From d1062683bf6b560b31f287eb0ebde4841bc72376 Mon Sep 17 00:00:00 2001 From: Zhan Xusheng Date: Thu, 26 Mar 2026 17:12:32 +0800 Subject: [PATCH] fs/ntfs3: fix potential double iput on d_make_root() failure d_make_root() consumes the reference to the passed inode: it either attaches it to the newly created dentry on success, or drops it via iput() on failure. In the error path, the code currently does: sb->s_root = d_make_root(inode); if (!sb->s_root) goto put_inode_out; which leads to a second iput(inode) in put_inode_out. This results in a double iput and may trigger a use-after-free if the inode gets freed after the first iput(). Fix this by jumping directly to the common cleanup path, avoiding the extra iput(inode). Signed-off-by: Zhan Xusheng Signed-off-by: Konstantin Komarov --- fs/ntfs3/super.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c index 46160b06b635..57922edf1ae1 100644 --- a/fs/ntfs3/super.c +++ b/fs/ntfs3/super.c @@ -1704,7 +1704,7 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc) sb->s_root = d_make_root(inode); if (!sb->s_root) { err = -ENOMEM; - goto put_inode_out; + goto out; } if (boot2) {
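Review bot: the `goto out` is only correct if the `out:` label's cleanup never touches the inode that d_make_root() has already released; the label is outside the visible context, so confirm that `out:` tears down only sbi/fc state and contains no `iput(inode)`, and consider a one-line comment above the goto such as `/* d_make_root() already dropped our inode reference */` so a later reader does not "fix" it back to `put_inode_out`. The hunk keeps `err = -ENOMEM;` before the jump, which is right since d_make_root() reports failure only by returning NULL. On the trailer: the message describes a double iput that can become a use-after-free, yet it carries only Signed-off-by lines; add a Fixes: tag for the commit that introduced the `put_inode_out` jump (and Cc: stable) so the change reaches stable kernels.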