Forwarded: [PATCH] ntfs3: prevent MFT inode resize operations

[syzbot <syzbot+3e58a7dc1a8c00243999@syzkaller.appspotmail.com>]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ntfs3: prevent MFT inode resize operations
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


The MFT (Master File Table) inode does not have its run_lock rwsem
initialized, as noted in ntfs_file_release(). When a truncate operation
is attempted on the MFT inode, ntfs_truncate() tries to acquire the
uninitialized run_lock, triggering a lockdep warning about using a
non-static key.

The MFT is a special system file that should not be resized by user
operations. Add a check in ntfs_setattr() to reject any size change
attempts on the MFT inode with -EPERM before reaching ntfs_truncate().

This is consistent with the existing design where ntfs_file_release()
explicitly skips operations on MFT due to the missing run_lock
initialization.

Reported-by: syzbot+3e58a7dc1a8c00243999@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3e58a7dc1a8c00243999
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/ntfs3/file.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c
index 4c90ec2fa2ea..2555850483c4 100644
--- a/fs/ntfs3/file.c
+++ b/fs/ntfs3/file.c
@@ -792,7 +792,13 @@ int ntfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
 
 	if (ia_valid & ATTR_SIZE) {
 		loff_t newsize, oldsize;
-
+		ntfs_warn(inode->i_sb,
+			   "DEBUG: Truncating inode %lu (MFT_REC_MFT is %d)",
+			    inode->i_ino, MFT_REC_MFT);
+		if (inode->i_ino == MFT_REC_MFT) {
+			err = -EPERM;
+			goto out;
+		}
 		if (WARN_ON(ni->ni_flags & NI_FLAG_COMPRESSED_MASK)) {
 			/* Should never be here, see ntfs_file_open(). */
 			err = -EOPNOTSUPP;
-- 
2.34.1