fs/ntfs3/file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Syzbot reported a WARNING in ntfs_extend_initialized_size.
In ntfs_file_mmap(), ni->i_valid and to are of type u64.
If their values are greater than LLONG_MAX, overflow will occur because
the corresponding parameters of ntfs_extend_initialized_size(), valid and
new_valid, are of type loff_t.
ntfs_file_mmap() has already checked "ni->i_valid < to" before calling
ntfs_extend_initialized_size(), so the same WARN_ON check is not required
inside ntfs_extend_initialized_size().
Make the WARN_ON check only in ntfs_extend(), before it calls
ntfs_extend_initialized_size().
Reported-and-tested-by: syzbot+e37dd1dfc814b10caa55@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e37dd1dfc814b10caa55
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
fs/ntfs3/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c
index 6202895a4542..c42454a62314 100644
--- a/fs/ntfs3/file.c
+++ b/fs/ntfs3/file.c
@@ -178,7 +178,6 @@ static int ntfs_extend_initialized_size(struct file *file,
}
WARN_ON(is_compressed(ni));
- WARN_ON(valid >= new_valid);
for (;;) {
u32 zerofrom, len;
@@ -400,6 +399,7 @@ static int ntfs_extend(struct inode *inode, loff_t pos, size_t count,
}
if (extend_init && !is_compressed(ni)) {
+ WARN_ON(ni->valid >= pos);
err = ntfs_extend_initialized_size(file, ni, ni->i_valid, pos);
if (err)
goto out;
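Review bot: The condition in the added `WARN_ON` is the negation of the guard that leads to it, so as written it looks unable to fire. The ntfs_extend() listing quoted later in this thread computes `extend_init = file && pos > ni->i_valid`, and the new check sits inside `if (extend_init && !is_compressed(ni))`; it can only trigger if i_valid changes between the two reads, for example inside ntfs_set_size(), which is not visible here. If that is the intent, state it next to the check, e.g. `/* ntfs_set_size() must not advance i_valid past pos */`; otherwise the line can be dropped. The same applies to the second hunk of the v2 posting, and ntfs_extend() starts and ends outside this hunk.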
--
2.43.0
Hi Edward,
kernel test robot noticed the following build errors:
[auto build test ERROR on brauner-vfs/vfs.all]
[also build test ERROR on linus/master v6.12-rc2 next-20241010]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Edward-Adam-Davis/ntfs3-Fix-WARNING-in-ntfs_extend_initialized_size/20241007-191224
base: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git vfs.all
patch link: https://lore.kernel.org/r/tencent_EE134FDF8DFFA5E18D84121FDDE5DDB41907%40qq.com
patch subject: [PATCH] ntfs3: Fix WARNING in ntfs_extend_initialized_size
config: i386-randconfig-003-20241010 (https://download.01.org/0day-ci/archive/20241010/202410102052.KIxxilgH-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241010/202410102052.KIxxilgH-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410102052.KIxxilgH-lkp@intel.com/
All errors (new ones prefixed by >>):
In file included from arch/x86/include/asm/bug.h:99,
from include/linux/bug.h:5,
from include/linux/thread_info.h:13,
from include/linux/spinlock.h:60,
from include/linux/wait.h:9,
from include/linux/wait_bit.h:8,
from include/linux/fs.h:6,
from include/linux/backing-dev.h:13,
from fs/ntfs3/file.c:10:
fs/ntfs3/file.c: In function 'ntfs_extend':
>> fs/ntfs3/file.c:402:29: error: 'struct ntfs_inode' has no member named 'valid'; did you mean 'i_valid'?
402 | WARN_ON(ni->valid >= pos);
| ^~~~~
include/asm-generic/bug.h:123:32: note: in definition of macro 'WARN_ON'
123 | int __ret_warn_on = !!(condition); \
| ^~~~~~~~~
vim +402 fs/ntfs3/file.c
379
380 static int ntfs_extend(struct inode *inode, loff_t pos, size_t count,
381 struct file *file)
382 {
383 struct ntfs_inode *ni = ntfs_i(inode);
384 struct address_space *mapping = inode->i_mapping;
385 loff_t end = pos + count;
386 bool extend_init = file && pos > ni->i_valid;
387 int err;
388
389 if (end <= inode->i_size && !extend_init)
390 return 0;
391
392 /* Mark rw ntfs as dirty. It will be cleared at umount. */
393 ntfs_set_state(ni->mi.sbi, NTFS_DIRTY_DIRTY);
394
395 if (end > inode->i_size) {
396 err = ntfs_set_size(inode, end);
397 if (err)
398 goto out;
399 }
400
401 if (extend_init && !is_compressed(ni)) {
> 402 WARN_ON(ni->valid >= pos);
403 err = ntfs_extend_initialized_size(file, ni, ni->i_valid, pos);
404 if (err)
405 goto out;
406 } else {
407 err = 0;
408 }
409
410 inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
411 mark_inode_dirty(inode);
412
413 if (IS_SYNC(inode)) {
414 int err2;
415
416 err = filemap_fdatawrite_range(mapping, pos, end - 1);
417 err2 = sync_mapping_buffers(mapping);
418 if (!err)
419 err = err2;
420 err2 = write_inode_now(inode, 1);
421 if (!err)
422 err = err2;
423 if (!err)
424 err = filemap_fdatawait_range(mapping, pos, end - 1);
425 }
426
427 out:
428 return err;
429 }
430
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Hi Edward,
kernel test robot noticed the following build errors:
[auto build test ERROR on brauner-vfs/vfs.all]
[also build test ERROR on linus/master v6.12-rc2 next-20241010]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Edward-Adam-Davis/ntfs3-Fix-WARNING-in-ntfs_extend_initialized_size/20241007-191224
base: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git vfs.all
patch link: https://lore.kernel.org/r/tencent_EE134FDF8DFFA5E18D84121FDDE5DDB41907%40qq.com
patch subject: [PATCH] ntfs3: Fix WARNING in ntfs_extend_initialized_size
config: i386-buildonly-randconfig-001-20241010 (https://download.01.org/0day-ci/archive/20241010/202410101748.6VtnyCOG-lkp@intel.com/config)
compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241010/202410101748.6VtnyCOG-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410101748.6VtnyCOG-lkp@intel.com/
All errors (new ones prefixed by >>):
>> fs/ntfs3/file.c:402:15: error: no member named 'valid' in 'struct ntfs_inode'
402 | WARN_ON(ni->valid >= pos);
| ~~ ^
include/asm-generic/bug.h:123:25: note: expanded from macro 'WARN_ON'
123 | int __ret_warn_on = !!(condition); \
| ^~~~~~~~~
1 error generated.
vim +402 fs/ntfs3/file.c
379
380 static int ntfs_extend(struct inode *inode, loff_t pos, size_t count,
381 struct file *file)
382 {
383 struct ntfs_inode *ni = ntfs_i(inode);
384 struct address_space *mapping = inode->i_mapping;
385 loff_t end = pos + count;
386 bool extend_init = file && pos > ni->i_valid;
387 int err;
388
389 if (end <= inode->i_size && !extend_init)
390 return 0;
391
392 /* Mark rw ntfs as dirty. It will be cleared at umount. */
393 ntfs_set_state(ni->mi.sbi, NTFS_DIRTY_DIRTY);
394
395 if (end > inode->i_size) {
396 err = ntfs_set_size(inode, end);
397 if (err)
398 goto out;
399 }
400
401 if (extend_init && !is_compressed(ni)) {
> 402 WARN_ON(ni->valid >= pos);
403 err = ntfs_extend_initialized_size(file, ni, ni->i_valid, pos);
404 if (err)
405 goto out;
406 } else {
407 err = 0;
408 }
409
410 inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
411 mark_inode_dirty(inode);
412
413 if (IS_SYNC(inode)) {
414 int err2;
415
416 err = filemap_fdatawrite_range(mapping, pos, end - 1);
417 err2 = sync_mapping_buffers(mapping);
418 if (!err)
419 err = err2;
420 err2 = write_inode_now(inode, 1);
421 if (!err)
422 err = err2;
423 if (!err)
424 err = filemap_fdatawait_range(mapping, pos, end - 1);
425 }
426
427 out:
428 return err;
429 }
430
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Syzbot reported a WARNING in ntfs_extend_initialized_size.
In ntfs_file_mmap(), ni->i_valid and to are of type u64.
If their values are greater than LLONG_MAX, overflow will occur because
the corresponding parameters of ntfs_extend_initialized_size(), valid and
new_valid, are of type loff_t.
ntfs_file_mmap() has already checked "ni->i_valid < to" before calling
ntfs_extend_initialized_size(), so the same WARN_ON check is not required
inside ntfs_extend_initialized_size().
Make the WARN_ON check only in ntfs_extend(), before it calls
ntfs_extend_initialized_size().
Reported-and-tested-by: syzbot+e37dd1dfc814b10caa55@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e37dd1dfc814b10caa55
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: typo for ni->i_valid
fs/ntfs3/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c
index 6202895a4542..c42454a62314 100644
--- a/fs/ntfs3/file.c
+++ b/fs/ntfs3/file.c
@@ -178,7 +178,6 @@ static int ntfs_extend_initialized_size(struct file *file,
}
WARN_ON(is_compressed(ni));
- WARN_ON(valid >= new_valid);
for (;;) {
u32 zerofrom, len;
@@ -400,6 +399,7 @@ static int ntfs_extend(struct inode *inode, loff_t pos, size_t count,
}
if (extend_init && !is_compressed(ni)) {
+ WARN_ON(ni->i_valid >= pos);
err = ntfs_extend_initialized_size(file, ni, ni->i_valid, pos);
if (err)
goto out;
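Review bot: Moving the check into ntfs_extend() leaves the ntfs_file_mmap() path without any range check before ntfs_extend_initialized_size() enters its `for (;;)` loop, and that is the path the description says passes u64 values above LLONG_MAX into loff_t parameters. The u64-to-loff_t conversion itself is unchanged, so the callee still receives wrapped values; only the diagnostic is gone. Since i_valid and the mapped range can be driven by a crafted image or by the caller, and WARN_ON only logs (or halts the machine under panic_on_warn), an error return at the mmap call site would be the safer fix. Something like `if (to > LLONG_MAX) return -EFBIG;` would do, with the exact placement and errno to be confirmed against ntfs_file_mmap(), which is not part of this diff.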
--
2.43.0