From: Greg Kroah-Hartman
Date: Sun, 24 Aug 2025 07:03:31 +0000 (+0200)
Subject: 6.16-stable patches
X-Git-Tag: v5.4.297~43
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2451668d6d20fbfb8534f4301cee7fcb71187379;p=thirdparty%2Fkernel%2Fstable-queue.git

6.16-stable patches

added patches:
	ovl-use-i_mutex_parent-when-locking-parent-in-ovl_create_temp.patch
---
diff --git a/queue-6.16/ovl-use-i_mutex_parent-when-locking-parent-in-ovl_create_temp.patch b/queue-6.16/ovl-use-i_mutex_parent-when-locking-parent-in-ovl_create_temp.patch new file mode 100644 index 0000000000..239af6223b --- /dev/null +++ b/queue-6.16/ovl-use-i_mutex_parent-when-locking-parent-in-ovl_create_temp.patch 
@@ -0,0 +1,46 @@ +From 5f1c8965e748c150d580a2ea8fbee1bd80d07a24 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Mon, 4 Aug 2025 22:11:28 +1000 +Subject: ovl: use I_MUTEX_PARENT when locking parent in ovl_create_temp() + +From: NeilBrown + +commit 5f1c8965e748c150d580a2ea8fbee1bd80d07a24 upstream. + +ovl_create_temp() treats "workdir" as a parent in which it creates an +object so it should use I_MUTEX_PARENT. + +Prior to the commit identified below the lock was taken by the caller +which sometimes used I_MUTEX_PARENT and sometimes used I_MUTEX_NORMAL. +The use of I_MUTEX_NORMAL was incorrect but unfortunately copied into +ovl_create_temp(). + +Note to backporters: This patch only applies after the last Fixes given +below (post v6.16). To fix the bug in v6.7 and later the +inode_lock() call in ovl_copy_up_workdir() needs to nest using +I_MUTEX_PARENT. + +Link: https://lore.kernel.org/all/67a72070.050a0220.3d72c.0022.GAE@google.com/ +Cc: stable@vger.kernel.org +Reported-by: syzbot+7836a68852a10ec3d790@syzkaller.appspotmail.com +Tested-by: syzbot+7836a68852a10ec3d790@syzkaller.appspotmail.com +Fixes: c63e56a4a652 ("ovl: do not open/llseek lower file with upper sb_writers held") +Fixes: d2c995581c7c ("ovl: Call ovl_create_temp() without lock held.") +Signed-off-by: NeilBrown +Signed-off-by: Amir Goldstein +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/copy_up.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -779,7 +779,7 @@ static int ovl_copy_up_workdir(struct ov + return err; + + ovl_start_write(c->dentry); +- inode_lock(wdir); ++ inode_lock_nested(wdir, I_MUTEX_PARENT); + temp = ovl_create_temp(ofs, c->workdir, &cattr); + inode_unlock(wdir); + ovl_end_write(c->dentry); diff --git a/queue-6.16/series b/queue-6.16/series index 9420f4d7fd..fc1a771cd8 100644 --- a/queue-6.16/series +++ b/queue-6.16/series 
@@ -328,3 +328,4 @@ usb-dwc3-remove-warn_on-for-device-endpoint-command-timeouts.patch usb-dwc3-pci-add-support-for-the-intel-wildcat-lake.patch tracing-remove-unneeded-goto-out-logic.patch tracing-limit-access-to-parser-buffer-when-trace_get_user-failed.patch +ovl-use-i_mutex_parent-when-locking-parent-in-ovl_create_temp.patch
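Review bot: The diff carried inside the queued patch changes the inode_lock(wdir) call in ovl_copy_up_workdir(), while the subject and the "commit 5f1c8965e748c150d580a2ea8fbee1bd80d07a24 upstream." line describe a change in ovl_create_temp(), and nothing in the patch records that the hunk was adapted for 6.16. The "Note to backporters" paragraph gives the reason (d2c995581c7c is post v6.16, so in this tree the lock is still taken by the caller, as the context lines show), but a short bracketed note above the stable sign-off saying the change was applied to the caller per that paragraph would make the deviation from upstream explicit. Since the message also says callers "sometimes used I_MUTEX_PARENT and sometimes used I_MUTEX_NORMAL", it is worth confirming that ovl_copy_up_workdir() is the only 6.16 caller of ovl_create_temp() still taking the workdir lock without I_MUTEX_PARENT, because this hunk converts only that one site.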