fs/ntfs/file.c | 17 +++++++++++++---- fs/ntfs/super.c | 19 +++++++++++++------ fs/ntfs/volume.h | 2 ++ 3 files changed, 28 insertions(+), 10 deletions(-)
Protect vol->volume_label with a mutex and snaphost the label before
copy_to_user. This prevent a use-after-free when FS_IOC_SETFSLABEL
replaces the vol->volume_label and FS_IOC_GETTSLABEL reads it
concurrently.
Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
---
fs/ntfs/file.c | 17 +++++++++++++----
fs/ntfs/super.c | 19 +++++++++++++------
fs/ntfs/volume.h | 2 ++
3 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/fs/ntfs/file.c b/fs/ntfs/file.c
index e8bea22b81a7..264cf8404385 100644
--- a/fs/ntfs/file.c
+++ b/fs/ntfs/file.c
@@ -707,12 +707,21 @@ static int ntfs_ioctl_get_volume_label(struct file *filp, unsigned long arg)
{
struct ntfs_volume *vol = NTFS_SB(file_inode(filp)->i_sb);
char __user *buf = (char __user *)arg;
+ char label[FSLABEL_MAX];
+ ssize_t len;
+ mutex_lock(&vol->volume_label_lock);
if (!vol->volume_label) {
- if (copy_to_user(buf, "", 1))
- return -EFAULT;
- } else if (copy_to_user(buf, vol->volume_label,
- MIN(FSLABEL_MAX, strlen(vol->volume_label) + 1)))
+ label[0] = '\0';
+ len = 0;
+ } else {
+ len = strscpy(label, vol->volume_label, sizeof(label));
+ if (len == -E2BIG)
+ len = FSLABEL_MAX - 1;
+ }
+ mutex_unlock(&vol->volume_label_lock);
+
+ if (copy_to_user(buf, label, len + 1))
return -EFAULT;
return 0;
}
diff --git a/fs/ntfs/super.c b/fs/ntfs/super.c
index 2a5ad7d56bc2..045656fa44f8 100644
--- a/fs/ntfs/super.c
+++ b/fs/ntfs/super.c
@@ -452,17 +452,23 @@ int ntfs_write_volume_label(struct ntfs_volume *vol, char *label)
ret = ntfs_resident_attr_record_add(vol_ni, AT_VOLUME_NAME, AT_UNNAMED, 0,
(u8 *)uname, uname_len * sizeof(__le16), 0);
out:
- mutex_unlock(&vol_ni->mrec_lock);
- kvfree(uname);
-
if (ret >= 0) {
- kfree(vol->volume_label);
+ char *old_label;
+
+ mutex_lock(&vol->volume_label_lock);
+ old_label = vol->volume_label;
vol->volume_label = new_label;
+ mutex_unlock(&vol->volume_label_lock);
+
+ kfree(old_label);
mark_inode_dirty_sync(vol->vol_ino);
ret = 0;
- } else {
- kfree(new_label);
}
+ mutex_unlock(&vol_ni->mrec_lock);
+ kvfree(uname);
+
+ if (ret < 0)
+ kfree(new_label);
return ret;
}
@@ -2508,6 +2514,7 @@ static int ntfs_init_fs_context(struct fs_context *fc)
NVolSetCaseSensitive(vol);
init_rwsem(&vol->mftbmp_lock);
init_rwsem(&vol->lcnbmp_lock);
+ mutex_init(&vol->volume_label_lock);
fc->s_fs_info = vol;
fc->ops = &ntfs_context_ops;
diff --git a/fs/ntfs/volume.h b/fs/ntfs/volume.h
index e13e1423b2a9..3348394dbc0d 100644
--- a/fs/ntfs/volume.h
+++ b/fs/ntfs/volume.h
@@ -72,6 +72,7 @@
* @vol_flags: Volume flags.
* @major_ver: Ntfs major version of volume.
* @minor_ver: Ntfs minor version of volume.
+ * @volume_label_lock: protects @volume_label.
* @volume_label: volume label.
* @root_ino: The VFS inode of the root directory.
* @secure_ino: The VFS inode of $Secure (NTFS3.0+ only, otherwise NULL).
@@ -131,6 +132,7 @@ struct ntfs_volume {
struct inode *logfile_ino;
struct inode *lcnbmp_ino;
struct rw_semaphore lcnbmp_lock;
+ struct mutex volume_label_lock;
struct inode *vol_ino;
__le16 vol_flags;
u8 major_ver;
---
base-commit: 990319fe6bfbd0e3da3a777052a48f8f22636404
change-id: 20260602-t-serialize-label-e63b90a1c201
Best regards,
--
Thanks,
HyunchulOn Tue, Jun 2, 2026 at 1:53 PM Hyunchul Lee <hyc.lee@gmail.com> wrote: > > Protect vol->volume_label with a mutex and snaphost the label before > copy_to_user. This prevent a use-after-free when FS_IOC_SETFSLABEL > replaces the vol->volume_label and FS_IOC_GETTSLABEL reads it > concurrently. > > Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> Applied it to #ntfs-next. Thanks!
© 2016 - 2026 Red Hat, Inc.