<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/fs/ntfs3, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-24T17:05:53+00:00</updated>
<entry>
<title>Merge tag 'ntfs3_for_7.2' of https://github.com/Paragon-Software-Group/linux-ntfs3</title>
<updated>2026-06-24T17:05:53+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-24T17:05:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f0e6f20cb52b14c2c441f04e21cef0c95d498cac'/>
<id>urn:sha1:f0e6f20cb52b14c2c441f04e21cef0c95d498cac</id>
<content type='text'>
Pull ntfs3 updates from Konstantin Komarov:
 "Added:
   - depth limit to indx_find_buffer() to prevent stack overflow
   - validate split-point offset in indx_insert_into_buffer()
   - bounds check to run_get_highest_vcn()
   - fileattr_get() and fileattr_set() support
   - zero stale pagecache beyond valid data length
   - handle delayed allocation overlap in run lookup
   - validate lcns_follow in log_replay() conversion
   - cap RESTART_TABLE free-chain walker at rt-&gt;used
   - resize log-&gt;one_page_buf when adopting on-disk page size
   - reject direct userspace writes to reserved $LX* xattrs

  Fixed:
   - out-of-bounds read in decompress_lznt()
   - avoid -Wmaybe-uninitialized warnings
   - hold ni_lock across readdir metadata walk
   - preserve non-DOS attribute bits in system.dos_attrib
   - validate index entry key bounds
   - syncing wrong inode on DIRSYNC cross-directory rename
   - validate Dirty Page Table capacity in log_replay() copy_lcns
   - wrong LCN in run_remove_range() when splitting a run
   - allocate iomap inline_data using alloc_page
   - mount failure on 64K page-size kernels
   - out-of-bounds read in ntfs_dir_emit() and hdr_find_e()
   - bound attr_off in UpdateResidentValue against data_off
   - bound DeleteIndexEntryAllocation memmove length
   - bound copy_lcns dp-&gt;page_lcns[] index in analysis pass
   - bound NTFS_DE view.data_off in UpdateRecordData{Root,Allocation}
   - prevent potential lcn remains uninitialized

  Changed:
   - bound to_move in indx_insert_into_root() before hdr_insert_head()
   - call _ntfs_bad_inode() when failing to rename
   - fold resident writeback into writepages loop
   - force waiting for direct I/O completion
   - fold file size handling into ntfs_set_size()
   - reject SEEK_DATA and SEEK_HOLE past EOF early
   - format code, add descriptive comments and remove non-useful"

* tag 'ntfs3_for_7.2' of https://github.com/Paragon-Software-Group/linux-ntfs3: (34 commits)
  ntfs3: reject direct userspace writes to reserved $LX* xattrs
  fs/ntfs3: resize log-&gt;one_page_buf when adopting on-disk page size
  fs/ntfs3: prevent potential lcn remains uninitialized
  ntfs3: cap RESTART_TABLE free-chain walker at rt-&gt;used
  fs/ntfs3: bound NTFS_DE view.data_off in UpdateRecordData{Root,Allocation}
  fs/ntfs3: validate lcns_follow in log_replay conversion
  fs/ntfs3: bound copy_lcns dp-&gt;page_lcns[] index in analysis pass
  fs/ntfs3: bound DeleteIndexEntryAllocation memmove length
  fs/ntfs3: bound attr_off in UpdateResidentValue against data_off
  ntfs3: fix out-of-bounds read in ntfs_dir_emit() and hdr_find_e()
  fs/ntfs3: fix mount failure on 64K page-size kernels
  ntfs3: avoid another -Wmaybe-uninitialized warning
  ntfs3: Allocate iomap inline_data using alloc_page
  fs/ntfs3: format code, deal with comments
  fs/ntfs3: reject SEEK_DATA and SEEK_HOLE past EOF early
  fs/ntfs3: fold file size handling into ntfs_set_size()
  fs/ntfs3: force waiting for direct I/O completion
  fs/ntfs3: fold resident writeback into writepages loop
  fs/ntfs3: handle delayed allocation overlap in run lookup
  fs/ntfs3: zero stale pagecache beyond valid data length
  ...
</content>
</entry>
<entry>
<title>Merge tag 'vfs-7.2-rc1.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs</title>
<updated>2026-06-14T22:29:45+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-14T22:29:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=7e0e7bd60d4a812b694c477716597fcb038b00cb'/>
<id>urn:sha1:7e0e7bd60d4a812b694c477716597fcb038b00cb</id>
<content type='text'>
Pull misc vfs updates from Christian Brauner:
 "Features:

   - Reduce pipe-&gt;mutex contention by pre-allocating pages outside the
     lock in anon_pipe_write().

     anon_pipe_write() called alloc_page() once per page while holding
     pipe-&gt;mutex. The allocation can sleep doing direct reclaim and runs
     memcg charging, which extends the critical section and stalls any
     concurrent reader on the same mutex. Now up to 8 pages are
     pre-allocated before the mutex is taken, leftovers are recycled
     into the per-pipe tmp_page[] cache before unlock, and any remainder
     is released after unlock, keeping the allocator out of the critical
     section on both sides. On a writers x readers sweep with 64KB
     writes against a 1 MB pipe throughput improves 6-28% and average
     write latency drops 5-22%; under memory pressure - when the cost of
     holding the mutex across reclaim is highest - throughput improves
     21-48% and latency drops 17-33%. The microbenchmark is added to
     selftests.

   - uaccess/sockptr: fix the ignored_trailing logic in
     copy_struct_to_user() to behave as documented and the usize check
     in copy_struct_from_sockptr() for user pointers, and add
     copy_struct_{from,to}_bounce_buffer() and copy_struct_to_sockptr()
     helpers for upcoming users (IPPROTO_SMBDIRECT, IPPROTO_QUIC).

   - bpf: add a sleepable bpf_real_inode() kfunc that resolves the real
     inode backing a dentry via d_real_inode(). On overlayfs the inode
     attached to the dentry doesn't carry the underlying device
     information; this is used by the filesystem restriction BPF program
     that was merged into systemd.

   - docs: add guidelines for submitting new filesystems, motivated by
     the maintenance burden abandoned and untestable filesystems impose
     on VFS developers, blocking infrastructure work like folio
     conversions and iomap migration.

  Fixes:

   - libfs: set SB_I_NOEXEC and SB_I_NODEV by default in init_pseudo()
     and drop the now-redundant assignments in callers. This began as a
     one-line dma-buf fix for a path_noexec() warning; a pseudo
     filesystem has no reason not to set SB_I_NOEXEC. All init_pseudo()
     callers were audited: the only visible effect is on dma-buf where
     SB_I_NOEXEC silences the warning.

   - Handle set_blocksize() failures in legacy filesystems (bfs, hpfs,
     qnx4, jfs, befs, affs, isofs, minix, ntfs3, omfs). Mounting a
     device with a sector size &gt; PAGE_SIZE crashed roughly half of them;
     the rest had the same missing error handling pattern. Plus a
     follow-up releasing the superblock buffer_head when setting the
     minix v3 block size fails.

   - mount: honour SB_NOUSER in the new mount API.

   - fs/fcntl: fix a SOFTIRQ-unsafe lock order in fasync signaling by
     switching the process-group paths of send_sigio() and send_sigurg()
     from read_lock(&amp;tasklist_lock) to RCU, matching the single-PID
     path.

   - vfs: add an FS_USERNS_DELEGATABLE flag and set it for NFS, fixing
     delegated NFS mounts (fsopen() in a container with the mount
     performed by a privileged daemon) that broke when non-init
     s_user_ns was tied to FS_USERNS_MOUNT.

   - selftests/namespaces: fix a hang in nsid_test where an unreaped
     grandchild kept the TAP pipe write-end open, a waitpid(-1) race in
     listns_efault_test, and a false FAIL on kernels without listns()
     where the tests should SKIP.

   - filelock: fix the break_lease() stub signature for
     CONFIG_FILE_LOCKING=n.

   - init/initramfs_test: wait for the async initramfs unpacking before
     running; the test and do_populate_rootfs() share the parser state.

   - fs/coredump: reduce redundant log noise in
     validate_coredump_safety().

   - iomap: pass the correct length to fserror_report_io() in
     __iomap_write_begin().

   - backing-file: fix the backing_file_open() kerneldoc.

  Cleanups:

   - initramfs: refactor the cpio hex header parsing to use hex2bin()
     instead of the hand-rolled simple_strntoul() which is reverted, and
     extend the initramfs KUnit tests to cover header fields with 0x
     prefixes.

   - Replace __get_free_pages() and friends with kmalloc()/kzalloc()
     across quota, proc, ocfs2/dlm, nilfs2, nfs, nfsd, libfs, jfs, jbd2,
     isofs, fuse, select, namespace, configfs, binfmt_misc, bfs, and the
     do_mounts init code - part of the larger work of replacing page
     allocator calls with kmalloc().

   - Use clear_and_wake_up_bit() in unlock_buffer() and
     journal_end_buffer_io_sync() instead of open-coding the sequence.

   - Drop unused VFS exports: unexport drop_super_exclusive(), remove
     start_removing_user_path_at(), and fold __start_removing_path()
     into start_removing_path().

   - fs/read_write: narrow the __kernel_write() export with
     EXPORT_SYMBOL_FOR_MODULES().

   - vfs: uapi: retire octal and hex constants in favor of (1 &lt;&lt; n) for
     the O_ flags. Finding a free bit for a new flag across the
     architectures was needlessly hard with the mixed bases.

   - dcache: add extra sanity checks of dead dentries in dentry_free()
     via a new DENTRY_WARN_ONCE() that also prints d_flags.

   - iov_iter: use kmemdup_array() in dup_iter() to harden the
     allocation against multiplication overflow.

   - fs/pipe: write to -&gt;poll_usage only once.

   - vfs: remove an always-taken if-branch in find_next_fd().

   - dcache: use kmalloc_flex() for struct external_name in __d_alloc().

   - namei: use QSTR() instead of QSTR_INIT() in path_pts().

   - sync_file_range: delete dead S_ISLNK code.

   - Comment fixes: retire a stale comment in fget_task_next() and fix
     assorted spelling mistakes"

* tag 'vfs-7.2-rc1.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (73 commits)
  backing-file: fix backing_file_open() kerneldoc parameter
  iomap: pass the correct len to fserror_report_io in __iomap_write_begin
  vfs: add FS_USERNS_DELEGATABLE flag and set it for NFS
  filelock: fix break_lease() stub signature for CONFIG_FILE_LOCKING=n
  vfs: uapi: retire octal and hex numbers in favor of (1 &lt;&lt; n) for O_ flags
  bpf: add bpf_real_inode() kfunc
  fs/read_write: Do not export __kernel_write() to the entire world
  libfs: drop redundant SB_I_NOEXEC/SB_I_NODEV in init_pseudo() callers
  libfs: set SB_I_NOEXEC and SB_I_NODEV by default in init_pseudo()
  mount: honour SB_NOUSER in the new mount API
  fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
  selftests/pipe: add pipe_bench microbenchmark
  fs/pipe: pre-allocate pages outside pipe-&gt;mutex in anon_pipe_write
  fs: retire stale comment in fget_task_next()
  fs: fix spelling mistakes in comment
  bfs: replace get_zeroed_page() with kzalloc()
  binfmt_misc: replace __get_free_page() with kmalloc()
  configfs: replace __get_free_pages() with kzalloc()
  fs/namespace: use __getname() to allocate mntpath buffer
  fs/select: replace __get_free_page() with kmalloc()
  ...
</content>
</entry>
<entry>
<title>ntfs3: reject direct userspace writes to reserved $LX* xattrs</title>
<updated>2026-06-10T10:37:10+00:00</updated>
<author>
<name>Konstantin Komarov</name>
<email>almaz.alexandrovich@paragon-software.com</email>
</author>
<published>2026-06-10T10:31:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5b08dccecf825cbf905f348bc6ccb497507e28e2'/>
<id>urn:sha1:5b08dccecf825cbf905f348bc6ccb497507e28e2</id>
<content type='text'>
NTFS3 uses $LXUID, $LXGID, $LXMOD and $LXDEV as internal WSL
permission metadata and reloads them into i_uid, i_gid and i_mode
from ntfs_get_wsl_perm().

Because the empty-prefix xattr handler also lets file owners call
setxattr() on these names directly, an unprivileged writer on a
writable ntfs3 mount can plant root ownership and S_ISUID on their own
file and gain euid 0 after inode reload.

Reject direct userspace writes to the reserved $LX* names. Internal
ntfs3 metadata updates are unchanged because ntfs_save_wsl_perm()
writes them via ntfs_set_ea() directly.

Signed-off-by: Zhen Yan &lt;sdjasjbuaa@gmail.com&gt;
[almaz.alexandrovich@paragon-software.com: added an additional check for non-privileged users]
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>fs/ntfs3: resize log-&gt;one_page_buf when adopting on-disk page size</title>
<updated>2026-06-10T10:37:09+00:00</updated>
<author>
<name>Jamie Nguyen</name>
<email>jamien@nvidia.com</email>
</author>
<published>2026-06-05T04:19:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5a35454179fe1041d9cd286f5d320ce0d448c12a'/>
<id>urn:sha1:5a35454179fe1041d9cd286f5d320ce0d448c12a</id>
<content type='text'>
log_replay() allocates log-&gt;one_page_buf using the page size that was
chosen from the host PAGE_SIZE:

	log-&gt;one_page_buf = kmalloc(log-&gt;page_size, GFP_NOFS);

Later, when a restart area is found, the log page size recorded on disk
is adopted:

	t32 = le32_to_cpu(log-&gt;rst_info.r_page-&gt;sys_page_size);
	if (log-&gt;page_size != t32) {
		log-&gt;l_size = log-&gt;orig_file_size;
		log-&gt;page_size = norm_file_page(t32, &amp;log-&gt;l_size,
						t32 == DefaultLogPageSize);
	}

If the on-disk page size is larger than the size used for the initial
allocation, log-&gt;page_size grows but one_page_buf is left at its
original, smaller size. A subsequent unaligned read_log_page() then
reads log-&gt;page_size bytes into the undersized scratch buffer:

	page_buf = page_off ? log-&gt;one_page_buf : *buffer;
	err = ntfs_read_run_nb_ra(ni-&gt;mi.sbi, &amp;ni-&gt;file.run, page_vbo, page_buf,
				  log-&gt;page_size, NULL, &amp;log-&gt;read_ahead);

overflowing the allocation. This is reachable when mounting a dirty
NTFS volume whose log was formatted with a page size larger than the
buffer initially allocated on the mounting host (for example a 64K-log
volume mounted on a host that allocated a 4K scratch buffer).

Grow one_page_buf when the adopted on-disk page size exceeds the size
used for the initial allocation. On krealloc() failure the original
buffer is left intact and freed by the existing error path.

Fixes: b46acd6a6a627 ("fs/ntfs3: Add NTFS journal")
Reported-by: Carol L Soto &lt;csoto@nvidia.com&gt;
Signed-off-by: Jamie Nguyen &lt;jamien@nvidia.com&gt;
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>fs/ntfs3: prevent potential lcn remains uninitialized</title>
<updated>2026-06-10T10:36:51+00:00</updated>
<author>
<name>Edward Adam Davis</name>
<email>eadavis@qq.com</email>
</author>
<published>2026-05-26T08:08:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=57ac2831c8e0f168090d38e3de758c6a59db44db'/>
<id>urn:sha1:57ac2831c8e0f168090d38e3de758c6a59db44db</id>
<content type='text'>
The target VCN being sought was not found within runs[0], causing
run_lookup() to return false. This causes run_lookup_entry() to return
false, which in turn results in a len value of 0, and the new parameter
passed to attr_data_get_block() is NULL. Collectively, these factors
ultimately cause attr_data_get_block_locked() to exit prematurely without
initializing lcn, thereby triggering [1].

To prevent [1], the clen check within ni_seek_data_or_hole() has been
moved to occur before the lcn check.

[1]
BUG: KMSAN: uninit-value in ni_seek_data_or_hole+0x24f/0x5f0 fs/ntfs3/frecord.c:2862
 ni_seek_data_or_hole+0x24f/0x5f0 fs/ntfs3/frecord.c:2862
 ntfs_llseek+0x22a/0x4a0 fs/ntfs3/file.c:1530
 vfs_llseek fs/read_write.c:391 [inline]

Fixes: c61326967728 ("fs/ntfs3: implement llseek SEEK_DATA/SEEK_HOLE by scanning data runs")
Reported-by: syzbot+c2cfe997245202e46f10@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c2cfe997245202e46f10
Signed-off-by: Edward Adam Davis &lt;eadavis@qq.com&gt;
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>ntfs3: cap RESTART_TABLE free-chain walker at rt-&gt;used</title>
<updated>2026-06-09T07:54:04+00:00</updated>
<author>
<name>Michael Bommarito</name>
<email>michael.bommarito@gmail.com</email>
</author>
<published>2026-05-17T23:41:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9611f644302c07d21bc8af97e3e06a3d30064253'/>
<id>urn:sha1:9611f644302c07d21bc8af97e3e06a3d30064253</id>
<content type='text'>
A crafted NTFS3 disk image triggers an in-kernel infinite loop at
mount time, hanging the mounting thread and firing the soft-lockup
watchdog within ~22s on multi-CPU hosts (panic with
kernel.softlockup_panic=1).  The bug is reachable from desktop USB
auto-mount on distributions where udisks2 routes the NTFS signature
to the in-tree ntfs3 driver (Arch family and an increasing fraction
of Fedora / openSUSE / RHEL deployments); CAP_SYS_ADMIN-class manual
mount elsewhere.

check_rstbl()'s second walker iterates the free-entry singly-linked
list headed by rt-&gt;first_free with no upper bound on iteration count:

  for (off = ff; off;) {
      if (off == RESTART_ENTRY_ALLOCATED)
          return false;
      off = le32_to_cpu(*(__le32 *)Add2Ptr(rt, off));
      if (off &gt; ts - sizeof(__le32))
          return false;
  }

The existing guards cover three exits: end-of-list (off == 0), the
in-use marker (off == RESTART_ENTRY_ALLOCATED), and out-of-bounds
(off &gt; ts - sizeof(__le32)).  None of the three prevents an
in-bounds cycle.

A crafted on-disk RESTART_TABLE whose free chain contains a
self-loop or A-&gt;B-&gt;A cycle whose offsets satisfy:

  - in range [sizeof(struct RESTART_TABLE), ts - sizeof(__le32)]
  - (off - sizeof(struct RESTART_TABLE)) % rsize == 0

passes all existing guards and spins the mount-time thread forever.
Reproduced in UML by hand-forging a 2 MB NTFS3 image whose journal
RESTART_TABLE first_free = 0x18 and whose entry at offset 0x18
stores 0x18 as its next pointer; mount of the forged image with
the in-tree ntfs3 driver never returns.

Bound the walker by rt-&gt;used.  Each entry on a legitimate free
chain is unique, and the total slot count is
ne = le16_to_cpu(rt-&gt;used).  A traversal that visits more than ne
slots is by construction malformed; reject it as a corrupt RESTART_TABLE.

After this patch, mount of the forged image returns with -EINVAL
and a log_replay failure message, and mkntfs-produced legitimate
images mount cleanly (verified in the same UML harness).

Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito &lt;michael.bommarito@gmail.com&gt;
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>fs/ntfs3: bound NTFS_DE view.data_off in UpdateRecordData{Root,Allocation}</title>
<updated>2026-06-09T07:53:43+00:00</updated>
<author>
<name>Michael Bommarito</name>
<email>michael.bommarito@gmail.com</email>
</author>
<published>2026-05-19T09:51:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=3e127829e57f5190f612412ece4541cb96d5ec7a'/>
<id>urn:sha1:3e127829e57f5190f612412ece4541cb96d5ec7a</id>
<content type='text'>
In do_action()'s UpdateRecordDataRoot (fslog.c:3489) and
UpdateRecordDataAllocation (fslog.c:3697) cases, the memmove
destination is `Add2Ptr(e, le16_to_cpu(e-&gt;view.data_off))`,
where e-&gt;view.data_off comes from an on-disk NTFS_DE inside
an INDEX_ROOT or INDEX_BUFFER.  Neither case validates
view.data_off + dlen against e-&gt;size; the existing
check_if_index_root / check_if_alloc_index helpers walk the
entry chain and validate the entry's offset, but not its
internal view fields.

The neighbouring read sites (e.g., fs/ntfs3/index.c when
iterating view entries) check view.data_off + view.data_size
&lt;= e-&gt;size.  Apply the same bound at the two memmove sites.

Reproduced under UML+KASAN on mainline 8d90b09e6741 via
pr_warn-only probe instrumentation: with view.data_off forced
to 0xFFFC, the memmove writes 32 bytes past the end of the
NTFS_DE.

This is similar in shape to Pavitra Jha's 2026-05-02 patch
"fs/ntfs3: prevent oob in case UpdateRecordDataRoot"
(&lt;20260502105008.21827-1-jhapavitra98@gmail.com&gt;) which
proposes calling ntfs3_bad_de_range(); that helper does not
exist in mainline.  This patch uses inline checks.

Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal")
Cc: stable@vger.kernel.org
Reported-by: Pavitra Jha &lt;jhapavitra98@gmail.com&gt;
Closes: https://lore.kernel.org/ntfs3/20260502105008.21827-1-jhapavitra98@gmail.com/
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito &lt;michael.bommarito@gmail.com&gt;
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>fs/ntfs3: validate lcns_follow in log_replay conversion</title>
<updated>2026-06-03T14:37:03+00:00</updated>
<author>
<name>Konstantin Komarov</name>
<email>almaz.alexandrovich@paragon-software.com</email>
</author>
<published>2026-06-01T08:57:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6a4c53a2e26a865565bd6a460961e8d6fcb32329'/>
<id>urn:sha1:6a4c53a2e26a865565bd6a460961e8d6fcb32329</id>
<content type='text'>
log_replay() converts DIR_PAGE_ENTRY_32 records into DIR_PAGE_ENTRY
records when replaying version 0 restart tables.

During this conversion, the memmove() length is derived directly from
the on-disk lcns_follow field:

	memmove(&amp;dp-&gt;vcn, &amp;dp0-&gt;vcn_low,
		2 * sizeof(u64) +
				le32_to_cpu(dp-&gt;lcns_follow) * sizeof(u64));

check_rstbl() validates restart table structure, but does not constrain
per-entry lcns_follow values relative to the entry size. A malformed
filesystem image can provide an oversized lcns_follow value, causing
the conversion memmove() to access memory beyond the bounds of the
allocated restart table buffer.

The same field is later used to bound iteration over page_lcns[],
so validating lcns_follow during conversion also prevents downstream
out-of-bounds access from the same malformed metadata.

Compute the maximum valid lcns_follow from the already-validated
restart table entry size and reject entries that exceed this bound.
Reuse the existing t16/t32 scratch variables already declared in
log_replay() to avoid introducing new declarations.

Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal")
Cc: stable@vger.kernel.org
Signed-off-by: Pavitra Jha &lt;jhapavitra98@gmail.com&gt;
[almaz.alexandrovich@paragon-software.com: fixed the conflicts]
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>fs/ntfs3: bound copy_lcns dp-&gt;page_lcns[] index in analysis pass</title>
<updated>2026-06-03T14:37:02+00:00</updated>
<author>
<name>Michael Bommarito</name>
<email>michael.bommarito@gmail.com</email>
</author>
<published>2026-05-15T16:34:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5e7b598660cfa8e5af172cf4c65cffc126333307'/>
<id>urn:sha1:5e7b598660cfa8e5af172cf4c65cffc126333307</id>
<content type='text'>
In log_replay()'s analysis pass, after find_dp() returns a
valid DIR_PAGE_ENTRY for the (target_attr, target_vcn) tuple,
the copy_lcns block walks lrh-&gt;lcns_follow further entries:

	t16 = le16_to_cpu(lrh-&gt;lcns_follow);
	for (i = 0; i &lt; t16; i++) {
	    size_t j = (size_t)(le64_to_cpu(lrh-&gt;target_vcn) -
	                        le64_to_cpu(dp-&gt;vcn));
	    dp-&gt;page_lcns[j + i] = lrh-&gt;page_lcns[i];
	}

find_dp() only validates that target_vcn falls within
[dp-&gt;vcn, dp-&gt;vcn + dp-&gt;lcns_follow), i.e., that the FIRST
cluster is covered.  The walk through the further entries is
not bounded against dp-&gt;lcns_follow.  For a malformed LRH
where target_vcn = dp-&gt;vcn + dp-&gt;lcns_follow - 1 and
lrh-&gt;lcns_follow &gt; 1, the i &gt; 0 writes overflow the dp's
allocated page_lcns[] array.

Add the missing j + lrh-&gt;lcns_follow &lt;= dp-&gt;lcns_follow guard.

Reproduced under UML+KASAN on mainline 8d90b09e6741 as a
slab-out-of-bounds write of size 8 from log_replay+0x68d4 on
the mount path.

This is distinct from Pavitra Jha's 2026-05-02 patch
("fs/ntfs3: validate lcns_follow in log_replay conversion",
&lt;20260502154252.164586-1-jhapavitra98@gmail.com&gt;) which
addresses the separate version-0 dirty-page-table conversion
path's memmove(&amp;dp-&gt;vcn, ...) call.  The two fixes are
complementary; both should land.

Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito &lt;michael.bommarito@gmail.com&gt;
[almaz.alexandrovich@paragon-software.com: clang-formatted the changes,
fixed conflicts]
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
<entry>
<title>fs/ntfs3: bound DeleteIndexEntryAllocation memmove length</title>
<updated>2026-06-03T14:37:02+00:00</updated>
<author>
<name>Konstantin Komarov</name>
<email>almaz.alexandrovich@paragon-software.com</email>
</author>
<published>2026-06-02T13:21:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=fc4626bb3656362de8b0ecd56605d47a19ec3518'/>
<id>urn:sha1:fc4626bb3656362de8b0ecd56605d47a19ec3518</id>
<content type='text'>
In do_action()'s DeleteIndexEntryAllocation case, e-&gt;size comes
from an on-disk INDEX_BUFFER entry.  When e-&gt;size makes
e + e-&gt;size point past hdr + hdr-&gt;used,
PtrOffset(e1, Add2Ptr(hdr, used)) returns a negative ptrdiff_t
that is silently cast to a quasi-infinite size_t when passed
to memmove().  The memmove then walks past the destination
buffer.

The sibling DeleteIndexEntryRoot case at fslog.c:3540-3543
already carries the corresponding guard:

	if (PtrOffset(e1, Add2Ptr(hdr, used)) &lt; esize ||
	    Add2Ptr(e, esize) &gt; Add2Ptr(lrh, rec_len) ||
	    used + esize &gt; le32_to_cpu(hdr-&gt;total)) {
		goto dirty_vol;
	}

Apply the same shape to the allocation-path case.  Also reject
esize == 0: memmove(e, e, ...) is a no-op and leaves
hdr-&gt;used unchanged, hiding a malformed entry from the
existing check_index_header() walk.

Reproduced under UML+KASAN on mainline 8d90b09e6741 by
mounting a crafted NTFS image: the unguarded memmove takes a
length of 0xffffffffffffff00 and the kernel oopses in
memmove+0x81/0x1a0 on the do_action+0x36a2 frame.

Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito &lt;michael.bommarito@gmail.com&gt;
[almaz.alexandrovich@paragon-software.com: clang-formatted the changes]
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
</content>
</entry>
</feed>
