From: Eric Naim <dnaim@cachyos.org>
To: Namjae Jeon <linkinjeon@kernel.org>,
	Hyunchul Lee <hyc.lee@gmail.com>,
	Richard Cochran <richardcochran@gmail.com>,
	Nathan Chancellor <nathan@kernel.org>,
	Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
	Bill Wendling <morbo@google.com>,
	Justin Stitt <justinstitt@google.com>
Cc: Eric Naim <dnaim@cachyos.org>,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	netdev@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH] ntfs: Avoid NULL pointer dereference in ntfs_iomap_submit_read()
Date: Thu, 23 Apr 2026 18:41:18 +0800	[thread overview]
Message-ID: <20260423104119.414765-1-dnaim@cachyos.org> (raw)

ctx->read_ctx can be NULL when ntfs_iomap_submit_read() is called, leading
to the trace below:

[   44.977614] BUG: kernel NULL pointer dereference, address: 0000000000000040
[   44.977617] #PF: supervisor write access in kernel mode
[   44.977618] #PF: error_code(0x0002) - not-present page
[   44.977619] PGD 0 P4D 0
[   44.977621] Oops: Oops: 0002 [#1] SMP
[   44.977623] CPU: 0 UID: 1000 PID: 5010 Comm: pool-4 Kdump: loaded Tainted: G     U     OE       7.0.1-1-cachyos-bmq-hakuu-tlto-gdc7bc3c05102 #7 PREEMPT(full)  c202625180654aea7fdad2184acc19b9c28ed6ee
[   44.977626] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[   44.977626] Hardware name: ASUSTeK COMPUTER INC. ASUS TUF Gaming F16 FX607JV_FX607JV/FX607JV, BIOS FX607JV.316 10/13/2025
[   44.977627] RIP: 0010:ntfs_swap_activate.llvm.1224280209124021557+0x2d/0x3c0 [ntfs]
[   44.977631] Code: fa 0f 1f 44 00 00 48 c7 c1 78 76 93 a2 e9 2b 2d cc de cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 48 8b 7f 18 <48> c7 47 40 60 04 aa a2 e9 56 c9 fd de cc cc cc cc cc cc f3 0f 1e
[   44.977632] RSP: 0018:ffffc90023c27648 EFLAGS: 00010282
[   44.977633] RAX: ffffffffa2aa0440 RBX: ffffc90023c27758 RCX: 0000000000001000
[   44.977634] RDX: 0000000000001000 RSI: 0000000006f20000 RDI: 0000000000000000
[   44.977635] RBP: 0000000006f20000 R08: 0000000000000000 R09: ffffc90023c27680
[   44.977636] R10: 0000000000000009 R11: 0000000006f203ff R12: ffffc90023c27650
[   44.977637] R13: ffffea000810e0c0 R14: ffffffffa2937678 R15: ffffc90023c27658
[   44.977638] FS:  00007fffa7fff6c0(0000) GS:ffff888d29052000(0000) knlGS:0000000000000000
[   44.977639] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   44.977640] CR2: 0000000000000040 CR3: 0000000160320004 CR4: 0000000000f72ef0
[   44.977641] PKRU: 55555554
[   44.977641] Call Trace:
[   44.977642]  <TASK>
[   44.977643]  iomap_read_folio+0xe2/0x180
[   44.977647]  ntfs_read_folio.llvm.1224280209124021557+0x69/0xe0 [ntfs df169bf55ac22e619ebd511d6378b3aa21a54f15]
[   44.977650]  do_read_cache_folio.llvm.11351189850855672942+0x1a9/0x310
[   44.977652]  ? cleanup_module+0x1f0/0x1f0 [fat f3f47899f717abaf282870f380e376f623b66fa1]
[   44.977654]  ntfs_mft_record_alloc+0x8df/0x2bd0 [ntfs df169bf55ac22e619ebd511d6378b3aa21a54f15]
[   44.977657]  ntfs_get_parent.llvm.15803940035981701475+0x569/0x1780 [ntfs df169bf55ac22e619ebd511d6378b3aa21a54f15]
[   44.977659]  ? kmem_cache_alloc_noprof+0x187/0x420
[   44.977660]  ntfs_create.llvm.15803940035981701475+0x106/0x170 [ntfs df169bf55ac22e619ebd511d6378b3aa21a54f15]
[   44.977662]  path_openat+0x541/0xdb0
[   44.977664]  do_file_open+0xd7/0x190
[   44.977666]  do_sys_openat2+0x76/0xe0
[   44.977668]  __x64_sys_openat+0x80/0xa0
[   44.977669]  do_syscall_64+0xf8/0x350
[   44.977671]  ? do_statx_fd+0x100/0x140
[   44.977672]  ? ext4_listxattr+0x1d9/0x200
[   44.977674]  ? listxattr+0xfe/0x150
[   44.977675]  ? __x64_sys_flistxattr+0x7a/0xa0
[   44.977677]  ? do_syscall_64+0x133/0x350
[   44.977678]  ? __x64_sys_flistxattr+0x7a/0xa0
[   44.977679]  ? do_syscall_64+0x133/0x350
[   44.977681]  ? rcu_report_qs_rdp+0xca/0x180
[   44.977683]  ? sched_clock+0x10/0x20
[   44.977684]  ? sched_clock_cpu+0x10/0x190
[   44.977685]  ? irqtime_account_irq+0x28/0xa0
[   44.977687]  ? do_syscall_64+0x133/0x350
[   44.977688]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[   44.977689] RIP: 0033:0x7ffff58b00e2
[   44.977713] Code: 08 0f 85 b1 3d ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66
[   44.977714] RSP: 002b:00007fffa7ffd8c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   44.977715] RAX: ffffffffffffffda RBX: 00007fffa00db6a0 RCX: 00007ffff58b00e2
[   44.977716] RDX: 00000000000800c1 RSI: 00007fffa00db940 RDI: ffffffffffffff9c
[   44.977716] RBP: 00007fffa0069970 R08: 0000000000000000 R09: 0000000000000000
[   44.977717] R10: 00000000000001a4 R11: 0000000000000246 R12: 00007fffa0068f10
[   44.977717] R13: 0000000000000000 R14: 00007fffa7ffdb90 R15: 00005555580ea620
[   44.977719]  </TASK>
[   44.977719] Modules linked in: uinput(E) ccm(E) rfcomm(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) nft_masq(E) nft_ct(E) veth(E) nft_reject_ipv4(E) nf_reject_ipv4(E) nft_reject(E) act_csum(E) cls_u32(E) sch_htb(E) nf_conntrack_netlink(E) xt_nat(E) xt_tcpudp(E) xt_conntrack(E) xt_MASQUERADE(E) bridge(E) stp(E) llc(E) xfrm_user(E) xfrm_algo(E) tun(E) xt_set(E) ip_set(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) xt_addrtype(E) nft_compat(E) x_tables(E) nf_tables(E) overlay(E) cdc_ncm(E) cdc_ether(E) usbnet(E) mii(E) ipheth(E) vmnet(OE) cmac(E) algif_hash(E) algif_skcipher(E) af_alg(E) bnep(E) nls_utf8(E) vfat(E) ntfs(E) fat(E) hid_logitech_hidpp(E) uvcvideo(E) uvc(E) btusb(E) videobuf2_vmalloc(E) btmtk(E) videobuf2_memops(E) btrtl(E) videobuf2_v4l2(E) btbcm(E) videobuf2_common(E) btintel(E) apple_mfi_fastcharge(E) videodev(E) bluetooth(E) snd_hda_codec_intelhdmi(E) snd_sof_pci_intel_tgl(E) snd_sof_pci_intel_cnl(E) snd_sof_intel_hda_generic(E) soundwire_intel(E)
[   44.977739]  snd_sof_intel_hda_sdw_bpt(E) snd_sof_intel_hda_common(E) snd_soc_hdac_hda(E) intel_uncore_frequency(E) snd_sof_intel_hda_mlink(E) intel_uncore_frequency_common(E) intel_tcc_cooling(E) snd_sof_intel_hda(E) soundwire_cadence(E) x86_pkg_temp_thermal(E) snd_sof_pci(E) intel_powerclamp(E) snd_sof_xtensa_dsp(E) coretemp(E) snd_sof(E) iwlmld(E) snd_sof_utils(E) snd_soc_acpi_intel_match(E) snd_soc_acpi_intel_sdca_quirks(E) snd_hda_codec_alc269(E) ucsi_acpi(E) soundwire_generic_allocation(E) mac80211(E) snd_hda_codec_realtek_lib(E) snd_soc_sdw_utils(E) typec_ucsi(E) snd_hda_scodec_component(E) kvm_intel(E) snd_soc_acpi(E) ptp(E) typec(E) snd_hda_codec_generic(E) soundwire_bus(E) pps_core(E) roles(E) spd5118(E) mei_hdcp(E) mei_pxp(E) intel_rapl_msr(E) asus_nb_wmi(E) libarc4(E) snd_hda_codec_nvhdmi(E) snd_soc_sdca(E) snd_hda_codec_hdmi(E) kvm(E) crc8(E) irqbypass(E) snd_soc_avs(E) ghash_clmulni_intel(E) aesni_intel(E) snd_soc_hda_codec(E) processor_thermal_device_pci(E) gf128mul(E) asus_armoury(E)
[   44.977755]  snd_hda_ext_core(E) snd_hda_intel(E) rapl(E) processor_thermal_device(E) snd_hda_codec(E) snd_usb_audio(E) intel_cstate(E) processor_thermal_power_floor(E) iwlwifi(E) firmware_attributes_class(E) r8169(E) snd_soc_core(E) snd_usbmidi_lib(E) snd_hda_core(E) processor_thermal_wt_hint(E) spi_nor(E) processor_thermal_wt_req(E) asus_wmi(E) snd_ump(E) snd_hda_scodec_cs35l41_spi(E) realtek(E) snd_intel_dspcfg(E) ac97_bus(E) intel_uncore(E) mousedev(E) joydev(E) sparse_keymap(E) wmi_bmof(E) pcspkr(E) mtd(E) nvidia_wmi_ec_backlight(E) snd_rawmidi(E) processor_thermal_rfim(E) snd_hda_scodec_cs35l41_i2c(E) hid_logitech_dj(E) snd_pcm_dmaengine(E) mdio_devres(E) snd_intel_sdw_acpi(E) cfg80211(E) processor_thermal_mbox(E) i2c_i801(E) snd_seq_device(E) snd_hda_scodec_cs35l41(E) snd_compress(E) snd_hwdep(E) libphy(E) platform_temperature_control(E) snd_soc_cs_amp_lib(E) i2c_smbus(E) snd_pcm(E) processor_thermal_rapl(E) i2c_mux(E) snd_soc_cs35l41_lib(E) mdio_bus(E) uas(E) snd_timer(E) cs_dsp(E) rfkill(E)
[   44.977771]  intel_rapl_common(E) mei_me(E) snd(E) processor_thermal_soc_slider(E) mei(E) hid_cmedia(E) usb_storage(E) mc(E) soundcore(E) platform_profile(E) serial_multi_instantiate(E) intel_pmc_core(E) intel_pmc_ssram_telemetry(E) pmt_telemetry(E) int3400_thermal(E) pmt_discovery(E) int3403_thermal(E) thunderbolt(E) pmt_class(E) pinctrl_alderlake(E) int340x_thermal_zone(E) acpi_thermal_rel(E) acpi_pad(E) acpi_tad(E) mac_hid(E) tcp_bbr(E) sch_cake(E) vmmon(OE) sg(E) vmw_vmci(E) ntsync(E) dm_mod(E) i2c_dev(E) pkcs8_key_parser(E) crypto_user(E) nfnetlink(E) zram(E) 842_decompress(E) 842_compress(E) lz4hc_compress(E) lz4_compress(E) xe(E) nvme(E) nvme_core(E) nvidia_drm(OE) intel_vsec(E) nvme_keyring(E) drm_gpusvm_helper(E) nvme_auth(E) nvidia_uvm(OE) drm_suballoc_helper(E) hkdf(E) gpu_sched(E) nvidia_modeset(OE) drm_gpuvm(E) drm_exec(E) i2c_algo_bit(E) drm_display_helper(E) intel_lpss_pci(E) spi_intel_pci(E) cec(E) intel_lpss(E) spi_intel(E) idma64(E) drm_buddy(E) serio_raw(E) nvidia(OE) drm_ttm_helper(E) video(E)
[   44.977790]  wmi(E) ttm(E)
[   44.977791] Unloaded tainted modules: acpi_cpufreq(E):1 fjes(E):2 ie31200_edac(E):1
[   44.977793] CR2: 0000000000000040
[   44.977795] ---[ end trace 0000000000000000 ]---

Return early if it is NULL.

Fixes: 8b4064e6146e ("ntfs: zero out stale data in straddle block beyond initialized_size")
Signed-off-by: Eric Naim <dnaim@cachyos.org>
---
 fs/ntfs/aops.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/ntfs/aops.c b/fs/ntfs/aops.c
index 1fbf832ad165..f39b6eda251e 100644
--- a/fs/ntfs/aops.c
+++ b/fs/ntfs/aops.c
@@ -41,6 +41,9 @@ static void ntfs_iomap_bio_submit_read(const struct iomap_iter *iter,
 	struct iomap_read_folio_ctx *ctx)
 {
 	struct bio *bio = ctx->read_ctx;
+	if (!bio)
+		return;
+
 	bio->bi_end_io = ntfs_iomap_read_end_io;
 	submit_bio(bio);
 }
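Review bot: The early return added above `bio->bi_end_io = ...` fixes the crash but leaves the reader with no idea why `ctx->read_ctx` can be NULL on entry, so a one-line comment should accompany it, e.g. `/* No bio was built for this folio, so there is nothing to submit. */` — if NULL instead means the path introduced by the Fixes commit skipped allocating a bio, the call site rather than this callback is presumably the right place to fix. Kernel style also wants a blank line between the `struct bio *bio = ctx->read_ctx;` declaration and the new `if (!bio)`, which checkpatch will flag. The Subject and description refer to `ntfs_iomap_submit_read()` while the hunk header shows the function is `ntfs_iomap_bio_submit_read()`; the commit message should use the real name. The function's signature line sits just above the hunk, visible only in the `@@` header context.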
-- 
2.54.0

