ovl: fix deadlock in splice write (c4461ca7) · Commits · e / devices / android_kernel_fairphone_FP5

fs/overlayfs/file.c

+46 −1

Original line number	Diff line number	Diff line
		@@ -296,6 +296,51 @@ static ssize_t ovl_write_iter(struct kiocb iocb, struct iov_iter iter)
		return ret;
		}

		/*
		* Calling iter_file_splice_write() directly from overlay's f_op may deadlock
		* due to lock order inversion between pipe->mutex in iter_file_splice_write()
		* and file_start_write(real.file) in ovl_write_iter().
		*
		* So do everything ovl_write_iter() does and call iter_file_splice_write() on
		* the real file.
		*/
		static ssize_t ovl_splice_write(struct pipe_inode_info pipe, struct file out,
		loff_t *ppos, size_t len, unsigned int flags)
		{
		struct fd real;
		const struct cred *old_cred;
		struct inode *inode = file_inode(out);
		struct inode *realinode = ovl_inode_real(inode);
		ssize_t ret;

		inode_lock(inode);
		/* Update mode */
		ovl_copyattr(realinode, inode);
		ret = file_remove_privs(out);
		if (ret)
		goto out_unlock;

		ret = ovl_real_fdget(out, &real);
		if (ret)
		goto out_unlock;

		old_cred = ovl_override_creds(inode->i_sb);
		file_start_write(real.file);

		ret = iter_file_splice_write(pipe, real.file, ppos, len, flags);

		file_end_write(real.file);
		/* Update size */
		ovl_copyattr(realinode, inode);
		revert_creds(old_cred);
		fdput(real);

		out_unlock:
		inode_unlock(inode);

		return ret;
		}

		static int ovl_fsync(struct file *file, loff_t start, loff_t end, int datasync)
		{
		struct fd real;
		@@ -653,7 +698,7 @@ const struct file_operations ovl_file_operations = {
		.unlocked_ioctl = ovl_ioctl,
		.compat_ioctl = ovl_compat_ioctl,
		.splice_read = generic_file_splice_read,
		.splice_write = iter_file_splice_write,
		.splice_write = ovl_splice_write,

		.copy_file_range = ovl_copy_file_range,
		.remap_file_range = ovl_remap_file_range,