Comment 1 for bug 1535150

Tyler Hicks (tyhicks) wrote : Re: overlayfs over fuse should refuse copy_up of files if uid/gid not mapped

I haven't verified this bug report but wanted to mention my initial thoughts on it. An inode that is setuid and world writable is a valid inode. It should remain setuid until it is written to and, at that point, the setuid bit should be stripped. This is done by file_remove_privs(), which must be called by the function assigned to the .write_iter member of a filesystem's file_operations struct.

It sounds like this is possibly not happening on inodes that are copied up by overlayfs.
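The invariant described in this comment can be checked from userspace. The following is an added example, not part of the original comment or the kernel tree: it creates a fresh setuid, world-writable file in a directory on the filesystem under test, writes one byte, and reports whether S_ISUID was cleared. The function name, result codes and temporary file name are assumptions; because the file is newly created, it exercises the write path only, not a copy-up from a lower layer.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { SUID_STRIPPED = 0, SUID_RETAINED = 1, CHECK_SKIPPED = 2 };

/* Hypothetical helper: create a setuid, world-writable file in `dir`,
 * write to it, and report whether the write cleared S_ISUID. */
int check_suid_strip(const char *dir)
{
    char path[4096];
    struct stat st;
    int result = CHECK_SKIPPED;

    /* Root normally holds CAP_FSETID, which exempts its writes from
     * stripping, so a privileged run proves nothing either way. */
    if (geteuid() == 0)
        return CHECK_SKIPPED;

    snprintf(path, sizeof(path), "%s/suid-strip-XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0)
        return CHECK_SKIPPED;

    /* Use fchmod rather than a creation mode so the umask cannot mask bits.
     * Confirm the bit is really set before the write, then re-stat after. */
    if (fchmod(fd, S_ISUID | 0777) == 0 &&
        fstat(fd, &st) == 0 && (st.st_mode & S_ISUID) &&
        write(fd, "x", 1) == 1 &&
        fstat(fd, &st) == 0)
        result = (st.st_mode & S_ISUID) ? SUID_RETAINED : SUID_STRIPPED;

    close(fd);
    unlink(path);
    return result;
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "setuid stripped on write",
                                 "setuid RETAINED after write",
                                 "skipped (privileged caller or setup failed)" };
    int r = check_suid_strip(argc > 1 ? argv[1] : ".");
    printf("%s\n", msg[r]);
    return r == SUID_RETAINED;   /* non-zero exit flags the regression */
}
```

Run it as an unprivileged user with the directory to test as the first argument; an exit status of 1 means the bit survived the write.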