fs/ntfs3: fix deadlock in ni_read_folio_cmpr

szymonwilczek · aalexandrovich · commit e37a75bb866c · 2025-12-29T13:33:31.000Z
Syzbot reported a task hung in ni_readpage_cmpr (now ni_read_folio_cmpr). This is caused by a lock inversion deadlock involving the inode mutex (ni_lock) and page locks. Scenario: 1. Task A enters ntfs_read_folio() for page X. It acquires ni_lock. 2. Task A calls ni_read_folio_cmpr(), which attempts to lock all pages in the compressed frame (including page Y). 3. Concurrently, Task B (e.g., via readahead) has locked page Y and calls ntfs_read_folio(). 4. Task B waits for ni_lock (held by A). 5. Task A waits for page Y lock (held by B). -> DEADLOCK. The fix is to restructure locking: do not take ni_lock in ntfs_read_folio(). Instead, acquire ni_lock inside ni_read_folio_cmpr() ONLY AFTER all required page locks for the frame have been successfully acquired. This restores the correct lock ordering (Page Lock -> ni_lock) consistent with VFS. Reported-by: syzbot+5af33dd272b913b65880@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=5af33dd272b913b65880 Fixes: f35590e ("fs/ntfs3: remove ntfs_bio_pages and use page cache for compressed I/O") Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com> [almaz.alexandrovich@paragon-software.com: ni_readpage_cmpr was renamed to ni_read_folio_cmpr] Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
@@ -2107,7 +2107,9 @@ int ni_read_folio_cmpr(struct ntfs_inode *ni, struct folio *folio)
 		pages[i] = pg;
 	}
 
+	ni_lock(ni);
 	err = ni_read_frame(ni, frame_vbo, pages, pages_per_frame, 0);
+	ni_unlock(ni);
 
 out1:
 	for (i = 0; i < pages_per_frame; i++) {
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
@@ -748,9 +748,8 @@ static int ntfs_read_folio(struct file *file, struct folio *folio)
 	}
 
 	if (is_compressed(ni)) {
-		ni_lock(ni);
+		/* ni_lock is taken inside ni_read_folio_cmpr after page locks */
 		err = ni_read_folio_cmpr(ni, folio);
-		ni_unlock(ni);
 		return err;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -2107,7 +2107,9 @@ int ni_read_folio_cmpr(struct ntfs_inode ni, struct folio folio)`
`2107`	`2107`	`pages[i] = pg;`
`2108`	`2108`	`}`
`2109`	`2109`
	`2110`	`+ ni_lock(ni);`
`2110`	`2111`	`err = ni_read_frame(ni, frame_vbo, pages, pages_per_frame, 0);`
	`2112`	`+ ni_unlock(ni);`
`2111`	`2113`
`2112`	`2114`	`out1:`
`2113`	`2115`	`for (i = 0; i < pages_per_frame; i++) {`
Original file line number	Diff line number	Diff line change
`@@ -748,9 +748,8 @@ static int ntfs_read_folio(struct file file, struct folio folio)`
`748`	`748`	`}`
`749`	`749`
`750`	`750`	`if (is_compressed(ni)) {`
`751`		`- ni_lock(ni);`
	`751`	`+ /* ni_lock is taken inside ni_read_folio_cmpr after page locks */`
`752`	`752`	`err = ni_read_folio_cmpr(ni, folio);`
`753`		`- ni_unlock(ni);`
`754`	`753`	`return err;`
`755`	`754`	`}`
`756`	`755`