The inode mode loaded from corrupted disk might by error contain the file
type bits. Since the file type bits are set by squashfs_read_inode() using
bitwise OR, the file type bits must not be set by squashfs_new_inode() from
squashfs_read_inode(); otherwise, invalid file type bits later confuse
may_open().
Reported-by: syzbot <syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
fs/squashfs/inode.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
index d5918eba27e3..dee8fa016930 100644
--- a/fs/squashfs/inode.c
+++ b/fs/squashfs/inode.c
@@ -68,6 +68,10 @@ static int squashfs_new_inode(struct super_block *sb, struct inode *inode,
inode->i_mode = le16_to_cpu(sqsh_ino->mode);
inode->i_size = 0;
+ /* File type must not be set at this moment, for it will later be set by the caller. */
+ if (inode->i_mode & S_IFMT)
+ err = -EIO;
+
return err;
}
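Review bot: The S_IFMT test at the end of squashfs_new_inode() runs only after the untrusted on-disk value has already been stored in inode->i_mode, so the function returns -EIO while the inode still carries the bad mode. Reading le16_to_cpu(sqsh_ino->mode) into a local, rejecting it if it has any S_IFMT bits, and only then assigning it would keep the corrupted value out of the inode, and a direct "return -EIO;" would read more clearly than setting err just before "return err;". The rejection is also silent: a one-line error message that includes the offending mode would help whoever has to diagnose the corrupted image. As a style point, the added comment is well over 80 columns and could be wrapped.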
--
2.50.1
On 13/08/2025 08:17, Tetsuo Handa wrote:
> The inode mode loaded from corrupted disk might by error contain the file
> type bits. Since the file type bits are set by squashfs_read_inode() using
> bitwise OR, the file type bits must not be set by squashfs_new_inode() from
> squashfs_read_inode(); otherwise, invalid file type bits later confuse
> may_open().
>
> Reported-by: syzbot <syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com>
> Closes: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

Reviewed-by: Phillip Lougher <phillip@squashfs.org.uk>