1 /* 2 * Copyright (C) 2011 Novell Inc. 3 * Copyright (C) 2016 Red Hat, Inc. 4 * 5 * This program is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 as published by 7 * the Free Software Foundation. 8 */ 9 10 #include <linux/fs.h> 11 #include <linux/cred.h> 12 #include <linux/ctype.h> 13 #include <linux/namei.h> 14 #include <linux/xattr.h> 15 #include <linux/ratelimit.h> 16 #include <linux/mount.h> 17 #include <linux/exportfs.h> 18 #include "overlayfs.h" 19 20 struct ovl_lookup_data { 21 struct super_block *sb; 22 struct qstr name; 23 bool is_dir; 24 bool opaque; 25 bool stop; 26 bool last; 27 char *redirect; 28 bool metacopy; 29 }; 30 31 static int ovl_check_redirect(struct dentry *dentry, struct ovl_lookup_data *d, 32 size_t prelen, const char *post) 33 { 34 int res; 35 char *buf; 36 37 buf = ovl_get_redirect_xattr(dentry, prelen + strlen(post)); 38 if (IS_ERR_OR_NULL(buf)) 39 return PTR_ERR(buf); 40 41 if (buf[0] == '/') { 42 /* 43 * One of the ancestor path elements in an absolute path 44 * lookup in ovl_lookup_layer() could have been opaque and 45 * that will stop further lookup in lower layers (d->stop=true) 46 * But we have found an absolute redirect in decendant path 47 * element and that should force continue lookup in lower 48 * layers (reset d->stop). 49 */ 50 d->stop = false; 51 } else { 52 res = strlen(buf) + 1; 53 memmove(buf + prelen, buf, res); 54 memcpy(buf, d->name.name, prelen); 55 } 56 57 strcat(buf, post); 58 kfree(d->redirect); 59 d->redirect = buf; 60 d->name.name = d->redirect; 61 d->name.len = strlen(d->redirect); 62 63 return 0; 64 } 65 66 static int ovl_acceptable(void *ctx, struct dentry *dentry) 67 { 68 /* 69 * A non-dir origin may be disconnected, which is fine, because 70 * we only need it for its unique inode number. 71 */ 72 if (!d_is_dir(dentry)) 73 return 1; 74 75 /* Don't decode a deleted empty directory */ 76 if (d_unhashed(dentry)) 77 return 0; 78 79 /* Check if directory belongs to the layer we are decoding from */ 80 return is_subdir(dentry, ((struct vfsmount *)ctx)->mnt_root); 81 } 82 83 /* 84 * Check validity of an overlay file handle buffer. 85 * 86 * Return 0 for a valid file handle. 87 * Return -ENODATA for "origin unknown". 88 * Return <0 for an invalid file handle. 89 */ 90 int ovl_check_fh_len(struct ovl_fh *fh, int fh_len) 91 { 92 if (fh_len < sizeof(struct ovl_fh) || fh_len < fh->len) 93 return -EINVAL; 94 95 if (fh->magic != OVL_FH_MAGIC) 96 return -EINVAL; 97 98 /* Treat larger version and unknown flags as "origin unknown" */ 99 if (fh->version > OVL_FH_VERSION || fh->flags & ~OVL_FH_FLAG_ALL) 100 return -ENODATA; 101 102 /* Treat endianness mismatch as "origin unknown" */ 103 if (!(fh->flags & OVL_FH_FLAG_ANY_ENDIAN) && 104 (fh->flags & OVL_FH_FLAG_BIG_ENDIAN) != OVL_FH_FLAG_CPU_ENDIAN) 105 return -ENODATA; 106 107 return 0; 108 } 109 110 static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name) 111 { 112 int res, err; 113 struct ovl_fh *fh = NULL; 114 115 res = vfs_getxattr(dentry, name, NULL, 0); 116 if (res < 0) { 117 if (res == -ENODATA || res == -EOPNOTSUPP) 118 return NULL; 119 goto fail; 120 } 121 /* Zero size value means "copied up but origin unknown" */ 122 if (res == 0) 123 return NULL; 124 125 fh = kzalloc(res, GFP_KERNEL); 126 if (!fh) 127 return ERR_PTR(-ENOMEM); 128 129 res = vfs_getxattr(dentry, name, fh, res); 130 if (res < 0) 131 goto fail; 132 133 err = ovl_check_fh_len(fh, res); 134 if (err < 0) { 135 if (err == -ENODATA) 136 goto out; 137 goto invalid; 138 } 139 140 return fh; 141 142 out: 143 kfree(fh); 144 return NULL; 145 146 fail: 147 pr_warn_ratelimited("overlayfs: failed to get origin (%i)\n", res); 148 goto out; 149 invalid: 150 pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n", res, fh); 151 goto out; 152 } 153 154 struct dentry *ovl_decode_real_fh(struct ovl_fh *fh, struct vfsmount *mnt, 155 bool connected) 156 { 157 struct dentry *real; 158 int bytes; 159 160 /* 161 * Make sure that the stored uuid matches the uuid of the lower 162 * layer where file handle will be decoded. 163 */ 164 if (!uuid_equal(&fh->uuid, &mnt->mnt_sb->s_uuid)) 165 return NULL; 166 167 bytes = (fh->len - offsetof(struct ovl_fh, fid)); 168 real = exportfs_decode_fh(mnt, (struct fid *)fh->fid, 169 bytes >> 2, (int)fh->type, 170 connected ? ovl_acceptable : NULL, mnt); 171 if (IS_ERR(real)) { 172 /* 173 * Treat stale file handle to lower file as "origin unknown". 174 * upper file handle could become stale when upper file is 175 * unlinked and this information is needed to handle stale 176 * index entries correctly. 177 */ 178 if (real == ERR_PTR(-ESTALE) && 179 !(fh->flags & OVL_FH_FLAG_PATH_UPPER)) 180 real = NULL; 181 return real; 182 } 183 184 if (ovl_dentry_weird(real)) { 185 dput(real); 186 return NULL; 187 } 188 189 return real; 190 } 191 192 static bool ovl_is_opaquedir(struct dentry *dentry) 193 { 194 return ovl_check_dir_xattr(dentry, OVL_XATTR_OPAQUE); 195 } 196 197 static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d, 198 const char *name, unsigned int namelen, 199 size_t prelen, const char *post, 200 struct dentry **ret) 201 { 202 struct dentry *this; 203 int err; 204 bool last_element = !post[0]; 205 206 this = lookup_one_len_unlocked(name, base, namelen); 207 if (IS_ERR(this)) { 208 err = PTR_ERR(this); 209 this = NULL; 210 if (err == -ENOENT || err == -ENAMETOOLONG) 211 goto out; 212 goto out_err; 213 } 214 if (!this->d_inode) 215 goto put_and_out; 216 217 if (ovl_dentry_weird(this)) { 218 /* Don't support traversing automounts and other weirdness */ 219 err = -EREMOTE; 220 goto out_err; 221 } 222 if (ovl_is_whiteout(this)) { 223 d->stop = d->opaque = true; 224 goto put_and_out; 225 } 226 /* 227 * This dentry should be a regular file if previous layer lookup 228 * found a metacopy dentry. 229 */ 230 if (last_element && d->metacopy && !d_is_reg(this)) { 231 d->stop = true; 232 goto put_and_out; 233 } 234 if (!d_can_lookup(this)) { 235 if (d->is_dir || !last_element) { 236 d->stop = true; 237 goto put_and_out; 238 } 239 err = ovl_check_metacopy_xattr(this); 240 if (err < 0) 241 goto out_err; 242 243 d->metacopy = err; 244 d->stop = !d->metacopy; 245 if (!d->metacopy || d->last) 246 goto out; 247 } else { 248 if (ovl_lookup_trap_inode(d->sb, this)) { 249 /* Caught in a trap of overlapping layers */ 250 err = -ELOOP; 251 goto out_err; 252 } 253 254 if (last_element) 255 d->is_dir = true; 256 if (d->last) 257 goto out; 258 259 if (ovl_is_opaquedir(this)) { 260 d->stop = true; 261 if (last_element) 262 d->opaque = true; 263 goto out; 264 } 265 } 266 err = ovl_check_redirect(this, d, prelen, post); 267 if (err) 268 goto out_err; 269 out: 270 *ret = this; 271 return 0; 272 273 put_and_out: 274 dput(this); 275 this = NULL; 276 goto out; 277 278 out_err: 279 dput(this); 280 return err; 281 } 282 283 static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d, 284 struct dentry **ret) 285 { 286 /* Counting down from the end, since the prefix can change */ 287 size_t rem = d->name.len - 1; 288 struct dentry *dentry = NULL; 289 int err; 290 291 if (d->name.name[0] != '/') 292 return ovl_lookup_single(base, d, d->name.name, d->name.len, 293 0, "", ret); 294 295 while (!IS_ERR_OR_NULL(base) && d_can_lookup(base)) { 296 const char *s = d->name.name + d->name.len - rem; 297 const char *next = strchrnul(s, '/'); 298 size_t thislen = next - s; 299 bool end = !next[0]; 300 301 /* Verify we did not go off the rails */ 302 if (WARN_ON(s[-1] != '/')) 303 return -EIO; 304 305 err = ovl_lookup_single(base, d, s, thislen, 306 d->name.len - rem, next, &base); 307 dput(dentry); 308 if (err) 309 return err; 310 dentry = base; 311 if (end) 312 break; 313 314 rem -= thislen + 1; 315 316 if (WARN_ON(rem >= d->name.len)) 317 return -EIO; 318 } 319 *ret = dentry; 320 return 0; 321 } 322 323 324 int ovl_check_origin_fh(struct ovl_fs *ofs, struct ovl_fh *fh, bool connected, 325 struct dentry *upperdentry, struct ovl_path **stackp) 326 { 327 struct dentry *origin = NULL; 328 int i; 329 330 for (i = 0; i < ofs->numlower; i++) { 331 origin = ovl_decode_real_fh(fh, ofs->lower_layers[i].mnt, 332 connected); 333 if (origin) 334 break; 335 } 336 337 if (!origin) 338 return -ESTALE; 339 else if (IS_ERR(origin)) 340 return PTR_ERR(origin); 341 342 if (upperdentry && !ovl_is_whiteout(upperdentry) && 343 ((d_inode(origin)->i_mode ^ d_inode(upperdentry)->i_mode) & S_IFMT)) 344 goto invalid; 345 346 if (!*stackp) 347 *stackp = kmalloc(sizeof(struct ovl_path), GFP_KERNEL); 348 if (!*stackp) { 349 dput(origin); 350 return -ENOMEM; 351 } 352 **stackp = (struct ovl_path){ 353 .dentry = origin, 354 .layer = &ofs->lower_layers[i] 355 }; 356 357 return 0; 358 359 invalid: 360 pr_warn_ratelimited("overlayfs: invalid origin (%pd2, ftype=%x, origin ftype=%x).\n", 361 upperdentry, d_inode(upperdentry)->i_mode & S_IFMT, 362 d_inode(origin)->i_mode & S_IFMT); 363 dput(origin); 364 return -EIO; 365 } 366 367 static int ovl_check_origin(struct ovl_fs *ofs, struct dentry *upperdentry, 368 struct ovl_path **stackp, unsigned int *ctrp) 369 { 370 struct ovl_fh *fh = ovl_get_fh(upperdentry, OVL_XATTR_ORIGIN); 371 int err; 372 373 if (IS_ERR_OR_NULL(fh)) 374 return PTR_ERR(fh); 375 376 err = ovl_check_origin_fh(ofs, fh, false, upperdentry, stackp); 377 kfree(fh); 378 379 if (err) { 380 if (err == -ESTALE) 381 return 0; 382 return err; 383 } 384 385 if (WARN_ON(*ctrp)) 386 return -EIO; 387 388 *ctrp = 1; 389 return 0; 390 } 391 392 /* 393 * Verify that @fh matches the file handle stored in xattr @name. 394 * Return 0 on match, -ESTALE on mismatch, < 0 on error. 395 */ 396 static int ovl_verify_fh(struct dentry *dentry, const char *name, 397 const struct ovl_fh *fh) 398 { 399 struct ovl_fh *ofh = ovl_get_fh(dentry, name); 400 int err = 0; 401 402 if (!ofh) 403 return -ENODATA; 404 405 if (IS_ERR(ofh)) 406 return PTR_ERR(ofh); 407 408 if (fh->len != ofh->len || memcmp(fh, ofh, fh->len)) 409 err = -ESTALE; 410 411 kfree(ofh); 412 return err; 413 } 414 415 /* 416 * Verify that @real dentry matches the file handle stored in xattr @name. 417 * 418 * If @set is true and there is no stored file handle, encode @real and store 419 * file handle in xattr @name. 420 * 421 * Return 0 on match, -ESTALE on mismatch, -ENODATA on no xattr, < 0 on error. 422 */ 423 int ovl_verify_set_fh(struct dentry *dentry, const char *name, 424 struct dentry *real, bool is_upper, bool set) 425 { 426 struct inode *inode; 427 struct ovl_fh *fh; 428 int err; 429 430 fh = ovl_encode_real_fh(real, is_upper); 431 err = PTR_ERR(fh); 432 if (IS_ERR(fh)) { 433 fh = NULL; 434 goto fail; 435 } 436 437 err = ovl_verify_fh(dentry, name, fh); 438 if (set && err == -ENODATA) 439 err = ovl_do_setxattr(dentry, name, fh, fh->len, 0); 440 if (err) 441 goto fail; 442 443 out: 444 kfree(fh); 445 return err; 446 447 fail: 448 inode = d_inode(real); 449 pr_warn_ratelimited("overlayfs: failed to verify %s (%pd2, ino=%lu, err=%i)\n", 450 is_upper ? "upper" : "origin", real, 451 inode ? inode->i_ino : 0, err); 452 goto out; 453 } 454 455 /* Get upper dentry from index */ 456 struct dentry *ovl_index_upper(struct ovl_fs *ofs, struct dentry *index) 457 { 458 struct ovl_fh *fh; 459 struct dentry *upper; 460 461 if (!d_is_dir(index)) 462 return dget(index); 463 464 fh = ovl_get_fh(index, OVL_XATTR_UPPER); 465 if (IS_ERR_OR_NULL(fh)) 466 return ERR_CAST(fh); 467 468 upper = ovl_decode_real_fh(fh, ofs->upper_mnt, true); 469 kfree(fh); 470 471 if (IS_ERR_OR_NULL(upper)) 472 return upper ?: ERR_PTR(-ESTALE); 473 474 if (!d_is_dir(upper)) { 475 pr_warn_ratelimited("overlayfs: invalid index upper (%pd2, upper=%pd2).\n", 476 index, upper); 477 dput(upper); 478 return ERR_PTR(-EIO); 479 } 480 481 return upper; 482 } 483 484 /* Is this a leftover from create/whiteout of directory index entry? */ 485 static bool ovl_is_temp_index(struct dentry *index) 486 { 487 return index->d_name.name[0] == '#'; 488 } 489 490 /* 491 * Verify that an index entry name matches the origin file handle stored in 492 * OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path. 493 * Return 0 on match, -ESTALE on mismatch or stale origin, < 0 on error. 494 */ 495 int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index) 496 { 497 struct ovl_fh *fh = NULL; 498 size_t len; 499 struct ovl_path origin = { }; 500 struct ovl_path *stack = &origin; 501 struct dentry *upper = NULL; 502 int err; 503 504 if (!d_inode(index)) 505 return 0; 506 507 /* Cleanup leftover from index create/cleanup attempt */ 508 err = -ESTALE; 509 if (ovl_is_temp_index(index)) 510 goto fail; 511 512 err = -EINVAL; 513 if (index->d_name.len < sizeof(struct ovl_fh)*2) 514 goto fail; 515 516 err = -ENOMEM; 517 len = index->d_name.len / 2; 518 fh = kzalloc(len, GFP_KERNEL); 519 if (!fh) 520 goto fail; 521 522 err = -EINVAL; 523 if (hex2bin((u8 *)fh, index->d_name.name, len)) 524 goto fail; 525 526 err = ovl_check_fh_len(fh, len); 527 if (err) 528 goto fail; 529 530 /* 531 * Whiteout index entries are used as an indication that an exported 532 * overlay file handle should be treated as stale (i.e. after unlink 533 * of the overlay inode). These entries contain no origin xattr. 534 */ 535 if (ovl_is_whiteout(index)) 536 goto out; 537 538 /* 539 * Verifying directory index entries are not stale is expensive, so 540 * only verify stale dir index if NFS export is enabled. 541 */ 542 if (d_is_dir(index) && !ofs->config.nfs_export) 543 goto out; 544 545 /* 546 * Directory index entries should have 'upper' xattr pointing to the 547 * real upper dir. Non-dir index entries are hardlinks to the upper 548 * real inode. For non-dir index, we can read the copy up origin xattr 549 * directly from the index dentry, but for dir index we first need to 550 * decode the upper directory. 551 */ 552 upper = ovl_index_upper(ofs, index); 553 if (IS_ERR_OR_NULL(upper)) { 554 err = PTR_ERR(upper); 555 /* 556 * Directory index entries with no 'upper' xattr need to be 557 * removed. When dir index entry has a stale 'upper' xattr, 558 * we assume that upper dir was removed and we treat the dir 559 * index as orphan entry that needs to be whited out. 560 */ 561 if (err == -ESTALE) 562 goto orphan; 563 else if (!err) 564 err = -ESTALE; 565 goto fail; 566 } 567 568 err = ovl_verify_fh(upper, OVL_XATTR_ORIGIN, fh); 569 dput(upper); 570 if (err) 571 goto fail; 572 573 /* Check if non-dir index is orphan and don't warn before cleaning it */ 574 if (!d_is_dir(index) && d_inode(index)->i_nlink == 1) { 575 err = ovl_check_origin_fh(ofs, fh, false, index, &stack); 576 if (err) 577 goto fail; 578 579 if (ovl_get_nlink(origin.dentry, index, 0) == 0) 580 goto orphan; 581 } 582 583 out: 584 dput(origin.dentry); 585 kfree(fh); 586 return err; 587 588 fail: 589 pr_warn_ratelimited("overlayfs: failed to verify index (%pd2, ftype=%x, err=%i)\n", 590 index, d_inode(index)->i_mode & S_IFMT, err); 591 goto out; 592 593 orphan: 594 pr_warn_ratelimited("overlayfs: orphan index entry (%pd2, ftype=%x, nlink=%u)\n", 595 index, d_inode(index)->i_mode & S_IFMT, 596 d_inode(index)->i_nlink); 597 err = -ENOENT; 598 goto out; 599 } 600 601 static int ovl_get_index_name_fh(struct ovl_fh *fh, struct qstr *name) 602 { 603 char *n, *s; 604 605 n = kcalloc(fh->len, 2, GFP_KERNEL); 606 if (!n) 607 return -ENOMEM; 608 609 s = bin2hex(n, fh, fh->len); 610 *name = (struct qstr) QSTR_INIT(n, s - n); 611 612 return 0; 613 614 } 615 616 /* 617 * Lookup in indexdir for the index entry of a lower real inode or a copy up 618 * origin inode. The index entry name is the hex representation of the lower 619 * inode file handle. 620 * 621 * If the index dentry in negative, then either no lower aliases have been 622 * copied up yet, or aliases have been copied up in older kernels and are 623 * not indexed. 624 * 625 * If the index dentry for a copy up origin inode is positive, but points 626 * to an inode different than the upper inode, then either the upper inode 627 * has been copied up and not indexed or it was indexed, but since then 628 * index dir was cleared. Either way, that index cannot be used to indentify 629 * the overlay inode. 630 */ 631 int ovl_get_index_name(struct dentry *origin, struct qstr *name) 632 { 633 struct ovl_fh *fh; 634 int err; 635 636 fh = ovl_encode_real_fh(origin, false); 637 if (IS_ERR(fh)) 638 return PTR_ERR(fh); 639 640 err = ovl_get_index_name_fh(fh, name); 641 642 kfree(fh); 643 return err; 644 } 645 646 /* Lookup index by file handle for NFS export */ 647 struct dentry *ovl_get_index_fh(struct ovl_fs *ofs, struct ovl_fh *fh) 648 { 649 struct dentry *index; 650 struct qstr name; 651 int err; 652 653 err = ovl_get_index_name_fh(fh, &name); 654 if (err) 655 return ERR_PTR(err); 656 657 index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len); 658 kfree(name.name); 659 if (IS_ERR(index)) { 660 if (PTR_ERR(index) == -ENOENT) 661 index = NULL; 662 return index; 663 } 664 665 if (d_is_negative(index)) 666 err = 0; 667 else if (ovl_is_whiteout(index)) 668 err = -ESTALE; 669 else if (ovl_dentry_weird(index)) 670 err = -EIO; 671 else 672 return index; 673 674 dput(index); 675 return ERR_PTR(err); 676 } 677 678 struct dentry *ovl_lookup_index(struct ovl_fs *ofs, struct dentry *upper, 679 struct dentry *origin, bool verify) 680 { 681 struct dentry *index; 682 struct inode *inode; 683 struct qstr name; 684 bool is_dir = d_is_dir(origin); 685 int err; 686 687 err = ovl_get_index_name(origin, &name); 688 if (err) 689 return ERR_PTR(err); 690 691 index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len); 692 if (IS_ERR(index)) { 693 err = PTR_ERR(index); 694 if (err == -ENOENT) { 695 index = NULL; 696 goto out; 697 } 698 pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%.*s, err=%i);\n" 699 "overlayfs: mount with '-o index=off' to disable inodes index.\n", 700 d_inode(origin)->i_ino, name.len, name.name, 701 err); 702 goto out; 703 } 704 705 inode = d_inode(index); 706 if (d_is_negative(index)) { 707 goto out_dput; 708 } else if (ovl_is_whiteout(index) && !verify) { 709 /* 710 * When index lookup is called with !verify for decoding an 711 * overlay file handle, a whiteout index implies that decode 712 * should treat file handle as stale and no need to print a 713 * warning about it. 714 */ 715 dput(index); 716 index = ERR_PTR(-ESTALE); 717 goto out; 718 } else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) || 719 ((inode->i_mode ^ d_inode(origin)->i_mode) & S_IFMT)) { 720 /* 721 * Index should always be of the same file type as origin 722 * except for the case of a whiteout index. A whiteout 723 * index should only exist if all lower aliases have been 724 * unlinked, which means that finding a lower origin on lookup 725 * whose index is a whiteout should be treated as an error. 726 */ 727 pr_warn_ratelimited("overlayfs: bad index found (index=%pd2, ftype=%x, origin ftype=%x).\n", 728 index, d_inode(index)->i_mode & S_IFMT, 729 d_inode(origin)->i_mode & S_IFMT); 730 goto fail; 731 } else if (is_dir && verify) { 732 if (!upper) { 733 pr_warn_ratelimited("overlayfs: suspected uncovered redirected dir found (origin=%pd2, index=%pd2).\n", 734 origin, index); 735 goto fail; 736 } 737 738 /* Verify that dir index 'upper' xattr points to upper dir */ 739 err = ovl_verify_upper(index, upper, false); 740 if (err) { 741 if (err == -ESTALE) { 742 pr_warn_ratelimited("overlayfs: suspected multiply redirected dir found (upper=%pd2, origin=%pd2, index=%pd2).\n", 743 upper, origin, index); 744 } 745 goto fail; 746 } 747 } else if (upper && d_inode(upper) != inode) { 748 goto out_dput; 749 } 750 out: 751 kfree(name.name); 752 return index; 753 754 out_dput: 755 dput(index); 756 index = NULL; 757 goto out; 758 759 fail: 760 dput(index); 761 index = ERR_PTR(-EIO); 762 goto out; 763 } 764 765 /* 766 * Returns next layer in stack starting from top. 767 * Returns -1 if this is the last layer. 768 */ 769 int ovl_path_next(int idx, struct dentry *dentry, struct path *path) 770 { 771 struct ovl_entry *oe = dentry->d_fsdata; 772 773 BUG_ON(idx < 0); 774 if (idx == 0) { 775 ovl_path_upper(dentry, path); 776 if (path->dentry) 777 return oe->numlower ? 1 : -1; 778 idx++; 779 } 780 BUG_ON(idx > oe->numlower); 781 path->dentry = oe->lowerstack[idx - 1].dentry; 782 path->mnt = oe->lowerstack[idx - 1].layer->mnt; 783 784 return (idx < oe->numlower) ? idx + 1 : -1; 785 } 786 787 /* Fix missing 'origin' xattr */ 788 static int ovl_fix_origin(struct dentry *dentry, struct dentry *lower, 789 struct dentry *upper) 790 { 791 int err; 792 793 if (ovl_check_origin_xattr(upper)) 794 return 0; 795 796 err = ovl_want_write(dentry); 797 if (err) 798 return err; 799 800 err = ovl_set_origin(dentry, lower, upper); 801 if (!err) 802 err = ovl_set_impure(dentry->d_parent, upper->d_parent); 803 804 ovl_drop_write(dentry); 805 return err; 806 } 807 808 struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry, 809 unsigned int flags) 810 { 811 struct ovl_entry *oe; 812 const struct cred *old_cred; 813 struct ovl_fs *ofs = dentry->d_sb->s_fs_info; 814 struct ovl_entry *poe = dentry->d_parent->d_fsdata; 815 struct ovl_entry *roe = dentry->d_sb->s_root->d_fsdata; 816 struct ovl_path *stack = NULL, *origin_path = NULL; 817 struct dentry *upperdir, *upperdentry = NULL; 818 struct dentry *origin = NULL; 819 struct dentry *index = NULL; 820 unsigned int ctr = 0; 821 struct inode *inode = NULL; 822 bool upperopaque = false; 823 char *upperredirect = NULL; 824 struct dentry *this; 825 unsigned int i; 826 int err; 827 bool metacopy = false; 828 struct ovl_lookup_data d = { 829 .sb = dentry->d_sb, 830 .name = dentry->d_name, 831 .is_dir = false, 832 .opaque = false, 833 .stop = false, 834 .last = ofs->config.redirect_follow ? false : !poe->numlower, 835 .redirect = NULL, 836 .metacopy = false, 837 }; 838 839 if (dentry->d_name.len > ofs->namelen) 840 return ERR_PTR(-ENAMETOOLONG); 841 842 old_cred = ovl_override_creds(dentry->d_sb); 843 upperdir = ovl_dentry_upper(dentry->d_parent); 844 if (upperdir) { 845 err = ovl_lookup_layer(upperdir, &d, &upperdentry); 846 if (err) 847 goto out; 848 849 if (upperdentry && unlikely(ovl_dentry_remote(upperdentry))) { 850 dput(upperdentry); 851 err = -EREMOTE; 852 goto out; 853 } 854 if (upperdentry && !d.is_dir) { 855 unsigned int origin_ctr = 0; 856 857 /* 858 * Lookup copy up origin by decoding origin file handle. 859 * We may get a disconnected dentry, which is fine, 860 * because we only need to hold the origin inode in 861 * cache and use its inode number. We may even get a 862 * connected dentry, that is not under any of the lower 863 * layers root. That is also fine for using it's inode 864 * number - it's the same as if we held a reference 865 * to a dentry in lower layer that was moved under us. 866 */ 867 err = ovl_check_origin(ofs, upperdentry, &origin_path, 868 &origin_ctr); 869 if (err) 870 goto out_put_upper; 871 872 if (d.metacopy) 873 metacopy = true; 874 } 875 876 if (d.redirect) { 877 err = -ENOMEM; 878 upperredirect = kstrdup(d.redirect, GFP_KERNEL); 879 if (!upperredirect) 880 goto out_put_upper; 881 if (d.redirect[0] == '/') 882 poe = roe; 883 } 884 upperopaque = d.opaque; 885 } 886 887 if (!d.stop && poe->numlower) { 888 err = -ENOMEM; 889 stack = kcalloc(ofs->numlower, sizeof(struct ovl_path), 890 GFP_KERNEL); 891 if (!stack) 892 goto out_put_upper; 893 } 894 895 for (i = 0; !d.stop && i < poe->numlower; i++) { 896 struct ovl_path lower = poe->lowerstack[i]; 897 898 if (!ofs->config.redirect_follow) 899 d.last = i == poe->numlower - 1; 900 else 901 d.last = lower.layer->idx == roe->numlower; 902 903 err = ovl_lookup_layer(lower.dentry, &d, &this); 904 if (err) 905 goto out_put; 906 907 if (!this) 908 continue; 909 910 /* 911 * If no origin fh is stored in upper of a merge dir, store fh 912 * of lower dir and set upper parent "impure". 913 */ 914 if (upperdentry && !ctr && !ofs->noxattr && d.is_dir) { 915 err = ovl_fix_origin(dentry, this, upperdentry); 916 if (err) { 917 dput(this); 918 goto out_put; 919 } 920 } 921 922 /* 923 * When "verify_lower" feature is enabled, do not merge with a 924 * lower dir that does not match a stored origin xattr. In any 925 * case, only verified origin is used for index lookup. 926 * 927 * For non-dir dentry, if index=on, then ensure origin 928 * matches the dentry found using path based lookup, 929 * otherwise error out. 930 */ 931 if (upperdentry && !ctr && 932 ((d.is_dir && ovl_verify_lower(dentry->d_sb)) || 933 (!d.is_dir && ofs->config.index && origin_path))) { 934 err = ovl_verify_origin(upperdentry, this, false); 935 if (err) { 936 dput(this); 937 if (d.is_dir) 938 break; 939 goto out_put; 940 } 941 origin = this; 942 } 943 944 if (d.metacopy) 945 metacopy = true; 946 /* 947 * Do not store intermediate metacopy dentries in chain, 948 * except top most lower metacopy dentry 949 */ 950 if (d.metacopy && ctr) { 951 dput(this); 952 continue; 953 } 954 955 stack[ctr].dentry = this; 956 stack[ctr].layer = lower.layer; 957 ctr++; 958 959 /* 960 * Following redirects can have security consequences: it's like 961 * a symlink into the lower layer without the permission checks. 962 * This is only a problem if the upper layer is untrusted (e.g 963 * comes from an USB drive). This can allow a non-readable file 964 * or directory to become readable. 965 * 966 * Only following redirects when redirects are enabled disables 967 * this attack vector when not necessary. 968 */ 969 err = -EPERM; 970 if (d.redirect && !ofs->config.redirect_follow) { 971 pr_warn_ratelimited("overlayfs: refusing to follow redirect for (%pd2)\n", 972 dentry); 973 goto out_put; 974 } 975 976 if (d.stop) 977 break; 978 979 if (d.redirect && d.redirect[0] == '/' && poe != roe) { 980 poe = roe; 981 /* Find the current layer on the root dentry */ 982 i = lower.layer->idx - 1; 983 } 984 } 985 986 if (metacopy) { 987 /* 988 * Found a metacopy dentry but did not find corresponding 989 * data dentry 990 */ 991 if (d.metacopy) { 992 err = -EIO; 993 goto out_put; 994 } 995 996 err = -EPERM; 997 if (!ofs->config.metacopy) { 998 pr_warn_ratelimited("overlay: refusing to follow metacopy origin for (%pd2)\n", 999 dentry); 1000 goto out_put; 1001 } 1002 } else if (!d.is_dir && upperdentry && !ctr && origin_path) { 1003 if (WARN_ON(stack != NULL)) { 1004 err = -EIO; 1005 goto out_put; 1006 } 1007 stack = origin_path; 1008 ctr = 1; 1009 origin_path = NULL; 1010 } 1011 1012 /* 1013 * Lookup index by lower inode and verify it matches upper inode. 1014 * We only trust dir index if we verified that lower dir matches 1015 * origin, otherwise dir index entries may be inconsistent and we 1016 * ignore them. 1017 * 1018 * For non-dir upper metacopy dentry, we already set "origin" if we 1019 * verified that lower matched upper origin. If upper origin was 1020 * not present (because lower layer did not support fh encode/decode), 1021 * or indexing is not enabled, do not set "origin" and skip looking up 1022 * index. This case should be handled in same way as a non-dir upper 1023 * without ORIGIN is handled. 1024 * 1025 * Always lookup index of non-dir non-metacopy and non-upper. 1026 */ 1027 if (ctr && (!upperdentry || (!d.is_dir && !metacopy))) 1028 origin = stack[0].dentry; 1029 1030 if (origin && ovl_indexdir(dentry->d_sb) && 1031 (!d.is_dir || ovl_index_all(dentry->d_sb))) { 1032 index = ovl_lookup_index(ofs, upperdentry, origin, true); 1033 if (IS_ERR(index)) { 1034 err = PTR_ERR(index); 1035 index = NULL; 1036 goto out_put; 1037 } 1038 } 1039 1040 oe = ovl_alloc_entry(ctr); 1041 err = -ENOMEM; 1042 if (!oe) 1043 goto out_put; 1044 1045 memcpy(oe->lowerstack, stack, sizeof(struct ovl_path) * ctr); 1046 dentry->d_fsdata = oe; 1047 1048 if (upperopaque) 1049 ovl_dentry_set_opaque(dentry); 1050 1051 if (upperdentry) 1052 ovl_dentry_set_upper_alias(dentry); 1053 else if (index) { 1054 upperdentry = dget(index); 1055 upperredirect = ovl_get_redirect_xattr(upperdentry, 0); 1056 if (IS_ERR(upperredirect)) { 1057 err = PTR_ERR(upperredirect); 1058 upperredirect = NULL; 1059 goto out_free_oe; 1060 } 1061 } 1062 1063 if (upperdentry || ctr) { 1064 struct ovl_inode_params oip = { 1065 .upperdentry = upperdentry, 1066 .lowerpath = stack, 1067 .index = index, 1068 .numlower = ctr, 1069 .redirect = upperredirect, 1070 .lowerdata = (ctr > 1 && !d.is_dir) ? 1071 stack[ctr - 1].dentry : NULL, 1072 }; 1073 1074 inode = ovl_get_inode(dentry->d_sb, &oip); 1075 err = PTR_ERR(inode); 1076 if (IS_ERR(inode)) 1077 goto out_free_oe; 1078 } 1079 1080 revert_creds(old_cred); 1081 if (origin_path) { 1082 dput(origin_path->dentry); 1083 kfree(origin_path); 1084 } 1085 dput(index); 1086 kfree(stack); 1087 kfree(d.redirect); 1088 return d_splice_alias(inode, dentry); 1089 1090 out_free_oe: 1091 dentry->d_fsdata = NULL; 1092 kfree(oe); 1093 out_put: 1094 dput(index); 1095 for (i = 0; i < ctr; i++) 1096 dput(stack[i].dentry); 1097 kfree(stack); 1098 out_put_upper: 1099 if (origin_path) { 1100 dput(origin_path->dentry); 1101 kfree(origin_path); 1102 } 1103 dput(upperdentry); 1104 kfree(upperredirect); 1105 out: 1106 kfree(d.redirect); 1107 revert_creds(old_cred); 1108 return ERR_PTR(err); 1109 } 1110 1111 bool ovl_lower_positive(struct dentry *dentry) 1112 { 1113 struct ovl_entry *poe = dentry->d_parent->d_fsdata; 1114 const struct qstr *name = &dentry->d_name; 1115 const struct cred *old_cred; 1116 unsigned int i; 1117 bool positive = false; 1118 bool done = false; 1119 1120 /* 1121 * If dentry is negative, then lower is positive iff this is a 1122 * whiteout. 1123 */ 1124 if (!dentry->d_inode) 1125 return ovl_dentry_is_opaque(dentry); 1126 1127 /* Negative upper -> positive lower */ 1128 if (!ovl_dentry_upper(dentry)) 1129 return true; 1130 1131 old_cred = ovl_override_creds(dentry->d_sb); 1132 /* Positive upper -> have to look up lower to see whether it exists */ 1133 for (i = 0; !done && !positive && i < poe->numlower; i++) { 1134 struct dentry *this; 1135 struct dentry *lowerdir = poe->lowerstack[i].dentry; 1136 1137 this = lookup_one_len_unlocked(name->name, lowerdir, 1138 name->len); 1139 if (IS_ERR(this)) { 1140 switch (PTR_ERR(this)) { 1141 case -ENOENT: 1142 case -ENAMETOOLONG: 1143 break; 1144 1145 default: 1146 /* 1147 * Assume something is there, we just couldn't 1148 * access it. 1149 */ 1150 positive = true; 1151 break; 1152 } 1153 } else { 1154 if (this->d_inode) { 1155 positive = !ovl_is_whiteout(this); 1156 done = true; 1157 } 1158 dput(this); 1159 } 1160 } 1161 revert_creds(old_cred); 1162 1163 return positive; 1164 } 1165