[PATCH] fs/ntfs3: take run_lock when freeing offs_folio in ni_decompress_file

From: Weiming Shi

Date: Fri Jun 26 2026 - 06:24:25 EST


attr_wof_frame_info() allocates, caches and dereferences
ni->file.offs_folio under down_write(&ni->file.run_lock).
ni_decompress_file() frees the same folio with folio_put() without
taking run_lock. When a WOF externally-compressed file is opened for
write, ni_decompress_file() can drop the last reference while a
concurrent O_RDONLY reader is dereferencing the folio in
attr_wof_frame_info(), leading to a use-after-free:

BUG: KASAN: use-after-free in attr_wof_frame_info (fs/ntfs3/attrib.c:1619)
Read of size 4 at addr ffff8880120c9000 by task exploit
Call Trace:
attr_wof_frame_info (fs/ntfs3/attrib.c:1619)
ni_read_frame (fs/ntfs3/frecord.c:2421)
ni_read_folio_cmpr (fs/ntfs3/frecord.c:1916)
ntfs_read_folio (fs/ntfs3/inode.c:648)
read_pages (mm/readahead.c:181)
page_cache_ra_unbounded (mm/readahead.c:292)
force_page_cache_ra (mm/readahead.c:364)
page_cache_sync_ra (mm/readahead.c:573)
filemap_get_pages (mm/filemap.c:2688)
filemap_read (mm/filemap.c:2806)
generic_file_read_iter (mm/filemap.c:2994)
ntfs_file_read_iter (fs/ntfs3/file.c:842)
vfs_read (fs/read_write.c:574)
__x64_sys_pread64 (fs/read_write.c:773)

Take run_lock around the folio_put(), as is done for every other
access to ni->file.offs_folio.

Fixes: 4342306f0f0d ("fs/ntfs3: Add file operations and implementation")
Reported-by: Xiang Mei <xmei5@xxxxxxx>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Weiming Shi <bestswngs@xxxxxxxxx>
---
fs/ntfs3/frecord.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
index 2b49bc077558..b11961a1f8d8 100644
--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -2148,10 +2148,13 @@ int ni_decompress_file(struct ntfs_inode *ni)

/* Clear cached flag. */
ni->ni_flags &= ~NI_FLAG_COMPRESSED_MASK;
+ /* offs_folio is accessed under run_lock in attr_wof_frame_info(). */
+ down_write(&ni->file.run_lock);
if (ni->file.offs_folio) {
folio_put(ni->file.offs_folio);
ni->file.offs_folio = NULL;
}
+ up_write(&ni->file.run_lock);
mapping->a_ops = &ntfs_aops;

out:
--
2.43.0