ovl_copyattr() may be called concurrently from aio completion context without any lock and that could lead to overlay inode attributes getting permanently out of sync with real inode attributes. Similarly, ovl_file_accessed() is always called without any lock to do "compare & copy" of mtime/ctime from realinode to inode. Use ovl inode spinlock to protect those two helpers.

Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx>
---
 fs/overlayfs/file.c | 2 ++
 fs/overlayfs/util.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 4193633c4c7a..c6ad84cf9246 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -249,6 +249,7 @@ static void ovl_file_accessed(struct file *file)
 	if (!upperinode)
 		return;
 
+	spin_lock(&inode->i_lock);
 	ctime = inode_get_ctime(inode);
 	uctime = inode_get_ctime(upperinode);
 	if ((!timespec64_equal(&inode->i_mtime, &upperinode->i_mtime) ||
@@ -256,6 +257,7 @@ static void ovl_file_accessed(struct file *file)
 		inode->i_mtime = upperinode->i_mtime;
 		inode_set_ctime_to_ts(inode, uctime);
 	}
+	spin_unlock(&inode->i_lock);
 
 	touch_atime(&file->f_path);
 }
diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index 89e0d60d35b6..b7922862ece3 100644
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -1403,6 +1403,7 @@ void ovl_copyattr(struct inode *inode)
 	realinode = ovl_i_path_real(inode, &realpath);
 	real_idmap = mnt_idmap(realpath.mnt);
 
+	spin_lock(&inode->i_lock);
 	vfsuid = i_uid_into_vfsuid(real_idmap, realinode);
 	vfsgid = i_gid_into_vfsgid(real_idmap, realinode);
 
@@ -1413,4 +1414,5 @@ void ovl_copyattr(struct inode *inode)
 	inode->i_mtime = realinode->i_mtime;
 	inode_set_ctime_to_ts(inode, inode_get_ctime(realinode));
 	i_size_write(inode, i_size_read(realinode));
+	spin_unlock(&inode->i_lock);
 }
-- 
2.34.1
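Review bot: The new `spin_lock(&inode->i_lock)` in ovl_file_accessed() gives no hint of what it is serializing against, and i_lock is otherwise used by the VFS for inode state rather than for overlay attribute copies, so a maintainer reading this function later cannot tell which other writers must honour it. A one-line comment above the lock would fix that, e.g. `/* Serialize the compare & copy with ovl_copyattr(), which may run from aio completion */`. Note that only the overlay inode's fields are protected here; the upperinode timestamps are still read without any lock on the upper inode, which appears to be deliberate (best-effort copy) but is worth stating in the same comment so nobody "fixes" it later. The body of ovl_file_accessed() starts before this hunk and the matching unlock lands in the following hunk, so the critical section cannot be fully checked from here.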
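Review bot: In ovl_copyattr() the lock is taken before the `vfsuid`/`vfsgid` computations, yet those two lines only read realinode and real_idmap and never touch the overlay inode, so the critical section is wider than it needs to be; moving `spin_lock(&inode->i_lock);` to just after the `vfsgid = i_gid_into_vfsgid(real_idmap, realinode);` line keeps the lock to the stores that actually need it. Two things cannot be verified from this hunk and deserve confirmation in the commit message or a comment: ovl_copyattr() has many callers outside this view, and none of them may already hold `inode->i_lock` or this becomes a self-deadlock; and since the motivating caller is an aio completion path, that path must run in a context where a plain `spin_lock()` on i_lock (no irq variant, consistent with i_lock usage elsewhere in the VFS) is permitted. The function's prologue lies before this hunk and the unlock is in the last hunk of the file.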