1 /* 2 * Copyright (C) 2011 Novell Inc. 3 * Copyright (C) 2016 Red Hat, Inc. 4 * 5 * This program is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 as published by 7 * the Free Software Foundation. 8 */ 9 10 #include <linux/fs.h> 11 #include <linux/cred.h> 12 #include <linux/ctype.h> 13 #include <linux/namei.h> 14 #include <linux/xattr.h> 15 #include <linux/ratelimit.h> 16 #include <linux/mount.h> 17 #include <linux/exportfs.h> 18 #include "overlayfs.h" 19 20 struct ovl_lookup_data { 21 struct qstr name; 22 bool is_dir; 23 bool opaque; 24 bool stop; 25 bool last; 26 char *redirect; 27 }; 28 29 static int ovl_check_redirect(struct dentry *dentry, struct ovl_lookup_data *d, 30 size_t prelen, const char *post) 31 { 32 int res; 33 char *s, *next, *buf = NULL; 34 35 res = vfs_getxattr(dentry, OVL_XATTR_REDIRECT, NULL, 0); 36 if (res < 0) { 37 if (res == -ENODATA || res == -EOPNOTSUPP) 38 return 0; 39 goto fail; 40 } 41 buf = kzalloc(prelen + res + strlen(post) + 1, GFP_KERNEL); 42 if (!buf) 43 return -ENOMEM; 44 45 if (res == 0) 46 goto invalid; 47 48 res = vfs_getxattr(dentry, OVL_XATTR_REDIRECT, buf, res); 49 if (res < 0) 50 goto fail; 51 if (res == 0) 52 goto invalid; 53 if (buf[0] == '/') { 54 for (s = buf; *s++ == '/'; s = next) { 55 next = strchrnul(s, '/'); 56 if (s == next) 57 goto invalid; 58 } 59 } else { 60 if (strchr(buf, '/') != NULL) 61 goto invalid; 62 63 memmove(buf + prelen, buf, res); 64 memcpy(buf, d->name.name, prelen); 65 } 66 67 strcat(buf, post); 68 kfree(d->redirect); 69 d->redirect = buf; 70 d->name.name = d->redirect; 71 d->name.len = strlen(d->redirect); 72 73 return 0; 74 75 err_free: 76 kfree(buf); 77 return 0; 78 fail: 79 pr_warn_ratelimited("overlayfs: failed to get redirect (%i)\n", res); 80 goto err_free; 81 invalid: 82 pr_warn_ratelimited("overlayfs: invalid redirect (%s)\n", buf); 83 goto err_free; 84 } 85 86 static int ovl_acceptable(void *ctx, struct dentry *dentry) 87 { 88 /* 89 * A non-dir origin may be disconnected, which is fine, because 90 * we only need it for its unique inode number. 91 */ 92 if (!d_is_dir(dentry)) 93 return 1; 94 95 /* Don't decode a deleted empty directory */ 96 if (d_unhashed(dentry)) 97 return 0; 98 99 /* Check if directory belongs to the layer we are decoding from */ 100 return is_subdir(dentry, ((struct vfsmount *)ctx)->mnt_root); 101 } 102 103 /* 104 * Check validity of an overlay file handle buffer. 105 * 106 * Return 0 for a valid file handle. 107 * Return -ENODATA for "origin unknown". 108 * Return <0 for an invalid file handle. 109 */ 110 int ovl_check_fh_len(struct ovl_fh *fh, int fh_len) 111 { 112 if (fh_len < sizeof(struct ovl_fh) || fh_len < fh->len) 113 return -EINVAL; 114 115 if (fh->magic != OVL_FH_MAGIC) 116 return -EINVAL; 117 118 /* Treat larger version and unknown flags as "origin unknown" */ 119 if (fh->version > OVL_FH_VERSION || fh->flags & ~OVL_FH_FLAG_ALL) 120 return -ENODATA; 121 122 /* Treat endianness mismatch as "origin unknown" */ 123 if (!(fh->flags & OVL_FH_FLAG_ANY_ENDIAN) && 124 (fh->flags & OVL_FH_FLAG_BIG_ENDIAN) != OVL_FH_FLAG_CPU_ENDIAN) 125 return -ENODATA; 126 127 return 0; 128 } 129 130 static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name) 131 { 132 int res, err; 133 struct ovl_fh *fh = NULL; 134 135 res = vfs_getxattr(dentry, name, NULL, 0); 136 if (res < 0) { 137 if (res == -ENODATA || res == -EOPNOTSUPP) 138 return NULL; 139 goto fail; 140 } 141 /* Zero size value means "copied up but origin unknown" */ 142 if (res == 0) 143 return NULL; 144 145 fh = kzalloc(res, GFP_KERNEL); 146 if (!fh) 147 return ERR_PTR(-ENOMEM); 148 149 res = vfs_getxattr(dentry, name, fh, res); 150 if (res < 0) 151 goto fail; 152 153 err = ovl_check_fh_len(fh, res); 154 if (err < 0) { 155 if (err == -ENODATA) 156 goto out; 157 goto invalid; 158 } 159 160 return fh; 161 162 out: 163 kfree(fh); 164 return NULL; 165 166 fail: 167 pr_warn_ratelimited("overlayfs: failed to get origin (%i)\n", res); 168 goto out; 169 invalid: 170 pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n", res, fh); 171 goto out; 172 } 173 174 struct dentry *ovl_decode_fh(struct ovl_fh *fh, struct vfsmount *mnt) 175 { 176 struct dentry *real; 177 int bytes; 178 179 /* 180 * Make sure that the stored uuid matches the uuid of the lower 181 * layer where file handle will be decoded. 182 */ 183 if (!uuid_equal(&fh->uuid, &mnt->mnt_sb->s_uuid)) 184 return NULL; 185 186 bytes = (fh->len - offsetof(struct ovl_fh, fid)); 187 real = exportfs_decode_fh(mnt, (struct fid *)fh->fid, 188 bytes >> 2, (int)fh->type, 189 ovl_acceptable, mnt); 190 if (IS_ERR(real)) { 191 /* 192 * Treat stale file handle to lower file as "origin unknown". 193 * upper file handle could become stale when upper file is 194 * unlinked and this information is needed to handle stale 195 * index entries correctly. 196 */ 197 if (real == ERR_PTR(-ESTALE) && 198 !(fh->flags & OVL_FH_FLAG_PATH_UPPER)) 199 real = NULL; 200 return real; 201 } 202 203 if (ovl_dentry_weird(real)) { 204 dput(real); 205 return NULL; 206 } 207 208 return real; 209 } 210 211 static bool ovl_is_opaquedir(struct dentry *dentry) 212 { 213 return ovl_check_dir_xattr(dentry, OVL_XATTR_OPAQUE); 214 } 215 216 static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d, 217 const char *name, unsigned int namelen, 218 size_t prelen, const char *post, 219 struct dentry **ret) 220 { 221 struct dentry *this; 222 int err; 223 224 this = lookup_one_len_unlocked(name, base, namelen); 225 if (IS_ERR(this)) { 226 err = PTR_ERR(this); 227 this = NULL; 228 if (err == -ENOENT || err == -ENAMETOOLONG) 229 goto out; 230 goto out_err; 231 } 232 if (!this->d_inode) 233 goto put_and_out; 234 235 if (ovl_dentry_weird(this)) { 236 /* Don't support traversing automounts and other weirdness */ 237 err = -EREMOTE; 238 goto out_err; 239 } 240 if (ovl_is_whiteout(this)) { 241 d->stop = d->opaque = true; 242 goto put_and_out; 243 } 244 if (!d_can_lookup(this)) { 245 d->stop = true; 246 if (d->is_dir) 247 goto put_and_out; 248 goto out; 249 } 250 d->is_dir = true; 251 if (!d->last && ovl_is_opaquedir(this)) { 252 d->stop = d->opaque = true; 253 goto out; 254 } 255 err = ovl_check_redirect(this, d, prelen, post); 256 if (err) 257 goto out_err; 258 out: 259 *ret = this; 260 return 0; 261 262 put_and_out: 263 dput(this); 264 this = NULL; 265 goto out; 266 267 out_err: 268 dput(this); 269 return err; 270 } 271 272 static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d, 273 struct dentry **ret) 274 { 275 /* Counting down from the end, since the prefix can change */ 276 size_t rem = d->name.len - 1; 277 struct dentry *dentry = NULL; 278 int err; 279 280 if (d->name.name[0] != '/') 281 return ovl_lookup_single(base, d, d->name.name, d->name.len, 282 0, "", ret); 283 284 while (!IS_ERR_OR_NULL(base) && d_can_lookup(base)) { 285 const char *s = d->name.name + d->name.len - rem; 286 const char *next = strchrnul(s, '/'); 287 size_t thislen = next - s; 288 bool end = !next[0]; 289 290 /* Verify we did not go off the rails */ 291 if (WARN_ON(s[-1] != '/')) 292 return -EIO; 293 294 err = ovl_lookup_single(base, d, s, thislen, 295 d->name.len - rem, next, &base); 296 dput(dentry); 297 if (err) 298 return err; 299 dentry = base; 300 if (end) 301 break; 302 303 rem -= thislen + 1; 304 305 if (WARN_ON(rem >= d->name.len)) 306 return -EIO; 307 } 308 *ret = dentry; 309 return 0; 310 } 311 312 313 int ovl_check_origin_fh(struct ovl_fs *ofs, struct ovl_fh *fh, 314 struct dentry *upperdentry, struct ovl_path **stackp) 315 { 316 struct dentry *origin = NULL; 317 int i; 318 319 for (i = 0; i < ofs->numlower; i++) { 320 origin = ovl_decode_fh(fh, ofs->lower_layers[i].mnt); 321 if (origin) 322 break; 323 } 324 325 if (!origin) 326 return -ESTALE; 327 else if (IS_ERR(origin)) 328 return PTR_ERR(origin); 329 330 if (upperdentry && !ovl_is_whiteout(upperdentry) && 331 ((d_inode(origin)->i_mode ^ d_inode(upperdentry)->i_mode) & S_IFMT)) 332 goto invalid; 333 334 if (!*stackp) 335 *stackp = kmalloc(sizeof(struct ovl_path), GFP_KERNEL); 336 if (!*stackp) { 337 dput(origin); 338 return -ENOMEM; 339 } 340 **stackp = (struct ovl_path){ 341 .dentry = origin, 342 .layer = &ofs->lower_layers[i] 343 }; 344 345 return 0; 346 347 invalid: 348 pr_warn_ratelimited("overlayfs: invalid origin (%pd2, ftype=%x, origin ftype=%x).\n", 349 upperdentry, d_inode(upperdentry)->i_mode & S_IFMT, 350 d_inode(origin)->i_mode & S_IFMT); 351 dput(origin); 352 return -EIO; 353 } 354 355 static int ovl_check_origin(struct ovl_fs *ofs, struct dentry *upperdentry, 356 struct ovl_path **stackp, unsigned int *ctrp) 357 { 358 struct ovl_fh *fh = ovl_get_fh(upperdentry, OVL_XATTR_ORIGIN); 359 int err; 360 361 if (IS_ERR_OR_NULL(fh)) 362 return PTR_ERR(fh); 363 364 err = ovl_check_origin_fh(ofs, fh, upperdentry, stackp); 365 kfree(fh); 366 367 if (err) { 368 if (err == -ESTALE) 369 return 0; 370 return err; 371 } 372 373 if (WARN_ON(*ctrp)) 374 return -EIO; 375 376 *ctrp = 1; 377 return 0; 378 } 379 380 /* 381 * Verify that @fh matches the file handle stored in xattr @name. 382 * Return 0 on match, -ESTALE on mismatch, < 0 on error. 383 */ 384 static int ovl_verify_fh(struct dentry *dentry, const char *name, 385 const struct ovl_fh *fh) 386 { 387 struct ovl_fh *ofh = ovl_get_fh(dentry, name); 388 int err = 0; 389 390 if (!ofh) 391 return -ENODATA; 392 393 if (IS_ERR(ofh)) 394 return PTR_ERR(ofh); 395 396 if (fh->len != ofh->len || memcmp(fh, ofh, fh->len)) 397 err = -ESTALE; 398 399 kfree(ofh); 400 return err; 401 } 402 403 /* 404 * Verify that @real dentry matches the file handle stored in xattr @name. 405 * 406 * If @set is true and there is no stored file handle, encode @real and store 407 * file handle in xattr @name. 408 * 409 * Return 0 on match, -ESTALE on mismatch, -ENODATA on no xattr, < 0 on error. 410 */ 411 int ovl_verify_set_fh(struct dentry *dentry, const char *name, 412 struct dentry *real, bool is_upper, bool set) 413 { 414 struct inode *inode; 415 struct ovl_fh *fh; 416 int err; 417 418 fh = ovl_encode_fh(real, is_upper); 419 err = PTR_ERR(fh); 420 if (IS_ERR(fh)) 421 goto fail; 422 423 err = ovl_verify_fh(dentry, name, fh); 424 if (set && err == -ENODATA) 425 err = ovl_do_setxattr(dentry, name, fh, fh->len, 0); 426 if (err) 427 goto fail; 428 429 out: 430 kfree(fh); 431 return err; 432 433 fail: 434 inode = d_inode(real); 435 pr_warn_ratelimited("overlayfs: failed to verify %s (%pd2, ino=%lu, err=%i)\n", 436 is_upper ? "upper" : "origin", real, 437 inode ? inode->i_ino : 0, err); 438 goto out; 439 } 440 441 /* Get upper dentry from index */ 442 struct dentry *ovl_index_upper(struct ovl_fs *ofs, struct dentry *index) 443 { 444 struct ovl_fh *fh; 445 struct dentry *upper; 446 447 if (!d_is_dir(index)) 448 return dget(index); 449 450 fh = ovl_get_fh(index, OVL_XATTR_UPPER); 451 if (IS_ERR_OR_NULL(fh)) 452 return ERR_CAST(fh); 453 454 upper = ovl_decode_fh(fh, ofs->upper_mnt); 455 kfree(fh); 456 457 if (IS_ERR_OR_NULL(upper)) 458 return upper ?: ERR_PTR(-ESTALE); 459 460 if (!d_is_dir(upper)) { 461 pr_warn_ratelimited("overlayfs: invalid index upper (%pd2, upper=%pd2).\n", 462 index, upper); 463 dput(upper); 464 return ERR_PTR(-EIO); 465 } 466 467 return upper; 468 } 469 470 /* Is this a leftover from create/whiteout of directory index entry? */ 471 static bool ovl_is_temp_index(struct dentry *index) 472 { 473 return index->d_name.name[0] == '#'; 474 } 475 476 /* 477 * Verify that an index entry name matches the origin file handle stored in 478 * OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path. 479 * Return 0 on match, -ESTALE on mismatch or stale origin, < 0 on error. 480 */ 481 int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index) 482 { 483 struct ovl_fh *fh = NULL; 484 size_t len; 485 struct ovl_path origin = { }; 486 struct ovl_path *stack = &origin; 487 struct dentry *upper = NULL; 488 int err; 489 490 if (!d_inode(index)) 491 return 0; 492 493 /* Cleanup leftover from index create/cleanup attempt */ 494 err = -ESTALE; 495 if (ovl_is_temp_index(index)) 496 goto fail; 497 498 err = -EINVAL; 499 if (index->d_name.len < sizeof(struct ovl_fh)*2) 500 goto fail; 501 502 err = -ENOMEM; 503 len = index->d_name.len / 2; 504 fh = kzalloc(len, GFP_KERNEL); 505 if (!fh) 506 goto fail; 507 508 err = -EINVAL; 509 if (hex2bin((u8 *)fh, index->d_name.name, len)) 510 goto fail; 511 512 err = ovl_check_fh_len(fh, len); 513 if (err) 514 goto fail; 515 516 /* 517 * Whiteout index entries are used as an indication that an exported 518 * overlay file handle should be treated as stale (i.e. after unlink 519 * of the overlay inode). These entries contain no origin xattr. 520 */ 521 if (ovl_is_whiteout(index)) 522 goto out; 523 524 /* 525 * Verifying directory index entries are not stale is expensive, so 526 * only verify stale dir index if NFS export is enabled. 527 */ 528 if (d_is_dir(index) && !ofs->config.nfs_export) 529 goto out; 530 531 /* 532 * Directory index entries should have 'upper' xattr pointing to the 533 * real upper dir. Non-dir index entries are hardlinks to the upper 534 * real inode. For non-dir index, we can read the copy up origin xattr 535 * directly from the index dentry, but for dir index we first need to 536 * decode the upper directory. 537 */ 538 upper = ovl_index_upper(ofs, index); 539 if (IS_ERR_OR_NULL(upper)) { 540 err = PTR_ERR(upper); 541 /* 542 * Directory index entries with no 'upper' xattr need to be 543 * removed. When dir index entry has a stale 'upper' xattr, 544 * we assume that upper dir was removed and we treat the dir 545 * index as orphan entry that needs to be whited out. 546 */ 547 if (err == -ESTALE) 548 goto orphan; 549 else if (!err) 550 err = -ESTALE; 551 goto fail; 552 } 553 554 err = ovl_verify_fh(upper, OVL_XATTR_ORIGIN, fh); 555 dput(upper); 556 if (err) 557 goto fail; 558 559 /* Check if non-dir index is orphan and don't warn before cleaning it */ 560 if (!d_is_dir(index) && d_inode(index)->i_nlink == 1) { 561 err = ovl_check_origin_fh(ofs, fh, index, &stack); 562 if (err) 563 goto fail; 564 565 if (ovl_get_nlink(origin.dentry, index, 0) == 0) 566 goto orphan; 567 } 568 569 out: 570 dput(origin.dentry); 571 kfree(fh); 572 return err; 573 574 fail: 575 pr_warn_ratelimited("overlayfs: failed to verify index (%pd2, ftype=%x, err=%i)\n", 576 index, d_inode(index)->i_mode & S_IFMT, err); 577 goto out; 578 579 orphan: 580 pr_warn_ratelimited("overlayfs: orphan index entry (%pd2, ftype=%x, nlink=%u)\n", 581 index, d_inode(index)->i_mode & S_IFMT, 582 d_inode(index)->i_nlink); 583 err = -ENOENT; 584 goto out; 585 } 586 587 static int ovl_get_index_name_fh(struct ovl_fh *fh, struct qstr *name) 588 { 589 char *n, *s; 590 591 n = kzalloc(fh->len * 2, GFP_KERNEL); 592 if (!n) 593 return -ENOMEM; 594 595 s = bin2hex(n, fh, fh->len); 596 *name = (struct qstr) QSTR_INIT(n, s - n); 597 598 return 0; 599 600 } 601 602 /* 603 * Lookup in indexdir for the index entry of a lower real inode or a copy up 604 * origin inode. The index entry name is the hex representation of the lower 605 * inode file handle. 606 * 607 * If the index dentry in negative, then either no lower aliases have been 608 * copied up yet, or aliases have been copied up in older kernels and are 609 * not indexed. 610 * 611 * If the index dentry for a copy up origin inode is positive, but points 612 * to an inode different than the upper inode, then either the upper inode 613 * has been copied up and not indexed or it was indexed, but since then 614 * index dir was cleared. Either way, that index cannot be used to indentify 615 * the overlay inode. 616 */ 617 int ovl_get_index_name(struct dentry *origin, struct qstr *name) 618 { 619 struct ovl_fh *fh; 620 int err; 621 622 fh = ovl_encode_fh(origin, false); 623 if (IS_ERR(fh)) 624 return PTR_ERR(fh); 625 626 err = ovl_get_index_name_fh(fh, name); 627 628 kfree(fh); 629 return err; 630 } 631 632 /* Lookup index by file handle for NFS export */ 633 struct dentry *ovl_get_index_fh(struct ovl_fs *ofs, struct ovl_fh *fh) 634 { 635 struct dentry *index; 636 struct qstr name; 637 int err; 638 639 err = ovl_get_index_name_fh(fh, &name); 640 if (err) 641 return ERR_PTR(err); 642 643 index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len); 644 kfree(name.name); 645 if (IS_ERR(index)) { 646 if (PTR_ERR(index) == -ENOENT) 647 index = NULL; 648 return index; 649 } 650 651 if (d_is_negative(index)) 652 err = 0; 653 else if (ovl_is_whiteout(index)) 654 err = -ESTALE; 655 else if (ovl_dentry_weird(index)) 656 err = -EIO; 657 else 658 return index; 659 660 dput(index); 661 return ERR_PTR(err); 662 } 663 664 struct dentry *ovl_lookup_index(struct ovl_fs *ofs, struct dentry *upper, 665 struct dentry *origin, bool verify) 666 { 667 struct dentry *index; 668 struct inode *inode; 669 struct qstr name; 670 bool is_dir = d_is_dir(origin); 671 int err; 672 673 err = ovl_get_index_name(origin, &name); 674 if (err) 675 return ERR_PTR(err); 676 677 index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len); 678 if (IS_ERR(index)) { 679 err = PTR_ERR(index); 680 if (err == -ENOENT) { 681 index = NULL; 682 goto out; 683 } 684 pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%*s, err=%i);\n" 685 "overlayfs: mount with '-o index=off' to disable inodes index.\n", 686 d_inode(origin)->i_ino, name.len, name.name, 687 err); 688 goto out; 689 } 690 691 inode = d_inode(index); 692 if (d_is_negative(index)) { 693 goto out_dput; 694 } else if (ovl_is_whiteout(index) && !verify) { 695 /* 696 * When index lookup is called with !verify for decoding an 697 * overlay file handle, a whiteout index implies that decode 698 * should treat file handle as stale and no need to print a 699 * warning about it. 700 */ 701 dput(index); 702 index = ERR_PTR(-ESTALE); 703 goto out; 704 } else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) || 705 ((inode->i_mode ^ d_inode(origin)->i_mode) & S_IFMT)) { 706 /* 707 * Index should always be of the same file type as origin 708 * except for the case of a whiteout index. A whiteout 709 * index should only exist if all lower aliases have been 710 * unlinked, which means that finding a lower origin on lookup 711 * whose index is a whiteout should be treated as an error. 712 */ 713 pr_warn_ratelimited("overlayfs: bad index found (index=%pd2, ftype=%x, origin ftype=%x).\n", 714 index, d_inode(index)->i_mode & S_IFMT, 715 d_inode(origin)->i_mode & S_IFMT); 716 goto fail; 717 } else if (is_dir && verify) { 718 if (!upper) { 719 pr_warn_ratelimited("overlayfs: suspected uncovered redirected dir found (origin=%pd2, index=%pd2).\n", 720 origin, index); 721 goto fail; 722 } 723 724 /* Verify that dir index 'upper' xattr points to upper dir */ 725 err = ovl_verify_upper(index, upper, false); 726 if (err) { 727 if (err == -ESTALE) { 728 pr_warn_ratelimited("overlayfs: suspected multiply redirected dir found (upper=%pd2, origin=%pd2, index=%pd2).\n", 729 upper, origin, index); 730 } 731 goto fail; 732 } 733 } else if (upper && d_inode(upper) != inode) { 734 goto out_dput; 735 } 736 out: 737 kfree(name.name); 738 return index; 739 740 out_dput: 741 dput(index); 742 index = NULL; 743 goto out; 744 745 fail: 746 dput(index); 747 index = ERR_PTR(-EIO); 748 goto out; 749 } 750 751 /* 752 * Returns next layer in stack starting from top. 753 * Returns -1 if this is the last layer. 754 */ 755 int ovl_path_next(int idx, struct dentry *dentry, struct path *path) 756 { 757 struct ovl_entry *oe = dentry->d_fsdata; 758 759 BUG_ON(idx < 0); 760 if (idx == 0) { 761 ovl_path_upper(dentry, path); 762 if (path->dentry) 763 return oe->numlower ? 1 : -1; 764 idx++; 765 } 766 BUG_ON(idx > oe->numlower); 767 path->dentry = oe->lowerstack[idx - 1].dentry; 768 path->mnt = oe->lowerstack[idx - 1].layer->mnt; 769 770 return (idx < oe->numlower) ? idx + 1 : -1; 771 } 772 773 /* Fix missing 'origin' xattr */ 774 static int ovl_fix_origin(struct dentry *dentry, struct dentry *lower, 775 struct dentry *upper) 776 { 777 int err; 778 779 if (ovl_check_origin_xattr(upper)) 780 return 0; 781 782 err = ovl_want_write(dentry); 783 if (err) 784 return err; 785 786 err = ovl_set_origin(dentry, lower, upper); 787 if (!err) 788 err = ovl_set_impure(dentry->d_parent, upper->d_parent); 789 790 ovl_drop_write(dentry); 791 return err; 792 } 793 794 struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry, 795 unsigned int flags) 796 { 797 struct ovl_entry *oe; 798 const struct cred *old_cred; 799 struct ovl_fs *ofs = dentry->d_sb->s_fs_info; 800 struct ovl_entry *poe = dentry->d_parent->d_fsdata; 801 struct ovl_entry *roe = dentry->d_sb->s_root->d_fsdata; 802 struct ovl_path *stack = NULL; 803 struct dentry *upperdir, *upperdentry = NULL; 804 struct dentry *origin = NULL; 805 struct dentry *index = NULL; 806 unsigned int ctr = 0; 807 struct inode *inode = NULL; 808 bool upperopaque = false; 809 char *upperredirect = NULL; 810 struct dentry *this; 811 unsigned int i; 812 int err; 813 struct ovl_lookup_data d = { 814 .name = dentry->d_name, 815 .is_dir = false, 816 .opaque = false, 817 .stop = false, 818 .last = !poe->numlower, 819 .redirect = NULL, 820 }; 821 822 if (dentry->d_name.len > ofs->namelen) 823 return ERR_PTR(-ENAMETOOLONG); 824 825 old_cred = ovl_override_creds(dentry->d_sb); 826 upperdir = ovl_dentry_upper(dentry->d_parent); 827 if (upperdir) { 828 err = ovl_lookup_layer(upperdir, &d, &upperdentry); 829 if (err) 830 goto out; 831 832 if (upperdentry && unlikely(ovl_dentry_remote(upperdentry))) { 833 dput(upperdentry); 834 err = -EREMOTE; 835 goto out; 836 } 837 if (upperdentry && !d.is_dir) { 838 BUG_ON(!d.stop || d.redirect); 839 /* 840 * Lookup copy up origin by decoding origin file handle. 841 * We may get a disconnected dentry, which is fine, 842 * because we only need to hold the origin inode in 843 * cache and use its inode number. We may even get a 844 * connected dentry, that is not under any of the lower 845 * layers root. That is also fine for using it's inode 846 * number - it's the same as if we held a reference 847 * to a dentry in lower layer that was moved under us. 848 */ 849 err = ovl_check_origin(ofs, upperdentry, &stack, &ctr); 850 if (err) 851 goto out_put_upper; 852 } 853 854 if (d.redirect) { 855 err = -ENOMEM; 856 upperredirect = kstrdup(d.redirect, GFP_KERNEL); 857 if (!upperredirect) 858 goto out_put_upper; 859 if (d.redirect[0] == '/') 860 poe = roe; 861 } 862 upperopaque = d.opaque; 863 } 864 865 if (!d.stop && poe->numlower) { 866 err = -ENOMEM; 867 stack = kcalloc(ofs->numlower, sizeof(struct ovl_path), 868 GFP_KERNEL); 869 if (!stack) 870 goto out_put_upper; 871 } 872 873 for (i = 0; !d.stop && i < poe->numlower; i++) { 874 struct ovl_path lower = poe->lowerstack[i]; 875 876 d.last = i == poe->numlower - 1; 877 err = ovl_lookup_layer(lower.dentry, &d, &this); 878 if (err) 879 goto out_put; 880 881 if (!this) 882 continue; 883 884 /* 885 * If no origin fh is stored in upper of a merge dir, store fh 886 * of lower dir and set upper parent "impure". 887 */ 888 if (upperdentry && !ctr && !ofs->noxattr) { 889 err = ovl_fix_origin(dentry, this, upperdentry); 890 if (err) { 891 dput(this); 892 goto out_put; 893 } 894 } 895 896 /* 897 * When "verify_lower" feature is enabled, do not merge with a 898 * lower dir that does not match a stored origin xattr. In any 899 * case, only verified origin is used for index lookup. 900 */ 901 if (upperdentry && !ctr && ovl_verify_lower(dentry->d_sb)) { 902 err = ovl_verify_origin(upperdentry, this, false); 903 if (err) { 904 dput(this); 905 break; 906 } 907 908 /* Bless lower dir as verified origin */ 909 origin = this; 910 } 911 912 stack[ctr].dentry = this; 913 stack[ctr].layer = lower.layer; 914 ctr++; 915 916 if (d.stop) 917 break; 918 919 /* 920 * Following redirects can have security consequences: it's like 921 * a symlink into the lower layer without the permission checks. 922 * This is only a problem if the upper layer is untrusted (e.g 923 * comes from an USB drive). This can allow a non-readable file 924 * or directory to become readable. 925 * 926 * Only following redirects when redirects are enabled disables 927 * this attack vector when not necessary. 928 */ 929 err = -EPERM; 930 if (d.redirect && !ofs->config.redirect_follow) { 931 pr_warn_ratelimited("overlayfs: refusing to follow redirect for (%pd2)\n", 932 dentry); 933 goto out_put; 934 } 935 936 if (d.redirect && d.redirect[0] == '/' && poe != roe) { 937 poe = roe; 938 /* Find the current layer on the root dentry */ 939 i = lower.layer->idx - 1; 940 } 941 } 942 943 /* 944 * Lookup index by lower inode and verify it matches upper inode. 945 * We only trust dir index if we verified that lower dir matches 946 * origin, otherwise dir index entries may be inconsistent and we 947 * ignore them. Always lookup index of non-dir and non-upper. 948 */ 949 if (ctr && (!upperdentry || !d.is_dir)) 950 origin = stack[0].dentry; 951 952 if (origin && ovl_indexdir(dentry->d_sb) && 953 (!d.is_dir || ovl_index_all(dentry->d_sb))) { 954 index = ovl_lookup_index(ofs, upperdentry, origin, true); 955 if (IS_ERR(index)) { 956 err = PTR_ERR(index); 957 index = NULL; 958 goto out_put; 959 } 960 } 961 962 oe = ovl_alloc_entry(ctr); 963 err = -ENOMEM; 964 if (!oe) 965 goto out_put; 966 967 memcpy(oe->lowerstack, stack, sizeof(struct ovl_path) * ctr); 968 dentry->d_fsdata = oe; 969 970 if (upperopaque) 971 ovl_dentry_set_opaque(dentry); 972 973 if (upperdentry) 974 ovl_dentry_set_upper_alias(dentry); 975 else if (index) 976 upperdentry = dget(index); 977 978 if (upperdentry || ctr) { 979 if (ctr) 980 origin = stack[0].dentry; 981 inode = ovl_get_inode(dentry->d_sb, upperdentry, origin, index, 982 ctr); 983 err = PTR_ERR(inode); 984 if (IS_ERR(inode)) 985 goto out_free_oe; 986 987 OVL_I(inode)->redirect = upperredirect; 988 if (index) 989 ovl_set_flag(OVL_INDEX, inode); 990 } 991 992 revert_creds(old_cred); 993 dput(index); 994 kfree(stack); 995 kfree(d.redirect); 996 return d_splice_alias(inode, dentry); 997 998 out_free_oe: 999 dentry->d_fsdata = NULL; 1000 kfree(oe); 1001 out_put: 1002 dput(index); 1003 for (i = 0; i < ctr; i++) 1004 dput(stack[i].dentry); 1005 kfree(stack); 1006 out_put_upper: 1007 dput(upperdentry); 1008 kfree(upperredirect); 1009 out: 1010 kfree(d.redirect); 1011 revert_creds(old_cred); 1012 return ERR_PTR(err); 1013 } 1014 1015 bool ovl_lower_positive(struct dentry *dentry) 1016 { 1017 struct ovl_entry *poe = dentry->d_parent->d_fsdata; 1018 const struct qstr *name = &dentry->d_name; 1019 const struct cred *old_cred; 1020 unsigned int i; 1021 bool positive = false; 1022 bool done = false; 1023 1024 /* 1025 * If dentry is negative, then lower is positive iff this is a 1026 * whiteout. 1027 */ 1028 if (!dentry->d_inode) 1029 return ovl_dentry_is_opaque(dentry); 1030 1031 /* Negative upper -> positive lower */ 1032 if (!ovl_dentry_upper(dentry)) 1033 return true; 1034 1035 old_cred = ovl_override_creds(dentry->d_sb); 1036 /* Positive upper -> have to look up lower to see whether it exists */ 1037 for (i = 0; !done && !positive && i < poe->numlower; i++) { 1038 struct dentry *this; 1039 struct dentry *lowerdir = poe->lowerstack[i].dentry; 1040 1041 this = lookup_one_len_unlocked(name->name, lowerdir, 1042 name->len); 1043 if (IS_ERR(this)) { 1044 switch (PTR_ERR(this)) { 1045 case -ENOENT: 1046 case -ENAMETOOLONG: 1047 break; 1048 1049 default: 1050 /* 1051 * Assume something is there, we just couldn't 1052 * access it. 1053 */ 1054 positive = true; 1055 break; 1056 } 1057 } else { 1058 if (this->d_inode) { 1059 positive = !ovl_is_whiteout(this); 1060 done = true; 1061 } 1062 dput(this); 1063 } 1064 } 1065 revert_creds(old_cred); 1066 1067 return positive; 1068 } 1069