ovl: fix missing negative dentry check in ovl_rename()

commit a295aef603e109a47af355477326bd41151765b6 upstream.

The following reproducer

  mkdir lower upper work merge
  touch lower/old
  touch lower/new
  mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge
  rm merge/new
  mv merge/old merge/new & unlink upper/new

may result in this race:

PROCESS A:
  rename("merge/old", "merge/new");
  overwrite=true,ovl_lower_positive(old)=true,
  ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE

PROCESS B:
  unlink("upper/new");

PROCESS A:
  lookup newdentry in new_upperdir
  call vfs_rename() with negative newdentry and RENAME_EXCHANGE

Fix by adding the missing check for negative newdentry.

Signed-off-by: Zheng Liang <zhengliang6@huawei.com>
Fixes: e9be9d5e76e3 ("overlay filesystem")
Cc: <stable@vger.kernel.org> # v3.18
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index 08b595c..16955a3 100644 (file)
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -1214,9 +1214,13 @@ static int ovl_rename(struct inode *olddir, struct dentry *old,
                                goto out_dput;
                }
        } else {
-               if (!d_is_negative(newdentry) &&
-                   (!new_opaque || !ovl_is_whiteout(newdentry)))
-                       goto out_dput;
+               if (!d_is_negative(newdentry)) {
+                       if (!new_opaque || !ovl_is_whiteout(newdentry))
+                               goto out_dput;
+               } else {
+                       if (flags & RENAME_EXCHANGE)
+                               goto out_dput;
+               }
        }
 
        if (olddentry == trap)