From: DaeMyung Kang
To: Namjae Jeon, Hyunchul Lee
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, DaeMyung Kang
Subject: [PATCH v2 1/2] ntfs: fix NULL dereference in ntfs_index_walk_down()
Date: Sun, 26 Apr 2026 13:02:31 +0900
Message-ID: <411dcca8f8b760bf9744a2b590becaf3fb871d84.1777175371.git.charsyam@gmail.com>

ntfs_index_walk_down() allocates ictx->ib when descending from the root
into an index allocation block. If that allocation fails, the old code
still passes the NULL buffer to ntfs_ib_read(), which can write through
it via ntfs_inode_attr_pread().

Allocate the index block into a temporary pointer and return -ENOMEM
before changing the index context on allocation failure. Also propagate
ERR_PTR() through ntfs_index_next() and ntfs_readdir() so walk-down
allocation or index block read failures are not mistaken for normal
index iteration inside the filesystem.

ntfs_readdir() keeps the existing userspace-visible behavior of
suppressing readdir errors after marking end_in_iterate; this change
only prevents the walk-down failure path from dereferencing NULL
internally.

The failure was reproduced with failslab fail-nth injection on
getdents64; the original module hits a NULL pointer dereference in
memcpy_orig through ntfs_ib_read(), while the patched module reaches the
same ntfs_index_walk_down() allocation failure without crashing.

Fixes: 0a8ac0c1fa0b ("ntfs: update directory operations")
Signed-off-by: DaeMyung Kang
Reviewed-by: Hyunchul Lee
---
 fs/ntfs/dir.c   | 13 ++++++++++---
 fs/ntfs/index.c | 17 +++++++++++++----
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/fs/ntfs/dir.c b/fs/ntfs/dir.c index bfa904d2ce66..20f5c7074bdd 100644 --- a/fs/ntfs/dir.c
+++ b/fs/ntfs/dir.c @@ -911,8 +911,8 @@ static int ntfs_readdir(struct file *file, struct dir_c= ontext *actor) =20 if (next->flags & INDEX_ENTRY_NODE) { next =3D ntfs_index_walk_down(next, ictx); - if (!next) { - err =3D -EIO; + if (IS_ERR(next)) { + err =3D PTR_ERR(next); goto out; } } @@ -920,7 +920,14 @@ static int ntfs_readdir(struct file *file, struct dir_= context *actor) if (next && !(next->flags & INDEX_ENTRY_END)) goto nextdir; =20 - while ((next =3D ntfs_index_next(next, ictx)) !=3D NULL) { + while (1) { + next =3D ntfs_index_next(next, ictx); + if (IS_ERR(next)) { + err =3D PTR_ERR(next); + goto out; + } + if (!next) + break; nextdir: /* Check the consistency of an index entry */ if (ntfs_index_entry_inconsistent(ictx, vol, next, COLLATION_FILE_NAME, diff --git a/fs/ntfs/index.c b/fs/ntfs/index.c index 2080f3969137..a547bdcfa456 100644 --- a/fs/ntfs/index.c +++ b/fs/ntfs/index.c @@ -1969,15 +1969,19 @@ int ntfs_index_remove(struct ntfs_inode *dir_ni, co= nst void *key, const u32 keyl struct index_entry *ntfs_index_walk_down(struct index_entry *ie, struct nt= fs_index_context *ictx) { struct index_entry *entry; + struct index_block *ib; s64 vcn; =20 entry =3D ie; do { vcn =3D ntfs_ie_get_vcn(entry); if (ictx->is_in_root) { + ib =3D kvzalloc(ictx->block_size, GFP_NOFS); + if (!ib) + return ERR_PTR(-ENOMEM); /* down from level zero */ ictx->ir =3D NULL; - ictx->ib =3D kvzalloc(ictx->block_size, GFP_NOFS); + ictx->ib =3D ib; ictx->pindex =3D 1; ictx->is_in_root =3D false; } else { @@ -1991,8 +1995,8 @@ struct index_entry *ntfs_index_walk_down(struct index= _entry *ie, struct ntfs_ind ictx->entry =3D ntfs_ie_get_first(&ictx->ib->index); entry =3D ictx->entry; } else - entry =3D NULL; - } while (entry && (entry->flags & INDEX_ENTRY_NODE)); + entry =3D ERR_PTR(-EIO); + } while (!IS_ERR(entry) && (entry->flags & INDEX_ENTRY_NODE)); =20 return entry; } 
@@ -2097,10 +2101,15 @@ struct index_entry *ntfs_index_next(struct index_en= try *ie, struct ntfs_index_co =20 /* walk down if it has a subnode */ if (flags & INDEX_ENTRY_NODE) { - if (!ictx->ia_ni) + if (!ictx->ia_ni) { ictx->ia_ni =3D ntfs_ia_open(ictx, ictx->idx_ni); + if (!ictx->ia_ni) + return ERR_PTR(-EIO); + } =20 next =3D ntfs_index_walk_down(next, ictx); + if (IS_ERR(next)) + return next; } else { =20 /* walk up it has no subnode, nor data */ --=20 2.43.0
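Review bot: ntfs_index_walk_down() in fs/ntfs/index.c (hunk at -1969) now reports failure as ERR_PTR() instead of NULL, but no comment records the new return contract. Suggest a short comment above the function stating that it returns a valid entry, ERR_PTR(-ENOMEM) or ERR_PTR(-EIO), and checking that any caller other than the two converted in this patch, ntfs_readdir() and ntfs_index_next(), no longer tests the result with `!next`.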
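Review bot: in the fs/ntfs/index.c hunk at -1991 the loop condition loses its NULL test: `entry && (entry->flags & INDEX_ENTRY_NODE)` becomes `!IS_ERR(entry) && (entry->flags & INDEX_ENTRY_NODE)`, so a NULL entry would now be dereferenced. On the success path entry comes from ntfs_ie_get_first(&ictx->ib->index); if that helper can ever return NULL, use IS_ERR_OR_NULL() here, otherwise say in the changelog that it cannot.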
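Review bot: the ntfs_index_next() hunk at -2097 carries a second fix that the changelog does not mention, the `if (!ictx->ia_ni) return ERR_PTR(-EIO);` check after ntfs_ia_open(). In the removed lines a failed ntfs_ia_open() fell through to ntfs_index_walk_down() with ictx->ia_ni still NULL, so this deserves its own sentence in the commit message. Since ntfs_ia_open() signals failure only by returning NULL, -EIO is reported whatever the cause; a brief note on that choice would help.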
From: DaeMyung Kang
To: Namjae Jeon, Hyunchul Lee
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, DaeMyung Kang
Subject: [PATCH v2 2/2] ntfs: fix WSL symlink target leak on reparse failure
Date: Sun, 26 Apr 2026 13:02:32 +0900

ntfs_reparse_set_wsl_symlink() converts the symlink target into an
allocated NLS string and transfers ownership to ni->target only after
ntfs_set_ntfs_reparse_data() succeeds. If setting the reparse data
fails, the converted target is left unreferenced and leaks.

Free the converted target on the reparse update failure path. Use
kfree() for the other local failure path as well, matching the
ntfs_ucstonls() allocation contract.

Fixes: fc053f05ca28 ("ntfs: add reparse and ea operations")
Signed-off-by: DaeMyung Kang
Reviewed-by: Hyunchul Lee
---
 fs/ntfs/reparse.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/ntfs/reparse.c b/fs/ntfs/reparse.c index 8f60ec6f66c1..74713716813f 100644 --- a/fs/ntfs/reparse.c +++ b/fs/ntfs/reparse.c @@ -505,7 +505,6 @@ int ntfs_reparse_set_wsl_symlink(struct ntfs_inode *ni, struct reparse_point *reparse; struct wsl_link_reparse_data *data; =20 - utarget =3D (char *)NULL; len =3D ntfs_ucstonls(ni->vol, target, target_len, &utarget, 0); if (len <=3D 0) return -EINVAL; @@ -514,7 +513,7 @@ int ntfs_reparse_set_wsl_symlink(struct ntfs_inode *ni, reparse =3D kvzalloc(reparse_len, GFP_NOFS); if (!reparse) { err =3D -ENOMEM; - kvfree(utarget); + kfree(utarget); } else { data =3D (struct wsl_link_reparse_data *)reparse->reparse_data; reparse->reparse_tag =3D IO_REPARSE_TAG_LX_SYMLINK; @@ -528,6 +527,8 @@ int ntfs_reparse_set_wsl_symlink(struct ntfs_inode *ni, kvfree(reparse); if (!err) ni->target =3D utarget; + else + kfree(utarget); } return err; } --=20 2.43.0
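Review bot: the first fs/ntfs/reparse.c hunk (-505) removes `utarget = (char *)NULL;` immediately before `&utarget` is handed to ntfs_ucstonls(), and neither the changelog nor the visible context explains why that is safe. The declaration of utarget is outside the hunk; if it has no NULL initializer and ntfs_ucstonls() reads *outs on entry to decide whether to allocate, this passes an indeterminate pointer. Either keep the assignment or initialize at the declaration (`char *utarget = NULL;`), and mention the change in the commit message.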
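Review bot: in the last fs/ntfs/reparse.c hunk (-528) the success branch `ni->target = utarget;` overwrites whatever ni->target held, and nothing in the visible lines frees a previous value. If ntfs_reparse_set_wsl_symlink() can run on an inode whose target is already set, the old string leaks in the same way this patch fixes for the failure path; please confirm that cannot happen, or free the old value before the assignment.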