1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (C) 2011 Novell Inc.
4 * Copyright (C) 2016 Red Hat, Inc.
5 */
6
7 #include <linux/fs.h>
8 #include <linux/cred.h>
9 #include <linux/ctype.h>
10 #include <linux/namei.h>
11 #include <linux/xattr.h>
12 #include <linux/ratelimit.h>
13 #include <linux/mount.h>
14 #include <linux/exportfs.h>
15 #include "overlayfs.h"
16
17 struct ovl_lookup_data {
18 struct super_block *sb;
19 struct qstr name;
20 bool is_dir;
21 bool opaque;
22 bool stop;
23 bool last;
24 char *redirect;
25 bool metacopy;
26 };
27
ovl_check_redirect(struct dentry * dentry,struct ovl_lookup_data * d,size_t prelen,const char * post)28 static int ovl_check_redirect(struct dentry *dentry, struct ovl_lookup_data *d,
29 size_t prelen, const char *post)
30 {
31 int res;
32 char *buf;
33 struct ovl_fs *ofs = OVL_FS(d->sb);
34
35 buf = ovl_get_redirect_xattr(ofs, dentry, prelen + strlen(post));
36 if (IS_ERR_OR_NULL(buf))
37 return PTR_ERR(buf);
38
39 if (buf[0] == '/') {
40 /*
41 * One of the ancestor path elements in an absolute path
42 * lookup in ovl_lookup_layer() could have been opaque and
43 * that will stop further lookup in lower layers (d->stop=true)
44 * But we have found an absolute redirect in decendant path
45 * element and that should force continue lookup in lower
46 * layers (reset d->stop).
47 */
48 d->stop = false;
49 } else {
50 res = strlen(buf) + 1;
51 memmove(buf + prelen, buf, res);
52 memcpy(buf, d->name.name, prelen);
53 }
54
55 strcat(buf, post);
56 kfree(d->redirect);
57 d->redirect = buf;
58 d->name.name = d->redirect;
59 d->name.len = strlen(d->redirect);
60
61 return 0;
62 }
63
ovl_acceptable(void * ctx,struct dentry * dentry)64 static int ovl_acceptable(void *ctx, struct dentry *dentry)
65 {
66 /*
67 * A non-dir origin may be disconnected, which is fine, because
68 * we only need it for its unique inode number.
69 */
70 if (!d_is_dir(dentry))
71 return 1;
72
73 /* Don't decode a deleted empty directory */
74 if (d_unhashed(dentry))
75 return 0;
76
77 /* Check if directory belongs to the layer we are decoding from */
78 return is_subdir(dentry, ((struct vfsmount *)ctx)->mnt_root);
79 }
80
81 /*
82 * Check validity of an overlay file handle buffer.
83 *
84 * Return 0 for a valid file handle.
85 * Return -ENODATA for "origin unknown".
86 * Return <0 for an invalid file handle.
87 */
ovl_check_fb_len(struct ovl_fb * fb,int fb_len)88 int ovl_check_fb_len(struct ovl_fb *fb, int fb_len)
89 {
90 if (fb_len < sizeof(struct ovl_fb) || fb_len < fb->len)
91 return -EINVAL;
92
93 if (fb->magic != OVL_FH_MAGIC)
94 return -EINVAL;
95
96 /* Treat larger version and unknown flags as "origin unknown" */
97 if (fb->version > OVL_FH_VERSION || fb->flags & ~OVL_FH_FLAG_ALL)
98 return -ENODATA;
99
100 /* Treat endianness mismatch as "origin unknown" */
101 if (!(fb->flags & OVL_FH_FLAG_ANY_ENDIAN) &&
102 (fb->flags & OVL_FH_FLAG_BIG_ENDIAN) != OVL_FH_FLAG_CPU_ENDIAN)
103 return -ENODATA;
104
105 return 0;
106 }
107
ovl_get_fh(struct ovl_fs * ofs,struct dentry * dentry,enum ovl_xattr ox)108 static struct ovl_fh *ovl_get_fh(struct ovl_fs *ofs, struct dentry *dentry,
109 enum ovl_xattr ox)
110 {
111 ssize_t res;
112 int err;
113 struct ovl_fh *fh = NULL;
114
115 res = ovl_do_getxattr(ofs, dentry, ox, NULL, 0);
116 if (res < 0) {
117 if (res == -ENODATA || res == -EOPNOTSUPP)
118 return NULL;
119 goto fail;
120 }
121 /* Zero size value means "copied up but origin unknown" */
122 if (res == 0)
123 return NULL;
124
125 fh = kzalloc(res + OVL_FH_WIRE_OFFSET, GFP_KERNEL);
126 if (!fh)
127 return ERR_PTR(-ENOMEM);
128
129 res = ovl_do_getxattr(ofs, dentry, ox, fh->buf, res);
130 if (res < 0)
131 goto fail;
132
133 err = ovl_check_fb_len(&fh->fb, res);
134 if (err < 0) {
135 if (err == -ENODATA)
136 goto out;
137 goto invalid;
138 }
139
140 return fh;
141
142 out:
143 kfree(fh);
144 return NULL;
145
146 fail:
147 pr_warn_ratelimited("failed to get origin (%zi)\n", res);
148 goto out;
149 invalid:
150 pr_warn_ratelimited("invalid origin (%*phN)\n", (int)res, fh);
151 goto out;
152 }
153
ovl_decode_real_fh(struct ovl_fh * fh,struct vfsmount * mnt,bool connected)154 struct dentry *ovl_decode_real_fh(struct ovl_fh *fh, struct vfsmount *mnt,
155 bool connected)
156 {
157 struct dentry *real;
158 int bytes;
159
160 /*
161 * Make sure that the stored uuid matches the uuid of the lower
162 * layer where file handle will be decoded.
163 */
164 if (!uuid_equal(&fh->fb.uuid, &mnt->mnt_sb->s_uuid))
165 return NULL;
166
167 bytes = (fh->fb.len - offsetof(struct ovl_fb, fid));
168 real = exportfs_decode_fh(mnt, (struct fid *)fh->fb.fid,
169 bytes >> 2, (int)fh->fb.type,
170 connected ? ovl_acceptable : NULL, mnt);
171 if (IS_ERR(real)) {
172 /*
173 * Treat stale file handle to lower file as "origin unknown".
174 * upper file handle could become stale when upper file is
175 * unlinked and this information is needed to handle stale
176 * index entries correctly.
177 */
178 if (real == ERR_PTR(-ESTALE) &&
179 !(fh->fb.flags & OVL_FH_FLAG_PATH_UPPER))
180 real = NULL;
181 return real;
182 }
183
184 if (ovl_dentry_weird(real)) {
185 dput(real);
186 return NULL;
187 }
188
189 return real;
190 }
191
ovl_is_opaquedir(struct super_block * sb,struct dentry * dentry)192 static bool ovl_is_opaquedir(struct super_block *sb, struct dentry *dentry)
193 {
194 return ovl_check_dir_xattr(sb, dentry, OVL_XATTR_OPAQUE);
195 }
196
ovl_lookup_positive_unlocked(const char * name,struct dentry * base,int len,bool drop_negative)197 static struct dentry *ovl_lookup_positive_unlocked(const char *name,
198 struct dentry *base, int len,
199 bool drop_negative)
200 {
201 struct dentry *ret = lookup_one_len_unlocked(name, base, len);
202
203 if (!IS_ERR(ret) && d_flags_negative(smp_load_acquire(&ret->d_flags))) {
204 if (drop_negative && ret->d_lockref.count == 1) {
205 spin_lock(&ret->d_lock);
206 /* Recheck condition under lock */
207 if (d_is_negative(ret) && ret->d_lockref.count == 1)
208 __d_drop(ret);
209 spin_unlock(&ret->d_lock);
210 }
211 dput(ret);
212 ret = ERR_PTR(-ENOENT);
213 }
214 return ret;
215 }
216
ovl_lookup_single(struct dentry * base,struct ovl_lookup_data * d,const char * name,unsigned int namelen,size_t prelen,const char * post,struct dentry ** ret,bool drop_negative)217 static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d,
218 const char *name, unsigned int namelen,
219 size_t prelen, const char *post,
220 struct dentry **ret, bool drop_negative)
221 {
222 struct dentry *this;
223 int err;
224 bool last_element = !post[0];
225
226 this = ovl_lookup_positive_unlocked(name, base, namelen, drop_negative);
227 if (IS_ERR(this)) {
228 err = PTR_ERR(this);
229 this = NULL;
230 if (err == -ENOENT || err == -ENAMETOOLONG)
231 goto out;
232 goto out_err;
233 }
234
235 if (ovl_dentry_weird(this)) {
236 /* Don't support traversing automounts and other weirdness */
237 err = -EREMOTE;
238 goto out_err;
239 }
240 if (ovl_is_whiteout(this)) {
241 d->stop = d->opaque = true;
242 goto put_and_out;
243 }
244 /*
245 * This dentry should be a regular file if previous layer lookup
246 * found a metacopy dentry.
247 */
248 if (last_element && d->metacopy && !d_is_reg(this)) {
249 d->stop = true;
250 goto put_and_out;
251 }
252 if (!d_can_lookup(this)) {
253 if (d->is_dir || !last_element) {
254 d->stop = true;
255 goto put_and_out;
256 }
257 err = ovl_check_metacopy_xattr(OVL_FS(d->sb), this);
258 if (err < 0)
259 goto out_err;
260
261 d->metacopy = err;
262 d->stop = !d->metacopy;
263 if (!d->metacopy || d->last)
264 goto out;
265 } else {
266 if (ovl_lookup_trap_inode(d->sb, this)) {
267 /* Caught in a trap of overlapping layers */
268 err = -ELOOP;
269 goto out_err;
270 }
271
272 if (last_element)
273 d->is_dir = true;
274 if (d->last)
275 goto out;
276
277 if (ovl_is_opaquedir(d->sb, this)) {
278 d->stop = true;
279 if (last_element)
280 d->opaque = true;
281 goto out;
282 }
283 }
284 err = ovl_check_redirect(this, d, prelen, post);
285 if (err)
286 goto out_err;
287 out:
288 *ret = this;
289 return 0;
290
291 put_and_out:
292 dput(this);
293 this = NULL;
294 goto out;
295
296 out_err:
297 dput(this);
298 return err;
299 }
300
ovl_lookup_layer(struct dentry * base,struct ovl_lookup_data * d,struct dentry ** ret,bool drop_negative)301 static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d,
302 struct dentry **ret, bool drop_negative)
303 {
304 /* Counting down from the end, since the prefix can change */
305 size_t rem = d->name.len - 1;
306 struct dentry *dentry = NULL;
307 int err;
308
309 if (d->name.name[0] != '/')
310 return ovl_lookup_single(base, d, d->name.name, d->name.len,
311 0, "", ret, drop_negative);
312
313 while (!IS_ERR_OR_NULL(base) && d_can_lookup(base)) {
314 const char *s = d->name.name + d->name.len - rem;
315 const char *next = strchrnul(s, '/');
316 size_t thislen = next - s;
317 bool end = !next[0];
318
319 /* Verify we did not go off the rails */
320 if (WARN_ON(s[-1] != '/'))
321 return -EIO;
322
323 err = ovl_lookup_single(base, d, s, thislen,
324 d->name.len - rem, next, &base,
325 drop_negative);
326 dput(dentry);
327 if (err)
328 return err;
329 dentry = base;
330 if (end)
331 break;
332
333 rem -= thislen + 1;
334
335 if (WARN_ON(rem >= d->name.len))
336 return -EIO;
337 }
338 *ret = dentry;
339 return 0;
340 }
341
342
ovl_check_origin_fh(struct ovl_fs * ofs,struct ovl_fh * fh,bool connected,struct dentry * upperdentry,struct ovl_path ** stackp)343 int ovl_check_origin_fh(struct ovl_fs *ofs, struct ovl_fh *fh, bool connected,
344 struct dentry *upperdentry, struct ovl_path **stackp)
345 {
346 struct dentry *origin = NULL;
347 int i;
348
349 for (i = 1; i < ofs->numlayer; i++) {
350 /*
351 * If lower fs uuid is not unique among lower fs we cannot match
352 * fh->uuid to layer.
353 */
354 if (ofs->layers[i].fsid &&
355 ofs->layers[i].fs->bad_uuid)
356 continue;
357
358 origin = ovl_decode_real_fh(fh, ofs->layers[i].mnt,
359 connected);
360 if (origin)
361 break;
362 }
363
364 if (!origin)
365 return -ESTALE;
366 else if (IS_ERR(origin))
367 return PTR_ERR(origin);
368
369 if (upperdentry && !ovl_is_whiteout(upperdentry) &&
370 inode_wrong_type(d_inode(upperdentry), d_inode(origin)->i_mode))
371 goto invalid;
372
373 if (!*stackp)
374 *stackp = kmalloc(sizeof(struct ovl_path), GFP_KERNEL);
375 if (!*stackp) {
376 dput(origin);
377 return -ENOMEM;
378 }
379 **stackp = (struct ovl_path){
380 .dentry = origin,
381 .layer = &ofs->layers[i]
382 };
383
384 return 0;
385
386 invalid:
387 pr_warn_ratelimited("invalid origin (%pd2, ftype=%x, origin ftype=%x).\n",
388 upperdentry, d_inode(upperdentry)->i_mode & S_IFMT,
389 d_inode(origin)->i_mode & S_IFMT);
390 dput(origin);
391 return -EIO;
392 }
393
ovl_check_origin(struct ovl_fs * ofs,struct dentry * upperdentry,struct ovl_path ** stackp)394 static int ovl_check_origin(struct ovl_fs *ofs, struct dentry *upperdentry,
395 struct ovl_path **stackp)
396 {
397 struct ovl_fh *fh = ovl_get_fh(ofs, upperdentry, OVL_XATTR_ORIGIN);
398 int err;
399
400 if (IS_ERR_OR_NULL(fh))
401 return PTR_ERR(fh);
402
403 err = ovl_check_origin_fh(ofs, fh, false, upperdentry, stackp);
404 kfree(fh);
405
406 if (err) {
407 if (err == -ESTALE)
408 return 0;
409 return err;
410 }
411
412 return 0;
413 }
414
415 /*
416 * Verify that @fh matches the file handle stored in xattr @name.
417 * Return 0 on match, -ESTALE on mismatch, < 0 on error.
418 */
ovl_verify_fh(struct ovl_fs * ofs,struct dentry * dentry,enum ovl_xattr ox,const struct ovl_fh * fh)419 static int ovl_verify_fh(struct ovl_fs *ofs, struct dentry *dentry,
420 enum ovl_xattr ox, const struct ovl_fh *fh)
421 {
422 struct ovl_fh *ofh = ovl_get_fh(ofs, dentry, ox);
423 int err = 0;
424
425 if (!ofh)
426 return -ENODATA;
427
428 if (IS_ERR(ofh))
429 return PTR_ERR(ofh);
430
431 if (fh->fb.len != ofh->fb.len || memcmp(&fh->fb, &ofh->fb, fh->fb.len))
432 err = -ESTALE;
433
434 kfree(ofh);
435 return err;
436 }
437
438 /*
439 * Verify that @real dentry matches the file handle stored in xattr @name.
440 *
441 * If @set is true and there is no stored file handle, encode @real and store
442 * file handle in xattr @name.
443 *
444 * Return 0 on match, -ESTALE on mismatch, -ENODATA on no xattr, < 0 on error.
445 */
ovl_verify_set_fh(struct ovl_fs * ofs,struct dentry * dentry,enum ovl_xattr ox,struct dentry * real,bool is_upper,bool set)446 int ovl_verify_set_fh(struct ovl_fs *ofs, struct dentry *dentry,
447 enum ovl_xattr ox, struct dentry *real, bool is_upper,
448 bool set)
449 {
450 struct inode *inode;
451 struct ovl_fh *fh;
452 int err;
453
454 fh = ovl_encode_real_fh(real, is_upper);
455 err = PTR_ERR(fh);
456 if (IS_ERR(fh)) {
457 fh = NULL;
458 goto fail;
459 }
460
461 err = ovl_verify_fh(ofs, dentry, ox, fh);
462 if (set && err == -ENODATA)
463 err = ovl_do_setxattr(ofs, dentry, ox, fh->buf, fh->fb.len);
464 if (err)
465 goto fail;
466
467 out:
468 kfree(fh);
469 return err;
470
471 fail:
472 inode = d_inode(real);
473 pr_warn_ratelimited("failed to verify %s (%pd2, ino=%lu, err=%i)\n",
474 is_upper ? "upper" : "origin", real,
475 inode ? inode->i_ino : 0, err);
476 goto out;
477 }
478
479 /* Get upper dentry from index */
ovl_index_upper(struct ovl_fs * ofs,struct dentry * index)480 struct dentry *ovl_index_upper(struct ovl_fs *ofs, struct dentry *index)
481 {
482 struct ovl_fh *fh;
483 struct dentry *upper;
484
485 if (!d_is_dir(index))
486 return dget(index);
487
488 fh = ovl_get_fh(ofs, index, OVL_XATTR_UPPER);
489 if (IS_ERR_OR_NULL(fh))
490 return ERR_CAST(fh);
491
492 upper = ovl_decode_real_fh(fh, ovl_upper_mnt(ofs), true);
493 kfree(fh);
494
495 if (IS_ERR_OR_NULL(upper))
496 return upper ?: ERR_PTR(-ESTALE);
497
498 if (!d_is_dir(upper)) {
499 pr_warn_ratelimited("invalid index upper (%pd2, upper=%pd2).\n",
500 index, upper);
501 dput(upper);
502 return ERR_PTR(-EIO);
503 }
504
505 return upper;
506 }
507
508 /*
509 * Verify that an index entry name matches the origin file handle stored in
510 * OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path.
511 * Return 0 on match, -ESTALE on mismatch or stale origin, < 0 on error.
512 */
ovl_verify_index(struct ovl_fs * ofs,struct dentry * index)513 int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index)
514 {
515 struct ovl_fh *fh = NULL;
516 size_t len;
517 struct ovl_path origin = { };
518 struct ovl_path *stack = &origin;
519 struct dentry *upper = NULL;
520 int err;
521
522 if (!d_inode(index))
523 return 0;
524
525 err = -EINVAL;
526 if (index->d_name.len < sizeof(struct ovl_fb)*2)
527 goto fail;
528
529 err = -ENOMEM;
530 len = index->d_name.len / 2;
531 fh = kzalloc(len + OVL_FH_WIRE_OFFSET, GFP_KERNEL);
532 if (!fh)
533 goto fail;
534
535 err = -EINVAL;
536 if (hex2bin(fh->buf, index->d_name.name, len))
537 goto fail;
538
539 err = ovl_check_fb_len(&fh->fb, len);
540 if (err)
541 goto fail;
542
543 /*
544 * Whiteout index entries are used as an indication that an exported
545 * overlay file handle should be treated as stale (i.e. after unlink
546 * of the overlay inode). These entries contain no origin xattr.
547 */
548 if (ovl_is_whiteout(index))
549 goto out;
550
551 /*
552 * Verifying directory index entries are not stale is expensive, so
553 * only verify stale dir index if NFS export is enabled.
554 */
555 if (d_is_dir(index) && !ofs->config.nfs_export)
556 goto out;
557
558 /*
559 * Directory index entries should have 'upper' xattr pointing to the
560 * real upper dir. Non-dir index entries are hardlinks to the upper
561 * real inode. For non-dir index, we can read the copy up origin xattr
562 * directly from the index dentry, but for dir index we first need to
563 * decode the upper directory.
564 */
565 upper = ovl_index_upper(ofs, index);
566 if (IS_ERR_OR_NULL(upper)) {
567 err = PTR_ERR(upper);
568 /*
569 * Directory index entries with no 'upper' xattr need to be
570 * removed. When dir index entry has a stale 'upper' xattr,
571 * we assume that upper dir was removed and we treat the dir
572 * index as orphan entry that needs to be whited out.
573 */
574 if (err == -ESTALE)
575 goto orphan;
576 else if (!err)
577 err = -ESTALE;
578 goto fail;
579 }
580
581 err = ovl_verify_fh(ofs, upper, OVL_XATTR_ORIGIN, fh);
582 dput(upper);
583 if (err)
584 goto fail;
585
586 /* Check if non-dir index is orphan and don't warn before cleaning it */
587 if (!d_is_dir(index) && d_inode(index)->i_nlink == 1) {
588 err = ovl_check_origin_fh(ofs, fh, false, index, &stack);
589 if (err)
590 goto fail;
591
592 if (ovl_get_nlink(ofs, origin.dentry, index, 0) == 0)
593 goto orphan;
594 }
595
596 out:
597 dput(origin.dentry);
598 kfree(fh);
599 return err;
600
601 fail:
602 pr_warn_ratelimited("failed to verify index (%pd2, ftype=%x, err=%i)\n",
603 index, d_inode(index)->i_mode & S_IFMT, err);
604 goto out;
605
606 orphan:
607 pr_warn_ratelimited("orphan index entry (%pd2, ftype=%x, nlink=%u)\n",
608 index, d_inode(index)->i_mode & S_IFMT,
609 d_inode(index)->i_nlink);
610 err = -ENOENT;
611 goto out;
612 }
613
ovl_get_index_name_fh(struct ovl_fh * fh,struct qstr * name)614 static int ovl_get_index_name_fh(struct ovl_fh *fh, struct qstr *name)
615 {
616 char *n, *s;
617
618 n = kcalloc(fh->fb.len, 2, GFP_KERNEL);
619 if (!n)
620 return -ENOMEM;
621
622 s = bin2hex(n, fh->buf, fh->fb.len);
623 *name = (struct qstr) QSTR_INIT(n, s - n);
624
625 return 0;
626
627 }
628
629 /*
630 * Lookup in indexdir for the index entry of a lower real inode or a copy up
631 * origin inode. The index entry name is the hex representation of the lower
632 * inode file handle.
633 *
634 * If the index dentry in negative, then either no lower aliases have been
635 * copied up yet, or aliases have been copied up in older kernels and are
636 * not indexed.
637 *
638 * If the index dentry for a copy up origin inode is positive, but points
639 * to an inode different than the upper inode, then either the upper inode
640 * has been copied up and not indexed or it was indexed, but since then
641 * index dir was cleared. Either way, that index cannot be used to indentify
642 * the overlay inode.
643 */
ovl_get_index_name(struct dentry * origin,struct qstr * name)644 int ovl_get_index_name(struct dentry *origin, struct qstr *name)
645 {
646 struct ovl_fh *fh;
647 int err;
648
649 fh = ovl_encode_real_fh(origin, false);
650 if (IS_ERR(fh))
651 return PTR_ERR(fh);
652
653 err = ovl_get_index_name_fh(fh, name);
654
655 kfree(fh);
656 return err;
657 }
658
659 /* Lookup index by file handle for NFS export */
ovl_get_index_fh(struct ovl_fs * ofs,struct ovl_fh * fh)660 struct dentry *ovl_get_index_fh(struct ovl_fs *ofs, struct ovl_fh *fh)
661 {
662 struct dentry *index;
663 struct qstr name;
664 int err;
665
666 err = ovl_get_index_name_fh(fh, &name);
667 if (err)
668 return ERR_PTR(err);
669
670 index = lookup_positive_unlocked(name.name, ofs->indexdir, name.len);
671 kfree(name.name);
672 if (IS_ERR(index)) {
673 if (PTR_ERR(index) == -ENOENT)
674 index = NULL;
675 return index;
676 }
677
678 if (ovl_is_whiteout(index))
679 err = -ESTALE;
680 else if (ovl_dentry_weird(index))
681 err = -EIO;
682 else
683 return index;
684
685 dput(index);
686 return ERR_PTR(err);
687 }
688
ovl_lookup_index(struct ovl_fs * ofs,struct dentry * upper,struct dentry * origin,bool verify)689 struct dentry *ovl_lookup_index(struct ovl_fs *ofs, struct dentry *upper,
690 struct dentry *origin, bool verify)
691 {
692 struct dentry *index;
693 struct inode *inode;
694 struct qstr name;
695 bool is_dir = d_is_dir(origin);
696 int err;
697
698 err = ovl_get_index_name(origin, &name);
699 if (err)
700 return ERR_PTR(err);
701
702 index = lookup_positive_unlocked(name.name, ofs->indexdir, name.len);
703 if (IS_ERR(index)) {
704 err = PTR_ERR(index);
705 if (err == -ENOENT) {
706 index = NULL;
707 goto out;
708 }
709 pr_warn_ratelimited("failed inode index lookup (ino=%lu, key=%.*s, err=%i);\n"
710 "overlayfs: mount with '-o index=off' to disable inodes index.\n",
711 d_inode(origin)->i_ino, name.len, name.name,
712 err);
713 goto out;
714 }
715
716 inode = d_inode(index);
717 if (ovl_is_whiteout(index) && !verify) {
718 /*
719 * When index lookup is called with !verify for decoding an
720 * overlay file handle, a whiteout index implies that decode
721 * should treat file handle as stale and no need to print a
722 * warning about it.
723 */
724 dput(index);
725 index = ERR_PTR(-ESTALE);
726 goto out;
727 } else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) ||
728 inode_wrong_type(inode, d_inode(origin)->i_mode)) {
729 /*
730 * Index should always be of the same file type as origin
731 * except for the case of a whiteout index. A whiteout
732 * index should only exist if all lower aliases have been
733 * unlinked, which means that finding a lower origin on lookup
734 * whose index is a whiteout should be treated as an error.
735 */
736 pr_warn_ratelimited("bad index found (index=%pd2, ftype=%x, origin ftype=%x).\n",
737 index, d_inode(index)->i_mode & S_IFMT,
738 d_inode(origin)->i_mode & S_IFMT);
739 goto fail;
740 } else if (is_dir && verify) {
741 if (!upper) {
742 pr_warn_ratelimited("suspected uncovered redirected dir found (origin=%pd2, index=%pd2).\n",
743 origin, index);
744 goto fail;
745 }
746
747 /* Verify that dir index 'upper' xattr points to upper dir */
748 err = ovl_verify_upper(ofs, index, upper, false);
749 if (err) {
750 if (err == -ESTALE) {
751 pr_warn_ratelimited("suspected multiply redirected dir found (upper=%pd2, origin=%pd2, index=%pd2).\n",
752 upper, origin, index);
753 }
754 goto fail;
755 }
756 } else if (upper && d_inode(upper) != inode) {
757 goto out_dput;
758 }
759 out:
760 kfree(name.name);
761 return index;
762
763 out_dput:
764 dput(index);
765 index = NULL;
766 goto out;
767
768 fail:
769 dput(index);
770 index = ERR_PTR(-EIO);
771 goto out;
772 }
773
774 /*
775 * Returns next layer in stack starting from top.
776 * Returns -1 if this is the last layer.
777 */
ovl_path_next(int idx,struct dentry * dentry,struct path * path)778 int ovl_path_next(int idx, struct dentry *dentry, struct path *path)
779 {
780 struct ovl_entry *oe = dentry->d_fsdata;
781
782 BUG_ON(idx < 0);
783 if (idx == 0) {
784 ovl_path_upper(dentry, path);
785 if (path->dentry)
786 return oe->numlower ? 1 : -1;
787 idx++;
788 }
789 BUG_ON(idx > oe->numlower);
790 path->dentry = oe->lowerstack[idx - 1].dentry;
791 path->mnt = oe->lowerstack[idx - 1].layer->mnt;
792
793 return (idx < oe->numlower) ? idx + 1 : -1;
794 }
795
796 /* Fix missing 'origin' xattr */
ovl_fix_origin(struct ovl_fs * ofs,struct dentry * dentry,struct dentry * lower,struct dentry * upper)797 static int ovl_fix_origin(struct ovl_fs *ofs, struct dentry *dentry,
798 struct dentry *lower, struct dentry *upper)
799 {
800 int err;
801
802 if (ovl_check_origin_xattr(ofs, upper))
803 return 0;
804
805 err = ovl_want_write(dentry);
806 if (err)
807 return err;
808
809 err = ovl_set_origin(dentry, lower, upper);
810 if (!err)
811 err = ovl_set_impure(dentry->d_parent, upper->d_parent);
812
813 ovl_drop_write(dentry);
814 return err;
815 }
816
ovl_lookup(struct inode * dir,struct dentry * dentry,unsigned int flags)817 struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
818 unsigned int flags)
819 {
820 struct ovl_entry *oe;
821 const struct cred *old_cred;
822 struct ovl_fs *ofs = dentry->d_sb->s_fs_info;
823 struct ovl_entry *poe = dentry->d_parent->d_fsdata;
824 struct ovl_entry *roe = dentry->d_sb->s_root->d_fsdata;
825 struct ovl_path *stack = NULL, *origin_path = NULL;
826 struct dentry *upperdir, *upperdentry = NULL;
827 struct dentry *origin = NULL;
828 struct dentry *index = NULL;
829 unsigned int ctr = 0;
830 struct inode *inode = NULL;
831 bool upperopaque = false;
832 char *upperredirect = NULL;
833 struct dentry *this;
834 unsigned int i;
835 int err;
836 bool uppermetacopy = false;
837 struct ovl_lookup_data d = {
838 .sb = dentry->d_sb,
839 .name = dentry->d_name,
840 .is_dir = false,
841 .opaque = false,
842 .stop = false,
843 .last = ofs->config.redirect_follow ? false : !poe->numlower,
844 .redirect = NULL,
845 .metacopy = false,
846 };
847
848 if (dentry->d_name.len > ofs->namelen)
849 return ERR_PTR(-ENAMETOOLONG);
850
851 old_cred = ovl_override_creds(dentry->d_sb);
852 upperdir = ovl_dentry_upper(dentry->d_parent);
853 if (upperdir) {
854 err = ovl_lookup_layer(upperdir, &d, &upperdentry, true);
855 if (err)
856 goto out;
857
858 if (upperdentry && upperdentry->d_flags & DCACHE_OP_REAL) {
859 dput(upperdentry);
860 err = -EREMOTE;
861 goto out;
862 }
863 if (upperdentry && !d.is_dir) {
864 /*
865 * Lookup copy up origin by decoding origin file handle.
866 * We may get a disconnected dentry, which is fine,
867 * because we only need to hold the origin inode in
868 * cache and use its inode number. We may even get a
869 * connected dentry, that is not under any of the lower
870 * layers root. That is also fine for using it's inode
871 * number - it's the same as if we held a reference
872 * to a dentry in lower layer that was moved under us.
873 */
874 err = ovl_check_origin(ofs, upperdentry, &origin_path);
875 if (err)
876 goto out_put_upper;
877
878 if (d.metacopy)
879 uppermetacopy = true;
880 }
881
882 if (d.redirect) {
883 err = -ENOMEM;
884 upperredirect = kstrdup(d.redirect, GFP_KERNEL);
885 if (!upperredirect)
886 goto out_put_upper;
887 if (d.redirect[0] == '/')
888 poe = roe;
889 }
890 upperopaque = d.opaque;
891 }
892
893 if (!d.stop && poe->numlower) {
894 err = -ENOMEM;
895 stack = kcalloc(ofs->numlayer - 1, sizeof(struct ovl_path),
896 GFP_KERNEL);
897 if (!stack)
898 goto out_put_upper;
899 }
900
901 for (i = 0; !d.stop && i < poe->numlower; i++) {
902 struct ovl_path lower = poe->lowerstack[i];
903
904 if (!ofs->config.redirect_follow)
905 d.last = i == poe->numlower - 1;
906 else
907 d.last = lower.layer->idx == roe->numlower;
908
909 err = ovl_lookup_layer(lower.dentry, &d, &this, false);
910 if (err)
911 goto out_put;
912
913 if (!this)
914 continue;
915
916 if ((uppermetacopy || d.metacopy) && !ofs->config.metacopy) {
917 dput(this);
918 err = -EPERM;
919 pr_warn_ratelimited("refusing to follow metacopy origin for (%pd2)\n", dentry);
920 goto out_put;
921 }
922
923 /*
924 * If no origin fh is stored in upper of a merge dir, store fh
925 * of lower dir and set upper parent "impure".
926 */
927 if (upperdentry && !ctr && !ofs->noxattr && d.is_dir) {
928 err = ovl_fix_origin(ofs, dentry, this, upperdentry);
929 if (err) {
930 dput(this);
931 goto out_put;
932 }
933 }
934
935 /*
936 * When "verify_lower" feature is enabled, do not merge with a
937 * lower dir that does not match a stored origin xattr. In any
938 * case, only verified origin is used for index lookup.
939 *
940 * For non-dir dentry, if index=on, then ensure origin
941 * matches the dentry found using path based lookup,
942 * otherwise error out.
943 */
944 if (upperdentry && !ctr &&
945 ((d.is_dir && ovl_verify_lower(dentry->d_sb)) ||
946 (!d.is_dir && ofs->config.index && origin_path))) {
947 err = ovl_verify_origin(ofs, upperdentry, this, false);
948 if (err) {
949 dput(this);
950 if (d.is_dir)
951 break;
952 goto out_put;
953 }
954 origin = this;
955 }
956
957 if (d.metacopy && ctr) {
958 /*
959 * Do not store intermediate metacopy dentries in
960 * lower chain, except top most lower metacopy dentry.
961 * Continue the loop so that if there is an absolute
962 * redirect on this dentry, poe can be reset to roe.
963 */
964 dput(this);
965 this = NULL;
966 } else {
967 stack[ctr].dentry = this;
968 stack[ctr].layer = lower.layer;
969 ctr++;
970 }
971
972 /*
973 * Following redirects can have security consequences: it's like
974 * a symlink into the lower layer without the permission checks.
975 * This is only a problem if the upper layer is untrusted (e.g
976 * comes from an USB drive). This can allow a non-readable file
977 * or directory to become readable.
978 *
979 * Only following redirects when redirects are enabled disables
980 * this attack vector when not necessary.
981 */
982 err = -EPERM;
983 if (d.redirect && !ofs->config.redirect_follow) {
984 pr_warn_ratelimited("refusing to follow redirect for (%pd2)\n",
985 dentry);
986 goto out_put;
987 }
988
989 if (d.stop)
990 break;
991
992 if (d.redirect && d.redirect[0] == '/' && poe != roe) {
993 poe = roe;
994 /* Find the current layer on the root dentry */
995 i = lower.layer->idx - 1;
996 }
997 }
998
999 /*
1000 * For regular non-metacopy upper dentries, there is no lower
1001 * path based lookup, hence ctr will be zero. If a dentry is found
1002 * using ORIGIN xattr on upper, install it in stack.
1003 *
1004 * For metacopy dentry, path based lookup will find lower dentries.
1005 * Just make sure a corresponding data dentry has been found.
1006 */
1007 if (d.metacopy || (uppermetacopy && !ctr)) {
1008 err = -EIO;
1009 goto out_put;
1010 } else if (!d.is_dir && upperdentry && !ctr && origin_path) {
1011 if (WARN_ON(stack != NULL)) {
1012 err = -EIO;
1013 goto out_put;
1014 }
1015 stack = origin_path;
1016 ctr = 1;
1017 origin = origin_path->dentry;
1018 origin_path = NULL;
1019 }
1020
1021 /*
1022 * Always lookup index if there is no-upperdentry.
1023 *
1024 * For the case of upperdentry, we have set origin by now if it
1025 * needed to be set. There are basically three cases.
1026 *
1027 * For directories, lookup index by lower inode and verify it matches
1028 * upper inode. We only trust dir index if we verified that lower dir
1029 * matches origin, otherwise dir index entries may be inconsistent
1030 * and we ignore them.
1031 *
1032 * For regular upper, we already set origin if upper had ORIGIN
1033 * xattr. There is no verification though as there is no path
1034 * based dentry lookup in lower in this case.
1035 *
1036 * For metacopy upper, we set a verified origin already if index
1037 * is enabled and if upper had an ORIGIN xattr.
1038 *
1039 */
1040 if (!upperdentry && ctr)
1041 origin = stack[0].dentry;
1042
1043 if (origin && ovl_indexdir(dentry->d_sb) &&
1044 (!d.is_dir || ovl_index_all(dentry->d_sb))) {
1045 index = ovl_lookup_index(ofs, upperdentry, origin, true);
1046 if (IS_ERR(index)) {
1047 err = PTR_ERR(index);
1048 index = NULL;
1049 goto out_put;
1050 }
1051 }
1052
1053 oe = ovl_alloc_entry(ctr);
1054 err = -ENOMEM;
1055 if (!oe)
1056 goto out_put;
1057
1058 memcpy(oe->lowerstack, stack, sizeof(struct ovl_path) * ctr);
1059 dentry->d_fsdata = oe;
1060
1061 if (upperopaque)
1062 ovl_dentry_set_opaque(dentry);
1063
1064 if (upperdentry)
1065 ovl_dentry_set_upper_alias(dentry);
1066 else if (index) {
1067 upperdentry = dget(index);
1068 upperredirect = ovl_get_redirect_xattr(ofs, upperdentry, 0);
1069 if (IS_ERR(upperredirect)) {
1070 err = PTR_ERR(upperredirect);
1071 upperredirect = NULL;
1072 goto out_free_oe;
1073 }
1074 err = ovl_check_metacopy_xattr(ofs, upperdentry);
1075 if (err < 0)
1076 goto out_free_oe;
1077 uppermetacopy = err;
1078 }
1079
1080 if (upperdentry || ctr) {
1081 struct ovl_inode_params oip = {
1082 .upperdentry = upperdentry,
1083 .lowerpath = stack,
1084 .index = index,
1085 .numlower = ctr,
1086 .redirect = upperredirect,
1087 .lowerdata = (ctr > 1 && !d.is_dir) ?
1088 stack[ctr - 1].dentry : NULL,
1089 };
1090
1091 inode = ovl_get_inode(dentry->d_sb, &oip);
1092 err = PTR_ERR(inode);
1093 if (IS_ERR(inode))
1094 goto out_free_oe;
1095 if (upperdentry && !uppermetacopy)
1096 ovl_set_flag(OVL_UPPERDATA, inode);
1097 }
1098
1099 ovl_dentry_init_reval(dentry, upperdentry);
1100
1101 ovl_revert_creds(dentry->d_sb, old_cred);
1102 if (origin_path) {
1103 dput(origin_path->dentry);
1104 kfree(origin_path);
1105 }
1106 dput(index);
1107 kfree(stack);
1108 kfree(d.redirect);
1109 return d_splice_alias(inode, dentry);
1110
1111 out_free_oe:
1112 dentry->d_fsdata = NULL;
1113 kfree(oe);
1114 out_put:
1115 dput(index);
1116 for (i = 0; i < ctr; i++)
1117 dput(stack[i].dentry);
1118 kfree(stack);
1119 out_put_upper:
1120 if (origin_path) {
1121 dput(origin_path->dentry);
1122 kfree(origin_path);
1123 }
1124 dput(upperdentry);
1125 kfree(upperredirect);
1126 out:
1127 kfree(d.redirect);
1128 ovl_revert_creds(dentry->d_sb, old_cred);
1129 return ERR_PTR(err);
1130 }
1131
ovl_lower_positive(struct dentry * dentry)1132 bool ovl_lower_positive(struct dentry *dentry)
1133 {
1134 struct ovl_entry *poe = dentry->d_parent->d_fsdata;
1135 const struct qstr *name = &dentry->d_name;
1136 const struct cred *old_cred;
1137 unsigned int i;
1138 bool positive = false;
1139 bool done = false;
1140
1141 /*
1142 * If dentry is negative, then lower is positive iff this is a
1143 * whiteout.
1144 */
1145 if (!dentry->d_inode)
1146 return ovl_dentry_is_opaque(dentry);
1147
1148 /* Negative upper -> positive lower */
1149 if (!ovl_dentry_upper(dentry))
1150 return true;
1151
1152 old_cred = ovl_override_creds(dentry->d_sb);
1153 /* Positive upper -> have to look up lower to see whether it exists */
1154 for (i = 0; !done && !positive && i < poe->numlower; i++) {
1155 struct dentry *this;
1156 struct dentry *lowerdir = poe->lowerstack[i].dentry;
1157
1158 this = lookup_positive_unlocked(name->name, lowerdir,
1159 name->len);
1160 if (IS_ERR(this)) {
1161 switch (PTR_ERR(this)) {
1162 case -ENOENT:
1163 case -ENAMETOOLONG:
1164 break;
1165
1166 default:
1167 /*
1168 * Assume something is there, we just couldn't
1169 * access it.
1170 */
1171 positive = true;
1172 break;
1173 }
1174 } else {
1175 positive = !ovl_is_whiteout(this);
1176 done = true;
1177 dput(this);
1178 }
1179 }
1180 ovl_revert_creds(dentry->d_sb, old_cred);
1181
1182 return positive;
1183 }
1184