Linux Kernel NTFS3 Deadlock Vulnerability in Compressed Frame Handling

Vulnerability

A deadlock vulnerability has been identified in the Linux kernel's NTFS3 file system implementation, specifically in the handling of compressed frames. This deadlock arises from a lock inversion issue between the inode mutex and page locks. The problem occurs when one task holds the inode lock and attempts to lock pages in a compressed frame, while another task has already locked one of those pages and is waiting for the inode lock, creating a circular wait condition.

Impact

Exploitation of this vulnerability leads to a deadlock, causing tasks to hang indefinitely while waiting for each other to release locks.

Reproduction

The deadlock can be reproduced with two tasks that exercise the NTFS3 file system's compressed frame handling. Task A enters the 'ntfs_read_folio' function for a specific page and acquires the inode lock. Task A then calls 'ni_read_folio_cmpr', which attempts to lock all pages in the compressed frame, including a page that Task B has already locked. Task B then calls 'ntfs_read_folio' and waits for the inode lock held by Task A, while Task A waits for the page lock held by Task B.

Remediation

The vulnerability has been addressed by changing the lock order. The inode lock is no longer acquired in the 'ntfs_read_folio' function. Instead, it is obtained in 'ni_read_folio_cmpr' only after all necessary page locks have been secured, restoring the correct lock order consistent with the Virtual File System (VFS) requirements.
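
The lock orders described under Reproduction and Remediation can be checked with a small lockdep-style order graph. This is an added userspace example, not kernel code or the actual patch; the lock classes, 'model_lock', 'order_inverts' and the two sequences are hypothetical names built from the description above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Lock classes in this userspace model (constructed; not kernel code). */
enum lock_class { LC_PAGE, LC_INODE, LC_MAX };

struct order_graph {
    bool edge[LC_MAX][LC_MAX]; /* edge[a][b]: b acquired while a was held */
    bool held[LC_MAX];         /* classes the modelled task holds now */
};

/* Record an acquisition and the ordering edges it creates. */
static void model_lock(struct order_graph *g, enum lock_class cls)
{
    for (int h = 0; h < LC_MAX; h++)
        if (g->held[h] && h != (int)cls)
            g->edge[h][cls] = true;
    g->held[cls] = true;
}

/* Replay one acquisition sequence; true if any two classes were taken in
 * both orders, which is the precondition for an ABBA deadlock. */
bool order_inverts(const enum lock_class *seq, size_t n)
{
    struct order_graph g = {0};
    for (size_t i = 0; i < n; i++)
        model_lock(&g, seq[i]);
    for (int a = 0; a < LC_MAX; a++)
        for (int b = a + 1; b < LC_MAX; b++)
            if (g.edge[a][b] && g.edge[b][a])
                return true;
    return false;
}

/* Before the fix: entry page, inode lock in ntfs_read_folio, frame pages. */
const enum lock_class OLD_ORDER[] = { LC_PAGE, LC_INODE, LC_PAGE };
/* After the fix: all page locks, then inode lock in ni_read_folio_cmpr. */
const enum lock_class FIXED_ORDER[] = { LC_PAGE, LC_PAGE, LC_INODE };

int main(void)
{
    printf("old order inverts:   %d\n", order_inverts(OLD_ORDER, 3));
    printf("fixed order inverts: %d\n", order_inverts(FIXED_ORDER, 3));
    return 0;
}
```

Locks of the same class taken back to back (page after page) add no edge, so only the page/inode ordering is evaluated.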

Added: May 27, 2026, 2:29 PM
Updated: May 27, 2026, 2:29 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.