From mboxrd@z Thu Jan 1 00:00:00 1970
X-Mailing-List: linux-kernel@vger.kernel.org
Date: Sat, 04 Apr 2026 08:07:37 -0700
In-Reply-To: <69cffde1.050a0220.182279.0017.GAE@google.com>
Message-ID: <69d12939.a70a0220.a26f2.000b.GAE@google.com>
Subject: Forwarded: [PATCH] ntfs3: fix deadlock in ntfs_force_shutdown
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ntfs3: fix deadlock in ntfs_force_shutdown
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

ntfs_force_shutdown() calls bdev_freeze() which internally calls
freeze_super(). freeze_super() calls sb_wait_write() which waits for
all active sb_writers holders to finish.

However active writers (ntfs_compress_write) can be stuck waiting for
ni->file.run_lock while holding the sb_writers read lock acquired via
file_start_write() in the VFS layer.

This creates a deadlock where freeze_super() waits for writers that
can never complete because they are blocked on run_lock contention.

Fix by removing bdev_freeze/bdev_thaw entirely. The shutdown bit
NTFS_FLAGS_SHUTDOWN_BIT is already checked at entry of all ntfs3 write
paths (file.c, inode.c, namei.c, frecord.c, fsntfs.c, super.c, xattr.c)
and causes them to return errors immediately, making further writes
impossible without risking a deadlock.

Reported-by: syzbot+5f6ca38579a76e303c1c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5f6ca38579a76e303c1c
Fixes: ae91dfe38966 ("fs/ntfs3: implement NTFS3_IOC_SHUTDOWN ioctl")
Signed-off-by: Deepanshu Kartikey
--- fs/ntfs3/file.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c index 7eecf1e01f74..cbbc7d81875f 100644 --- a/fs/ntfs3/file.c +++ b/fs/ntfs3/file.c
@@ -118,18 +118,12 @@ static int ntfs_ioctl_set_volume_label(struct ntfs_sb_info *sbi, u8 __user *buf) */ static int ntfs_force_shutdown(struct super_block *sb, u32 flags) { - int err; struct ntfs_sb_info *sbi = sb->s_fs_info; if (unlikely(ntfs3_forced_shutdown(sb))) return 0; - /* No additional options yet (flags). */ - err = bdev_freeze(sb->s_bdev); - if (err) - return err; set_bit(NTFS_FLAGS_SHUTDOWN_BIT, &sbi->flags); - bdev_thaw(sb->s_bdev); return 0; } -- 2.43.0
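
Review bot: In ntfs_force_shutdown(), once the bdev_freeze()/bdev_thaw() pair is gone, set_bit(NTFS_FLAGS_SHUTDOWN_BIT, &sbi->flags) is the only step left, so nothing waits for a writer that has already passed its entry check of the shutdown bit. The function can return 0 while such a writer (for example one blocked on ni->file.run_lock, as in the report) still goes on to modify the volume. The changelog's claim that the bit makes further writes impossible only holds for writers that have not yet entered. Please either state in the commit message that in-flight writes completing after the ioctl returns is acceptable for this shutdown path, or recheck the bit in the write paths after run_lock is taken. Separately, the flags argument is now unused and the removed comment "/* No additional options yet (flags). */" was its only documentation; consider keeping that comment above set_bit().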