/*
 * Copyright (C) 2011 Novell Inc.
 * Copyright (C) 2016 Red Hat, Inc.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 as published by
 * the Free Software Foundation.
 */
9
10#include <linux/fs.h>
11#include <linux/cred.h>
12#include <linux/ctype.h>
13#include <linux/namei.h>
14#include <linux/xattr.h>
15#include <linux/ratelimit.h>
16#include <linux/mount.h>
17#include <linux/exportfs.h>
18#include "overlayfs.h"
19
/* State carried through one overlay lookup as it walks the layers. */
struct ovl_lookup_data {
	/* Overlay super block; handed to ovl_lookup_trap_inode(). */
	struct super_block *sb;
	/* Name being looked up; repointed at @redirect once one is found. */
	struct qstr name;
	/* Set when the last path element is something d_can_lookup() accepts. */
	bool is_dir;
	/* Set on a whiteout, or on an opaque dir found at the last element. */
	bool opaque;
	/* When set, the caller does not search any further layers. */
	bool stop;
	/* Set by the caller when the layer being searched is the final one. */
	bool last;
	/* Redirect path backing @name (kfree()d when replaced), or NULL. */
	char *redirect;
	/* Non-negative result of ovl_check_metacopy_xattr() for a non-dir. */
	bool metacopy;
};
30
/*
 * Read the redirect xattr of @dentry and, if there is one, make it the new
 * lookup name in @d.
 *
 * A relative redirect is prefixed with the first @prelen bytes of the current
 * name; @post is appended in both cases.  Returns 0 when there is no redirect
 * or it was applied, or the error from ovl_get_redirect_xattr().
 */
static int ovl_check_redirect(struct dentry *dentry, struct ovl_lookup_data *d,
			      size_t prelen, const char *post)
{
	/*
	 * NOTE(review): the second argument is presumably extra room that the
	 * helper adds to the allocation.  The in-place memmove()/strcat()
	 * below write up to prelen + strlen(post) bytes past the stored value
	 * and are only safe if that holds - confirm in
	 * ovl_get_redirect_xattr().  The value itself comes from an xattr on
	 * the layer, so its content is not under this function's control.
	 */
	char *path = ovl_get_redirect_xattr(dentry, prelen + strlen(post));

	/* PTR_ERR(NULL) is 0: a missing redirect is not an error. */
	if (IS_ERR_OR_NULL(path))
		return PTR_ERR(path);

	if (path[0] != '/') {
		/* Relative redirect: shift it right and copy the prefix in. */
		int nbytes = strlen(path) + 1;

		memmove(path + prelen, path, nbytes);
		memcpy(path, d->name.name, prelen);
	} else {
		/*
		 * One of the ancestor path elements in an absolute path
		 * lookup in ovl_lookup_layer() could have been opaque, which
		 * stops further lookup in lower layers (d->stop = true).
		 * An absolute redirect found in a descendant path element
		 * must force the lookup to continue in lower layers, so
		 * d->stop is reset here.
		 */
		d->stop = false;
	}

	strcat(path, post);

	/* The new buffer replaces any previous redirect and backs d->name. */
	kfree(d->redirect);
	d->redirect = path;
	d->name.name = path;
	d->name.len = strlen(path);

	return 0;
}
65
/*
 * Acceptability callback passed to exportfs_decode_fh(); @ctx is the
 * vfsmount of the layer the file handle is being decoded from.
 * Returns non-zero when @dentry may be used.
 */
static int ovl_acceptable(void *ctx, struct dentry *dentry)
{
	struct vfsmount *mnt = ctx;

	/*
	 * A non-dir origin may be disconnected, which is fine, because
	 * it is only needed for its unique inode number.
	 */
	if (!d_is_dir(dentry))
		return 1;

	/* A deleted empty directory must not be decoded. */
	if (d_unhashed(dentry))
		return 0;

	/* The directory has to live under the root of the decoding layer. */
	return is_subdir(dentry, mnt->mnt_root);
}
82
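/*
 * Check validity of an overlay file handle buffer.
 *
 * @fh points at @fh_len bytes that were read from storage (an xattr value or
 * a decoded index name in this file), so every header field is treated as
 * untrusted until it has passed the checks below.
 *
 * Return 0 for a valid file handle.
 * Return -ENODATA for "origin unknown".
 * Return <0 for an invalid file handle.
 */
int ovl_check_fh_len(struct ovl_fh *fh, int fh_len)
{
	/*
	 * Reject a negative length explicitly: converted to size_t for the
	 * sizeof() comparison it would look huge, and fh->len would then be
	 * read from a buffer of unknown size.
	 */
	if (fh_len < 0 || (size_t)fh_len < sizeof(struct ovl_fh) ||
	    fh_len < fh->len)
		return -EINVAL;

	if (fh->magic != OVL_FH_MAGIC)
		return -EINVAL;

	/* Treat larger version and unknown flags as "origin unknown" */
	if (fh->version > OVL_FH_VERSION || fh->flags & ~OVL_FH_FLAG_ALL)
		return -ENODATA;

	/* Treat endianness mismatch as "origin unknown" */
	if (!(fh->flags & OVL_FH_FLAG_ANY_ENDIAN) &&
	    (fh->flags & OVL_FH_FLAG_BIG_ENDIAN) != OVL_FH_FLAG_CPU_ENDIAN)
		return -ENODATA;

	/*
	 * fh->len covers the header as well as the fid: ovl_decode_real_fh()
	 * computes the fid size as fh->len - offsetof(struct ovl_fh, fid).
	 * A stored length shorter than the header would make that negative,
	 * so such a handle is invalid.  Checked last so that handles already
	 * classified as "origin unknown" above keep returning -ENODATA.
	 */
	if (fh->len < offsetof(struct ovl_fh, fid))
		return -EINVAL;

	return 0;
}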
109
/*
 * Read the overlay file handle stored in xattr @name of @dentry.
 *
 * Returns a kzalloc()ed handle the caller must kfree(), NULL when there is
 * no usable handle (no xattr, xattrs unsupported, empty value, "origin
 * unknown", or a read/validation failure that was logged), or
 * ERR_PTR(-ENOMEM).
 */
static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name)
{
	struct ovl_fh *fh = NULL;
	ssize_t res;
	int err;

	/* First call only asks for the size of the stored value. */
	res = ovl_vfs_getxattr(dentry, name, NULL, 0);
	if (res == -ENODATA || res == -EOPNOTSUPP)
		return NULL;
	if (res < 0)
		goto fail;

	/* Zero size value means "copied up but origin unknown" */
	if (!res)
		return NULL;

	fh = kzalloc(res, GFP_KERNEL);
	if (!fh)
		return ERR_PTR(-ENOMEM);

	/*
	 * The value may have changed since the size probe; the read is
	 * limited to the size allocated above and the length actually
	 * returned is what gets validated.
	 */
	res = ovl_vfs_getxattr(dentry, name, fh, res);
	if (res < 0)
		goto fail;

	err = ovl_check_fh_len(fh, res);
	if (err >= 0)
		return fh;

	/* -ENODATA is "origin unknown" and is dropped silently. */
	if (err != -ENODATA)
		pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n",
				    (int)res, fh);

out:
	kfree(fh);
	return NULL;

fail:
	pr_warn_ratelimited("overlayfs: failed to get origin (%zi)\n", res);
	goto out;
}
155
/*
 * Decode overlay file handle @fh against the filesystem mounted at @mnt.
 *
 * With @connected set, ovl_acceptable() is used to filter the result.
 * Returns the decoded dentry, NULL when the handle does not belong to this
 * layer or is treated as "origin unknown", or an ERR_PTR().
 */
struct dentry *ovl_decode_real_fh(struct ovl_fh *fh, struct vfsmount *mnt,
				  bool connected)
{
	int (*acceptable)(void *, struct dentry *);
	struct dentry *real;
	int fid_bytes;

	/*
	 * Make sure that the stored uuid matches the uuid of the lower
	 * layer where file handle will be decoded.
	 */
	if (!uuid_equal(&fh->uuid, &mnt->mnt_sb->s_uuid))
		return NULL;

	/*
	 * NOTE(review): nothing in this function rejects a stored fh->len
	 * below offsetof(struct ovl_fh, fid), which would make fid_bytes
	 * negative - confirm every caller validates the handle first.
	 */
	fid_bytes = (fh->len - offsetof(struct ovl_fh, fid));
	acceptable = connected ? ovl_acceptable : NULL;

	real = exportfs_decode_fh(mnt, (struct fid *)fh->fid,
				  fid_bytes >> 2, (int)fh->type,
				  acceptable, mnt);
	if (!IS_ERR(real)) {
		if (!ovl_dentry_weird(real))
			return real;

		dput(real);
		return NULL;
	}

	/*
	 * Treat stale file handle to lower file as "origin unknown".
	 * An upper file handle can become stale when the upper file is
	 * unlinked, and that information is needed to handle stale
	 * index entries correctly, so -ESTALE is kept for upper handles.
	 */
	if (PTR_ERR(real) == -ESTALE &&
	    !(fh->flags & OVL_FH_FLAG_PATH_UPPER))
		return NULL;

	return real;
}
193
/* Result of ovl_check_dir_xattr() for the OVL_XATTR_OPAQUE xattr. */
static bool ovl_is_opaquedir(struct dentry *dentry)
{
	bool opaque = ovl_check_dir_xattr(dentry, OVL_XATTR_OPAQUE);

	return opaque;
}
198
/*
 * Look up one path element (@name, @namelen) under @base and update the
 * lookup state in @d from what was found.
 *
 * @prelen and @post describe the part of the full name before and after
 * this element; an empty @post marks the last element.  On success 0 is
 * returned and *@ret holds the dentry found (with a reference) or NULL.
 * On failure a negative errno is returned and *@ret is left untouched.
 */
static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d,
			     const char *name, unsigned int namelen,
			     size_t prelen, const char *post,
			     struct dentry **ret)
{
	struct dentry *found;
	bool is_last = (post[0] == '\0');
	int err;

	found = lookup_one_len_unlocked(name, base, namelen);
	if (IS_ERR(found)) {
		err = PTR_ERR(found);
		/* "Not there" is a normal outcome, not a failure. */
		if (err == -ENOENT || err == -ENAMETOOLONG) {
			*ret = NULL;
			return 0;
		}
		return err;
	}

	/* Negative dentry: nothing in this layer. */
	if (!found->d_inode)
		goto put_and_out;

	if (ovl_dentry_weird(found)) {
		/* Don't support traversing automounts and other weirdness */
		err = -EREMOTE;
		goto out_err;
	}

	if (ovl_is_whiteout(found)) {
		d->opaque = true;
		d->stop = true;
		goto put_and_out;
	}

	/*
	 * This dentry should be a regular file if previous layer lookup
	 * found a metacopy dentry.
	 */
	if (is_last && d->metacopy && !d_is_reg(found)) {
		d->stop = true;
		goto put_and_out;
	}

	if (d_can_lookup(found)) {
		if (ovl_lookup_trap_inode(d->sb, found)) {
			/* Caught in a trap of overlapping layers */
			err = -ELOOP;
			goto out_err;
		}

		if (is_last)
			d->is_dir = true;
		if (d->last)
			goto out;

		if (ovl_is_opaquedir(found)) {
			d->stop = true;
			if (is_last)
				d->opaque = true;
			goto out;
		}
	} else {
		/* A non-dir cannot merge with a dir or be walked through. */
		if (d->is_dir || !is_last) {
			d->stop = true;
			goto put_and_out;
		}

		err = ovl_check_metacopy_xattr(found);
		if (err < 0)
			goto out_err;

		/* Only a metacopy non-dir keeps the search going. */
		d->metacopy = err;
		d->stop = !d->metacopy;
		if (!d->metacopy || d->last)
			goto out;
	}

	err = ovl_check_redirect(found, d, prelen, post);
	if (err)
		goto out_err;

out:
	*ret = found;
	return 0;

put_and_out:
	dput(found);
	found = NULL;
	goto out;

out_err:
	dput(found);
	return err;
}
284
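/*
 * Look up d->name in one layer, starting at @base.
 *
 * A relative name is a single-element lookup.  An absolute name (set by an
 * absolute redirect) is walked element by element from @base.  On success 0
 * is returned and *@ret holds the final dentry (with a reference) or NULL.
 * On failure a negative errno is returned and no reference is handed back.
 */
static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d,
			    struct dentry **ret)
{
	/* Counting down from the end, since the prefix can change */
	size_t rem = d->name.len - 1;
	struct dentry *dentry = NULL;
	int err;

	if (d->name.name[0] != '/')
		return ovl_lookup_single(base, d, d->name.name, d->name.len,
					 0, "", ret);

	while (!IS_ERR_OR_NULL(base) && d_can_lookup(base)) {
		const char *s = d->name.name + d->name.len - rem;
		const char *next = strchrnul(s, '/');
		size_t thislen = next - s;
		bool end = !next[0];

		/*
		 * Verify we did not go off the rails.  @dentry still holds
		 * the reference taken in the previous iteration (NULL on the
		 * first one), so it is dropped before bailing out.
		 */
		if (WARN_ON(s[-1] != '/')) {
			dput(dentry);
			return -EIO;
		}

		err = ovl_lookup_single(base, d, s, thislen,
					d->name.len - rem, next, &base);
		/* The previous element is no longer needed either way. */
		dput(dentry);
		if (err)
			return err;
		dentry = base;
		if (end)
			break;

		rem -= thislen + 1;

		/* rem wrapped around: drop the new reference and give up. */
		if (WARN_ON(rem >= d->name.len)) {
			dput(dentry);
			return -EIO;
		}
	}
	*ret = dentry;
	return 0;
}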
324
325
/*
 * Decode origin file handle @fh in the lower layers and store the result in
 * *@stackp, allocating it when it is NULL.
 *
 * The first layer for which ovl_decode_real_fh() returns something other
 * than NULL (a dentry or an error) ends the search.  When @upperdentry is
 * given and is not a whiteout, its file type must match the origin's.
 *
 * Returns 0 on success, -ESTALE when no layer decoded the handle, -EIO on a
 * file type mismatch, -ENOMEM, or the decode error.
 */
int ovl_check_origin_fh(struct ovl_fs *ofs, struct ovl_fh *fh, bool connected,
			struct dentry *upperdentry, struct ovl_path **stackp)
{
	struct dentry *origin = NULL;
	int i;

	for (i = 0; i < ofs->numlower; i++) {
		origin = ovl_decode_real_fh(fh, ofs->lower_layers[i].mnt,
					    connected);
		if (origin)
			break;
	}

	if (IS_ERR(origin))
		return PTR_ERR(origin);
	if (!origin)
		return -ESTALE;

	/* XOR of the two modes masked with S_IFMT is non-zero on mismatch. */
	if (upperdentry && !ovl_is_whiteout(upperdentry) &&
	    ((d_inode(origin)->i_mode ^ d_inode(upperdentry)->i_mode) & S_IFMT)) {
		pr_warn_ratelimited("overlayfs: invalid origin (%pd2, ftype=%x, origin ftype=%x).\n",
				    upperdentry, d_inode(upperdentry)->i_mode & S_IFMT,
				    d_inode(origin)->i_mode & S_IFMT);
		dput(origin);
		return -EIO;
	}

	if (!*stackp)
		*stackp = kmalloc(sizeof(struct ovl_path), GFP_KERNEL);
	if (!*stackp) {
		dput(origin);
		return -ENOMEM;
	}

	/* i still indexes the layer that decoded the handle. */
	**stackp = (struct ovl_path){
		.dentry = origin,
		.layer = &ofs->lower_layers[i]
	};

	return 0;
}
368
/*
 * Find the copy up origin of @upperdentry from its OVL_XATTR_ORIGIN xattr.
 *
 * On success with an origin found, *@stackp holds it and *@ctrp is set to 1.
 * A missing or stale origin is not an error: 0 is returned and *@ctrp is
 * left as it was.
 */
static int ovl_check_origin(struct ovl_fs *ofs, struct dentry *upperdentry,
			    struct ovl_path **stackp, unsigned int *ctrp)
{
	struct ovl_fh *fh = ovl_get_fh(upperdentry, OVL_XATTR_ORIGIN);
	int err;

	/* PTR_ERR(NULL) is 0, so "no origin" returns success. */
	if (IS_ERR_OR_NULL(fh))
		return PTR_ERR(fh);

	err = ovl_check_origin_fh(ofs, fh, false, upperdentry, stackp);
	kfree(fh);

	if (err == -ESTALE)
		return 0;
	if (err)
		return err;

	/* The caller is expected to pass a zeroed counter. */
	if (WARN_ON(*ctrp))
		return -EIO;

	*ctrp = 1;
	return 0;
}
393
/*
 * Verify that @fh matches the file handle stored in xattr @name.
 * Return 0 on match, -ESTALE on mismatch, -ENODATA when ovl_get_fh() finds
 * no usable stored handle, < 0 on error.
 */
static int ovl_verify_fh(struct dentry *dentry, const char *name,
			 const struct ovl_fh *fh)
{
	struct ovl_fh *stored = ovl_get_fh(dentry, name);
	int err;

	if (!stored)
		return -ENODATA;

	if (IS_ERR(stored))
		return PTR_ERR(stored);

	/* Lengths are compared first so memcmp() stays within both buffers. */
	if (fh->len == stored->len && !memcmp(fh, stored, fh->len))
		err = 0;
	else
		err = -ESTALE;

	kfree(stored);
	return err;
}
416
/*
 * Verify that @real dentry matches the file handle stored in xattr @name.
 *
 * If @set is true and there is no stored file handle, encode @real and store
 * file handle in xattr @name.
 *
 * Return 0 on match, -ESTALE on mismatch, -ENODATA on no xattr, < 0 on error.
 * Every non-zero result is logged (rate limited).
 */
int ovl_verify_set_fh(struct dentry *dentry, const char *name,
		      struct dentry *real, bool is_upper, bool set)
{
	struct inode *inode;
	struct ovl_fh *fh;
	int err;

	fh = ovl_encode_real_fh(real, is_upper);
	if (IS_ERR(fh)) {
		err = PTR_ERR(fh);
		/* Nothing to free below. */
		fh = NULL;
	} else {
		err = ovl_verify_fh(dentry, name, fh);
		if (set && err == -ENODATA)
			err = ovl_do_setxattr(dentry, name, fh, fh->len, 0);
	}

	if (err) {
		inode = d_inode(real);
		pr_warn_ratelimited("overlayfs: failed to verify %s (%pd2, ino=%lu, err=%i)\n",
				    is_upper ? "upper" : "origin", real,
				    inode ? inode->i_ino : 0, err);
	}

	kfree(fh);
	return err;
}
456
/*
 * Get upper dentry from index.
 *
 * A non-dir index is returned itself (with an extra reference).  For a dir
 * index the OVL_XATTR_UPPER file handle is decoded in the upper layer.
 * Returns NULL when the index has no usable 'upper' handle,
 * ERR_PTR(-ESTALE) when it cannot be decoded, ERR_PTR(-EIO) when it decodes
 * to a non-directory, or another ERR_PTR().
 */
struct dentry *ovl_index_upper(struct ovl_fs *ofs, struct dentry *index)
{
	struct dentry *upper;
	struct ovl_fh *fh;

	if (!d_is_dir(index))
		return dget(index);

	fh = ovl_get_fh(index, OVL_XATTR_UPPER);
	/* ERR_CAST() passes NULL through unchanged. */
	if (IS_ERR_OR_NULL(fh))
		return ERR_CAST(fh);

	upper = ovl_decode_real_fh(fh, ofs->upper_mnt, true);
	kfree(fh);

	if (!upper)
		return ERR_PTR(-ESTALE);
	if (IS_ERR(upper))
		return upper;

	if (d_is_dir(upper))
		return upper;

	pr_warn_ratelimited("overlayfs: invalid index upper (%pd2, upper=%pd2).\n",
			    index, upper);
	dput(upper);
	return ERR_PTR(-EIO);
}
485
/*
 * Is this a leftover from create/whiteout of directory index entry?
 * Such entries are recognised by a name starting with '#'.
 */
static bool ovl_is_temp_index(struct dentry *index)
{
	const struct qstr *qname = &index->d_name;

	return qname->name[0] == '#';
}
491
/*
 * Verify that an index entry name matches the origin file handle stored in
 * OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path.
 * Return 0 on match, -ESTALE on mismatch or stale origin, < 0 on error.
 * An orphan index entry is reported as -ENOENT.
 *
 * The entry name is the hex form of a file handle and comes from the index
 * directory on disk, so it is decoded and validated before any field of the
 * handle is used.
 */
int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index)
{
	struct ovl_fh *fh = NULL;
	size_t len;
	struct ovl_path origin = { };
	struct ovl_path *stack = &origin;
	struct dentry *upper = NULL;
	int err;

	if (!d_inode(index))
		return 0;

	/* Cleanup leftover from index create/cleanup attempt */
	if (ovl_is_temp_index(index)) {
		err = -ESTALE;
		goto fail;
	}

	/* Two hex digits per byte, and at least a full handle header. */
	if (index->d_name.len < sizeof(struct ovl_fh)*2) {
		err = -EINVAL;
		goto fail;
	}

	len = index->d_name.len / 2;
	fh = kzalloc(len, GFP_KERNEL);
	if (!fh) {
		err = -ENOMEM;
		goto fail;
	}

	if (hex2bin((u8 *)fh, index->d_name.name, len)) {
		err = -EINVAL;
		goto fail;
	}

	err = ovl_check_fh_len(fh, len);
	if (err)
		goto fail;

	/*
	 * Whiteout index entries are used as an indication that an exported
	 * overlay file handle should be treated as stale (i.e. after unlink
	 * of the overlay inode). These entries contain no origin xattr.
	 */
	if (ovl_is_whiteout(index))
		goto out;

	/*
	 * Verifying directory index entries are not stale is expensive, so
	 * only verify stale dir index if NFS export is enabled.
	 */
	if (d_is_dir(index) && !ofs->config.nfs_export)
		goto out;

	/*
	 * Directory index entries should have 'upper' xattr pointing to the
	 * real upper dir. Non-dir index entries are hardlinks to the upper
	 * real inode. For non-dir index, we can read the copy up origin xattr
	 * directly from the index dentry, but for dir index we first need to
	 * decode the upper directory.
	 */
	upper = ovl_index_upper(ofs, index);
	if (IS_ERR_OR_NULL(upper)) {
		err = PTR_ERR(upper);
		/*
		 * Directory index entries with no 'upper' xattr need to be
		 * removed. When dir index entry has a stale 'upper' xattr,
		 * we assume that upper dir was removed and we treat the dir
		 * index as orphan entry that needs to be whited out.
		 */
		if (err == -ESTALE)
			goto orphan;
		if (!err)
			err = -ESTALE;
		goto fail;
	}

	err = ovl_verify_fh(upper, OVL_XATTR_ORIGIN, fh);
	dput(upper);
	if (err)
		goto fail;

	/* Check if non-dir index is orphan and don't warn before cleaning it */
	if (!d_is_dir(index) && d_inode(index)->i_nlink == 1) {
		/* On success the decoded origin lands in the local @origin. */
		err = ovl_check_origin_fh(ofs, fh, false, index, &stack);
		if (err)
			goto fail;

		if (!ovl_get_nlink(origin.dentry, index, 0))
			goto orphan;
	}

out:
	dput(origin.dentry);
	kfree(fh);
	return err;

fail:
	pr_warn_ratelimited("overlayfs: failed to verify index (%pd2, ftype=%x, err=%i)\n",
			    index, d_inode(index)->i_mode & S_IFMT, err);
	goto out;

orphan:
	pr_warn_ratelimited("overlayfs: orphan index entry (%pd2, ftype=%x, nlink=%u)\n",
			    index, d_inode(index)->i_mode & S_IFMT,
			    d_inode(index)->i_nlink);
	err = -ENOENT;
	goto out;
}
602
/*
 * Build the index entry name for @fh: the hex encoding of its fh->len bytes.
 *
 * The buffer is exactly 2 * fh->len bytes with no room for a terminating
 * NUL, so users of @name must go by name->len.  The caller owns name->name
 * and must kfree() it.  Returns 0 or -ENOMEM.
 */
static int ovl_get_index_name_fh(struct ovl_fh *fh, struct qstr *name)
{
	char *hex, *end;

	hex = kcalloc(fh->len, 2, GFP_KERNEL);
	if (!hex)
		return -ENOMEM;

	/* bin2hex() returns the position just past the last digit written. */
	end = bin2hex(hex, fh, fh->len);
	*name = (struct qstr) QSTR_INIT(hex, end - hex);

	return 0;
}
617
/*
 * Lookup in indexdir for the index entry of a lower real inode or a copy up
 * origin inode. The index entry name is the hex representation of the lower
 * inode file handle.
 *
 * If the index dentry is negative, then either no lower aliases have been
 * copied up yet, or aliases have been copied up in older kernels and are
 * not indexed.
 *
 * If the index dentry for a copy up origin inode is positive, but points
 * to an inode different than the upper inode, then either the upper inode
 * has been copied up and not indexed or it was indexed, but since then
 * index dir was cleared. Either way, that index cannot be used to identify
 * the overlay inode.
 *
 * This helper only produces the name: it encodes @origin as a lower file
 * handle and converts it to hex.  The caller must kfree() name->name.
 */
int ovl_get_index_name(struct dentry *origin, struct qstr *name)
{
	struct ovl_fh *fh = ovl_encode_real_fh(origin, false);
	int err;

	if (IS_ERR(fh))
		return PTR_ERR(fh);

	err = ovl_get_index_name_fh(fh, name);
	/* The handle is only needed to derive the name. */
	kfree(fh);

	return err;
}
647
/*
 * Lookup index by file handle for NFS export.
 *
 * Returns the index dentry, NULL when there is none (lookup returned
 * -ENOENT or a negative dentry), ERR_PTR(-ESTALE) for a whiteout index,
 * ERR_PTR(-EIO) for a dentry ovl_dentry_weird() rejects, or another
 * ERR_PTR().
 */
struct dentry *ovl_get_index_fh(struct ovl_fs *ofs, struct ovl_fh *fh)
{
	struct dentry *index;
	struct qstr name;
	int err;

	err = ovl_get_index_name_fh(fh, &name);
	if (err)
		return ERR_PTR(err);

	index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len);
	kfree(name.name);

	if (IS_ERR(index))
		return PTR_ERR(index) == -ENOENT ? NULL : index;

	if (d_is_negative(index)) {
		dput(index);
		return NULL;
	}

	if (ovl_is_whiteout(index)) {
		dput(index);
		return ERR_PTR(-ESTALE);
	}

	if (ovl_dentry_weird(index)) {
		dput(index);
		return ERR_PTR(-EIO);
	}

	return index;
}
679
/*
 * Look up the index entry for @origin in the index directory and check that
 * it is consistent with @origin and, when given, @upper.
 *
 * Returns the index dentry, NULL when there is no usable index, or an
 * ERR_PTR(): -ESTALE for a whiteout index with !@verify, -EIO for an
 * inconsistent index, or the lookup error.
 */
struct dentry *ovl_lookup_index(struct ovl_fs *ofs, struct dentry *upper,
				struct dentry *origin, bool verify)
{
	struct dentry *index;
	struct inode *inode;
	struct qstr name;
	bool is_dir = d_is_dir(origin);
	int err;

	err = ovl_get_index_name(origin, &name);
	if (err)
		return ERR_PTR(err);

	index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len);
	if (IS_ERR(index)) {
		err = PTR_ERR(index);
		if (err == -ENOENT)
			index = NULL;
		else
			pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%.*s, err=%i);\n"
					    "overlayfs: mount with '-o index=off' to disable inodes index.\n",
					    d_inode(origin)->i_ino, name.len, name.name,
					    err);
		goto out;
	}

	inode = d_inode(index);

	if (d_is_negative(index))
		goto out_dput;

	if (ovl_is_whiteout(index) && !verify) {
		/*
		 * When index lookup is called with !verify for decoding an
		 * overlay file handle, a whiteout index implies that decode
		 * should treat file handle as stale and no need to print a
		 * warning about it.
		 */
		dput(index);
		index = ERR_PTR(-ESTALE);
		goto out;
	}

	if (ovl_dentry_weird(index) || ovl_is_whiteout(index) ||
	    ((inode->i_mode ^ d_inode(origin)->i_mode) & S_IFMT)) {
		/*
		 * Index should always be of the same file type as origin
		 * except for the case of a whiteout index. A whiteout
		 * index should only exist if all lower aliases have been
		 * unlinked, which means that finding a lower origin on lookup
		 * whose index is a whiteout should be treated as an error.
		 */
		pr_warn_ratelimited("overlayfs: bad index found (index=%pd2, ftype=%x, origin ftype=%x).\n",
				    index, d_inode(index)->i_mode & S_IFMT,
				    d_inode(origin)->i_mode & S_IFMT);
		goto fail;
	}

	if (is_dir && verify) {
		if (!upper) {
			pr_warn_ratelimited("overlayfs: suspected uncovered redirected dir found (origin=%pd2, index=%pd2).\n",
					    origin, index);
			goto fail;
		}

		/* Verify that dir index 'upper' xattr points to upper dir */
		err = ovl_verify_upper(index, upper, false);
		if (err) {
			if (err == -ESTALE) {
				pr_warn_ratelimited("overlayfs: suspected multiply redirected dir found (upper=%pd2, origin=%pd2, index=%pd2).\n",
						    upper, origin, index);
			}
			goto fail;
		}
	} else if (upper && d_inode(upper) != inode) {
		/* The index belongs to a different upper inode: ignore it. */
		goto out_dput;
	}

out:
	kfree(name.name);
	return index;

out_dput:
	dput(index);
	index = NULL;
	goto out;

fail:
	dput(index);
	index = ERR_PTR(-EIO);
	goto out;
}
766
/*
 * Returns next layer in stack starting from top.
 * Returns -1 if this is the last layer.
 *
 * @idx 0 selects the upper path when there is one; otherwise, and for any
 * @idx >= 1, @path is filled from lowerstack[@idx - 1].  An @idx outside
 * 0..numlower trips BUG_ON().
 */
int ovl_path_next(int idx, struct dentry *dentry, struct path *path)
{
	struct ovl_entry *oe = dentry->d_fsdata;
	struct ovl_path *lower;

	BUG_ON(idx < 0);
	if (!idx) {
		ovl_path_upper(dentry, path);
		if (path->dentry)
			return oe->numlower ? 1 : -1;
		/* No upper: fall through to the first lower layer. */
		idx = 1;
	}
	BUG_ON(idx > oe->numlower);

	lower = &oe->lowerstack[idx - 1];
	path->dentry = lower->dentry;
	path->mnt = lower->layer->mnt;

	return (idx < oe->numlower) ? idx + 1 : -1;
}
788
/*
 * Fix missing 'origin' xattr.
 *
 * Does nothing when ovl_check_origin_xattr() reports that @upper already
 * has one.  Otherwise the origin is set from @lower and the parent is marked
 * impure, bracketed by ovl_want_write()/ovl_drop_write().
 */
static int ovl_fix_origin(struct dentry *dentry, struct dentry *lower,
			  struct dentry *upper)
{
	int err;

	if (ovl_check_origin_xattr(upper))
		return 0;

	err = ovl_want_write(dentry);
	if (err)
		return err;

	err = ovl_set_origin(dentry, lower, upper);
	if (err == 0)
		err = ovl_set_impure(dentry->d_parent, upper->d_parent);

	ovl_drop_write(dentry);
	return err;
}
809
/*
 * Look up @dentry in the overlay.
 *
 * The upper layer is searched first, then the lower layers of the parent
 * (or of the root, once an absolute redirect was followed) until the lookup
 * state says to stop.  The dentries found are recorded in a new ovl_entry,
 * an overlay inode is obtained for them and the result is spliced into
 * @dentry.  Returns the result of d_splice_alias() or an ERR_PTR().
 *
 * Redirect, origin and metacopy information is read from xattrs stored on
 * the layers; the config checks below (redirect_follow, metacopy, index)
 * decide how far that information is trusted.
 */
struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
			  unsigned int flags)
{
	struct ovl_entry *oe;
	const struct cred *old_cred;
	struct ovl_fs *ofs = dentry->d_sb->s_fs_info;
	struct ovl_entry *poe = dentry->d_parent->d_fsdata;
	struct ovl_entry *roe = dentry->d_sb->s_root->d_fsdata;
	struct ovl_path *stack = NULL, *origin_path = NULL;
	struct dentry *upperdir, *upperdentry = NULL;
	struct dentry *origin = NULL;
	struct dentry *index = NULL;
	unsigned int ctr = 0;
	struct inode *inode = NULL;
	bool upperopaque = false;
	char *upperredirect = NULL;
	struct dentry *this;
	unsigned int i;
	int err;
	bool metacopy = false;
	struct ovl_lookup_data d = {
		.sb = dentry->d_sb,
		.name = dentry->d_name,
		.is_dir = false,
		.opaque = false,
		.stop = false,
		/* Without redirects, upper is the last layer iff no lowers. */
		.last = !ofs->config.redirect_follow && !poe->numlower,
		.redirect = NULL,
		.metacopy = false,
	};

	if (dentry->d_name.len > ofs->namelen)
		return ERR_PTR(-ENAMETOOLONG);

	/*
	 * Credentials are switched with ovl_override_creds() for the layer
	 * accesses below; every exit path after this point reverts them.
	 */
	old_cred = ovl_override_creds(dentry->d_sb);
	upperdir = ovl_dentry_upper(dentry->d_parent);
	if (upperdir) {
		err = ovl_lookup_layer(upperdir, &d, &upperdentry);
		if (err)
			goto out;

		if (upperdentry && unlikely(ovl_dentry_remote(upperdentry))) {
			dput(upperdentry);
			err = -EREMOTE;
			goto out;
		}

		if (upperdentry && !d.is_dir) {
			unsigned int origin_ctr = 0;

			/*
			 * Lookup copy up origin by decoding origin file handle.
			 * We may get a disconnected dentry, which is fine,
			 * because we only need to hold the origin inode in
			 * cache and use its inode number. We may even get a
			 * connected dentry, that is not under any of the lower
			 * layers root. That is also fine for using its inode
			 * number - it's the same as if we held a reference
			 * to a dentry in lower layer that was moved under us.
			 */
			err = ovl_check_origin(ofs, upperdentry, &origin_path,
					       &origin_ctr);
			if (err)
				goto out_put_upper;

			if (d.metacopy)
				metacopy = true;
		}

		if (d.redirect) {
			/* Private copy: d.redirect may be replaced later. */
			upperredirect = kstrdup(d.redirect, GFP_KERNEL);
			if (!upperredirect) {
				err = -ENOMEM;
				goto out_put_upper;
			}
			/* Absolute redirect: continue from the root's layers. */
			if (d.redirect[0] == '/')
				poe = roe;
		}
		upperopaque = d.opaque;
	}

	if (!d.stop && poe->numlower) {
		stack = kcalloc(ofs->numlower, sizeof(struct ovl_path),
				GFP_KERNEL);
		if (!stack) {
			err = -ENOMEM;
			goto out_put_upper;
		}
	}

	for (i = 0; !d.stop && i < poe->numlower; i++) {
		struct ovl_path lower = poe->lowerstack[i];

		d.last = ofs->config.redirect_follow ?
			 lower.layer->idx == roe->numlower :
			 i == poe->numlower - 1;

		err = ovl_lookup_layer(lower.dentry, &d, &this);
		if (err)
			goto out_put;

		if (!this)
			continue;

		/*
		 * If no origin fh is stored in upper of a merge dir, store fh
		 * of lower dir and set upper parent "impure".
		 */
		if (upperdentry && !ctr && !ofs->noxattr && d.is_dir) {
			err = ovl_fix_origin(dentry, this, upperdentry);
			if (err) {
				dput(this);
				goto out_put;
			}
		}

		/*
		 * When "verify_lower" feature is enabled, do not merge with a
		 * lower dir that does not match a stored origin xattr. In any
		 * case, only verified origin is used for index lookup.
		 *
		 * For non-dir dentry, if index=on, then ensure origin
		 * matches the dentry found using path based lookup,
		 * otherwise error out.
		 */
		if (upperdentry && !ctr &&
		    ((d.is_dir && ovl_verify_lower(dentry->d_sb)) ||
		     (!d.is_dir && ofs->config.index && origin_path))) {
			err = ovl_verify_origin(upperdentry, this, false);
			if (err) {
				dput(this);
				/* Unverified lower dir: just do not merge. */
				if (d.is_dir)
					break;
				goto out_put;
			}
			origin = this;
		}

		if (d.metacopy) {
			metacopy = true;
			/*
			 * Do not store intermediate metacopy dentries in
			 * chain, except top most lower metacopy dentry
			 */
			if (ctr) {
				dput(this);
				continue;
			}
		}

		stack[ctr].dentry = this;
		stack[ctr].layer = lower.layer;
		ctr++;

		/*
		 * Following redirects can have security consequences: it's like
		 * a symlink into the lower layer without the permission checks.
		 * This is only a problem if the upper layer is untrusted (e.g.
		 * comes from a USB drive). This can allow a non-readable file
		 * or directory to become readable.
		 *
		 * Only following redirects when redirects are enabled disables
		 * this attack vector when not necessary.
		 */
		if (d.redirect && !ofs->config.redirect_follow) {
			pr_warn_ratelimited("overlayfs: refusing to follow redirect for (%pd2)\n",
					    dentry);
			err = -EPERM;
			goto out_put;
		}

		if (d.stop)
			break;

		if (d.redirect && d.redirect[0] == '/' && poe != roe) {
			poe = roe;
			/* Find the current layer on the root dentry */
			i = lower.layer->idx - 1;
		}
	}

	if (metacopy) {
		/*
		 * Found a metacopy dentry but did not find corresponding
		 * data dentry
		 */
		if (d.metacopy) {
			err = -EIO;
			goto out_put;
		}

		/* Metacopy found on a layer while the feature is off. */
		if (!ofs->config.metacopy) {
			pr_warn_ratelimited("overlay: refusing to follow metacopy origin for (%pd2)\n",
					    dentry);
			err = -EPERM;
			goto out_put;
		}
	} else if (!d.is_dir && upperdentry && !ctr && origin_path) {
		if (WARN_ON(stack != NULL)) {
			err = -EIO;
			goto out_put;
		}
		/* The decoded origin becomes the one-entry lower stack. */
		stack = origin_path;
		ctr = 1;
		origin_path = NULL;
	}

	/*
	 * Lookup index by lower inode and verify it matches upper inode.
	 * We only trust dir index if we verified that lower dir matches
	 * origin, otherwise dir index entries may be inconsistent and we
	 * ignore them.
	 *
	 * For non-dir upper metacopy dentry, we already set "origin" if we
	 * verified that lower matched upper origin. If upper origin was
	 * not present (because lower layer did not support fh encode/decode),
	 * or indexing is not enabled, do not set "origin" and skip looking up
	 * index. This case should be handled in same way as a non-dir upper
	 * without ORIGIN is handled.
	 *
	 * Always lookup index of non-dir non-metacopy and non-upper.
	 */
	if (ctr && (!upperdentry || (!d.is_dir && !metacopy)))
		origin = stack[0].dentry;

	if (origin && ovl_indexdir(dentry->d_sb) &&
	    (!d.is_dir || ovl_index_all(dentry->d_sb))) {
		index = ovl_lookup_index(ofs, upperdentry, origin, true);
		if (IS_ERR(index)) {
			err = PTR_ERR(index);
			index = NULL;
			goto out_put;
		}
	}

	oe = ovl_alloc_entry(ctr);
	if (!oe) {
		err = -ENOMEM;
		goto out_put;
	}

	memcpy(oe->lowerstack, stack, sizeof(struct ovl_path) * ctr);
	dentry->d_fsdata = oe;

	if (upperopaque)
		ovl_dentry_set_opaque(dentry);

	if (upperdentry)
		ovl_dentry_set_upper_alias(dentry);
	else if (index) {
		/* No upper found by path: use the index as the upper. */
		upperdentry = dget(index);
		upperredirect = ovl_get_redirect_xattr(upperdentry, 0);
		if (IS_ERR(upperredirect)) {
			err = PTR_ERR(upperredirect);
			upperredirect = NULL;
			goto out_free_oe;
		}
	}

	if (upperdentry || ctr) {
		struct ovl_inode_params oip = {
			.upperdentry = upperdentry,
			.lowerpath = stack,
			.index = index,
			.numlower = ctr,
			.redirect = upperredirect,
			.lowerdata = (ctr > 1 && !d.is_dir) ?
				      stack[ctr - 1].dentry : NULL,
		};

		inode = ovl_get_inode(dentry->d_sb, &oip);
		if (IS_ERR(inode)) {
			err = PTR_ERR(inode);
			goto out_free_oe;
		}
	}

	ovl_revert_creds(old_cred);
	if (origin_path) {
		dput(origin_path->dentry);
		kfree(origin_path);
	}
	dput(index);
	kfree(stack);
	kfree(d.redirect);
	return d_splice_alias(inode, dentry);

out_free_oe:
	dentry->d_fsdata = NULL;
	kfree(oe);
out_put:
	dput(index);
	for (i = 0; i < ctr; i++)
		dput(stack[i].dentry);
	kfree(stack);
out_put_upper:
	if (origin_path) {
		dput(origin_path->dentry);
		kfree(origin_path);
	}
	dput(upperdentry);
	kfree(upperredirect);
out:
	kfree(d.redirect);
	ovl_revert_creds(old_cred);
	return ERR_PTR(err);
}
1112
/*
 * Tell whether something exists below the upper layer for @dentry.
 *
 * The lower layers of the parent are searched by name, top down, until a
 * positive dentry is found or a lookup fails for a reason other than
 * "not there".
 */
bool ovl_lower_positive(struct dentry *dentry)
{
	struct ovl_entry *poe = dentry->d_parent->d_fsdata;
	const struct qstr *name = &dentry->d_name;
	const struct cred *old_cred;
	bool positive = false;
	unsigned int i;

	/*
	 * If dentry is negative, then lower is positive iff this is a
	 * whiteout.
	 */
	if (!dentry->d_inode)
		return ovl_dentry_is_opaque(dentry);

	/* Negative upper -> positive lower */
	if (!ovl_dentry_upper(dentry))
		return true;

	old_cred = ovl_override_creds(dentry->d_sb);
	/* Positive upper -> have to look up lower to see whether it exists */
	for (i = 0; i < poe->numlower; i++) {
		struct dentry *lowerdir = poe->lowerstack[i].dentry;
		struct dentry *found;

		found = lookup_one_len_unlocked(name->name, lowerdir,
						name->len);
		if (IS_ERR(found)) {
			long code = PTR_ERR(found);

			/* Not in this layer: try the next one. */
			if (code == -ENOENT || code == -ENAMETOOLONG)
				continue;

			/*
			 * Assume something is there, we just couldn't
			 * access it.
			 */
			positive = true;
			break;
		}

		if (found->d_inode) {
			/* First positive dentry decides; a whiteout hides. */
			positive = !ovl_is_whiteout(found);
			dput(found);
			break;
		}
		dput(found);
	}
	ovl_revert_creds(old_cred);

	return positive;
}