From: DaeMyung Kang
To: Namjae Jeon, Hyunchul Lee
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, DaeMyung Kang
Subject: [PATCH 1/2] ntfs: fix NULL dereference in ntfs_index_walk_down()
Date: Sun, 26 Apr 2026 03:42:42 +0900
Message-ID: <20260425184243.116396-2-charsyam@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260425184243.116396-1-charsyam@gmail.com>
References: <20260425184243.116396-1-charsyam@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

ntfs_index_walk_down() allocates ictx->ib when descending from the root into an index allocation block. If that allocation fails, the old code still passes the NULL buffer to ntfs_ib_read(), which can write through it via ntfs_inode_attr_pread().

Allocate the index block into a temporary pointer and return -ENOMEM before changing the index context on allocation failure.

Also propagate ERR_PTR() through ntfs_index_next() and ntfs_readdir() so walk-down allocation or index block read failures are not mistaken for normal index iteration inside the filesystem. ntfs_readdir() keeps the existing userspace-visible behavior of suppressing readdir errors after marking end_in_iterate; this change only prevents the walk-down failure path from dereferencing NULL internally.

The failure was reproduced with failslab fail-nth injection on getdents64; the original module hits a NULL pointer dereference in memcpy_orig through ntfs_ib_read(), while the patched module reaches the same ntfs_index_walk_down() allocation failure without crashing.

Fixes: 0a8ac0c1fa0b ("ntfs: update directory operations")
Signed-off-by: DaeMyung Kang
---
 fs/ntfs/dir.c   | 13 ++++++++++---
 fs/ntfs/index.c | 17 +++++++++++++----
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/fs/ntfs/dir.c b/fs/ntfs/dir.c index bfa904d2ce66..20f5c7074bdd 100644
--- a/fs/ntfs/dir.c +++ b/fs/ntfs/dir.c @@ -911,8 +911,8 @@ static int ntfs_readdir(struct file *file, struct dir_c= ontext *actor) =20 if (next->flags & INDEX_ENTRY_NODE) { next =3D ntfs_index_walk_down(next, ictx); - if (!next) { - err =3D -EIO; + if (IS_ERR(next)) { + err =3D PTR_ERR(next); goto out; } } @@ -920,7 +920,14 @@ static int ntfs_readdir(struct file *file, struct dir_= context *actor) if (next && !(next->flags & INDEX_ENTRY_END)) goto nextdir; =20 - while ((next =3D ntfs_index_next(next, ictx)) !=3D NULL) { + while (1) { + next =3D ntfs_index_next(next, ictx); + if (IS_ERR(next)) { + err =3D PTR_ERR(next); + goto out; + } + if (!next) + break; nextdir: /* Check the consistency of an index entry */ if (ntfs_index_entry_inconsistent(ictx, vol, next, COLLATION_FILE_NAME, diff --git a/fs/ntfs/index.c b/fs/ntfs/index.c index 2080f3969137..f50082708bd1 100644 --- a/fs/ntfs/index.c +++ b/fs/ntfs/index.c @@ -1969,15 +1969,19 @@ int ntfs_index_remove(struct ntfs_inode *dir_ni, co= nst void *key, const u32 keyl struct index_entry *ntfs_index_walk_down(struct index_entry *ie, struct nt= fs_index_context *ictx) { struct index_entry *entry; + struct index_block *ib; s64 vcn; =20 entry =3D ie; do { vcn =3D ntfs_ie_get_vcn(entry); if (ictx->is_in_root) { + ib =3D kvzalloc(ictx->block_size, GFP_NOFS); + if (!ib) + return ERR_PTR(-ENOMEM); /* down from level zero */ ictx->ir =3D NULL; - ictx->ib =3D kvzalloc(ictx->block_size, GFP_NOFS); + ictx->ib =3D ib; ictx->pindex =3D 1; ictx->is_in_root =3D false; } else { @@ -1991,8 +1995,8 @@ struct index_entry *ntfs_index_walk_down(struct index= _entry *ie, struct ntfs_ind ictx->entry =3D ntfs_ie_get_first(&ictx->ib->index); entry =3D ictx->entry; } else - entry =3D NULL; - } while (entry && (entry->flags & INDEX_ENTRY_NODE)); + entry =3D ERR_PTR(-EIO); + } while (!IS_ERR_OR_NULL(entry) && (entry->flags & INDEX_ENTRY_NODE)); =20 return entry; } 
@@ -2097,10 +2101,15 @@ struct index_entry *ntfs_index_next(struct index_en= try *ie, struct ntfs_index_co =20 /* walk down if it has a subnode */ if (flags & INDEX_ENTRY_NODE) { - if (!ictx->ia_ni) + if (!ictx->ia_ni) { ictx->ia_ni =3D ntfs_ia_open(ictx, ictx->idx_ni); + if (!ictx->ia_ni) + return ERR_PTR(-EIO); + } =20 next =3D ntfs_index_walk_down(next, ictx); + if (IS_ERR(next)) + return next; } else { =20 /* walk up it has no subnode, nor data */ --=20 2.43.0
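Review bot: in the ntfs_readdir() hunk at line 911, replacing `if (!next)` with `if (IS_ERR(next))` silently drops the rejection of a NULL return from ntfs_index_walk_down(). The loop condition `!IS_ERR_OR_NULL(entry)` introduced in the index.c hunk shows that NULL is still a possible result, and a NULL next now passes the following `if (next && !(next->flags & INDEX_ENTRY_END))` and reaches `ntfs_index_next(next, ictx)` with next == NULL, where the old code failed with -EIO. Either confirm that ntfs_index_walk_down() can only return a valid entry or an ERR_PTR(), or check `IS_ERR_OR_NULL(next)` here and keep `-EIO` for the NULL case.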
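Review bot: in the first ntfs_index_walk_down() hunk at line 1969, the comment `/* down from level zero */` now sits between the new `ib = kvzalloc(...)` and the assignments it used to introduce; move the comment above the allocation so it still heads the whole level-zero branch. The ordering of the logic is right: allocating into the local `ib` and returning ERR_PTR(-ENOMEM) before ictx->ir, ictx->ib, ictx->pindex and ictx->is_in_root are touched is what keeps the context usable by the caller on failure, as the commit message describes.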
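Review bot: in the second ntfs_index_walk_down() hunk at line 1991, the new `entry = ERR_PTR(-EIO)` is assigned after ictx->ir, ictx->ib, ictx->pindex and ictx->is_in_root have already been advanced for the failed descent, so the caller gets an error together with a half-advanced context that still owns the freshly allocated ictx->ib. That matches the old `entry = NULL` behaviour, but since the error now propagates through ntfs_readdir()'s `goto out`, please confirm that the index context teardown (not in this diff) releases ictx->ib on this path, and consider a one-line comment on the `-EIO` assignment saying the context is cleaned up by the caller.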
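Review bot: in the ntfs_index_next() hunk at line 2097, mapping an ntfs_ia_open() failure to a fixed ERR_PTR(-EIO) hides the real cause if ntfs_ia_open() can fail for reasons other than a corrupt index, for example an allocation failure; if it reports an errno, propagate that instead. More importantly, the reworked `while (1)` loop in ntfs_readdir() now treats NULL from ntfs_index_next() as a clean end of iteration, so any remaining path in this function that still returns NULL on error (none is visible in the diff) would end the listing silently rather than reaching `goto out`. It would help to state in the commit message that every error path in ntfs_index_next() now returns an ERR_PTR(), or to convert the remaining ones in the same change.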
From: DaeMyung Kang
To: Namjae Jeon, Hyunchul Lee
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, DaeMyung Kang
Subject: [PATCH 2/2] ntfs: fix WSL symlink target leak on reparse failure
Date: Sun, 26 Apr 2026 03:42:43 +0900
Message-ID: <20260425184243.116396-3-charsyam@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260425184243.116396-1-charsyam@gmail.com>
References: <20260425184243.116396-1-charsyam@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

ntfs_reparse_set_wsl_symlink() converts the symlink target into an allocated NLS string and transfers ownership to ni->target only after ntfs_set_ntfs_reparse_data() succeeds. If setting the reparse data fails, the converted target is left unreferenced and leaks.

Free the converted target on the reparse update failure path. Use kfree() for the other local failure path as well, matching the ntfs_ucstonls() allocation contract.

Fixes: fc053f05ca28 ("ntfs: add reparse and ea operations")
Signed-off-by: DaeMyung Kang
---
 fs/ntfs/reparse.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/ntfs/reparse.c b/fs/ntfs/reparse.c index 8f60ec6f66c1..74713716813f 100644 --- a/fs/ntfs/reparse.c +++ b/fs/ntfs/reparse.c @@ -505,7 +505,6 @@ int ntfs_reparse_set_wsl_symlink(struct ntfs_inode *ni, struct reparse_point *reparse; struct wsl_link_reparse_data *data; =20 - utarget =3D (char *)NULL; len =3D ntfs_ucstonls(ni->vol, target, target_len, &utarget, 0); if (len <=3D 0) return -EINVAL; @@ -514,7 +513,7 @@ int ntfs_reparse_set_wsl_symlink(struct ntfs_inode *ni, reparse =3D kvzalloc(reparse_len, GFP_NOFS); if (!reparse) { err =3D -ENOMEM; - kvfree(utarget); + kfree(utarget); } else { data =3D (struct wsl_link_reparse_data *)reparse->reparse_data; reparse->reparse_tag =3D IO_REPARSE_TAG_LX_SYMLINK;
@@ -528,6 +527,8 @@ int ntfs_reparse_set_wsl_symlink(struct ntfs_inode *ni, kvfree(reparse); if (!err) ni->target =3D utarget; + else + kfree(utarget); } return err; } --=20 2.43.0
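Review bot: in the hunk at line 505, dropping `utarget = (char *)NULL;` is only safe if ntfs_ucstonls() leaves nothing allocated behind whenever it returns `len <= 0`, because the early `return -EINVAL` that follows frees nothing. The commit message relies on the ntfs_ucstonls() allocation contract for the kfree() change; a short comment on that early return saying the converter does not allocate on failure would make the same reasoning visible at the call site.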
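Review bot: in the hunk at line 514, the kvfree() to kfree() change is a consistency clean-up rather than a fix, since kvfree() already falls back to kfree() for a non-vmalloc address; it is correct if ntfs_ucstonls() allocates with kmalloc() as the commit message states, but it is worth saying explicitly in the log that this branch was not a second leak so the two changes are not conflated.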
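Review bot: in the hunk at line 528, utarget is now released on two separate failure paths (the ENOMEM branch in the previous hunk and the new `else kfree(utarget);` here), so the ownership rule is stated twice. Moving the existing `if (!err) ni->target = utarget; else kfree(utarget);` out of the else branch to after the whole if/else would cover both the allocation-failure and reparse-update-failure cases in one place. Separately, the success path assigns ni->target unconditionally; please confirm ni->target is NULL when this function runs, or free the previous value, otherwise an existing target would leak in the same way this patch fixes.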