From: Al Viro <viro@zeniv.linux.org.uk> mainline inclusion from mainline-v7.0-rc1 commit ca2a04e84af79596e5cd9cfe697d5122ec39c8ce category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14789 CVE: CVE-2026-43245 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- ... so don't use __getname() there. Switch it (and ntfs_d_hash(), while we are at it) to kmalloc(PATH_MAX, GFP_NOWAIT). Yes, ntfs_d_hash() almost certainly can do with smaller allocations, but let ntfs folks deal with that - keep the allocation size as-is for now. Stop abusing names_cachep in ntfs, period - various uses of that thing in there have nothing to do with pathnames; just use k[mz]alloc() and be done with that. For now let's keep sizes as-in, but AFAICS none of the users actually want PATH_MAX. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Yifan Qiao <qiaoyifan4@huawei.com> --- fs/ntfs3/dir.c | 5 ++--- fs/ntfs3/inode.c | 12 ++++++------ fs/ntfs3/namei.c | 9 ++++----- fs/ntfs3/xattr.c | 4 ++-- 4 files changed, 14 insertions(+), 16 deletions(-) diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c index fb438d604040..27713367aa64 100644 --- a/fs/ntfs3/dir.c +++ b/fs/ntfs3/dir.c @@ -390,8 +390,7 @@ static int ntfs_readdir(struct file *file, struct dir_context *ctx) if (!dir_emit_dots(file, ctx)) return 0; - /* Allocate PATH_MAX bytes. */ - name = __getname(); + name = kmalloc(PATH_MAX, GFP_KERNEL); if (!name) return -ENOMEM; @@ -470,7 +469,7 @@ static int ntfs_readdir(struct file *file, struct dir_context *ctx) out: - __putname(name); + kfree(name); put_indx_node(node); if (err == -ENOENT) { diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c index b1849c4c48e1..c582eb08d5f8 100644 --- a/fs/ntfs3/inode.c +++ b/fs/ntfs3/inode.c @@ -1280,7 +1280,7 @@ struct inode *ntfs_create_inode(struct user_namespace *mnt_userns, fa |= FILE_ATTRIBUTE_READONLY; /* Allocate PATH_MAX bytes. */ - new_de = __getname(); + new_de = kzalloc(PATH_MAX, GFP_KERNEL); if (!new_de) { err = -ENOMEM; goto out1; @@ -1653,7 +1653,7 @@ struct inode *ntfs_create_inode(struct user_namespace *mnt_userns, ntfs_mark_rec_free(sbi, ino); out2: - __putname(new_de); + kfree(new_de); kfree(rp); out1: @@ -1676,7 +1676,7 @@ int ntfs_link_inode(struct inode *inode, struct dentry *dentry) struct ATTR_FILE_NAME *de_name; /* Allocate PATH_MAX bytes. */ - de = __getname(); + de = kzalloc(PATH_MAX, GFP_KERNEL); if (!de) return -ENOMEM; @@ -1699,7 +1699,7 @@ int ntfs_link_inode(struct inode *inode, struct dentry *dentry) err = ni_add_name(ntfs_i(d_inode(dentry->d_parent)), ni, de); out: - __putname(de); + kfree(de); return err; } @@ -1723,7 +1723,7 @@ int ntfs_unlink_inode(struct inode *dir, const struct dentry *dentry) return -EINVAL; /* Allocate PATH_MAX bytes. */ - de = __getname(); + de = kzalloc(PATH_MAX, GFP_KERNEL); if (!de) return -ENOMEM; @@ -1761,7 +1761,7 @@ int ntfs_unlink_inode(struct inode *dir, const struct dentry *dentry) out: ni_unlock(ni); - __putname(de); + kfree(de); return err; } diff --git a/fs/ntfs3/namei.c b/fs/ntfs3/namei.c index 18330d982b07..49f5246abfdd 100644 --- a/fs/ntfs3/namei.c +++ b/fs/ntfs3/namei.c @@ -66,7 +66,7 @@ static struct dentry *ntfs_lookup(struct inode *dir, struct dentry *dentry, u32 flags) { struct ntfs_inode *ni = ntfs_i(dir); - struct cpu_str *uni = __getname(); + struct cpu_str *uni = kmalloc(PATH_MAX, GFP_KERNEL); struct inode *inode; int err; @@ -83,7 +83,7 @@ static struct dentry *ntfs_lookup(struct inode *dir, struct dentry *dentry, inode = dir_search_u(dir, uni, NULL); ni_unlock(ni); } - __putname(uni); + kfree(uni); } return d_splice_alias(inode, dentry); @@ -280,8 +280,7 @@ static int ntfs_rename(struct inode *dir, return err; } - /* Allocate PATH_MAX bytes. */ - de = __getname(); + de = kmalloc(PATH_MAX, GFP_KERNEL); if (!de) return -ENOMEM; @@ -325,7 +324,7 @@ static int ntfs_rename(struct inode *dir, ni_unlock(ni); ni_unlock(dir_ni); out: - __putname(de); + kfree(de); return err; } diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c index 24d739000c80..ddec586d4de6 100644 --- a/fs/ntfs3/xattr.c +++ b/fs/ntfs3/xattr.c @@ -533,7 +533,7 @@ static struct posix_acl *ntfs_get_acl_ex(struct user_namespace *mnt_userns, void *buf; /* Allocate PATH_MAX bytes. */ - buf = __getname(); + buf = kmalloc(PATH_MAX, GFP_KERNEL); if (!buf) return ERR_PTR(-ENOMEM); @@ -566,7 +566,7 @@ static struct posix_acl *ntfs_get_acl_ex(struct user_namespace *mnt_userns, if (!IS_ERR(acl)) set_cached_acl(inode, type, acl); - __putname(buf); + kfree(buf); return acl; } -- 2.52.0