xref: /openbmc/linux/fs/overlayfs/namei.c (revision ddc141e5)
1 /*
2  * Copyright (C) 2011 Novell Inc.
3  * Copyright (C) 2016 Red Hat, Inc.
4  *
5  * This program is free software; you can redistribute it and/or modify it
6  * under the terms of the GNU General Public License version 2 as published by
7  * the Free Software Foundation.
8  */
9 
10 #include <linux/fs.h>
11 #include <linux/cred.h>
12 #include <linux/ctype.h>
13 #include <linux/namei.h>
14 #include <linux/xattr.h>
15 #include <linux/ratelimit.h>
16 #include <linux/mount.h>
17 #include <linux/exportfs.h>
18 #include "overlayfs.h"
19 
20 struct ovl_lookup_data {
21 	struct qstr name;
22 	bool is_dir;
23 	bool opaque;
24 	bool stop;
25 	bool last;
26 	char *redirect;
27 };
28 
29 static int ovl_check_redirect(struct dentry *dentry, struct ovl_lookup_data *d,
30 			      size_t prelen, const char *post)
31 {
32 	int res;
33 	char *s, *next, *buf = NULL;
34 
35 	res = vfs_getxattr(dentry, OVL_XATTR_REDIRECT, NULL, 0);
36 	if (res < 0) {
37 		if (res == -ENODATA || res == -EOPNOTSUPP)
38 			return 0;
39 		goto fail;
40 	}
41 	buf = kzalloc(prelen + res + strlen(post) + 1, GFP_KERNEL);
42 	if (!buf)
43 		return -ENOMEM;
44 
45 	if (res == 0)
46 		goto invalid;
47 
48 	res = vfs_getxattr(dentry, OVL_XATTR_REDIRECT, buf, res);
49 	if (res < 0)
50 		goto fail;
51 	if (res == 0)
52 		goto invalid;
53 	if (buf[0] == '/') {
54 		for (s = buf; *s++ == '/'; s = next) {
55 			next = strchrnul(s, '/');
56 			if (s == next)
57 				goto invalid;
58 		}
59 	} else {
60 		if (strchr(buf, '/') != NULL)
61 			goto invalid;
62 
63 		memmove(buf + prelen, buf, res);
64 		memcpy(buf, d->name.name, prelen);
65 	}
66 
67 	strcat(buf, post);
68 	kfree(d->redirect);
69 	d->redirect = buf;
70 	d->name.name = d->redirect;
71 	d->name.len = strlen(d->redirect);
72 
73 	return 0;
74 
75 err_free:
76 	kfree(buf);
77 	return 0;
78 fail:
79 	pr_warn_ratelimited("overlayfs: failed to get redirect (%i)\n", res);
80 	goto err_free;
81 invalid:
82 	pr_warn_ratelimited("overlayfs: invalid redirect (%s)\n", buf);
83 	goto err_free;
84 }
85 
86 static int ovl_acceptable(void *ctx, struct dentry *dentry)
87 {
88 	/*
89 	 * A non-dir origin may be disconnected, which is fine, because
90 	 * we only need it for its unique inode number.
91 	 */
92 	if (!d_is_dir(dentry))
93 		return 1;
94 
95 	/* Don't decode a deleted empty directory */
96 	if (d_unhashed(dentry))
97 		return 0;
98 
99 	/* Check if directory belongs to the layer we are decoding from */
100 	return is_subdir(dentry, ((struct vfsmount *)ctx)->mnt_root);
101 }
102 
103 /*
104  * Check validity of an overlay file handle buffer.
105  *
106  * Return 0 for a valid file handle.
107  * Return -ENODATA for "origin unknown".
108  * Return <0 for an invalid file handle.
109  */
110 int ovl_check_fh_len(struct ovl_fh *fh, int fh_len)
111 {
112 	if (fh_len < sizeof(struct ovl_fh) || fh_len < fh->len)
113 		return -EINVAL;
114 
115 	if (fh->magic != OVL_FH_MAGIC)
116 		return -EINVAL;
117 
118 	/* Treat larger version and unknown flags as "origin unknown" */
119 	if (fh->version > OVL_FH_VERSION || fh->flags & ~OVL_FH_FLAG_ALL)
120 		return -ENODATA;
121 
122 	/* Treat endianness mismatch as "origin unknown" */
123 	if (!(fh->flags & OVL_FH_FLAG_ANY_ENDIAN) &&
124 	    (fh->flags & OVL_FH_FLAG_BIG_ENDIAN) != OVL_FH_FLAG_CPU_ENDIAN)
125 		return -ENODATA;
126 
127 	return 0;
128 }
129 
130 static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name)
131 {
132 	int res, err;
133 	struct ovl_fh *fh = NULL;
134 
135 	res = vfs_getxattr(dentry, name, NULL, 0);
136 	if (res < 0) {
137 		if (res == -ENODATA || res == -EOPNOTSUPP)
138 			return NULL;
139 		goto fail;
140 	}
141 	/* Zero size value means "copied up but origin unknown" */
142 	if (res == 0)
143 		return NULL;
144 
145 	fh = kzalloc(res, GFP_KERNEL);
146 	if (!fh)
147 		return ERR_PTR(-ENOMEM);
148 
149 	res = vfs_getxattr(dentry, name, fh, res);
150 	if (res < 0)
151 		goto fail;
152 
153 	err = ovl_check_fh_len(fh, res);
154 	if (err < 0) {
155 		if (err == -ENODATA)
156 			goto out;
157 		goto invalid;
158 	}
159 
160 	return fh;
161 
162 out:
163 	kfree(fh);
164 	return NULL;
165 
166 fail:
167 	pr_warn_ratelimited("overlayfs: failed to get origin (%i)\n", res);
168 	goto out;
169 invalid:
170 	pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n", res, fh);
171 	goto out;
172 }
173 
174 struct dentry *ovl_decode_fh(struct ovl_fh *fh, struct vfsmount *mnt)
175 {
176 	struct dentry *real;
177 	int bytes;
178 
179 	/*
180 	 * Make sure that the stored uuid matches the uuid of the lower
181 	 * layer where file handle will be decoded.
182 	 */
183 	if (!uuid_equal(&fh->uuid, &mnt->mnt_sb->s_uuid))
184 		return NULL;
185 
186 	bytes = (fh->len - offsetof(struct ovl_fh, fid));
187 	real = exportfs_decode_fh(mnt, (struct fid *)fh->fid,
188 				  bytes >> 2, (int)fh->type,
189 				  ovl_acceptable, mnt);
190 	if (IS_ERR(real)) {
191 		/*
192 		 * Treat stale file handle to lower file as "origin unknown".
193 		 * upper file handle could become stale when upper file is
194 		 * unlinked and this information is needed to handle stale
195 		 * index entries correctly.
196 		 */
197 		if (real == ERR_PTR(-ESTALE) &&
198 		    !(fh->flags & OVL_FH_FLAG_PATH_UPPER))
199 			real = NULL;
200 		return real;
201 	}
202 
203 	if (ovl_dentry_weird(real)) {
204 		dput(real);
205 		return NULL;
206 	}
207 
208 	return real;
209 }
210 
211 static bool ovl_is_opaquedir(struct dentry *dentry)
212 {
213 	return ovl_check_dir_xattr(dentry, OVL_XATTR_OPAQUE);
214 }
215 
216 static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d,
217 			     const char *name, unsigned int namelen,
218 			     size_t prelen, const char *post,
219 			     struct dentry **ret)
220 {
221 	struct dentry *this;
222 	int err;
223 
224 	this = lookup_one_len_unlocked(name, base, namelen);
225 	if (IS_ERR(this)) {
226 		err = PTR_ERR(this);
227 		this = NULL;
228 		if (err == -ENOENT || err == -ENAMETOOLONG)
229 			goto out;
230 		goto out_err;
231 	}
232 	if (!this->d_inode)
233 		goto put_and_out;
234 
235 	if (ovl_dentry_weird(this)) {
236 		/* Don't support traversing automounts and other weirdness */
237 		err = -EREMOTE;
238 		goto out_err;
239 	}
240 	if (ovl_is_whiteout(this)) {
241 		d->stop = d->opaque = true;
242 		goto put_and_out;
243 	}
244 	if (!d_can_lookup(this)) {
245 		d->stop = true;
246 		if (d->is_dir)
247 			goto put_and_out;
248 		goto out;
249 	}
250 	d->is_dir = true;
251 	if (!d->last && ovl_is_opaquedir(this)) {
252 		d->stop = d->opaque = true;
253 		goto out;
254 	}
255 	err = ovl_check_redirect(this, d, prelen, post);
256 	if (err)
257 		goto out_err;
258 out:
259 	*ret = this;
260 	return 0;
261 
262 put_and_out:
263 	dput(this);
264 	this = NULL;
265 	goto out;
266 
267 out_err:
268 	dput(this);
269 	return err;
270 }
271 
272 static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d,
273 			    struct dentry **ret)
274 {
275 	/* Counting down from the end, since the prefix can change */
276 	size_t rem = d->name.len - 1;
277 	struct dentry *dentry = NULL;
278 	int err;
279 
280 	if (d->name.name[0] != '/')
281 		return ovl_lookup_single(base, d, d->name.name, d->name.len,
282 					 0, "", ret);
283 
284 	while (!IS_ERR_OR_NULL(base) && d_can_lookup(base)) {
285 		const char *s = d->name.name + d->name.len - rem;
286 		const char *next = strchrnul(s, '/');
287 		size_t thislen = next - s;
288 		bool end = !next[0];
289 
290 		/* Verify we did not go off the rails */
291 		if (WARN_ON(s[-1] != '/'))
292 			return -EIO;
293 
294 		err = ovl_lookup_single(base, d, s, thislen,
295 					d->name.len - rem, next, &base);
296 		dput(dentry);
297 		if (err)
298 			return err;
299 		dentry = base;
300 		if (end)
301 			break;
302 
303 		rem -= thislen + 1;
304 
305 		if (WARN_ON(rem >= d->name.len))
306 			return -EIO;
307 	}
308 	*ret = dentry;
309 	return 0;
310 }
311 
312 
313 int ovl_check_origin_fh(struct ovl_fs *ofs, struct ovl_fh *fh,
314 			struct dentry *upperdentry, struct ovl_path **stackp)
315 {
316 	struct dentry *origin = NULL;
317 	int i;
318 
319 	for (i = 0; i < ofs->numlower; i++) {
320 		origin = ovl_decode_fh(fh, ofs->lower_layers[i].mnt);
321 		if (origin)
322 			break;
323 	}
324 
325 	if (!origin)
326 		return -ESTALE;
327 	else if (IS_ERR(origin))
328 		return PTR_ERR(origin);
329 
330 	if (upperdentry && !ovl_is_whiteout(upperdentry) &&
331 	    ((d_inode(origin)->i_mode ^ d_inode(upperdentry)->i_mode) & S_IFMT))
332 		goto invalid;
333 
334 	if (!*stackp)
335 		*stackp = kmalloc(sizeof(struct ovl_path), GFP_KERNEL);
336 	if (!*stackp) {
337 		dput(origin);
338 		return -ENOMEM;
339 	}
340 	**stackp = (struct ovl_path){
341 		.dentry = origin,
342 		.layer = &ofs->lower_layers[i]
343 	};
344 
345 	return 0;
346 
347 invalid:
348 	pr_warn_ratelimited("overlayfs: invalid origin (%pd2, ftype=%x, origin ftype=%x).\n",
349 			    upperdentry, d_inode(upperdentry)->i_mode & S_IFMT,
350 			    d_inode(origin)->i_mode & S_IFMT);
351 	dput(origin);
352 	return -EIO;
353 }
354 
355 static int ovl_check_origin(struct ovl_fs *ofs, struct dentry *upperdentry,
356 			    struct ovl_path **stackp, unsigned int *ctrp)
357 {
358 	struct ovl_fh *fh = ovl_get_fh(upperdentry, OVL_XATTR_ORIGIN);
359 	int err;
360 
361 	if (IS_ERR_OR_NULL(fh))
362 		return PTR_ERR(fh);
363 
364 	err = ovl_check_origin_fh(ofs, fh, upperdentry, stackp);
365 	kfree(fh);
366 
367 	if (err) {
368 		if (err == -ESTALE)
369 			return 0;
370 		return err;
371 	}
372 
373 	if (WARN_ON(*ctrp))
374 		return -EIO;
375 
376 	*ctrp = 1;
377 	return 0;
378 }
379 
380 /*
381  * Verify that @fh matches the file handle stored in xattr @name.
382  * Return 0 on match, -ESTALE on mismatch, < 0 on error.
383  */
384 static int ovl_verify_fh(struct dentry *dentry, const char *name,
385 			 const struct ovl_fh *fh)
386 {
387 	struct ovl_fh *ofh = ovl_get_fh(dentry, name);
388 	int err = 0;
389 
390 	if (!ofh)
391 		return -ENODATA;
392 
393 	if (IS_ERR(ofh))
394 		return PTR_ERR(ofh);
395 
396 	if (fh->len != ofh->len || memcmp(fh, ofh, fh->len))
397 		err = -ESTALE;
398 
399 	kfree(ofh);
400 	return err;
401 }
402 
403 /*
404  * Verify that @real dentry matches the file handle stored in xattr @name.
405  *
406  * If @set is true and there is no stored file handle, encode @real and store
407  * file handle in xattr @name.
408  *
409  * Return 0 on match, -ESTALE on mismatch, -ENODATA on no xattr, < 0 on error.
410  */
411 int ovl_verify_set_fh(struct dentry *dentry, const char *name,
412 		      struct dentry *real, bool is_upper, bool set)
413 {
414 	struct inode *inode;
415 	struct ovl_fh *fh;
416 	int err;
417 
418 	fh = ovl_encode_fh(real, is_upper);
419 	err = PTR_ERR(fh);
420 	if (IS_ERR(fh))
421 		goto fail;
422 
423 	err = ovl_verify_fh(dentry, name, fh);
424 	if (set && err == -ENODATA)
425 		err = ovl_do_setxattr(dentry, name, fh, fh->len, 0);
426 	if (err)
427 		goto fail;
428 
429 out:
430 	kfree(fh);
431 	return err;
432 
433 fail:
434 	inode = d_inode(real);
435 	pr_warn_ratelimited("overlayfs: failed to verify %s (%pd2, ino=%lu, err=%i)\n",
436 			    is_upper ? "upper" : "origin", real,
437 			    inode ? inode->i_ino : 0, err);
438 	goto out;
439 }
440 
441 /* Get upper dentry from index */
442 struct dentry *ovl_index_upper(struct ovl_fs *ofs, struct dentry *index)
443 {
444 	struct ovl_fh *fh;
445 	struct dentry *upper;
446 
447 	if (!d_is_dir(index))
448 		return dget(index);
449 
450 	fh = ovl_get_fh(index, OVL_XATTR_UPPER);
451 	if (IS_ERR_OR_NULL(fh))
452 		return ERR_CAST(fh);
453 
454 	upper = ovl_decode_fh(fh, ofs->upper_mnt);
455 	kfree(fh);
456 
457 	if (IS_ERR_OR_NULL(upper))
458 		return upper ?: ERR_PTR(-ESTALE);
459 
460 	if (!d_is_dir(upper)) {
461 		pr_warn_ratelimited("overlayfs: invalid index upper (%pd2, upper=%pd2).\n",
462 				    index, upper);
463 		dput(upper);
464 		return ERR_PTR(-EIO);
465 	}
466 
467 	return upper;
468 }
469 
470 /* Is this a leftover from create/whiteout of directory index entry? */
471 static bool ovl_is_temp_index(struct dentry *index)
472 {
473 	return index->d_name.name[0] == '#';
474 }
475 
476 /*
477  * Verify that an index entry name matches the origin file handle stored in
478  * OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path.
479  * Return 0 on match, -ESTALE on mismatch or stale origin, < 0 on error.
480  */
481 int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index)
482 {
483 	struct ovl_fh *fh = NULL;
484 	size_t len;
485 	struct ovl_path origin = { };
486 	struct ovl_path *stack = &origin;
487 	struct dentry *upper = NULL;
488 	int err;
489 
490 	if (!d_inode(index))
491 		return 0;
492 
493 	/* Cleanup leftover from index create/cleanup attempt */
494 	err = -ESTALE;
495 	if (ovl_is_temp_index(index))
496 		goto fail;
497 
498 	err = -EINVAL;
499 	if (index->d_name.len < sizeof(struct ovl_fh)*2)
500 		goto fail;
501 
502 	err = -ENOMEM;
503 	len = index->d_name.len / 2;
504 	fh = kzalloc(len, GFP_KERNEL);
505 	if (!fh)
506 		goto fail;
507 
508 	err = -EINVAL;
509 	if (hex2bin((u8 *)fh, index->d_name.name, len))
510 		goto fail;
511 
512 	err = ovl_check_fh_len(fh, len);
513 	if (err)
514 		goto fail;
515 
516 	/*
517 	 * Whiteout index entries are used as an indication that an exported
518 	 * overlay file handle should be treated as stale (i.e. after unlink
519 	 * of the overlay inode). These entries contain no origin xattr.
520 	 */
521 	if (ovl_is_whiteout(index))
522 		goto out;
523 
524 	/*
525 	 * Verifying directory index entries are not stale is expensive, so
526 	 * only verify stale dir index if NFS export is enabled.
527 	 */
528 	if (d_is_dir(index) && !ofs->config.nfs_export)
529 		goto out;
530 
531 	/*
532 	 * Directory index entries should have 'upper' xattr pointing to the
533 	 * real upper dir. Non-dir index entries are hardlinks to the upper
534 	 * real inode. For non-dir index, we can read the copy up origin xattr
535 	 * directly from the index dentry, but for dir index we first need to
536 	 * decode the upper directory.
537 	 */
538 	upper = ovl_index_upper(ofs, index);
539 	if (IS_ERR_OR_NULL(upper)) {
540 		err = PTR_ERR(upper);
541 		/*
542 		 * Directory index entries with no 'upper' xattr need to be
543 		 * removed. When dir index entry has a stale 'upper' xattr,
544 		 * we assume that upper dir was removed and we treat the dir
545 		 * index as orphan entry that needs to be whited out.
546 		 */
547 		if (err == -ESTALE)
548 			goto orphan;
549 		else if (!err)
550 			err = -ESTALE;
551 		goto fail;
552 	}
553 
554 	err = ovl_verify_fh(upper, OVL_XATTR_ORIGIN, fh);
555 	dput(upper);
556 	if (err)
557 		goto fail;
558 
559 	/* Check if non-dir index is orphan and don't warn before cleaning it */
560 	if (!d_is_dir(index) && d_inode(index)->i_nlink == 1) {
561 		err = ovl_check_origin_fh(ofs, fh, index, &stack);
562 		if (err)
563 			goto fail;
564 
565 		if (ovl_get_nlink(origin.dentry, index, 0) == 0)
566 			goto orphan;
567 	}
568 
569 out:
570 	dput(origin.dentry);
571 	kfree(fh);
572 	return err;
573 
574 fail:
575 	pr_warn_ratelimited("overlayfs: failed to verify index (%pd2, ftype=%x, err=%i)\n",
576 			    index, d_inode(index)->i_mode & S_IFMT, err);
577 	goto out;
578 
579 orphan:
580 	pr_warn_ratelimited("overlayfs: orphan index entry (%pd2, ftype=%x, nlink=%u)\n",
581 			    index, d_inode(index)->i_mode & S_IFMT,
582 			    d_inode(index)->i_nlink);
583 	err = -ENOENT;
584 	goto out;
585 }
586 
587 static int ovl_get_index_name_fh(struct ovl_fh *fh, struct qstr *name)
588 {
589 	char *n, *s;
590 
591 	n = kzalloc(fh->len * 2, GFP_KERNEL);
592 	if (!n)
593 		return -ENOMEM;
594 
595 	s  = bin2hex(n, fh, fh->len);
596 	*name = (struct qstr) QSTR_INIT(n, s - n);
597 
598 	return 0;
599 
600 }
601 
602 /*
603  * Lookup in indexdir for the index entry of a lower real inode or a copy up
604  * origin inode. The index entry name is the hex representation of the lower
605  * inode file handle.
606  *
607  * If the index dentry in negative, then either no lower aliases have been
608  * copied up yet, or aliases have been copied up in older kernels and are
609  * not indexed.
610  *
611  * If the index dentry for a copy up origin inode is positive, but points
612  * to an inode different than the upper inode, then either the upper inode
613  * has been copied up and not indexed or it was indexed, but since then
614  * index dir was cleared. Either way, that index cannot be used to indentify
615  * the overlay inode.
616  */
617 int ovl_get_index_name(struct dentry *origin, struct qstr *name)
618 {
619 	struct ovl_fh *fh;
620 	int err;
621 
622 	fh = ovl_encode_fh(origin, false);
623 	if (IS_ERR(fh))
624 		return PTR_ERR(fh);
625 
626 	err = ovl_get_index_name_fh(fh, name);
627 
628 	kfree(fh);
629 	return err;
630 }
631 
632 /* Lookup index by file handle for NFS export */
633 struct dentry *ovl_get_index_fh(struct ovl_fs *ofs, struct ovl_fh *fh)
634 {
635 	struct dentry *index;
636 	struct qstr name;
637 	int err;
638 
639 	err = ovl_get_index_name_fh(fh, &name);
640 	if (err)
641 		return ERR_PTR(err);
642 
643 	index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len);
644 	kfree(name.name);
645 	if (IS_ERR(index)) {
646 		if (PTR_ERR(index) == -ENOENT)
647 			index = NULL;
648 		return index;
649 	}
650 
651 	if (d_is_negative(index))
652 		err = 0;
653 	else if (ovl_is_whiteout(index))
654 		err = -ESTALE;
655 	else if (ovl_dentry_weird(index))
656 		err = -EIO;
657 	else
658 		return index;
659 
660 	dput(index);
661 	return ERR_PTR(err);
662 }
663 
664 struct dentry *ovl_lookup_index(struct ovl_fs *ofs, struct dentry *upper,
665 				struct dentry *origin, bool verify)
666 {
667 	struct dentry *index;
668 	struct inode *inode;
669 	struct qstr name;
670 	bool is_dir = d_is_dir(origin);
671 	int err;
672 
673 	err = ovl_get_index_name(origin, &name);
674 	if (err)
675 		return ERR_PTR(err);
676 
677 	index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len);
678 	if (IS_ERR(index)) {
679 		err = PTR_ERR(index);
680 		if (err == -ENOENT) {
681 			index = NULL;
682 			goto out;
683 		}
684 		pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%*s, err=%i);\n"
685 				    "overlayfs: mount with '-o index=off' to disable inodes index.\n",
686 				    d_inode(origin)->i_ino, name.len, name.name,
687 				    err);
688 		goto out;
689 	}
690 
691 	inode = d_inode(index);
692 	if (d_is_negative(index)) {
693 		goto out_dput;
694 	} else if (ovl_is_whiteout(index) && !verify) {
695 		/*
696 		 * When index lookup is called with !verify for decoding an
697 		 * overlay file handle, a whiteout index implies that decode
698 		 * should treat file handle as stale and no need to print a
699 		 * warning about it.
700 		 */
701 		dput(index);
702 		index = ERR_PTR(-ESTALE);
703 		goto out;
704 	} else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) ||
705 		   ((inode->i_mode ^ d_inode(origin)->i_mode) & S_IFMT)) {
706 		/*
707 		 * Index should always be of the same file type as origin
708 		 * except for the case of a whiteout index. A whiteout
709 		 * index should only exist if all lower aliases have been
710 		 * unlinked, which means that finding a lower origin on lookup
711 		 * whose index is a whiteout should be treated as an error.
712 		 */
713 		pr_warn_ratelimited("overlayfs: bad index found (index=%pd2, ftype=%x, origin ftype=%x).\n",
714 				    index, d_inode(index)->i_mode & S_IFMT,
715 				    d_inode(origin)->i_mode & S_IFMT);
716 		goto fail;
717 	} else if (is_dir && verify) {
718 		if (!upper) {
719 			pr_warn_ratelimited("overlayfs: suspected uncovered redirected dir found (origin=%pd2, index=%pd2).\n",
720 					    origin, index);
721 			goto fail;
722 		}
723 
724 		/* Verify that dir index 'upper' xattr points to upper dir */
725 		err = ovl_verify_upper(index, upper, false);
726 		if (err) {
727 			if (err == -ESTALE) {
728 				pr_warn_ratelimited("overlayfs: suspected multiply redirected dir found (upper=%pd2, origin=%pd2, index=%pd2).\n",
729 						    upper, origin, index);
730 			}
731 			goto fail;
732 		}
733 	} else if (upper && d_inode(upper) != inode) {
734 		goto out_dput;
735 	}
736 out:
737 	kfree(name.name);
738 	return index;
739 
740 out_dput:
741 	dput(index);
742 	index = NULL;
743 	goto out;
744 
745 fail:
746 	dput(index);
747 	index = ERR_PTR(-EIO);
748 	goto out;
749 }
750 
751 /*
752  * Returns next layer in stack starting from top.
753  * Returns -1 if this is the last layer.
754  */
755 int ovl_path_next(int idx, struct dentry *dentry, struct path *path)
756 {
757 	struct ovl_entry *oe = dentry->d_fsdata;
758 
759 	BUG_ON(idx < 0);
760 	if (idx == 0) {
761 		ovl_path_upper(dentry, path);
762 		if (path->dentry)
763 			return oe->numlower ? 1 : -1;
764 		idx++;
765 	}
766 	BUG_ON(idx > oe->numlower);
767 	path->dentry = oe->lowerstack[idx - 1].dentry;
768 	path->mnt = oe->lowerstack[idx - 1].layer->mnt;
769 
770 	return (idx < oe->numlower) ? idx + 1 : -1;
771 }
772 
773 /* Fix missing 'origin' xattr */
774 static int ovl_fix_origin(struct dentry *dentry, struct dentry *lower,
775 			  struct dentry *upper)
776 {
777 	int err;
778 
779 	if (ovl_check_origin_xattr(upper))
780 		return 0;
781 
782 	err = ovl_want_write(dentry);
783 	if (err)
784 		return err;
785 
786 	err = ovl_set_origin(dentry, lower, upper);
787 	if (!err)
788 		err = ovl_set_impure(dentry->d_parent, upper->d_parent);
789 
790 	ovl_drop_write(dentry);
791 	return err;
792 }
793 
794 struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
795 			  unsigned int flags)
796 {
797 	struct ovl_entry *oe;
798 	const struct cred *old_cred;
799 	struct ovl_fs *ofs = dentry->d_sb->s_fs_info;
800 	struct ovl_entry *poe = dentry->d_parent->d_fsdata;
801 	struct ovl_entry *roe = dentry->d_sb->s_root->d_fsdata;
802 	struct ovl_path *stack = NULL;
803 	struct dentry *upperdir, *upperdentry = NULL;
804 	struct dentry *origin = NULL;
805 	struct dentry *index = NULL;
806 	unsigned int ctr = 0;
807 	struct inode *inode = NULL;
808 	bool upperopaque = false;
809 	char *upperredirect = NULL;
810 	struct dentry *this;
811 	unsigned int i;
812 	int err;
813 	struct ovl_lookup_data d = {
814 		.name = dentry->d_name,
815 		.is_dir = false,
816 		.opaque = false,
817 		.stop = false,
818 		.last = !poe->numlower,
819 		.redirect = NULL,
820 	};
821 
822 	if (dentry->d_name.len > ofs->namelen)
823 		return ERR_PTR(-ENAMETOOLONG);
824 
825 	old_cred = ovl_override_creds(dentry->d_sb);
826 	upperdir = ovl_dentry_upper(dentry->d_parent);
827 	if (upperdir) {
828 		err = ovl_lookup_layer(upperdir, &d, &upperdentry);
829 		if (err)
830 			goto out;
831 
832 		if (upperdentry && unlikely(ovl_dentry_remote(upperdentry))) {
833 			dput(upperdentry);
834 			err = -EREMOTE;
835 			goto out;
836 		}
837 		if (upperdentry && !d.is_dir) {
838 			BUG_ON(!d.stop || d.redirect);
839 			/*
840 			 * Lookup copy up origin by decoding origin file handle.
841 			 * We may get a disconnected dentry, which is fine,
842 			 * because we only need to hold the origin inode in
843 			 * cache and use its inode number.  We may even get a
844 			 * connected dentry, that is not under any of the lower
845 			 * layers root.  That is also fine for using it's inode
846 			 * number - it's the same as if we held a reference
847 			 * to a dentry in lower layer that was moved under us.
848 			 */
849 			err = ovl_check_origin(ofs, upperdentry, &stack, &ctr);
850 			if (err)
851 				goto out_put_upper;
852 		}
853 
854 		if (d.redirect) {
855 			err = -ENOMEM;
856 			upperredirect = kstrdup(d.redirect, GFP_KERNEL);
857 			if (!upperredirect)
858 				goto out_put_upper;
859 			if (d.redirect[0] == '/')
860 				poe = roe;
861 		}
862 		upperopaque = d.opaque;
863 	}
864 
865 	if (!d.stop && poe->numlower) {
866 		err = -ENOMEM;
867 		stack = kcalloc(ofs->numlower, sizeof(struct ovl_path),
868 				GFP_KERNEL);
869 		if (!stack)
870 			goto out_put_upper;
871 	}
872 
873 	for (i = 0; !d.stop && i < poe->numlower; i++) {
874 		struct ovl_path lower = poe->lowerstack[i];
875 
876 		d.last = i == poe->numlower - 1;
877 		err = ovl_lookup_layer(lower.dentry, &d, &this);
878 		if (err)
879 			goto out_put;
880 
881 		if (!this)
882 			continue;
883 
884 		/*
885 		 * If no origin fh is stored in upper of a merge dir, store fh
886 		 * of lower dir and set upper parent "impure".
887 		 */
888 		if (upperdentry && !ctr && !ofs->noxattr) {
889 			err = ovl_fix_origin(dentry, this, upperdentry);
890 			if (err) {
891 				dput(this);
892 				goto out_put;
893 			}
894 		}
895 
896 		/*
897 		 * When "verify_lower" feature is enabled, do not merge with a
898 		 * lower dir that does not match a stored origin xattr. In any
899 		 * case, only verified origin is used for index lookup.
900 		 */
901 		if (upperdentry && !ctr && ovl_verify_lower(dentry->d_sb)) {
902 			err = ovl_verify_origin(upperdentry, this, false);
903 			if (err) {
904 				dput(this);
905 				break;
906 			}
907 
908 			/* Bless lower dir as verified origin */
909 			origin = this;
910 		}
911 
912 		stack[ctr].dentry = this;
913 		stack[ctr].layer = lower.layer;
914 		ctr++;
915 
916 		if (d.stop)
917 			break;
918 
919 		/*
920 		 * Following redirects can have security consequences: it's like
921 		 * a symlink into the lower layer without the permission checks.
922 		 * This is only a problem if the upper layer is untrusted (e.g
923 		 * comes from an USB drive).  This can allow a non-readable file
924 		 * or directory to become readable.
925 		 *
926 		 * Only following redirects when redirects are enabled disables
927 		 * this attack vector when not necessary.
928 		 */
929 		err = -EPERM;
930 		if (d.redirect && !ofs->config.redirect_follow) {
931 			pr_warn_ratelimited("overlayfs: refusing to follow redirect for (%pd2)\n",
932 					    dentry);
933 			goto out_put;
934 		}
935 
936 		if (d.redirect && d.redirect[0] == '/' && poe != roe) {
937 			poe = roe;
938 			/* Find the current layer on the root dentry */
939 			i = lower.layer->idx - 1;
940 		}
941 	}
942 
943 	/*
944 	 * Lookup index by lower inode and verify it matches upper inode.
945 	 * We only trust dir index if we verified that lower dir matches
946 	 * origin, otherwise dir index entries may be inconsistent and we
947 	 * ignore them. Always lookup index of non-dir and non-upper.
948 	 */
949 	if (ctr && (!upperdentry || !d.is_dir))
950 		origin = stack[0].dentry;
951 
952 	if (origin && ovl_indexdir(dentry->d_sb) &&
953 	    (!d.is_dir || ovl_index_all(dentry->d_sb))) {
954 		index = ovl_lookup_index(ofs, upperdentry, origin, true);
955 		if (IS_ERR(index)) {
956 			err = PTR_ERR(index);
957 			index = NULL;
958 			goto out_put;
959 		}
960 	}
961 
962 	oe = ovl_alloc_entry(ctr);
963 	err = -ENOMEM;
964 	if (!oe)
965 		goto out_put;
966 
967 	memcpy(oe->lowerstack, stack, sizeof(struct ovl_path) * ctr);
968 	dentry->d_fsdata = oe;
969 
970 	if (upperopaque)
971 		ovl_dentry_set_opaque(dentry);
972 
973 	if (upperdentry)
974 		ovl_dentry_set_upper_alias(dentry);
975 	else if (index)
976 		upperdentry = dget(index);
977 
978 	if (upperdentry || ctr) {
979 		if (ctr)
980 			origin = stack[0].dentry;
981 		inode = ovl_get_inode(dentry->d_sb, upperdentry, origin, index,
982 				      ctr);
983 		err = PTR_ERR(inode);
984 		if (IS_ERR(inode))
985 			goto out_free_oe;
986 
987 		OVL_I(inode)->redirect = upperredirect;
988 		if (index)
989 			ovl_set_flag(OVL_INDEX, inode);
990 	}
991 
992 	revert_creds(old_cred);
993 	dput(index);
994 	kfree(stack);
995 	kfree(d.redirect);
996 	return d_splice_alias(inode, dentry);
997 
998 out_free_oe:
999 	dentry->d_fsdata = NULL;
1000 	kfree(oe);
1001 out_put:
1002 	dput(index);
1003 	for (i = 0; i < ctr; i++)
1004 		dput(stack[i].dentry);
1005 	kfree(stack);
1006 out_put_upper:
1007 	dput(upperdentry);
1008 	kfree(upperredirect);
1009 out:
1010 	kfree(d.redirect);
1011 	revert_creds(old_cred);
1012 	return ERR_PTR(err);
1013 }
1014 
1015 bool ovl_lower_positive(struct dentry *dentry)
1016 {
1017 	struct ovl_entry *poe = dentry->d_parent->d_fsdata;
1018 	const struct qstr *name = &dentry->d_name;
1019 	const struct cred *old_cred;
1020 	unsigned int i;
1021 	bool positive = false;
1022 	bool done = false;
1023 
1024 	/*
1025 	 * If dentry is negative, then lower is positive iff this is a
1026 	 * whiteout.
1027 	 */
1028 	if (!dentry->d_inode)
1029 		return ovl_dentry_is_opaque(dentry);
1030 
1031 	/* Negative upper -> positive lower */
1032 	if (!ovl_dentry_upper(dentry))
1033 		return true;
1034 
1035 	old_cred = ovl_override_creds(dentry->d_sb);
1036 	/* Positive upper -> have to look up lower to see whether it exists */
1037 	for (i = 0; !done && !positive && i < poe->numlower; i++) {
1038 		struct dentry *this;
1039 		struct dentry *lowerdir = poe->lowerstack[i].dentry;
1040 
1041 		this = lookup_one_len_unlocked(name->name, lowerdir,
1042 					       name->len);
1043 		if (IS_ERR(this)) {
1044 			switch (PTR_ERR(this)) {
1045 			case -ENOENT:
1046 			case -ENAMETOOLONG:
1047 				break;
1048 
1049 			default:
1050 				/*
1051 				 * Assume something is there, we just couldn't
1052 				 * access it.
1053 				 */
1054 				positive = true;
1055 				break;
1056 			}
1057 		} else {
1058 			if (this->d_inode) {
1059 				positive = !ovl_is_whiteout(this);
1060 				done = true;
1061 			}
1062 			dput(this);
1063 		}
1064 	}
1065 	revert_creds(old_cred);
1066 
1067 	return positive;
1068 }
1069