commit
02f312754c87 ("ntfs3: fix use-after-free of sbi->options in cmp_fnames") introduced a use-after-free bug
due to improper handling of sbi->options in error paths. This resulted in crashes when superblock cleanup
is performed in ntfs_put_super.
This patch ensures that the options structure and its subfields are properly freed, preventing the memory
corruption and use-after-free errors.
Fixes: 02f312754c87 ("ntfs3: fix use-after-free of sbi->options in cmp_fnames")
Reported-by: syzbot+cc433e4cd6d54736bf80@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cc433e4cd6d54736bf80
Signed-off-by: YangWen <anmuxixixi@gmail.com>
[almaz.alexandrovich@paragon-software.com: added fixes and closes tags]
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
if (sbi->options) {
unload_nls(sbi->options->nls);
- kfree(sbi->options->nls);
+ kfree(sbi->options->nls_name);
kfree(sbi->options);
sbi->options = NULL;
}
}
}
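Review bot: The teardown sequence inside `if (sbi->options)` here is repeated verbatim under `out:` in the last hunk, and the wrong `kfree()` argument this commit corrects had to be fixed in both copies. Moving the sequence into one static helper that takes the options pointer, called from both places, would keep the list of owned fields in a single spot; if the file already has a release helper for mount options (not visible here), calling it would be enough. A comment such as `/* nls is released with unload_nls() only; nls_name is the kmalloc'ed string */` would record why the two fields are released differently. The enclosing function starts above the hunk.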
sbi->options = options;
+ fc->fs_private = NULL;
sb->s_flags |= SB_NODIRATIME;
sb->s_magic = 0x7366746e; // "ntfs"
sb->s_op = &ntfs_sops;
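Review bot: The added `fc->fs_private = NULL;` is an ownership hand-off that nothing on the line explains; a comment above it would help, e.g. `/* sbi owns options from here on; clear fs_private so fs_context teardown cannot free them again */`. That reading is inferred, because the fs_context free handler is outside the hunk, so please confirm it treats a NULL `fs_private` as nothing to free. Failures before this point leave the options with `fc` and failures after it leave them with `sbi`; saying so in the comment makes the `out:` cleanup in the last hunk easier to audit for a double free.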
out:
if (sbi && sbi->options) {
unload_nls(sbi->options->nls);
- kfree(sbi->options->nls);
+ kfree(sbi->options->nls_name);
kfree(sbi->options);
sbi->options = NULL;
}
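Review bot: The `out:` block frees the options and sets `sbi->options = NULL`, but nothing visible shows that it runs after the last code that reads `sbi->options` on the failure path. The commit being fixed names cmp_fnames as a reader of `sbi->options`; if inodes loaded before the failure are released after this block, such a reader would meet a NULL pointer instead of freed memory. The rest of the error path lies outside the hunk, so this is a question rather than a finding. Once the order is confirmed, a comment such as `/* no inode is released after this point, so nothing reads sbi->options again */` would keep a later reordering from reintroducing the bug.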