6.2-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 13 May 2023 09:28:09 +0000 (18:28 +0900)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 13 May 2023 09:28:09 +0000 (18:28 +0900)
added patches:
fs-ntfs3-fix-null-ptr-deref-on-inode-i_op-in-ntfs_lookup.patch
fs-ntfs3-refactoring-of-various-minor-issues.patch

queue-6.2/fs-ntfs3-fix-null-ptr-deref-on-inode-i_op-in-ntfs_lookup.patch [new file with mode: 0644]
queue-6.2/fs-ntfs3-refactoring-of-various-minor-issues.patch [new file with mode: 0644]
queue-6.2/series

diff --git a/queue-6.2/fs-ntfs3-fix-null-ptr-deref-on-inode-i_op-in-ntfs_lookup.patch b/queue-6.2/fs-ntfs3-fix-null-ptr-deref-on-inode-i_op-in-ntfs_lookup.patch
new file mode 100644 (file)
index 0000000..120c25b
--- /dev/null
@@ -0,0 +1,76 @@
+From 254e69f284d7270e0abdc023ee53b71401c3ba0c Mon Sep 17 00:00:00 2001
+From: ZhangPeng <zhangpeng362@huawei.com>
+Date: Fri, 25 Nov 2022 10:21:59 +0000
+Subject: fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup()
+
+From: ZhangPeng <zhangpeng362@huawei.com>
+
+commit 254e69f284d7270e0abdc023ee53b71401c3ba0c upstream.
+
+Syzbot reported a null-ptr-deref bug:
+
+ntfs3: loop0: Different NTFS' sector size (1024) and media sector size
+(512)
+ntfs3: loop0: Mark volume as dirty due to NTFS errors
+general protection fault, probably for non-canonical address
+0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+RIP: 0010:d_flags_for_inode fs/dcache.c:1980 [inline]
+RIP: 0010:__d_add+0x5ce/0x800 fs/dcache.c:2796
+Call Trace:
+ <TASK>
+ d_splice_alias+0x122/0x3b0 fs/dcache.c:3191
+ lookup_open fs/namei.c:3391 [inline]
+ open_last_lookups fs/namei.c:3481 [inline]
+ path_openat+0x10e6/0x2df0 fs/namei.c:3688
+ do_filp_open+0x264/0x4f0 fs/namei.c:3718
+ do_sys_openat2+0x124/0x4e0 fs/open.c:1310
+ do_sys_open fs/open.c:1326 [inline]
+ __do_sys_open fs/open.c:1334 [inline]
+ __se_sys_open fs/open.c:1330 [inline]
+ __x64_sys_open+0x221/0x270 fs/open.c:1330
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+If the MFT record of ntfs inode is not a base record, inode->i_op can be
+NULL. And a null-ptr-deref may happen:
+
+ntfs_lookup()
+    dir_search_u() # inode->i_op is set to NULL
+    d_splice_alias()
+        __d_add()
+            d_flags_for_inode() # inode->i_op->get_link null-ptr-deref
+
+Fix this by adding a Check on inode->i_op before calling the
+d_splice_alias() function.
+
+Fixes: 4342306f0f0d ("fs/ntfs3: Add file operations and implementation")
+Reported-by: syzbot+a8f26a403c169b7593fe@syzkaller.appspotmail.com
+Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Cc: Rudi Heitbaum <rudi@heitbaum.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/namei.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/ntfs3/namei.c
++++ b/fs/ntfs3/namei.c
+@@ -98,6 +98,16 @@ static struct dentry *ntfs_lookup(struct
+               inode = ERR_PTR(-EINVAL);
+       }
++      /*
++       * Check for a null pointer
++       * If the MFT record of ntfs inode is not a base record, inode->i_op can be NULL.
++       * This causes null pointer dereference in d_splice_alias().
++       */
++      if (!IS_ERR(inode) && inode->i_op == NULL) {
++              iput(inode);
++              inode = ERR_PTR(-EINVAL);
++      }
++
+       return d_splice_alias(inode, dentry);
+ }
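Review bot: The added guard `if (!IS_ERR(inode) && inode->i_op == NULL)` still dereferences `inode` when it is NULL, and `IS_ERR(NULL)` is false, so a NULL inode reaches `inode->i_op` directly. A NULL inode is the normal negative-lookup result for `d_splice_alias(NULL, dentry)`, so if `dir_search_u()` returns NULL for a name that does not exist (its return path is outside this hunk) every lookup of a missing file would oops with this patch applied on its own, replacing a crafted-image crash with one reachable by `stat()` of any absent name. The check should read `if (!IS_ERR_OR_NULL(inode) && !inode->i_op) {`, which is what the second patch queued in this same commit changes it to, so the two patches must land together and the series order must not be split. The body of ntfs_lookup() begins before this hunk.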
diff --git a/queue-6.2/fs-ntfs3-refactoring-of-various-minor-issues.patch b/queue-6.2/fs-ntfs3-refactoring-of-various-minor-issues.patch
new file mode 100644 (file)
index 0000000..a728eb3
--- /dev/null
@@ -0,0 +1,85 @@
+From 6827d50b2c430c329af442b64c9176d174f56521 Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Date: Fri, 30 Dec 2022 14:58:25 +0400
+Subject: fs/ntfs3: Refactoring of various minor issues
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+commit 6827d50b2c430c329af442b64c9176d174f56521 upstream.
+
+Removed unused macro.
+Changed null pointer checking.
+Fixed inconsistent indenting.
+
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Cc: Rudi Heitbaum <rudi@heitbaum.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/bitmap.c  |    3 ++-
+ fs/ntfs3/frecord.c |    2 +-
+ fs/ntfs3/fsntfs.c  |    6 ++++--
+ fs/ntfs3/namei.c   |    2 +-
+ fs/ntfs3/ntfs.h    |    3 ---
+ 5 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/ntfs3/bitmap.c
++++ b/fs/ntfs3/bitmap.c
+@@ -658,7 +658,8 @@ int wnd_init(struct wnd_bitmap *wnd, str
+       if (!wnd->bits_last)
+               wnd->bits_last = wbits;
+-      wnd->free_bits = kcalloc(wnd->nwnd, sizeof(u16), GFP_NOFS | __GFP_NOWARN);
++      wnd->free_bits =
++              kcalloc(wnd->nwnd, sizeof(u16), GFP_NOFS | __GFP_NOWARN);
+       if (!wnd->free_bits)
+               return -ENOMEM;
+--- a/fs/ntfs3/frecord.c
++++ b/fs/ntfs3/frecord.c
+@@ -1645,7 +1645,7 @@ struct ATTR_FILE_NAME *ni_fname_name(str
+ {
+       struct ATTRIB *attr = NULL;
+       struct ATTR_FILE_NAME *fname;
+-       struct le_str *fns;
++      struct le_str *fns;
+       if (le)
+               *le = NULL;
+--- a/fs/ntfs3/fsntfs.c
++++ b/fs/ntfs3/fsntfs.c
+@@ -2594,8 +2594,10 @@ static inline bool is_reserved_name(stru
+       if (len == 4 || (len > 4 && le16_to_cpu(name[4]) == '.')) {
+               port_digit = le16_to_cpu(name[3]);
+               if (port_digit >= '1' && port_digit <= '9')
+-                      if (!ntfs_cmp_names(name, 3, COM_NAME, 3, upcase, false) ||
+-                          !ntfs_cmp_names(name, 3, LPT_NAME, 3, upcase, false))
++                      if (!ntfs_cmp_names(name, 3, COM_NAME, 3, upcase,
++                                          false) ||
++                          !ntfs_cmp_names(name, 3, LPT_NAME, 3, upcase,
++                                          false))
+                               return true;
+       }
+--- a/fs/ntfs3/namei.c
++++ b/fs/ntfs3/namei.c
+@@ -93,7 +93,7 @@ static struct dentry *ntfs_lookup(struct
+        * If the MFT record of ntfs inode is not a base record, inode->i_op can be NULL.
+        * This causes null pointer dereference in d_splice_alias().
+        */
+-      if (!IS_ERR(inode) && inode->i_op == NULL) {
++      if (!IS_ERR_OR_NULL(inode) && !inode->i_op) {
+               iput(inode);
+               inode = ERR_PTR(-EINVAL);
+       }
+--- a/fs/ntfs3/ntfs.h
++++ b/fs/ntfs3/ntfs.h
+@@ -435,9 +435,6 @@ static inline u64 attr_svcn(const struct
+       return attr->non_res ? le64_to_cpu(attr->nres.svcn) : 0;
+ }
+-/* The size of resident attribute by its resident size. */
+-#define BYTES_PER_RESIDENT(b) (0x18 + (b))
+-
+ static_assert(sizeof(struct ATTRIB) == 0x48);
+ static_assert(sizeof(((struct ATTRIB *)NULL)->res) == 0x08);
+ static_assert(sizeof(((struct ATTRIB *)NULL)->nres) == 0x38);
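Review bot: The comment above the changed guard in fs/ntfs3/namei.c still only explains the NULL `i_op` case and says nothing about why a NULL `inode` is now skipped, so a reader cannot tell whether `IS_ERR_OR_NULL` is defensive widening or a real fix; adding ` * A NULL inode is the normal not-found result and is handled by d_splice_alias().` to that comment would make the intent clear. The commit message files this under "Changed null pointer checking" in a refactoring commit, but if the previous `!IS_ERR(inode)` form dereferenced NULL on negative lookups this hunk is a functional fix and would deserve a `Fixes: 254e69f284d7 ("fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup()")` trailer so backports pick it up together with that commit. The remaining hunks (line wraps in bitmap.c, frecord.c and fsntfs.c, and removal of the unused BYTES_PER_RESIDENT macro) are whitespace and dead-code cleanup with no behavioral effect. ntfs_lookup() starts and ends outside this hunk.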
index cb687139539a6226b1367df3602ed4c3c3cbde74..c1f6cd09196384e0204c5be85f731274883b4859 100644 (file)
@@ -206,3 +206,5 @@ drm-amd-add-a-new-helper-for-loading-validating-microcode.patch
 drm-amd-use-amdgpu_ucode_-helpers-for-mes.patch
 hid-wacom-set-a-default-resolution-for-older-tablets.patch
 hid-wacom-insert-timestamp-to-packed-bluetooth-bt-events.patch
+fs-ntfs3-fix-null-ptr-deref-on-inode-i_op-in-ntfs_lookup.patch
+fs-ntfs3-refactoring-of-various-minor-issues.patch