ovl: call posix_acl_release() after error checking

The current placement of posix_acl_release() in ovl_set_or_remove_acl()
means it can be called on an error pointer instead of actual acls.
Fix this by moving the posix_acl_release() call after the error handling.

Fixes: 0e641857322f ("ovl: implement set acl method") # mainline only
Reported-by: syzbot+3f6ef1c4586bb6fd1f61@syzkaller.appspotmail.com
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>

diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index 77a77fd..ee6dfa5 100644 (file)
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -621,11 +621,11 @@ static int ovl_set_or_remove_acl(struct dentry *dentry, struct inode *inode,
                real_acl = vfs_get_acl(mnt_user_ns(realpath.mnt), realdentry,
                                       acl_name);
                revert_creds(old_cred);
-               posix_acl_release(real_acl);
                if (IS_ERR(real_acl)) {
                        err = PTR_ERR(real_acl);
                        goto out_drop_write;
                }
+               posix_acl_release(real_acl);
        }
 
        if (!upperdentry) {