Re: [PATCH] ntfs: fix out-of-bounds write in ntfs_index_walk_down()

Next message: Google: "Re: [PATCH] fprobe: Add unregister_fprobe_sync() for synchronous unregistration"
Previous message: Mark Brown: "Re: [PATCH] spi: ch341: correct company name in MODULE_DESCRIPTION"
In reply to: Hyunchul Lee: "Re: [PATCH] ntfs: fix out-of-bounds write in ntfs_index_walk_down()"
Next in thread: DaeMyung Kang: "[PATCH v2] ntfs: fix out-of-bounds write in ntfs_index_walk_down()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Namjae Jeon

Date: Wed May 06 2026 - 21:48:20 EST

> @@ -1979,14 +1980,20 @@ struct index_entry *ntfs_index_walk_down(struct index_entry *ie, struct ntfs_ind
> ib = kvzalloc(ictx->block_size, GFP_NOFS);
> if (!ib)
> return ERR_PTR(-ENOMEM);
> - /* down from level zero */
> + /* is_in_root implies pindex == 0; move to the first child level. */
> + err = ntfs_icx_parent_inc(ictx);
> + if (err) {
> + kvfree(ib);
> + return ERR_PTR(err);
> + }

At this point is_in_root is true, so ->pindex is guaranteed to be 0.
Calling ntfs_icx_parent_inc() which includes an overflow check and
error handling is unnecessary here, and the error handling code
becomes dead code. Directly setting the value will be simpler and
clearer like this.

/*
* Descending from root index (level 0) to the first child level.
* is_in_root == true implies pindex == 0, so advance to level 1.
*/
ictx->pindex = 1;