ovl: fix dentry reference leak after changes to underlying layers

syzbot excercised the forbidden practice of moving the workdir under
lowerdir while overlayfs is mounted and tripped a dentry reference leak.

Fixes: c63e56a4a652 ("ovl: do not open/llseek lower file with upper sb_writers held")
Reported-and-tested-by: syzbot+8608bb4553edb8c78f41@syzkaller.appspotmail.com
Signed-off-by: Amir Goldstein <amir73il@gmail.com>

diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
index 4382881b070948cc21425c330153db7eebd065a0..8bea66c973161615358c3fb45d17872e8b9718e1 100644 (file)
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -753,15 +753,16 @@ static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
        path.dentry = temp;
        err = ovl_copy_up_data(c, &path);
        /*
-        * We cannot hold lock_rename() throughout this helper, because or
+        * We cannot hold lock_rename() throughout this helper, because of
         * lock ordering with sb_writers, which shouldn't be held when calling
         * ovl_copy_up_data(), so lock workdir and destdir and make sure that
         * temp wasn't moved before copy up completion or cleanup.
-        * If temp was moved, abort without the cleanup.
         */
        ovl_start_write(c->dentry);
        if (lock_rename(c->workdir, c->destdir) != NULL ||
            temp->d_parent != c->workdir) {
+               /* temp or workdir moved underneath us? abort without cleanup */
+               dput(temp);
                err = -EIO;
                goto unlock;
        } else if (err) {