1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2011 Novell Inc. 4 * Copyright (C) 2016 Red Hat, Inc. 5 */ 6 7 #include <linux/fs.h> 8 #include <linux/cred.h> 9 #include <linux/ctype.h> 10 #include <linux/namei.h> 11 #include <linux/xattr.h> 12 #include <linux/ratelimit.h> 13 #include <linux/mount.h> 14 #include <linux/exportfs.h> 15 #include "overlayfs.h" 16 17 struct ovl_lookup_data { 18 struct super_block *sb; 19 struct qstr name; 20 bool is_dir; 21 bool opaque; 22 bool stop; 23 bool last; 24 char *redirect; 25 bool metacopy; 26 }; 27 28 static int ovl_check_redirect(struct dentry *dentry, struct ovl_lookup_data *d, 29 size_t prelen, const char *post) 30 { 31 int res; 32 char *buf; 33 34 buf = ovl_get_redirect_xattr(dentry, prelen + strlen(post)); 35 if (IS_ERR_OR_NULL(buf)) 36 return PTR_ERR(buf); 37 38 if (buf[0] == '/') { 39 /* 40 * One of the ancestor path elements in an absolute path 41 * lookup in ovl_lookup_layer() could have been opaque and 42 * that will stop further lookup in lower layers (d->stop=true) 43 * But we have found an absolute redirect in decendant path 44 * element and that should force continue lookup in lower 45 * layers (reset d->stop). 46 */ 47 d->stop = false; 48 } else { 49 res = strlen(buf) + 1; 50 memmove(buf + prelen, buf, res); 51 memcpy(buf, d->name.name, prelen); 52 } 53 54 strcat(buf, post); 55 kfree(d->redirect); 56 d->redirect = buf; 57 d->name.name = d->redirect; 58 d->name.len = strlen(d->redirect); 59 60 return 0; 61 } 62 63 static int ovl_acceptable(void *ctx, struct dentry *dentry) 64 { 65 /* 66 * A non-dir origin may be disconnected, which is fine, because 67 * we only need it for its unique inode number. 68 */ 69 if (!d_is_dir(dentry)) 70 return 1; 71 72 /* Don't decode a deleted empty directory */ 73 if (d_unhashed(dentry)) 74 return 0; 75 76 /* Check if directory belongs to the layer we are decoding from */ 77 return is_subdir(dentry, ((struct vfsmount *)ctx)->mnt_root); 78 } 79 80 /* 81 * Check validity of an overlay file handle buffer. 82 * 83 * Return 0 for a valid file handle. 84 * Return -ENODATA for "origin unknown". 85 * Return <0 for an invalid file handle. 86 */ 87 int ovl_check_fh_len(struct ovl_fh *fh, int fh_len) 88 { 89 if (fh_len < sizeof(struct ovl_fh) || fh_len < fh->len) 90 return -EINVAL; 91 92 if (fh->magic != OVL_FH_MAGIC) 93 return -EINVAL; 94 95 /* Treat larger version and unknown flags as "origin unknown" */ 96 if (fh->version > OVL_FH_VERSION || fh->flags & ~OVL_FH_FLAG_ALL) 97 return -ENODATA; 98 99 /* Treat endianness mismatch as "origin unknown" */ 100 if (!(fh->flags & OVL_FH_FLAG_ANY_ENDIAN) && 101 (fh->flags & OVL_FH_FLAG_BIG_ENDIAN) != OVL_FH_FLAG_CPU_ENDIAN) 102 return -ENODATA; 103 104 return 0; 105 } 106 107 static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name) 108 { 109 int res, err; 110 struct ovl_fh *fh = NULL; 111 112 res = vfs_getxattr(dentry, name, NULL, 0); 113 if (res < 0) { 114 if (res == -ENODATA || res == -EOPNOTSUPP) 115 return NULL; 116 goto fail; 117 } 118 /* Zero size value means "copied up but origin unknown" */ 119 if (res == 0) 120 return NULL; 121 122 fh = kzalloc(res, GFP_KERNEL); 123 if (!fh) 124 return ERR_PTR(-ENOMEM); 125 126 res = vfs_getxattr(dentry, name, fh, res); 127 if (res < 0) 128 goto fail; 129 130 err = ovl_check_fh_len(fh, res); 131 if (err < 0) { 132 if (err == -ENODATA) 133 goto out; 134 goto invalid; 135 } 136 137 return fh; 138 139 out: 140 kfree(fh); 141 return NULL; 142 143 fail: 144 pr_warn_ratelimited("overlayfs: failed to get origin (%i)\n", res); 145 goto out; 146 invalid: 147 pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n", res, fh); 148 goto out; 149 } 150 151 struct dentry *ovl_decode_real_fh(struct ovl_fh *fh, struct vfsmount *mnt, 152 bool connected) 153 { 154 struct dentry *real; 155 int bytes; 156 157 /* 158 * Make sure that the stored uuid matches the uuid of the lower 159 * layer where file handle will be decoded. 160 */ 161 if (!uuid_equal(&fh->uuid, &mnt->mnt_sb->s_uuid)) 162 return NULL; 163 164 bytes = (fh->len - offsetof(struct ovl_fh, fid)); 165 real = exportfs_decode_fh(mnt, (struct fid *)fh->fid, 166 bytes >> 2, (int)fh->type, 167 connected ? ovl_acceptable : NULL, mnt); 168 if (IS_ERR(real)) { 169 /* 170 * Treat stale file handle to lower file as "origin unknown". 171 * upper file handle could become stale when upper file is 172 * unlinked and this information is needed to handle stale 173 * index entries correctly. 174 */ 175 if (real == ERR_PTR(-ESTALE) && 176 !(fh->flags & OVL_FH_FLAG_PATH_UPPER)) 177 real = NULL; 178 return real; 179 } 180 181 if (ovl_dentry_weird(real)) { 182 dput(real); 183 return NULL; 184 } 185 186 return real; 187 } 188 189 static bool ovl_is_opaquedir(struct dentry *dentry) 190 { 191 return ovl_check_dir_xattr(dentry, OVL_XATTR_OPAQUE); 192 } 193 194 static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d, 195 const char *name, unsigned int namelen, 196 size_t prelen, const char *post, 197 struct dentry **ret) 198 { 199 struct dentry *this; 200 int err; 201 bool last_element = !post[0]; 202 203 this = lookup_one_len_unlocked(name, base, namelen); 204 if (IS_ERR(this)) { 205 err = PTR_ERR(this); 206 this = NULL; 207 if (err == -ENOENT || err == -ENAMETOOLONG) 208 goto out; 209 goto out_err; 210 } 211 if (!this->d_inode) 212 goto put_and_out; 213 214 if (ovl_dentry_weird(this)) { 215 /* Don't support traversing automounts and other weirdness */ 216 err = -EREMOTE; 217 goto out_err; 218 } 219 if (ovl_is_whiteout(this)) { 220 d->stop = d->opaque = true; 221 goto put_and_out; 222 } 223 /* 224 * This dentry should be a regular file if previous layer lookup 225 * found a metacopy dentry. 226 */ 227 if (last_element && d->metacopy && !d_is_reg(this)) { 228 d->stop = true; 229 goto put_and_out; 230 } 231 if (!d_can_lookup(this)) { 232 if (d->is_dir || !last_element) { 233 d->stop = true; 234 goto put_and_out; 235 } 236 err = ovl_check_metacopy_xattr(this); 237 if (err < 0) 238 goto out_err; 239 240 d->metacopy = err; 241 d->stop = !d->metacopy; 242 if (!d->metacopy || d->last) 243 goto out; 244 } else { 245 if (ovl_lookup_trap_inode(d->sb, this)) { 246 /* Caught in a trap of overlapping layers */ 247 err = -ELOOP; 248 goto out_err; 249 } 250 251 if (last_element) 252 d->is_dir = true; 253 if (d->last) 254 goto out; 255 256 if (ovl_is_opaquedir(this)) { 257 d->stop = true; 258 if (last_element) 259 d->opaque = true; 260 goto out; 261 } 262 } 263 err = ovl_check_redirect(this, d, prelen, post); 264 if (err) 265 goto out_err; 266 out: 267 *ret = this; 268 return 0; 269 270 put_and_out: 271 dput(this); 272 this = NULL; 273 goto out; 274 275 out_err: 276 dput(this); 277 return err; 278 } 279 280 static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d, 281 struct dentry **ret) 282 { 283 /* Counting down from the end, since the prefix can change */ 284 size_t rem = d->name.len - 1; 285 struct dentry *dentry = NULL; 286 int err; 287 288 if (d->name.name[0] != '/') 289 return ovl_lookup_single(base, d, d->name.name, d->name.len, 290 0, "", ret); 291 292 while (!IS_ERR_OR_NULL(base) && d_can_lookup(base)) { 293 const char *s = d->name.name + d->name.len - rem; 294 const char *next = strchrnul(s, '/'); 295 size_t thislen = next - s; 296 bool end = !next[0]; 297 298 /* Verify we did not go off the rails */ 299 if (WARN_ON(s[-1] != '/')) 300 return -EIO; 301 302 err = ovl_lookup_single(base, d, s, thislen, 303 d->name.len - rem, next, &base); 304 dput(dentry); 305 if (err) 306 return err; 307 dentry = base; 308 if (end) 309 break; 310 311 rem -= thislen + 1; 312 313 if (WARN_ON(rem >= d->name.len)) 314 return -EIO; 315 } 316 *ret = dentry; 317 return 0; 318 } 319 320 321 int ovl_check_origin_fh(struct ovl_fs *ofs, struct ovl_fh *fh, bool connected, 322 struct dentry *upperdentry, struct ovl_path **stackp) 323 { 324 struct dentry *origin = NULL; 325 int i; 326 327 for (i = 0; i < ofs->numlower; i++) { 328 origin = ovl_decode_real_fh(fh, ofs->lower_layers[i].mnt, 329 connected); 330 if (origin) 331 break; 332 } 333 334 if (!origin) 335 return -ESTALE; 336 else if (IS_ERR(origin)) 337 return PTR_ERR(origin); 338 339 if (upperdentry && !ovl_is_whiteout(upperdentry) && 340 ((d_inode(origin)->i_mode ^ d_inode(upperdentry)->i_mode) & S_IFMT)) 341 goto invalid; 342 343 if (!*stackp) 344 *stackp = kmalloc(sizeof(struct ovl_path), GFP_KERNEL); 345 if (!*stackp) { 346 dput(origin); 347 return -ENOMEM; 348 } 349 **stackp = (struct ovl_path){ 350 .dentry = origin, 351 .layer = &ofs->lower_layers[i] 352 }; 353 354 return 0; 355 356 invalid: 357 pr_warn_ratelimited("overlayfs: invalid origin (%pd2, ftype=%x, origin ftype=%x).\n", 358 upperdentry, d_inode(upperdentry)->i_mode & S_IFMT, 359 d_inode(origin)->i_mode & S_IFMT); 360 dput(origin); 361 return -EIO; 362 } 363 364 static int ovl_check_origin(struct ovl_fs *ofs, struct dentry *upperdentry, 365 struct ovl_path **stackp, unsigned int *ctrp) 366 { 367 struct ovl_fh *fh = ovl_get_fh(upperdentry, OVL_XATTR_ORIGIN); 368 int err; 369 370 if (IS_ERR_OR_NULL(fh)) 371 return PTR_ERR(fh); 372 373 err = ovl_check_origin_fh(ofs, fh, false, upperdentry, stackp); 374 kfree(fh); 375 376 if (err) { 377 if (err == -ESTALE) 378 return 0; 379 return err; 380 } 381 382 if (WARN_ON(*ctrp)) 383 return -EIO; 384 385 *ctrp = 1; 386 return 0; 387 } 388 389 /* 390 * Verify that @fh matches the file handle stored in xattr @name. 391 * Return 0 on match, -ESTALE on mismatch, < 0 on error. 392 */ 393 static int ovl_verify_fh(struct dentry *dentry, const char *name, 394 const struct ovl_fh *fh) 395 { 396 struct ovl_fh *ofh = ovl_get_fh(dentry, name); 397 int err = 0; 398 399 if (!ofh) 400 return -ENODATA; 401 402 if (IS_ERR(ofh)) 403 return PTR_ERR(ofh); 404 405 if (fh->len != ofh->len || memcmp(fh, ofh, fh->len)) 406 err = -ESTALE; 407 408 kfree(ofh); 409 return err; 410 } 411 412 /* 413 * Verify that @real dentry matches the file handle stored in xattr @name. 414 * 415 * If @set is true and there is no stored file handle, encode @real and store 416 * file handle in xattr @name. 417 * 418 * Return 0 on match, -ESTALE on mismatch, -ENODATA on no xattr, < 0 on error. 419 */ 420 int ovl_verify_set_fh(struct dentry *dentry, const char *name, 421 struct dentry *real, bool is_upper, bool set) 422 { 423 struct inode *inode; 424 struct ovl_fh *fh; 425 int err; 426 427 fh = ovl_encode_real_fh(real, is_upper); 428 err = PTR_ERR(fh); 429 if (IS_ERR(fh)) { 430 fh = NULL; 431 goto fail; 432 } 433 434 err = ovl_verify_fh(dentry, name, fh); 435 if (set && err == -ENODATA) 436 err = ovl_do_setxattr(dentry, name, fh, fh->len, 0); 437 if (err) 438 goto fail; 439 440 out: 441 kfree(fh); 442 return err; 443 444 fail: 445 inode = d_inode(real); 446 pr_warn_ratelimited("overlayfs: failed to verify %s (%pd2, ino=%lu, err=%i)\n", 447 is_upper ? "upper" : "origin", real, 448 inode ? inode->i_ino : 0, err); 449 goto out; 450 } 451 452 /* Get upper dentry from index */ 453 struct dentry *ovl_index_upper(struct ovl_fs *ofs, struct dentry *index) 454 { 455 struct ovl_fh *fh; 456 struct dentry *upper; 457 458 if (!d_is_dir(index)) 459 return dget(index); 460 461 fh = ovl_get_fh(index, OVL_XATTR_UPPER); 462 if (IS_ERR_OR_NULL(fh)) 463 return ERR_CAST(fh); 464 465 upper = ovl_decode_real_fh(fh, ofs->upper_mnt, true); 466 kfree(fh); 467 468 if (IS_ERR_OR_NULL(upper)) 469 return upper ?: ERR_PTR(-ESTALE); 470 471 if (!d_is_dir(upper)) { 472 pr_warn_ratelimited("overlayfs: invalid index upper (%pd2, upper=%pd2).\n", 473 index, upper); 474 dput(upper); 475 return ERR_PTR(-EIO); 476 } 477 478 return upper; 479 } 480 481 /* Is this a leftover from create/whiteout of directory index entry? */ 482 static bool ovl_is_temp_index(struct dentry *index) 483 { 484 return index->d_name.name[0] == '#'; 485 } 486 487 /* 488 * Verify that an index entry name matches the origin file handle stored in 489 * OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path. 490 * Return 0 on match, -ESTALE on mismatch or stale origin, < 0 on error. 491 */ 492 int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index) 493 { 494 struct ovl_fh *fh = NULL; 495 size_t len; 496 struct ovl_path origin = { }; 497 struct ovl_path *stack = &origin; 498 struct dentry *upper = NULL; 499 int err; 500 501 if (!d_inode(index)) 502 return 0; 503 504 /* Cleanup leftover from index create/cleanup attempt */ 505 err = -ESTALE; 506 if (ovl_is_temp_index(index)) 507 goto fail; 508 509 err = -EINVAL; 510 if (index->d_name.len < sizeof(struct ovl_fh)*2) 511 goto fail; 512 513 err = -ENOMEM; 514 len = index->d_name.len / 2; 515 fh = kzalloc(len, GFP_KERNEL); 516 if (!fh) 517 goto fail; 518 519 err = -EINVAL; 520 if (hex2bin((u8 *)fh, index->d_name.name, len)) 521 goto fail; 522 523 err = ovl_check_fh_len(fh, len); 524 if (err) 525 goto fail; 526 527 /* 528 * Whiteout index entries are used as an indication that an exported 529 * overlay file handle should be treated as stale (i.e. after unlink 530 * of the overlay inode). These entries contain no origin xattr. 531 */ 532 if (ovl_is_whiteout(index)) 533 goto out; 534 535 /* 536 * Verifying directory index entries are not stale is expensive, so 537 * only verify stale dir index if NFS export is enabled. 538 */ 539 if (d_is_dir(index) && !ofs->config.nfs_export) 540 goto out; 541 542 /* 543 * Directory index entries should have 'upper' xattr pointing to the 544 * real upper dir. Non-dir index entries are hardlinks to the upper 545 * real inode. For non-dir index, we can read the copy up origin xattr 546 * directly from the index dentry, but for dir index we first need to 547 * decode the upper directory. 548 */ 549 upper = ovl_index_upper(ofs, index); 550 if (IS_ERR_OR_NULL(upper)) { 551 err = PTR_ERR(upper); 552 /* 553 * Directory index entries with no 'upper' xattr need to be 554 * removed. When dir index entry has a stale 'upper' xattr, 555 * we assume that upper dir was removed and we treat the dir 556 * index as orphan entry that needs to be whited out. 557 */ 558 if (err == -ESTALE) 559 goto orphan; 560 else if (!err) 561 err = -ESTALE; 562 goto fail; 563 } 564 565 err = ovl_verify_fh(upper, OVL_XATTR_ORIGIN, fh); 566 dput(upper); 567 if (err) 568 goto fail; 569 570 /* Check if non-dir index is orphan and don't warn before cleaning it */ 571 if (!d_is_dir(index) && d_inode(index)->i_nlink == 1) { 572 err = ovl_check_origin_fh(ofs, fh, false, index, &stack); 573 if (err) 574 goto fail; 575 576 if (ovl_get_nlink(origin.dentry, index, 0) == 0) 577 goto orphan; 578 } 579 580 out: 581 dput(origin.dentry); 582 kfree(fh); 583 return err; 584 585 fail: 586 pr_warn_ratelimited("overlayfs: failed to verify index (%pd2, ftype=%x, err=%i)\n", 587 index, d_inode(index)->i_mode & S_IFMT, err); 588 goto out; 589 590 orphan: 591 pr_warn_ratelimited("overlayfs: orphan index entry (%pd2, ftype=%x, nlink=%u)\n", 592 index, d_inode(index)->i_mode & S_IFMT, 593 d_inode(index)->i_nlink); 594 err = -ENOENT; 595 goto out; 596 } 597 598 static int ovl_get_index_name_fh(struct ovl_fh *fh, struct qstr *name) 599 { 600 char *n, *s; 601 602 n = kcalloc(fh->len, 2, GFP_KERNEL); 603 if (!n) 604 return -ENOMEM; 605 606 s = bin2hex(n, fh, fh->len); 607 *name = (struct qstr) QSTR_INIT(n, s - n); 608 609 return 0; 610 611 } 612 613 /* 614 * Lookup in indexdir for the index entry of a lower real inode or a copy up 615 * origin inode. The index entry name is the hex representation of the lower 616 * inode file handle. 617 * 618 * If the index dentry in negative, then either no lower aliases have been 619 * copied up yet, or aliases have been copied up in older kernels and are 620 * not indexed. 621 * 622 * If the index dentry for a copy up origin inode is positive, but points 623 * to an inode different than the upper inode, then either the upper inode 624 * has been copied up and not indexed or it was indexed, but since then 625 * index dir was cleared. Either way, that index cannot be used to indentify 626 * the overlay inode. 627 */ 628 int ovl_get_index_name(struct dentry *origin, struct qstr *name) 629 { 630 struct ovl_fh *fh; 631 int err; 632 633 fh = ovl_encode_real_fh(origin, false); 634 if (IS_ERR(fh)) 635 return PTR_ERR(fh); 636 637 err = ovl_get_index_name_fh(fh, name); 638 639 kfree(fh); 640 return err; 641 } 642 643 /* Lookup index by file handle for NFS export */ 644 struct dentry *ovl_get_index_fh(struct ovl_fs *ofs, struct ovl_fh *fh) 645 { 646 struct dentry *index; 647 struct qstr name; 648 int err; 649 650 err = ovl_get_index_name_fh(fh, &name); 651 if (err) 652 return ERR_PTR(err); 653 654 index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len); 655 kfree(name.name); 656 if (IS_ERR(index)) { 657 if (PTR_ERR(index) == -ENOENT) 658 index = NULL; 659 return index; 660 } 661 662 if (d_is_negative(index)) 663 err = 0; 664 else if (ovl_is_whiteout(index)) 665 err = -ESTALE; 666 else if (ovl_dentry_weird(index)) 667 err = -EIO; 668 else 669 return index; 670 671 dput(index); 672 return ERR_PTR(err); 673 } 674 675 struct dentry *ovl_lookup_index(struct ovl_fs *ofs, struct dentry *upper, 676 struct dentry *origin, bool verify) 677 { 678 struct dentry *index; 679 struct inode *inode; 680 struct qstr name; 681 bool is_dir = d_is_dir(origin); 682 int err; 683 684 err = ovl_get_index_name(origin, &name); 685 if (err) 686 return ERR_PTR(err); 687 688 index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len); 689 if (IS_ERR(index)) { 690 err = PTR_ERR(index); 691 if (err == -ENOENT) { 692 index = NULL; 693 goto out; 694 } 695 pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%.*s, err=%i);\n" 696 "overlayfs: mount with '-o index=off' to disable inodes index.\n", 697 d_inode(origin)->i_ino, name.len, name.name, 698 err); 699 goto out; 700 } 701 702 inode = d_inode(index); 703 if (d_is_negative(index)) { 704 goto out_dput; 705 } else if (ovl_is_whiteout(index) && !verify) { 706 /* 707 * When index lookup is called with !verify for decoding an 708 * overlay file handle, a whiteout index implies that decode 709 * should treat file handle as stale and no need to print a 710 * warning about it. 711 */ 712 dput(index); 713 index = ERR_PTR(-ESTALE); 714 goto out; 715 } else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) || 716 ((inode->i_mode ^ d_inode(origin)->i_mode) & S_IFMT)) { 717 /* 718 * Index should always be of the same file type as origin 719 * except for the case of a whiteout index. A whiteout 720 * index should only exist if all lower aliases have been 721 * unlinked, which means that finding a lower origin on lookup 722 * whose index is a whiteout should be treated as an error. 723 */ 724 pr_warn_ratelimited("overlayfs: bad index found (index=%pd2, ftype=%x, origin ftype=%x).\n", 725 index, d_inode(index)->i_mode & S_IFMT, 726 d_inode(origin)->i_mode & S_IFMT); 727 goto fail; 728 } else if (is_dir && verify) { 729 if (!upper) { 730 pr_warn_ratelimited("overlayfs: suspected uncovered redirected dir found (origin=%pd2, index=%pd2).\n", 731 origin, index); 732 goto fail; 733 } 734 735 /* Verify that dir index 'upper' xattr points to upper dir */ 736 err = ovl_verify_upper(index, upper, false); 737 if (err) { 738 if (err == -ESTALE) { 739 pr_warn_ratelimited("overlayfs: suspected multiply redirected dir found (upper=%pd2, origin=%pd2, index=%pd2).\n", 740 upper, origin, index); 741 } 742 goto fail; 743 } 744 } else if (upper && d_inode(upper) != inode) { 745 goto out_dput; 746 } 747 out: 748 kfree(name.name); 749 return index; 750 751 out_dput: 752 dput(index); 753 index = NULL; 754 goto out; 755 756 fail: 757 dput(index); 758 index = ERR_PTR(-EIO); 759 goto out; 760 } 761 762 /* 763 * Returns next layer in stack starting from top. 764 * Returns -1 if this is the last layer. 765 */ 766 int ovl_path_next(int idx, struct dentry *dentry, struct path *path) 767 { 768 struct ovl_entry *oe = dentry->d_fsdata; 769 770 BUG_ON(idx < 0); 771 if (idx == 0) { 772 ovl_path_upper(dentry, path); 773 if (path->dentry) 774 return oe->numlower ? 1 : -1; 775 idx++; 776 } 777 BUG_ON(idx > oe->numlower); 778 path->dentry = oe->lowerstack[idx - 1].dentry; 779 path->mnt = oe->lowerstack[idx - 1].layer->mnt; 780 781 return (idx < oe->numlower) ? idx + 1 : -1; 782 } 783 784 /* Fix missing 'origin' xattr */ 785 static int ovl_fix_origin(struct dentry *dentry, struct dentry *lower, 786 struct dentry *upper) 787 { 788 int err; 789 790 if (ovl_check_origin_xattr(upper)) 791 return 0; 792 793 err = ovl_want_write(dentry); 794 if (err) 795 return err; 796 797 err = ovl_set_origin(dentry, lower, upper); 798 if (!err) 799 err = ovl_set_impure(dentry->d_parent, upper->d_parent); 800 801 ovl_drop_write(dentry); 802 return err; 803 } 804 805 struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry, 806 unsigned int flags) 807 { 808 struct ovl_entry *oe; 809 const struct cred *old_cred; 810 struct ovl_fs *ofs = dentry->d_sb->s_fs_info; 811 struct ovl_entry *poe = dentry->d_parent->d_fsdata; 812 struct ovl_entry *roe = dentry->d_sb->s_root->d_fsdata; 813 struct ovl_path *stack = NULL, *origin_path = NULL; 814 struct dentry *upperdir, *upperdentry = NULL; 815 struct dentry *origin = NULL; 816 struct dentry *index = NULL; 817 unsigned int ctr = 0; 818 struct inode *inode = NULL; 819 bool upperopaque = false; 820 char *upperredirect = NULL; 821 struct dentry *this; 822 unsigned int i; 823 int err; 824 bool metacopy = false; 825 struct ovl_lookup_data d = { 826 .sb = dentry->d_sb, 827 .name = dentry->d_name, 828 .is_dir = false, 829 .opaque = false, 830 .stop = false, 831 .last = ofs->config.redirect_follow ? false : !poe->numlower, 832 .redirect = NULL, 833 .metacopy = false, 834 }; 835 836 if (dentry->d_name.len > ofs->namelen) 837 return ERR_PTR(-ENAMETOOLONG); 838 839 old_cred = ovl_override_creds(dentry->d_sb); 840 upperdir = ovl_dentry_upper(dentry->d_parent); 841 if (upperdir) { 842 err = ovl_lookup_layer(upperdir, &d, &upperdentry); 843 if (err) 844 goto out; 845 846 if (upperdentry && unlikely(ovl_dentry_remote(upperdentry))) { 847 dput(upperdentry); 848 err = -EREMOTE; 849 goto out; 850 } 851 if (upperdentry && !d.is_dir) { 852 unsigned int origin_ctr = 0; 853 854 /* 855 * Lookup copy up origin by decoding origin file handle. 856 * We may get a disconnected dentry, which is fine, 857 * because we only need to hold the origin inode in 858 * cache and use its inode number. We may even get a 859 * connected dentry, that is not under any of the lower 860 * layers root. That is also fine for using it's inode 861 * number - it's the same as if we held a reference 862 * to a dentry in lower layer that was moved under us. 863 */ 864 err = ovl_check_origin(ofs, upperdentry, &origin_path, 865 &origin_ctr); 866 if (err) 867 goto out_put_upper; 868 869 if (d.metacopy) 870 metacopy = true; 871 } 872 873 if (d.redirect) { 874 err = -ENOMEM; 875 upperredirect = kstrdup(d.redirect, GFP_KERNEL); 876 if (!upperredirect) 877 goto out_put_upper; 878 if (d.redirect[0] == '/') 879 poe = roe; 880 } 881 upperopaque = d.opaque; 882 } 883 884 if (!d.stop && poe->numlower) { 885 err = -ENOMEM; 886 stack = kcalloc(ofs->numlower, sizeof(struct ovl_path), 887 GFP_KERNEL); 888 if (!stack) 889 goto out_put_upper; 890 } 891 892 for (i = 0; !d.stop && i < poe->numlower; i++) { 893 struct ovl_path lower = poe->lowerstack[i]; 894 895 if (!ofs->config.redirect_follow) 896 d.last = i == poe->numlower - 1; 897 else 898 d.last = lower.layer->idx == roe->numlower; 899 900 err = ovl_lookup_layer(lower.dentry, &d, &this); 901 if (err) 902 goto out_put; 903 904 if (!this) 905 continue; 906 907 /* 908 * If no origin fh is stored in upper of a merge dir, store fh 909 * of lower dir and set upper parent "impure". 910 */ 911 if (upperdentry && !ctr && !ofs->noxattr && d.is_dir) { 912 err = ovl_fix_origin(dentry, this, upperdentry); 913 if (err) { 914 dput(this); 915 goto out_put; 916 } 917 } 918 919 /* 920 * When "verify_lower" feature is enabled, do not merge with a 921 * lower dir that does not match a stored origin xattr. In any 922 * case, only verified origin is used for index lookup. 923 * 924 * For non-dir dentry, if index=on, then ensure origin 925 * matches the dentry found using path based lookup, 926 * otherwise error out. 927 */ 928 if (upperdentry && !ctr && 929 ((d.is_dir && ovl_verify_lower(dentry->d_sb)) || 930 (!d.is_dir && ofs->config.index && origin_path))) { 931 err = ovl_verify_origin(upperdentry, this, false); 932 if (err) { 933 dput(this); 934 if (d.is_dir) 935 break; 936 goto out_put; 937 } 938 origin = this; 939 } 940 941 if (d.metacopy) 942 metacopy = true; 943 /* 944 * Do not store intermediate metacopy dentries in chain, 945 * except top most lower metacopy dentry 946 */ 947 if (d.metacopy && ctr) { 948 dput(this); 949 continue; 950 } 951 952 stack[ctr].dentry = this; 953 stack[ctr].layer = lower.layer; 954 ctr++; 955 956 /* 957 * Following redirects can have security consequences: it's like 958 * a symlink into the lower layer without the permission checks. 959 * This is only a problem if the upper layer is untrusted (e.g 960 * comes from an USB drive). This can allow a non-readable file 961 * or directory to become readable. 962 * 963 * Only following redirects when redirects are enabled disables 964 * this attack vector when not necessary. 965 */ 966 err = -EPERM; 967 if (d.redirect && !ofs->config.redirect_follow) { 968 pr_warn_ratelimited("overlayfs: refusing to follow redirect for (%pd2)\n", 969 dentry); 970 goto out_put; 971 } 972 973 if (d.stop) 974 break; 975 976 if (d.redirect && d.redirect[0] == '/' && poe != roe) { 977 poe = roe; 978 /* Find the current layer on the root dentry */ 979 i = lower.layer->idx - 1; 980 } 981 } 982 983 if (metacopy) { 984 /* 985 * Found a metacopy dentry but did not find corresponding 986 * data dentry 987 */ 988 if (d.metacopy) { 989 err = -EIO; 990 goto out_put; 991 } 992 993 err = -EPERM; 994 if (!ofs->config.metacopy) { 995 pr_warn_ratelimited("overlay: refusing to follow metacopy origin for (%pd2)\n", 996 dentry); 997 goto out_put; 998 } 999 } else if (!d.is_dir && upperdentry && !ctr && origin_path) { 1000 if (WARN_ON(stack != NULL)) { 1001 err = -EIO; 1002 goto out_put; 1003 } 1004 stack = origin_path; 1005 ctr = 1; 1006 origin_path = NULL; 1007 } 1008 1009 /* 1010 * Lookup index by lower inode and verify it matches upper inode. 1011 * We only trust dir index if we verified that lower dir matches 1012 * origin, otherwise dir index entries may be inconsistent and we 1013 * ignore them. 1014 * 1015 * For non-dir upper metacopy dentry, we already set "origin" if we 1016 * verified that lower matched upper origin. If upper origin was 1017 * not present (because lower layer did not support fh encode/decode), 1018 * or indexing is not enabled, do not set "origin" and skip looking up 1019 * index. This case should be handled in same way as a non-dir upper 1020 * without ORIGIN is handled. 1021 * 1022 * Always lookup index of non-dir non-metacopy and non-upper. 1023 */ 1024 if (ctr && (!upperdentry || (!d.is_dir && !metacopy))) 1025 origin = stack[0].dentry; 1026 1027 if (origin && ovl_indexdir(dentry->d_sb) && 1028 (!d.is_dir || ovl_index_all(dentry->d_sb))) { 1029 index = ovl_lookup_index(ofs, upperdentry, origin, true); 1030 if (IS_ERR(index)) { 1031 err = PTR_ERR(index); 1032 index = NULL; 1033 goto out_put; 1034 } 1035 } 1036 1037 oe = ovl_alloc_entry(ctr); 1038 err = -ENOMEM; 1039 if (!oe) 1040 goto out_put; 1041 1042 memcpy(oe->lowerstack, stack, sizeof(struct ovl_path) * ctr); 1043 dentry->d_fsdata = oe; 1044 1045 if (upperopaque) 1046 ovl_dentry_set_opaque(dentry); 1047 1048 if (upperdentry) 1049 ovl_dentry_set_upper_alias(dentry); 1050 else if (index) { 1051 upperdentry = dget(index); 1052 upperredirect = ovl_get_redirect_xattr(upperdentry, 0); 1053 if (IS_ERR(upperredirect)) { 1054 err = PTR_ERR(upperredirect); 1055 upperredirect = NULL; 1056 goto out_free_oe; 1057 } 1058 } 1059 1060 if (upperdentry || ctr) { 1061 struct ovl_inode_params oip = { 1062 .upperdentry = upperdentry, 1063 .lowerpath = stack, 1064 .index = index, 1065 .numlower = ctr, 1066 .redirect = upperredirect, 1067 .lowerdata = (ctr > 1 && !d.is_dir) ? 1068 stack[ctr - 1].dentry : NULL, 1069 }; 1070 1071 inode = ovl_get_inode(dentry->d_sb, &oip); 1072 err = PTR_ERR(inode); 1073 if (IS_ERR(inode)) 1074 goto out_free_oe; 1075 } 1076 1077 revert_creds(old_cred); 1078 if (origin_path) { 1079 dput(origin_path->dentry); 1080 kfree(origin_path); 1081 } 1082 dput(index); 1083 kfree(stack); 1084 kfree(d.redirect); 1085 return d_splice_alias(inode, dentry); 1086 1087 out_free_oe: 1088 dentry->d_fsdata = NULL; 1089 kfree(oe); 1090 out_put: 1091 dput(index); 1092 for (i = 0; i < ctr; i++) 1093 dput(stack[i].dentry); 1094 kfree(stack); 1095 out_put_upper: 1096 if (origin_path) { 1097 dput(origin_path->dentry); 1098 kfree(origin_path); 1099 } 1100 dput(upperdentry); 1101 kfree(upperredirect); 1102 out: 1103 kfree(d.redirect); 1104 revert_creds(old_cred); 1105 return ERR_PTR(err); 1106 } 1107 1108 bool ovl_lower_positive(struct dentry *dentry) 1109 { 1110 struct ovl_entry *poe = dentry->d_parent->d_fsdata; 1111 const struct qstr *name = &dentry->d_name; 1112 const struct cred *old_cred; 1113 unsigned int i; 1114 bool positive = false; 1115 bool done = false; 1116 1117 /* 1118 * If dentry is negative, then lower is positive iff this is a 1119 * whiteout. 1120 */ 1121 if (!dentry->d_inode) 1122 return ovl_dentry_is_opaque(dentry); 1123 1124 /* Negative upper -> positive lower */ 1125 if (!ovl_dentry_upper(dentry)) 1126 return true; 1127 1128 old_cred = ovl_override_creds(dentry->d_sb); 1129 /* Positive upper -> have to look up lower to see whether it exists */ 1130 for (i = 0; !done && !positive && i < poe->numlower; i++) { 1131 struct dentry *this; 1132 struct dentry *lowerdir = poe->lowerstack[i].dentry; 1133 1134 this = lookup_one_len_unlocked(name->name, lowerdir, 1135 name->len); 1136 if (IS_ERR(this)) { 1137 switch (PTR_ERR(this)) { 1138 case -ENOENT: 1139 case -ENAMETOOLONG: 1140 break; 1141 1142 default: 1143 /* 1144 * Assume something is there, we just couldn't 1145 * access it. 1146 */ 1147 positive = true; 1148 break; 1149 } 1150 } else { 1151 if (this->d_inode) { 1152 positive = !ovl_is_whiteout(this); 1153 done = true; 1154 } 1155 dput(this); 1156 } 1157 } 1158 revert_creds(old_cred); 1159 1160 return positive; 1161 } 1162