From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E4DAF346A07; Tue, 6 Jan 2026 17:15:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767719731; cv=none; b=XQ05DzD3x8n44xSwKewthA8R/Q5BDb3kg3tZ9oEmEoE12KqzWNgWHvzVQjYQATbsMgikZbbjdq9V42EXSZcfsyeBK4231+Np7CvG3NQASUzv+wSBlgK3wTjtUMjKORzqAOrtBTylyql5qgueqDeUUzuirL/rV2pb1TC/605HEA0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767719731; c=relaxed/simple; bh=lX7o+KZWL6/awuoc/5wv1j5ty+1/q9L90gYfN9hjJAw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=nkLpo1oJWSo7LpLL5ZMYugsHh78BhCmMF2Qlgzc9qskoAueW4j4e8BG9svEJbJ1P/Whe+BgpJb2xHDTpGO8+/Bsl5AzzBS8VK3b/oJHA5bkkwg1vrFsBGuXdsQLy7sDoy6Ps9IRbzMhDMGAZwheJ9TqivSn/Lb7HKoLOFOXj+tQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=QNel0K+R; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="QNel0K+R" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0A05CC116C6; Tue, 6 Jan 2026 17:15:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1767719730; bh=lX7o+KZWL6/awuoc/5wv1j5ty+1/q9L90gYfN9hjJAw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=QNel0K+REbIiSo2vun07eXuAr9zWzT7vcXDS+jXLA7MWvJB3+bZsZkyXM2PmCLgPH deZbjnsTTwMv/iIhiGlCQZh4BiYDibuCHDSlh3nrzlDvNcJPHHtwOEitXGREqE2jBu 334TWv7H/FyhldQ592S7Nw0Mx/fPoSrUFbTE1d0Y= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, syzbot+f4f84b57a01d6b8364ad@syzkaller.appspotmail.com, Pedro Demarchi Gomes , Konstantin Komarov , Sasha Levin Subject: [PATCH 6.12 022/567] ntfs: set dummy blocksize to read boot_block when mounting Date: Tue, 6 Jan 2026 17:56:44 +0100 Message-ID: <20260106170452.164883042@linuxfoundation.org> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260106170451.332875001@linuxfoundation.org> References: <20260106170451.332875001@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Pedro Demarchi Gomes [ Upstream commit d1693a7d5a38acf6424235a6070bcf5b186a360d ] When mounting, sb->s_blocksize is used to read the boot_block without being defined or validated. Set a dummy blocksize before attempting to read the boot_block. The issue can be triggered with the following syz reproducer: mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0) r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0) ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000) mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000000)='ntfs3\x00', 0x2208004, 0x0) syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0) Here, the ioctl sets the bdev block size to 16384. During mount, get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)), but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves sb->s_blocksize at zero. Later, ntfs_init_from_boot() attempts to read the boot_block while sb->s_blocksize is still zero, which triggers the bug. Reported-by: syzbot+f4f84b57a01d6b8364ad@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f4f84b57a01d6b8364ad Signed-off-by: Pedro Demarchi Gomes [almaz.alexandrovich@paragon-software.com: changed comment style, added return value handling] Signed-off-by: Konstantin Komarov Signed-off-by: Sasha Levin --- fs/ntfs3/super.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c index 6a0f6b0a3ab2a..89d126c155c7d 100644 --- a/fs/ntfs3/super.c +++ b/fs/ntfs3/super.c @@ -892,6 +892,11 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, sbi->volume.blocks = dev_size >> PAGE_SHIFT; + /* Set dummy blocksize to read boot_block. */ + if (!sb_min_blocksize(sb, PAGE_SIZE)) { + return -EINVAL; + } + read_boot: bh = ntfs_bread(sb, boot_block); if (!bh) -- 2.51.0