[PATCH 0/2] ntfs3: fix deadlocks in ntfs_readdir caused by ni_lock held across dir_emit
From: Yun Zhou
Date: Tue Jun 30 2026 - 21:31:42 EST
Commit d62cf685d12e ("fs/ntfs3: hold ni_lock across readdir metadata
walk") extended ni_lock to cover the entire directory walk in
ntfs_readdir(), including dir_emit() calls that copy data to userspace.
This introduced multiple deadlocks reported by syzkaller:
1. Recursive ni_lock: ntfs_dir_emit() -> ntfs_iget5() -> mi_read()
tries to acquire ni_lock on a child inode with the same lock class
while the parent's ni_lock is already held.
2. Lock-order inversions: dir_emit() may trigger page faults that need
mmap_lock or mapping->invalidate_lock, conflicting with paths that
acquire those locks before ni_lock (ntfs_fallocate, mmap).
This series fixes both issues:
- Patch 1 removes the ntfs_iget5() call that caused recursive locking.
- Patch 2 releases ni_lock before calling dir_emit(), using the XFS
approach of reading data into stable buffers under the lock, then
emitting to userspace after releasing it.
Yun Zhou (2):
ntfs3: remove ntfs_iget5 call in ntfs_dir_emit to fix recursive
deadlock
ntfs3: release ni_lock before dir_emit in ntfs_readdir to fix
deadlocks
fs/ntfs3/dir.c | 38 ++++++++++++++++++++------------------
1 file changed, 20 insertions(+), 18 deletions(-)
--
2.43.0
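A constructed userspace model of the two locking patterns described above, added here as an illustration and not code from this series or from fs/ntfs3: ni_lock is a pthread mutex, dir_emit() is a callback, and a callback that itself needs ni_lock stands in for the recursive-lock and page-fault cases, using trylock so the broken pattern fails visibly instead of hanging.

```c
#include <pthread.h>
#include <string.h>

/* Constructed model of the ntfs_readdir locking patterns; not ntfs3 code. */
#define MAX_ENTRIES 8
struct dir_entry { const char *name; unsigned long ino; };
struct dir_inode {
    pthread_mutex_t ni_lock;              /* protects entries[] and nr */
    struct dir_entry entries[MAX_ENTRIES];
    int nr;
};
/* Like dir_emit(): 1 = continue, 0 = stop. It may block on other locks
 * (page faults, a child's ni_lock), so it must not run under ni_lock. */
typedef int (*emit_fn)(struct dir_inode *, const char *, unsigned long);

/* Broken pattern (what the commit being fixed did): emit with ni_lock held. */
int readdir_emit_under_lock(struct dir_inode *d, emit_fn emit)
{
    int i, emitted = 0;
    pthread_mutex_lock(&d->ni_lock);
    for (i = 0; i < d->nr && emit(d, d->entries[i].name, d->entries[i].ino); i++)
        emitted++;
    pthread_mutex_unlock(&d->ni_lock);
    return emitted;
}

/* Fixed pattern: snapshot entries into a private stable buffer under
 * ni_lock, release the lock, then emit from the copy. */
int readdir_emit_unlocked(struct dir_inode *d, emit_fn emit)
{
    struct dir_entry buf[MAX_ENTRIES];
    int n, i, emitted = 0;
    pthread_mutex_lock(&d->ni_lock);
    n = d->nr;
    memcpy(buf, d->entries, sizeof(buf[0]) * (size_t)n);
    pthread_mutex_unlock(&d->ni_lock);
    for (i = 0; i < n && emit(d, buf[i].name, buf[i].ino); i++)
        emitted++;
    return emitted;
}

/* Emit callback that itself needs ni_lock (models the recursive-lock case). */
int emit_needing_ni_lock(struct dir_inode *d, const char *name, unsigned long ino)
{
    (void)name; (void)ino;
    if (pthread_mutex_trylock(&d->ni_lock) != 0) return 0; /* would deadlock */
    pthread_mutex_unlock(&d->ni_lock);
    return 1;
}

/* Constructed sample directory with three entries. */
struct dir_inode sample_dir = {
    PTHREAD_MUTEX_INITIALIZER, { { "a.txt", 64 }, { "b.txt", 65 }, { "c.txt", 66 } }, 3 };
```

With the callback above, the locked variant emits nothing because the re-acquisition fails on the first entry, while the unlocked variant emits all three.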