1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2011 Novell Inc. 4 * Copyright (C) 2016 Red Hat, Inc. 5 */ 6 7 #include <linux/fs.h> 8 #include <linux/cred.h> 9 #include <linux/ctype.h> 10 #include <linux/namei.h> 11 #include <linux/xattr.h> 12 #include <linux/ratelimit.h> 13 #include <linux/mount.h> 14 #include <linux/exportfs.h> 15 #include "overlayfs.h" 16 17 struct ovl_lookup_data { 18 struct super_block *sb; 19 struct qstr name; 20 bool is_dir; 21 bool opaque; 22 bool stop; 23 bool last; 24 char *redirect; 25 bool metacopy; 26 }; 27 28 static int ovl_check_redirect(struct dentry *dentry, struct ovl_lookup_data *d, 29 size_t prelen, const char *post) 30 { 31 int res; 32 char *buf; 33 34 buf = ovl_get_redirect_xattr(dentry, prelen + strlen(post)); 35 if (IS_ERR_OR_NULL(buf)) 36 return PTR_ERR(buf); 37 38 if (buf[0] == '/') { 39 /* 40 * One of the ancestor path elements in an absolute path 41 * lookup in ovl_lookup_layer() could have been opaque and 42 * that will stop further lookup in lower layers (d->stop=true) 43 * But we have found an absolute redirect in decendant path 44 * element and that should force continue lookup in lower 45 * layers (reset d->stop). 46 */ 47 d->stop = false; 48 } else { 49 res = strlen(buf) + 1; 50 memmove(buf + prelen, buf, res); 51 memcpy(buf, d->name.name, prelen); 52 } 53 54 strcat(buf, post); 55 kfree(d->redirect); 56 d->redirect = buf; 57 d->name.name = d->redirect; 58 d->name.len = strlen(d->redirect); 59 60 return 0; 61 } 62 63 static int ovl_acceptable(void *ctx, struct dentry *dentry) 64 { 65 /* 66 * A non-dir origin may be disconnected, which is fine, because 67 * we only need it for its unique inode number. 68 */ 69 if (!d_is_dir(dentry)) 70 return 1; 71 72 /* Don't decode a deleted empty directory */ 73 if (d_unhashed(dentry)) 74 return 0; 75 76 /* Check if directory belongs to the layer we are decoding from */ 77 return is_subdir(dentry, ((struct vfsmount *)ctx)->mnt_root); 78 } 79 80 /* 81 * Check validity of an overlay file handle buffer. 82 * 83 * Return 0 for a valid file handle. 84 * Return -ENODATA for "origin unknown". 85 * Return <0 for an invalid file handle. 86 */ 87 int ovl_check_fb_len(struct ovl_fb *fb, int fb_len) 88 { 89 if (fb_len < sizeof(struct ovl_fb) || fb_len < fb->len) 90 return -EINVAL; 91 92 if (fb->magic != OVL_FH_MAGIC) 93 return -EINVAL; 94 95 /* Treat larger version and unknown flags as "origin unknown" */ 96 if (fb->version > OVL_FH_VERSION || fb->flags & ~OVL_FH_FLAG_ALL) 97 return -ENODATA; 98 99 /* Treat endianness mismatch as "origin unknown" */ 100 if (!(fb->flags & OVL_FH_FLAG_ANY_ENDIAN) && 101 (fb->flags & OVL_FH_FLAG_BIG_ENDIAN) != OVL_FH_FLAG_CPU_ENDIAN) 102 return -ENODATA; 103 104 return 0; 105 } 106 107 static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name) 108 { 109 int res, err; 110 struct ovl_fh *fh = NULL; 111 112 res = vfs_getxattr(dentry, name, NULL, 0); 113 if (res < 0) { 114 if (res == -ENODATA || res == -EOPNOTSUPP) 115 return NULL; 116 goto fail; 117 } 118 /* Zero size value means "copied up but origin unknown" */ 119 if (res == 0) 120 return NULL; 121 122 fh = kzalloc(res + OVL_FH_WIRE_OFFSET, GFP_KERNEL); 123 if (!fh) 124 return ERR_PTR(-ENOMEM); 125 126 res = vfs_getxattr(dentry, name, fh->buf, res); 127 if (res < 0) 128 goto fail; 129 130 err = ovl_check_fb_len(&fh->fb, res); 131 if (err < 0) { 132 if (err == -ENODATA) 133 goto out; 134 goto invalid; 135 } 136 137 return fh; 138 139 out: 140 kfree(fh); 141 return NULL; 142 143 fail: 144 pr_warn_ratelimited("failed to get origin (%i)\n", res); 145 goto out; 146 invalid: 147 pr_warn_ratelimited("invalid origin (%*phN)\n", res, fh); 148 goto out; 149 } 150 151 struct dentry *ovl_decode_real_fh(struct ovl_fh *fh, struct vfsmount *mnt, 152 bool connected) 153 { 154 struct dentry *real; 155 int bytes; 156 157 /* 158 * Make sure that the stored uuid matches the uuid of the lower 159 * layer where file handle will be decoded. 160 */ 161 if (!uuid_equal(&fh->fb.uuid, &mnt->mnt_sb->s_uuid)) 162 return NULL; 163 164 bytes = (fh->fb.len - offsetof(struct ovl_fb, fid)); 165 real = exportfs_decode_fh(mnt, (struct fid *)fh->fb.fid, 166 bytes >> 2, (int)fh->fb.type, 167 connected ? ovl_acceptable : NULL, mnt); 168 if (IS_ERR(real)) { 169 /* 170 * Treat stale file handle to lower file as "origin unknown". 171 * upper file handle could become stale when upper file is 172 * unlinked and this information is needed to handle stale 173 * index entries correctly. 174 */ 175 if (real == ERR_PTR(-ESTALE) && 176 !(fh->fb.flags & OVL_FH_FLAG_PATH_UPPER)) 177 real = NULL; 178 return real; 179 } 180 181 if (ovl_dentry_weird(real)) { 182 dput(real); 183 return NULL; 184 } 185 186 return real; 187 } 188 189 static bool ovl_is_opaquedir(struct dentry *dentry) 190 { 191 return ovl_check_dir_xattr(dentry, OVL_XATTR_OPAQUE); 192 } 193 194 static struct dentry *ovl_lookup_positive_unlocked(const char *name, 195 struct dentry *base, int len, 196 bool drop_negative) 197 { 198 struct dentry *ret = lookup_one_len_unlocked(name, base, len); 199 200 if (!IS_ERR(ret) && d_flags_negative(smp_load_acquire(&ret->d_flags))) { 201 if (drop_negative && ret->d_lockref.count == 1) { 202 spin_lock(&ret->d_lock); 203 /* Recheck condition under lock */ 204 if (d_is_negative(ret) && ret->d_lockref.count == 1) 205 __d_drop(ret); 206 spin_unlock(&ret->d_lock); 207 } 208 dput(ret); 209 ret = ERR_PTR(-ENOENT); 210 } 211 return ret; 212 } 213 214 static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d, 215 const char *name, unsigned int namelen, 216 size_t prelen, const char *post, 217 struct dentry **ret, bool drop_negative) 218 { 219 struct dentry *this; 220 int err; 221 bool last_element = !post[0]; 222 223 this = ovl_lookup_positive_unlocked(name, base, namelen, drop_negative); 224 if (IS_ERR(this)) { 225 err = PTR_ERR(this); 226 this = NULL; 227 if (err == -ENOENT || err == -ENAMETOOLONG) 228 goto out; 229 goto out_err; 230 } 231 232 if (ovl_dentry_weird(this)) { 233 /* Don't support traversing automounts and other weirdness */ 234 err = -EREMOTE; 235 goto out_err; 236 } 237 if (ovl_is_whiteout(this)) { 238 d->stop = d->opaque = true; 239 goto put_and_out; 240 } 241 /* 242 * This dentry should be a regular file if previous layer lookup 243 * found a metacopy dentry. 244 */ 245 if (last_element && d->metacopy && !d_is_reg(this)) { 246 d->stop = true; 247 goto put_and_out; 248 } 249 if (!d_can_lookup(this)) { 250 if (d->is_dir || !last_element) { 251 d->stop = true; 252 goto put_and_out; 253 } 254 err = ovl_check_metacopy_xattr(this); 255 if (err < 0) 256 goto out_err; 257 258 d->metacopy = err; 259 d->stop = !d->metacopy; 260 if (!d->metacopy || d->last) 261 goto out; 262 } else { 263 if (ovl_lookup_trap_inode(d->sb, this)) { 264 /* Caught in a trap of overlapping layers */ 265 err = -ELOOP; 266 goto out_err; 267 } 268 269 if (last_element) 270 d->is_dir = true; 271 if (d->last) 272 goto out; 273 274 if (ovl_is_opaquedir(this)) { 275 d->stop = true; 276 if (last_element) 277 d->opaque = true; 278 goto out; 279 } 280 } 281 err = ovl_check_redirect(this, d, prelen, post); 282 if (err) 283 goto out_err; 284 out: 285 *ret = this; 286 return 0; 287 288 put_and_out: 289 dput(this); 290 this = NULL; 291 goto out; 292 293 out_err: 294 dput(this); 295 return err; 296 } 297 298 static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d, 299 struct dentry **ret, bool drop_negative) 300 { 301 /* Counting down from the end, since the prefix can change */ 302 size_t rem = d->name.len - 1; 303 struct dentry *dentry = NULL; 304 int err; 305 306 if (d->name.name[0] != '/') 307 return ovl_lookup_single(base, d, d->name.name, d->name.len, 308 0, "", ret, drop_negative); 309 310 while (!IS_ERR_OR_NULL(base) && d_can_lookup(base)) { 311 const char *s = d->name.name + d->name.len - rem; 312 const char *next = strchrnul(s, '/'); 313 size_t thislen = next - s; 314 bool end = !next[0]; 315 316 /* Verify we did not go off the rails */ 317 if (WARN_ON(s[-1] != '/')) 318 return -EIO; 319 320 err = ovl_lookup_single(base, d, s, thislen, 321 d->name.len - rem, next, &base, 322 drop_negative); 323 dput(dentry); 324 if (err) 325 return err; 326 dentry = base; 327 if (end) 328 break; 329 330 rem -= thislen + 1; 331 332 if (WARN_ON(rem >= d->name.len)) 333 return -EIO; 334 } 335 *ret = dentry; 336 return 0; 337 } 338 339 340 int ovl_check_origin_fh(struct ovl_fs *ofs, struct ovl_fh *fh, bool connected, 341 struct dentry *upperdentry, struct ovl_path **stackp) 342 { 343 struct dentry *origin = NULL; 344 int i; 345 346 for (i = 1; i < ofs->numlayer; i++) { 347 /* 348 * If lower fs uuid is not unique among lower fs we cannot match 349 * fh->uuid to layer. 350 */ 351 if (ofs->layers[i].fsid && 352 ofs->layers[i].fs->bad_uuid) 353 continue; 354 355 origin = ovl_decode_real_fh(fh, ofs->layers[i].mnt, 356 connected); 357 if (origin) 358 break; 359 } 360 361 if (!origin) 362 return -ESTALE; 363 else if (IS_ERR(origin)) 364 return PTR_ERR(origin); 365 366 if (upperdentry && !ovl_is_whiteout(upperdentry) && 367 ((d_inode(origin)->i_mode ^ d_inode(upperdentry)->i_mode) & S_IFMT)) 368 goto invalid; 369 370 if (!*stackp) 371 *stackp = kmalloc(sizeof(struct ovl_path), GFP_KERNEL); 372 if (!*stackp) { 373 dput(origin); 374 return -ENOMEM; 375 } 376 **stackp = (struct ovl_path){ 377 .dentry = origin, 378 .layer = &ofs->layers[i] 379 }; 380 381 return 0; 382 383 invalid: 384 pr_warn_ratelimited("invalid origin (%pd2, ftype=%x, origin ftype=%x).\n", 385 upperdentry, d_inode(upperdentry)->i_mode & S_IFMT, 386 d_inode(origin)->i_mode & S_IFMT); 387 dput(origin); 388 return -EIO; 389 } 390 391 static int ovl_check_origin(struct ovl_fs *ofs, struct dentry *upperdentry, 392 struct ovl_path **stackp, unsigned int *ctrp) 393 { 394 struct ovl_fh *fh = ovl_get_fh(upperdentry, OVL_XATTR_ORIGIN); 395 int err; 396 397 if (IS_ERR_OR_NULL(fh)) 398 return PTR_ERR(fh); 399 400 err = ovl_check_origin_fh(ofs, fh, false, upperdentry, stackp); 401 kfree(fh); 402 403 if (err) { 404 if (err == -ESTALE) 405 return 0; 406 return err; 407 } 408 409 if (WARN_ON(*ctrp)) 410 return -EIO; 411 412 *ctrp = 1; 413 return 0; 414 } 415 416 /* 417 * Verify that @fh matches the file handle stored in xattr @name. 418 * Return 0 on match, -ESTALE on mismatch, < 0 on error. 419 */ 420 static int ovl_verify_fh(struct dentry *dentry, const char *name, 421 const struct ovl_fh *fh) 422 { 423 struct ovl_fh *ofh = ovl_get_fh(dentry, name); 424 int err = 0; 425 426 if (!ofh) 427 return -ENODATA; 428 429 if (IS_ERR(ofh)) 430 return PTR_ERR(ofh); 431 432 if (fh->fb.len != ofh->fb.len || memcmp(&fh->fb, &ofh->fb, fh->fb.len)) 433 err = -ESTALE; 434 435 kfree(ofh); 436 return err; 437 } 438 439 /* 440 * Verify that @real dentry matches the file handle stored in xattr @name. 441 * 442 * If @set is true and there is no stored file handle, encode @real and store 443 * file handle in xattr @name. 444 * 445 * Return 0 on match, -ESTALE on mismatch, -ENODATA on no xattr, < 0 on error. 446 */ 447 int ovl_verify_set_fh(struct dentry *dentry, const char *name, 448 struct dentry *real, bool is_upper, bool set) 449 { 450 struct inode *inode; 451 struct ovl_fh *fh; 452 int err; 453 454 fh = ovl_encode_real_fh(real, is_upper); 455 err = PTR_ERR(fh); 456 if (IS_ERR(fh)) { 457 fh = NULL; 458 goto fail; 459 } 460 461 err = ovl_verify_fh(dentry, name, fh); 462 if (set && err == -ENODATA) 463 err = ovl_do_setxattr(dentry, name, fh->buf, fh->fb.len, 0); 464 if (err) 465 goto fail; 466 467 out: 468 kfree(fh); 469 return err; 470 471 fail: 472 inode = d_inode(real); 473 pr_warn_ratelimited("failed to verify %s (%pd2, ino=%lu, err=%i)\n", 474 is_upper ? "upper" : "origin", real, 475 inode ? inode->i_ino : 0, err); 476 goto out; 477 } 478 479 /* Get upper dentry from index */ 480 struct dentry *ovl_index_upper(struct ovl_fs *ofs, struct dentry *index) 481 { 482 struct ovl_fh *fh; 483 struct dentry *upper; 484 485 if (!d_is_dir(index)) 486 return dget(index); 487 488 fh = ovl_get_fh(index, OVL_XATTR_UPPER); 489 if (IS_ERR_OR_NULL(fh)) 490 return ERR_CAST(fh); 491 492 upper = ovl_decode_real_fh(fh, ovl_upper_mnt(ofs), true); 493 kfree(fh); 494 495 if (IS_ERR_OR_NULL(upper)) 496 return upper ?: ERR_PTR(-ESTALE); 497 498 if (!d_is_dir(upper)) { 499 pr_warn_ratelimited("invalid index upper (%pd2, upper=%pd2).\n", 500 index, upper); 501 dput(upper); 502 return ERR_PTR(-EIO); 503 } 504 505 return upper; 506 } 507 508 /* 509 * Verify that an index entry name matches the origin file handle stored in 510 * OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path. 511 * Return 0 on match, -ESTALE on mismatch or stale origin, < 0 on error. 512 */ 513 int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index) 514 { 515 struct ovl_fh *fh = NULL; 516 size_t len; 517 struct ovl_path origin = { }; 518 struct ovl_path *stack = &origin; 519 struct dentry *upper = NULL; 520 int err; 521 522 if (!d_inode(index)) 523 return 0; 524 525 err = -EINVAL; 526 if (index->d_name.len < sizeof(struct ovl_fb)*2) 527 goto fail; 528 529 err = -ENOMEM; 530 len = index->d_name.len / 2; 531 fh = kzalloc(len + OVL_FH_WIRE_OFFSET, GFP_KERNEL); 532 if (!fh) 533 goto fail; 534 535 err = -EINVAL; 536 if (hex2bin(fh->buf, index->d_name.name, len)) 537 goto fail; 538 539 err = ovl_check_fb_len(&fh->fb, len); 540 if (err) 541 goto fail; 542 543 /* 544 * Whiteout index entries are used as an indication that an exported 545 * overlay file handle should be treated as stale (i.e. after unlink 546 * of the overlay inode). These entries contain no origin xattr. 547 */ 548 if (ovl_is_whiteout(index)) 549 goto out; 550 551 /* 552 * Verifying directory index entries are not stale is expensive, so 553 * only verify stale dir index if NFS export is enabled. 554 */ 555 if (d_is_dir(index) && !ofs->config.nfs_export) 556 goto out; 557 558 /* 559 * Directory index entries should have 'upper' xattr pointing to the 560 * real upper dir. Non-dir index entries are hardlinks to the upper 561 * real inode. For non-dir index, we can read the copy up origin xattr 562 * directly from the index dentry, but for dir index we first need to 563 * decode the upper directory. 564 */ 565 upper = ovl_index_upper(ofs, index); 566 if (IS_ERR_OR_NULL(upper)) { 567 err = PTR_ERR(upper); 568 /* 569 * Directory index entries with no 'upper' xattr need to be 570 * removed. When dir index entry has a stale 'upper' xattr, 571 * we assume that upper dir was removed and we treat the dir 572 * index as orphan entry that needs to be whited out. 573 */ 574 if (err == -ESTALE) 575 goto orphan; 576 else if (!err) 577 err = -ESTALE; 578 goto fail; 579 } 580 581 err = ovl_verify_fh(upper, OVL_XATTR_ORIGIN, fh); 582 dput(upper); 583 if (err) 584 goto fail; 585 586 /* Check if non-dir index is orphan and don't warn before cleaning it */ 587 if (!d_is_dir(index) && d_inode(index)->i_nlink == 1) { 588 err = ovl_check_origin_fh(ofs, fh, false, index, &stack); 589 if (err) 590 goto fail; 591 592 if (ovl_get_nlink(origin.dentry, index, 0) == 0) 593 goto orphan; 594 } 595 596 out: 597 dput(origin.dentry); 598 kfree(fh); 599 return err; 600 601 fail: 602 pr_warn_ratelimited("failed to verify index (%pd2, ftype=%x, err=%i)\n", 603 index, d_inode(index)->i_mode & S_IFMT, err); 604 goto out; 605 606 orphan: 607 pr_warn_ratelimited("orphan index entry (%pd2, ftype=%x, nlink=%u)\n", 608 index, d_inode(index)->i_mode & S_IFMT, 609 d_inode(index)->i_nlink); 610 err = -ENOENT; 611 goto out; 612 } 613 614 static int ovl_get_index_name_fh(struct ovl_fh *fh, struct qstr *name) 615 { 616 char *n, *s; 617 618 n = kcalloc(fh->fb.len, 2, GFP_KERNEL); 619 if (!n) 620 return -ENOMEM; 621 622 s = bin2hex(n, fh->buf, fh->fb.len); 623 *name = (struct qstr) QSTR_INIT(n, s - n); 624 625 return 0; 626 627 } 628 629 /* 630 * Lookup in indexdir for the index entry of a lower real inode or a copy up 631 * origin inode. The index entry name is the hex representation of the lower 632 * inode file handle. 633 * 634 * If the index dentry in negative, then either no lower aliases have been 635 * copied up yet, or aliases have been copied up in older kernels and are 636 * not indexed. 637 * 638 * If the index dentry for a copy up origin inode is positive, but points 639 * to an inode different than the upper inode, then either the upper inode 640 * has been copied up and not indexed or it was indexed, but since then 641 * index dir was cleared. Either way, that index cannot be used to indentify 642 * the overlay inode. 643 */ 644 int ovl_get_index_name(struct dentry *origin, struct qstr *name) 645 { 646 struct ovl_fh *fh; 647 int err; 648 649 fh = ovl_encode_real_fh(origin, false); 650 if (IS_ERR(fh)) 651 return PTR_ERR(fh); 652 653 err = ovl_get_index_name_fh(fh, name); 654 655 kfree(fh); 656 return err; 657 } 658 659 /* Lookup index by file handle for NFS export */ 660 struct dentry *ovl_get_index_fh(struct ovl_fs *ofs, struct ovl_fh *fh) 661 { 662 struct dentry *index; 663 struct qstr name; 664 int err; 665 666 err = ovl_get_index_name_fh(fh, &name); 667 if (err) 668 return ERR_PTR(err); 669 670 index = lookup_positive_unlocked(name.name, ofs->indexdir, name.len); 671 kfree(name.name); 672 if (IS_ERR(index)) { 673 if (PTR_ERR(index) == -ENOENT) 674 index = NULL; 675 return index; 676 } 677 678 if (ovl_is_whiteout(index)) 679 err = -ESTALE; 680 else if (ovl_dentry_weird(index)) 681 err = -EIO; 682 else 683 return index; 684 685 dput(index); 686 return ERR_PTR(err); 687 } 688 689 struct dentry *ovl_lookup_index(struct ovl_fs *ofs, struct dentry *upper, 690 struct dentry *origin, bool verify) 691 { 692 struct dentry *index; 693 struct inode *inode; 694 struct qstr name; 695 bool is_dir = d_is_dir(origin); 696 int err; 697 698 err = ovl_get_index_name(origin, &name); 699 if (err) 700 return ERR_PTR(err); 701 702 index = lookup_positive_unlocked(name.name, ofs->indexdir, name.len); 703 if (IS_ERR(index)) { 704 err = PTR_ERR(index); 705 if (err == -ENOENT) { 706 index = NULL; 707 goto out; 708 } 709 pr_warn_ratelimited("failed inode index lookup (ino=%lu, key=%.*s, err=%i);\n" 710 "overlayfs: mount with '-o index=off' to disable inodes index.\n", 711 d_inode(origin)->i_ino, name.len, name.name, 712 err); 713 goto out; 714 } 715 716 inode = d_inode(index); 717 if (ovl_is_whiteout(index) && !verify) { 718 /* 719 * When index lookup is called with !verify for decoding an 720 * overlay file handle, a whiteout index implies that decode 721 * should treat file handle as stale and no need to print a 722 * warning about it. 723 */ 724 dput(index); 725 index = ERR_PTR(-ESTALE); 726 goto out; 727 } else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) || 728 ((inode->i_mode ^ d_inode(origin)->i_mode) & S_IFMT)) { 729 /* 730 * Index should always be of the same file type as origin 731 * except for the case of a whiteout index. A whiteout 732 * index should only exist if all lower aliases have been 733 * unlinked, which means that finding a lower origin on lookup 734 * whose index is a whiteout should be treated as an error. 735 */ 736 pr_warn_ratelimited("bad index found (index=%pd2, ftype=%x, origin ftype=%x).\n", 737 index, d_inode(index)->i_mode & S_IFMT, 738 d_inode(origin)->i_mode & S_IFMT); 739 goto fail; 740 } else if (is_dir && verify) { 741 if (!upper) { 742 pr_warn_ratelimited("suspected uncovered redirected dir found (origin=%pd2, index=%pd2).\n", 743 origin, index); 744 goto fail; 745 } 746 747 /* Verify that dir index 'upper' xattr points to upper dir */ 748 err = ovl_verify_upper(index, upper, false); 749 if (err) { 750 if (err == -ESTALE) { 751 pr_warn_ratelimited("suspected multiply redirected dir found (upper=%pd2, origin=%pd2, index=%pd2).\n", 752 upper, origin, index); 753 } 754 goto fail; 755 } 756 } else if (upper && d_inode(upper) != inode) { 757 goto out_dput; 758 } 759 out: 760 kfree(name.name); 761 return index; 762 763 out_dput: 764 dput(index); 765 index = NULL; 766 goto out; 767 768 fail: 769 dput(index); 770 index = ERR_PTR(-EIO); 771 goto out; 772 } 773 774 /* 775 * Returns next layer in stack starting from top. 776 * Returns -1 if this is the last layer. 777 */ 778 int ovl_path_next(int idx, struct dentry *dentry, struct path *path) 779 { 780 struct ovl_entry *oe = dentry->d_fsdata; 781 782 BUG_ON(idx < 0); 783 if (idx == 0) { 784 ovl_path_upper(dentry, path); 785 if (path->dentry) 786 return oe->numlower ? 1 : -1; 787 idx++; 788 } 789 BUG_ON(idx > oe->numlower); 790 path->dentry = oe->lowerstack[idx - 1].dentry; 791 path->mnt = oe->lowerstack[idx - 1].layer->mnt; 792 793 return (idx < oe->numlower) ? idx + 1 : -1; 794 } 795 796 /* Fix missing 'origin' xattr */ 797 static int ovl_fix_origin(struct dentry *dentry, struct dentry *lower, 798 struct dentry *upper) 799 { 800 int err; 801 802 if (ovl_check_origin_xattr(upper)) 803 return 0; 804 805 err = ovl_want_write(dentry); 806 if (err) 807 return err; 808 809 err = ovl_set_origin(dentry, lower, upper); 810 if (!err) 811 err = ovl_set_impure(dentry->d_parent, upper->d_parent); 812 813 ovl_drop_write(dentry); 814 return err; 815 } 816 817 struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry, 818 unsigned int flags) 819 { 820 struct ovl_entry *oe; 821 const struct cred *old_cred; 822 struct ovl_fs *ofs = dentry->d_sb->s_fs_info; 823 struct ovl_entry *poe = dentry->d_parent->d_fsdata; 824 struct ovl_entry *roe = dentry->d_sb->s_root->d_fsdata; 825 struct ovl_path *stack = NULL, *origin_path = NULL; 826 struct dentry *upperdir, *upperdentry = NULL; 827 struct dentry *origin = NULL; 828 struct dentry *index = NULL; 829 unsigned int ctr = 0; 830 struct inode *inode = NULL; 831 bool upperopaque = false; 832 char *upperredirect = NULL; 833 struct dentry *this; 834 unsigned int i; 835 int err; 836 bool uppermetacopy = false; 837 struct ovl_lookup_data d = { 838 .sb = dentry->d_sb, 839 .name = dentry->d_name, 840 .is_dir = false, 841 .opaque = false, 842 .stop = false, 843 .last = ofs->config.redirect_follow ? false : !poe->numlower, 844 .redirect = NULL, 845 .metacopy = false, 846 }; 847 848 if (dentry->d_name.len > ofs->namelen) 849 return ERR_PTR(-ENAMETOOLONG); 850 851 old_cred = ovl_override_creds(dentry->d_sb); 852 upperdir = ovl_dentry_upper(dentry->d_parent); 853 if (upperdir) { 854 err = ovl_lookup_layer(upperdir, &d, &upperdentry, true); 855 if (err) 856 goto out; 857 858 if (upperdentry && upperdentry->d_flags & DCACHE_OP_REAL) { 859 dput(upperdentry); 860 err = -EREMOTE; 861 goto out; 862 } 863 if (upperdentry && !d.is_dir) { 864 unsigned int origin_ctr = 0; 865 866 /* 867 * Lookup copy up origin by decoding origin file handle. 868 * We may get a disconnected dentry, which is fine, 869 * because we only need to hold the origin inode in 870 * cache and use its inode number. We may even get a 871 * connected dentry, that is not under any of the lower 872 * layers root. That is also fine for using it's inode 873 * number - it's the same as if we held a reference 874 * to a dentry in lower layer that was moved under us. 875 */ 876 err = ovl_check_origin(ofs, upperdentry, &origin_path, 877 &origin_ctr); 878 if (err) 879 goto out_put_upper; 880 881 if (d.metacopy) 882 uppermetacopy = true; 883 } 884 885 if (d.redirect) { 886 err = -ENOMEM; 887 upperredirect = kstrdup(d.redirect, GFP_KERNEL); 888 if (!upperredirect) 889 goto out_put_upper; 890 if (d.redirect[0] == '/') 891 poe = roe; 892 } 893 upperopaque = d.opaque; 894 } 895 896 if (!d.stop && poe->numlower) { 897 err = -ENOMEM; 898 stack = kcalloc(ofs->numlayer - 1, sizeof(struct ovl_path), 899 GFP_KERNEL); 900 if (!stack) 901 goto out_put_upper; 902 } 903 904 for (i = 0; !d.stop && i < poe->numlower; i++) { 905 struct ovl_path lower = poe->lowerstack[i]; 906 907 if (!ofs->config.redirect_follow) 908 d.last = i == poe->numlower - 1; 909 else 910 d.last = lower.layer->idx == roe->numlower; 911 912 err = ovl_lookup_layer(lower.dentry, &d, &this, false); 913 if (err) 914 goto out_put; 915 916 if (!this) 917 continue; 918 919 if ((uppermetacopy || d.metacopy) && !ofs->config.metacopy) { 920 err = -EPERM; 921 pr_warn_ratelimited("refusing to follow metacopy origin for (%pd2)\n", dentry); 922 goto out_put; 923 } 924 925 /* 926 * If no origin fh is stored in upper of a merge dir, store fh 927 * of lower dir and set upper parent "impure". 928 */ 929 if (upperdentry && !ctr && !ofs->noxattr && d.is_dir) { 930 err = ovl_fix_origin(dentry, this, upperdentry); 931 if (err) { 932 dput(this); 933 goto out_put; 934 } 935 } 936 937 /* 938 * When "verify_lower" feature is enabled, do not merge with a 939 * lower dir that does not match a stored origin xattr. In any 940 * case, only verified origin is used for index lookup. 941 * 942 * For non-dir dentry, if index=on, then ensure origin 943 * matches the dentry found using path based lookup, 944 * otherwise error out. 945 */ 946 if (upperdentry && !ctr && 947 ((d.is_dir && ovl_verify_lower(dentry->d_sb)) || 948 (!d.is_dir && ofs->config.index && origin_path))) { 949 err = ovl_verify_origin(upperdentry, this, false); 950 if (err) { 951 dput(this); 952 if (d.is_dir) 953 break; 954 goto out_put; 955 } 956 origin = this; 957 } 958 959 if (d.metacopy && ctr) { 960 /* 961 * Do not store intermediate metacopy dentries in 962 * lower chain, except top most lower metacopy dentry. 963 * Continue the loop so that if there is an absolute 964 * redirect on this dentry, poe can be reset to roe. 965 */ 966 dput(this); 967 this = NULL; 968 } else { 969 stack[ctr].dentry = this; 970 stack[ctr].layer = lower.layer; 971 ctr++; 972 } 973 974 /* 975 * Following redirects can have security consequences: it's like 976 * a symlink into the lower layer without the permission checks. 977 * This is only a problem if the upper layer is untrusted (e.g 978 * comes from an USB drive). This can allow a non-readable file 979 * or directory to become readable. 980 * 981 * Only following redirects when redirects are enabled disables 982 * this attack vector when not necessary. 983 */ 984 err = -EPERM; 985 if (d.redirect && !ofs->config.redirect_follow) { 986 pr_warn_ratelimited("refusing to follow redirect for (%pd2)\n", 987 dentry); 988 goto out_put; 989 } 990 991 if (d.stop) 992 break; 993 994 if (d.redirect && d.redirect[0] == '/' && poe != roe) { 995 poe = roe; 996 /* Find the current layer on the root dentry */ 997 i = lower.layer->idx - 1; 998 } 999 } 1000 1001 /* 1002 * For regular non-metacopy upper dentries, there is no lower 1003 * path based lookup, hence ctr will be zero. If a dentry is found 1004 * using ORIGIN xattr on upper, install it in stack. 1005 * 1006 * For metacopy dentry, path based lookup will find lower dentries. 1007 * Just make sure a corresponding data dentry has been found. 1008 */ 1009 if (d.metacopy || (uppermetacopy && !ctr)) { 1010 err = -EIO; 1011 goto out_put; 1012 } else if (!d.is_dir && upperdentry && !ctr && origin_path) { 1013 if (WARN_ON(stack != NULL)) { 1014 err = -EIO; 1015 goto out_put; 1016 } 1017 stack = origin_path; 1018 ctr = 1; 1019 origin = origin_path->dentry; 1020 origin_path = NULL; 1021 } 1022 1023 /* 1024 * Always lookup index if there is no-upperdentry. 1025 * 1026 * For the case of upperdentry, we have set origin by now if it 1027 * needed to be set. There are basically three cases. 1028 * 1029 * For directories, lookup index by lower inode and verify it matches 1030 * upper inode. We only trust dir index if we verified that lower dir 1031 * matches origin, otherwise dir index entries may be inconsistent 1032 * and we ignore them. 1033 * 1034 * For regular upper, we already set origin if upper had ORIGIN 1035 * xattr. There is no verification though as there is no path 1036 * based dentry lookup in lower in this case. 1037 * 1038 * For metacopy upper, we set a verified origin already if index 1039 * is enabled and if upper had an ORIGIN xattr. 1040 * 1041 */ 1042 if (!upperdentry && ctr) 1043 origin = stack[0].dentry; 1044 1045 if (origin && ovl_indexdir(dentry->d_sb) && 1046 (!d.is_dir || ovl_index_all(dentry->d_sb))) { 1047 index = ovl_lookup_index(ofs, upperdentry, origin, true); 1048 if (IS_ERR(index)) { 1049 err = PTR_ERR(index); 1050 index = NULL; 1051 goto out_put; 1052 } 1053 } 1054 1055 oe = ovl_alloc_entry(ctr); 1056 err = -ENOMEM; 1057 if (!oe) 1058 goto out_put; 1059 1060 memcpy(oe->lowerstack, stack, sizeof(struct ovl_path) * ctr); 1061 dentry->d_fsdata = oe; 1062 1063 if (upperopaque) 1064 ovl_dentry_set_opaque(dentry); 1065 1066 if (upperdentry) 1067 ovl_dentry_set_upper_alias(dentry); 1068 else if (index) { 1069 upperdentry = dget(index); 1070 upperredirect = ovl_get_redirect_xattr(upperdentry, 0); 1071 if (IS_ERR(upperredirect)) { 1072 err = PTR_ERR(upperredirect); 1073 upperredirect = NULL; 1074 goto out_free_oe; 1075 } 1076 } 1077 1078 if (upperdentry || ctr) { 1079 struct ovl_inode_params oip = { 1080 .upperdentry = upperdentry, 1081 .lowerpath = stack, 1082 .index = index, 1083 .numlower = ctr, 1084 .redirect = upperredirect, 1085 .lowerdata = (ctr > 1 && !d.is_dir) ? 1086 stack[ctr - 1].dentry : NULL, 1087 }; 1088 1089 inode = ovl_get_inode(dentry->d_sb, &oip); 1090 err = PTR_ERR(inode); 1091 if (IS_ERR(inode)) 1092 goto out_free_oe; 1093 if (upperdentry && !uppermetacopy) 1094 ovl_set_flag(OVL_UPPERDATA, inode); 1095 } 1096 1097 ovl_dentry_update_reval(dentry, upperdentry, 1098 DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE); 1099 1100 revert_creds(old_cred); 1101 if (origin_path) { 1102 dput(origin_path->dentry); 1103 kfree(origin_path); 1104 } 1105 dput(index); 1106 kfree(stack); 1107 kfree(d.redirect); 1108 return d_splice_alias(inode, dentry); 1109 1110 out_free_oe: 1111 dentry->d_fsdata = NULL; 1112 kfree(oe); 1113 out_put: 1114 dput(index); 1115 for (i = 0; i < ctr; i++) 1116 dput(stack[i].dentry); 1117 kfree(stack); 1118 out_put_upper: 1119 if (origin_path) { 1120 dput(origin_path->dentry); 1121 kfree(origin_path); 1122 } 1123 dput(upperdentry); 1124 kfree(upperredirect); 1125 out: 1126 kfree(d.redirect); 1127 revert_creds(old_cred); 1128 return ERR_PTR(err); 1129 } 1130 1131 bool ovl_lower_positive(struct dentry *dentry) 1132 { 1133 struct ovl_entry *poe = dentry->d_parent->d_fsdata; 1134 const struct qstr *name = &dentry->d_name; 1135 const struct cred *old_cred; 1136 unsigned int i; 1137 bool positive = false; 1138 bool done = false; 1139 1140 /* 1141 * If dentry is negative, then lower is positive iff this is a 1142 * whiteout. 1143 */ 1144 if (!dentry->d_inode) 1145 return ovl_dentry_is_opaque(dentry); 1146 1147 /* Negative upper -> positive lower */ 1148 if (!ovl_dentry_upper(dentry)) 1149 return true; 1150 1151 old_cred = ovl_override_creds(dentry->d_sb); 1152 /* Positive upper -> have to look up lower to see whether it exists */ 1153 for (i = 0; !done && !positive && i < poe->numlower; i++) { 1154 struct dentry *this; 1155 struct dentry *lowerdir = poe->lowerstack[i].dentry; 1156 1157 this = lookup_positive_unlocked(name->name, lowerdir, 1158 name->len); 1159 if (IS_ERR(this)) { 1160 switch (PTR_ERR(this)) { 1161 case -ENOENT: 1162 case -ENAMETOOLONG: 1163 break; 1164 1165 default: 1166 /* 1167 * Assume something is there, we just couldn't 1168 * access it. 1169 */ 1170 positive = true; 1171 break; 1172 } 1173 } else { 1174 positive = !ovl_is_whiteout(this); 1175 done = true; 1176 dput(this); 1177 } 1178 } 1179 revert_creds(old_cred); 1180 1181 return positive; 1182 } 1183