Message-ID: <14b2ae23-2f7b-401a-dcee-cc6114849022@paragon-software.com>
Date: Thu, 26 May 2022 13:22:27 +0300
Subject: Re: [PATCH] fs/ntfs3: fix null pointer dereference in d_flags_for_inode
To: Liangbin Lian
References: <20220506034656.50038-1-jjm2473@gmail.com>
From: Almaz Alexandrovich
In-Reply-To: <20220506034656.50038-1-jjm2473@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello.

Thank you for reporting this bug.
The bug happens because we don't initialize i_op for records in $Extend.
We tested the patch on our side, let me know if the patch helps you too.

fs/ntfs3: Fix missing i_op in ntfs_read_mft

There is a null pointer dereference because i_op == NULL.
The bug happens because we don't initialize i_op for records in $Extend.

Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Reported-by: Liangbin Lian
Signed-off-by: Konstantin Komarov
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index 879952254071..b2cc1191be69 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -430,6 +430,7 @@ static struct inode *ntfs_read_mft(struct inode *inode,
 	} else if (fname && fname->home.low == cpu_to_le32(MFT_REC_EXTEND) &&
 		   fname->home.seq == cpu_to_le16(MFT_REC_EXTEND)) {
 		/* Records in $Extend are not a files or general directories. */
+		inode->i_op = &ntfs_file_inode_operations;
 	} else {
 		err = -EINVAL;
 		goto out;

On 5/6/22 06:46, Liangbin Lian wrote:
> ntfs_read_mft may return inode with null i_op, cause null pointer dereference in d_flags_for_inode (inode->i_op->get_link).
> Reproduce:
> - sudo mount -t ntfs3 -o loop ntfs.img ntfs
> - ls ntfs/'$Extend/$Quota'
>
> The call trace is shown below (striped):
> BUG: kernel NULL pointer dereference, address: 0000000000000008
> CPU: 0 PID: 577 Comm: ls Tainted: G OE 5.16.0-0.bpo.4-amd64 #1 Debian 5.16.12-1~bpo11+1
> RIP: 0010:d_flags_for_inode+0x65/0x90
> Call Trace:
> ntfs_lookup
> +--- dir_search_u
> |    +--- ntfs_iget5
> |         +--- ntfs_read_mft
> +--- d_splice_alias
>      +--- __d_add
>           +--- d_flags_for_inode
>
> Signed-off-by: Liangbin Lian
> ---
>  fs/ntfs3/inode.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
> index 9eab11e3b..b68d26fa8 100644
> --- a/fs/ntfs3/inode.c
> +++ b/fs/ntfs3/inode.c
> @@ -45,7 +45,6 @@ static struct inode *ntfs_read_mft(struct inode *inode,
>  	struct MFT_REC *rec;
>  	struct runs_tree *run;
>  
> -	inode->i_op = NULL;
>  	/* Setup 'uid' and 'gid' */
>  	inode->i_uid = sbi->options->fs_uid;
>  	inode->i_gid = sbi->options->fs_gid;
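Review bot: on the hunk in the reply's fix, the added `inode->i_op = &ntfs_file_inode_operations;` sits directly under a comment saying records in $Extend are not files or general directories, yet it hands them the file operations table, and nothing else is assigned in that branch; a one-line comment stating that only a non-NULL i_op is needed here (d_flags_for_inode() reads i_op->get_link on every non-directory inode the lookup returns) would keep the next reader from "correcting" it back, and it is worth confirming in the same branch that i_fop is set to something that fails cleanly, since the reproducer shows these entries are reachable through a normal lookup and so can also be opened. While there, the context comment reads "are not a files"; "are not files" is meant.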
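Review bot: on the quoted hunk, deleting `inode->i_op = NULL;` removes the reset but adds no assignment for the $Extend case, so those records still leave ntfs_read_mft() carrying whatever value the VFS inode allocator left in i_op rather than an operations table chosen by the filesystem, and any other record type that reaches the end of the function without selecting an i_op silently inherits that value instead of being caught; the missing store belongs in the $Extend branch (as the reply's version does), and the explicit NULL at the top of the function is better kept so that an unhandled record type shows up as a hard failure rather than as a half-initialised inode.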