Re: [PATCH] fs/ntfs3: fix potential double iput on d_make_root() failure

Next message: David Lechner: "Re: [PATCH 0/3] Move adis16203 inclinometer driver out of staging"
Previous message: Akhil P Oommen: "Re: [PATCH v2 2/3] arm64: dts: qcom: kaanpaali: Add USB support for MTP platform"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Al Viro

Date: Sat Apr 04 2026 - 12:15:59 EST

On Thu, Mar 26, 2026 at 05:12:32PM +0800, Zhan Xusheng wrote:
> d_make_root() consumes the reference to the passed inode: it either
> attaches it to the newly created dentry on success, or drops it via
> iput() on failure.
>
> In the error path, the code currently does:
> sb->s_root = d_make_root(inode);
> if (!sb->s_root)
> goto put_inode_out;
>
> which leads to a second iput(inode) in put_inode_out. This results in
> a double iput and may trigger a use-after-free if the inode gets freed
> after the first iput().
>
> Fix this by jumping directly to the common cleanup path, avoiding the
> extra iput(inode).

Matter of fact, the whole put_inode_out should go; if you *ever* get
an inode with NULL ->i_op, it's a bug.

NULL should never be stored there; not even transiently. Yes, ntfs_read_mft()
_is_ bogus, as NTFS folks had been repeatedly told before, to no visible effect.