[PATCH] ntfs3: reject empty iomap before reading its LCN

From: Yousef Alhouseen

Date: Tue Jun 30 2026 - 17:18:11 EST


attr_data_get_block() can return success with a zero run length when no
cached or on-disk mapping covers a read VCN. In that case it does not
initialize the LCN output.

Check the returned length before comparing the LCN against the special
mapping values. This preserves the existing -EINVAL result for an empty
mapping without passing an uninitialized LCN to the comparisons.

Fixes: ecbb433f9a8e ("fs/ntfs3: fold file size handling into ntfs_set_size()")
Reported-by: syzbot+4b4ec878e25fafefa70f@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=4b4ec878e25fafefa70f
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
fs/ntfs3/inode.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index c43101cc064d..a428f03a695d 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -777,6 +777,8 @@ static int ntfs_iomap_begin(struct inode *inode, loff_t offset, loff_t length,
if (err) {
return err;
}
+ if (!clen)
+ return -EINVAL;

if (lcn == EOF_LCN) {
/* request out of file. */
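Review bot: The new `if (!clen) return -EINVAL;` sits ahead of the `lcn == EOF_LCN` test and therefore ahead of every special-LCN branch, whereas the old check ran only after those branches had a chance to `return 0`. The commit message says attr_data_get_block() leaves the LCN unset when the run length is zero; please confirm there is no path where it returns a zero length together with a deliberately set special LCN, since such a path would now change from the branch's result to -EINVAL. The move also drops the old `/* broken file? */` comment. A one-line comment here saying that lcn is not valid when clen is zero would keep a later reordering from reintroducing the uninitialized read.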
@@ -811,11 +813,6 @@ static int ntfs_iomap_begin(struct inode *inode, loff_t offset, loff_t length,
return 0;
}

- if (!clen) {
- /* broken file? */
- return -EINVAL;
- }
-
iomap->bdev = inode->i_sb->s_bdev;
iomap->offset = offset;
iomap->length = ((loff_t)clen << cluster_bits) - off;
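Review bot: With the late `if (!clen)` block removed, `iomap->length = ((loff_t)clen << cluster_bits) - off;` relies entirely on the check added near the top of the function, and the code between the two hunks is not visible in this patch. If anything in that range can shrink clen, a zero could reach this computation and subtracting off would produce a non-positive length. Please confirm clen is not modified between the early check and this assignment, and consider saying so in the commit message, since this goes to stable.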
--
2.55.0