[PATCH v2 0/2] ntfs: fix index walk NULL deref and WSL symlink leak

DaeMyung Kang posted 2 patches 1 month, 3 weeks ago
Posted by DaeMyung Kang 1 month, 3 weeks ago
v2:
  - 1/2: switch IS_ERR_OR_NULL() to IS_ERR() in the walk_down loop
    (Namjae Jeon).

v1: https://lore.kernel.org/all/20260425184243.116396-1-charsyam@gmail.com/

Two independent fixes for the new fs/ntfs/ that landed in v7.1-rc1.

  1/2 fixes a NULL dereference in ntfs_index_walk_down(). When
      kvzalloc() for ictx->ib fails, or ntfs_ib_read() fails mid
      traversal, the function previously returned a state that
      ntfs_index_next() and ntfs_readdir() could not distinguish
      from end-of-directory, and ntfs_ib_read() itself could write
      through a NULL ictx->ib. Errors are now propagated as
      ERR_PTR() through ntfs_index_next() up to ntfs_readdir().
      Reproduced with failslab fault injection on getdents64; the
      reproducer is described in the commit log.

  2/2 fixes a target-string leak in ntfs_reparse_set_wsl_symlink()
      when ntfs_set_ntfs_reparse_data() fails. Also switches the
      kvfree() on the local failure path to kfree() to match the
      kmalloc() done by ntfs_ucstonls().

The two patches are independent and may be applied in any order.

DaeMyung Kang (2):
  ntfs: fix NULL dereference in ntfs_index_walk_down()
  ntfs: fix WSL symlink target leak on reparse failure

 fs/ntfs/dir.c     | 13 ++++++++++---
 fs/ntfs/index.c   | 17 +++++++++++++----
 fs/ntfs/reparse.c |  5 +++--
 3 files changed, 26 insertions(+), 9 deletions(-)

-- 
2.43.0
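The error-propagation pattern that 1/2 describes (an allocation failure in the walk-down step that the readdir loop could not tell apart from end-of-directory, now surfaced as ERR_PTR() and checked with IS_ERR() rather than IS_ERR_OR_NULL()), modelled in user space as an added example; this is not code from the series or from fs/ntfs/. walk_down() and readdir_walk() are hypothetical stand-ins for ntfs_index_walk_down() and the ntfs_readdir() loop, the ERR_PTR()/IS_ERR()/PTR_ERR() helpers are re-implemented so the file compiles on its own, and the directory contents and fault-injection knob are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* User-space re-implementation of the kernel's ERR_PTR()/IS_ERR()/PTR_ERR(). */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static inline bool IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct entry { int ino; };
static struct entry entries[3] = { {10}, {11}, {12} }; /* constructed directory */

/* Fault-injection knob standing in for failslab: fail the index-block
 * allocation on the Nth descent (0 = never fail). */
static int fail_on_descent;

/* Hypothetical stand-in for ntfs_index_walk_down(). NULL means end-of-directory.
 * With propagate=false (pre-fix behaviour) an allocation failure also yields
 * NULL, indistinguishable from end-of-directory; with propagate=true it
 * returns ERR_PTR(-ENOMEM) instead. */
static struct entry *walk_down(int pos, bool propagate)
{
    if (pos >= 3)
        return NULL;
    if (fail_on_descent && pos + 1 == fail_on_descent)
        return propagate ? ERR_PTR(-ENOMEM) : NULL;
    return &entries[pos];
}

/* Stand-in for the ntfs_readdir() loop: returns the number of entries emitted
 * on a clean end-of-directory, or a negative errno. It tests IS_ERR(), not
 * IS_ERR_OR_NULL(), because NULL is the valid end-of-directory state. */
int readdir_walk(int fail_descent, bool propagate)
{
    int emitted = 0;
    fail_on_descent = fail_descent;
    for (int pos = 0;; pos++) {
        struct entry *e = walk_down(pos, propagate);
        if (IS_ERR(e))
            return (int)PTR_ERR(e); /* propagate up to getdents64 */
        if (!e)
            break;                  /* genuine end-of-directory */
        emitted++;
    }
    return emitted;
}
```

With the pre-fix behaviour a failed second descent silently truncates the listing to one entry and reports a clean end-of-directory; with propagation the same failure reaches the caller as -ENOMEM.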
Re: [PATCH v2 0/2] ntfs: fix index walk NULL deref and WSL symlink leak
Posted by Namjae Jeon 1 month, 3 weeks ago
On Sun, Apr 26, 2026 at 1:02 PM DaeMyung Kang <charsyam@gmail.com> wrote:
>
> v2:
>   - 1/2: switch IS_ERR_OR_NULL() to IS_ERR() in the walk_down loop
>     (Namjae Jeon).
>
> v1: https://lore.kernel.org/all/20260425184243.116396-1-charsyam@gmail.com/
>
> Two independent fixes for the new fs/ntfs/ that landed in v7.1-rc1.
>
>   1/2 fixes a NULL dereference in ntfs_index_walk_down(). When
>       kvzalloc() for ictx->ib fails, or ntfs_ib_read() fails mid
>       traversal, the function previously returned a state that
>       ntfs_index_next() and ntfs_readdir() could not distinguish
>       from end-of-directory, and ntfs_ib_read() itself could write
>       through a NULL ictx->ib. Errors are now propagated as
>       ERR_PTR() through ntfs_index_next() up to ntfs_readdir().
>       Reproduced with failslab fault injection on getdents64; the
>       reproducer is described in the commit log.
>
>   2/2 fixes a target-string leak in ntfs_reparse_set_wsl_symlink()
>       when ntfs_set_ntfs_reparse_data() fails. Also switches the
>       kvfree() on the local failure path to kfree() to match the
>       kmalloc() done by ntfs_ucstonls().
>
> The two patches are independent and may be applied in any order.
>
> DaeMyung Kang (2):
>   ntfs: fix NULL dereference in ntfs_index_walk_down()
>   ntfs: fix WSL symlink target leak on reparse failure
Applied them to #ntfs-next.
Thanks!