From 14f0a13ec79dfa63e143ea45e6530d80bec6e291 Mon Sep 17 00:00:00 2001
From: Hyunchul Lee
Date: Tue, 17 Mar 2026 14:13:44 +0900
Subject: [PATCH] ntfs: remove redundant out-of-bound checks
Remove redundant out-of-bounds validations. Since ntfs_attr_find and ntfs_external_attr_find now validate the attribute value offsets and lengths against the bounds of the MFT record block, performing subsequent bounds checking in caller functions like ntfs_attr_lookup is no longer necessary.
Signed-off-by: Hyunchul Lee
Signed-off-by: Namjae Jeon
---
 fs/ntfs/inode.c | 28 ----------------------------
 fs/ntfs/namei.c | 8 --------
 fs/ntfs/super.c | 6 ------
 3 files changed, 42 deletions(-)
diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index 314741a40369..16890d411194 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -757,12 +757,6 @@ static int ntfs_read_locked_inode(struct inode *vi)
 }
 a = ctx->attr;
 /* Get the standard information attribute value. */
- if ((u8 *)a + le16_to_cpu(a->data.resident.value_offset)
- + le32_to_cpu(a->data.resident.value_length) >
- (u8 *)ctx->mrec + vol->mft_record_size) {
- ntfs_error(vi->i_sb, "Corrupt standard information attribute in inode.");
- goto unm_err_out;
- }
 si = (struct standard_information *)((u8 *)a + le16_to_cpu(a->data.resident.value_offset));
@@ -849,13 +843,6 @@ static int ntfs_read_locked_inode(struct inode *vi)
 goto unm_err_out;
 }
 } else /* if (!a->non_resident) */ {
- if ((u8 *)a + le16_to_cpu(a->data.resident.value_offset)
- + le32_to_cpu(
- a->data.resident.value_length) >
- (u8 *)ctx->mrec + vol->mft_record_size) {
- ntfs_error(vi->i_sb, "Corrupt attribute list in inode.");
- goto unm_err_out;
- }
 /* Now copy the attribute list. */
 memcpy(ni->attr_list, (u8 *)a + le16_to_cpu( a->data.resident.value_offset),
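Review bot: In the hunk at -757 (ntfs_read_locked_inode, which begins and ends outside the hunk) nothing visible establishes that `value_length` covers the `struct standard_information` fields read after the cast to `si`; the removed test only bounded the end of the value against the record, and the commit message describes the lookup-side validation in the same terms. If ntfs_attr_find checks only that the value ends inside the MFT record, a short resident value sitting at the end of the record would let those field reads run past the record buffer. Unless the lookup already enforces per-type minimum sizes (not visible here), I would add a guard before the cast such as `if (le32_to_cpu(a->data.resident.value_length) < SI_MIN_LEN /* placeholder: size of the fields read */) goto unm_err_out;`. The same question applies to the `struct index_root` casts in the hunks at -954 and -1552 and to `struct volume_information` in fs/ntfs/super.c at -1520.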
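Review bot: In the hunk at -849 the `memcpy()` into `ni->attr_list` is left with no visible bound on its source range, so its safety now rests entirely on a check made inside ntfs_attr_find, and nothing at the call site says so. A one-line comment above the copy would keep that dependency visible to whoever next changes the lookup code, for example `/* ntfs_attr_find() has verified that value_offset + value_length lies within the MFT record. */`. The length argument and the allocation of `ni->attr_list` are outside the hunk, so the destination size could not be checked from here. The hunk at -1999 in ntfs_read_inode_mount leaves the same unguarded copy; since that is the mount-time path, it is worth confirming that its lookup goes through the same validated code before relying on the comment there.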
@@ -954,10 +941,6 @@ view_index_meta:
 ir = (struct index_root *)((u8 *)a + le16_to_cpu(a->data.resident.value_offset));
 ir_end = (u8 *)ir + le32_to_cpu(a->data.resident.value_length);
- if (ir_end > (u8 *)ctx->mrec + vol->mft_record_size) {
- ntfs_error(vi->i_sb, "$INDEX_ROOT attribute is corrupt.");
- goto unm_err_out;
- }
 index_end = (u8 *)&ir->index + le32_to_cpu(ir->index.index_length);
 if (index_end > ir_end) {
@@ -1552,10 +1535,6 @@ static int ntfs_read_locked_index_inode(struct inode *base_vi, struct inode *vi)
 ir = (struct index_root *)((u8 *)a + le16_to_cpu(a->data.resident.value_offset));
 ir_end = (u8 *)ir + le32_to_cpu(a->data.resident.value_length);
- if (ir_end > (u8 *)ctx->mrec + vol->mft_record_size) {
- ntfs_error(vi->i_sb, "$INDEX_ROOT attribute is corrupt.");
- goto unm_err_out;
- }
 index_end = (u8 *)&ir->index + le32_to_cpu(ir->index.index_length);
 if (index_end > ir_end) {
 ntfs_error(vi->i_sb, "Index is corrupt.");
@@ -1999,13 +1978,6 @@ int ntfs_read_inode_mount(struct inode *vi)
 goto put_err_out;
 }
 } else /* if (!ctx.attr->non_resident) */ {
- if ((u8 *)a + le16_to_cpu(
- a->data.resident.value_offset) +
- le32_to_cpu(a->data.resident.value_length) >
- (u8 *)ctx->mrec + vol->mft_record_size) {
- ntfs_error(sb, "Corrupt attribute list attribute.");
- goto put_err_out;
- }
 /* Now copy the attribute list. */
 memcpy(ni->attr_list, (u8 *)a + le16_to_cpu( a->data.resident.value_offset),
diff --git a/fs/ntfs/namei.c b/fs/ntfs/namei.c
index ba42c566940a..10894de519c3 100644
--- a/fs/ntfs/namei.c
+++ b/fs/ntfs/namei.c
@@ -274,7 +274,6 @@ handle_name:
 }
 do {
 struct attr_record *a;
- u32 val_len;
 err = ntfs_attr_lookup(AT_FILE_NAME, NULL, 0, 0, 0, NULL, 0, ctx);
@@ -289,15 +288,8 @@ handle_name:
 a = ctx->attr;
 if (a->non_resident || a->flags)
 goto eio_err_out;
- val_len = le32_to_cpu(a->data.resident.value_length);
- if (le16_to_cpu(a->data.resident.value_offset) +
- val_len > le32_to_cpu(a->length))
- goto eio_err_out;
 fn = (struct file_name_attr *)((u8 *)ctx->attr + le16_to_cpu( ctx->attr->data.resident.value_offset));
- if ((u32)(fn->file_name_length * sizeof(__le16) +
- sizeof(struct file_name_attr)) > val_len)
- goto eio_err_out;
 } while (fn->file_name_type != FILE_NAME_WIN32);
 /* Convert the found WIN32 name to current NLS code page. */
diff --git a/fs/ntfs/super.c b/fs/ntfs/super.c
index 39a5c3b81001..22dc7865eca7 100644
--- a/fs/ntfs/super.c
+++ b/fs/ntfs/super.c
@@ -1512,7 +1512,6 @@ iput_volume_failed:
 if (ntfs_attr_lookup(AT_VOLUME_INFORMATION, NULL, 0, 0, 0, NULL, 0, ctx) || ctx->attr->non_resident || ctx->attr->flags) {
-err_put_vol:
 ntfs_attr_put_search_ctx(ctx);
 get_ctx_vol_failed:
 unmap_mft_record(NTFS_I(vol->vol_ino));
@@ -1520,11 +1519,6 @@ get_ctx_vol_failed:
 }
 vi = (struct volume_information *)((char *)ctx->attr + le16_to_cpu(ctx->attr->data.resident.value_offset));
- /* Some bounds checks. */
- if ((u8 *)vi < (u8 *)ctx->attr || (u8 *)vi +
- le32_to_cpu(ctx->attr->data.resident.value_length) >
- (u8 *)ctx->attr + le32_to_cpu(ctx->attr->length))
- goto err_put_vol;
 /* Copy the volume flags and version to the struct ntfs_volume structure. */
 vol->vol_flags = vi->flags;
 vol->major_ver = vi->major_ver;
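Review bot: The second check removed in the fs/ntfs/namei.c hunk at -289, `fn->file_name_length * sizeof(__le16) + sizeof(struct file_name_attr) > val_len`, validates a length field stored inside the attribute value, which is not the offset/length-against-record validation the commit message attributes to ntfs_attr_find. Without it, `fn->file_name_type` is read in the loop condition and the name is converted after the loop with nothing visible tying `file_name_length` to the size of the value. Unless the lookup performs this per-type check for AT_FILE_NAME (not visible here), I would keep it and read the length directly: `if ((u32)(fn->file_name_length * sizeof(__le16) + sizeof(struct file_name_attr)) > le32_to_cpu(a->data.resident.value_length)) goto eio_err_out;`. The enclosing function begins and ends outside the hunk.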
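Review bot: The check removed in the fs/ntfs/super.c hunk at -1520 bounded the value by the attribute's own `length` field, which is a tighter limit than the MFT-record bound named in the commit message; the first check removed from fs/ntfs/namei.c at -289 did the same. If ntfs_attr_find compares only against the end of the record, a resident value can now extend past its attribute into whatever follows in the record, and `vi->flags` and `vi->major_ver` would be taken from those bytes. Please confirm which bound the lookup enforces and, once confirmed, record it at the call site, e.g. `/* ntfs_attr_find() guarantees the resident value lies inside this attribute record. */`. The enclosing function begins and ends outside the hunk.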