From 1815838d77bbca61542381fb6441ffe3927d1f21 Mon Sep 17 00:00:00 2001
From: Nirmoy Das <nirmoyd@nvidia.com>
Date: Mon, 25 May 2026 11:27:42 +0800
Subject: [PATCH] UBUNTU: SAUCE: ovl: keep err zero after successful
 ovl_cache_get()

BugLink: https://bugs.launchpad.net/bugs/2150636

ovl_iterate_merged() stores PTR_ERR(cache) in err before checking
IS_ERR(cache). On success err holds the truncated cache pointer and
can be returned as a bogus non-zero error.

The syzbot reproducer reaches this through overlay-on-overlay readdir:

  getdents64
    iterate_dir(outer overlay file)
      ovl_iterate_merged()
        ovl_cache_get()
          ovl_dir_read_merged()
            ovl_dir_read()
              iterate_dir(inner overlay file)
                ovl_iterate_merged()

Only compute PTR_ERR(cache) on the error path.

Fixes: d25e4b739f83 ("ovl: refactor ovl_iterate() and port to cred guard")
Reported-by: syzbot+a16fb0cce329a320661c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a16fb0cce329a320661c
Cc: stable@vger.kernel.org
Signed-off-by: Nirmoy Das <nirmoyd@nvidia.com>
Link: https://patch.msgid.link/20260514144258.3068715-1-nirmoyd@nvidia.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
(backported from commit 1711b6ed6953cee5940ca4c3a6e77f1b3798cee2 linux-next)
[acelan: In the OEM tree ovl_iterate() was not yet refactored into
 ovl_iterate_merged() -- the function still uses ovl_override_creds/
 ovl_revert_creds with a goto-out pattern. Adapted the fix to move
 PTR_ERR(cache) into the IS_ERR(cache) block while preserving the
 existing goto-out error path.]
Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
---
 fs/overlayfs/readdir.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c
index b65cdfce31ce2..e6135818be100 100644
--- a/fs/overlayfs/readdir.c
+++ b/fs/overlayfs/readdir.c
@@ -789,9 +789,10 @@ static int ovl_iterate(struct file *file, struct dir_context *ctx)
 		struct ovl_dir_cache *cache;
 
 		cache = ovl_cache_get(dentry);
-		err = PTR_ERR(cache);
-		if (IS_ERR(cache))
+		if (IS_ERR(cache)) {
+			err = PTR_ERR(cache);
 			goto out;
+		}
 
 		od->cache = cache;
 		ovl_seek_cursor(od, ctx->pos);
-- 
2.53.0