ovl: fix BUG_ON() in may_delete() when called from ovl_cleanup()

If function ovl_instantiate() returns an error, ovl_cleanup will be called
and try to remove newdentry from wdir, but the newdentry has been moved to
udir at this time.  This will causes BUG_ON(victim->d_parent->d_inode !=
dir) in fs/namei.c:may_delete.

Signed-off-by: chenying <chenying.kernel@bytedance.com>
Fixes: 01b39dcc9568 ("ovl: use inode_insert5() to hash a newly created inode")
Link: https://lore.kernel.org/linux-unionfs/e6496a94-a161-dc04-c38a-d2544633acb4@bytedance.com/
Cc: <stable@vger.kernel.org> # v4.18
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index 9154222883e6432b61da112dd994d2ba050f8321..1fefb2b8960e94a8c9a7a1b81a5e70b83af4520f 100644 (file)
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -545,8 +545,10 @@ static int ovl_create_over_whiteout(struct dentry *dentry, struct inode *inode,
                        goto out_cleanup;
        }
        err = ovl_instantiate(dentry, inode, newdentry, hardlink);
-       if (err)
-               goto out_cleanup;
+       if (err) {
+               ovl_cleanup(udir, newdentry);
+               dput(newdentry);
+       }
 out_dput:
        dput(upper);
 out_unlock: