Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.1 2026-05-08T14:50:57+00:00 2026-05-08T14:50:57+00:00 DaeMyung Kang charsyam@gmail.com 2026-05-02T00:49:16+00:00 urn:sha1:6c30af0b203e7d7f63f70df1f2c4694c1e5ed589 ntfs_inode_sync_filename() walks every FILE_NAME attribute and, for each one that points at a different parent, opens the parent index inode with ntfs_iget() and locks index_ni->mrec_lock. All three error branches (NInoBeingDeleted, ntfs_index_ctx_get failure, ntfs_index_lookup failure) drop the parent reference before unlocking: iput(index_vi); mutex_unlock(&index_ni->mrec_lock); continue; index_ni is NTFS_I(index_vi), so the ntfs_inode (and its mrec_lock) is embedded in the inode allocation. If the parent directory is not held outside the icache - no open dentry, recently evicted from dcache, no other concurrent lookup - ntfs_iget() returns with i_count == 1 and our iput() drops the last reference. evict_inode() then runs and destroy_inode() schedules the slab object for RCU free, while mutex_unlock() on the next line is still touching index_ni->mrec_lock. Swap the order so the mutex is dropped while index_vi is still alive, matching the success path at the bottom of the loop which already unlocks before iput(). Reproduced under KASAN with a debug build that forces ntfs_index_ctx_get() to fail when the parent index inode has been opened with i_count == 1. KASAN reports a slab-use-after-free read on the parent's mrec_lock from mutex_unlock() on the writeback worker: BUG: KASAN: slab-use-after-free in __mutex_unlock_slowpath+0xb5/0x970 Read of size 8 at addr ffff8880014b7598 by task kworker/u8:0/12 Workqueue: writeback wb_workfn (flush-253:0) Call Trace: mutex_unlock ntfs_inode_sync_filename __ntfs_write_inode ntfs_write_inode __writeback_single_inode Allocated by task 103: ntfs_alloc_big_inode ntfs_iget ntfs_lookup __x64_sys_mkdir Freed by task 12: ntfs_free_big_inode i_callback rcu_do_batch Last potentially related work creation: call_rcu destroy_inode evict dispose_list evict_inodes ntfs_inode_sync_filename __ntfs_write_inode The buggy address belongs to the object at ffff8880014b7440 which belongs to the cache ntfs_big_inode_cache of size 1800 The freed object is the parent directory inode itself: allocated by mkdir(2) via ntfs_iget(), then released through call_rcu(i_callback) that destroy_inode() scheduled when evict_inodes() ran from inside ntfs_inode_sync_filename(). Re-running the same workload with mutex_unlock() moved before iput() runs cleanly under KASAN. Fixes: af0db57d4293 ("ntfs: update inode operations") Signed-off-by: DaeMyung Kang <charsyam@gmail.com> Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> 2026-04-07T09:36:13+00:00 Hyunchul Lee hyc.lee@gmail.com 2026-03-17T05:13:44+00:00 urn:sha1:14f0a13ec79dfa63e143ea45e6530d80bec6e291 Remove redundant out-of-bounds validations. Since ntfs_attr_find and ntfs_external_attr_find now validate the attribute value offsets and lengths against the bounds of the MFT record block, performing subsequent bounds checking in caller functions like ntfs_attr_lookup is no longer necessary. Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> 2026-03-16T11:27:52+00:00 Hyunchul Lee hyc.lee@gmail.com 2026-03-13T00:47:01+00:00 urn:sha1:77f58db7391e227f8ff6ef5d83966347d759daed Detected by Smatch. inode.c:1796 load_attribute_list_mount() warn: ignoring unreachable code. Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> 2026-03-16T11:27:45+00:00 Hyunchul Lee hyc.lee@gmail.com 2026-03-12T23:59:07+00:00 urn:sha1:4e59f8a1a82beaa49d7796648fc4dc538eff6485 Detected by Smatch. lcnalloc.c:736 ntfs_cluster_alloc() error: we previously assumed 'rl' could be null (see line 719) inode.c:3275 ntfs_inode_close() warn: variable dereferenced before check 'tmp_nis' (see line 3255) attrib.c:4952 ntfs_attr_remove() warn: variable dereferenced before check 'ni' (see line 4951) dir.c:1035 ntfs_readdir() error: we previously assumed 'private' could be null (see line 850) Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> 2026-03-16T11:27:30+00:00 Hyunchul Lee hyc.lee@gmail.com 2026-03-11T23:36:24+00:00 urn:sha1:a73258681279bceb4e9210d86204bae14d3ea795 Use NTFS_VOL_GID(not NTFS_VOL_UID) for restoring the gid, and call ntfs_ea_get_wsl_inode() only when $EA_INFORMATION exists. Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> 2026-03-06T13:08:42+00:00 Namjae Jeon linkinjeon@kernel.org 2026-03-05T01:46:42+00:00 urn:sha1:e7d82353986c7267fbd03d7385829cc763807b55 This improves log accuracy for NTFS debugging and removes unnecessary reliance on the VFS i_ino field ahead of the core VFS type change. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> 2026-03-06T13:08:39+00:00 Namjae Jeon linkinjeon@kernel.org 2026-03-05T01:40:54+00:00 urn:sha1:d9038d99fb5c623f43bcd8b726bfbbe8562648c2 Changes the type of ntfs_inode::mft_no from unsigned long to u64 to safely handle the full 48-bit range without truncation risk, especially in preparation for broader VFS inode number type (i_ino:u64) and to improve consistency with ntfs driver practices. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> 2026-02-19T12:48:06+00:00 Namjae Jeon linkinjeon@kernel.org 2026-02-13T01:38:45+00:00 urn:sha1:af0db57d4293cc9fe6ce99fb5592dc2652228c9d Add extent inode loading via ntfs_extent_inode_open() and ntfs_inode_attach_all_extents(). Allow dynamic creation of with ntfs_inode_add_attrlist() when the base MFT record overflows. Introduce ntfs_inode_free_space() to move attributes out of the base record on demand. Implement direct attribute I/O through ntfs_inode_attr_pread() and ntfs_inode_attr_pwrite(). Implement .create, .unlink, .mkdir, .rmdir, .rename, .symlink, .mknod, .link callbacks. Introduce ntfs_non_resident_dealloc_clusters() to free clusters of non-resident attributes during inode eviction. Add ntfs_drop_big_inode() logic to safely truncate and deallocate clusters. Acked-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> 2026-02-19T12:48:05+00:00 Namjae Jeon linkinjeon@kernel.org 2025-12-30T05:24:16+00:00 urn:sha1:1e9ea7e04472d4e5e12e58c881eaacfb3e49b669 This reverts commit 7ffa8f3d30236e0ab897c30bdb01224ff1fe1c89. Reverts the removal of the classic read-only ntfs driver to serve as the base for a new read-write ntfs implementation. If we stack changes on top of the revert patch, It will significantly reduce the diff size, making the review easier. This revert intentionally excludes the restoration of Kconfig and Makefile. The Kconfig and Makefile will be added back in the final patch of this series, enabling the driver only after all features and improvements have been applied. Acked-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> 2024-01-24T09:47:00+00:00 Matthew Wilcox (Oracle) willy@infradead.org 2024-01-15T07:20:25+00:00 urn:sha1:7ffa8f3d30236e0ab897c30bdb01224ff1fe1c89 The replacement, NTFS3, was merged over two years ago. It is now time to remove the original from the tree as it is the last user of several APIs, and it is not worth changing. Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> Link: https://lore.kernel.org/r/20240115072025.2071931-1-willy@infradead.org Acked-by: Namjae Jeon <linkinjeon@kernel.org> Acked-by: Dave Chinner <david@fromorbit.com> Cc: Anton Altaparmakov <anton@tuxera.com> Cc: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Christian Brauner <brauner@kernel.org>