]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7b6dcd9)
ovl: fail ovl_lock_rename_workdir() if either target is unhashed
authorNeilBrown <neil@brown.name>
Fri, 28 Nov 2025 01:22:35 +0000 (12:22 +1100)
committerChristian Brauner <brauner@kernel.org>
Fri, 28 Nov 2025 09:42:32 +0000 (10:42 +0100)
As well as checking that the parent hasn't changed after getting the
lock we need to check that the dentry hasn't been unhashed.
Otherwise we might try to rename something that has been removed.

Reported-by: syzbot+bfc9a0ccf0de47d04e8c@syzkaller.appspotmail.com
Fixes: d2c995581c7c ("ovl: Call ovl_create_temp() without lock held.")
Signed-off-by: NeilBrown <neil@brown.name>
Link: https://patch.msgid.link/176429295510.634289.1552337113663461690@noble.neil.brown.name
Tested-by: syzbot+bfc9a0ccf0de47d04e8c@syzkaller.appspotmail.com
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
fs/overlayfs/util.c patch | blob | blame | history

diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index f76672f2e686a44b8b417afd6bd9e44e6328ed82..82373dd1ce6e862b87a4bce2ee8ba2104a2375fb 100644 (file)
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -1234,9 +1234,9 @@ int ovl_lock_rename_workdir(struct dentry *workdir, struct dentry *work,
                goto err;
        if (trap)
                goto err_unlock;
-       if (work && work->d_parent != workdir)
+       if (work && (work->d_parent != workdir || d_unhashed(work)))
                goto err_unlock;
-       if (upper && upper->d_parent != upperdir)
+       if (upper && (upper->d_parent != upperdir || d_unhashed(upper)))
                goto err_unlock;
 
        return 0;
A mirror of Linus' kernel repository