1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2011 Novell Inc. 4 * Copyright (C) 2016 Red Hat, Inc. 5 */ 6 7 #include <linux/fs.h> 8 #include <linux/cred.h> 9 #include <linux/ctype.h> 10 #include <linux/namei.h> 11 #include <linux/xattr.h> 12 #include <linux/ratelimit.h> 13 #include <linux/mount.h> 14 #include <linux/exportfs.h> 15 #include "overlayfs.h" 16 17 struct ovl_lookup_data { 18 struct super_block *sb; 19 struct vfsmount *mnt; 20 struct qstr name; 21 bool is_dir; 22 bool opaque; 23 bool stop; 24 bool last; 25 char *redirect; 26 bool metacopy; 27 }; 28 29 static int ovl_check_redirect(struct path *path, struct ovl_lookup_data *d, 30 size_t prelen, const char *post) 31 { 32 int res; 33 char *buf; 34 struct ovl_fs *ofs = OVL_FS(d->sb); 35 36 buf = ovl_get_redirect_xattr(ofs, path, prelen + strlen(post)); 37 if (IS_ERR_OR_NULL(buf)) 38 return PTR_ERR(buf); 39 40 if (buf[0] == '/') { 41 /* 42 * One of the ancestor path elements in an absolute path 43 * lookup in ovl_lookup_layer() could have been opaque and 44 * that will stop further lookup in lower layers (d->stop=true) 45 * But we have found an absolute redirect in decendant path 46 * element and that should force continue lookup in lower 47 * layers (reset d->stop). 48 */ 49 d->stop = false; 50 } else { 51 res = strlen(buf) + 1; 52 memmove(buf + prelen, buf, res); 53 memcpy(buf, d->name.name, prelen); 54 } 55 56 strcat(buf, post); 57 kfree(d->redirect); 58 d->redirect = buf; 59 d->name.name = d->redirect; 60 d->name.len = strlen(d->redirect); 61 62 return 0; 63 } 64 65 static int ovl_acceptable(void *ctx, struct dentry *dentry) 66 { 67 /* 68 * A non-dir origin may be disconnected, which is fine, because 69 * we only need it for its unique inode number. 70 */ 71 if (!d_is_dir(dentry)) 72 return 1; 73 74 /* Don't decode a deleted empty directory */ 75 if (d_unhashed(dentry)) 76 return 0; 77 78 /* Check if directory belongs to the layer we are decoding from */ 79 return is_subdir(dentry, ((struct vfsmount *)ctx)->mnt_root); 80 } 81 82 /* 83 * Check validity of an overlay file handle buffer. 84 * 85 * Return 0 for a valid file handle. 86 * Return -ENODATA for "origin unknown". 87 * Return <0 for an invalid file handle. 88 */ 89 int ovl_check_fb_len(struct ovl_fb *fb, int fb_len) 90 { 91 if (fb_len < sizeof(struct ovl_fb) || fb_len < fb->len) 92 return -EINVAL; 93 94 if (fb->magic != OVL_FH_MAGIC) 95 return -EINVAL; 96 97 /* Treat larger version and unknown flags as "origin unknown" */ 98 if (fb->version > OVL_FH_VERSION || fb->flags & ~OVL_FH_FLAG_ALL) 99 return -ENODATA; 100 101 /* Treat endianness mismatch as "origin unknown" */ 102 if (!(fb->flags & OVL_FH_FLAG_ANY_ENDIAN) && 103 (fb->flags & OVL_FH_FLAG_BIG_ENDIAN) != OVL_FH_FLAG_CPU_ENDIAN) 104 return -ENODATA; 105 106 return 0; 107 } 108 109 static struct ovl_fh *ovl_get_fh(struct ovl_fs *ofs, struct dentry *upperdentry, 110 enum ovl_xattr ox) 111 { 112 int res, err; 113 struct ovl_fh *fh = NULL; 114 115 res = ovl_getxattr_upper(ofs, upperdentry, ox, NULL, 0); 116 if (res < 0) { 117 if (res == -ENODATA || res == -EOPNOTSUPP) 118 return NULL; 119 goto fail; 120 } 121 /* Zero size value means "copied up but origin unknown" */ 122 if (res == 0) 123 return NULL; 124 125 fh = kzalloc(res + OVL_FH_WIRE_OFFSET, GFP_KERNEL); 126 if (!fh) 127 return ERR_PTR(-ENOMEM); 128 129 res = ovl_getxattr_upper(ofs, upperdentry, ox, fh->buf, res); 130 if (res < 0) 131 goto fail; 132 133 err = ovl_check_fb_len(&fh->fb, res); 134 if (err < 0) { 135 if (err == -ENODATA) 136 goto out; 137 goto invalid; 138 } 139 140 return fh; 141 142 out: 143 kfree(fh); 144 return NULL; 145 146 fail: 147 pr_warn_ratelimited("failed to get origin (%i)\n", res); 148 goto out; 149 invalid: 150 pr_warn_ratelimited("invalid origin (%*phN)\n", res, fh); 151 goto out; 152 } 153 154 struct dentry *ovl_decode_real_fh(struct ovl_fs *ofs, struct ovl_fh *fh, 155 struct vfsmount *mnt, bool connected) 156 { 157 struct dentry *real; 158 int bytes; 159 160 if (!capable(CAP_DAC_READ_SEARCH)) 161 return NULL; 162 163 /* 164 * Make sure that the stored uuid matches the uuid of the lower 165 * layer where file handle will be decoded. 166 * In case of uuid=off option just make sure that stored uuid is null. 167 */ 168 if (ofs->config.uuid ? !uuid_equal(&fh->fb.uuid, &mnt->mnt_sb->s_uuid) : 169 !uuid_is_null(&fh->fb.uuid)) 170 return NULL; 171 172 bytes = (fh->fb.len - offsetof(struct ovl_fb, fid)); 173 real = exportfs_decode_fh(mnt, (struct fid *)fh->fb.fid, 174 bytes >> 2, (int)fh->fb.type, 175 connected ? ovl_acceptable : NULL, mnt); 176 if (IS_ERR(real)) { 177 /* 178 * Treat stale file handle to lower file as "origin unknown". 179 * upper file handle could become stale when upper file is 180 * unlinked and this information is needed to handle stale 181 * index entries correctly. 182 */ 183 if (real == ERR_PTR(-ESTALE) && 184 !(fh->fb.flags & OVL_FH_FLAG_PATH_UPPER)) 185 real = NULL; 186 return real; 187 } 188 189 if (ovl_dentry_weird(real)) { 190 dput(real); 191 return NULL; 192 } 193 194 return real; 195 } 196 197 static bool ovl_is_opaquedir(struct ovl_fs *ofs, struct path *path) 198 { 199 return ovl_path_check_dir_xattr(ofs, path, OVL_XATTR_OPAQUE); 200 } 201 202 static struct dentry *ovl_lookup_positive_unlocked(const char *name, 203 struct dentry *base, int len, 204 bool drop_negative) 205 { 206 struct dentry *ret = lookup_one_len_unlocked(name, base, len); 207 208 if (!IS_ERR(ret) && d_flags_negative(smp_load_acquire(&ret->d_flags))) { 209 if (drop_negative && ret->d_lockref.count == 1) { 210 spin_lock(&ret->d_lock); 211 /* Recheck condition under lock */ 212 if (d_is_negative(ret) && ret->d_lockref.count == 1) 213 __d_drop(ret); 214 spin_unlock(&ret->d_lock); 215 } 216 dput(ret); 217 ret = ERR_PTR(-ENOENT); 218 } 219 return ret; 220 } 221 222 static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d, 223 const char *name, unsigned int namelen, 224 size_t prelen, const char *post, 225 struct dentry **ret, bool drop_negative) 226 { 227 struct dentry *this; 228 struct path path; 229 int err; 230 bool last_element = !post[0]; 231 232 this = ovl_lookup_positive_unlocked(name, base, namelen, drop_negative); 233 if (IS_ERR(this)) { 234 err = PTR_ERR(this); 235 this = NULL; 236 if (err == -ENOENT || err == -ENAMETOOLONG) 237 goto out; 238 goto out_err; 239 } 240 241 if (ovl_dentry_weird(this)) { 242 /* Don't support traversing automounts and other weirdness */ 243 err = -EREMOTE; 244 goto out_err; 245 } 246 if (ovl_is_whiteout(this)) { 247 d->stop = d->opaque = true; 248 goto put_and_out; 249 } 250 /* 251 * This dentry should be a regular file if previous layer lookup 252 * found a metacopy dentry. 253 */ 254 if (last_element && d->metacopy && !d_is_reg(this)) { 255 d->stop = true; 256 goto put_and_out; 257 } 258 259 path.dentry = this; 260 path.mnt = d->mnt; 261 if (!d_can_lookup(this)) { 262 if (d->is_dir || !last_element) { 263 d->stop = true; 264 goto put_and_out; 265 } 266 err = ovl_check_metacopy_xattr(OVL_FS(d->sb), &path); 267 if (err < 0) 268 goto out_err; 269 270 d->metacopy = err; 271 d->stop = !d->metacopy; 272 if (!d->metacopy || d->last) 273 goto out; 274 } else { 275 if (ovl_lookup_trap_inode(d->sb, this)) { 276 /* Caught in a trap of overlapping layers */ 277 err = -ELOOP; 278 goto out_err; 279 } 280 281 if (last_element) 282 d->is_dir = true; 283 if (d->last) 284 goto out; 285 286 if (ovl_is_opaquedir(OVL_FS(d->sb), &path)) { 287 d->stop = true; 288 if (last_element) 289 d->opaque = true; 290 goto out; 291 } 292 } 293 err = ovl_check_redirect(&path, d, prelen, post); 294 if (err) 295 goto out_err; 296 out: 297 *ret = this; 298 return 0; 299 300 put_and_out: 301 dput(this); 302 this = NULL; 303 goto out; 304 305 out_err: 306 dput(this); 307 return err; 308 } 309 310 static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d, 311 struct dentry **ret, bool drop_negative) 312 { 313 /* Counting down from the end, since the prefix can change */ 314 size_t rem = d->name.len - 1; 315 struct dentry *dentry = NULL; 316 int err; 317 318 if (d->name.name[0] != '/') 319 return ovl_lookup_single(base, d, d->name.name, d->name.len, 320 0, "", ret, drop_negative); 321 322 while (!IS_ERR_OR_NULL(base) && d_can_lookup(base)) { 323 const char *s = d->name.name + d->name.len - rem; 324 const char *next = strchrnul(s, '/'); 325 size_t thislen = next - s; 326 bool end = !next[0]; 327 328 /* Verify we did not go off the rails */ 329 if (WARN_ON(s[-1] != '/')) 330 return -EIO; 331 332 err = ovl_lookup_single(base, d, s, thislen, 333 d->name.len - rem, next, &base, 334 drop_negative); 335 dput(dentry); 336 if (err) 337 return err; 338 dentry = base; 339 if (end) 340 break; 341 342 rem -= thislen + 1; 343 344 if (WARN_ON(rem >= d->name.len)) 345 return -EIO; 346 } 347 *ret = dentry; 348 return 0; 349 } 350 351 352 int ovl_check_origin_fh(struct ovl_fs *ofs, struct ovl_fh *fh, bool connected, 353 struct dentry *upperdentry, struct ovl_path **stackp) 354 { 355 struct dentry *origin = NULL; 356 int i; 357 358 for (i = 1; i < ofs->numlayer; i++) { 359 /* 360 * If lower fs uuid is not unique among lower fs we cannot match 361 * fh->uuid to layer. 362 */ 363 if (ofs->layers[i].fsid && 364 ofs->layers[i].fs->bad_uuid) 365 continue; 366 367 origin = ovl_decode_real_fh(ofs, fh, ofs->layers[i].mnt, 368 connected); 369 if (origin) 370 break; 371 } 372 373 if (!origin) 374 return -ESTALE; 375 else if (IS_ERR(origin)) 376 return PTR_ERR(origin); 377 378 if (upperdentry && !ovl_is_whiteout(upperdentry) && 379 inode_wrong_type(d_inode(upperdentry), d_inode(origin)->i_mode)) 380 goto invalid; 381 382 if (!*stackp) 383 *stackp = kmalloc(sizeof(struct ovl_path), GFP_KERNEL); 384 if (!*stackp) { 385 dput(origin); 386 return -ENOMEM; 387 } 388 **stackp = (struct ovl_path){ 389 .dentry = origin, 390 .layer = &ofs->layers[i] 391 }; 392 393 return 0; 394 395 invalid: 396 pr_warn_ratelimited("invalid origin (%pd2, ftype=%x, origin ftype=%x).\n", 397 upperdentry, d_inode(upperdentry)->i_mode & S_IFMT, 398 d_inode(origin)->i_mode & S_IFMT); 399 dput(origin); 400 return -ESTALE; 401 } 402 403 static int ovl_check_origin(struct ovl_fs *ofs, struct dentry *upperdentry, 404 struct ovl_path **stackp) 405 { 406 struct ovl_fh *fh = ovl_get_fh(ofs, upperdentry, OVL_XATTR_ORIGIN); 407 int err; 408 409 if (IS_ERR_OR_NULL(fh)) 410 return PTR_ERR(fh); 411 412 err = ovl_check_origin_fh(ofs, fh, false, upperdentry, stackp); 413 kfree(fh); 414 415 if (err) { 416 if (err == -ESTALE) 417 return 0; 418 return err; 419 } 420 421 return 0; 422 } 423 424 /* 425 * Verify that @fh matches the file handle stored in xattr @name. 426 * Return 0 on match, -ESTALE on mismatch, < 0 on error. 427 */ 428 static int ovl_verify_fh(struct ovl_fs *ofs, struct dentry *dentry, 429 enum ovl_xattr ox, const struct ovl_fh *fh) 430 { 431 struct ovl_fh *ofh = ovl_get_fh(ofs, dentry, ox); 432 int err = 0; 433 434 if (!ofh) 435 return -ENODATA; 436 437 if (IS_ERR(ofh)) 438 return PTR_ERR(ofh); 439 440 if (fh->fb.len != ofh->fb.len || memcmp(&fh->fb, &ofh->fb, fh->fb.len)) 441 err = -ESTALE; 442 443 kfree(ofh); 444 return err; 445 } 446 447 /* 448 * Verify that @real dentry matches the file handle stored in xattr @name. 449 * 450 * If @set is true and there is no stored file handle, encode @real and store 451 * file handle in xattr @name. 452 * 453 * Return 0 on match, -ESTALE on mismatch, -ENODATA on no xattr, < 0 on error. 454 */ 455 int ovl_verify_set_fh(struct ovl_fs *ofs, struct dentry *dentry, 456 enum ovl_xattr ox, struct dentry *real, bool is_upper, 457 bool set) 458 { 459 struct inode *inode; 460 struct ovl_fh *fh; 461 int err; 462 463 fh = ovl_encode_real_fh(ofs, real, is_upper); 464 err = PTR_ERR(fh); 465 if (IS_ERR(fh)) { 466 fh = NULL; 467 goto fail; 468 } 469 470 err = ovl_verify_fh(ofs, dentry, ox, fh); 471 if (set && err == -ENODATA) 472 err = ovl_setxattr(ofs, dentry, ox, fh->buf, fh->fb.len); 473 if (err) 474 goto fail; 475 476 out: 477 kfree(fh); 478 return err; 479 480 fail: 481 inode = d_inode(real); 482 pr_warn_ratelimited("failed to verify %s (%pd2, ino=%lu, err=%i)\n", 483 is_upper ? "upper" : "origin", real, 484 inode ? inode->i_ino : 0, err); 485 goto out; 486 } 487 488 /* Get upper dentry from index */ 489 struct dentry *ovl_index_upper(struct ovl_fs *ofs, struct dentry *index) 490 { 491 struct ovl_fh *fh; 492 struct dentry *upper; 493 494 if (!d_is_dir(index)) 495 return dget(index); 496 497 fh = ovl_get_fh(ofs, index, OVL_XATTR_UPPER); 498 if (IS_ERR_OR_NULL(fh)) 499 return ERR_CAST(fh); 500 501 upper = ovl_decode_real_fh(ofs, fh, ovl_upper_mnt(ofs), true); 502 kfree(fh); 503 504 if (IS_ERR_OR_NULL(upper)) 505 return upper ?: ERR_PTR(-ESTALE); 506 507 if (!d_is_dir(upper)) { 508 pr_warn_ratelimited("invalid index upper (%pd2, upper=%pd2).\n", 509 index, upper); 510 dput(upper); 511 return ERR_PTR(-EIO); 512 } 513 514 return upper; 515 } 516 517 /* 518 * Verify that an index entry name matches the origin file handle stored in 519 * OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path. 520 * Return 0 on match, -ESTALE on mismatch or stale origin, < 0 on error. 521 */ 522 int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index) 523 { 524 struct ovl_fh *fh = NULL; 525 size_t len; 526 struct ovl_path origin = { }; 527 struct ovl_path *stack = &origin; 528 struct dentry *upper = NULL; 529 int err; 530 531 if (!d_inode(index)) 532 return 0; 533 534 err = -EINVAL; 535 if (index->d_name.len < sizeof(struct ovl_fb)*2) 536 goto fail; 537 538 err = -ENOMEM; 539 len = index->d_name.len / 2; 540 fh = kzalloc(len + OVL_FH_WIRE_OFFSET, GFP_KERNEL); 541 if (!fh) 542 goto fail; 543 544 err = -EINVAL; 545 if (hex2bin(fh->buf, index->d_name.name, len)) 546 goto fail; 547 548 err = ovl_check_fb_len(&fh->fb, len); 549 if (err) 550 goto fail; 551 552 /* 553 * Whiteout index entries are used as an indication that an exported 554 * overlay file handle should be treated as stale (i.e. after unlink 555 * of the overlay inode). These entries contain no origin xattr. 556 */ 557 if (ovl_is_whiteout(index)) 558 goto out; 559 560 /* 561 * Verifying directory index entries are not stale is expensive, so 562 * only verify stale dir index if NFS export is enabled. 563 */ 564 if (d_is_dir(index) && !ofs->config.nfs_export) 565 goto out; 566 567 /* 568 * Directory index entries should have 'upper' xattr pointing to the 569 * real upper dir. Non-dir index entries are hardlinks to the upper 570 * real inode. For non-dir index, we can read the copy up origin xattr 571 * directly from the index dentry, but for dir index we first need to 572 * decode the upper directory. 573 */ 574 upper = ovl_index_upper(ofs, index); 575 if (IS_ERR_OR_NULL(upper)) { 576 err = PTR_ERR(upper); 577 /* 578 * Directory index entries with no 'upper' xattr need to be 579 * removed. When dir index entry has a stale 'upper' xattr, 580 * we assume that upper dir was removed and we treat the dir 581 * index as orphan entry that needs to be whited out. 582 */ 583 if (err == -ESTALE) 584 goto orphan; 585 else if (!err) 586 err = -ESTALE; 587 goto fail; 588 } 589 590 err = ovl_verify_fh(ofs, upper, OVL_XATTR_ORIGIN, fh); 591 dput(upper); 592 if (err) 593 goto fail; 594 595 /* Check if non-dir index is orphan and don't warn before cleaning it */ 596 if (!d_is_dir(index) && d_inode(index)->i_nlink == 1) { 597 err = ovl_check_origin_fh(ofs, fh, false, index, &stack); 598 if (err) 599 goto fail; 600 601 if (ovl_get_nlink(ofs, origin.dentry, index, 0) == 0) 602 goto orphan; 603 } 604 605 out: 606 dput(origin.dentry); 607 kfree(fh); 608 return err; 609 610 fail: 611 pr_warn_ratelimited("failed to verify index (%pd2, ftype=%x, err=%i)\n", 612 index, d_inode(index)->i_mode & S_IFMT, err); 613 goto out; 614 615 orphan: 616 pr_warn_ratelimited("orphan index entry (%pd2, ftype=%x, nlink=%u)\n", 617 index, d_inode(index)->i_mode & S_IFMT, 618 d_inode(index)->i_nlink); 619 err = -ENOENT; 620 goto out; 621 } 622 623 static int ovl_get_index_name_fh(struct ovl_fh *fh, struct qstr *name) 624 { 625 char *n, *s; 626 627 n = kcalloc(fh->fb.len, 2, GFP_KERNEL); 628 if (!n) 629 return -ENOMEM; 630 631 s = bin2hex(n, fh->buf, fh->fb.len); 632 *name = (struct qstr) QSTR_INIT(n, s - n); 633 634 return 0; 635 636 } 637 638 /* 639 * Lookup in indexdir for the index entry of a lower real inode or a copy up 640 * origin inode. The index entry name is the hex representation of the lower 641 * inode file handle. 642 * 643 * If the index dentry in negative, then either no lower aliases have been 644 * copied up yet, or aliases have been copied up in older kernels and are 645 * not indexed. 646 * 647 * If the index dentry for a copy up origin inode is positive, but points 648 * to an inode different than the upper inode, then either the upper inode 649 * has been copied up and not indexed or it was indexed, but since then 650 * index dir was cleared. Either way, that index cannot be used to indentify 651 * the overlay inode. 652 */ 653 int ovl_get_index_name(struct ovl_fs *ofs, struct dentry *origin, 654 struct qstr *name) 655 { 656 struct ovl_fh *fh; 657 int err; 658 659 fh = ovl_encode_real_fh(ofs, origin, false); 660 if (IS_ERR(fh)) 661 return PTR_ERR(fh); 662 663 err = ovl_get_index_name_fh(fh, name); 664 665 kfree(fh); 666 return err; 667 } 668 669 /* Lookup index by file handle for NFS export */ 670 struct dentry *ovl_get_index_fh(struct ovl_fs *ofs, struct ovl_fh *fh) 671 { 672 struct dentry *index; 673 struct qstr name; 674 int err; 675 676 err = ovl_get_index_name_fh(fh, &name); 677 if (err) 678 return ERR_PTR(err); 679 680 index = lookup_positive_unlocked(name.name, ofs->indexdir, name.len); 681 kfree(name.name); 682 if (IS_ERR(index)) { 683 if (PTR_ERR(index) == -ENOENT) 684 index = NULL; 685 return index; 686 } 687 688 if (ovl_is_whiteout(index)) 689 err = -ESTALE; 690 else if (ovl_dentry_weird(index)) 691 err = -EIO; 692 else 693 return index; 694 695 dput(index); 696 return ERR_PTR(err); 697 } 698 699 struct dentry *ovl_lookup_index(struct ovl_fs *ofs, struct dentry *upper, 700 struct dentry *origin, bool verify) 701 { 702 struct dentry *index; 703 struct inode *inode; 704 struct qstr name; 705 bool is_dir = d_is_dir(origin); 706 int err; 707 708 err = ovl_get_index_name(ofs, origin, &name); 709 if (err) 710 return ERR_PTR(err); 711 712 index = lookup_positive_unlocked(name.name, ofs->indexdir, name.len); 713 if (IS_ERR(index)) { 714 err = PTR_ERR(index); 715 if (err == -ENOENT) { 716 index = NULL; 717 goto out; 718 } 719 pr_warn_ratelimited("failed inode index lookup (ino=%lu, key=%.*s, err=%i);\n" 720 "overlayfs: mount with '-o index=off' to disable inodes index.\n", 721 d_inode(origin)->i_ino, name.len, name.name, 722 err); 723 goto out; 724 } 725 726 inode = d_inode(index); 727 if (ovl_is_whiteout(index) && !verify) { 728 /* 729 * When index lookup is called with !verify for decoding an 730 * overlay file handle, a whiteout index implies that decode 731 * should treat file handle as stale and no need to print a 732 * warning about it. 733 */ 734 dput(index); 735 index = ERR_PTR(-ESTALE); 736 goto out; 737 } else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) || 738 inode_wrong_type(inode, d_inode(origin)->i_mode)) { 739 /* 740 * Index should always be of the same file type as origin 741 * except for the case of a whiteout index. A whiteout 742 * index should only exist if all lower aliases have been 743 * unlinked, which means that finding a lower origin on lookup 744 * whose index is a whiteout should be treated as an error. 745 */ 746 pr_warn_ratelimited("bad index found (index=%pd2, ftype=%x, origin ftype=%x).\n", 747 index, d_inode(index)->i_mode & S_IFMT, 748 d_inode(origin)->i_mode & S_IFMT); 749 goto fail; 750 } else if (is_dir && verify) { 751 if (!upper) { 752 pr_warn_ratelimited("suspected uncovered redirected dir found (origin=%pd2, index=%pd2).\n", 753 origin, index); 754 goto fail; 755 } 756 757 /* Verify that dir index 'upper' xattr points to upper dir */ 758 err = ovl_verify_upper(ofs, index, upper, false); 759 if (err) { 760 if (err == -ESTALE) { 761 pr_warn_ratelimited("suspected multiply redirected dir found (upper=%pd2, origin=%pd2, index=%pd2).\n", 762 upper, origin, index); 763 } 764 goto fail; 765 } 766 } else if (upper && d_inode(upper) != inode) { 767 goto out_dput; 768 } 769 out: 770 kfree(name.name); 771 return index; 772 773 out_dput: 774 dput(index); 775 index = NULL; 776 goto out; 777 778 fail: 779 dput(index); 780 index = ERR_PTR(-EIO); 781 goto out; 782 } 783 784 /* 785 * Returns next layer in stack starting from top. 786 * Returns -1 if this is the last layer. 787 */ 788 int ovl_path_next(int idx, struct dentry *dentry, struct path *path) 789 { 790 struct ovl_entry *oe = dentry->d_fsdata; 791 792 BUG_ON(idx < 0); 793 if (idx == 0) { 794 ovl_path_upper(dentry, path); 795 if (path->dentry) 796 return oe->numlower ? 1 : -1; 797 idx++; 798 } 799 BUG_ON(idx > oe->numlower); 800 path->dentry = oe->lowerstack[idx - 1].dentry; 801 path->mnt = oe->lowerstack[idx - 1].layer->mnt; 802 803 return (idx < oe->numlower) ? idx + 1 : -1; 804 } 805 806 /* Fix missing 'origin' xattr */ 807 static int ovl_fix_origin(struct ovl_fs *ofs, struct dentry *dentry, 808 struct dentry *lower, struct dentry *upper) 809 { 810 int err; 811 812 if (ovl_check_origin_xattr(ofs, upper)) 813 return 0; 814 815 err = ovl_want_write(dentry); 816 if (err) 817 return err; 818 819 err = ovl_set_origin(ofs, lower, upper); 820 if (!err) 821 err = ovl_set_impure(dentry->d_parent, upper->d_parent); 822 823 ovl_drop_write(dentry); 824 return err; 825 } 826 827 struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry, 828 unsigned int flags) 829 { 830 struct ovl_entry *oe; 831 const struct cred *old_cred; 832 struct ovl_fs *ofs = dentry->d_sb->s_fs_info; 833 struct ovl_entry *poe = dentry->d_parent->d_fsdata; 834 struct ovl_entry *roe = dentry->d_sb->s_root->d_fsdata; 835 struct ovl_path *stack = NULL, *origin_path = NULL; 836 struct dentry *upperdir, *upperdentry = NULL; 837 struct dentry *origin = NULL; 838 struct dentry *index = NULL; 839 unsigned int ctr = 0; 840 struct inode *inode = NULL; 841 bool upperopaque = false; 842 char *upperredirect = NULL; 843 struct dentry *this; 844 unsigned int i; 845 int err; 846 bool uppermetacopy = false; 847 struct ovl_lookup_data d = { 848 .sb = dentry->d_sb, 849 .name = dentry->d_name, 850 .is_dir = false, 851 .opaque = false, 852 .stop = false, 853 .last = ofs->config.redirect_follow ? false : !poe->numlower, 854 .redirect = NULL, 855 .metacopy = false, 856 }; 857 858 if (dentry->d_name.len > ofs->namelen) 859 return ERR_PTR(-ENAMETOOLONG); 860 861 old_cred = ovl_override_creds(dentry->d_sb); 862 upperdir = ovl_dentry_upper(dentry->d_parent); 863 if (upperdir) { 864 d.mnt = ovl_upper_mnt(ofs); 865 err = ovl_lookup_layer(upperdir, &d, &upperdentry, true); 866 if (err) 867 goto out; 868 869 if (upperdentry && upperdentry->d_flags & DCACHE_OP_REAL) { 870 dput(upperdentry); 871 err = -EREMOTE; 872 goto out; 873 } 874 if (upperdentry && !d.is_dir) { 875 /* 876 * Lookup copy up origin by decoding origin file handle. 877 * We may get a disconnected dentry, which is fine, 878 * because we only need to hold the origin inode in 879 * cache and use its inode number. We may even get a 880 * connected dentry, that is not under any of the lower 881 * layers root. That is also fine for using it's inode 882 * number - it's the same as if we held a reference 883 * to a dentry in lower layer that was moved under us. 884 */ 885 err = ovl_check_origin(ofs, upperdentry, &origin_path); 886 if (err) 887 goto out_put_upper; 888 889 if (d.metacopy) 890 uppermetacopy = true; 891 } 892 893 if (d.redirect) { 894 err = -ENOMEM; 895 upperredirect = kstrdup(d.redirect, GFP_KERNEL); 896 if (!upperredirect) 897 goto out_put_upper; 898 if (d.redirect[0] == '/') 899 poe = roe; 900 } 901 upperopaque = d.opaque; 902 } 903 904 if (!d.stop && poe->numlower) { 905 err = -ENOMEM; 906 stack = kcalloc(ofs->numlayer - 1, sizeof(struct ovl_path), 907 GFP_KERNEL); 908 if (!stack) 909 goto out_put_upper; 910 } 911 912 for (i = 0; !d.stop && i < poe->numlower; i++) { 913 struct ovl_path lower = poe->lowerstack[i]; 914 915 if (!ofs->config.redirect_follow) 916 d.last = i == poe->numlower - 1; 917 else 918 d.last = lower.layer->idx == roe->numlower; 919 920 d.mnt = lower.layer->mnt; 921 err = ovl_lookup_layer(lower.dentry, &d, &this, false); 922 if (err) 923 goto out_put; 924 925 if (!this) 926 continue; 927 928 if ((uppermetacopy || d.metacopy) && !ofs->config.metacopy) { 929 dput(this); 930 err = -EPERM; 931 pr_warn_ratelimited("refusing to follow metacopy origin for (%pd2)\n", dentry); 932 goto out_put; 933 } 934 935 /* 936 * If no origin fh is stored in upper of a merge dir, store fh 937 * of lower dir and set upper parent "impure". 938 */ 939 if (upperdentry && !ctr && !ofs->noxattr && d.is_dir) { 940 err = ovl_fix_origin(ofs, dentry, this, upperdentry); 941 if (err) { 942 dput(this); 943 goto out_put; 944 } 945 } 946 947 /* 948 * When "verify_lower" feature is enabled, do not merge with a 949 * lower dir that does not match a stored origin xattr. In any 950 * case, only verified origin is used for index lookup. 951 * 952 * For non-dir dentry, if index=on, then ensure origin 953 * matches the dentry found using path based lookup, 954 * otherwise error out. 955 */ 956 if (upperdentry && !ctr && 957 ((d.is_dir && ovl_verify_lower(dentry->d_sb)) || 958 (!d.is_dir && ofs->config.index && origin_path))) { 959 err = ovl_verify_origin(ofs, upperdentry, this, false); 960 if (err) { 961 dput(this); 962 if (d.is_dir) 963 break; 964 goto out_put; 965 } 966 origin = this; 967 } 968 969 if (d.metacopy && ctr) { 970 /* 971 * Do not store intermediate metacopy dentries in 972 * lower chain, except top most lower metacopy dentry. 973 * Continue the loop so that if there is an absolute 974 * redirect on this dentry, poe can be reset to roe. 975 */ 976 dput(this); 977 this = NULL; 978 } else { 979 stack[ctr].dentry = this; 980 stack[ctr].layer = lower.layer; 981 ctr++; 982 } 983 984 /* 985 * Following redirects can have security consequences: it's like 986 * a symlink into the lower layer without the permission checks. 987 * This is only a problem if the upper layer is untrusted (e.g 988 * comes from an USB drive). This can allow a non-readable file 989 * or directory to become readable. 990 * 991 * Only following redirects when redirects are enabled disables 992 * this attack vector when not necessary. 993 */ 994 err = -EPERM; 995 if (d.redirect && !ofs->config.redirect_follow) { 996 pr_warn_ratelimited("refusing to follow redirect for (%pd2)\n", 997 dentry); 998 goto out_put; 999 } 1000 1001 if (d.stop) 1002 break; 1003 1004 if (d.redirect && d.redirect[0] == '/' && poe != roe) { 1005 poe = roe; 1006 /* Find the current layer on the root dentry */ 1007 i = lower.layer->idx - 1; 1008 } 1009 } 1010 1011 /* 1012 * For regular non-metacopy upper dentries, there is no lower 1013 * path based lookup, hence ctr will be zero. If a dentry is found 1014 * using ORIGIN xattr on upper, install it in stack. 1015 * 1016 * For metacopy dentry, path based lookup will find lower dentries. 1017 * Just make sure a corresponding data dentry has been found. 1018 */ 1019 if (d.metacopy || (uppermetacopy && !ctr)) { 1020 pr_warn_ratelimited("metacopy with no lower data found - abort lookup (%pd2)\n", 1021 dentry); 1022 err = -EIO; 1023 goto out_put; 1024 } else if (!d.is_dir && upperdentry && !ctr && origin_path) { 1025 if (WARN_ON(stack != NULL)) { 1026 err = -EIO; 1027 goto out_put; 1028 } 1029 stack = origin_path; 1030 ctr = 1; 1031 origin = origin_path->dentry; 1032 origin_path = NULL; 1033 } 1034 1035 /* 1036 * Always lookup index if there is no-upperdentry. 1037 * 1038 * For the case of upperdentry, we have set origin by now if it 1039 * needed to be set. There are basically three cases. 1040 * 1041 * For directories, lookup index by lower inode and verify it matches 1042 * upper inode. We only trust dir index if we verified that lower dir 1043 * matches origin, otherwise dir index entries may be inconsistent 1044 * and we ignore them. 1045 * 1046 * For regular upper, we already set origin if upper had ORIGIN 1047 * xattr. There is no verification though as there is no path 1048 * based dentry lookup in lower in this case. 1049 * 1050 * For metacopy upper, we set a verified origin already if index 1051 * is enabled and if upper had an ORIGIN xattr. 1052 * 1053 */ 1054 if (!upperdentry && ctr) 1055 origin = stack[0].dentry; 1056 1057 if (origin && ovl_indexdir(dentry->d_sb) && 1058 (!d.is_dir || ovl_index_all(dentry->d_sb))) { 1059 index = ovl_lookup_index(ofs, upperdentry, origin, true); 1060 if (IS_ERR(index)) { 1061 err = PTR_ERR(index); 1062 index = NULL; 1063 goto out_put; 1064 } 1065 } 1066 1067 oe = ovl_alloc_entry(ctr); 1068 err = -ENOMEM; 1069 if (!oe) 1070 goto out_put; 1071 1072 memcpy(oe->lowerstack, stack, sizeof(struct ovl_path) * ctr); 1073 dentry->d_fsdata = oe; 1074 1075 if (upperopaque) 1076 ovl_dentry_set_opaque(dentry); 1077 1078 if (upperdentry) 1079 ovl_dentry_set_upper_alias(dentry); 1080 else if (index) { 1081 struct path upperpath = { 1082 .dentry = upperdentry = dget(index), 1083 .mnt = ovl_upper_mnt(ofs), 1084 }; 1085 1086 upperredirect = ovl_get_redirect_xattr(ofs, &upperpath, 0); 1087 if (IS_ERR(upperredirect)) { 1088 err = PTR_ERR(upperredirect); 1089 upperredirect = NULL; 1090 goto out_free_oe; 1091 } 1092 err = ovl_check_metacopy_xattr(ofs, &upperpath); 1093 if (err < 0) 1094 goto out_free_oe; 1095 uppermetacopy = err; 1096 } 1097 1098 if (upperdentry || ctr) { 1099 struct ovl_inode_params oip = { 1100 .upperdentry = upperdentry, 1101 .lowerpath = stack, 1102 .index = index, 1103 .numlower = ctr, 1104 .redirect = upperredirect, 1105 .lowerdata = (ctr > 1 && !d.is_dir) ? 1106 stack[ctr - 1].dentry : NULL, 1107 }; 1108 1109 inode = ovl_get_inode(dentry->d_sb, &oip); 1110 err = PTR_ERR(inode); 1111 if (IS_ERR(inode)) 1112 goto out_free_oe; 1113 if (upperdentry && !uppermetacopy) 1114 ovl_set_flag(OVL_UPPERDATA, inode); 1115 } 1116 1117 ovl_dentry_update_reval(dentry, upperdentry, 1118 DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE); 1119 1120 revert_creds(old_cred); 1121 if (origin_path) { 1122 dput(origin_path->dentry); 1123 kfree(origin_path); 1124 } 1125 dput(index); 1126 kfree(stack); 1127 kfree(d.redirect); 1128 return d_splice_alias(inode, dentry); 1129 1130 out_free_oe: 1131 dentry->d_fsdata = NULL; 1132 kfree(oe); 1133 out_put: 1134 dput(index); 1135 for (i = 0; i < ctr; i++) 1136 dput(stack[i].dentry); 1137 kfree(stack); 1138 out_put_upper: 1139 if (origin_path) { 1140 dput(origin_path->dentry); 1141 kfree(origin_path); 1142 } 1143 dput(upperdentry); 1144 kfree(upperredirect); 1145 out: 1146 kfree(d.redirect); 1147 revert_creds(old_cred); 1148 return ERR_PTR(err); 1149 } 1150 1151 bool ovl_lower_positive(struct dentry *dentry) 1152 { 1153 struct ovl_entry *poe = dentry->d_parent->d_fsdata; 1154 const struct qstr *name = &dentry->d_name; 1155 const struct cred *old_cred; 1156 unsigned int i; 1157 bool positive = false; 1158 bool done = false; 1159 1160 /* 1161 * If dentry is negative, then lower is positive iff this is a 1162 * whiteout. 1163 */ 1164 if (!dentry->d_inode) 1165 return ovl_dentry_is_opaque(dentry); 1166 1167 /* Negative upper -> positive lower */ 1168 if (!ovl_dentry_upper(dentry)) 1169 return true; 1170 1171 old_cred = ovl_override_creds(dentry->d_sb); 1172 /* Positive upper -> have to look up lower to see whether it exists */ 1173 for (i = 0; !done && !positive && i < poe->numlower; i++) { 1174 struct dentry *this; 1175 struct dentry *lowerdir = poe->lowerstack[i].dentry; 1176 1177 this = lookup_positive_unlocked(name->name, lowerdir, 1178 name->len); 1179 if (IS_ERR(this)) { 1180 switch (PTR_ERR(this)) { 1181 case -ENOENT: 1182 case -ENAMETOOLONG: 1183 break; 1184 1185 default: 1186 /* 1187 * Assume something is there, we just couldn't 1188 * access it. 1189 */ 1190 positive = true; 1191 break; 1192 } 1193 } else { 1194 positive = !ovl_is_whiteout(this); 1195 done = true; 1196 dput(this); 1197 } 1198 } 1199 revert_creds(old_cred); 1200 1201 return positive; 1202 } 1203