From: NeilBrown <neil@brown.name>
Date: Fri, 28 Nov 2025 01:22:35 +0000 (+1100)
Subject: ovl: fail ovl_lock_rename_workdir() if either target is unhashed
X-Git-Tag: v6.18~7^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e9c70084a64e51b65bb68f810692a03dc8bedffa;p=thirdparty%2Flinux.git

ovl: fail ovl_lock_rename_workdir() if either target is unhashed

As well as checking that the parent hasn't changed after getting the
lock we need to check that the dentry hasn't been unhashed.
Otherwise we might try to rename something that has been removed.

Reported-by: syzbot+bfc9a0ccf0de47d04e8c@syzkaller.appspotmail.com
Fixes: d2c995581c7c ("ovl: Call ovl_create_temp() without lock held.")
Signed-off-by: NeilBrown <neil@brown.name>
Link: https://patch.msgid.link/176429295510.634289.1552337113663461690@noble.neil.brown.name
Tested-by: syzbot+bfc9a0ccf0de47d04e8c@syzkaller.appspotmail.com
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
---

diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index f76672f2e686a..82373dd1ce6e8 100644
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -1234,9 +1234,9 @@ int ovl_lock_rename_workdir(struct dentry *workdir, struct dentry *work,
 		goto err;
 	if (trap)
 		goto err_unlock;
-	if (work && work->d_parent != workdir)
+	if (work && (work->d_parent != workdir || d_unhashed(work)))
 		goto err_unlock;
-	if (upper && upper->d_parent != upperdir)
+	if (upper && (upper->d_parent != upperdir || d_unhashed(upper)))
 		goto err_unlock;
 
 	return 0;