Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.0.10 2026-05-23T11:09:12+00:00 2026-05-23T11:09:12+00:00 Pengpeng Hou pengpeng@iscas.ac.cn 2026-03-27T06:19:55+00:00 urn:sha1:5cd0707b81cb4589f00aec5c4c1288bd0980d2a4 [ Upstream commit a6cd43fe9b083fa23fe1595666d5738856cb261a ] ntfs_fill_super() loads the on-disk volume label with utf16s_to_utf8s() and stores the result in sbi->volume.label. The converted label is later exposed through ntfs3_label_show() using %s, but utf16s_to_utf8s() only returns the number of bytes written and does not add a trailing NUL. If the converted label fills the entire fixed buffer, ntfs3_label_show() can read past the end of sbi->volume.label while looking for a terminator. Terminate the cached label explicitly after a successful conversion and clamp the exact-full case to the last byte of the buffer. Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block") Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-05-23T11:09:11+00:00 Deepanshu Kartikey kartikey406@gmail.com 2026-03-19T07:45:46+00:00 urn:sha1:2b4ae1ce613ade8a7e118fba4a5a77cd23e97e54 [ Upstream commit d7ea8495fd307b58f8867acd81a1b40075b1d3ba ] When a compressed or sparse attribute has its clusters frame-aligned, vcn is rounded down to the frame start using cmask, which can result in vcn != vcn0. In this case, vcn and vcn0 may reside in different attribute segments. The code already handles the case where vcn is in a different segment by loading its runs before allocation. However, it fails to load runs for vcn0 when vcn0 resides in a different segment than vcn. This causes run_lookup_entry() to return SPARSE_LCN for vcn0 since its segment was never loaded into the in-memory run list, triggering the WARN_ON(1). Fix this by adding a missing check for vcn0 after the existing vcn segment check. If vcn0 falls outside the current segment range [svcn, evcn1), find and load the attribute segment containing vcn0 before performing the run lookup. The following scenario triggers the bug: attr_data_get_block_locked() vcn = vcn0 & cmask <- vcn != vcn0 after frame alignment load runs for vcn segment <- vcn0 segment not loaded! attr_allocate_clusters() <- allocation succeeds run_lookup_entry(vcn0) <- vcn0 not in run -> SPARSE_LCN WARN_ON(1) <- bug fires here! Reported-by: syzbot+c1e9aedbd913fadad617@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c1e9aedbd913fadad617 Fixes: c380b52f6c57 ("fs/ntfs3: Change new sparse cluster processing") Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-05-23T11:09:10+00:00 Edward Adam Davis eadavis@qq.com 2026-02-23T08:01:13+00:00 urn:sha1:485f750cac3d8bdf5552a0e3d79ce5e3a03ece49 [ Upstream commit e98266e823a1fa06fe6499df61aeaac2fd6f7a49 ] syzbot reported a uninit-value in ntfs_iomap_begin [1]. Since runs was not touched yet, run_lookup_entry() immediately fails and returns false, which makes the value of "*len" 0. Simultaneously, the new value and err value are also 0, causing the logic in attr_data_get_block_locked() to jump directly to ok, ultimately resulting in *lcn being triggered before it is set [1]. In ntfs_iomap_begin(), the check for a 0 value in clen is moved forward to before updating lcn to avoid this [1]. [1] BUG: KMSAN: uninit-value in ntfs_iomap_begin+0x8c0/0x1460 fs/ntfs3/inode.c:825 ntfs_iomap_begin+0x8c0/0x1460 fs/ntfs3/inode.c:825 iomap_iter+0x9b7/0x1540 fs/iomap/iter.c:110 Local variable lcn created at: ntfs_iomap_begin+0x15d/0x1460 fs/ntfs3/inode.c:786 Fixes: 10d7c95af043 ("fs/ntfs3: add delayed-allocation (delalloc) support") Reported-by: syzbot+7be88937363ac7ab7bb0@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=7be88937363ac7ab7bb0 Tested-by: syzbot+7be88937363ac7ab7bb0@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-05-07T04:14:14+00:00 Tobias Gaertner tob.gaertner@me.com 2026-03-29T11:17:03+00:00 urn:sha1:6175d09c23bec4b60860ee9a0170308ff4b56e10 commit 984a415f019536ea2d24de9010744e5302a9a948 upstream. The volume boundary check `lcn + len > sbi->used.bitmap.nbits` uses raw addition which can wrap around for large lcn and len values, bypassing the validation. Use check_add_overflow() as is already done for the adjacent prev_lcn + dlcn and vcn64 + len checks added by commit 3ac37e100385 ("ntfs3: Fix integer overflow in run_unpack()"). Found by fuzzing with a source-patched harness (LibAFL + QEMU). Fixes: 82cae269cfa95 ("fs/ntfs3: Add initialization of super block") Cc: stable@vger.kernel.org Signed-off-by: Tobias Gaertner <tob.gaertner@me.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-07T04:14:14+00:00 Tobias Gaertner tob.gaertner@me.com 2026-03-29T11:17:02+00:00 urn:sha1:41aadf5cb482793a24e05aa136224e179a778586 commit b62567bca47408e6739dee75f02a2113548af875 upstream. run_unpack() checks `run_buf < run_last` at the top of the while loop but then reads size_size and offset_size bytes via run_unpack_s64() without verifying they fit within the remaining buffer. A crafted NTFS image with truncated run data in an MFT attribute triggers an OOB heap read of up to 15 bytes when the filesystem is mounted. Add boundary checks before each run_unpack_s64() call to ensure the declared field size does not exceed the remaining buffer. Found by fuzzing with a source-patched harness (LibAFL + QEMU). Fixes: 82cae269cfa95 ("fs/ntfs3: Add initialization of super block") Cc: stable@vger.kernel.org Signed-off-by: Tobias Gaertner <tob.gaertner@me.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-04-27T13:30:17+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2026-04-09T14:37:15+00:00 urn:sha1:f79d0403ea20a81bc29105bba54fbcab54e8c403 commit 0ca0485e4b2e837ebb6cbd4f2451aba665a03e4b upstream. check_file_record() validates rec->total against the record size but never validates rec->used. The do_action() journal-replay handlers read rec->used from disk and use it to compute memmove lengths: DeleteAttribute: memmove(attr, ..., used - asize - roff) CreateAttribute: memmove(..., attr, used - roff) change_attr_size: memmove(..., used - PtrOffset(rec, next)) When rec->used is smaller than the offset of a validated attribute, or larger than the record size, these subtractions can underflow allowing us to copy huge amounts of memory in to a 4kb buffer, generally considered a bad idea overall. This requires a corrupted filesystem, which isn't a threat model the kernel really needs to worry about, but checking for such an obvious out-of-bounds value is good to keep things robust, especially on journal replay Fix this up by bounding rec->used correctly. This is much like commit b2bc7c44ed17 ("fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot") which checked different values in this same switch statement. Cc: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal") Cc: stable <stable@kernel.org> Assisted-by: gregkh_clanker_t1000 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-02-21T09:02:28+00:00 Kees Cook kees@kernel.org 2026-02-21T07:49:23+00:00 urn:sha1:69050f8d6d075dc01af7a5f2f550a8067510366f This is the result of running the Coccinelle script from scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to avoid scalar types (which need careful case-by-case checking), and instead replace kmalloc-family calls that allocate struct or union object instances: Single allocations: kmalloc(sizeof(TYPE), ...) are replaced with: kmalloc_obj(TYPE, ...) Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...) are replaced with: kmalloc_objs(TYPE, COUNT, ...) Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...) are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...) (where TYPE may also be *VAR) The resulting allocations no longer return "void *", instead returning "TYPE *". Signed-off-by: Kees Cook <kees@kernel.org> 2026-02-19T04:50:32+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-02-19T04:50:32+00:00 urn:sha1:eeccf287a2a517954b57cf9d733b3cf5d47afa34 Pull more MM updates from Andrew Morton: - "mm/vmscan: fix demotion targets checks in reclaim/demotion" fixes a couple of issues in the demotion code - pages were failed demotion and were finding themselves demoted into disallowed nodes (Bing Jiao) - "Remove XA_ZERO from error recovery of dup_mmap()" fixes a rare mapledtree race and performs a number of cleanups (Liam Howlett) - "mm: add bitmap VMA flag helpers and convert all mmap_prepare to use them" implements a lot of cleanups following on from the conversion of the VMA flags into a bitmap (Lorenzo Stoakes) - "support batch checking of references and unmapping for large folios" implements batching to greatly improve the performance of reclaiming clean file-backed large folios (Baolin Wang) - "selftests/mm: add memory failure selftests" does as claimed (Miaohe Lin) * tag 'mm-stable-2026-02-18-19-48' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (36 commits) mm/page_alloc: clear page->private in free_pages_prepare() selftests/mm: add memory failure dirty pagecache test selftests/mm: add memory failure clean pagecache test selftests/mm: add memory failure anonymous page test mm: rmap: support batched unmapping for file large folios arm64: mm: implement the architecture-specific clear_flush_young_ptes() arm64: mm: support batch clearing of the young flag for large folios arm64: mm: factor out the address and ptep alignment into a new helper mm: rmap: support batched checks of the references for large folios tools/testing/vma: add VMA userland tests for VMA flag functions tools/testing/vma: separate out vma_internal.h into logical headers tools/testing/vma: separate VMA userland tests into separate files mm: make vm_area_desc utilise vma_flags_t only mm: update all remaining mmap_prepare users to use vma_flags_t mm: update shmem_[kernel]_file_*() functions to use vma_flags_t mm: update secretmem to use VMA flags on mmap_prepare mm: update hugetlbfs to use VMA flags on mmap_prepare mm: add basic VMA flag operation helper functions tools: bitmap: add missing bitmap_[subset(), andnot()] mm: add mk_vma_flags() bitmap flag macro helper ... 2026-02-17T23:37:06+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-02-17T23:37:06+00:00 urn:sha1:75a452d31ba697fc986609dd4905294e07687992 Pull ntfs3 updates from Konstantin Komarov: "New code: - improve readahead for bitmap initialization and large directory scans - fsync files by syncing parent inodes - drop of preallocated clusters for sparse and compressed files - zero-fill folios beyond i_valid in ntfs_read_folio() - implement llseek SEEK_DATA/SEEK_HOLE by scanning data runs - implement iomap-based file operations - allow explicit boolean acl/prealloc mount options - fall-through between switch labels - delayed-allocation (delalloc) support Fixes: - check return value of indx_find to avoid infinite loop - initialize new folios before use - infinite loop in attr_load_runs_range on inconsistent metadata - infinite loop triggered by zero-sized ATTR_LIST - ntfs_mount_options leak in ntfs_fill_super() - deadlock in ni_read_folio_cmpr - circular locking dependency in run_unpack_ex - prevent infinite loops caused by the next valid being the same - restore NULL folio initialization in ntfs_writepages() - slab-out-of-bounds read in DeleteIndexEntryRoot Updates: - allow readdir() to finish after directory mutations without rewinddir() - handle attr_set_size() errors when truncating files - make ntfs_writeback_ops static - refactor duplicate kmemdup pattern in do_action() - avoid calling run_get_entry() when run == NULL in ntfs_read_run_nb_ra() Replaced: - use wait_on_buffer() directly - rename ni_readpage_cmpr into ni_read_folio_cmpr" * tag 'ntfs3_for_7.0' of https://github.com/Paragon-Software-Group/linux-ntfs3: (26 commits) fs/ntfs3: add delayed-allocation (delalloc) support fs/ntfs3: avoid calling run_get_entry() when run == NULL in ntfs_read_run_nb_ra() fs/ntfs3: add fall-through between switch labels fs/ntfs3: allow explicit boolean acl/prealloc mount options fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot ntfs3: Restore NULL folio initialization in ntfs_writepages() ntfs3: Refactor duplicate kmemdup pattern in do_action() fs/ntfs3: prevent infinite loops caused by the next valid being the same fs/ntfs3: make ntfs_writeback_ops static ntfs3: fix circular locking dependency in run_unpack_ex fs/ntfs3: implement iomap-based file operations fs/ntfs3: fix deadlock in ni_read_folio_cmpr fs/ntfs3: implement llseek SEEK_DATA/SEEK_HOLE by scanning data runs fs/ntfs3: zero-fill folios beyond i_valid in ntfs_read_folio() fs/ntfs3: handle attr_set_size() errors when truncating files fs/ntfs3: drop preallocated clusters for sparse and compressed files fs/ntfs3: fsync files by syncing parent inodes fs/ntfs3: fix ntfs_mount_options leak in ntfs_fill_super() fs/ntfs3: allow readdir() to finish after directory mutations without rewinddir() fs/ntfs3: improve readahead for bitmap initialization and large directory scans ... 2026-02-16T16:23:51+00:00 Konstantin Komarov almaz.alexandrovich@paragon-software.com 2026-02-16T16:10:26+00:00 urn:sha1:10d7c95af043b45a85dc738c3271bf760ff3577e This patch implements delayed allocation (delalloc) in ntfs3 driver. It introduces an in-memory delayed-runlist (run_da) and the helpers to track, reserve and later convert those delayed reservations into real clusters at writeback time. The change keeps on-disk formats untouched and focuses on pagecache integration, correctness and safe interaction with fallocate, truncate, and dio/iomap paths. Key points: - add run_da (delay-allocated run tree) and bookkeeping for delayed clusters. - mark ranges as delalloc (DELALLOC_LCN) instead of immediately allocating. Actual allocation performed later (writeback / attr_set_size_ex / explicit flush paths). - direct i/o / iomap paths updated to avoid dio collisions with delalloc: dio falls back or forces allocation of delayed blocks before proceeding. - punch/collapse/truncate/fallocate check and cancel delay-alloc reservations. Sparse/compressed files handled specially. - free-space checks updated (ntfs_check_free_space) to account for reserved delalloc clusters and MFT record budgeting. - delayed allocations are committed on last writer (file release) and on explicit allocation flush paths. Tested-by: syzbot@syzkaller.appspotmail.com Reported-by: syzbot+2bd8e813c7f767aa9bb1@syzkaller.appspotmail.com Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>