<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/fs/ntfs/runlist.c, branch linux-7.1.y</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.1.y</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.1.y'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-05-08T14:51:07+00:00</updated>
<entry>
<title>ntfs: fix out-of-bounds write in ntfs_rl_collapse_range() merge path</title>
<updated>2026-05-08T14:51:07+00:00</updated>
<author>
<name>DaeMyung Kang</name>
<email>charsyam@gmail.com</email>
</author>
<published>2026-05-06T09:24:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=11816f7131c876b911605a8dc8b0a8835ed0d715'/>
<id>urn:sha1:11816f7131c876b911605a8dc8b0a8835ed0d715</id>
<content type='text'>
ntfs_rl_collapse_range() merges the run on the left of the collapsed
region with the run on its right when they are contiguous. The contiguous
check chooses a clamped index when @new_1st_cnt is 0:

	i = new_1st_cnt == 0 ? 1 : new_1st_cnt;
	if (ntfs_rle_lcn_contiguous(&amp;new_rl[i - 1], &amp;new_rl[i])) {

but the merge itself uses the unclamped value:

	s_rl = &amp;new_rl[new_1st_cnt - 1];
	s_rl-&gt;length += s_rl[1].length;

When @new_1st_cnt is 0 this computes &amp;new_rl[-1] and writes 8 bytes
before the kvcalloc() runlist buffer. The path is reachable through
fallocate(FALLOC_FL_COLLAPSE_RANGE) starting at vcn 0 against an
attribute whose first run after the collapsed region and the following
run are holes. In that case ntfs_rle_lcn_contiguous() returns true
because both checked entries are LCN_HOLE, so the merge path is entered
with @new_1st_cnt still 0. Such consecutive holes do not occur on a
well-formed runlist (NTFS keeps runlists coalesced in memory), so this
OOB path is only reachable from a crafted volume.

A normal runlist has no element to the left of vcn 0, so the left/right
merge is not valid when @new_1st_cnt is 0. Require @new_1st_cnt to be
positive before checking or performing the merge. This skips the merge
entirely in that case instead of clamping the merge target.

The out-of-bounds write can corrupt an adjacent slab object. On a
non-KASAN kernel, it is reachable after a crafted NTFS volume has been
mounted read-write with the legacy fs/ntfs driver, by a local user that
has write access to the crafted file.

Fixes: 11ccc9107dc4 ("ntfs: update runlist handling and cluster allocator")
Suggested-by: Hyunchul Lee &lt;hyc.lee@gmail.com&gt;
Signed-off-by: DaeMyung Kang &lt;charsyam@gmail.com&gt;
Reviewed-by: Hyunchul Lee &lt;hyc.lee@gmail.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
</content>
</entry>
<entry>
<title>ntfs: Use return instead of goto in ntfs_mapping_pairs_decompress()</title>
<updated>2026-04-29T22:05:48+00:00</updated>
<author>
<name>Nathan Chancellor</name>
<email>nathan@kernel.org</email>
</author>
<published>2026-04-28T19:21:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9e9354075d5a15cfc0aba965f3d0d77b7d4303e9'/>
<id>urn:sha1:9e9354075d5a15cfc0aba965f3d0d77b7d4303e9</id>
<content type='text'>
Clang warns (or errors with CONFIG_WERROR=y / W=e):

  fs/ntfs/runlist.c:755:6: error: variable 'rl' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized]
    755 |         if (overflows_type(lowest_vcn, vcn)) {
        |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ...
  fs/ntfs/runlist.c:971:9: note: uninitialized use occurs here
    971 |         kvfree(rl);
        |                ^~
  ...

rl has not been allocated at this point so the 'goto err_out' should
really just be a return of the error pointer -EIO.

Signed-off-by: Nathan Chancellor &lt;nathan@kernel.org&gt;
Reviewed-by: Hyunchul Lee &lt;hyc.lee@gmail.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
</content>
</entry>
<entry>
<title>ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()</title>
<updated>2026-04-27T13:31:19+00:00</updated>
<author>
<name>Zhan Xusheng</name>
<email>zhanxusheng@xiaomi.com</email>
</author>
<published>2026-04-23T04:52:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=cad7c6f0a5147680dd2081256cf8da54fb445d94'/>
<id>urn:sha1:cad7c6f0a5147680dd2081256cf8da54fb445d94</id>
<content type='text'>
In ntfs_mapping_pairs_decompress(), lowest_vcn is read from
on-disk metadata and used as the initial vcn without validation.
A malformed value can introduce an invalid (e.g. negative) vcn,
corrupting the runlist from the start.

Additionally, the accumulation
    vcn += deltaxcn

does not check for s64 overflow. A crafted mapping pairs array
can wrap vcn to a negative value, breaking the monotonically-
increasing invariant relied upon by ntfs_rl_vcn_to_lcn() and
related helpers.

Fix this by validating lowest_vcn and using check_add_overflow()
for vcn accumulation.

Signed-off-by: Zhan Xusheng &lt;zhanxusheng@xiaomi.com&gt;
Reviewed-by: Hyunchul Lee &lt;hyc.lee@gmail.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
</content>
</entry>
<entry>
<title>ntfs: fix variable dereferenced before check warnings</title>
<updated>2026-03-16T11:27:45+00:00</updated>
<author>
<name>Hyunchul Lee</name>
<email>hyc.lee@gmail.com</email>
</author>
<published>2026-03-12T23:59:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=4e59f8a1a82beaa49d7796648fc4dc538eff6485'/>
<id>urn:sha1:4e59f8a1a82beaa49d7796648fc4dc538eff6485</id>
<content type='text'>
Detected by Smatch.

lcnalloc.c:736 ntfs_cluster_alloc() error:
  we previously assumed 'rl' could be null (see line 719)

inode.c:3275 ntfs_inode_close() warn:
  variable dereferenced before check 'tmp_nis' (see line 3255)

attrib.c:4952 ntfs_attr_remove() warn:
  variable dereferenced before check 'ni' (see line 4951)

dir.c:1035 ntfs_readdir() error:
  we previously assumed 'private' could be null (see line 850)

Signed-off-by: Hyunchul Lee &lt;hyc.lee@gmail.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
</content>
</entry>
<entry>
<title>ntfs: add missing newlines to pr_err() messages</title>
<updated>2026-03-10T08:52:13+00:00</updated>
<author>
<name>Woody Suwalski</name>
<email>terraluna977@gmail.com</email>
</author>
<published>2026-03-10T08:50:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ea3566a3fa235cd0325b2bedf91ceec65073004b'/>
<id>urn:sha1:ea3566a3fa235cd0325b2bedf91ceec65073004b</id>
<content type='text'>
There is an inconsistent use of pr_err() statements in the current code.
Many error messages are missing the \n termination, which results in the
messages being printed with a delay, only after the next printk() line is
printed. It prevents relying on printk() to monitor the driver errors.
This patch is modifying only text messages, no functional change.

Signed-off-by: Woody Suwalski &lt;terraluna977@gmail.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
</content>
</entry>
<entry>
<title>ntfs: update runlist handling and cluster allocator</title>
<updated>2026-02-19T12:50:52+00:00</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2026-02-13T01:44:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=11ccc9107dc460de28af90fac1f42404d9802735'/>
<id>urn:sha1:11ccc9107dc460de28af90fac1f42404d9802735</id>
<content type='text'>
Updates runlist handling and cluster allocation to support
contiguous allocations and filesystem trimming.

Improves the runlist API to handle allocation failures and introduces
discard support.

Acked-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Hyunchul Lee &lt;hyc.lee@gmail.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
</content>
</entry>
<entry>
<title>Revert "fs: Remove NTFS classic"</title>
<updated>2026-02-19T12:48:05+00:00</updated>
<author>
<name>Namjae Jeon</name>
<email>linkinjeon@kernel.org</email>
</author>
<published>2025-12-30T05:24:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=1e9ea7e04472d4e5e12e58c881eaacfb3e49b669'/>
<id>urn:sha1:1e9ea7e04472d4e5e12e58c881eaacfb3e49b669</id>
<content type='text'>
This reverts commit 7ffa8f3d30236e0ab897c30bdb01224ff1fe1c89.

Reverts the removal of the classic read-only ntfs driver to
serve as the base for a new read-write ntfs implementation.
If we stack changes on top of the revert patch, it will significantly
reduce the diff size, making the review easier.

This revert intentionally excludes the restoration of Kconfig and
Makefile. The Kconfig and Makefile will be added back in the final patch
of this series, enabling the driver only after all features and
improvements have been applied.

Acked-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
</content>
</entry>
<entry>
<title>fs: Remove NTFS classic</title>
<updated>2024-01-24T09:47:00+00:00</updated>
<author>
<name>Matthew Wilcox (Oracle)</name>
<email>willy@infradead.org</email>
</author>
<published>2024-01-15T07:20:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=7ffa8f3d30236e0ab897c30bdb01224ff1fe1c89'/>
<id>urn:sha1:7ffa8f3d30236e0ab897c30bdb01224ff1fe1c89</id>
<content type='text'>
The replacement, NTFS3, was merged over two years ago.  It is now time to
remove the original from the tree as it is the last user of several APIs,
and it is not worth changing.

Signed-off-by: Matthew Wilcox (Oracle) &lt;willy@infradead.org&gt;
Link: https://lore.kernel.org/r/20240115072025.2071931-1-willy@infradead.org
Acked-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Acked-by: Dave Chinner &lt;david@fromorbit.com&gt;
Cc: Anton Altaparmakov &lt;anton@tuxera.com&gt;
Cc: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
Signed-off-by: Christian Brauner &lt;brauner@kernel.org&gt;
</content>
</entry>
<entry>
<title>ntfs: fix multiple kernel-doc warnings</title>
<updated>2023-02-03T06:50:03+00:00</updated>
<author>
<name>Randy Dunlap</name>
<email>rdunlap@infradead.org</email>
</author>
<published>2023-01-09T01:00:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=aa0b42b7b4b54f0341a1ef5c44360e0e386951f1'/>
<id>urn:sha1:aa0b42b7b4b54f0341a1ef5c44360e0e386951f1</id>
<content type='text'>
Fix many W=1 kernel-doc warnings in fs/ntfs/:

fs/ntfs/aops.c:30: warning: Incorrect use of kernel-doc format:  * ntfs_end_buffer_async_read - async io completion for reading attributes
fs/ntfs/aops.c:46: warning: expecting prototype for aops.c(). Prototype was for ntfs_end_buffer_async_read() instead
fs/ntfs/aops.c:1655: warning: cannot understand function prototype: 'const struct address_space_operations ntfs_normal_aops = '
fs/ntfs/aops.c:1670: warning: cannot understand function prototype: 'const struct address_space_operations ntfs_compressed_aops = '
fs/ntfs/aops.c:1685: warning: cannot understand function prototype: 'const struct address_space_operations ntfs_mst_aops = '
fs/ntfs/compress.c:22: warning: Incorrect use of kernel-doc format:  * ntfs_compression_constants - enum of constants used in the compression code
fs/ntfs/compress.c:24: warning: cannot understand function prototype: 'typedef enum '
fs/ntfs/compress.c:47: warning: cannot understand function prototype: 'u8 *ntfs_compression_buffer; '
fs/ntfs/compress.c:52: warning: expecting prototype for ntfs_cb_lock(). Prototype was for DEFINE_SPINLOCK() instead
fs/ntfs/dir.c:21: warning: Incorrect use of kernel-doc format:  * The little endian Unicode string $I30 as a global constant.
fs/ntfs/dir.c:23: warning: cannot understand function prototype: 'ntfschar I30[5] = '
fs/ntfs/inode.c:31: warning: Incorrect use of kernel-doc format:  * ntfs_test_inode - compare two (possibly fake) inodes for equality
fs/ntfs/inode.c:47: warning: expecting prototype for inode.c(). Prototype was for ntfs_test_inode() instead
fs/ntfs/inode.c:2956: warning: expecting prototype for ntfs_write_inode(). Prototype was for __ntfs_write_inode() instead
fs/ntfs/mft.c:24: warning: expecting prototype for mft.c - NTFS kernel mft record operations. Part of the Linux(). Prototype was for MAX_BHS() instead
fs/ntfs/namei.c:263: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst
 * Inode operations for directories.
fs/ntfs/namei.c:368: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst
 * Export operations allowing NFS exporting of mounted NTFS partitions.
fs/ntfs/runlist.c:16: warning: Incorrect use of kernel-doc format:  * ntfs_rl_mm - runlist memmove
fs/ntfs/runlist.c:22: warning: expecting prototype for runlist.c - NTFS runlist handling code.  Part of the Linux(). Prototype was for ntfs_rl_mm() instead
fs/ntfs/super.c:61: warning: missing initial short description on line:
 * simple_getbool -
fs/ntfs/super.c:2661: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst
 * The complete super operations.

Link: https://lkml.kernel.org/r/20230109010041.21442-1-rdunlap@infradead.org
Signed-off-by: Randy Dunlap &lt;rdunlap@infradead.org&gt;
Cc: Anton Altaparmakov &lt;anton@tuxera.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>ntfs: remove (un)?likely() from IS_ERR() conditions</title>
<updated>2019-09-26T17:10:44+00:00</updated>
<author>
<name>Denis Efremov</name>
<email>efremov@linux.com</email>
</author>
<published>2019-09-25T23:49:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=cc22c800e15b03c87f0e97400f75eba998e75c6a'/>
<id>urn:sha1:cc22c800e15b03c87f0e97400f75eba998e75c6a</id>
<content type='text'>
"likely(!IS_ERR(x))" is excessive. IS_ERR() already uses
unlikely() internally.

Link: http://lkml.kernel.org/r/20190829165025.15750-11-efremov@linux.com
Signed-off-by: Denis Efremov &lt;efremov@linux.com&gt;
Cc: Anton Altaparmakov &lt;anton@tuxera.com&gt;
Cc: Joe Perches &lt;joe@perches.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
</feed>
