1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2011 Novell Inc. 4 * Copyright (C) 2016 Red Hat, Inc. 5 */ 6 7 #include <linux/fs.h> 8 #include <linux/cred.h> 9 #include <linux/ctype.h> 10 #include <linux/namei.h> 11 #include <linux/xattr.h> 12 #include <linux/ratelimit.h> 13 #include <linux/mount.h> 14 #include <linux/exportfs.h> 15 #include "overlayfs.h" 16 17 struct ovl_lookup_data { 18 struct super_block *sb; 19 struct vfsmount *mnt; 20 struct qstr name; 21 bool is_dir; 22 bool opaque; 23 bool stop; 24 bool last; 25 char *redirect; 26 bool metacopy; 27 }; 28 29 static int ovl_check_redirect(const struct path *path, struct ovl_lookup_data *d, 30 size_t prelen, const char *post) 31 { 32 int res; 33 char *buf; 34 struct ovl_fs *ofs = OVL_FS(d->sb); 35 36 buf = ovl_get_redirect_xattr(ofs, path, prelen + strlen(post)); 37 if (IS_ERR_OR_NULL(buf)) 38 return PTR_ERR(buf); 39 40 if (buf[0] == '/') { 41 /* 42 * One of the ancestor path elements in an absolute path 43 * lookup in ovl_lookup_layer() could have been opaque and 44 * that will stop further lookup in lower layers (d->stop=true) 45 * But we have found an absolute redirect in descendant path 46 * element and that should force continue lookup in lower 47 * layers (reset d->stop). 48 */ 49 d->stop = false; 50 } else { 51 res = strlen(buf) + 1; 52 memmove(buf + prelen, buf, res); 53 memcpy(buf, d->name.name, prelen); 54 } 55 56 strcat(buf, post); 57 kfree(d->redirect); 58 d->redirect = buf; 59 d->name.name = d->redirect; 60 d->name.len = strlen(d->redirect); 61 62 return 0; 63 } 64 65 static int ovl_acceptable(void *ctx, struct dentry *dentry) 66 { 67 /* 68 * A non-dir origin may be disconnected, which is fine, because 69 * we only need it for its unique inode number. 70 */ 71 if (!d_is_dir(dentry)) 72 return 1; 73 74 /* Don't decode a deleted empty directory */ 75 if (d_unhashed(dentry)) 76 return 0; 77 78 /* Check if directory belongs to the layer we are decoding from */ 79 return is_subdir(dentry, ((struct vfsmount *)ctx)->mnt_root); 80 } 81 82 /* 83 * Check validity of an overlay file handle buffer. 84 * 85 * Return 0 for a valid file handle. 86 * Return -ENODATA for "origin unknown". 87 * Return <0 for an invalid file handle. 88 */ 89 int ovl_check_fb_len(struct ovl_fb *fb, int fb_len) 90 { 91 if (fb_len < sizeof(struct ovl_fb) || fb_len < fb->len) 92 return -EINVAL; 93 94 if (fb->magic != OVL_FH_MAGIC) 95 return -EINVAL; 96 97 /* Treat larger version and unknown flags as "origin unknown" */ 98 if (fb->version > OVL_FH_VERSION || fb->flags & ~OVL_FH_FLAG_ALL) 99 return -ENODATA; 100 101 /* Treat endianness mismatch as "origin unknown" */ 102 if (!(fb->flags & OVL_FH_FLAG_ANY_ENDIAN) && 103 (fb->flags & OVL_FH_FLAG_BIG_ENDIAN) != OVL_FH_FLAG_CPU_ENDIAN) 104 return -ENODATA; 105 106 return 0; 107 } 108 109 static struct ovl_fh *ovl_get_fh(struct ovl_fs *ofs, struct dentry *upperdentry, 110 enum ovl_xattr ox) 111 { 112 int res, err; 113 struct ovl_fh *fh = NULL; 114 115 res = ovl_getxattr_upper(ofs, upperdentry, ox, NULL, 0); 116 if (res < 0) { 117 if (res == -ENODATA || res == -EOPNOTSUPP) 118 return NULL; 119 goto fail; 120 } 121 /* Zero size value means "copied up but origin unknown" */ 122 if (res == 0) 123 return NULL; 124 125 fh = kzalloc(res + OVL_FH_WIRE_OFFSET, GFP_KERNEL); 126 if (!fh) 127 return ERR_PTR(-ENOMEM); 128 129 res = ovl_getxattr_upper(ofs, upperdentry, ox, fh->buf, res); 130 if (res < 0) 131 goto fail; 132 133 err = ovl_check_fb_len(&fh->fb, res); 134 if (err < 0) { 135 if (err == -ENODATA) 136 goto out; 137 goto invalid; 138 } 139 140 return fh; 141 142 out: 143 kfree(fh); 144 return NULL; 145 146 fail: 147 pr_warn_ratelimited("failed to get origin (%i)\n", res); 148 goto out; 149 invalid: 150 pr_warn_ratelimited("invalid origin (%*phN)\n", res, fh); 151 goto out; 152 } 153 154 struct dentry *ovl_decode_real_fh(struct ovl_fs *ofs, struct ovl_fh *fh, 155 struct vfsmount *mnt, bool connected) 156 { 157 struct dentry *real; 158 int bytes; 159 160 if (!capable(CAP_DAC_READ_SEARCH)) 161 return NULL; 162 163 /* 164 * Make sure that the stored uuid matches the uuid of the lower 165 * layer where file handle will be decoded. 166 * In case of uuid=off option just make sure that stored uuid is null. 167 */ 168 if (ofs->config.uuid ? !uuid_equal(&fh->fb.uuid, &mnt->mnt_sb->s_uuid) : 169 !uuid_is_null(&fh->fb.uuid)) 170 return NULL; 171 172 bytes = (fh->fb.len - offsetof(struct ovl_fb, fid)); 173 real = exportfs_decode_fh(mnt, (struct fid *)fh->fb.fid, 174 bytes >> 2, (int)fh->fb.type, 175 connected ? ovl_acceptable : NULL, mnt); 176 if (IS_ERR(real)) { 177 /* 178 * Treat stale file handle to lower file as "origin unknown". 179 * upper file handle could become stale when upper file is 180 * unlinked and this information is needed to handle stale 181 * index entries correctly. 182 */ 183 if (real == ERR_PTR(-ESTALE) && 184 !(fh->fb.flags & OVL_FH_FLAG_PATH_UPPER)) 185 real = NULL; 186 return real; 187 } 188 189 if (ovl_dentry_weird(real)) { 190 dput(real); 191 return NULL; 192 } 193 194 return real; 195 } 196 197 static bool ovl_is_opaquedir(struct ovl_fs *ofs, const struct path *path) 198 { 199 return ovl_path_check_dir_xattr(ofs, path, OVL_XATTR_OPAQUE); 200 } 201 202 static struct dentry *ovl_lookup_positive_unlocked(struct ovl_lookup_data *d, 203 const char *name, 204 struct dentry *base, int len, 205 bool drop_negative) 206 { 207 struct dentry *ret = lookup_one_unlocked(mnt_user_ns(d->mnt), name, base, len); 208 209 if (!IS_ERR(ret) && d_flags_negative(smp_load_acquire(&ret->d_flags))) { 210 if (drop_negative && ret->d_lockref.count == 1) { 211 spin_lock(&ret->d_lock); 212 /* Recheck condition under lock */ 213 if (d_is_negative(ret) && ret->d_lockref.count == 1) 214 __d_drop(ret); 215 spin_unlock(&ret->d_lock); 216 } 217 dput(ret); 218 ret = ERR_PTR(-ENOENT); 219 } 220 return ret; 221 } 222 223 static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d, 224 const char *name, unsigned int namelen, 225 size_t prelen, const char *post, 226 struct dentry **ret, bool drop_negative) 227 { 228 struct dentry *this; 229 struct path path; 230 int err; 231 bool last_element = !post[0]; 232 233 this = ovl_lookup_positive_unlocked(d, name, base, namelen, drop_negative); 234 if (IS_ERR(this)) { 235 err = PTR_ERR(this); 236 this = NULL; 237 if (err == -ENOENT || err == -ENAMETOOLONG) 238 goto out; 239 goto out_err; 240 } 241 242 if (ovl_dentry_weird(this)) { 243 /* Don't support traversing automounts and other weirdness */ 244 err = -EREMOTE; 245 goto out_err; 246 } 247 if (ovl_is_whiteout(this)) { 248 d->stop = d->opaque = true; 249 goto put_and_out; 250 } 251 /* 252 * This dentry should be a regular file if previous layer lookup 253 * found a metacopy dentry. 254 */ 255 if (last_element && d->metacopy && !d_is_reg(this)) { 256 d->stop = true; 257 goto put_and_out; 258 } 259 260 path.dentry = this; 261 path.mnt = d->mnt; 262 if (!d_can_lookup(this)) { 263 if (d->is_dir || !last_element) { 264 d->stop = true; 265 goto put_and_out; 266 } 267 err = ovl_check_metacopy_xattr(OVL_FS(d->sb), &path); 268 if (err < 0) 269 goto out_err; 270 271 d->metacopy = err; 272 d->stop = !d->metacopy; 273 if (!d->metacopy || d->last) 274 goto out; 275 } else { 276 if (ovl_lookup_trap_inode(d->sb, this)) { 277 /* Caught in a trap of overlapping layers */ 278 err = -ELOOP; 279 goto out_err; 280 } 281 282 if (last_element) 283 d->is_dir = true; 284 if (d->last) 285 goto out; 286 287 if (ovl_is_opaquedir(OVL_FS(d->sb), &path)) { 288 d->stop = true; 289 if (last_element) 290 d->opaque = true; 291 goto out; 292 } 293 } 294 err = ovl_check_redirect(&path, d, prelen, post); 295 if (err) 296 goto out_err; 297 out: 298 *ret = this; 299 return 0; 300 301 put_and_out: 302 dput(this); 303 this = NULL; 304 goto out; 305 306 out_err: 307 dput(this); 308 return err; 309 } 310 311 static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d, 312 struct dentry **ret, bool drop_negative) 313 { 314 /* Counting down from the end, since the prefix can change */ 315 size_t rem = d->name.len - 1; 316 struct dentry *dentry = NULL; 317 int err; 318 319 if (d->name.name[0] != '/') 320 return ovl_lookup_single(base, d, d->name.name, d->name.len, 321 0, "", ret, drop_negative); 322 323 while (!IS_ERR_OR_NULL(base) && d_can_lookup(base)) { 324 const char *s = d->name.name + d->name.len - rem; 325 const char *next = strchrnul(s, '/'); 326 size_t thislen = next - s; 327 bool end = !next[0]; 328 329 /* Verify we did not go off the rails */ 330 if (WARN_ON(s[-1] != '/')) 331 return -EIO; 332 333 err = ovl_lookup_single(base, d, s, thislen, 334 d->name.len - rem, next, &base, 335 drop_negative); 336 dput(dentry); 337 if (err) 338 return err; 339 dentry = base; 340 if (end) 341 break; 342 343 rem -= thislen + 1; 344 345 if (WARN_ON(rem >= d->name.len)) 346 return -EIO; 347 } 348 *ret = dentry; 349 return 0; 350 } 351 352 353 int ovl_check_origin_fh(struct ovl_fs *ofs, struct ovl_fh *fh, bool connected, 354 struct dentry *upperdentry, struct ovl_path **stackp) 355 { 356 struct dentry *origin = NULL; 357 int i; 358 359 for (i = 1; i < ofs->numlayer; i++) { 360 /* 361 * If lower fs uuid is not unique among lower fs we cannot match 362 * fh->uuid to layer. 363 */ 364 if (ofs->layers[i].fsid && 365 ofs->layers[i].fs->bad_uuid) 366 continue; 367 368 origin = ovl_decode_real_fh(ofs, fh, ofs->layers[i].mnt, 369 connected); 370 if (origin) 371 break; 372 } 373 374 if (!origin) 375 return -ESTALE; 376 else if (IS_ERR(origin)) 377 return PTR_ERR(origin); 378 379 if (upperdentry && !ovl_is_whiteout(upperdentry) && 380 inode_wrong_type(d_inode(upperdentry), d_inode(origin)->i_mode)) 381 goto invalid; 382 383 if (!*stackp) 384 *stackp = kmalloc(sizeof(struct ovl_path), GFP_KERNEL); 385 if (!*stackp) { 386 dput(origin); 387 return -ENOMEM; 388 } 389 **stackp = (struct ovl_path){ 390 .dentry = origin, 391 .layer = &ofs->layers[i] 392 }; 393 394 return 0; 395 396 invalid: 397 pr_warn_ratelimited("invalid origin (%pd2, ftype=%x, origin ftype=%x).\n", 398 upperdentry, d_inode(upperdentry)->i_mode & S_IFMT, 399 d_inode(origin)->i_mode & S_IFMT); 400 dput(origin); 401 return -ESTALE; 402 } 403 404 static int ovl_check_origin(struct ovl_fs *ofs, struct dentry *upperdentry, 405 struct ovl_path **stackp) 406 { 407 struct ovl_fh *fh = ovl_get_fh(ofs, upperdentry, OVL_XATTR_ORIGIN); 408 int err; 409 410 if (IS_ERR_OR_NULL(fh)) 411 return PTR_ERR(fh); 412 413 err = ovl_check_origin_fh(ofs, fh, false, upperdentry, stackp); 414 kfree(fh); 415 416 if (err) { 417 if (err == -ESTALE) 418 return 0; 419 return err; 420 } 421 422 return 0; 423 } 424 425 /* 426 * Verify that @fh matches the file handle stored in xattr @name. 427 * Return 0 on match, -ESTALE on mismatch, < 0 on error. 428 */ 429 static int ovl_verify_fh(struct ovl_fs *ofs, struct dentry *dentry, 430 enum ovl_xattr ox, const struct ovl_fh *fh) 431 { 432 struct ovl_fh *ofh = ovl_get_fh(ofs, dentry, ox); 433 int err = 0; 434 435 if (!ofh) 436 return -ENODATA; 437 438 if (IS_ERR(ofh)) 439 return PTR_ERR(ofh); 440 441 if (fh->fb.len != ofh->fb.len || memcmp(&fh->fb, &ofh->fb, fh->fb.len)) 442 err = -ESTALE; 443 444 kfree(ofh); 445 return err; 446 } 447 448 /* 449 * Verify that @real dentry matches the file handle stored in xattr @name. 450 * 451 * If @set is true and there is no stored file handle, encode @real and store 452 * file handle in xattr @name. 453 * 454 * Return 0 on match, -ESTALE on mismatch, -ENODATA on no xattr, < 0 on error. 455 */ 456 int ovl_verify_set_fh(struct ovl_fs *ofs, struct dentry *dentry, 457 enum ovl_xattr ox, struct dentry *real, bool is_upper, 458 bool set) 459 { 460 struct inode *inode; 461 struct ovl_fh *fh; 462 int err; 463 464 fh = ovl_encode_real_fh(ofs, real, is_upper); 465 err = PTR_ERR(fh); 466 if (IS_ERR(fh)) { 467 fh = NULL; 468 goto fail; 469 } 470 471 err = ovl_verify_fh(ofs, dentry, ox, fh); 472 if (set && err == -ENODATA) 473 err = ovl_setxattr(ofs, dentry, ox, fh->buf, fh->fb.len); 474 if (err) 475 goto fail; 476 477 out: 478 kfree(fh); 479 return err; 480 481 fail: 482 inode = d_inode(real); 483 pr_warn_ratelimited("failed to verify %s (%pd2, ino=%lu, err=%i)\n", 484 is_upper ? "upper" : "origin", real, 485 inode ? inode->i_ino : 0, err); 486 goto out; 487 } 488 489 /* Get upper dentry from index */ 490 struct dentry *ovl_index_upper(struct ovl_fs *ofs, struct dentry *index, 491 bool connected) 492 { 493 struct ovl_fh *fh; 494 struct dentry *upper; 495 496 if (!d_is_dir(index)) 497 return dget(index); 498 499 fh = ovl_get_fh(ofs, index, OVL_XATTR_UPPER); 500 if (IS_ERR_OR_NULL(fh)) 501 return ERR_CAST(fh); 502 503 upper = ovl_decode_real_fh(ofs, fh, ovl_upper_mnt(ofs), connected); 504 kfree(fh); 505 506 if (IS_ERR_OR_NULL(upper)) 507 return upper ?: ERR_PTR(-ESTALE); 508 509 if (!d_is_dir(upper)) { 510 pr_warn_ratelimited("invalid index upper (%pd2, upper=%pd2).\n", 511 index, upper); 512 dput(upper); 513 return ERR_PTR(-EIO); 514 } 515 516 return upper; 517 } 518 519 /* 520 * Verify that an index entry name matches the origin file handle stored in 521 * OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path. 522 * Return 0 on match, -ESTALE on mismatch or stale origin, < 0 on error. 523 */ 524 int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index) 525 { 526 struct ovl_fh *fh = NULL; 527 size_t len; 528 struct ovl_path origin = { }; 529 struct ovl_path *stack = &origin; 530 struct dentry *upper = NULL; 531 int err; 532 533 if (!d_inode(index)) 534 return 0; 535 536 err = -EINVAL; 537 if (index->d_name.len < sizeof(struct ovl_fb)*2) 538 goto fail; 539 540 err = -ENOMEM; 541 len = index->d_name.len / 2; 542 fh = kzalloc(len + OVL_FH_WIRE_OFFSET, GFP_KERNEL); 543 if (!fh) 544 goto fail; 545 546 err = -EINVAL; 547 if (hex2bin(fh->buf, index->d_name.name, len)) 548 goto fail; 549 550 err = ovl_check_fb_len(&fh->fb, len); 551 if (err) 552 goto fail; 553 554 /* 555 * Whiteout index entries are used as an indication that an exported 556 * overlay file handle should be treated as stale (i.e. after unlink 557 * of the overlay inode). These entries contain no origin xattr. 558 */ 559 if (ovl_is_whiteout(index)) 560 goto out; 561 562 /* 563 * Verifying directory index entries are not stale is expensive, so 564 * only verify stale dir index if NFS export is enabled. 565 */ 566 if (d_is_dir(index) && !ofs->config.nfs_export) 567 goto out; 568 569 /* 570 * Directory index entries should have 'upper' xattr pointing to the 571 * real upper dir. Non-dir index entries are hardlinks to the upper 572 * real inode. For non-dir index, we can read the copy up origin xattr 573 * directly from the index dentry, but for dir index we first need to 574 * decode the upper directory. 575 */ 576 upper = ovl_index_upper(ofs, index, false); 577 if (IS_ERR_OR_NULL(upper)) { 578 err = PTR_ERR(upper); 579 /* 580 * Directory index entries with no 'upper' xattr need to be 581 * removed. When dir index entry has a stale 'upper' xattr, 582 * we assume that upper dir was removed and we treat the dir 583 * index as orphan entry that needs to be whited out. 584 */ 585 if (err == -ESTALE) 586 goto orphan; 587 else if (!err) 588 err = -ESTALE; 589 goto fail; 590 } 591 592 err = ovl_verify_fh(ofs, upper, OVL_XATTR_ORIGIN, fh); 593 dput(upper); 594 if (err) 595 goto fail; 596 597 /* Check if non-dir index is orphan and don't warn before cleaning it */ 598 if (!d_is_dir(index) && d_inode(index)->i_nlink == 1) { 599 err = ovl_check_origin_fh(ofs, fh, false, index, &stack); 600 if (err) 601 goto fail; 602 603 if (ovl_get_nlink(ofs, origin.dentry, index, 0) == 0) 604 goto orphan; 605 } 606 607 out: 608 dput(origin.dentry); 609 kfree(fh); 610 return err; 611 612 fail: 613 pr_warn_ratelimited("failed to verify index (%pd2, ftype=%x, err=%i)\n", 614 index, d_inode(index)->i_mode & S_IFMT, err); 615 goto out; 616 617 orphan: 618 pr_warn_ratelimited("orphan index entry (%pd2, ftype=%x, nlink=%u)\n", 619 index, d_inode(index)->i_mode & S_IFMT, 620 d_inode(index)->i_nlink); 621 err = -ENOENT; 622 goto out; 623 } 624 625 static int ovl_get_index_name_fh(struct ovl_fh *fh, struct qstr *name) 626 { 627 char *n, *s; 628 629 n = kcalloc(fh->fb.len, 2, GFP_KERNEL); 630 if (!n) 631 return -ENOMEM; 632 633 s = bin2hex(n, fh->buf, fh->fb.len); 634 *name = (struct qstr) QSTR_INIT(n, s - n); 635 636 return 0; 637 638 } 639 640 /* 641 * Lookup in indexdir for the index entry of a lower real inode or a copy up 642 * origin inode. The index entry name is the hex representation of the lower 643 * inode file handle. 644 * 645 * If the index dentry in negative, then either no lower aliases have been 646 * copied up yet, or aliases have been copied up in older kernels and are 647 * not indexed. 648 * 649 * If the index dentry for a copy up origin inode is positive, but points 650 * to an inode different than the upper inode, then either the upper inode 651 * has been copied up and not indexed or it was indexed, but since then 652 * index dir was cleared. Either way, that index cannot be used to identify 653 * the overlay inode. 654 */ 655 int ovl_get_index_name(struct ovl_fs *ofs, struct dentry *origin, 656 struct qstr *name) 657 { 658 struct ovl_fh *fh; 659 int err; 660 661 fh = ovl_encode_real_fh(ofs, origin, false); 662 if (IS_ERR(fh)) 663 return PTR_ERR(fh); 664 665 err = ovl_get_index_name_fh(fh, name); 666 667 kfree(fh); 668 return err; 669 } 670 671 /* Lookup index by file handle for NFS export */ 672 struct dentry *ovl_get_index_fh(struct ovl_fs *ofs, struct ovl_fh *fh) 673 { 674 struct dentry *index; 675 struct qstr name; 676 int err; 677 678 err = ovl_get_index_name_fh(fh, &name); 679 if (err) 680 return ERR_PTR(err); 681 682 index = lookup_positive_unlocked(name.name, ofs->indexdir, name.len); 683 kfree(name.name); 684 if (IS_ERR(index)) { 685 if (PTR_ERR(index) == -ENOENT) 686 index = NULL; 687 return index; 688 } 689 690 if (ovl_is_whiteout(index)) 691 err = -ESTALE; 692 else if (ovl_dentry_weird(index)) 693 err = -EIO; 694 else 695 return index; 696 697 dput(index); 698 return ERR_PTR(err); 699 } 700 701 struct dentry *ovl_lookup_index(struct ovl_fs *ofs, struct dentry *upper, 702 struct dentry *origin, bool verify) 703 { 704 struct dentry *index; 705 struct inode *inode; 706 struct qstr name; 707 bool is_dir = d_is_dir(origin); 708 int err; 709 710 err = ovl_get_index_name(ofs, origin, &name); 711 if (err) 712 return ERR_PTR(err); 713 714 index = lookup_one_positive_unlocked(ovl_upper_mnt_userns(ofs), name.name, 715 ofs->indexdir, name.len); 716 if (IS_ERR(index)) { 717 err = PTR_ERR(index); 718 if (err == -ENOENT) { 719 index = NULL; 720 goto out; 721 } 722 pr_warn_ratelimited("failed inode index lookup (ino=%lu, key=%.*s, err=%i);\n" 723 "overlayfs: mount with '-o index=off' to disable inodes index.\n", 724 d_inode(origin)->i_ino, name.len, name.name, 725 err); 726 goto out; 727 } 728 729 inode = d_inode(index); 730 if (ovl_is_whiteout(index) && !verify) { 731 /* 732 * When index lookup is called with !verify for decoding an 733 * overlay file handle, a whiteout index implies that decode 734 * should treat file handle as stale and no need to print a 735 * warning about it. 736 */ 737 dput(index); 738 index = ERR_PTR(-ESTALE); 739 goto out; 740 } else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) || 741 inode_wrong_type(inode, d_inode(origin)->i_mode)) { 742 /* 743 * Index should always be of the same file type as origin 744 * except for the case of a whiteout index. A whiteout 745 * index should only exist if all lower aliases have been 746 * unlinked, which means that finding a lower origin on lookup 747 * whose index is a whiteout should be treated as an error. 748 */ 749 pr_warn_ratelimited("bad index found (index=%pd2, ftype=%x, origin ftype=%x).\n", 750 index, d_inode(index)->i_mode & S_IFMT, 751 d_inode(origin)->i_mode & S_IFMT); 752 goto fail; 753 } else if (is_dir && verify) { 754 if (!upper) { 755 pr_warn_ratelimited("suspected uncovered redirected dir found (origin=%pd2, index=%pd2).\n", 756 origin, index); 757 goto fail; 758 } 759 760 /* Verify that dir index 'upper' xattr points to upper dir */ 761 err = ovl_verify_upper(ofs, index, upper, false); 762 if (err) { 763 if (err == -ESTALE) { 764 pr_warn_ratelimited("suspected multiply redirected dir found (upper=%pd2, origin=%pd2, index=%pd2).\n", 765 upper, origin, index); 766 } 767 goto fail; 768 } 769 } else if (upper && d_inode(upper) != inode) { 770 goto out_dput; 771 } 772 out: 773 kfree(name.name); 774 return index; 775 776 out_dput: 777 dput(index); 778 index = NULL; 779 goto out; 780 781 fail: 782 dput(index); 783 index = ERR_PTR(-EIO); 784 goto out; 785 } 786 787 /* 788 * Returns next layer in stack starting from top. 789 * Returns -1 if this is the last layer. 790 */ 791 int ovl_path_next(int idx, struct dentry *dentry, struct path *path) 792 { 793 struct ovl_entry *oe = dentry->d_fsdata; 794 795 BUG_ON(idx < 0); 796 if (idx == 0) { 797 ovl_path_upper(dentry, path); 798 if (path->dentry) 799 return oe->numlower ? 1 : -1; 800 idx++; 801 } 802 BUG_ON(idx > oe->numlower); 803 path->dentry = oe->lowerstack[idx - 1].dentry; 804 path->mnt = oe->lowerstack[idx - 1].layer->mnt; 805 806 return (idx < oe->numlower) ? idx + 1 : -1; 807 } 808 809 /* Fix missing 'origin' xattr */ 810 static int ovl_fix_origin(struct ovl_fs *ofs, struct dentry *dentry, 811 struct dentry *lower, struct dentry *upper) 812 { 813 int err; 814 815 if (ovl_check_origin_xattr(ofs, upper)) 816 return 0; 817 818 err = ovl_want_write(dentry); 819 if (err) 820 return err; 821 822 err = ovl_set_origin(ofs, lower, upper); 823 if (!err) 824 err = ovl_set_impure(dentry->d_parent, upper->d_parent); 825 826 ovl_drop_write(dentry); 827 return err; 828 } 829 830 struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry, 831 unsigned int flags) 832 { 833 struct ovl_entry *oe; 834 const struct cred *old_cred; 835 struct ovl_fs *ofs = dentry->d_sb->s_fs_info; 836 struct ovl_entry *poe = dentry->d_parent->d_fsdata; 837 struct ovl_entry *roe = dentry->d_sb->s_root->d_fsdata; 838 struct ovl_path *stack = NULL, *origin_path = NULL; 839 struct dentry *upperdir, *upperdentry = NULL; 840 struct dentry *origin = NULL; 841 struct dentry *index = NULL; 842 unsigned int ctr = 0; 843 struct inode *inode = NULL; 844 bool upperopaque = false; 845 char *upperredirect = NULL; 846 struct dentry *this; 847 unsigned int i; 848 int err; 849 bool uppermetacopy = false; 850 struct ovl_lookup_data d = { 851 .sb = dentry->d_sb, 852 .name = dentry->d_name, 853 .is_dir = false, 854 .opaque = false, 855 .stop = false, 856 .last = ofs->config.redirect_follow ? false : !poe->numlower, 857 .redirect = NULL, 858 .metacopy = false, 859 }; 860 861 if (dentry->d_name.len > ofs->namelen) 862 return ERR_PTR(-ENAMETOOLONG); 863 864 old_cred = ovl_override_creds(dentry->d_sb); 865 upperdir = ovl_dentry_upper(dentry->d_parent); 866 if (upperdir) { 867 d.mnt = ovl_upper_mnt(ofs); 868 err = ovl_lookup_layer(upperdir, &d, &upperdentry, true); 869 if (err) 870 goto out; 871 872 if (upperdentry && upperdentry->d_flags & DCACHE_OP_REAL) { 873 dput(upperdentry); 874 err = -EREMOTE; 875 goto out; 876 } 877 if (upperdentry && !d.is_dir) { 878 /* 879 * Lookup copy up origin by decoding origin file handle. 880 * We may get a disconnected dentry, which is fine, 881 * because we only need to hold the origin inode in 882 * cache and use its inode number. We may even get a 883 * connected dentry, that is not under any of the lower 884 * layers root. That is also fine for using it's inode 885 * number - it's the same as if we held a reference 886 * to a dentry in lower layer that was moved under us. 887 */ 888 err = ovl_check_origin(ofs, upperdentry, &origin_path); 889 if (err) 890 goto out_put_upper; 891 892 if (d.metacopy) 893 uppermetacopy = true; 894 } 895 896 if (d.redirect) { 897 err = -ENOMEM; 898 upperredirect = kstrdup(d.redirect, GFP_KERNEL); 899 if (!upperredirect) 900 goto out_put_upper; 901 if (d.redirect[0] == '/') 902 poe = roe; 903 } 904 upperopaque = d.opaque; 905 } 906 907 if (!d.stop && poe->numlower) { 908 err = -ENOMEM; 909 stack = kcalloc(ofs->numlayer - 1, sizeof(struct ovl_path), 910 GFP_KERNEL); 911 if (!stack) 912 goto out_put_upper; 913 } 914 915 for (i = 0; !d.stop && i < poe->numlower; i++) { 916 struct ovl_path lower = poe->lowerstack[i]; 917 918 if (!ofs->config.redirect_follow) 919 d.last = i == poe->numlower - 1; 920 else 921 d.last = lower.layer->idx == roe->numlower; 922 923 d.mnt = lower.layer->mnt; 924 err = ovl_lookup_layer(lower.dentry, &d, &this, false); 925 if (err) 926 goto out_put; 927 928 if (!this) 929 continue; 930 931 if ((uppermetacopy || d.metacopy) && !ofs->config.metacopy) { 932 dput(this); 933 err = -EPERM; 934 pr_warn_ratelimited("refusing to follow metacopy origin for (%pd2)\n", dentry); 935 goto out_put; 936 } 937 938 /* 939 * If no origin fh is stored in upper of a merge dir, store fh 940 * of lower dir and set upper parent "impure". 941 */ 942 if (upperdentry && !ctr && !ofs->noxattr && d.is_dir) { 943 err = ovl_fix_origin(ofs, dentry, this, upperdentry); 944 if (err) { 945 dput(this); 946 goto out_put; 947 } 948 } 949 950 /* 951 * When "verify_lower" feature is enabled, do not merge with a 952 * lower dir that does not match a stored origin xattr. In any 953 * case, only verified origin is used for index lookup. 954 * 955 * For non-dir dentry, if index=on, then ensure origin 956 * matches the dentry found using path based lookup, 957 * otherwise error out. 958 */ 959 if (upperdentry && !ctr && 960 ((d.is_dir && ovl_verify_lower(dentry->d_sb)) || 961 (!d.is_dir && ofs->config.index && origin_path))) { 962 err = ovl_verify_origin(ofs, upperdentry, this, false); 963 if (err) { 964 dput(this); 965 if (d.is_dir) 966 break; 967 goto out_put; 968 } 969 origin = this; 970 } 971 972 if (d.metacopy && ctr) { 973 /* 974 * Do not store intermediate metacopy dentries in 975 * lower chain, except top most lower metacopy dentry. 976 * Continue the loop so that if there is an absolute 977 * redirect on this dentry, poe can be reset to roe. 978 */ 979 dput(this); 980 this = NULL; 981 } else { 982 stack[ctr].dentry = this; 983 stack[ctr].layer = lower.layer; 984 ctr++; 985 } 986 987 /* 988 * Following redirects can have security consequences: it's like 989 * a symlink into the lower layer without the permission checks. 990 * This is only a problem if the upper layer is untrusted (e.g 991 * comes from an USB drive). This can allow a non-readable file 992 * or directory to become readable. 993 * 994 * Only following redirects when redirects are enabled disables 995 * this attack vector when not necessary. 996 */ 997 err = -EPERM; 998 if (d.redirect && !ofs->config.redirect_follow) { 999 pr_warn_ratelimited("refusing to follow redirect for (%pd2)\n", 1000 dentry); 1001 goto out_put; 1002 } 1003 1004 if (d.stop) 1005 break; 1006 1007 if (d.redirect && d.redirect[0] == '/' && poe != roe) { 1008 poe = roe; 1009 /* Find the current layer on the root dentry */ 1010 i = lower.layer->idx - 1; 1011 } 1012 } 1013 1014 /* 1015 * For regular non-metacopy upper dentries, there is no lower 1016 * path based lookup, hence ctr will be zero. If a dentry is found 1017 * using ORIGIN xattr on upper, install it in stack. 1018 * 1019 * For metacopy dentry, path based lookup will find lower dentries. 1020 * Just make sure a corresponding data dentry has been found. 1021 */ 1022 if (d.metacopy || (uppermetacopy && !ctr)) { 1023 pr_warn_ratelimited("metacopy with no lower data found - abort lookup (%pd2)\n", 1024 dentry); 1025 err = -EIO; 1026 goto out_put; 1027 } else if (!d.is_dir && upperdentry && !ctr && origin_path) { 1028 if (WARN_ON(stack != NULL)) { 1029 err = -EIO; 1030 goto out_put; 1031 } 1032 stack = origin_path; 1033 ctr = 1; 1034 origin = origin_path->dentry; 1035 origin_path = NULL; 1036 } 1037 1038 /* 1039 * Always lookup index if there is no-upperdentry. 1040 * 1041 * For the case of upperdentry, we have set origin by now if it 1042 * needed to be set. There are basically three cases. 1043 * 1044 * For directories, lookup index by lower inode and verify it matches 1045 * upper inode. We only trust dir index if we verified that lower dir 1046 * matches origin, otherwise dir index entries may be inconsistent 1047 * and we ignore them. 1048 * 1049 * For regular upper, we already set origin if upper had ORIGIN 1050 * xattr. There is no verification though as there is no path 1051 * based dentry lookup in lower in this case. 1052 * 1053 * For metacopy upper, we set a verified origin already if index 1054 * is enabled and if upper had an ORIGIN xattr. 1055 * 1056 */ 1057 if (!upperdentry && ctr) 1058 origin = stack[0].dentry; 1059 1060 if (origin && ovl_indexdir(dentry->d_sb) && 1061 (!d.is_dir || ovl_index_all(dentry->d_sb))) { 1062 index = ovl_lookup_index(ofs, upperdentry, origin, true); 1063 if (IS_ERR(index)) { 1064 err = PTR_ERR(index); 1065 index = NULL; 1066 goto out_put; 1067 } 1068 } 1069 1070 oe = ovl_alloc_entry(ctr); 1071 err = -ENOMEM; 1072 if (!oe) 1073 goto out_put; 1074 1075 memcpy(oe->lowerstack, stack, sizeof(struct ovl_path) * ctr); 1076 dentry->d_fsdata = oe; 1077 1078 if (upperopaque) 1079 ovl_dentry_set_opaque(dentry); 1080 1081 if (upperdentry) 1082 ovl_dentry_set_upper_alias(dentry); 1083 else if (index) { 1084 struct path upperpath = { 1085 .dentry = upperdentry = dget(index), 1086 .mnt = ovl_upper_mnt(ofs), 1087 }; 1088 1089 /* 1090 * It's safe to assign upperredirect here: the previous 1091 * assignment of happens only if upperdentry is non-NULL, and 1092 * this one only if upperdentry is NULL. 1093 */ 1094 upperredirect = ovl_get_redirect_xattr(ofs, &upperpath, 0); 1095 if (IS_ERR(upperredirect)) { 1096 err = PTR_ERR(upperredirect); 1097 upperredirect = NULL; 1098 goto out_free_oe; 1099 } 1100 err = ovl_check_metacopy_xattr(ofs, &upperpath); 1101 if (err < 0) 1102 goto out_free_oe; 1103 uppermetacopy = err; 1104 } 1105 1106 if (upperdentry || ctr) { 1107 struct ovl_inode_params oip = { 1108 .upperdentry = upperdentry, 1109 .lowerpath = stack, 1110 .index = index, 1111 .numlower = ctr, 1112 .redirect = upperredirect, 1113 .lowerdata = (ctr > 1 && !d.is_dir) ? 1114 stack[ctr - 1].dentry : NULL, 1115 }; 1116 1117 inode = ovl_get_inode(dentry->d_sb, &oip); 1118 err = PTR_ERR(inode); 1119 if (IS_ERR(inode)) 1120 goto out_free_oe; 1121 if (upperdentry && !uppermetacopy) 1122 ovl_set_flag(OVL_UPPERDATA, inode); 1123 } 1124 1125 ovl_dentry_update_reval(dentry, upperdentry, 1126 DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE); 1127 1128 revert_creds(old_cred); 1129 if (origin_path) { 1130 dput(origin_path->dentry); 1131 kfree(origin_path); 1132 } 1133 dput(index); 1134 kfree(stack); 1135 kfree(d.redirect); 1136 return d_splice_alias(inode, dentry); 1137 1138 out_free_oe: 1139 dentry->d_fsdata = NULL; 1140 kfree(oe); 1141 out_put: 1142 dput(index); 1143 for (i = 0; i < ctr; i++) 1144 dput(stack[i].dentry); 1145 kfree(stack); 1146 out_put_upper: 1147 if (origin_path) { 1148 dput(origin_path->dentry); 1149 kfree(origin_path); 1150 } 1151 dput(upperdentry); 1152 kfree(upperredirect); 1153 out: 1154 kfree(d.redirect); 1155 revert_creds(old_cred); 1156 return ERR_PTR(err); 1157 } 1158 1159 bool ovl_lower_positive(struct dentry *dentry) 1160 { 1161 struct ovl_entry *poe = dentry->d_parent->d_fsdata; 1162 const struct qstr *name = &dentry->d_name; 1163 const struct cred *old_cred; 1164 unsigned int i; 1165 bool positive = false; 1166 bool done = false; 1167 1168 /* 1169 * If dentry is negative, then lower is positive iff this is a 1170 * whiteout. 1171 */ 1172 if (!dentry->d_inode) 1173 return ovl_dentry_is_opaque(dentry); 1174 1175 /* Negative upper -> positive lower */ 1176 if (!ovl_dentry_upper(dentry)) 1177 return true; 1178 1179 old_cred = ovl_override_creds(dentry->d_sb); 1180 /* Positive upper -> have to look up lower to see whether it exists */ 1181 for (i = 0; !done && !positive && i < poe->numlower; i++) { 1182 struct dentry *this; 1183 struct dentry *lowerdir = poe->lowerstack[i].dentry; 1184 1185 this = lookup_one_positive_unlocked(mnt_user_ns(poe->lowerstack[i].layer->mnt), 1186 name->name, lowerdir, name->len); 1187 if (IS_ERR(this)) { 1188 switch (PTR_ERR(this)) { 1189 case -ENOENT: 1190 case -ENAMETOOLONG: 1191 break; 1192 1193 default: 1194 /* 1195 * Assume something is there, we just couldn't 1196 * access it. 1197 */ 1198 positive = true; 1199 break; 1200 } 1201 } else { 1202 positive = !ovl_is_whiteout(this); 1203 done = true; 1204 dput(this); 1205 } 1206 } 1207 revert_creds(old_cred); 1208 1209 return positive; 1210 } 1211