[PATCH] fs/ntfs3: fix potential double iput on d_make_root() failure

[PATCH] fs/ntfs3: fix potential double iput on d_make_root() failure

[Zhan Xusheng]

d_make_root() consumes the reference to the passed inode: it either
attaches it to the newly created dentry on success, or drops it via
iput() on failure.

In the error path, the code currently does:
    sb->s_root = d_make_root(inode);
    if (!sb->s_root)
        goto put_inode_out;

which leads to a second iput(inode) in put_inode_out. This results in
a double iput and may trigger a use-after-free if the inode gets freed
after the first iput().

Fix this by jumping directly to the common cleanup path, avoiding the
extra iput(inode).

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
---
 fs/ntfs3/super.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index 174a7cb202a0..d0dad15076ca 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -1673,7 +1673,7 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
 	sb->s_root = d_make_root(inode);
 	if (!sb->s_root) {
 		err = -ENOMEM;
-		goto put_inode_out;
+		goto out;
 	}
 
 	if (boot2) {
-- 
2.43.0

Re: [PATCH] fs/ntfs3: fix potential double iput on d_make_root() failure

[Al Viro]

On Thu, Mar 26, 2026 at 05:12:32PM +0800, Zhan Xusheng wrote:
> d_make_root() consumes the reference to the passed inode: it either
> attaches it to the newly created dentry on success, or drops it via
> iput() on failure.
> 
> In the error path, the code currently does:
>     sb->s_root = d_make_root(inode);
>     if (!sb->s_root)
>         goto put_inode_out;
> 
> which leads to a second iput(inode) in put_inode_out. This results in
> a double iput and may trigger a use-after-free if the inode gets freed
> after the first iput().
> 
> Fix this by jumping directly to the common cleanup path, avoiding the
> extra iput(inode).

Matter of fact, the whole put_inode_out should go; if you *ever* get
an inode with NULL ->i_op, it's a bug.

NULL should never be stored there; not even transiently.  Yes, ntfs_read_mft()
_is_ bogus, as NTFS folks had been repeatedly told before, to no visible effect.

Re: [PATCH] fs/ntfs3: fix potential double iput on d_make_root() failure

[Konstantin Komarov]

On 3/26/26 10:12, Zhan Xusheng wrote:

> [You don't often get email from zhanxusheng1024@gmail.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
>
> d_make_root() consumes the reference to the passed inode: it either
> attaches it to the newly created dentry on success, or drops it via
> iput() on failure.
>
> In the error path, the code currently does:
>      sb->s_root = d_make_root(inode);
>      if (!sb->s_root)
>          goto put_inode_out;
>
> which leads to a second iput(inode) in put_inode_out. This results in
> a double iput and may trigger a use-after-free if the inode gets freed
> after the first iput().
>
> Fix this by jumping directly to the common cleanup path, avoiding the
> extra iput(inode).
>
> Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
> ---
>   fs/ntfs3/super.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
> index 174a7cb202a0..d0dad15076ca 100644
> --- a/fs/ntfs3/super.c
> +++ b/fs/ntfs3/super.c
> @@ -1673,7 +1673,7 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
>          sb->s_root = d_make_root(inode);
>          if (!sb->s_root) {
>                  err = -ENOMEM;
> -               goto put_inode_out;
> +               goto out;
>          }
>
>          if (boot2) {
> --
> 2.43.0
>
Hello,

Thanks for the patch. It was applied.
I'm going to take a closer look at this problem.

Regards,
Konstantin