2467158 – (CVE-2026-43127) CVE-2026-43127 kernel: ntfs3: fix circular locking dependency in run_unpack_ex

Bug 2467158 (CVE-2026-43127) - CVE-2026-43127 kernel: ntfs3: fix circular locking dependency in run_unpack_ex

Summary: CVE-2026-43127 kernel: ntfs3: fix circular locking dependency in run_unpack_ex

Keywords:
Status:	NEW
Alias:	CVE-2026-43127
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-06 13:07 UTC by OSIDB Bzimport
Modified:	2026-05-06 17:53 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-06 13:07:38 UTC

In the Linux kernel, the following vulnerability has been resolved:

ntfs3: fix circular locking dependency in run_unpack_ex

Syzbot reported a circular locking dependency between wnd->rw_lock
(sbi->used.bitmap) and ni->file.run_lock.

The deadlock scenario:
1. ntfs_extend_mft() takes ni->file.run_lock then wnd->rw_lock.
2. run_unpack_ex() takes wnd->rw_lock then tries to acquire
   ni->file.run_lock inside ntfs_refresh_zone().

This creates an AB-BA deadlock.

Fix this by using down_read_trylock() instead of down_read() when
acquiring run_lock in run_unpack_ex(). If the lock is contended,
skip ntfs_refresh_zone() - the MFT zone will be refreshed on the
next MFT operation. This breaks the circular dependency since we
never block waiting for run_lock while holding wnd->rw_lock.

Comment 1 Keith Grant 2026-05-06 17:50:55 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050620-CVE-2026-43127-aa44@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.