fs/ntfs3: fix potential double iput on d_make_root() failure

d_make_root() consumes the reference to the passed inode: it either
attaches it to the newly created dentry on success, or drops it via
iput() on failure.

In the error path, the code currently does:
    sb->s_root = d_make_root(inode);
    if (!sb->s_root)
        goto put_inode_out;

which leads to a second iput(inode) in put_inode_out. This results in
a double iput and may trigger a use-after-free if the inode gets freed
after the first iput().

Fix this by jumping directly to the common cleanup path, avoiding the
extra iput(inode).

Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>

diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index 46160b06b6357cdb3f9bd75e8ec21dfe7cedbe97..57922edf1ae19ff8799c9a39ebf5a63387c40364 100644 (file)
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -1704,7 +1704,7 @@ load_root:
        sb->s_root = d_make_root(inode);
        if (!sb->s_root) {
                err = -ENOMEM;
-               goto put_inode_out;
+               goto out;
        }
 
        if (boot2) {