[GIT PULL] ntfs fixes for 7.1-rc5
From: Namjae Jeon
Date: Tue May 19 2026 - 06:09:23 EST
Hi Linus,
This is ntfs fixes pull request for v7.1-rc5. I add the description of
this pull request below. Please pull the following ntfs fixes.
Thanks!
The following changes since commit 66edb901bf874d9e0787326ba12d3548b2da8700:
Merge tag 'v7.1-p3' of
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
(2026-05-02 12:31:43 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/ntfs.git
tags/ntfs-for-7.1-rc5
for you to fetch changes up to 2beaa98b46c4cc90ed8a674f27a586d7f547bbe5:
ntfs: restore $MFT mirror contents check (2026-05-11 23:30:48 +0900)
----------------------------------------------------------------
Description for this pull request:
- Check the index depth limit via ntfs_icx_parent_inc(), avoiding context
corruption from excessively deep child chains.
- Switch security descriptor allocation to kzalloc() to avoid leaking
uninitialized memory.
- Prevent an inconsistent state where vol->volume_label becomes NULL on
allocation failure.
- Validate MFT records by verifying that attrs_offset sits within
bytes_in_use.
- Fix an off-by-one boundary comparison, correctly catching the
out-of-range MFT record number
- Validate the attribute name offset and length bounds prior to AT_UNUSED
enumeration.
- Check for a valid left neighbor before runlist merges to prevent an
8byte out-of-bounds write on crafted volumes.
- Add the missing record comparison against $MFTMirr during mount.
- Fix wrong inode lookup when writing extent MFT records.
- Redirty folio on memory allocation failure in ntfs_write_mft_block().
- Capture and propagate $MFTMirr sync errors during writeback.
- Ensure MFT mirror and synchronous writes wait for I/O completion.
- Fix buffer overflow/heap over-read in ntfs_bdev_write() when cluster
size is smaller than PAGE_SIZE.
- Fix use-after-free in ntfs_inode_sync_filename() when parent index inode
is evicted while still holding its mrec_lock.
- Update resident attribute length validation to match $AttrDef.
- Fix refcount underflow and UAF of the global upcase table.
- Fix two smatch warnings.
----------------------------------------------------------------
DaeMyung Kang (15):
ntfs: use base mft_no when looking up base inode for extent record
ntfs: redirty folio when ntfs_write_mft_block() runs out of memory
ntfs: capture mft mirror sync errors in ntfs_write_mft_block()
ntfs: wait for sync mft writes to complete
ntfs: fix copy length in ntfs_bdev_write() for non-page-aligned start
ntfs: avoid use-after-free of index inode in ntfs_inode_sync_filename()
ntfs: fix default_upcase refcount underflow and UAF on fs_context teardown
ntfs: fix out-of-bounds write in ntfs_rl_collapse_range() merge path
ntfs: fix out-of-bounds write in ntfs_index_walk_down()
ntfs: avoid leaking uninitialised bytes in new security descriptors
ntfs: validate MFT attrs_offset against bytes_in_use
ntfs: fix MFT bitmap scan 2^32 boundary check
ntfs: validate attribute name bounds before returning it
ntfs: fix empty_buf and ra lifetime bugs in ntfs_empty_logfile()
ntfs: restore $MFT mirror contents check
Hyunchul Lee (1):
ntfs: match ntfs_resident_attr_min_value_length with $AttrDef
Namjae Jeon (2):
ntfs: fix variable dereferenced before check ni and attr in
ntfs_attrlist_entry_add()
ntfs: fix variable dereferenced before check ni in ntfs_attr_open()
Zhan Xusheng (1):
ntfs: fix missing kstrdup() error check in ntfs_write_volume_label()
fs/ntfs/attrib.c | 46 +++++++++++++--------------
fs/ntfs/attrlist.c | 7 ++--
fs/ntfs/bdev-io.c | 7 ++--
fs/ntfs/index.c | 17 +++++++---
fs/ntfs/inode.c | 6 ++--
fs/ntfs/logfile.c | 5 ++-
fs/ntfs/mft.c | 93 ++++++++++++++++++++++++++++++++++++++----------------
fs/ntfs/namei.c | 4 +--
fs/ntfs/runlist.c | 9 +++---
fs/ntfs/super.c | 35 ++++++++++++++++----
10 files changed, 149 insertions(+), 80 deletions(-)