>From 5cbdc1dd457f85fdbaa8f5840feeffee41f9aaae Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Thu, 2 Oct 2025 10:15:06 +0200
Subject: [PATCH] ns: Fix mnt ns ida handling in copy_mnt_ns()

Commit be5f21d3985f ("ns: add ns_common_free()") modified error cleanup
and started to free wrong inode number from the ida. Fix it.

Reported-by: syzbot+e0f8855a87443d6a2413@syzkaller.appspotmail.com
Fixes: be5f21d3985f ("ns: add ns_common_free()")
Signed-off-by: Jan Kara <jack@suse.cz>
---
 fs/namespace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index dc01b14c58cd..1ba97d745019 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -4165,7 +4165,7 @@ struct mnt_namespace *copy_mnt_ns(u64 flags, struct mnt_namespace *ns,
 	new = copy_tree(old, old->mnt.mnt_root, copy_flags);
 	if (IS_ERR(new)) {
 		namespace_unlock();
-		ns_common_free(ns);
+		ns_common_free(new_ns);
 		dec_mnt_namespaces(new_ns->ucounts);
 		mnt_ns_release(new_ns);
 		return ERR_CAST(new);
-- 
2.51.0