Bug 2482090 (CVE-2025-71309) - CVE-2025-71309 kernel: fs/ntfs3: fix deadlock in ni_read_folio_cmpr
Summary: CVE-2025-71309 kernel: fs/ntfs3: fix deadlock in ni_read_folio_cmpr
Keywords:
Status: NEW
Alias: CVE-2025-71309
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-27 15:10 UTC by OSIDB Bzimport
Modified: 2026-05-28 20:17 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-27 15:10:50 UTC
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: fix deadlock in ni_read_folio_cmpr

Syzbot reported a task hung in ni_readpage_cmpr (now ni_read_folio_cmpr).
This is caused by a lock inversion deadlock involving the inode mutex
(ni_lock) and page locks.

Scenario:
1. Task A enters ntfs_read_folio() for page X. It acquires ni_lock.
2. Task A calls ni_read_folio_cmpr(), which attempts to lock all pages in
   the compressed frame (including page Y).
3. Concurrently, Task B (e.g., via readahead) has locked page Y and
   calls ntfs_read_folio().
4. Task B waits for ni_lock (held by A).
5. Task A waits for page Y lock (held by B).
   -> DEADLOCK.

The fix is to restructure locking: do not take ni_lock in ntfs_read_folio().
Instead, acquire ni_lock inside ni_read_folio_cmpr() ONLY AFTER all required
page locks for the frame have been successfully acquired. This restores the
correct lock ordering (Page Lock -> ni_lock) consistent with VFS.

[almaz.alexandrovich: ni_readpage_cmpr was renamed to ni_read_folio_cmpr]


Note You need to log in before you can comment on or make changes to this bug.