Description
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: fix deadlock in ni_read_folio_cmpr

Syzbot reported a task hung in ni_readpage_cmpr (now ni_read_folio_cmpr).
This is caused by a lock inversion deadlock involving the inode mutex
(ni_lock) and page locks.

Scenario:
1. Task A enters ntfs_read_folio() for page X. It acquires ni_lock.
2. Task A calls ni_read_folio_cmpr(), which attempts to lock all pages in
the compressed frame (including page Y).
3. Concurrently, Task B (e.g., via readahead) has locked page Y and
calls ntfs_read_folio().
4. Task B waits for ni_lock (held by A).
5. Task A waits for page Y lock (held by B).
-> DEADLOCK.

The fix is to restructure locking: do not take ni_lock in ntfs_read_folio().
Instead, acquire ni_lock inside ni_read_folio_cmpr() ONLY AFTER all required
page locks for the frame have been successfully acquired. This restores the
correct lock ordering (Page Lock -> ni_lock) consistent with VFS.

[almaz.alexandrovich@paragon-software.com: ni_readpage_cmpr was renamed to ni_read_folio_cmpr]
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A lock inversion deadlock in the Linux kernel’s NTFS‑3G implementation is triggered when concurrent read operations on compressed NTFS pages cause a task to hold a page lock while waiting for the inode mutex, and another task to hold that inode mutex while waiting for the same page lock, leading to a hung kernel thread and a denial‑of‑service condition.

Affected Systems

Linux kernel implementations that include the ntfs3 driver before the patch commits cfe246b3181/e37a75bb866c are affected. The bug resides in the ntfs_read_folio() and ni_read_folio_cmpr() paths of the ntfs3 filesystem module. No specific vendor release numbers are listed, but the vulnerability can be present in any kernel release that has not yet incorporated the deadlock fix.

Risk and Exploitability

Exploitation requires local access to a system with an NTFS‑3G mount and the ability to trigger concurrent read operations, such as by performing background scans or enabling readahead. An adversary could provoke the deadlock by accessing compressed NTFS pages while another read process proceeds, causing kernel thread hangs and potential system unresponsiveness. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, but the nature of the deadlock means any such concurrency can lead to denial‑of‑service, classifying the risk as high in environments that rely heavily on NTFS‑3G mounts.

Generated by OpenCVE AI on May 27, 2026 at 16:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the ntfs3 deadlock fix (commits cfe246b3181 and e37a75bb866c).
  • If a kernel upgrade cannot be performed, limit concurrent NTFS‑3G read activity, for example by disabling readahead on NTFS partitions or throttling background file system operations.
  • Replace NTFS‑3G mounts with a native file system such as ext4 or xfs until a patched kernel is available.

Generated by OpenCVE AI on May 27, 2026 at 16:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: fix deadlock in ni_read_folio_cmpr Syzbot reported a task hung in ni_readpage_cmpr (now ni_read_folio_cmpr). This is caused by a lock inversion deadlock involving the inode mutex (ni_lock) and page locks. Scenario: 1. Task A enters ntfs_read_folio() for page X. It acquires ni_lock. 2. Task A calls ni_read_folio_cmpr(), which attempts to lock all pages in the compressed frame (including page Y). 3. Concurrently, Task B (e.g., via readahead) has locked page Y and calls ntfs_read_folio(). 4. Task B waits for ni_lock (held by A). 5. Task A waits for page Y lock (held by B). -> DEADLOCK. The fix is to restructure locking: do not take ni_lock in ntfs_read_folio(). Instead, acquire ni_lock inside ni_read_folio_cmpr() ONLY AFTER all required page locks for the frame have been successfully acquired. This restores the correct lock ordering (Page Lock -> ni_lock) consistent with VFS. [almaz.alexandrovich@paragon-software.com: ni_readpage_cmpr was renamed to ni_read_folio_cmpr]
Title fs/ntfs3: fix deadlock in ni_read_folio_cmpr
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:15:03.360Z

Reserved: 2026-05-08T13:14:33.088Z

Link: CVE-2025-71309

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:43.517

Modified: 2026-05-27T14:48:31.480

Link: CVE-2025-71309

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T16:15:05Z

Weaknesses

No weakness.