<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/fs/ntfs3/run.c, branch linux-7.1.y</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.1.y</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.1.y'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-04-07T16:43:39+00:00</updated>
<entry>
<title>ntfs3: fix integer overflow in run_unpack() volume boundary check</title>
<updated>2026-04-07T16:43:39+00:00</updated>
<author>
<name>Tobias Gaertner</name>
<email>tob.gaertner@me.com</email>
</author>
<published>2026-03-29T11:17:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=984a415f019536ea2d24de9010744e5302a9a948'/>
<id>urn:sha1:984a415f019536ea2d24de9010744e5302a9a948</id>
<content type='text'>
The volume boundary check `lcn + len &gt; sbi-&gt;used.bitmap.nbits` uses raw
addition which can wrap around for large lcn and len values, bypassing
the validation.  Use check_add_overflow() as is already done for the
adjacent prev_lcn + dlcn and vcn64 + len checks added by commit
3ac37e100385 ("ntfs3: Fix integer overflow in run_unpack()").

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

Fixes: 82cae269cfa95 ("fs/ntfs3: Add initialization of super block")
Cc: stable@vger.kernel.org
Signed-off-by: Tobias Gaertner &lt;tob.gaertner@me.com&gt;
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>ntfs3: add buffer boundary checks to run_unpack()</title>
<updated>2026-04-07T16:43:38+00:00</updated>
<author>
<name>Tobias Gaertner</name>
<email>tob.gaertner@me.com</email>
</author>
<published>2026-03-29T11:17:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=b62567bca47408e6739dee75f02a2113548af875'/>
<id>urn:sha1:b62567bca47408e6739dee75f02a2113548af875</id>
<content type='text'>
run_unpack() checks `run_buf &lt; run_last` at the top of the while loop
but then reads size_size and offset_size bytes via run_unpack_s64()
without verifying they fit within the remaining buffer.  A crafted NTFS
image with truncated run data in an MFT attribute triggers an OOB heap
read of up to 15 bytes when the filesystem is mounted.

Add boundary checks before each run_unpack_s64() call to ensure the
declared field size does not exceed the remaining buffer.

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

Fixes: 82cae269cfa95 ("fs/ntfs3: Add initialization of super block")
Cc: stable@vger.kernel.org
Signed-off-by: Tobias Gaertner &lt;tob.gaertner@me.com&gt;
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>fs/ntfs3: add delayed-allocation (delalloc) support</title>
<updated>2026-02-16T16:23:51+00:00</updated>
<author>
<name>Konstantin Komarov</name>
<email>almaz.alexandrovich@paragon-software.com</email>
</author>
<published>2026-02-16T16:10:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=10d7c95af043b45a85dc738c3271bf760ff3577e'/>
<id>urn:sha1:10d7c95af043b45a85dc738c3271bf760ff3577e</id>
<content type='text'>
This patch implements delayed allocation (delalloc) in the ntfs3 driver.

It introduces an in-memory delayed-runlist (run_da) and the helpers to
track, reserve and later convert those delayed reservations into real
clusters at writeback time. The change keeps on-disk formats untouched and
focuses on pagecache integration, correctness and safe interaction with
fallocate, truncate, and dio/iomap paths.

Key points:

- add run_da (delay-allocated run tree) and bookkeeping for delayed clusters.

- mark ranges as delalloc (DELALLOC_LCN) instead of immediately allocating.
  Actual allocation performed later (writeback / attr_set_size_ex / explicit
  flush paths).

- direct i/o / iomap paths updated to avoid dio collisions with
  delalloc: dio falls back or forces allocation of delayed blocks before
  proceeding.

- punch/collapse/truncate/fallocate check and cancel delay-alloc reservations.
  Sparse/compressed files handled specially.

- free-space checks updated (ntfs_check_free_space) to account for reserved
  delalloc clusters and MFT record budgeting.

- delayed allocations are committed on last writer (file release) and on
  explicit allocation flush paths.

Tested-by: syzbot@syzkaller.appspotmail.com
Reported-by: syzbot+2bd8e813c7f767aa9bb1@syzkaller.appspotmail.com
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>ntfs3: fix circular locking dependency in run_unpack_ex</title>
<updated>2026-01-15T04:57:48+00:00</updated>
<author>
<name>Szymon Wilczek</name>
<email>swilczek.lx@gmail.com</email>
</author>
<published>2025-12-27T14:43:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=08ce2fee1b869ecbfbd94e0eb2630e52203a2e03'/>
<id>urn:sha1:08ce2fee1b869ecbfbd94e0eb2630e52203a2e03</id>
<content type='text'>
Syzbot reported a circular locking dependency between wnd-&gt;rw_lock
(sbi-&gt;used.bitmap) and ni-&gt;file.run_lock.

The deadlock scenario:
1. ntfs_extend_mft() takes ni-&gt;file.run_lock then wnd-&gt;rw_lock.
2. run_unpack_ex() takes wnd-&gt;rw_lock then tries to acquire
   ni-&gt;file.run_lock inside ntfs_refresh_zone().

This creates an AB-BA deadlock.

Fix this by using down_read_trylock() instead of down_read() when
acquiring run_lock in run_unpack_ex(). If the lock is contended,
skip ntfs_refresh_zone() - the MFT zone will be refreshed on the
next MFT operation. This breaks the circular dependency since we
never block waiting for run_lock while holding wnd-&gt;rw_lock.

Reported-by: syzbot+d27edf9f96ae85939222@syzkaller.appspotmail.com
Tested-by: syzbot+d27edf9f96ae85939222@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d27edf9f96ae85939222
Signed-off-by: Szymon Wilczek &lt;swilczek.lx@gmail.com&gt;
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>fs/ntfs3: correct attr_collapse_range when file is too fragmented</title>
<updated>2025-11-17T08:08:49+00:00</updated>
<author>
<name>Konstantin Komarov</name>
<email>almaz.alexandrovich@paragon-software.com</email>
</author>
<published>2025-10-30T20:35:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2109b080240ca0e1a3ebe28cf7577ebb00a5d887'/>
<id>urn:sha1:2109b080240ca0e1a3ebe28cf7577ebb00a5d887</id>
<content type='text'>
Fix incorrect VCN adjustments in attr_collapse_range() that caused
filesystem errors or corruption on very fragmented NTFS files when
performing collapse-range operations.

Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>fs/ntfs3: fix mount failure for sparse runs in run_unpack()</title>
<updated>2025-10-17T10:08:43+00:00</updated>
<author>
<name>Konstantin Komarov</name>
<email>almaz.alexandrovich@paragon-software.com</email>
</author>
<published>2025-09-18T10:35:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=801f614ba263cb37624982b27b4c82f3c3c597a9'/>
<id>urn:sha1:801f614ba263cb37624982b27b4c82f3c3c597a9</id>
<content type='text'>
Some NTFS volumes failed to mount because sparse data runs were not
handled correctly during runlist unpacking. The code performed arithmetic
on the special SPARSE_LCN64 marker, leading to invalid LCN values and
mount errors.

Add an explicit check for the case described above, marking the run as
sparse without applying arithmetic.

Fixes: 736fc7bf5f68 ("fs: ntfs3: Fix integer overflow in run_unpack()")
Cc: stable@vger.kernel.org
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>fs: ntfs3: Fix integer overflow in run_unpack()</title>
<updated>2025-09-10T09:01:39+00:00</updated>
<author>
<name>Vitaly Grigoryev</name>
<email>Vitaly.Grigoryev@kaspersky.com</email>
</author>
<published>2025-08-25T10:08:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=736fc7bf5f68f6b74a0925b7e072c571838657d2'/>
<id>urn:sha1:736fc7bf5f68f6b74a0925b7e072c571838657d2</id>
<content type='text'>
The MFT record relative to the file being opened contains its runlist,
an array containing information about the file's location on the physical
disk. Analysis of all Call Stack paths showed that the values of the
runlist array, from which LCNs are calculated, are not validated before
the run_unpack function.

The run_unpack function decodes the compressed runlist data format
from MFT attributes (for example, $DATA), converting them into a runs_tree
structure, which describes the mapping of virtual clusters (VCN) to
logical clusters (LCN). The NTFS3 subsystem also has a shortcut for
deleting files from MFT records - in this case, the RUN_DEALLOCATE
command is sent to the run_unpack input, and the function logic
provides that all data transferred to the runlist about file or
directory is deleted without creating a runs_tree structure.

Substituting the runlist in the $DATA attribute of the MFT record for an
arbitrary file can lead either to access to arbitrary data on the disk
bypassing access checks to them (since the inode access check
occurs above) or to destruction of arbitrary data on the disk.

Add overflow check for addition operation.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 4342306f0f0d ("fs/ntfs3: Add file operations and implementation")
Signed-off-by: Vitaly Grigoryev &lt;Vitaly.Grigoryev@kaspersky.com&gt;
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>fs/ntfs3: Accumulated refactoring changes</title>
<updated>2024-11-01T08:19:53+00:00</updated>
<author>
<name>Konstantin Komarov</name>
<email>almaz.alexandrovich@paragon-software.com</email>
</author>
<published>2024-10-10T17:06:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=bac89bb33d91cdd75092e15cf59fe6be34571142'/>
<id>urn:sha1:bac89bb33d91cdd75092e15cf59fe6be34571142</id>
<content type='text'>
Changes made to improve readability and debuggability.

Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>fs/ntfs3: Fix case when unmarked clusters intersect with zone</title>
<updated>2024-11-01T08:19:50+00:00</updated>
<author>
<name>Konstantin Komarov</name>
<email>almaz.alexandrovich@paragon-software.com</email>
</author>
<published>2024-10-10T17:09:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5fc982fe7eca9d0cf7b25832450ebd4f7c8e1c36'/>
<id>urn:sha1:5fc982fe7eca9d0cf7b25832450ebd4f7c8e1c36</id>
<content type='text'>
Reported-by: syzbot+7f3761b790fa41d0f3d5@syzkaller.appspotmail.com
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>fs/ntfs3: Make checks in run_unpack more clear</title>
<updated>2024-09-03T13:58:43+00:00</updated>
<author>
<name>Konstantin Komarov</name>
<email>almaz.alexandrovich@paragon-software.com</email>
</author>
<published>2024-08-19T13:21:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=70dd48ca3af3acb8548b876a84ac31460364cb03'/>
<id>urn:sha1:70dd48ca3af3acb8548b876a84ac31460364cb03</id>
<content type='text'>
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
</feed>
