[PATCH] fs/ntfs3: Fix memory corruption when page_size changes

[PATCH] fs/ntfs3: Fix memory corruption when page_size changes

[Dom Cobley]

The rework in fs/ntfs3: Reduce stack usage
changes log->page_size but doesn't change the associated
log->page_mask and log->page_bits.

That results in the bytes value in read_log_page
getting a negative value, which is bad when it is
passed to memcpy.

The kernel panic can be observed when connecting an
ntfs formatted drive that has previously been connected
to a Windows machine to a Raspberry Pi 5, which by defauilt
uses a 16K kernel pagesize.

Fixes: 865e7a7700d9 ("fs/ntfs3: Reduce stack usage")
Signed-off-by: Dom Cobley <popcornmix@gmail.com>
---
 fs/ntfs3/fslog.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c
index 855519713bf79..b3b83565365e3 100644
--- a/fs/ntfs3/fslog.c
+++ b/fs/ntfs3/fslog.c
@@ -3906,6 +3906,8 @@ int log_replay(struct ntfs_inode *ni, bool *initialized)
 		log->l_size = log->orig_file_size;
 		log->page_size = norm_file_page(t32, &log->l_size,
 						t32 == DefaultLogPageSize);
+		log->page_mask = log->page_size - 1;
+		log->page_bits = blksize_bits(log->page_size);
 	}
 
 	if (log->page_size != t32 ||
-- 
2.34.1

Re: [PATCH] fs/ntfs3: Fix memory corruption when page_size changes

[popcorn mix]

On Fri, Jun 14, 2024 at 4:55 PM Dom Cobley <popcornmix@gmail.com> wrote:
> The kernel panic can be observed when connecting an
> ntfs formatted drive that has previously been connected
> to a Windows machine to a Raspberry Pi 5, which by defauilt
> uses a 16K kernel pagesize.

Here are links to some bug reports about the issue:
https://github.com/raspberrypi/linux/issues/6036
https://forum.libreelec.tv/thread/28620-libreelec-12-0-rpi5-and-ntfs-hdd-problem/?postID=192713#post192713
https://forums.raspberrypi.com/viewtopic.php?p=2203090#p2203090
https://forums.raspberrypi.com/viewtopic.php?t=367545

The common points are it occurs on the (default) 16K pagesize kernel,
but switching to 4K pagesize kernel
avoids the issue.

Issue wasn't present in previous RPiOS LTS kernel (6.1), but is
present in current LTS kernel (6.6).
Revering to 6.1 kernel avoids the issue.

I've confirmed that reverting the commit:
865e7a7700d9 ("fs/ntfs3: Reduce stack usage")

avoids the issue.

This patch avoids the issue for me, and I'd like confirmation it is correct.

Re: [PATCH] fs/ntfs3: Fix memory corruption when page_size changes

[Linux regression tracking (Thorsten Leemhuis)]

[CCing a few lists]

Hi, Thorsten here, the Linux kernel's regression tracker. Top-posting
for once, to make this easily accessible to everyone.

Konstantin, what's the status of this regression report or the patch Dom
Cobley propsed to fix the issue? From here it looks like it fall through
the cracks, but I might be missing something.

Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat)
--
Everything you wanna know about Linux kernel regression tracking:
https://linux-regtracking.leemhuis.info/about/#tldr
If I did something stupid, please tell me, as explained on that page.

#regzbot poke

On 14.06.24 18:24, popcorn mix wrote:
> On Fri, Jun 14, 2024 at 4:55 PM Dom Cobley <popcornmix@gmail.com> wrote:
>> The kernel panic can be observed when connecting an
>> ntfs formatted drive that has previously been connected
>> to a Windows machine to a Raspberry Pi 5, which by defauilt
>> uses a 16K kernel pagesize.
> 
> Here are links to some bug reports about the issue:
> https://github.com/raspberrypi/linux/issues/6036
> https://forum.libreelec.tv/thread/28620-libreelec-12-0-rpi5-and-ntfs-hdd-problem/?postID=192713#post192713
> https://forums.raspberrypi.com/viewtopic.php?p=2203090#p2203090
> https://forums.raspberrypi.com/viewtopic.php?t=367545
> 
> The common points are it occurs on the (default) 16K pagesize kernel,
> but switching to 4K pagesize kernel
> avoids the issue.
> 
> Issue wasn't present in previous RPiOS LTS kernel (6.1), but is
> present in current LTS kernel (6.6).
> Revering to 6.1 kernel avoids the issue.
> 
> I've confirmed that reverting the commit:
> 865e7a7700d9 ("fs/ntfs3: Reduce stack usage")
> 
> avoids the issue.
> 
> This patch avoids the issue for me, and I'd like confirmation it is correct.

Re: [PATCH] fs/ntfs3: Fix memory corruption when page_size changes

[Konstantin Komarov]

On 01.07.2024 15:53, Linux regression tracking (Thorsten Leemhuis) wrote:
> [CCing a few lists]
>
> Hi, Thorsten here, the Linux kernel's regression tracker. Top-posting
> for once, to make this easily accessible to everyone.
>
> Konstantin, what's the status of this regression report or the patch Dom
> Cobley propsed to fix the issue? From here it looks like it fall through
> the cracks, but I might be missing something.
>
> Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat)
> --
> Everything you wanna know about Linux kernel regression tracking:
> https://linux-regtracking.leemhuis.info/about/#tldr
> If I did something stupid, please tell me, as explained on that page.
>
> #regzbot poke
>
> On 14.06.24 18:24, popcorn mix wrote:
>> On Fri, Jun 14, 2024 at 4:55 PM Dom Cobley <popcornmix@gmail.com> wrote:
>>> The kernel panic can be observed when connecting an
>>> ntfs formatted drive that has previously been connected
>>> to a Windows machine to a Raspberry Pi 5, which by defauilt
>>> uses a 16K kernel pagesize.
>> Here are links to some bug reports about the issue:
>> https://github.com/raspberrypi/linux/issues/6036
>> https://forum.libreelec.tv/thread/28620-libreelec-12-0-rpi5-and-ntfs-hdd-problem/?postID=192713#post192713
>> https://forums.raspberrypi.com/viewtopic.php?p=2203090#p2203090
>> https://forums.raspberrypi.com/viewtopic.php?t=367545
>>
>> The common points are it occurs on the (default) 16K pagesize kernel,
>> but switching to 4K pagesize kernel
>> avoids the issue.
>>
>> Issue wasn't present in previous RPiOS LTS kernel (6.1), but is
>> present in current LTS kernel (6.6).
>> Revering to 6.1 kernel avoids the issue.
>>
>> I've confirmed that reverting the commit:
>> 865e7a7700d9 ("fs/ntfs3: Reduce stack usage")
>>
>> avoids the issue.
>>
>> This patch avoids the issue for me, and I'd like confirmation it is correct.
Hello everyone,

I recently accepted this patch with the same fix:
https://lore.kernel.org/ntfs3/20240529064053.2741996-2-chenhuacai@loongson.cn/.

Unfortunately, I don't have an RPi with a pagesize=16K at hand, so I 
can't practically test it.

Regards, Konstantin