From: Greg Kroah-Hartman Date: Sun, 24 Aug 2025 07:03:22 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v5.4.297~44 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0b1356b436aceace705eb5462f726aa1416d4276;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: ovl-use-i_mutex_parent-when-locking-parent-in-ovl_create_temp.patch --- diff --git a/queue-6.12/ovl-use-i_mutex_parent-when-locking-parent-in-ovl_create_temp.patch b/queue-6.12/ovl-use-i_mutex_parent-when-locking-parent-in-ovl_create_temp.patch new file mode 100644 index 0000000000..8793745aef --- /dev/null +++ b/queue-6.12/ovl-use-i_mutex_parent-when-locking-parent-in-ovl_create_temp.patch 
@@ -0,0 +1,46 @@ +From 5f1c8965e748c150d580a2ea8fbee1bd80d07a24 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Mon, 4 Aug 2025 22:11:28 +1000 +Subject: ovl: use I_MUTEX_PARENT when locking parent in ovl_create_temp() + +From: NeilBrown + +commit 5f1c8965e748c150d580a2ea8fbee1bd80d07a24 upstream. + +ovl_create_temp() treats "workdir" as a parent in which it creates an +object so it should use I_MUTEX_PARENT. + +Prior to the commit identified below the lock was taken by the caller +which sometimes used I_MUTEX_PARENT and sometimes used I_MUTEX_NORMAL. +The use of I_MUTEX_NORMAL was incorrect but unfortunately copied into +ovl_create_temp(). + +Note to backporters: This patch only applies after the last Fixes given +below (post v6.16). To fix the bug in v6.7 and later the +inode_lock() call in ovl_copy_up_workdir() needs to nest using +I_MUTEX_PARENT. + +Link: https://lore.kernel.org/all/67a72070.050a0220.3d72c.0022.GAE@google.com/ +Cc: stable@vger.kernel.org +Reported-by: syzbot+7836a68852a10ec3d790@syzkaller.appspotmail.com +Tested-by: syzbot+7836a68852a10ec3d790@syzkaller.appspotmail.com +Fixes: c63e56a4a652 ("ovl: do not open/llseek lower file with upper sb_writers held") +Fixes: d2c995581c7c ("ovl: Call ovl_create_temp() without lock held.") +Signed-off-by: NeilBrown +Signed-off-by: Amir Goldstein +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/copy_up.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -780,7 +780,7 @@ static int ovl_copy_up_workdir(struct ov + return err; + + ovl_start_write(c->dentry); +- inode_lock(wdir); ++ inode_lock_nested(wdir, I_MUTEX_PARENT); + temp = ovl_create_temp(ofs, c->workdir, &cattr); + inode_unlock(wdir); + ovl_end_write(c->dentry); diff --git a/queue-6.12/series b/queue-6.12/series index 47cfbe5302..2da87b8fc1 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -241,3 +241,4 @@ tracing-limit-access-to-parser-buffer-when-trace_get_user-failed.patch drm-i915-icl-tc-convert-aux-powered-warn-to-a-debug-message.patch compiler-remove-__addressable_asm-_str-again.patch drm-i915-icl-tc-cache-the-max-lane-count-value.patch +ovl-use-i_mutex_parent-when-locking-parent-in-ovl_create_temp.patch
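Review bot: in the fs/overlayfs/copy_up.c hunk of the queued patch, the one-line change is made in ovl_copy_up_workdir(), but the subject and first paragraph of the commit message still describe ovl_create_temp() taking the lock, and nothing in the message marks this as an adapted backport. The hunk shows the caller still holding the lock around the call (`inode_lock(wdir)` immediately before `ovl_create_temp(ofs, c->workdir, &cattr)`), which matches the "Note to backporters" paragraph rather than the upstream description. Suggest adding a short bracketed backport note next to the sign-offs stating that in this tree the lock is taken in ovl_copy_up_workdir() and that the nesting annotation was applied there, so that someone comparing this against upstream commit 5f1c8965e748 is not surprised by the different function. It is also worth confirming whether the `Fixes: d2c995581c7c` tag should be kept for this queue: the message says the lock moved out of the caller in that commit, and the context lines here show the lock still in the caller. The `inode_unlock(wdir)` pairing is unchanged, and `inode_lock_nested()` only changes the lockdep subclass, so no further locking change is needed in this hunk.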