ovl: fail ovl_lock_rename_workdir() if either target is unhashed

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

As well as checking that the parent hasn't changed after getting the
lock we need to check that the dentry hasn't been unhashed.
Otherwise we might try to rename something that has been removed.

Reported-by: syzbot+bfc9a0ccf0de47d04e8c@syzkaller.appspotmail.com
Fixes: d2c995581c7c ("ovl: Call ovl_create_temp() without lock held.")
Signed-off-by: NeilBrown <neil@brown.name>
Link: https://patch.msgid.link/176429295510.634289.1552337113663461690@noble.neil.brown.name
Tested-by: syzbot+bfc9a0ccf0de47d04e8c@syzkaller.appspotmail.com
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>

authored by

NeilBrown and committed by

Christian Brauner 4 months ago e9c70084 7b6dcd9b

+2 -2

1 changed file

expand all

overlayfs

util.c

+2 -2

fs/overlayfs/util.c

··· 1234 1234 goto err; 1235 1235 if (trap) 1236 1236 goto err_unlock; 1237 - if (work && work->d_parent != workdir) 1237 + if (work && (work->d_parent != workdir || d_unhashed(work))) 1238 1238 goto err_unlock; 1239 - if (upper && upper->d_parent != upperdir) 1239 + if (upper && (upper->d_parent != upperdir || d_unhashed(upper))) 1240 1240 goto err_unlock; 1241 1241 1242 1242 return 0;