[PATCH 2/3] ntfs: fix MFT bitmap scan 2^32 boundary check

From: DaeMyung Kang

Date: Fri May 08 2026 - 11:38:14 EST


NTFS MFT record numbers are limited to the 32-bit range, and
ntfs_mft_record_layout() rejects mft_no >= 2^32. The free-MFT-record
bitmap scan in ntfs_mft_bitmap_find_and_alloc_free_rec_nolock() also
guards against this overflow but uses a strict greater than comparison,
allowing record number 2^32 itself through this earlier check.

Every other 2^32 boundary check in fs/ntfs/mft.c uses '>=', so the
strict greater than here is both a real off-by-one and an internal
inconsistency. A model with ll == 2^32 confirms the current check
accepts the value while the corrected check rejects it.

Use '>=' so the boundary matches the layout-time rejection and the
surrounding bitmap-scan checks.

Fixes: d3ad708fecaa ("ntfs: Initial commit")
Signed-off-by: DaeMyung Kang <charsyam@xxxxxxxxx>
---
fs/ntfs/mft.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ntfs/mft.c b/fs/ntfs/mft.c
index 70c1aa76181b..f8f2e481c5dc 100644
--- a/fs/ntfs/mft.c
+++ b/fs/ntfs/mft.c
@@ -1279,7 +1279,7 @@ static s64 ntfs_mft_bitmap_find_and_alloc_free_rec_nolock(struct ntfs_volume *vo
b = ffz((unsigned long)*byte);
if (b < 8 && b >= (bit & 7)) {
ll = data_pos + (bit & ~7ull) + b;
- if (unlikely(ll > (1ll << 32))) {
+ if (unlikely(ll >= (1ll << 32))) {
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 6, 0)
folio_unlock(folio);
kunmap_local(buf);
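
Review bot: At the changed comparison `ll >= (1ll << 32)`, the limit is still an open-coded literal, and the commit message says the same 2^32 boundary is tested at several other places in fs/ntfs/mft.c, which is how this one check was able to drift to `>` unnoticed. Consider a named constant or a small helper for the MFT record number limit, shared by ntfs_mft_record_layout() and the bitmap-scan checks, so the comparisons cannot diverge again. The operator change itself matches the stated rule: record numbers must fit in 32 bits, so the largest valid value is 2^32 - 1 and `ll == 2^32` has to take the error path. It would also help to say in the commit message what the "model with ll == 2^32" was (a standalone test or a reasoning exercise), since the hunk alone does not show how that value is reached.
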
--
2.34.1