[PATCH 6.17 043/146] ovl: fail ovl_lock_rename_workdir() if either target is unhashed

6.17-stable review patch. If anyone has any objections, please let me know.

------------------

From: NeilBrown neil@brown.name

[ Upstream commit e9c70084a64e51b65bb68f810692a03dc8bedffa ]

As well as checking that the parent hasn't changed after getting the lock we need to check that the dentry hasn't been unhashed. Otherwise we might try to rename something that has been removed.

Reported-by: syzbot+bfc9a0ccf0de47d04e8c@syzkaller.appspotmail.com Fixes: d2c995581c7c ("ovl: Call ovl_create_temp() without lock held.") Signed-off-by: NeilBrown neil@brown.name Link: https://patch.msgid.link/176429295510.634289.1552337113663461690@noble.neil.... Tested-by: syzbot+bfc9a0ccf0de47d04e8c@syzkaller.appspotmail.com Reviewed-by: Amir Goldstein amir73il@gmail.com Signed-off-by: Christian Brauner brauner@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- fs/overlayfs/util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c index 41033bac96cbb..ab652164ffc90 100644 --- a/fs/overlayfs/util.c +++ b/fs/overlayfs/util.c @@ -1234,9 +1234,9 @@ int ovl_lock_rename_workdir(struct dentry *workdir, struct dentry *work, goto err; if (trap) goto err_unlock; - if (work && work->d_parent != workdir) + if (work && (work->d_parent != workdir || d_unhashed(work))) goto err_unlock; - if (upper && upper->d_parent != upperdir) + if (upper && (upper->d_parent != upperdir || d_unhashed(upper))) goto err_unlock;

return 0;