fs/ntfs3: fix potential double iput on d_make_root() failure

Zhan Xusheng · aalexandrovich · commit d1062683bf6b · 2026-04-07T18:43:39.000+02:00
d_make_root() consumes the reference to the passed inode: it either
attaches it to the newly created dentry on success, or drops it via
iput() on failure.

In the error path, the code currently does:
    sb-&gt;s_root = d_make_root(inode);
    if (!sb-&gt;s_root)
        goto put_inode_out;

which leads to a second iput(inode) in put_inode_out. This results in
a double iput and may trigger a use-after-free if the inode gets freed
after the first iput().

Fix this by jumping directly to the common cleanup path, avoiding the
extra iput(inode).

Signed-off-by: Zhan Xusheng &lt;zhanxusheng@xiaomi.com&gt;
Signed-off-by: Konstantin Komarov &lt;almaz.alexandrovich@paragon-software.com&gt;
diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
@@ -1704,7 +1704,7 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
 	sb->s_root = d_make_root(inode);
 	if (!sb->s_root) {
 		err = -ENOMEM;
-		goto put_inode_out;
+		goto out;
 	}
 
 	if (boot2) {

Original file line number	Diff line number	Diff line change
`@@ -1704,7 +1704,7 @@ static int ntfs_fill_super(struct super_block sb, struct fs_context fc)`
`1704`	`1704`	`sb->s_root = d_make_root(inode);`
`1705`	`1705`	`if (!sb->s_root) {`
`1706`	`1706`	`err = -ENOMEM;`
`1707`		`- goto put_inode_out;`
	`1707`	`+ goto out;`
`1708`	`1708`	`}`
`1709`	`1709`
`1710`	`1710`	`if (boot2) {`