Dear Developers and Maintainers,

We would like to report a Linux kernel bug titled "BUG: unable to handle kernel paging request in squashfs_cache_delete" on Linux-6.14-rc2; we also reproduced the PoC on the latest 6.14-rc5. Here are the relevant attachments:

kernel config: https://drive.google.com/file/d/1s4fpvYKGRUbOcQsv5XZpzU1SVBvqKDZv/view?usp=sharing
report: https://drive.google.com/file/d/1nnlAc-_09lCZIL9gSh4llW5jgFIQ2jfO/view?usp=sharing
syz reproducer: https://drive.google.com/file/d/13M44vrewnPesGubj5JspZdpnmsPgrFdG/view?usp=sharing
C reproducer: https://drive.google.com/file/d/11JZv7wQ7OInDdId6625EyfFw2jSs4UJc/view?usp=sharing

I assume this vulnerability may be caused by the missing check for error pointer *cache in fs/squashfs/cache.c:squashfs_cache_delete. When the kernel fails to mount a squashfs (e.g., out of memory), the fs/squashfs/super.c:317:squashfs_cache_init will return an error pointer (e.g., -ENOMEM) and goto failed_mount. However, squashfs_cache_delete only checks if cache is NULL, resulting in a further dereference of invalid cache->entries and cache->pages and crashing the kernel.

--- fs/squashfs/cache.c +++ fs/squashfs/cache.c @@ -198,6 +198,8 @@ { int i, j; + cache = IS_ERR(cache) ? NULL : cache; + if (cache == NULL) return;

I tried the patch above, which can avoid kernel panic after SQUASHFS error. However, I am not sure if my analysis and patch are appropriate. Could you check this issue? With the verification, I would like to submit a patch.

Wish you a nice day!

Best,
Zhiyu
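
Review bot: In the added line of the fs/squashfs/cache.c hunk, overwriting the parameter with `cache = IS_ERR(cache) ? NULL : cache;` only so that the existing `if (cache == NULL)` test catches it is harder to read than one guard. `if (IS_ERR_OR_NULL(cache)) return;` covers both the NULL case and the error-pointer case described in the report without reassigning the argument. A one-line comment stating that the function can be reached from the failed_mount path with an error pointer returned by squashfs_cache_init would record why the check exists. For a formal submission the diff also needs the usual a/ and b/ path prefixes, a commit message and a Signed-off-by line.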
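
The NULL-versus-error-pointer mismatch described in the report, as an added userspace example (not code from the report or from the kernel): it re-creates ERR_PTR/IS_ERR with the same encoding as include/linux/err.h and shows that a failed init yields a non-NULL value that a NULL-only guard lets through. The model_* names and the simulate_oom switch are assumptions made for illustration.

```c
/* Userspace model of the error-pointer convention in include/linux/err.h.
 * All model_* names are constructed for this example. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ERRNO 4095
static void *ERR_PTR(long error) { return (void *)error; }
static int IS_ERR(const void *p)
{
    return (unsigned long)p >= (unsigned long)-MAX_ERRNO;
}
static int IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct model_cache { int entries; int *entry; };

/* Init that reports failure as an error pointer, never as NULL. */
static struct model_cache *model_cache_init(int entries, int simulate_oom)
{
    struct model_cache *c = simulate_oom ? NULL : calloc(1, sizeof(*c));
    if (!c)
        return ERR_PTR(-ENOMEM);
    c->entries = entries;
    c->entry = calloc(entries, sizeof(int));
    return c;
}

/* 1 if a NULL-only guard would let p reach the dereferencing cleanup body. */
static int null_only_guard_passes(const void *p) { return p != NULL; }

/* Cleanup safe for NULL, an error pointer, or a real cache.
 * Returns 1 if it released memory, 0 if it returned early. */
static int model_cache_delete(struct model_cache *c)
{
    if (IS_ERR_OR_NULL(c))
        return 0;
    free(c->entry);
    free(c);
    return 1;
}

int main(void)
{
    struct model_cache *bad = model_cache_init(8, 1);
    printf("value=%ld null_only_passes=%d IS_ERR=%d\n",
           (long)bad, null_only_guard_passes(bad), IS_ERR(bad));
    printf("delete(bad)=%d delete(ok)=%d\n", model_cache_delete(bad),
           model_cache_delete(model_cache_init(8, 0)));
    return 0;
}
```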