ovl: fail ovl_lock_rename_workdir() if either target is unhashed

[ Upstream commit e9c70084a64e51b65bb68f810692a03dc8bedffa ]

As well as checking that the parent hasn't changed after getting the
lock we need to check that the dentry hasn't been unhashed.
Otherwise we might try to rename something that has been removed.

Reported-by: syzbot+bfc9a0ccf0de47d04e8c@syzkaller.appspotmail.com
Fixes: d2c995581c7c ("ovl: Call ovl_create_temp() without lock held.")
Signed-off-by: NeilBrown <neil@brown.name>
Link: https://patch.msgid.link/176429295510.634289.1552337113663461690@noble.neil.brown.name
Tested-by: syzbot+bfc9a0ccf0de47d04e8c@syzkaller.appspotmail.com
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index 41033bac96cbbb711103178e599876263c96d66a..ab652164ffc90c2a2490e548db48cedc9bfa4d00 100644 (file)
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -1234,9 +1234,9 @@ int ovl_lock_rename_workdir(struct dentry *workdir, struct dentry *work,
                goto err;
        if (trap)
                goto err_unlock;
-       if (work && work->d_parent != workdir)
+       if (work && (work->d_parent != workdir || d_unhashed(work)))
                goto err_unlock;
-       if (upper && upper->d_parent != upperdir)
+       if (upper && (upper->d_parent != upperdir || d_unhashed(upper)))
                goto err_unlock;
 
        return 0;