Commit db03d390 authored by Miklos Szeredi's avatar Miklos Szeredi
Browse files

ovl: fix copy-up in tmpfile 



Move ovl_copy_up() call outside of ovl_want_write()/ovl_drop_write()
region, since copy up may also call ovl_want_write() resulting in recursive
locking on sb->s_writers.

Reported-and-tested-by: default avatar <syzbot+85e58cdf5b3136471d4b@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/all/000000000000f6865106191c3e58@google.com/


Fixes: 9a87907d ("ovl: implement tmpfile")
Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
parent 1613e604

fs/overlayfs/dir.c

+4 −4
Original line number Diff line number Diff line
@@ -1314,10 +1314,6 @@ static int ovl_create_tmpfile(struct file *file, struct dentry *dentry, 
	int flags = file->f_flags | OVL_OPEN_FLAGS;

	int err;



	err = ovl_copy_up(dentry->d_parent);

	if (err)

		return err;



	old_cred = ovl_override_creds(dentry->d_sb);

	err = ovl_setup_cred_for_create(dentry, inode, mode, old_cred);

	if (err)
@@ -1360,6 +1356,10 @@ static int ovl_tmpfile(struct mnt_idmap *idmap, struct inode *dir, 
	if (!OVL_FS(dentry->d_sb)->tmpfile)

		return -EOPNOTSUPP;



	err = ovl_copy_up(dentry->d_parent);

	if (err)

		return err;



	err = ovl_want_write(dentry);

	if (err)

		return err;