Commit 679ee5af authored by DaeMyung Kang, committed by Namjae Jeon

ntfs: fix MFT bitmap scan 2^32 boundary check



NTFS MFT record numbers are limited to the 32-bit range, and
ntfs_mft_record_layout() rejects mft_no >= 2^32.  The free-MFT-record
bitmap scan in ntfs_mft_bitmap_find_and_alloc_free_rec_nolock() also
guards against this overflow but uses a strict greater than comparison,
allowing record number 2^32 itself through this earlier check.

Every other 2^32 boundary check in fs/ntfs/mft.c uses '>=', so the
strict greater than here is both a real off-by-one and an internal
inconsistency.  A model with ll == 2^32 confirms the current check
accepts the value while the corrected check rejects it.

Use '>=' so the boundary matches the layout-time rejection and the
surrounding bitmap-scan checks.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
parent 6098790c
+1 −1
@@ -1064,7 +1064,7 @@ static s64 ntfs_mft_bitmap_find_and_alloc_free_rec_nolock(struct ntfs_volume *vo
				b = ffz((unsigned long)*byte);
				if (b < 8 && b >= (bit & 7)) {
					ll = data_pos + (bit & ~7ull) + b;
					if (unlikely(ll > (1ll << 32))) {
					if (unlikely(ll >= (1ll << 32))) {
						folio_unlock(folio);
						kunmap_local(buf);
						folio_put(folio);
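Review bot: the corrected test `ll >= (1ll << 32)` still spells the record-number limit as a bare shifted literal right after `ll = data_pos + (bit & ~7ull) + b`, which makes it easy for one site to drift from the others, as this one did. Consider a named constant for the first invalid MFT record number, shared with ntfs_mft_record_layout() and the surrounding bitmap-scan checks, and a one-line comment stating that the bound is exclusive. The commit message cites a model with ll == 2^32, but the patch carries no test for that boundary; adding one would guard the check against regressing.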