[PATCH 1/2] ntfs3: remove ntfs_iget5 call in ntfs_dir_emit to fix recursive deadlock

From: Yun Zhou

Date: Tue Jun 30 2026 - 21:31:43 EST


ntfs_dir_emit() calls ntfs_iget5() to refine the directory entry type
by reading the child inode's MFT record. However, ntfs_dir_emit() is
called from ntfs_readdir() under the parent directory's ni_lock, and
ntfs_iget5() -> mi_read() tries to acquire ni_lock on the child inode
with the same lock class, triggering a recursive locking deadlock.

Remove the ntfs_iget5() call. The dt_type derived from the directory
entry's FILE_ATTRIBUTE_DIRECTORY flag is sufficient for readdir. The
original code's own comment noted this approach was "not good idea".

Reported-by: syzbot+17f812893d5906837f33@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=17f812893d5906837f33
Fixes: d62cf685d12e ("fs/ntfs3: hold ni_lock across readdir metadata walk")
Signed-off-by: Yun Zhou <yun.zhou@xxxxxxxxxxxxx>
---
fs/ntfs3/dir.c | 16 ----------------
1 file changed, 16 deletions(-)

diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c
index 873d52233003..07de564a2c47 100644
--- a/fs/ntfs3/dir.c
+++ b/fs/ntfs3/dir.c
@@ -327,22 +327,6 @@ static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi,
*/
dt_type = (fname->dup.fa & FILE_ATTRIBUTE_DIRECTORY) ? DT_DIR : DT_REG;

- /*
- * It is not reliable to detect the type of name using duplicated information
- * stored in parent directory.
- * The only correct way to get the type of name - read MFT record and find ATTR_STD.
- * The code below is not good idea.
- * It does additional locks/reads just to get the type of name.
- * Should we use additional mount option to enable branch below?
- */
- if (fname->dup.extend_data && ino != ni->mi.rno) {
- struct inode *inode = ntfs_iget5(sbi->sb, &e->ref, NULL);
- if (!IS_ERR_OR_NULL(inode)) {
- dt_type = fs_umode_to_dtype(inode->i_mode);
- iput(inode);
- }
- }
-
return dir_emit(ctx, (s8 *)name, name_len, ino, dt_type);
}

--
2.43.0