Unverified Commit d1062683 authored Mar 26, 2026 by Zhan Xusheng Committed by Konstantin Komarov Apr 07, 2026

fs/ntfs3: fix potential double iput on d_make_root() failure



d_make_root() consumes the reference to the passed inode: it either
attaches it to the newly created dentry on success, or drops it via
iput() on failure.

In the error path, the code currently does:
    sb->s_root = d_make_root(inode);
    if (!sb->s_root)
        goto put_inode_out;

which leads to a second iput(inode) in put_inode_out. This results in
a double iput and may trigger a use-after-free if the inode gets freed
after the first iput().

Fix this by jumping directly to the common cleanup path, avoiding the
extra iput(inode).

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>

parent 984a415f

fs/ntfs3/super.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1704,7 +1704,7 @@ static int ntfs_fill_super(struct super_block sb, struct fs_context fc)
		sb->s_root = d_make_root(inode);
		if (!sb->s_root) {
		err = -ENOMEM;
		goto put_inode_out;
		goto out;
		}

		if (boot2) {