From 2957fa4931a3b658d8e54eda9439d4c57967e8ad Mon Sep 17 00:00:00 2001
From: Amir Goldstein <amir73il@gmail.com>
Date: Tue, 26 Nov 2024 15:53:42 +0100
Subject: [PATCH] fs/backing_file: fix wrong argument in callback

Commit 48b50624aec4 ("backing-file: clean up the API") unintentionally
changed the argument in the ->accessed() callback from the user file to
the backing file.

Fixes: 48b50624aec4 ("backing-file: clean up the API")
Reported-by: syzbot+8d1206605b05ca9a0e6a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-unionfs/67447b3c.050a0220.1cc393.0085.GAE@google.com/
Tested-by: syzbot+8d1206605b05ca9a0e6a@syzkaller.appspotmail.com
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Link: https://lore.kernel.org/r/20241126145342.364869-1-amir73il@gmail.com
Acked-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
---
 fs/backing-file.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/backing-file.c b/fs/backing-file.c
index 526ddb4d6f76..cbdad8b68474 100644
--- a/fs/backing-file.c
+++ b/fs/backing-file.c
@@ -327,6 +327,7 @@ int backing_file_mmap(struct file *file, struct vm_area_struct *vma,
 		      struct backing_file_ctx *ctx)
 {
 	const struct cred *old_cred;
+	struct file *user_file = vma->vm_file;
 	int ret;
 
 	if (WARN_ON_ONCE(!(file->f_mode & FMODE_BACKING)))
@@ -342,7 +343,7 @@ int backing_file_mmap(struct file *file, struct vm_area_struct *vma,
 	revert_creds_light(old_cred);
 
 	if (ctx->accessed)
-		ctx->accessed(vma->vm_file);
+		ctx->accessed(user_file);
 
 	return ret;
 }