From: Zhan Xusheng Date: Thu, 26 Mar 2026 09:12:32 +0000 (+0800) Subject: fs/ntfs3: fix potential double iput on d_make_root() failure X-Git-Tag: ceph-for-7.1-rc4~166^2~3 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=d1062683bf6b560b31f287eb0ebde4841bc72376;p=ceph-client.git fs/ntfs3: fix potential double iput on d_make_root() failure d_make_root() consumes the reference to the passed inode: it either attaches it to the newly created dentry on success, or drops it via iput() on failure. In the error path, the code currently does: sb->s_root = d_make_root(inode); if (!sb->s_root) goto put_inode_out; which leads to a second iput(inode) in put_inode_out. This results in a double iput and may trigger a use-after-free if the inode gets freed after the first iput(). Fix this by jumping directly to the common cleanup path, avoiding the extra iput(inode). Signed-off-by: Zhan Xusheng Signed-off-by: Konstantin Komarov --- diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c index 46160b06b635..57922edf1ae1 100644 --- a/fs/ntfs3/super.c +++ b/fs/ntfs3/super.c @@ -1704,7 +1704,7 @@ load_root: sb->s_root = d_make_root(inode); if (!sb->s_root) { err = -ENOMEM; - goto put_inode_out; + goto out; } if (boot2) {
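Review bot: The new `goto out;` in the `if (!sb->s_root)` branch under `load_root:` depends on the `out` label not dropping `inode` a second time, and that label's body is not in the visible context. Please confirm, or state in the commit message, that `out` performs no iput(inode) and copes with `sb->s_root` being NULL. A one-line comment above the check, saying that d_make_root() consumes the inode reference even on failure, would help keep a later cleanup from restoring the `put_inode_out` jump. The message describes a double iput that may lead to a use-after-free but carries no Fixes: tag; naming the commit that introduced the `goto put_inode_out` here would make backporting straightforward.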