| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <176429295510.634289.1552337113663461690@noble.neil.brown.name>
Date: Fri, 28 Nov 2025 12:22:35 +1100
From: NeilBrown <neilb@...mail.net>
To: "syzbot" <syzbot+bfc9a0ccf0de47d04e8c@...kaller.appspotmail.com>
Cc: amir73il@...il.com, brauner@...nel.org, linux-kernel@...r.kernel.org,
linux-unionfs@...r.kernel.org, miklos@...redi.hu,
syzkaller-bugs@...glegroups.com
Subject:
[PATCH] ovl: fail ovl_lock_rename_workdir() if either target is unhashed
From: NeilBrown <neil@...wn.name>
As well as checking that the parent hasn't changed after getting the
lock we need to check that the dentry hasn't been unhashed.
Otherwise we might try to rename something that has been removed.
Reported-by: syzbot+bfc9a0ccf0de47d04e8c@...kaller.appspotmail.com
Fixes: d2c995581c7c ("ovl: Call ovl_create_temp() without lock held.")
Signed-off-by: NeilBrown <neil@...wn.name>
---
fs/overlayfs/util.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index f76672f2e686..82373dd1ce6e 100644
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -1234,9 +1234,9 @@ int ovl_lock_rename_workdir(struct dentry *workdir, struct dentry *work,
goto err;
if (trap)
goto err_unlock;
- if (work && work->d_parent != workdir)
+ if (work && (work->d_parent != workdir || d_unhashed(work)))
goto err_unlock;
- if (upper && upper->d_parent != upperdir)
+ if (upper && (upper->d_parent != upperdir || d_unhashed(upper)))
goto err_unlock;
return 0;
--
2.50.0.107.gf914562f5916.dirty
Powered by blists - more mailing lists