ovl_copy_up() will retrieve sb_writers, and ovl_want_write will also retrieve
sb_writers, adjusting the order of their execution to avoid deadlocks.

Reported-by: syzbot+b778ac10fe2a0cd72517@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
 fs/overlayfs/dir.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index 116f542442dd..ab65e98a1def 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -1314,10 +1314,6 @@ static int ovl_create_tmpfile(struct file *file, struct dentry *dentry,
 	int flags = file->f_flags | OVL_OPEN_FLAGS;
 	int err;
 
-	err = ovl_copy_up(dentry->d_parent);
-	if (err)
-		return err;
-
 	old_cred = ovl_override_creds(dentry->d_sb);
 	err = ovl_setup_cred_for_create(dentry, inode, mode, old_cred);
 	if (err)
@@ -1360,6 +1356,10 @@ static int ovl_tmpfile(struct mnt_idmap *idmap, struct inode *dir,
 	if (!OVL_FS(dentry->d_sb)->tmpfile)
 		return -EOPNOTSUPP;
 
+	err = ovl_copy_up(dentry->d_parent);
+	if (err)
+		return err;
+
 	err = ovl_want_write(dentry);
 	if (err)
 		return err;
-- 
2.43.0

On Fri, 14 Jun 2024 at 03:05, Lizhi Xu <lizhi.xu@windriver.com> wrote:
>
> ovl_copy_up() will retrieve sb_writers, and ovl_want_write will also retrieve
> sb_writers, adjusting the order of their execution to avoid deadlocks.
>
> Reported-by: syzbot+b778ac10fe2a0cd72517@syzkaller.appspotmail.com
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>

Thank you.

This is already fixed in:

git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs.git #overlayfs-next

Will send a pull request to Linus in the following weeks.

Thanks,
Miklos