lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <032f7f9d-d92d-4b11-aa18-21eb62a4d2ab@paragon-software.com>
Date: Fri, 16 Jan 2026 14:40:51 +0100
From: Konstantin Komarov <almaz.alexandrovich@...agon-software.com>
To: Szymon Wilczek <swilczek.lx@...il.com>
CC: <ntfs3@...ts.linux.dev>, <linux-kernel@...r.kernel.org>,
	<syzbot+d27edf9f96ae85939222@...kaller.appspotmail.com>
Subject: Re: [PATCH] ntfs3: fix circular locking dependency in run_unpack_ex

On 12/27/25 15:43, Szymon Wilczek wrote:

> Syzbot reported a circular locking dependency between wnd->rw_lock
> (sbi->used.bitmap) and ni->file.run_lock.
>
> The deadlock scenario:
> 1. ntfs_extend_mft() takes ni->file.run_lock then wnd->rw_lock.
> 2. run_unpack_ex() takes wnd->rw_lock then tries to acquire
>     ni->file.run_lock inside ntfs_refresh_zone().
>
> This creates an AB-BA deadlock.
>
> Fix this by using down_read_trylock() instead of down_read() when
> acquiring run_lock in run_unpack_ex(). If the lock is contended,
> skip ntfs_refresh_zone() - the MFT zone will be refreshed on the
> next MFT operation. This breaks the circular dependency since we
> never block waiting for run_lock while holding wnd->rw_lock.
>
> Reported-by: syzbot+d27edf9f96ae85939222@...kaller.appspotmail.com
> Tested-by: syzbot+d27edf9f96ae85939222@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=d27edf9f96ae85939222
> Signed-off-by: Szymon Wilczek <swilczek.lx@...il.com>
> ---
>   fs/ntfs3/run.c | 13 ++++++++-----
>   1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/fs/ntfs3/run.c b/fs/ntfs3/run.c
> index 395b20492525..dc59cad4fa37 100644
> --- a/fs/ntfs3/run.c
> +++ b/fs/ntfs3/run.c
> @@ -1131,11 +1131,14 @@ int run_unpack_ex(struct runs_tree *run, struct ntfs_sb_info *sbi, CLST ino,
>   			struct rw_semaphore *lock =
>   				is_mounted(sbi) ? &sbi->mft.ni->file.run_lock :
>   						  NULL;
> -			if (lock)
> -				down_read(lock);
> -			ntfs_refresh_zone(sbi);
> -			if (lock)
> -				up_read(lock);
> +			if (lock) {
> +				if (down_read_trylock(lock)) {
> +					ntfs_refresh_zone(sbi);
> +					up_read(lock);
> +				}
> +			} else {
> +				ntfs_refresh_zone(sbi);
> +			}
>   		}
>   		up_write(&wnd->rw_lock);
>   		if (err)

Thanks for the patch. It is applied.

Regards,
Konstantin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ