    ovl: fix oops in ovl_indexdir_cleanup() with nfs_export=on · 20396365
    Amir Goldstein authored
    Mounting with nfs_export=on, xfstests overlay/031 triggers a kernel panic
    since v5.8-rc1 overlayfs updates.
    
     overlayfs: orphan index entry (index/00fb1..., ftype=4000, nlink=2)
     BUG: kernel NULL pointer dereference, address: 0000000000000030
     RIP: 0010:ovl_cleanup_and_whiteout+0x28/0x220 [overlay]
    
    Bisect point at commit c21c839b ("ovl: whiteout inode sharing")
    
    Minimal reproducer:
    --------------------------------------------------
    rm -rf l u w m
    mkdir -p l u w m
    mkdir -p l/testdir
    touch l/testdir/testfile
    mount -t overlay -o lowerdir=l,upperdir=u,workdir=w,nfs_export=on overlay m
    echo 1 > m/testdir/testfile
    umount m
    rm -rf u/testdir
    mount -t overlay -o lowerdir=l,upperdir=u,workdir=w,nfs_export=on overlay m
    umount m
    --------------------------------------------------
    
    When mounting with nfs_export=on and failing to verify an orphan index, we
    clean this index from indexdir by calling ovl_cleanup_and_whiteout().
    This dereferences ofs->workdir, which was earlier set to NULL.
    
    The design was that ovl->workdir will point at ovl->indexdir, but we are
    assigning ofs->indexdir to ofs->workdir only after ovl_indexdir_cleanup().
    There is no reason not to do it sooner, because once we get success from
    ofs->indexdir = ovl_workdir_create(... there is no turning back.

    Reported-and-tested-by: Murphy Zhou <jencce.kernel@gmail.com>
    Fixes: c21c839b ("ovl: whiteout inode sharing")
    Signed-off-by: Amir Goldstein <amir73il@gmail.com>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>