: Amir Goldstein <amir73il@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

parent 94b3f02f

fs/squashfs/inode.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -197,6 +197,10 @@ int squashfs_read_inode(struct inode *inode, long long ino)
		goto failed_read;

		inode->i_size = le64_to_cpu(sqsh_ino->file_size);
		if (inode->i_size < 0) {
		err = -EINVAL;
		goto failed_read;
		}
		frag = le32_to_cpu(sqsh_ino->fragment);
		if (frag != SQUASHFS_INVALID_FRAG) {
		/*