From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 394C51170E for ; Mon, 21 Aug 2023 19:54:41 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 82AD1C433C9; Mon, 21 Aug 2023 19:54:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1692647681; bh=hxLfyn0pQUNRfI3j8a/PWMJVgOTjKQvg6wZeNvfzlTI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=yd7WsCuVR5jejgCpDbslD7GLbOJTaZCIWb73vLWhXSNq6y7WXE2fBaVEVLaD0DHsa kpR0lfJ0ygPtJZEcIo/vXJbJ5tkGHfu+EgHPCLYOPh0bd9G1wTxXkmp18g+x8AZNmB 86JdDq/Y+3d0l0i3ZGRajSmR22xjt5cfCcRTkJ0E= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Jia-Ju Bai , Konstantin Komarov , Sasha Levin Subject: [PATCH 6.1 062/194] fs: ntfs3: Fix possible null-pointer dereferences in mi_read() Date: Mon, 21 Aug 2023 21:40:41 +0200 Message-ID: <20230821194125.495349092@linuxfoundation.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230821194122.695845670@linuxfoundation.org> References: <20230821194122.695845670@linuxfoundation.org> User-Agent: quilt/0.67 Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Jia-Ju Bai [ Upstream commit 97498cd610c0d030a7bd49a7efad974790661162 ] In a previous commit 2681631c2973 ("fs/ntfs3: Add null pointer check to attr_load_runs_vcn"), ni can be NULL in attr_load_runs_vcn(), and thus it should be checked before being used. However, in the call stack of this commit, mft_ni in mi_read() is aliased with ni in attr_load_runs_vcn(), and it is also used in mi_read() at two places: mi_read() rw_lock = &mft_ni->file.run_lock -> No check attr_load_runs_vcn(mft_ni, ...) ni (namely mft_ni) is checked in the previous commit attr_load_runs_vcn(..., &mft_ni->file.run) -> No check Thus, to avoid possible null-pointer dereferences, the related checks should be added. These bugs are reported by a static analysis tool implemented by myself, and they are found by extending a known bug fixed in the previous commit. Thus, they could be theoretical bugs. Signed-off-by: Jia-Ju Bai Signed-off-by: Konstantin Komarov Signed-off-by: Sasha Levin --- fs/ntfs3/record.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c index af1e4b364ea8e..07037ec773ac8 100644 --- a/fs/ntfs3/record.c +++ b/fs/ntfs3/record.c @@ -124,7 +124,7 @@ int mi_read(struct mft_inode *mi, bool is_mft) struct rw_semaphore *rw_lock = NULL; if (is_mounted(sbi)) { - if (!is_mft) { + if (!is_mft && mft_ni) { rw_lock = &mft_ni->file.run_lock; down_read(rw_lock); } @@ -148,7 +148,7 @@ int mi_read(struct mft_inode *mi, bool is_mft) ni_lock(mft_ni); down_write(rw_lock); } - err = attr_load_runs_vcn(mft_ni, ATTR_DATA, NULL, 0, &mft_ni->file.run, + err = attr_load_runs_vcn(mft_ni, ATTR_DATA, NULL, 0, run, vbo >> sbi->cluster_bits); if (rw_lock) { up_write(rw_lock); -- 2.40.1