[PATCH 0/2] ntfs3: fix deadlocks in ntfs_readdir caused by ni_lock held across dir_emit

From: Yun Zhou

Date: Tue Jun 30 2026 - 21:31:42 EST


Commit d62cf685d12e ("fs/ntfs3: hold ni_lock across readdir metadata
walk") extended ni_lock to cover the entire directory walk in
ntfs_readdir(), including dir_emit() calls that copy data to userspace.
This introduced multiple deadlocks reported by syzkaller:

1. Recursive ni_lock: ntfs_dir_emit() -> ntfs_iget5() -> mi_read()
   tries to acquire ni_lock on a child inode with the same lock class
   while the parent's ni_lock is already held.

2. Lock-order inversions: dir_emit() may trigger page faults that need
   mmap_lock or mapping->invalidate_lock, conflicting with paths that
   acquire those locks before ni_lock (ntfs_fallocate, mmap).

This series fixes both issues:
- Patch 1 removes the ntfs_iget5() call that caused recursive locking.
- Patch 2 releases ni_lock before calling dir_emit(), using the XFS
  approach of reading data into stable buffers under the lock, then
  emitting to userspace after releasing it.

Yun Zhou (2):
  ntfs3: remove ntfs_iget5 call in ntfs_dir_emit to fix recursive
    deadlock
  ntfs3: release ni_lock before dir_emit in ntfs_readdir to fix
    deadlocks

 fs/ntfs3/dir.c | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)

--
2.43.0
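
The snapshot-then-emit pattern the cover letter describes for patch 2, as an added userspace model that is not code from this series or from ntfs3. The names toy_dir, toy_readdir, sink_emit and BATCH are hypothetical, and a boolean flag stands in for ni_lock; the position only advances past entries that were actually emitted, so a full user buffer resumes at the right entry.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define BATCH 4  /* entries copied per lock hold (assumed size) */
struct toy_dir { bool locked; const char *names[8]; size_t count; }; /* locked models ni_lock */
struct snap { char name[32]; size_t next; };   /* stable copy plus resume position */
struct sink { struct toy_dir *dir; size_t room, emitted; bool saw_lock; };
typedef bool (*emit_fn)(void *arg, const char *name);

/* Models dir_emit(): in the kernel it may fault, so it must never run under the lock. */
bool sink_emit(void *arg, const char *name)
{
    struct sink *s = arg;
    (void)name;
    if (s->dir->locked)
        s->saw_lock = true;            /* would be the deadlock window */
    if (s->room == 0)
        return false;                  /* user buffer full */
    s->room--;
    s->emitted++;
    return true;
}

/* Walks the directory from pos; returns the position to resume from. */
size_t toy_readdir(struct toy_dir *d, size_t pos, emit_fn emit, void *arg)
{
    struct snap buf[BATCH];

    while (pos < d->count) {
        size_t n = 0;

        d->locked = true;              /* take the lock: metadata walk only */
        for (size_t i = pos; i < d->count && n < BATCH; i++, n++) {
            snprintf(buf[n].name, sizeof(buf[n].name), "%s", d->names[i]);
            buf[n].next = i + 1;
        }
        d->locked = false;             /* drop the lock before any emit */

        for (size_t i = 0; i < n; i++) {
            if (!emit(arg, buf[i].name))
                return pos;            /* resume at the first un-emitted entry */
            pos = buf[i].next;
        }
    }
    return pos;
}

int main(void)
{
    struct toy_dir d = { false, { "a", "b", "c", "d", "e", "f" }, 6 }; /* constructed */
    struct sink s = { &d, 5, 0, false };
    printf("resume at %zu\n", toy_readdir(&d, 0, sink_emit, &s));
    return 0;
}
```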