This is a note to let you know that I've just added the patch titled ovl: remove privs in ovl_copyfile() to the 5.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: ovl-remove-privs-in-ovl_copyfile.patch and it can be found in the queue-5.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From b306e90ffabdaa7e3b3350dbcd19b7663e71ab17 Mon Sep 17 00:00:00 2001 From: Amir Goldstein <amir73il@xxxxxxxxx> Date: Mon, 17 Oct 2022 17:06:38 +0200 Subject: ovl: remove privs in ovl_copyfile() From: Amir Goldstein <amir73il@xxxxxxxxx> commit b306e90ffabdaa7e3b3350dbcd19b7663e71ab17 upstream. Underlying fs doesn't remove privs because copy_range/remap_range are called with privileged mounter credentials. This fixes some failures in fstest generic/673. Fixes: 8ede205541ff ("ovl: add reflink/copyfile/dedup support") Acked-by: Miklos Szeredi <mszeredi@xxxxxxxxxx> Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx> Signed-off-by: Christian Brauner (Microsoft) <brauner@xxxxxxxxxx> Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/overlayfs/file.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) --- a/fs/overlayfs/file.c +++ b/fs/overlayfs/file.c @@ -687,14 +687,23 @@ static loff_t ovl_copyfile(struct file * const struct cred *old_cred; loff_t ret; + inode_lock(inode_out); + if (op != OVL_DEDUPE) { + /* Update mode */ + ovl_copyattr(ovl_inode_real(inode_out), inode_out); + ret = file_remove_privs(file_out); + if (ret) + goto out_unlock; + } + ret = ovl_real_fdget(file_out, &real_out); if (ret) - return ret; + goto out_unlock; ret = ovl_real_fdget(file_in, &real_in); if (ret) { fdput(real_out); - return ret; + goto out_unlock; } old_cred = ovl_override_creds(file_inode(file_out)->i_sb); @@ -723,6 +732,9 @@ static loff_t ovl_copyfile(struct file * fdput(real_in); fdput(real_out); +out_unlock: + inode_unlock(inode_out); + return ret; } Patches currently in stable-queue which might be from amir73il@xxxxxxxxx are queue-5.10/ovl-remove-privs-in-ovl_fallocate.patch queue-5.10/ovl-remove-privs-in-ovl_copyfile.patch