Commit b854cc65 authored by Miklos Szeredi's avatar Miklos Szeredi

ovl: avoid deadlock on directory ioctl



The function ovl_dir_real_file() currently uses the inode lock to serialize
writes to the od->upperfile field.

However, this function will get called by ovl_ioctl_set_flags(), which
utilizes the inode lock too.  In this case ovl_dir_real_file() will try to
claim a lock that is owned by a function in its call stack, which won't get
released before ovl_dir_real_file() returns.

Fix by replacing the open-coded compare-and-exchange with an explicit atomic
op.

Fixes: 61536bed ("ovl: support [S|G]ETFLAGS and FS[S|G]ETXATTR ioctls for directories")
Cc: stable@vger.kernel.org # v5.10
Reported-by: default avatarIcenowy Zheng <icenowy@aosc.io>
Tested-by: default avatarIcenowy Zheng <icenowy@aosc.io>
Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
parent f2b00be4
+7 −16
@@ -865,7 +865,7 @@ struct file *ovl_dir_real_file(const struct file *file, bool want_upper)

	struct ovl_dir_file *od = file->private_data;
	struct dentry *dentry = file->f_path.dentry;
	struct file *realfile = od->realfile;
	struct file *old, *realfile = od->realfile;

	if (!OVL_TYPE_UPPER(ovl_path_type(dentry)))
		return want_upper ? NULL : realfile;
@@ -874,29 +874,20 @@ struct file *ovl_dir_real_file(const struct file *file, bool want_upper)
	 * Need to check if we started out being a lower dir, but got copied up
	 */
	if (!od->is_upper) {
		struct inode *inode = file_inode(file);

		realfile = READ_ONCE(od->upperfile);
		if (!realfile) {
			struct path upperpath;

			ovl_path_upper(dentry, &upperpath);
			realfile = ovl_dir_open_realfile(file, &upperpath);

			inode_lock(inode);
			if (!od->upperfile) {
				if (IS_ERR(realfile)) {
					inode_unlock(inode);
			if (IS_ERR(realfile))
				return realfile;
				}
				smp_store_release(&od->upperfile, realfile);
			} else {
				/* somebody has beaten us to it */
				if (!IS_ERR(realfile))

			old = cmpxchg_release(&od->upperfile, NULL, realfile);
			if (old) {
				fput(realfile);
				realfile = od->upperfile;
				realfile = old;
			}
			inode_unlock(inode);
		}
	}