Re: [PATCH] fs/ntfs3: fix potential double iput on d_make_root() failure

Next message: Lizhi Hou: "Re: [PATCH V1] accel/amdxdna: Handle DETACH_DEBUG_BO through config_debug_bo path"
Previous message: Rob Herring: "Re: [PATCH v5 1/3] dt-bindings: dma: arm-dma350: document combined and per-channel IRQ topologies"
In reply to: Al Viro: "Re: [PATCH] fs/ntfs3: fix potential double iput on d_make_root() failure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Konstantin Komarov

Date: Tue Apr 07 2026 - 13:23:26 EST

On 3/26/26 10:12, Zhan Xusheng wrote:

[You don't often get email from zhanxusheng1024@xxxxxxxxx. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

d_make_root() consumes the reference to the passed inode: it either
attaches it to the newly created dentry on success, or drops it via
iput() on failure.

In the error path, the code currently does:
sb->s_root = d_make_root(inode);
if (!sb->s_root)
goto put_inode_out;

which leads to a second iput(inode) in put_inode_out. This results in
a double iput and may trigger a use-after-free if the inode gets freed
after the first iput().

Fix this by jumping directly to the common cleanup path, avoiding the
extra iput(inode).

Signed-off-by: Zhan Xusheng <zhanxusheng@xxxxxxxxxx>
---
fs/ntfs3/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index 174a7cb202a0..d0dad15076ca 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -1673,7 +1673,7 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
sb->s_root = d_make_root(inode);
if (!sb->s_root) {
err = -ENOMEM;
- goto put_inode_out;
+ goto out;
}

if (boot2) {
--
2.43.0

Hello,

Thanks for the patch. It was applied.
I'm going to take a closer look at this problem.

Regards,
Konstantin