[PATCH 6.12 138/414] ovl: Fix nested backing file paths

6.12-stable review patch. If anyone has any objections, please let me know.

------------------

From: André Almeida andrealmeid@igalia.com

commit 924577e4f6ca473de1528953a0e13505fae61d7b upstream.

When the lowerdir of an overlayfs is a merged directory of another overlayfs, ovl_open_realfile() will fail to open the real file and point to a lower dentry copy, without the proper parent path. After this, d_path() will then display the path incorrectly as if the file is placed in the root directory.

This bug can be triggered with the following setup:

mkdir -p ovl-A/lower ovl-A/upper ovl-A/merge ovl-A/work mkdir -p ovl-B/upper ovl-B/merge ovl-B/work

cp /bin/cat ovl-A/lower/

mount -t overlay overlay -o \ lowerdir=ovl-A/lower,upperdir=ovl-A/upper,workdir=ovl-A/work \ ovl-A/merge

mount -t overlay overlay -o \ lowerdir=ovl-A/merge,upperdir=ovl-B/upper,workdir=ovl-B/work \ ovl-B/merge

ovl-A/merge/cat /proc/self/maps | grep --color cat ovl-B/merge/cat /proc/self/maps | grep --color cat

The first cat will correctly show `/ovl-A/merge/cat`, while the second one shows just `/cat`.

To fix that, uses file_user_path() inside of backing_file_open() to get the correct file path for the dentry.

Co-developed-by: John Schoenick johns@valvesoftware.com Signed-off-by: John Schoenick johns@valvesoftware.com Signed-off-by: André Almeida andrealmeid@igalia.com Fixes: def3ae83da02 ("fs: store real path instead of fake path in backing file f_path") Cc: stable@vger.kernel.org # v6.7 Signed-off-by: Miklos Szeredi mszeredi@redhat.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/overlayfs/file.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/overlayfs/file.c +++ b/fs/overlayfs/file.c @@ -48,8 +48,8 @@ static struct file *ovl_open_realfile(co if (!inode_owner_or_capable(real_idmap, realinode)) flags &= ~O_NOATIME;

- realfile = backing_file_open(&file->f_path, flags, realpath, - current_cred()); + realfile = backing_file_open(file_user_path((struct file *) file), + flags, realpath, current_cred()); } revert_creds(old_cred);