From: DaeMyung Kang
To: Namjae Jeon, Hyunchul Lee
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, DaeMyung Kang
Subject: [PATCH v5 1/4] ntfs: reject non-resident records for resident-only attributes
Date: Sun, 7 Jun 2026 14:17:20 +0900
Message-ID: <20260607051723.1499833-2-charsyam@gmail.com>
In-Reply-To: <20260607051723.1499833-1-charsyam@gmail.com>

The shared lookup-time attribute validator rejects non-resident $FILE_NAME and $VOLUME_NAME records because their formats require resident values and callers handle returned records as resident attributes. Other resident-only attribute types still pass through the generic non-resident mapping-pairs checks.

That leaves real resident/non-resident union confusion paths. Inode load looks up $STANDARD_INFORMATION and then reads data.resident.value_offset without checking a->non_resident. ntfs_inode_sync_standard_information() does the same when updating the standard information value. ntfs_write_volume_flags() also looks up $VOLUME_INFORMATION and reads data.resident.value_offset directly. $INDEX_ROOT callers in dir.c and index.c depend on the same lookup contract before consuming the resident index root value.

Reject non-resident records for all resident-only attribute types in the shared validator. Keep the existing $FILE_NAME and $VOLUME_NAME behavior, but factor it through a helper and extend it to $STANDARD_INFORMATION, $OBJECT_ID, $VOLUME_INFORMATION, $INDEX_ROOT, and $EA_INFORMATION.

For $OBJECT_ID and $EA_INFORMATION this is contract hardening for resident-only formats; this patch only rejects the non-resident form and does not add new resident value validation for those types.

Signed-off-by: DaeMyung Kang --- fs/ntfs/attrib.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c index 7e293b85ad19..0fb2b6acf8b2 100644 --- a/fs/ntfs/attrib.c +++ b/fs/ntfs/attrib.c @@ -595,6 +595,22 @@ static u32 ntfs_resident_attr_min_value_length(const _= _le32 type) } } =20 +static bool ntfs_attr_type_must_be_resident(const __le32 type) +{ + switch (type) { + case AT_STANDARD_INFORMATION: + case AT_FILE_NAME: + case AT_OBJECT_ID: + case AT_VOLUME_NAME: + case AT_VOLUME_INFORMATION: + case AT_INDEX_ROOT: + case AT_EA_INFORMATION: + return true; + default: + return false; + } +} + static bool ntfs_file_name_attr_value_is_valid(const u8 *value, const u32 = value_length) { const struct file_name_attr *fn; 
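Review bot: ntfs_attr_type_must_be_resident() in patch 1/4 has no comment saying what membership in the switch means for callers. Code after lookup reads data.resident.* for these types without testing a->non_resident, so a short comment above the helper stating that, and that any attribute type consumed that way has to be added to the list, would keep the switch from drifting away from its users.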
@@ -665,7 +681,7 @@ static bool ntfs_attr_value_is_valid(struct ntfs_volume= *vol, u32 min_len; =20 if (a->non_resident) { - if (a->type =3D=3D AT_FILE_NAME || a->type =3D=3D AT_VOLUME_NAME) + if (ntfs_attr_type_must_be_resident(a->type)) goto corrupt; if (!ntfs_non_resident_attr_value_is_valid(a)) goto corrupt; --=20 2.43.0
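Review bot: with the resident-only test placed in the `if (a->non_resident)` branch of ntfs_attr_value_is_valid() (patch 1/4, second hunk), the callers named in the commit message (inode load, ntfs_inode_sync_standard_information(), ntfs_write_volume_flags(), the $INDEX_ROOT users) are safe only if every record they receive has passed through this validator. The commit message should state that no path hands them a record that bypasses it, or those callers should keep a cheap a->non_resident test of their own.
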
From: DaeMyung Kang
To: Namjae Jeon, Hyunchul Lee
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, DaeMyung Kang
Subject: [PATCH v5 2/4] ntfs: grow index root value before reparent header update
Date: Sun, 7 Jun 2026 14:17:21 +0900
Message-ID: <20260607051723.1499833-3-charsyam@gmail.com>
In-Reply-To: <20260607051723.1499833-1-charsyam@gmail.com>

ntfs_ir_reparent() moves the resident index root entries into an index block and leaves a small root stub containing the child VCN.

That root stub can be larger than the existing resident value. For example, an empty root with value_length 48 has an index area of 32 bytes, while the large-index root stub needs index_length and allocated_size of 40 bytes.

The current code publishes the larger index.index_length and index.allocated_size before resizing the resident value. If the resize returns -ENOSPC, the recovery path can call ntfs_inode_add_attrlist(), which looks attributes up again while the root header says allocated_size 40 but the resident value still only provides 32 bytes of index area. Lookup-time $INDEX_ROOT validation then correctly rejects that transient layout as corrupt.

This reproduces as a generic/013 failure under qemu. In the failing run, the transient root had value_len=48, index_size=32, index_length=40, and allocated_size=40, and ntfsprogs-plus ntfsck reported "Corrupt index root in MFT record 1177".

When the root stub grows, resize the resident value before publishing the larger root header. If the resize fails, the old root remains valid for recovery lookups.
Keep the existing header-before-resize ordering for shrink or same-size cases so the resident value never temporarily exposes an allocated_size beyond its bounds. Signed-off-by: DaeMyung Kang --- fs/ntfs/index.c | 78 ++++++++++++++++++++++++++++++------------------- 1 file changed, 48 insertions(+), 30 deletions(-) diff --git a/fs/ntfs/index.c b/fs/ntfs/index.c index 146e011c1a41..ab9a4bc36f0b 100644 --- a/fs/ntfs/index.c +++ b/fs/ntfs/index.c @@ -1173,6 +1173,8 @@ static int ntfs_ir_reparent(struct ntfs_index_context= *icx) struct index_entry *ie; struct index_block *ib =3D NULL; s64 new_ib_vcn; + u32 index_length; + u32 old_value_length; int ix_root_size; int ret =3D 0; =20 @@ -1220,6 +1222,21 @@ static int ntfs_ir_reparent(struct ntfs_index_contex= t *icx) goto clear_bmp; } =20 + old_value_length =3D le32_to_cpu(ctx->attr->data.resident.value_length); + index_length =3D le32_to_cpu(ir->index.entries_offset) + + sizeof(struct index_entry_header) + sizeof(s64); + ix_root_size =3D offsetof(struct index_root, index) + index_length; + /* Grow the resident value before publishing the larger root header. */ + if (ix_root_size > old_value_length) { + ret =3D ntfs_resident_attr_value_resize(ctx->mrec, ctx->attr, ix_root_si= ze); + if (ret) + goto resize_failed; + + icx->idx_ni->data_size =3D ix_root_size; + icx->idx_ni->initialized_size =3D ix_root_size; + icx->idx_ni->allocated_size =3D (ix_root_size + 7) & ~7; + } + ntfs_ir_nill(ir); =20 ie =3D ntfs_ie_get_first(&ir->index); 
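Review bot: in the new grow block of ntfs_ir_reparent(), `ix_root_size > old_value_length` compares an int with a u32, so ix_root_size is converted to unsigned before the test, and index_length is built from the on-disk entries_offset. ix_root_size is only ever assigned offsetof(struct index_root, index) + index_length here, so declaring it u32 would make this comparison, and the matching `ix_root_size <= old_value_length` test in the next hunk, free of implicit conversions. The three-line idx_ni size update is also repeated verbatim in the next hunk and could move into a small helper.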
@@ -1228,48 +1245,49 @@ static int ntfs_ir_reparent(struct ntfs_index_conte= xt *icx) =20 ir->index.flags =3D LARGE_INDEX; NInoSetIndexAllocPresent(icx->idx_ni); - ir->index.index_length =3D cpu_to_le32(le32_to_cpu(ir->index.entries_offs= et) + - le16_to_cpu(ie->length)); + ir->index.index_length =3D cpu_to_le32(index_length); ir->index.allocated_size =3D ir->index.index_length; =20 - ix_root_size =3D sizeof(struct index_root) - sizeof(struct index_header) + - le32_to_cpu(ir->index.allocated_size); - ret =3D ntfs_resident_attr_value_resize(ctx->mrec, ctx->attr, ix_root_si= ze); - if (ret) { - /* - * When there is no space to build a non-resident - * index, we may have to move the root to an extent - */ - if ((ret =3D=3D -ENOSPC) && (ctx->al_entry || !ntfs_inode_add_attrlist(i= cx->idx_ni))) { + if (ix_root_size <=3D old_value_length) { + ret =3D ntfs_resident_attr_value_resize(ctx->mrec, ctx->attr, ix_root_si= ze); + if (ret) + goto resize_failed; + + icx->idx_ni->data_size =3D ix_root_size; + icx->idx_ni->initialized_size =3D ix_root_size; + icx->idx_ni->allocated_size =3D (ix_root_size + 7) & ~7; + } + ntfs_ie_set_vcn(ie, new_ib_vcn); + goto err_out; + +resize_failed: + /* + * When there is no space to build a non-resident + * index, we may have to move the root to an extent + */ + if ((ret =3D=3D -ENOSPC) && (ctx->al_entry || !ntfs_inode_add_attrlist(ic= x->idx_ni))) { + ntfs_attr_put_search_ctx(ctx); + ctx =3D NULL; + ir =3D ntfs_ir_lookup(icx->idx_ni, icx->name, icx->name_len, &ctx); + if (ir && !ntfs_attr_record_move_away(ctx, ix_root_size - + le32_to_cpu(ctx->attr->data.resident.value_length))) { + if (ntfs_attrlist_update(ctx->base_ntfs_ino ? 
+ ctx->base_ntfs_ino : ctx->ntfs_ino)) + goto clear_bmp; ntfs_attr_put_search_ctx(ctx); ctx =3D NULL; - ir =3D ntfs_ir_lookup(icx->idx_ni, icx->name, icx->name_len, &ctx); - if (ir && !ntfs_attr_record_move_away(ctx, ix_root_size - - le32_to_cpu(ctx->attr->data.resident.value_length))) { - if (ntfs_attrlist_update(ctx->base_ntfs_ino ? - ctx->base_ntfs_ino : ctx->ntfs_ino)) - goto clear_bmp; - ntfs_attr_put_search_ctx(ctx); - ctx =3D NULL; - goto retry; - } + goto retry; } - goto clear_bmp; - } else { - icx->idx_ni->data_size =3D icx->idx_ni->initialized_size =3D ix_root_siz= e; - icx->idx_ni->allocated_size =3D (ix_root_size + 7) & ~7; } - ntfs_ie_set_vcn(ie, new_ib_vcn); - +clear_bmp: + ntfs_ibm_clear(icx, new_ib_vcn); + goto err_out; err_out: kvfree(ib); if (ctx) ntfs_attr_put_search_ctx(ctx); out: return ret; -clear_bmp: - ntfs_ibm_clear(icx, new_ib_vcn); - goto err_out; } =20 /* --=20 2.43.0
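Review bot: the `goto err_out;` placed directly above the `err_out:` label at the end of the last ntfs_ir_reparent() hunk (patch 2/4) is a no-op and can be dropped. In the same hunk, resize_failed now reaches clear_bmp by falling through when ret is not -ENOSPC or the move-away fails, where the old code had an explicit `goto clear_bmp`, and the success path leaves through `goto err_out`. A comment marking the intentional fall-through, or a neutral name for the shared cleanup label, would make the control flow easier to audit.
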
From: DaeMyung Kang
To: Namjae Jeon, Hyunchul Lee
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, DaeMyung Kang
Subject: [PATCH v5 3/4] ntfs: update index root allocated size before shrink
Date: Sun, 7 Jun 2026 14:17:22 +0900
Message-ID: <20260607051723.1499833-4-charsyam@gmail.com>
In-Reply-To: <20260607051723.1499833-1-charsyam@gmail.com>

ntfs_ir_truncate() currently shrinks the resident $INDEX_ROOT value first and only updates index.allocated_size after re-looking up the attribute. During that relookup, the resident value_length can already be smaller while index.allocated_size still contains the old larger size.

That leaves a transiently inconsistent $INDEX_ROOT layout and prevents lookup-time $INDEX_ROOT validation from being enabled: validation can correctly reject allocated_size extending past the newly shrunk resident value.

When shrinking, lower index.allocated_size before shrinking value_length. If the truncate fails, restore the old allocated_size. Keep the existing grow ordering because the old allocated_size remains within the enlarged resident value until it is updated after the relookup.

The shrink path is safe because the new value_length still covers struct index_root, so the index.allocated_size field remains present while it is updated first.

Signed-off-by: DaeMyung Kang
--- fs/ntfs/index.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/fs/ntfs/index.c b/fs/ntfs/index.c index ab9a4bc36f0b..a411ca7fe629 100644 --- a/fs/ntfs/index.c +++ b/fs/ntfs/index.c
@@ -1298,9 +1298,16 @@ static int ntfs_ir_reparent(struct ntfs_index_contex= t *icx) static int ntfs_ir_truncate(struct ntfs_index_context *icx, int data_size) { int ret; + u32 old_allocated_size; + bool shrink; =20 ntfs_debug("Entering\n"); =20 + old_allocated_size =3D le32_to_cpu(icx->ir->index.allocated_size); + shrink =3D data_size < old_allocated_size; + if (shrink) + icx->ir->index.allocated_size =3D cpu_to_le32(data_size); + /* * INDEX_ROOT must be resident and its entries can be moved to * struct index_block, so ENOSPC isn't a real error. 
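Review bot: the early `icx->ir->index.allocated_size = cpu_to_le32(data_size);` in the shrink case assumes index_length is already no larger than data_size and that data_size is 8-byte aligned, but nothing in this hunk checks or documents either. Patch 4/4 rejects a root with index_length > allocated_size or an unaligned allocated_size, so a caller that passes a smaller or unaligned data_size would fail the relookup as corrupt. Please state the precondition in a comment or check it before lowering the field. Note also that `data_size < old_allocated_size` compares the int parameter with a u32.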
@@ -1312,9 +1319,14 @@ static int ntfs_ir_truncate(struct ntfs_index_contex= t *icx, int data_size) if (!icx->ir) return -ENOENT; =20 - icx->ir->index.allocated_size =3D cpu_to_le32(data_size); - } else if (ret !=3D -ENOSPC) - ntfs_error(icx->idx_ni->vol->sb, "Failed to truncate INDEX_ROOT"); + if (!shrink) + icx->ir->index.allocated_size =3D cpu_to_le32(data_size); + } else { + if (shrink) + icx->ir->index.allocated_size =3D cpu_to_le32(old_allocated_size); + if (ret !=3D -ENOSPC) + ntfs_error(icx->idx_ni->vol->sb, "Failed to truncate INDEX_ROOT"); + } =20 return ret; } --=20 2.43.0
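Review bot: the else branch of the second ntfs_ir_truncate() hunk (patch 3/4) restores allocated_size through the icx->ir pointer taken before the truncate call, while the success branch just above checks the re-read icx->ir for NULL before writing. Please confirm icx->ir still points at the live root on every failure return of the truncate, or redo the lookup before restoring the old value.
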
From: DaeMyung Kang
To: Namjae Jeon, Hyunchul Lee
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, DaeMyung Kang
Subject: [PATCH v5 4/4] ntfs: validate index root allocated_size on lookup
Date: Sun, 7 Jun 2026 14:17:23 +0900
Message-ID: <20260607051723.1499833-5-charsyam@gmail.com>
In-Reply-To: <20260607051723.1499833-1-charsyam@gmail.com>

The resident $INDEX_ROOT validator already checks the index root header fields, but it still does not bound index_length through allocated_size or ensure allocated_size stays within the resident index area.

Callers consume index.allocated_size as the resident root capacity. ntfs_ie_add() uses it to decide whether an insertion can be done in place, and ntfs_ie_insert() then updates the root without re-checking the resident value boundary.

Read allocated_size in the resident $INDEX_ROOT validator, require it to be 8-byte aligned, require index_length <= allocated_size, and require allocated_size <= the resident index area. Valid slack remains allowed.

Signed-off-by: DaeMyung Kang
--- fs/ntfs/attrib.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c index cf49eade6b22..49c8f1f3b9dd 100644 --- a/fs/ntfs/attrib.c +++ b/fs/ntfs/attrib.c
@@ -657,15 +657,19 @@ static bool ntfs_index_root_attr_value_is_valid(const= u8 *value, const u32 value u32 index_size; u32 entries_offset; u32 index_length; + u32 allocated_size; =20 ir =3D (const struct index_root *)value; index_size =3D value_length - offsetof(struct index_root, index); entries_offset =3D le32_to_cpu(ir->index.entries_offset); index_length =3D le32_to_cpu(ir->index.index_length); + allocated_size =3D le32_to_cpu(ir->index.allocated_size); =20 - if ((entries_offset | index_length) & 7 || + if ((entries_offset | index_length | allocated_size) & 7 || entries_offset < sizeof(struct index_header) || entries_offset > index_length || + index_length > allocated_size || + allocated_size > index_size || index_length - entries_offset < sizeof(struct index_entry_header)) return false; =20 --=20 2.43.0
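
Review bot: adding allocated_size to the `& 7` test in the first condition turns any root with an unaligned allocated_size into a lookup failure, and the commit message does not say whether this was checked against volumes written by other NTFS implementations. Please state what was tested, or keep the alignment rule separate from the two bounds checks (`index_length > allocated_size`, `allocated_size > index_size`) that the callers named in the commit message rely on. A one-line comment giving the chain entries_offset <= index_length <= allocated_size <= index_size would also document what the condition enforces.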
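
The ordering argument of patches 2/4 and 3/4, checked against the rules of patch 4/4, as an added user-space model (not code from the series or from the kernel). `struct root`, the helper names and the three 16-byte sizes are assumptions chosen to reproduce the 48/32/40 figures in the commit message, and the shrink case assumes the resident value is resized to the root header offset plus data_size.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed on-disk sizes; they reproduce the 48/32/40 figures quoted in patch 2/4. */
#define IR_INDEX_OFF 16u /* offsetof(struct index_root, index) */
#define IH_SIZE      16u /* sizeof(struct index_header) */
#define IEH_SIZE     16u /* sizeof(struct index_entry_header) */

/* Hypothetical host-endian view of a resident $INDEX_ROOT value. */
struct root {
	uint32_t value_length;   /* resident value length */
	uint32_t entries_offset; /* index.entries_offset */
	uint32_t index_length;   /* index.index_length */
	uint32_t allocated_size; /* index.allocated_size */
};

/* Constructed samples: an empty root, and a root with valid slack. */
static const struct root empty_root = { 48, 16, 32, 32 };
static const struct root slack_root = { 80, 16, 40, 64 };

/* Model of the lookup-time checks once patch 4/4 is applied. */
static bool root_is_valid(const struct root *r)
{
	uint32_t index_size;

	if (r->value_length < IR_INDEX_OFF + IH_SIZE)
		return false;
	index_size = r->value_length - IR_INDEX_OFF;
	if ((r->entries_offset | r->index_length | r->allocated_size) & 7)
		return false;
	if (r->entries_offset < IH_SIZE || r->entries_offset > r->index_length)
		return false;
	if (r->index_length > r->allocated_size || r->allocated_size > index_size)
		return false;
	return r->index_length - r->entries_offset >= IEH_SIZE;
}

/*
 * Reparent with a root stub that grows and a resize that fails (-ENOSPC).
 * Returns whether the recovery lookup sees a valid root.
 */
static bool reparent_failed_grow_is_valid(struct root r, bool resize_first)
{
	uint32_t index_length = r.entries_offset + IEH_SIZE + 8; /* + child VCN */

	if (!resize_first) {
		/* Old order: the larger header is published before the resize. */
		r.index_length = index_length;
		r.allocated_size = index_length;
	}
	/* The resize fails here, so value_length keeps its old value. */
	return root_is_valid(&r);
}

/*
 * Shrink to data_size bytes of index area. Returns whether the relookup that
 * follows the value resize sees a valid root.
 */
static bool truncate_shrink_is_valid(struct root r, uint32_t data_size,
				     bool header_first)
{
	if (header_first)
		r.allocated_size = data_size;      /* patch 3/4 order */
	r.value_length = IR_INDEX_OFF + data_size; /* assumed relation */
	return root_is_valid(&r);
}

int main(void)
{
	printf("grow, header first:   %d\n", reparent_failed_grow_is_valid(empty_root, false));
	printf("grow, resize first:   %d\n", reparent_failed_grow_is_valid(empty_root, true));
	printf("shrink, value first:  %d\n", truncate_shrink_is_valid(slack_root, 40, false));
	printf("shrink, header first: %d\n", truncate_shrink_is_valid(slack_root, 40, true));
	return 0;
}
```

The header-first grow case is the transient state from the generic/013 report: value_length 48, index area 32, index_length and allocated_size 40.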