diff options
| author | Szymon Wilczek <swilczek.lx@gmail.com> | 2025-12-22 16:10:10 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-02-26 15:01:28 -0800 |
| commit | cfe246b318106e1691bd6c9466c739e8559d25c2 (patch) | |
| tree | 5abceb005556028afd8ad30fcb9f9028b8f32883 /fs/ntfs3 | |
| parent | bce124ddbcdc157bbbe8df2efdc64531dc80a8df (diff) | |
fs/ntfs3: fix deadlock in ni_read_folio_cmpr
[ Upstream commit e37a75bb866c29da954b51d0dd7670406246d9ee ]
Syzbot reported a task hung in ni_readpage_cmpr (now ni_read_folio_cmpr).
This is caused by a lock inversion deadlock involving the inode mutex
(ni_lock) and page locks.
Scenario:
1. Task A enters ntfs_read_folio() for page X. It acquires ni_lock.
2. Task A calls ni_read_folio_cmpr(), which attempts to lock all pages in
the compressed frame (including page Y).
3. Concurrently, Task B (e.g., via readahead) has locked page Y and
calls ntfs_read_folio().
4. Task B waits for ni_lock (held by A).
5. Task A waits for page Y lock (held by B).
-> DEADLOCK.
The fix is to restructure locking: do not take ni_lock in ntfs_read_folio().
Instead, acquire ni_lock inside ni_read_folio_cmpr() ONLY AFTER all required
page locks for the frame have been successfully acquired. This restores the
correct lock ordering (Page Lock -> ni_lock) consistent with VFS.
Reported-by: syzbot+5af33dd272b913b65880@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5af33dd272b913b65880
Fixes: f35590ee26f5 ("fs/ntfs3: remove ntfs_bio_pages and use page cache for compressed I/O")
Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
[almaz.alexandrovich@paragon-software.com: ni_readpage_cmpr was renamed to ni_read_folio_cmpr]
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'fs/ntfs3')
| -rw-r--r-- | fs/ntfs3/frecord.c | 2 | ||||
| -rw-r--r-- | fs/ntfs3/inode.c | 3 |
2 files changed, 3 insertions, 2 deletions
diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c index 7e3d61de2f8f..d5bbd47e1ee9 100644 --- a/fs/ntfs3/frecord.c +++ b/fs/ntfs3/frecord.c @@ -2107,7 +2107,9 @@ int ni_read_folio_cmpr(struct ntfs_inode *ni, struct folio *folio) pages[i] = pg; } + ni_lock(ni); err = ni_read_frame(ni, frame_vbo, pages, pages_per_frame, 0); + ni_unlock(ni); out1: for (i = 0; i < pages_per_frame; i++) { diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c index 1319b99dfeb4..ec8e954f4426 100644 --- a/fs/ntfs3/inode.c +++ b/fs/ntfs3/inode.c @@ -735,9 +735,8 @@ static int ntfs_read_folio(struct file *file, struct folio *folio) } if (is_compressed(ni)) { - ni_lock(ni); + /* ni_lock is taken inside ni_read_folio_cmpr after page locks */ err = ni_read_folio_cmpr(ni, folio); - ni_unlock(ni); return err; } |