Commit 4c2ed2a3 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'ntfs-for-7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/ntfs 

Pull ntfs fixes from Namjae Jeon:

 - Fix a NULL pointer dereference in ntfs_index_walk_down() by
   validating index block allocation

 - Fix a memory leak of the symlink target string in
   ntfs_reparse_set_wsl_symlink() during error paths

 - Prevent VCN overflow and validate lowest_vcn in
   ntfs_mapping_pairs_decompress() to avoid runlist corruption

 - Fix a page reference leak in ntfs_write_iomap_end_resident()
   when attribute search context allocation fails

 - Fix an invalid PTR_ERR() usage on a valid folio pointer in
   __ntfs_bitmap_set_bits_in_run()

 - Correct directory link counting by dropping nlink only when
   the MFT record link count reaches zero for WIN32/DOS aliases

 - Fix an uninitialized variable in ntfs_mapping_pairs_decompress()
   by returning an error pointer directly

* tag 'ntfs-for-7.1-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/ntfs:
  ntfs: Use return instead of goto in ntfs_mapping_pairs_decompress()
  ntfs: drop nlink once for WIN32/DOS aliases
  ntfs: fix invalid PTR_ERR() usage in __ntfs_bitmap_set_bits_in_run()
  ntfs: fix error handling in ntfs_write_iomap_end_resident()
  ntfs: fix VCN overflow in ntfs_mapping_pairs_decompress()
  ntfs: fix WSL symlink target leak on reparse failure
  ntfs: fix NULL dereference in ntfs_index_walk_down()
parents f1a5e78a 9e935407

fs/ntfs/bitmap.c

+11 −8
Original line number Diff line number Diff line
@@ -125,7 +125,7 @@ int __ntfs_bitmap_set_bits_in_run(struct inode *vi, const s64 start_bit, 
	struct address_space *mapping;

	struct folio *folio;

	u8 *kaddr;

	int pos, len;

	int pos, len, err;

	u8 bit;

	struct ntfs_inode *ni = NTFS_I(vi);

	struct ntfs_volume *vol = ni->vol;
@@ -201,8 +201,10 @@ int __ntfs_bitmap_set_bits_in_run(struct inode *vi, const s64 start_bit, 


	/* If we are not in the last page, deal with all subsequent pages. */

	while (index < end_index) {

		if (cnt <= 0)

		if (cnt <= 0) {

			err = -EIO;

			goto rollback;

		}



		/* Update @index and get the next folio. */

		folio_mark_dirty(folio);
@@ -214,6 +216,7 @@ int __ntfs_bitmap_set_bits_in_run(struct inode *vi, const s64 start_bit, 
			ntfs_error(vi->i_sb,

				   "Failed to map subsequent page (error %li), aborting.",

				   PTR_ERR(folio));

			err = PTR_ERR(folio);

			goto rollback;

		}
@@ -265,7 +268,7 @@ int __ntfs_bitmap_set_bits_in_run(struct inode *vi, const s64 start_bit, 
	 *	- @count - @cnt is the number of bits that have been modified

	 */

	if (is_rollback)

		return PTR_ERR(folio);

		return err;

	if (count != cnt)

		pos = __ntfs_bitmap_set_bits_in_run(vi, start_bit, count - cnt,

				value ? 0 : 1, true);
@@ -274,14 +277,14 @@ int __ntfs_bitmap_set_bits_in_run(struct inode *vi, const s64 start_bit, 
	if (!pos) {

		/* Rollback was successful. */

		ntfs_error(vi->i_sb,

			"Failed to map subsequent page (error %li), aborting.",

			PTR_ERR(folio));

			"Failed to map subsequent page (error %i), aborting.",

			err);

	} else {

		/* Rollback failed. */

		ntfs_error(vi->i_sb,

			"Failed to map subsequent page (error %li) and rollback failed (error %i). Aborting and leaving inconsistent metadata. Unmount and run chkdsk.",

			PTR_ERR(folio), pos);

			"Failed to map subsequent page (error %i) and rollback failed (error %i). Aborting and leaving inconsistent metadata. Unmount and run chkdsk.",

			err, pos);

		NVolSetErrors(NTFS_SB(vi->i_sb));

	}

	return PTR_ERR(folio);

	return err;

}

fs/ntfs/dir.c

+10 −3
Original line number Diff line number Diff line
@@ -911,8 +911,8 @@ static int ntfs_readdir(struct file *file, struct dir_context *actor) 


	if (next->flags & INDEX_ENTRY_NODE) {

		next = ntfs_index_walk_down(next, ictx);

		if (!next) {

			err = -EIO;

		if (IS_ERR(next)) {

			err = PTR_ERR(next);

			goto out;

		}

	}
@@ -920,7 +920,14 @@ static int ntfs_readdir(struct file *file, struct dir_context *actor) 
	if (next && !(next->flags & INDEX_ENTRY_END))

		goto nextdir;



	while ((next = ntfs_index_next(next, ictx)) != NULL) {

	while (1) {

		next = ntfs_index_next(next, ictx);

		if (IS_ERR(next)) {

			err = PTR_ERR(next);

			goto out;

		}

		if (!next)

			break;

nextdir:

		/* Check the consistency of an index entry */

		if (ntfs_index_entry_inconsistent(ictx, vol, next, COLLATION_FILE_NAME,

fs/ntfs/index.c

+13 −4
Original line number Diff line number Diff line
@@ -1969,15 +1969,19 @@ int ntfs_index_remove(struct ntfs_inode *dir_ni, const void *key, const u32 keyl 
struct index_entry *ntfs_index_walk_down(struct index_entry *ie, struct ntfs_index_context *ictx)

{

	struct index_entry *entry;

	struct index_block *ib;

	s64 vcn;



	entry = ie;

	do {

		vcn = ntfs_ie_get_vcn(entry);

		if (ictx->is_in_root) {

			ib = kvzalloc(ictx->block_size, GFP_NOFS);

			if (!ib)

				return ERR_PTR(-ENOMEM);

			/* down from level zero */

			ictx->ir = NULL;

			ictx->ib = kvzalloc(ictx->block_size, GFP_NOFS);

			ictx->ib = ib;

			ictx->pindex = 1;

			ictx->is_in_root = false;

		} else {
@@ -1991,8 +1995,8 @@ struct index_entry *ntfs_index_walk_down(struct index_entry *ie, struct ntfs_ind 
			ictx->entry = ntfs_ie_get_first(&ictx->ib->index);

			entry = ictx->entry;

		} else

			entry = NULL;

	} while (entry && (entry->flags & INDEX_ENTRY_NODE));

			entry = ERR_PTR(-EIO);

	} while (!IS_ERR(entry) && (entry->flags & INDEX_ENTRY_NODE));



	return entry;

}
@@ -2097,10 +2101,15 @@ struct index_entry *ntfs_index_next(struct index_entry *ie, struct ntfs_index_co 


		/* walk down if it has a subnode */

		if (flags & INDEX_ENTRY_NODE) {

			if (!ictx->ia_ni)

			if (!ictx->ia_ni) {

				ictx->ia_ni = ntfs_ia_open(ictx, ictx->idx_ni);

				if (!ictx->ia_ni)

					return ERR_PTR(-EIO);

			}



			next = ntfs_index_walk_down(next, ictx);

			if (IS_ERR(next))

				return next;

		} else {



			/* walk up it has no subnode, nor data */

fs/ntfs/iomap.c

+3 −3
Original line number Diff line number Diff line
@@ -788,8 +788,7 @@ static int ntfs_write_iomap_end_resident(struct inode *inode, loff_t pos, 
	ctx = ntfs_attr_get_search_ctx(ni, NULL);

	if (!ctx) {

		written = -ENOMEM;

		mutex_unlock(&ni->mrec_lock);

		return written;

		goto err_out;

	}



	err = ntfs_attr_lookup(ni->type, ni->name, ni->name_len,
@@ -810,6 +809,7 @@ static int ntfs_write_iomap_end_resident(struct inode *inode, loff_t pos, 
	memcpy(kattr + pos, iomap_inline_data(iomap, pos), written);

	mark_mft_record_dirty(ctx->ntfs_ino);

err_out:

	if (ctx)

		ntfs_attr_put_search_ctx(ctx);

	put_page(ipage);

	mutex_unlock(&ni->mrec_lock);

fs/ntfs/namei.c

+11 −2
Original line number Diff line number Diff line
@@ -945,6 +945,7 @@ static int ntfs_delete(struct ntfs_inode *ni, struct ntfs_inode *dir_ni, 


	ni_mrec = actx->base_mrec ? actx->base_mrec : actx->mrec;

	ni_mrec->link_count = cpu_to_le16(le16_to_cpu(ni_mrec->link_count) - 1);

	if (!S_ISDIR(VFS_I(ni)->i_mode))

		drop_nlink(VFS_I(ni));



	mark_mft_record_dirty(ni);
@@ -955,6 +956,13 @@ static int ntfs_delete(struct ntfs_inode *ni, struct ntfs_inode *dir_ni, 
		goto search;

	}



	/*

	 * For directories, Drop VFS nlink only when mft record link count

	 * becomes zero. Because we fixes VFS nlink to 1 for directories.

	 */

	if (S_ISDIR(VFS_I(ni)->i_mode) && !le16_to_cpu(ni_mrec->link_count))

		drop_nlink(VFS_I(ni));



	/*

	 * If hard link count is not equal to zero then we are done. In other

	 * case there are no reference to this inode left, so we should free all
@@ -1221,6 +1229,7 @@ static int __ntfs_link(struct ntfs_inode *ni, struct ntfs_inode *dir_ni, 
	}

	/* Increment hard links count. */

	ni_mrec->link_count = cpu_to_le16(le16_to_cpu(ni_mrec->link_count) + 1);

	if (!S_ISDIR(vi->i_mode))

		inc_nlink(VFS_I(ni));



	/* Done! */