1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2011 Novell Inc. 4 * Copyright (C) 2016 Red Hat, Inc. 5 */ 6 7 #include <linux/fs.h> 8 #include <linux/cred.h> 9 #include <linux/ctype.h> 10 #include <linux/namei.h> 11 #include <linux/xattr.h> 12 #include <linux/ratelimit.h> 13 #include <linux/mount.h> 14 #include <linux/exportfs.h> 15 #include "overlayfs.h" 16 17 struct ovl_lookup_data { 18 struct super_block *sb; 19 struct qstr name; 20 bool is_dir; 21 bool opaque; 22 bool stop; 23 bool last; 24 char *redirect; 25 bool metacopy; 26 }; 27 28 static int ovl_check_redirect(struct dentry *dentry, struct ovl_lookup_data *d, 29 size_t prelen, const char *post) 30 { 31 int res; 32 char *buf; 33 struct ovl_fs *ofs = OVL_FS(d->sb); 34 35 buf = ovl_get_redirect_xattr(ofs, dentry, prelen + strlen(post)); 36 if (IS_ERR_OR_NULL(buf)) 37 return PTR_ERR(buf); 38 39 if (buf[0] == '/') { 40 /* 41 * One of the ancestor path elements in an absolute path 42 * lookup in ovl_lookup_layer() could have been opaque and 43 * that will stop further lookup in lower layers (d->stop=true) 44 * But we have found an absolute redirect in decendant path 45 * element and that should force continue lookup in lower 46 * layers (reset d->stop). 47 */ 48 d->stop = false; 49 } else { 50 res = strlen(buf) + 1; 51 memmove(buf + prelen, buf, res); 52 memcpy(buf, d->name.name, prelen); 53 } 54 55 strcat(buf, post); 56 kfree(d->redirect); 57 d->redirect = buf; 58 d->name.name = d->redirect; 59 d->name.len = strlen(d->redirect); 60 61 return 0; 62 } 63 64 static int ovl_acceptable(void *ctx, struct dentry *dentry) 65 { 66 /* 67 * A non-dir origin may be disconnected, which is fine, because 68 * we only need it for its unique inode number. 69 */ 70 if (!d_is_dir(dentry)) 71 return 1; 72 73 /* Don't decode a deleted empty directory */ 74 if (d_unhashed(dentry)) 75 return 0; 76 77 /* Check if directory belongs to the layer we are decoding from */ 78 return is_subdir(dentry, ((struct vfsmount *)ctx)->mnt_root); 79 } 80 81 /* 82 * Check validity of an overlay file handle buffer. 83 * 84 * Return 0 for a valid file handle. 85 * Return -ENODATA for "origin unknown". 86 * Return <0 for an invalid file handle. 87 */ 88 int ovl_check_fb_len(struct ovl_fb *fb, int fb_len) 89 { 90 if (fb_len < sizeof(struct ovl_fb) || fb_len < fb->len) 91 return -EINVAL; 92 93 if (fb->magic != OVL_FH_MAGIC) 94 return -EINVAL; 95 96 /* Treat larger version and unknown flags as "origin unknown" */ 97 if (fb->version > OVL_FH_VERSION || fb->flags & ~OVL_FH_FLAG_ALL) 98 return -ENODATA; 99 100 /* Treat endianness mismatch as "origin unknown" */ 101 if (!(fb->flags & OVL_FH_FLAG_ANY_ENDIAN) && 102 (fb->flags & OVL_FH_FLAG_BIG_ENDIAN) != OVL_FH_FLAG_CPU_ENDIAN) 103 return -ENODATA; 104 105 return 0; 106 } 107 108 static struct ovl_fh *ovl_get_fh(struct ovl_fs *ofs, struct dentry *dentry, 109 enum ovl_xattr ox) 110 { 111 int res, err; 112 struct ovl_fh *fh = NULL; 113 114 res = ovl_do_getxattr(ofs, dentry, ox, NULL, 0); 115 if (res < 0) { 116 if (res == -ENODATA || res == -EOPNOTSUPP) 117 return NULL; 118 goto fail; 119 } 120 /* Zero size value means "copied up but origin unknown" */ 121 if (res == 0) 122 return NULL; 123 124 fh = kzalloc(res + OVL_FH_WIRE_OFFSET, GFP_KERNEL); 125 if (!fh) 126 return ERR_PTR(-ENOMEM); 127 128 res = ovl_do_getxattr(ofs, dentry, ox, fh->buf, res); 129 if (res < 0) 130 goto fail; 131 132 err = ovl_check_fb_len(&fh->fb, res); 133 if (err < 0) { 134 if (err == -ENODATA) 135 goto out; 136 goto invalid; 137 } 138 139 return fh; 140 141 out: 142 kfree(fh); 143 return NULL; 144 145 fail: 146 pr_warn_ratelimited("failed to get origin (%i)\n", res); 147 goto out; 148 invalid: 149 pr_warn_ratelimited("invalid origin (%*phN)\n", res, fh); 150 goto out; 151 } 152 153 struct dentry *ovl_decode_real_fh(struct ovl_fs *ofs, struct ovl_fh *fh, 154 struct vfsmount *mnt, bool connected) 155 { 156 struct dentry *real; 157 int bytes; 158 159 if (!capable(CAP_DAC_READ_SEARCH)) 160 return NULL; 161 162 /* 163 * Make sure that the stored uuid matches the uuid of the lower 164 * layer where file handle will be decoded. 165 * In case of uuid=off option just make sure that stored uuid is null. 166 */ 167 if (ofs->config.uuid ? !uuid_equal(&fh->fb.uuid, &mnt->mnt_sb->s_uuid) : 168 !uuid_is_null(&fh->fb.uuid)) 169 return NULL; 170 171 bytes = (fh->fb.len - offsetof(struct ovl_fb, fid)); 172 real = exportfs_decode_fh(mnt, (struct fid *)fh->fb.fid, 173 bytes >> 2, (int)fh->fb.type, 174 connected ? ovl_acceptable : NULL, mnt); 175 if (IS_ERR(real)) { 176 /* 177 * Treat stale file handle to lower file as "origin unknown". 178 * upper file handle could become stale when upper file is 179 * unlinked and this information is needed to handle stale 180 * index entries correctly. 181 */ 182 if (real == ERR_PTR(-ESTALE) && 183 !(fh->fb.flags & OVL_FH_FLAG_PATH_UPPER)) 184 real = NULL; 185 return real; 186 } 187 188 if (ovl_dentry_weird(real)) { 189 dput(real); 190 return NULL; 191 } 192 193 return real; 194 } 195 196 static bool ovl_is_opaquedir(struct super_block *sb, struct dentry *dentry) 197 { 198 return ovl_check_dir_xattr(sb, dentry, OVL_XATTR_OPAQUE); 199 } 200 201 static struct dentry *ovl_lookup_positive_unlocked(const char *name, 202 struct dentry *base, int len, 203 bool drop_negative) 204 { 205 struct dentry *ret = lookup_one_len_unlocked(name, base, len); 206 207 if (!IS_ERR(ret) && d_flags_negative(smp_load_acquire(&ret->d_flags))) { 208 if (drop_negative && ret->d_lockref.count == 1) { 209 spin_lock(&ret->d_lock); 210 /* Recheck condition under lock */ 211 if (d_is_negative(ret) && ret->d_lockref.count == 1) 212 __d_drop(ret); 213 spin_unlock(&ret->d_lock); 214 } 215 dput(ret); 216 ret = ERR_PTR(-ENOENT); 217 } 218 return ret; 219 } 220 221 static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d, 222 const char *name, unsigned int namelen, 223 size_t prelen, const char *post, 224 struct dentry **ret, bool drop_negative) 225 { 226 struct dentry *this; 227 int err; 228 bool last_element = !post[0]; 229 230 this = ovl_lookup_positive_unlocked(name, base, namelen, drop_negative); 231 if (IS_ERR(this)) { 232 err = PTR_ERR(this); 233 this = NULL; 234 if (err == -ENOENT || err == -ENAMETOOLONG) 235 goto out; 236 goto out_err; 237 } 238 239 if (ovl_dentry_weird(this)) { 240 /* Don't support traversing automounts and other weirdness */ 241 err = -EREMOTE; 242 goto out_err; 243 } 244 if (ovl_is_whiteout(this)) { 245 d->stop = d->opaque = true; 246 goto put_and_out; 247 } 248 /* 249 * This dentry should be a regular file if previous layer lookup 250 * found a metacopy dentry. 251 */ 252 if (last_element && d->metacopy && !d_is_reg(this)) { 253 d->stop = true; 254 goto put_and_out; 255 } 256 if (!d_can_lookup(this)) { 257 if (d->is_dir || !last_element) { 258 d->stop = true; 259 goto put_and_out; 260 } 261 err = ovl_check_metacopy_xattr(OVL_FS(d->sb), this); 262 if (err < 0) 263 goto out_err; 264 265 d->metacopy = err; 266 d->stop = !d->metacopy; 267 if (!d->metacopy || d->last) 268 goto out; 269 } else { 270 if (ovl_lookup_trap_inode(d->sb, this)) { 271 /* Caught in a trap of overlapping layers */ 272 err = -ELOOP; 273 goto out_err; 274 } 275 276 if (last_element) 277 d->is_dir = true; 278 if (d->last) 279 goto out; 280 281 if (ovl_is_opaquedir(d->sb, this)) { 282 d->stop = true; 283 if (last_element) 284 d->opaque = true; 285 goto out; 286 } 287 } 288 err = ovl_check_redirect(this, d, prelen, post); 289 if (err) 290 goto out_err; 291 out: 292 *ret = this; 293 return 0; 294 295 put_and_out: 296 dput(this); 297 this = NULL; 298 goto out; 299 300 out_err: 301 dput(this); 302 return err; 303 } 304 305 static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d, 306 struct dentry **ret, bool drop_negative) 307 { 308 /* Counting down from the end, since the prefix can change */ 309 size_t rem = d->name.len - 1; 310 struct dentry *dentry = NULL; 311 int err; 312 313 if (d->name.name[0] != '/') 314 return ovl_lookup_single(base, d, d->name.name, d->name.len, 315 0, "", ret, drop_negative); 316 317 while (!IS_ERR_OR_NULL(base) && d_can_lookup(base)) { 318 const char *s = d->name.name + d->name.len - rem; 319 const char *next = strchrnul(s, '/'); 320 size_t thislen = next - s; 321 bool end = !next[0]; 322 323 /* Verify we did not go off the rails */ 324 if (WARN_ON(s[-1] != '/')) 325 return -EIO; 326 327 err = ovl_lookup_single(base, d, s, thislen, 328 d->name.len - rem, next, &base, 329 drop_negative); 330 dput(dentry); 331 if (err) 332 return err; 333 dentry = base; 334 if (end) 335 break; 336 337 rem -= thislen + 1; 338 339 if (WARN_ON(rem >= d->name.len)) 340 return -EIO; 341 } 342 *ret = dentry; 343 return 0; 344 } 345 346 347 int ovl_check_origin_fh(struct ovl_fs *ofs, struct ovl_fh *fh, bool connected, 348 struct dentry *upperdentry, struct ovl_path **stackp) 349 { 350 struct dentry *origin = NULL; 351 int i; 352 353 for (i = 1; i < ofs->numlayer; i++) { 354 /* 355 * If lower fs uuid is not unique among lower fs we cannot match 356 * fh->uuid to layer. 357 */ 358 if (ofs->layers[i].fsid && 359 ofs->layers[i].fs->bad_uuid) 360 continue; 361 362 origin = ovl_decode_real_fh(ofs, fh, ofs->layers[i].mnt, 363 connected); 364 if (origin) 365 break; 366 } 367 368 if (!origin) 369 return -ESTALE; 370 else if (IS_ERR(origin)) 371 return PTR_ERR(origin); 372 373 if (upperdentry && !ovl_is_whiteout(upperdentry) && 374 ((d_inode(origin)->i_mode ^ d_inode(upperdentry)->i_mode) & S_IFMT)) 375 goto invalid; 376 377 if (!*stackp) 378 *stackp = kmalloc(sizeof(struct ovl_path), GFP_KERNEL); 379 if (!*stackp) { 380 dput(origin); 381 return -ENOMEM; 382 } 383 **stackp = (struct ovl_path){ 384 .dentry = origin, 385 .layer = &ofs->layers[i] 386 }; 387 388 return 0; 389 390 invalid: 391 pr_warn_ratelimited("invalid origin (%pd2, ftype=%x, origin ftype=%x).\n", 392 upperdentry, d_inode(upperdentry)->i_mode & S_IFMT, 393 d_inode(origin)->i_mode & S_IFMT); 394 dput(origin); 395 return -EIO; 396 } 397 398 static int ovl_check_origin(struct ovl_fs *ofs, struct dentry *upperdentry, 399 struct ovl_path **stackp) 400 { 401 struct ovl_fh *fh = ovl_get_fh(ofs, upperdentry, OVL_XATTR_ORIGIN); 402 int err; 403 404 if (IS_ERR_OR_NULL(fh)) 405 return PTR_ERR(fh); 406 407 err = ovl_check_origin_fh(ofs, fh, false, upperdentry, stackp); 408 kfree(fh); 409 410 if (err) { 411 if (err == -ESTALE) 412 return 0; 413 return err; 414 } 415 416 return 0; 417 } 418 419 /* 420 * Verify that @fh matches the file handle stored in xattr @name. 421 * Return 0 on match, -ESTALE on mismatch, < 0 on error. 422 */ 423 static int ovl_verify_fh(struct ovl_fs *ofs, struct dentry *dentry, 424 enum ovl_xattr ox, const struct ovl_fh *fh) 425 { 426 struct ovl_fh *ofh = ovl_get_fh(ofs, dentry, ox); 427 int err = 0; 428 429 if (!ofh) 430 return -ENODATA; 431 432 if (IS_ERR(ofh)) 433 return PTR_ERR(ofh); 434 435 if (fh->fb.len != ofh->fb.len || memcmp(&fh->fb, &ofh->fb, fh->fb.len)) 436 err = -ESTALE; 437 438 kfree(ofh); 439 return err; 440 } 441 442 /* 443 * Verify that @real dentry matches the file handle stored in xattr @name. 444 * 445 * If @set is true and there is no stored file handle, encode @real and store 446 * file handle in xattr @name. 447 * 448 * Return 0 on match, -ESTALE on mismatch, -ENODATA on no xattr, < 0 on error. 449 */ 450 int ovl_verify_set_fh(struct ovl_fs *ofs, struct dentry *dentry, 451 enum ovl_xattr ox, struct dentry *real, bool is_upper, 452 bool set) 453 { 454 struct inode *inode; 455 struct ovl_fh *fh; 456 int err; 457 458 fh = ovl_encode_real_fh(ofs, real, is_upper); 459 err = PTR_ERR(fh); 460 if (IS_ERR(fh)) { 461 fh = NULL; 462 goto fail; 463 } 464 465 err = ovl_verify_fh(ofs, dentry, ox, fh); 466 if (set && err == -ENODATA) 467 err = ovl_do_setxattr(ofs, dentry, ox, fh->buf, fh->fb.len); 468 if (err) 469 goto fail; 470 471 out: 472 kfree(fh); 473 return err; 474 475 fail: 476 inode = d_inode(real); 477 pr_warn_ratelimited("failed to verify %s (%pd2, ino=%lu, err=%i)\n", 478 is_upper ? "upper" : "origin", real, 479 inode ? inode->i_ino : 0, err); 480 goto out; 481 } 482 483 /* Get upper dentry from index */ 484 struct dentry *ovl_index_upper(struct ovl_fs *ofs, struct dentry *index) 485 { 486 struct ovl_fh *fh; 487 struct dentry *upper; 488 489 if (!d_is_dir(index)) 490 return dget(index); 491 492 fh = ovl_get_fh(ofs, index, OVL_XATTR_UPPER); 493 if (IS_ERR_OR_NULL(fh)) 494 return ERR_CAST(fh); 495 496 upper = ovl_decode_real_fh(ofs, fh, ovl_upper_mnt(ofs), true); 497 kfree(fh); 498 499 if (IS_ERR_OR_NULL(upper)) 500 return upper ?: ERR_PTR(-ESTALE); 501 502 if (!d_is_dir(upper)) { 503 pr_warn_ratelimited("invalid index upper (%pd2, upper=%pd2).\n", 504 index, upper); 505 dput(upper); 506 return ERR_PTR(-EIO); 507 } 508 509 return upper; 510 } 511 512 /* 513 * Verify that an index entry name matches the origin file handle stored in 514 * OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path. 515 * Return 0 on match, -ESTALE on mismatch or stale origin, < 0 on error. 516 */ 517 int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index) 518 { 519 struct ovl_fh *fh = NULL; 520 size_t len; 521 struct ovl_path origin = { }; 522 struct ovl_path *stack = &origin; 523 struct dentry *upper = NULL; 524 int err; 525 526 if (!d_inode(index)) 527 return 0; 528 529 err = -EINVAL; 530 if (index->d_name.len < sizeof(struct ovl_fb)*2) 531 goto fail; 532 533 err = -ENOMEM; 534 len = index->d_name.len / 2; 535 fh = kzalloc(len + OVL_FH_WIRE_OFFSET, GFP_KERNEL); 536 if (!fh) 537 goto fail; 538 539 err = -EINVAL; 540 if (hex2bin(fh->buf, index->d_name.name, len)) 541 goto fail; 542 543 err = ovl_check_fb_len(&fh->fb, len); 544 if (err) 545 goto fail; 546 547 /* 548 * Whiteout index entries are used as an indication that an exported 549 * overlay file handle should be treated as stale (i.e. after unlink 550 * of the overlay inode). These entries contain no origin xattr. 551 */ 552 if (ovl_is_whiteout(index)) 553 goto out; 554 555 /* 556 * Verifying directory index entries are not stale is expensive, so 557 * only verify stale dir index if NFS export is enabled. 558 */ 559 if (d_is_dir(index) && !ofs->config.nfs_export) 560 goto out; 561 562 /* 563 * Directory index entries should have 'upper' xattr pointing to the 564 * real upper dir. Non-dir index entries are hardlinks to the upper 565 * real inode. For non-dir index, we can read the copy up origin xattr 566 * directly from the index dentry, but for dir index we first need to 567 * decode the upper directory. 568 */ 569 upper = ovl_index_upper(ofs, index); 570 if (IS_ERR_OR_NULL(upper)) { 571 err = PTR_ERR(upper); 572 /* 573 * Directory index entries with no 'upper' xattr need to be 574 * removed. When dir index entry has a stale 'upper' xattr, 575 * we assume that upper dir was removed and we treat the dir 576 * index as orphan entry that needs to be whited out. 577 */ 578 if (err == -ESTALE) 579 goto orphan; 580 else if (!err) 581 err = -ESTALE; 582 goto fail; 583 } 584 585 err = ovl_verify_fh(ofs, upper, OVL_XATTR_ORIGIN, fh); 586 dput(upper); 587 if (err) 588 goto fail; 589 590 /* Check if non-dir index is orphan and don't warn before cleaning it */ 591 if (!d_is_dir(index) && d_inode(index)->i_nlink == 1) { 592 err = ovl_check_origin_fh(ofs, fh, false, index, &stack); 593 if (err) 594 goto fail; 595 596 if (ovl_get_nlink(ofs, origin.dentry, index, 0) == 0) 597 goto orphan; 598 } 599 600 out: 601 dput(origin.dentry); 602 kfree(fh); 603 return err; 604 605 fail: 606 pr_warn_ratelimited("failed to verify index (%pd2, ftype=%x, err=%i)\n", 607 index, d_inode(index)->i_mode & S_IFMT, err); 608 goto out; 609 610 orphan: 611 pr_warn_ratelimited("orphan index entry (%pd2, ftype=%x, nlink=%u)\n", 612 index, d_inode(index)->i_mode & S_IFMT, 613 d_inode(index)->i_nlink); 614 err = -ENOENT; 615 goto out; 616 } 617 618 static int ovl_get_index_name_fh(struct ovl_fh *fh, struct qstr *name) 619 { 620 char *n, *s; 621 622 n = kcalloc(fh->fb.len, 2, GFP_KERNEL); 623 if (!n) 624 return -ENOMEM; 625 626 s = bin2hex(n, fh->buf, fh->fb.len); 627 *name = (struct qstr) QSTR_INIT(n, s - n); 628 629 return 0; 630 631 } 632 633 /* 634 * Lookup in indexdir for the index entry of a lower real inode or a copy up 635 * origin inode. The index entry name is the hex representation of the lower 636 * inode file handle. 637 * 638 * If the index dentry in negative, then either no lower aliases have been 639 * copied up yet, or aliases have been copied up in older kernels and are 640 * not indexed. 641 * 642 * If the index dentry for a copy up origin inode is positive, but points 643 * to an inode different than the upper inode, then either the upper inode 644 * has been copied up and not indexed or it was indexed, but since then 645 * index dir was cleared. Either way, that index cannot be used to indentify 646 * the overlay inode. 647 */ 648 int ovl_get_index_name(struct ovl_fs *ofs, struct dentry *origin, 649 struct qstr *name) 650 { 651 struct ovl_fh *fh; 652 int err; 653 654 fh = ovl_encode_real_fh(ofs, origin, false); 655 if (IS_ERR(fh)) 656 return PTR_ERR(fh); 657 658 err = ovl_get_index_name_fh(fh, name); 659 660 kfree(fh); 661 return err; 662 } 663 664 /* Lookup index by file handle for NFS export */ 665 struct dentry *ovl_get_index_fh(struct ovl_fs *ofs, struct ovl_fh *fh) 666 { 667 struct dentry *index; 668 struct qstr name; 669 int err; 670 671 err = ovl_get_index_name_fh(fh, &name); 672 if (err) 673 return ERR_PTR(err); 674 675 index = lookup_positive_unlocked(name.name, ofs->indexdir, name.len); 676 kfree(name.name); 677 if (IS_ERR(index)) { 678 if (PTR_ERR(index) == -ENOENT) 679 index = NULL; 680 return index; 681 } 682 683 if (ovl_is_whiteout(index)) 684 err = -ESTALE; 685 else if (ovl_dentry_weird(index)) 686 err = -EIO; 687 else 688 return index; 689 690 dput(index); 691 return ERR_PTR(err); 692 } 693 694 struct dentry *ovl_lookup_index(struct ovl_fs *ofs, struct dentry *upper, 695 struct dentry *origin, bool verify) 696 { 697 struct dentry *index; 698 struct inode *inode; 699 struct qstr name; 700 bool is_dir = d_is_dir(origin); 701 int err; 702 703 err = ovl_get_index_name(ofs, origin, &name); 704 if (err) 705 return ERR_PTR(err); 706 707 index = lookup_positive_unlocked(name.name, ofs->indexdir, name.len); 708 if (IS_ERR(index)) { 709 err = PTR_ERR(index); 710 if (err == -ENOENT) { 711 index = NULL; 712 goto out; 713 } 714 pr_warn_ratelimited("failed inode index lookup (ino=%lu, key=%.*s, err=%i);\n" 715 "overlayfs: mount with '-o index=off' to disable inodes index.\n", 716 d_inode(origin)->i_ino, name.len, name.name, 717 err); 718 goto out; 719 } 720 721 inode = d_inode(index); 722 if (ovl_is_whiteout(index) && !verify) { 723 /* 724 * When index lookup is called with !verify for decoding an 725 * overlay file handle, a whiteout index implies that decode 726 * should treat file handle as stale and no need to print a 727 * warning about it. 728 */ 729 dput(index); 730 index = ERR_PTR(-ESTALE); 731 goto out; 732 } else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) || 733 ((inode->i_mode ^ d_inode(origin)->i_mode) & S_IFMT)) { 734 /* 735 * Index should always be of the same file type as origin 736 * except for the case of a whiteout index. A whiteout 737 * index should only exist if all lower aliases have been 738 * unlinked, which means that finding a lower origin on lookup 739 * whose index is a whiteout should be treated as an error. 740 */ 741 pr_warn_ratelimited("bad index found (index=%pd2, ftype=%x, origin ftype=%x).\n", 742 index, d_inode(index)->i_mode & S_IFMT, 743 d_inode(origin)->i_mode & S_IFMT); 744 goto fail; 745 } else if (is_dir && verify) { 746 if (!upper) { 747 pr_warn_ratelimited("suspected uncovered redirected dir found (origin=%pd2, index=%pd2).\n", 748 origin, index); 749 goto fail; 750 } 751 752 /* Verify that dir index 'upper' xattr points to upper dir */ 753 err = ovl_verify_upper(ofs, index, upper, false); 754 if (err) { 755 if (err == -ESTALE) { 756 pr_warn_ratelimited("suspected multiply redirected dir found (upper=%pd2, origin=%pd2, index=%pd2).\n", 757 upper, origin, index); 758 } 759 goto fail; 760 } 761 } else if (upper && d_inode(upper) != inode) { 762 goto out_dput; 763 } 764 out: 765 kfree(name.name); 766 return index; 767 768 out_dput: 769 dput(index); 770 index = NULL; 771 goto out; 772 773 fail: 774 dput(index); 775 index = ERR_PTR(-EIO); 776 goto out; 777 } 778 779 /* 780 * Returns next layer in stack starting from top. 781 * Returns -1 if this is the last layer. 782 */ 783 int ovl_path_next(int idx, struct dentry *dentry, struct path *path) 784 { 785 struct ovl_entry *oe = dentry->d_fsdata; 786 787 BUG_ON(idx < 0); 788 if (idx == 0) { 789 ovl_path_upper(dentry, path); 790 if (path->dentry) 791 return oe->numlower ? 1 : -1; 792 idx++; 793 } 794 BUG_ON(idx > oe->numlower); 795 path->dentry = oe->lowerstack[idx - 1].dentry; 796 path->mnt = oe->lowerstack[idx - 1].layer->mnt; 797 798 return (idx < oe->numlower) ? idx + 1 : -1; 799 } 800 801 /* Fix missing 'origin' xattr */ 802 static int ovl_fix_origin(struct ovl_fs *ofs, struct dentry *dentry, 803 struct dentry *lower, struct dentry *upper) 804 { 805 int err; 806 807 if (ovl_check_origin_xattr(ofs, upper)) 808 return 0; 809 810 err = ovl_want_write(dentry); 811 if (err) 812 return err; 813 814 err = ovl_set_origin(ofs, dentry, lower, upper); 815 if (!err) 816 err = ovl_set_impure(dentry->d_parent, upper->d_parent); 817 818 ovl_drop_write(dentry); 819 return err; 820 } 821 822 struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry, 823 unsigned int flags) 824 { 825 struct ovl_entry *oe; 826 const struct cred *old_cred; 827 struct ovl_fs *ofs = dentry->d_sb->s_fs_info; 828 struct ovl_entry *poe = dentry->d_parent->d_fsdata; 829 struct ovl_entry *roe = dentry->d_sb->s_root->d_fsdata; 830 struct ovl_path *stack = NULL, *origin_path = NULL; 831 struct dentry *upperdir, *upperdentry = NULL; 832 struct dentry *origin = NULL; 833 struct dentry *index = NULL; 834 unsigned int ctr = 0; 835 struct inode *inode = NULL; 836 bool upperopaque = false; 837 char *upperredirect = NULL; 838 struct dentry *this; 839 unsigned int i; 840 int err; 841 bool uppermetacopy = false; 842 struct ovl_lookup_data d = { 843 .sb = dentry->d_sb, 844 .name = dentry->d_name, 845 .is_dir = false, 846 .opaque = false, 847 .stop = false, 848 .last = ofs->config.redirect_follow ? false : !poe->numlower, 849 .redirect = NULL, 850 .metacopy = false, 851 }; 852 853 if (dentry->d_name.len > ofs->namelen) 854 return ERR_PTR(-ENAMETOOLONG); 855 856 old_cred = ovl_override_creds(dentry->d_sb); 857 upperdir = ovl_dentry_upper(dentry->d_parent); 858 if (upperdir) { 859 err = ovl_lookup_layer(upperdir, &d, &upperdentry, true); 860 if (err) 861 goto out; 862 863 if (upperdentry && upperdentry->d_flags & DCACHE_OP_REAL) { 864 dput(upperdentry); 865 err = -EREMOTE; 866 goto out; 867 } 868 if (upperdentry && !d.is_dir) { 869 /* 870 * Lookup copy up origin by decoding origin file handle. 871 * We may get a disconnected dentry, which is fine, 872 * because we only need to hold the origin inode in 873 * cache and use its inode number. We may even get a 874 * connected dentry, that is not under any of the lower 875 * layers root. That is also fine for using it's inode 876 * number - it's the same as if we held a reference 877 * to a dentry in lower layer that was moved under us. 878 */ 879 err = ovl_check_origin(ofs, upperdentry, &origin_path); 880 if (err) 881 goto out_put_upper; 882 883 if (d.metacopy) 884 uppermetacopy = true; 885 } 886 887 if (d.redirect) { 888 err = -ENOMEM; 889 upperredirect = kstrdup(d.redirect, GFP_KERNEL); 890 if (!upperredirect) 891 goto out_put_upper; 892 if (d.redirect[0] == '/') 893 poe = roe; 894 } 895 upperopaque = d.opaque; 896 } 897 898 if (!d.stop && poe->numlower) { 899 err = -ENOMEM; 900 stack = kcalloc(ofs->numlayer - 1, sizeof(struct ovl_path), 901 GFP_KERNEL); 902 if (!stack) 903 goto out_put_upper; 904 } 905 906 for (i = 0; !d.stop && i < poe->numlower; i++) { 907 struct ovl_path lower = poe->lowerstack[i]; 908 909 if (!ofs->config.redirect_follow) 910 d.last = i == poe->numlower - 1; 911 else 912 d.last = lower.layer->idx == roe->numlower; 913 914 err = ovl_lookup_layer(lower.dentry, &d, &this, false); 915 if (err) 916 goto out_put; 917 918 if (!this) 919 continue; 920 921 if ((uppermetacopy || d.metacopy) && !ofs->config.metacopy) { 922 err = -EPERM; 923 pr_warn_ratelimited("refusing to follow metacopy origin for (%pd2)\n", dentry); 924 goto out_put; 925 } 926 927 /* 928 * If no origin fh is stored in upper of a merge dir, store fh 929 * of lower dir and set upper parent "impure". 930 */ 931 if (upperdentry && !ctr && !ofs->noxattr && d.is_dir) { 932 err = ovl_fix_origin(ofs, dentry, this, upperdentry); 933 if (err) { 934 dput(this); 935 goto out_put; 936 } 937 } 938 939 /* 940 * When "verify_lower" feature is enabled, do not merge with a 941 * lower dir that does not match a stored origin xattr. In any 942 * case, only verified origin is used for index lookup. 943 * 944 * For non-dir dentry, if index=on, then ensure origin 945 * matches the dentry found using path based lookup, 946 * otherwise error out. 947 */ 948 if (upperdentry && !ctr && 949 ((d.is_dir && ovl_verify_lower(dentry->d_sb)) || 950 (!d.is_dir && ofs->config.index && origin_path))) { 951 err = ovl_verify_origin(ofs, upperdentry, this, false); 952 if (err) { 953 dput(this); 954 if (d.is_dir) 955 break; 956 goto out_put; 957 } 958 origin = this; 959 } 960 961 if (d.metacopy && ctr) { 962 /* 963 * Do not store intermediate metacopy dentries in 964 * lower chain, except top most lower metacopy dentry. 965 * Continue the loop so that if there is an absolute 966 * redirect on this dentry, poe can be reset to roe. 967 */ 968 dput(this); 969 this = NULL; 970 } else { 971 stack[ctr].dentry = this; 972 stack[ctr].layer = lower.layer; 973 ctr++; 974 } 975 976 /* 977 * Following redirects can have security consequences: it's like 978 * a symlink into the lower layer without the permission checks. 979 * This is only a problem if the upper layer is untrusted (e.g 980 * comes from an USB drive). This can allow a non-readable file 981 * or directory to become readable. 982 * 983 * Only following redirects when redirects are enabled disables 984 * this attack vector when not necessary. 985 */ 986 err = -EPERM; 987 if (d.redirect && !ofs->config.redirect_follow) { 988 pr_warn_ratelimited("refusing to follow redirect for (%pd2)\n", 989 dentry); 990 goto out_put; 991 } 992 993 if (d.stop) 994 break; 995 996 if (d.redirect && d.redirect[0] == '/' && poe != roe) { 997 poe = roe; 998 /* Find the current layer on the root dentry */ 999 i = lower.layer->idx - 1; 1000 } 1001 } 1002 1003 /* 1004 * For regular non-metacopy upper dentries, there is no lower 1005 * path based lookup, hence ctr will be zero. If a dentry is found 1006 * using ORIGIN xattr on upper, install it in stack. 1007 * 1008 * For metacopy dentry, path based lookup will find lower dentries. 1009 * Just make sure a corresponding data dentry has been found. 1010 */ 1011 if (d.metacopy || (uppermetacopy && !ctr)) { 1012 pr_warn_ratelimited("metacopy with no lower data found - abort lookup (%pd2)\n", 1013 dentry); 1014 err = -EIO; 1015 goto out_put; 1016 } else if (!d.is_dir && upperdentry && !ctr && origin_path) { 1017 if (WARN_ON(stack != NULL)) { 1018 err = -EIO; 1019 goto out_put; 1020 } 1021 stack = origin_path; 1022 ctr = 1; 1023 origin = origin_path->dentry; 1024 origin_path = NULL; 1025 } 1026 1027 /* 1028 * Always lookup index if there is no-upperdentry. 1029 * 1030 * For the case of upperdentry, we have set origin by now if it 1031 * needed to be set. There are basically three cases. 1032 * 1033 * For directories, lookup index by lower inode and verify it matches 1034 * upper inode. We only trust dir index if we verified that lower dir 1035 * matches origin, otherwise dir index entries may be inconsistent 1036 * and we ignore them. 1037 * 1038 * For regular upper, we already set origin if upper had ORIGIN 1039 * xattr. There is no verification though as there is no path 1040 * based dentry lookup in lower in this case. 1041 * 1042 * For metacopy upper, we set a verified origin already if index 1043 * is enabled and if upper had an ORIGIN xattr. 1044 * 1045 */ 1046 if (!upperdentry && ctr) 1047 origin = stack[0].dentry; 1048 1049 if (origin && ovl_indexdir(dentry->d_sb) && 1050 (!d.is_dir || ovl_index_all(dentry->d_sb))) { 1051 index = ovl_lookup_index(ofs, upperdentry, origin, true); 1052 if (IS_ERR(index)) { 1053 err = PTR_ERR(index); 1054 index = NULL; 1055 goto out_put; 1056 } 1057 } 1058 1059 oe = ovl_alloc_entry(ctr); 1060 err = -ENOMEM; 1061 if (!oe) 1062 goto out_put; 1063 1064 memcpy(oe->lowerstack, stack, sizeof(struct ovl_path) * ctr); 1065 dentry->d_fsdata = oe; 1066 1067 if (upperopaque) 1068 ovl_dentry_set_opaque(dentry); 1069 1070 if (upperdentry) 1071 ovl_dentry_set_upper_alias(dentry); 1072 else if (index) { 1073 upperdentry = dget(index); 1074 upperredirect = ovl_get_redirect_xattr(ofs, upperdentry, 0); 1075 if (IS_ERR(upperredirect)) { 1076 err = PTR_ERR(upperredirect); 1077 upperredirect = NULL; 1078 goto out_free_oe; 1079 } 1080 err = ovl_check_metacopy_xattr(ofs, upperdentry); 1081 if (err < 0) 1082 goto out_free_oe; 1083 uppermetacopy = err; 1084 } 1085 1086 if (upperdentry || ctr) { 1087 struct ovl_inode_params oip = { 1088 .upperdentry = upperdentry, 1089 .lowerpath = stack, 1090 .index = index, 1091 .numlower = ctr, 1092 .redirect = upperredirect, 1093 .lowerdata = (ctr > 1 && !d.is_dir) ? 1094 stack[ctr - 1].dentry : NULL, 1095 }; 1096 1097 inode = ovl_get_inode(dentry->d_sb, &oip); 1098 err = PTR_ERR(inode); 1099 if (IS_ERR(inode)) 1100 goto out_free_oe; 1101 if (upperdentry && !uppermetacopy) 1102 ovl_set_flag(OVL_UPPERDATA, inode); 1103 } 1104 1105 ovl_dentry_update_reval(dentry, upperdentry, 1106 DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE); 1107 1108 revert_creds(old_cred); 1109 if (origin_path) { 1110 dput(origin_path->dentry); 1111 kfree(origin_path); 1112 } 1113 dput(index); 1114 kfree(stack); 1115 kfree(d.redirect); 1116 return d_splice_alias(inode, dentry); 1117 1118 out_free_oe: 1119 dentry->d_fsdata = NULL; 1120 kfree(oe); 1121 out_put: 1122 dput(index); 1123 for (i = 0; i < ctr; i++) 1124 dput(stack[i].dentry); 1125 kfree(stack); 1126 out_put_upper: 1127 if (origin_path) { 1128 dput(origin_path->dentry); 1129 kfree(origin_path); 1130 } 1131 dput(upperdentry); 1132 kfree(upperredirect); 1133 out: 1134 kfree(d.redirect); 1135 revert_creds(old_cred); 1136 return ERR_PTR(err); 1137 } 1138 1139 bool ovl_lower_positive(struct dentry *dentry) 1140 { 1141 struct ovl_entry *poe = dentry->d_parent->d_fsdata; 1142 const struct qstr *name = &dentry->d_name; 1143 const struct cred *old_cred; 1144 unsigned int i; 1145 bool positive = false; 1146 bool done = false; 1147 1148 /* 1149 * If dentry is negative, then lower is positive iff this is a 1150 * whiteout. 1151 */ 1152 if (!dentry->d_inode) 1153 return ovl_dentry_is_opaque(dentry); 1154 1155 /* Negative upper -> positive lower */ 1156 if (!ovl_dentry_upper(dentry)) 1157 return true; 1158 1159 old_cred = ovl_override_creds(dentry->d_sb); 1160 /* Positive upper -> have to look up lower to see whether it exists */ 1161 for (i = 0; !done && !positive && i < poe->numlower; i++) { 1162 struct dentry *this; 1163 struct dentry *lowerdir = poe->lowerstack[i].dentry; 1164 1165 this = lookup_positive_unlocked(name->name, lowerdir, 1166 name->len); 1167 if (IS_ERR(this)) { 1168 switch (PTR_ERR(this)) { 1169 case -ENOENT: 1170 case -ENAMETOOLONG: 1171 break; 1172 1173 default: 1174 /* 1175 * Assume something is there, we just couldn't 1176 * access it. 1177 */ 1178 positive = true; 1179 break; 1180 } 1181 } else { 1182 positive = !ovl_is_whiteout(this); 1183 done = true; 1184 dput(this); 1185 } 1186 } 1187 revert_creds(old_cred); 1188 1189 return positive; 1190 } 1191