In the Linux kernel, the following vulnerability has been resolved:
ovl: fix leaked dentry
Since commit 6815f479ca90 ("ovl: use only uppermetacopy state in ovl_lookup()"), overlayfs doesn't put temporary dentry when there is a metacopy error, which leads to dentry leaks when shutting down the related superblock:
  overlayfs: refusing to follow metacopy origin for (/file0)
  ...
  BUG: Dentry (____ptrval____){i=3f33,n=file3} still in use (1) [unmount of overlay overlay]
  ...
  WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d
  CPU: 1 PID: 432 Comm: unmount-overlay Not tainted 5.12.0-rc5 #1
  ...
  RIP: 0010:umount_check.cold+0x107/0x14d
  ...
  Call Trace:
   d_walk+0x28c/0x950
   ? dentry_lru_isolate+0x2b0/0x2b0
   ? __kasan_slab_free+0x12/0x20
   do_one_tree+0x33/0x60
   shrink_dcache_for_umount+0x78/0x1d0
   generic_shutdown_super+0x70/0x440
   kill_anon_super+0x3e/0x70
   deactivate_locked_super+0xc4/0x160
   deactivate_super+0xfa/0x140
   cleanup_mnt+0x22e/0x370
   __cleanup_mnt+0x1a/0x30
   task_work_run+0x139/0x210
   do_exit+0xb0c/0x2820
   ? __kasan_check_read+0x1d/0x30
   ? find_held_lock+0x35/0x160
   ? lock_release+0x1b6/0x660
   ? mm_update_next_owner+0xa20/0xa20
   ? reacquire_held_locks+0x3f0/0x3f0
   ? __sanitizer_cov_trace_const_cmp4+0x22/0x30
   do_group_exit+0x135/0x380
   __do_sys_exit_group.isra.0+0x20/0x20
   __x64_sys_exit_group+0x3c/0x50
   do_syscall_64+0x45/0x70
   entry_SYSCALL_64_after_hwframe+0x44/0xae
  ...
  VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds. Have a nice day...
This fix has been tested with a syzkaller reproducer.
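To check a host's kernel log for the symptom described above, the following added example (not part of the kernel commit or of this advisory) parses the "still in use" and "Busy inodes" messages and ties them to any earlier overlayfs metacopy refusal. The sample log is constructed from the excerpt above, and the names scan, LEAK_RE, METACOPY_RE and BUSY_RE are hypothetical.

```python
import re

# Constructed sample, modelled on the log excerpt quoted in this advisory.
SAMPLE_LOG = """\
overlayfs: refusing to follow metacopy origin for (/file0)
BUG: Dentry (____ptrval____){i=3f33,n=file3}  still in use (1) [unmount of overlay overlay]
WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d
VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds.  Have a nice day...
EXT4-fs (sda1): mounted filesystem with ordered data mode
"""

# Leaked-dentry warning: inode number is printed in hex, refcount in decimal.
LEAK_RE = re.compile(
    r"BUG: Dentry \S+?\{i=(?P<ino>[0-9a-f]+),n=(?P<name>[^}]*)\}\s+"
    r"still in use \((?P<count>-?\d+)\) "
    r"\[unmount of (?P<fstype>\S+) (?P<sb_id>[^\]]+)\]"
)
# The metacopy error that precedes the leak in the excerpt above.
METACOPY_RE = re.compile(
    r"overlayfs: refusing to follow metacopy origin for \((?P<path>.*)\)"
)
BUSY_RE = re.compile(
    r"VFS: Busy inodes after unmount of (?P<sb_id>\S+)\. Self-destruct"
)

def scan(text):
    """Return one finding per leaked dentry reported in a kernel log."""
    findings, refused = [], []
    for line in text.splitlines():
        # search() rather than match() so timestamp prefixes are tolerated
        if m := METACOPY_RE.search(line):
            refused.append(m["path"])
        elif m := LEAK_RE.search(line):
            is_ovl = m["fstype"] == "overlay"
            findings.append({
                "inode": int(m["ino"], 16),
                "name": m["name"],
                "refcount": int(m["count"]),
                "fstype": m["fstype"],
                "sb_id": m["sb_id"],
                # Earlier refusals point at the error path this fix covers.
                "metacopy_refusals": list(refused) if is_ovl else [],
                "busy_inodes": False,
            })
        elif m := BUSY_RE.search(line):
            for f in findings:
                if f["sb_id"] == m["sb_id"]:
                    f["busy_inodes"] = True
    return findings
```

A finding with fstype "overlay" and a non-empty metacopy_refusals list matches the pattern in this advisory; the same warning on another filesystem type indicates a different leak.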