From: Eric Naim <dnaim@cachyos.org>
To: Namjae Jeon <linkinjeon@kernel.org>,
Hyunchul Lee <hyc.lee@gmail.com>,
Richard Cochran <richardcochran@gmail.com>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
Bill Wendling <morbo@google.com>,
Justin Stitt <justinstitt@google.com>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, llvm@lists.linux.dev
Subject: Re: [PATCH] ntfs: Avoid NULL pointer dereference in ntfs_iomap_submit_read()
Date: Thu, 23 Apr 2026 11:38:00 +0000 [thread overview]
Message-ID: <96fbbaf4-281c-4789-b170-4cee26bce011@cachyos.org> (raw)
In-Reply-To: <20260423104119.414765-1-dnaim@cachyos.org>
On 4/23/26 6:41 PM, Eric Naim wrote:
> ctx->read_ctx can be NULL when ntfs_iomap_submit_read is called, leading
> to the trace below:
>
> [ 44.977614] BUG: kernel NULL pointer dereference, address: 0000000000000040
> [ 44.977617] #PF: supervisor write access in kernel mode
> [ 44.977618] #PF: error_code(0x0002) - not-present page
> [ 44.977619] PGD 0 P4D 0
> [ 44.977621] Oops: Oops: 0002 [#1] SMP
> [ 44.977623] CPU: 0 UID: 1000 PID: 5010 Comm: pool-4 Kdump: loaded Tainted: G U OE 7.0.1-1-cachyos-bmq-hakuu-tlto-gdc7bc3c05102 #7 PREEMPT(full) c202625180654aea7fdad2184acc19b9c28ed6ee
> [ 44.977626] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
> [ 44.977626] Hardware name: ASUSTeK COMPUTER INC. ASUS TUF Gaming F16 FX607JV_FX607JV/FX607JV, BIOS FX607JV.316 10/13/2025
> [ 44.977627] RIP: 0010:ntfs_swap_activate.llvm.1224280209124021557+0x2d/0x3c0 [ntfs]
> [ 44.977631] Code: fa 0f 1f 44 00 00 48 c7 c1 78 76 93 a2 e9 2b 2d cc de cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 48 8b 7f 18 <48> c7 47 40 60 04 aa a2 e9 56 c9 fd de cc cc cc cc cc cc f3 0f 1e
> [ 44.977632] RSP: 0018:ffffc90023c27648 EFLAGS: 00010282
> [ 44.977633] RAX: ffffffffa2aa0440 RBX: ffffc90023c27758 RCX: 0000000000001000
> [ 44.977634] RDX: 0000000000001000 RSI: 0000000006f20000 RDI: 0000000000000000
> [ 44.977635] RBP: 0000000006f20000 R08: 0000000000000000 R09: ffffc90023c27680
> [ 44.977636] R10: 0000000000000009 R11: 0000000006f203ff R12: ffffc90023c27650
> [ 44.977637] R13: ffffea000810e0c0 R14: ffffffffa2937678 R15: ffffc90023c27658
> [ 44.977638] FS: 00007fffa7fff6c0(0000) GS:ffff888d29052000(0000) knlGS:0000000000000000
> [ 44.977639] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 44.977640] CR2: 0000000000000040 CR3: 0000000160320004 CR4: 0000000000f72ef0
> [ 44.977641] PKRU: 55555554
> [ 44.977641] Call Trace:
> [ 44.977642] <TASK>
> [ 44.977643] iomap_read_folio+0xe2/0x180
> [ 44.977647] ntfs_read_folio.llvm.1224280209124021557+0x69/0xe0 [ntfs df169bf55ac22e619ebd511d6378b3aa21a54f15]
> [ 44.977650] do_read_cache_folio.llvm.11351189850855672942+0x1a9/0x310
> [ 44.977652] ? cleanup_module+0x1f0/0x1f0 [fat f3f47899f717abaf282870f380e376f623b66fa1]
> [ 44.977654] ntfs_mft_record_alloc+0x8df/0x2bd0 [ntfs df169bf55ac22e619ebd511d6378b3aa21a54f15]
> [ 44.977657] ntfs_get_parent.llvm.15803940035981701475+0x569/0x1780 [ntfs df169bf55ac22e619ebd511d6378b3aa21a54f15]
> [ 44.977659] ? kmem_cache_alloc_noprof+0x187/0x420
> [ 44.977660] ntfs_create.llvm.15803940035981701475+0x106/0x170 [ntfs df169bf55ac22e619ebd511d6378b3aa21a54f15]
> [ 44.977662] path_openat+0x541/0xdb0
> [ 44.977664] do_file_open+0xd7/0x190
> [ 44.977666] do_sys_openat2+0x76/0xe0
> [ 44.977668] __x64_sys_openat+0x80/0xa0
> [ 44.977669] do_syscall_64+0xf8/0x350
> [ 44.977671] ? do_statx_fd+0x100/0x140
> [ 44.977672] ? ext4_listxattr+0x1d9/0x200
> [ 44.977674] ? listxattr+0xfe/0x150
> [ 44.977675] ? __x64_sys_flistxattr+0x7a/0xa0
> [ 44.977677] ? do_syscall_64+0x133/0x350
> [ 44.977678] ? __x64_sys_flistxattr+0x7a/0xa0
> [ 44.977679] ? do_syscall_64+0x133/0x350
> [ 44.977681] ? rcu_report_qs_rdp+0xca/0x180
> [ 44.977683] ? sched_clock+0x10/0x20
> [ 44.977684] ? sched_clock_cpu+0x10/0x190
> [ 44.977685] ? irqtime_account_irq+0x28/0xa0
> [ 44.977687] ? do_syscall_64+0x133/0x350
> [ 44.977688] entry_SYSCALL_64_after_hwframe+0x4b/0x53
> [ 44.977689] RIP: 0033:0x7ffff58b00e2
> [ 44.977713] Code: 08 0f 85 b1 3d ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66
> [ 44.977714] RSP: 002b:00007fffa7ffd8c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
> [ 44.977715] RAX: ffffffffffffffda RBX: 00007fffa00db6a0 RCX: 00007ffff58b00e2
> [ 44.977716] RDX: 00000000000800c1 RSI: 00007fffa00db940 RDI: ffffffffffffff9c
> [ 44.977716] RBP: 00007fffa0069970 R08: 0000000000000000 R09: 0000000000000000
> [ 44.977717] R10: 00000000000001a4 R11: 0000000000000246 R12: 00007fffa0068f10
> [ 44.977717] R13: 0000000000000000 R14: 00007fffa7ffdb90 R15: 00005555580ea620
> [ 44.977719] </TASK>
> [ 44.977719] Modules linked in: uinput(E) ccm(E) rfcomm(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) nft_masq(E) nft_ct(E) veth(E) nft_reject_ipv4(E) nf_reject_ipv4(E) nft_reject(E) act_csum(E) cls_u32(E) sch_htb(E) nf_conntrack_netlink(E) xt_nat(E) xt_tcpudp(E) xt_conntrack(E) xt_MASQUERADE(E) bridge(E) stp(E) llc(E) xfrm_user(E) xfrm_algo(E) tun(E) xt_set(E) ip_set(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) xt_addrtype(E) nft_compat(E) x_tables(E) nf_tables(E) overlay(E) cdc_ncm(E) cdc_ether(E) usbnet(E) mii(E) ipheth(E) vmnet(OE) cmac(E) algif_hash(E) algif_skcipher(E) af_alg(E) bnep(E) nls_utf8(E) vfat(E) ntfs(E) fat(E) hid_logitech_hidpp(E) uvcvideo(E) uvc(E) btusb(E) videobuf2_vmalloc(E) btmtk(E) videobuf2_memops(E) btrtl(E) videobuf2_v4l2(E) btbcm(E) videobuf2_common(E) btintel(E) apple_mfi_fastcharge(E) videodev(E) bluetooth(E) snd_hda_codec_intelhdmi(E) snd_sof_pci_intel_tgl(E) snd_sof_pci_intel_cnl(E) snd_sof_intel_hda_generic(E) soundwire_intel(E)
> [ 44.977739] snd_sof_intel_hda_sdw_bpt(E) snd_sof_intel_hda_common(E) snd_soc_hdac_hda(E) intel_uncore_frequency(E) snd_sof_intel_hda_mlink(E) intel_uncore_frequency_common(E) intel_tcc_cooling(E) snd_sof_intel_hda(E) soundwire_cadence(E) x86_pkg_temp_thermal(E) snd_sof_pci(E) intel_powerclamp(E) snd_sof_xtensa_dsp(E) coretemp(E) snd_sof(E) iwlmld(E) snd_sof_utils(E) snd_soc_acpi_intel_match(E) snd_soc_acpi_intel_sdca_quirks(E) snd_hda_codec_alc269(E) ucsi_acpi(E) soundwire_generic_allocation(E) mac80211(E) snd_hda_codec_realtek_lib(E) snd_soc_sdw_utils(E) typec_ucsi(E) snd_hda_scodec_component(E) kvm_intel(E) snd_soc_acpi(E) ptp(E) typec(E) snd_hda_codec_generic(E) soundwire_bus(E) pps_core(E) roles(E) spd5118(E) mei_hdcp(E) mei_pxp(E) intel_rapl_msr(E) asus_nb_wmi(E) libarc4(E) snd_hda_codec_nvhdmi(E) snd_soc_sdca(E) snd_hda_codec_hdmi(E) kvm(E) crc8(E) irqbypass(E) snd_soc_avs(E) ghash_clmulni_intel(E) aesni_intel(E) snd_soc_hda_codec(E) processor_thermal_device_pci(E) gf128mul(E) asus_armoury(E)
> [ 44.977755] snd_hda_ext_core(E) snd_hda_intel(E) rapl(E) processor_thermal_device(E) snd_hda_codec(E) snd_usb_audio(E) intel_cstate(E) processor_thermal_power_floor(E) iwlwifi(E) firmware_attributes_class(E) r8169(E) snd_soc_core(E) snd_usbmidi_lib(E) snd_hda_core(E) processor_thermal_wt_hint(E) spi_nor(E) processor_thermal_wt_req(E) asus_wmi(E) snd_ump(E) snd_hda_scodec_cs35l41_spi(E) realtek(E) snd_intel_dspcfg(E) ac97_bus(E) intel_uncore(E) mousedev(E) joydev(E) sparse_keymap(E) wmi_bmof(E) pcspkr(E) mtd(E) nvidia_wmi_ec_backlight(E) snd_rawmidi(E) processor_thermal_rfim(E) snd_hda_scodec_cs35l41_i2c(E) hid_logitech_dj(E) snd_pcm_dmaengine(E) mdio_devres(E) snd_intel_sdw_acpi(E) cfg80211(E) processor_thermal_mbox(E) i2c_i801(E) snd_seq_device(E) snd_hda_scodec_cs35l41(E) snd_compress(E) snd_hwdep(E) libphy(E) platform_temperature_control(E) snd_soc_cs_amp_lib(E) i2c_smbus(E) snd_pcm(E) processor_thermal_rapl(E) i2c_mux(E) snd_soc_cs35l41_lib(E) mdio_bus(E) uas(E) snd_timer(E) cs_dsp(E) rfkill(E)
> [ 44.977771] intel_rapl_common(E) mei_me(E) snd(E) processor_thermal_soc_slider(E) mei(E) hid_cmedia(E) usb_storage(E) mc(E) soundcore(E) platform_profile(E) serial_multi_instantiate(E) intel_pmc_core(E) intel_pmc_ssram_telemetry(E) pmt_telemetry(E) int3400_thermal(E) pmt_discovery(E) int3403_thermal(E) thunderbolt(E) pmt_class(E) pinctrl_alderlake(E) int340x_thermal_zone(E) acpi_thermal_rel(E) acpi_pad(E) acpi_tad(E) mac_hid(E) tcp_bbr(E) sch_cake(E) vmmon(OE) sg(E) vmw_vmci(E) ntsync(E) dm_mod(E) i2c_dev(E) pkcs8_key_parser(E) crypto_user(E) nfnetlink(E) zram(E) 842_decompress(E) 842_compress(E) lz4hc_compress(E) lz4_compress(E) xe(E) nvme(E) nvme_core(E) nvidia_drm(OE) intel_vsec(E) nvme_keyring(E) drm_gpusvm_helper(E) nvme_auth(E) nvidia_uvm(OE) drm_suballoc_helper(E) hkdf(E) gpu_sched(E) nvidia_modeset(OE) drm_gpuvm(E) drm_exec(E) i2c_algo_bit(E) drm_display_helper(E) intel_lpss_pci(E) spi_intel_pci(E) cec(E) intel_lpss(E) spi_intel(E) idma64(E) drm_buddy(E) serio_raw(E) nvidia(OE) drm_ttm_helper(E) video(E)
> [ 44.977790] wmi(E) ttm(E)
> [ 44.977791] Unloaded tainted modules: acpi_cpufreq(E):1 fjes(E):2 ie31200_edac(E):1
> [ 44.977793] CR2: 0000000000000040
> [ 44.977795] ---[ end trace 0000000000000000 ]---
>
> Return early if it is NULL.
>
> Fixes: 8b4064e6146e ("ntfs: zero out stale data in straddle block beyond initialized_size")
> Signed-off-by: Eric Naim <dnaim@cachyos.org>
> ---
> fs/ntfs/aops.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/ntfs/aops.c b/fs/ntfs/aops.c
> index 1fbf832ad165..f39b6eda251e 100644
> --- a/fs/ntfs/aops.c
> +++ b/fs/ntfs/aops.c
> @@ -41,6 +41,9 @@ static void ntfs_iomap_bio_submit_read(const struct iomap_iter *iter,
> struct iomap_read_folio_ctx *ctx)
> {
> struct bio *bio = ctx->read_ctx;
> + if (!bio)
> + return;
> +
> bio->bi_end_io = ntfs_iomap_read_end_io;
> submit_bio(bio);
> }
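Review bot: the early return added before `bio->bi_end_io = ntfs_iomap_read_end_io;` / `submit_bio(bio);` silently drops the read instead of surfacing the bug: those two lines are the only thing that completes the folio read, so a NULL read_ctx now leaves the read unfinished with no error or warning, which hides whichever caller handed in a ctx without a bio. Prefer to track down how a ctx with read_ctx == NULL reaches this function (the follow-up in this thread says it cannot after 19fb5f978075), or at minimum make the condition visible with a WARN_ON_ONCE(!bio) rather than a bare return. Also, the subject and commit message name ntfs_iomap_submit_read() while the hunk changes ntfs_iomap_bio_submit_read(); the two should match.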
Argh, sorry for the noise. This is impossible because of 19fb5f978075. Please
disregard this.
--
Regards,
Eric
Thread overview:
2026-04-23 10:41 [PATCH] ntfs: Avoid NULL pointer dereference in ntfs_iomap_submit_read() Eric Naim
2026-04-23 11:38 ` Eric Naim [this message]