xref: /linux/fs/overlayfs/namei.c (revision b77e0ce62d63a761ffb7f7245a215a49f5921c2f)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2011 Novell Inc.
4  * Copyright (C) 2016 Red Hat, Inc.
5  */
6 
7 #include <linux/fs.h>
8 #include <linux/cred.h>
9 #include <linux/ctype.h>
10 #include <linux/namei.h>
11 #include <linux/xattr.h>
12 #include <linux/ratelimit.h>
13 #include <linux/mount.h>
14 #include <linux/exportfs.h>
15 #include "overlayfs.h"
16 
17 struct ovl_lookup_data {
18 	struct super_block *sb;
19 	struct qstr name;
20 	bool is_dir;
21 	bool opaque;
22 	bool stop;
23 	bool last;
24 	char *redirect;
25 	bool metacopy;
26 };
27 
28 static int ovl_check_redirect(struct dentry *dentry, struct ovl_lookup_data *d,
29 			      size_t prelen, const char *post)
30 {
31 	int res;
32 	char *buf;
33 	struct ovl_fs *ofs = OVL_FS(d->sb);
34 
35 	buf = ovl_get_redirect_xattr(ofs, dentry, prelen + strlen(post));
36 	if (IS_ERR_OR_NULL(buf))
37 		return PTR_ERR(buf);
38 
39 	if (buf[0] == '/') {
40 		/*
41 		 * One of the ancestor path elements in an absolute path
42 		 * lookup in ovl_lookup_layer() could have been opaque and
43 		 * that will stop further lookup in lower layers (d->stop=true)
44 		 * But we have found an absolute redirect in decendant path
45 		 * element and that should force continue lookup in lower
46 		 * layers (reset d->stop).
47 		 */
48 		d->stop = false;
49 	} else {
50 		res = strlen(buf) + 1;
51 		memmove(buf + prelen, buf, res);
52 		memcpy(buf, d->name.name, prelen);
53 	}
54 
55 	strcat(buf, post);
56 	kfree(d->redirect);
57 	d->redirect = buf;
58 	d->name.name = d->redirect;
59 	d->name.len = strlen(d->redirect);
60 
61 	return 0;
62 }
63 
64 static int ovl_acceptable(void *ctx, struct dentry *dentry)
65 {
66 	/*
67 	 * A non-dir origin may be disconnected, which is fine, because
68 	 * we only need it for its unique inode number.
69 	 */
70 	if (!d_is_dir(dentry))
71 		return 1;
72 
73 	/* Don't decode a deleted empty directory */
74 	if (d_unhashed(dentry))
75 		return 0;
76 
77 	/* Check if directory belongs to the layer we are decoding from */
78 	return is_subdir(dentry, ((struct vfsmount *)ctx)->mnt_root);
79 }
80 
81 /*
82  * Check validity of an overlay file handle buffer.
83  *
84  * Return 0 for a valid file handle.
85  * Return -ENODATA for "origin unknown".
86  * Return <0 for an invalid file handle.
87  */
88 int ovl_check_fb_len(struct ovl_fb *fb, int fb_len)
89 {
90 	if (fb_len < sizeof(struct ovl_fb) || fb_len < fb->len)
91 		return -EINVAL;
92 
93 	if (fb->magic != OVL_FH_MAGIC)
94 		return -EINVAL;
95 
96 	/* Treat larger version and unknown flags as "origin unknown" */
97 	if (fb->version > OVL_FH_VERSION || fb->flags & ~OVL_FH_FLAG_ALL)
98 		return -ENODATA;
99 
100 	/* Treat endianness mismatch as "origin unknown" */
101 	if (!(fb->flags & OVL_FH_FLAG_ANY_ENDIAN) &&
102 	    (fb->flags & OVL_FH_FLAG_BIG_ENDIAN) != OVL_FH_FLAG_CPU_ENDIAN)
103 		return -ENODATA;
104 
105 	return 0;
106 }
107 
108 static struct ovl_fh *ovl_get_fh(struct ovl_fs *ofs, struct dentry *dentry,
109 				 enum ovl_xattr ox)
110 {
111 	int res, err;
112 	struct ovl_fh *fh = NULL;
113 
114 	res = ovl_do_getxattr(ofs, dentry, ox, NULL, 0);
115 	if (res < 0) {
116 		if (res == -ENODATA || res == -EOPNOTSUPP)
117 			return NULL;
118 		goto fail;
119 	}
120 	/* Zero size value means "copied up but origin unknown" */
121 	if (res == 0)
122 		return NULL;
123 
124 	fh = kzalloc(res + OVL_FH_WIRE_OFFSET, GFP_KERNEL);
125 	if (!fh)
126 		return ERR_PTR(-ENOMEM);
127 
128 	res = ovl_do_getxattr(ofs, dentry, ox, fh->buf, res);
129 	if (res < 0)
130 		goto fail;
131 
132 	err = ovl_check_fb_len(&fh->fb, res);
133 	if (err < 0) {
134 		if (err == -ENODATA)
135 			goto out;
136 		goto invalid;
137 	}
138 
139 	return fh;
140 
141 out:
142 	kfree(fh);
143 	return NULL;
144 
145 fail:
146 	pr_warn_ratelimited("failed to get origin (%i)\n", res);
147 	goto out;
148 invalid:
149 	pr_warn_ratelimited("invalid origin (%*phN)\n", res, fh);
150 	goto out;
151 }
152 
153 struct dentry *ovl_decode_real_fh(struct ovl_fs *ofs, struct ovl_fh *fh,
154 				  struct vfsmount *mnt, bool connected)
155 {
156 	struct dentry *real;
157 	int bytes;
158 
159 	if (!capable(CAP_DAC_READ_SEARCH))
160 		return NULL;
161 
162 	/*
163 	 * Make sure that the stored uuid matches the uuid of the lower
164 	 * layer where file handle will be decoded.
165 	 * In case of uuid=off option just make sure that stored uuid is null.
166 	 */
167 	if (ofs->config.uuid ? !uuid_equal(&fh->fb.uuid, &mnt->mnt_sb->s_uuid) :
168 			      !uuid_is_null(&fh->fb.uuid))
169 		return NULL;
170 
171 	bytes = (fh->fb.len - offsetof(struct ovl_fb, fid));
172 	real = exportfs_decode_fh(mnt, (struct fid *)fh->fb.fid,
173 				  bytes >> 2, (int)fh->fb.type,
174 				  connected ? ovl_acceptable : NULL, mnt);
175 	if (IS_ERR(real)) {
176 		/*
177 		 * Treat stale file handle to lower file as "origin unknown".
178 		 * upper file handle could become stale when upper file is
179 		 * unlinked and this information is needed to handle stale
180 		 * index entries correctly.
181 		 */
182 		if (real == ERR_PTR(-ESTALE) &&
183 		    !(fh->fb.flags & OVL_FH_FLAG_PATH_UPPER))
184 			real = NULL;
185 		return real;
186 	}
187 
188 	if (ovl_dentry_weird(real)) {
189 		dput(real);
190 		return NULL;
191 	}
192 
193 	return real;
194 }
195 
196 static bool ovl_is_opaquedir(struct super_block *sb, struct dentry *dentry)
197 {
198 	return ovl_check_dir_xattr(sb, dentry, OVL_XATTR_OPAQUE);
199 }
200 
201 static struct dentry *ovl_lookup_positive_unlocked(const char *name,
202 						   struct dentry *base, int len,
203 						   bool drop_negative)
204 {
205 	struct dentry *ret = lookup_one_len_unlocked(name, base, len);
206 
207 	if (!IS_ERR(ret) && d_flags_negative(smp_load_acquire(&ret->d_flags))) {
208 		if (drop_negative && ret->d_lockref.count == 1) {
209 			spin_lock(&ret->d_lock);
210 			/* Recheck condition under lock */
211 			if (d_is_negative(ret) && ret->d_lockref.count == 1)
212 				__d_drop(ret);
213 			spin_unlock(&ret->d_lock);
214 		}
215 		dput(ret);
216 		ret = ERR_PTR(-ENOENT);
217 	}
218 	return ret;
219 }
220 
221 static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d,
222 			     const char *name, unsigned int namelen,
223 			     size_t prelen, const char *post,
224 			     struct dentry **ret, bool drop_negative)
225 {
226 	struct dentry *this;
227 	int err;
228 	bool last_element = !post[0];
229 
230 	this = ovl_lookup_positive_unlocked(name, base, namelen, drop_negative);
231 	if (IS_ERR(this)) {
232 		err = PTR_ERR(this);
233 		this = NULL;
234 		if (err == -ENOENT || err == -ENAMETOOLONG)
235 			goto out;
236 		goto out_err;
237 	}
238 
239 	if (ovl_dentry_weird(this)) {
240 		/* Don't support traversing automounts and other weirdness */
241 		err = -EREMOTE;
242 		goto out_err;
243 	}
244 	if (ovl_is_whiteout(this)) {
245 		d->stop = d->opaque = true;
246 		goto put_and_out;
247 	}
248 	/*
249 	 * This dentry should be a regular file if previous layer lookup
250 	 * found a metacopy dentry.
251 	 */
252 	if (last_element && d->metacopy && !d_is_reg(this)) {
253 		d->stop = true;
254 		goto put_and_out;
255 	}
256 	if (!d_can_lookup(this)) {
257 		if (d->is_dir || !last_element) {
258 			d->stop = true;
259 			goto put_and_out;
260 		}
261 		err = ovl_check_metacopy_xattr(OVL_FS(d->sb), this);
262 		if (err < 0)
263 			goto out_err;
264 
265 		d->metacopy = err;
266 		d->stop = !d->metacopy;
267 		if (!d->metacopy || d->last)
268 			goto out;
269 	} else {
270 		if (ovl_lookup_trap_inode(d->sb, this)) {
271 			/* Caught in a trap of overlapping layers */
272 			err = -ELOOP;
273 			goto out_err;
274 		}
275 
276 		if (last_element)
277 			d->is_dir = true;
278 		if (d->last)
279 			goto out;
280 
281 		if (ovl_is_opaquedir(d->sb, this)) {
282 			d->stop = true;
283 			if (last_element)
284 				d->opaque = true;
285 			goto out;
286 		}
287 	}
288 	err = ovl_check_redirect(this, d, prelen, post);
289 	if (err)
290 		goto out_err;
291 out:
292 	*ret = this;
293 	return 0;
294 
295 put_and_out:
296 	dput(this);
297 	this = NULL;
298 	goto out;
299 
300 out_err:
301 	dput(this);
302 	return err;
303 }
304 
305 static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d,
306 			    struct dentry **ret, bool drop_negative)
307 {
308 	/* Counting down from the end, since the prefix can change */
309 	size_t rem = d->name.len - 1;
310 	struct dentry *dentry = NULL;
311 	int err;
312 
313 	if (d->name.name[0] != '/')
314 		return ovl_lookup_single(base, d, d->name.name, d->name.len,
315 					 0, "", ret, drop_negative);
316 
317 	while (!IS_ERR_OR_NULL(base) && d_can_lookup(base)) {
318 		const char *s = d->name.name + d->name.len - rem;
319 		const char *next = strchrnul(s, '/');
320 		size_t thislen = next - s;
321 		bool end = !next[0];
322 
323 		/* Verify we did not go off the rails */
324 		if (WARN_ON(s[-1] != '/'))
325 			return -EIO;
326 
327 		err = ovl_lookup_single(base, d, s, thislen,
328 					d->name.len - rem, next, &base,
329 					drop_negative);
330 		dput(dentry);
331 		if (err)
332 			return err;
333 		dentry = base;
334 		if (end)
335 			break;
336 
337 		rem -= thislen + 1;
338 
339 		if (WARN_ON(rem >= d->name.len))
340 			return -EIO;
341 	}
342 	*ret = dentry;
343 	return 0;
344 }
345 
346 
347 int ovl_check_origin_fh(struct ovl_fs *ofs, struct ovl_fh *fh, bool connected,
348 			struct dentry *upperdentry, struct ovl_path **stackp)
349 {
350 	struct dentry *origin = NULL;
351 	int i;
352 
353 	for (i = 1; i < ofs->numlayer; i++) {
354 		/*
355 		 * If lower fs uuid is not unique among lower fs we cannot match
356 		 * fh->uuid to layer.
357 		 */
358 		if (ofs->layers[i].fsid &&
359 		    ofs->layers[i].fs->bad_uuid)
360 			continue;
361 
362 		origin = ovl_decode_real_fh(ofs, fh, ofs->layers[i].mnt,
363 					    connected);
364 		if (origin)
365 			break;
366 	}
367 
368 	if (!origin)
369 		return -ESTALE;
370 	else if (IS_ERR(origin))
371 		return PTR_ERR(origin);
372 
373 	if (upperdentry && !ovl_is_whiteout(upperdentry) &&
374 	    ((d_inode(origin)->i_mode ^ d_inode(upperdentry)->i_mode) & S_IFMT))
375 		goto invalid;
376 
377 	if (!*stackp)
378 		*stackp = kmalloc(sizeof(struct ovl_path), GFP_KERNEL);
379 	if (!*stackp) {
380 		dput(origin);
381 		return -ENOMEM;
382 	}
383 	**stackp = (struct ovl_path){
384 		.dentry = origin,
385 		.layer = &ofs->layers[i]
386 	};
387 
388 	return 0;
389 
390 invalid:
391 	pr_warn_ratelimited("invalid origin (%pd2, ftype=%x, origin ftype=%x).\n",
392 			    upperdentry, d_inode(upperdentry)->i_mode & S_IFMT,
393 			    d_inode(origin)->i_mode & S_IFMT);
394 	dput(origin);
395 	return -EIO;
396 }
397 
398 static int ovl_check_origin(struct ovl_fs *ofs, struct dentry *upperdentry,
399 			    struct ovl_path **stackp)
400 {
401 	struct ovl_fh *fh = ovl_get_fh(ofs, upperdentry, OVL_XATTR_ORIGIN);
402 	int err;
403 
404 	if (IS_ERR_OR_NULL(fh))
405 		return PTR_ERR(fh);
406 
407 	err = ovl_check_origin_fh(ofs, fh, false, upperdentry, stackp);
408 	kfree(fh);
409 
410 	if (err) {
411 		if (err == -ESTALE)
412 			return 0;
413 		return err;
414 	}
415 
416 	return 0;
417 }
418 
419 /*
420  * Verify that @fh matches the file handle stored in xattr @name.
421  * Return 0 on match, -ESTALE on mismatch, < 0 on error.
422  */
423 static int ovl_verify_fh(struct ovl_fs *ofs, struct dentry *dentry,
424 			 enum ovl_xattr ox, const struct ovl_fh *fh)
425 {
426 	struct ovl_fh *ofh = ovl_get_fh(ofs, dentry, ox);
427 	int err = 0;
428 
429 	if (!ofh)
430 		return -ENODATA;
431 
432 	if (IS_ERR(ofh))
433 		return PTR_ERR(ofh);
434 
435 	if (fh->fb.len != ofh->fb.len || memcmp(&fh->fb, &ofh->fb, fh->fb.len))
436 		err = -ESTALE;
437 
438 	kfree(ofh);
439 	return err;
440 }
441 
442 /*
443  * Verify that @real dentry matches the file handle stored in xattr @name.
444  *
445  * If @set is true and there is no stored file handle, encode @real and store
446  * file handle in xattr @name.
447  *
448  * Return 0 on match, -ESTALE on mismatch, -ENODATA on no xattr, < 0 on error.
449  */
450 int ovl_verify_set_fh(struct ovl_fs *ofs, struct dentry *dentry,
451 		      enum ovl_xattr ox, struct dentry *real, bool is_upper,
452 		      bool set)
453 {
454 	struct inode *inode;
455 	struct ovl_fh *fh;
456 	int err;
457 
458 	fh = ovl_encode_real_fh(ofs, real, is_upper);
459 	err = PTR_ERR(fh);
460 	if (IS_ERR(fh)) {
461 		fh = NULL;
462 		goto fail;
463 	}
464 
465 	err = ovl_verify_fh(ofs, dentry, ox, fh);
466 	if (set && err == -ENODATA)
467 		err = ovl_do_setxattr(ofs, dentry, ox, fh->buf, fh->fb.len);
468 	if (err)
469 		goto fail;
470 
471 out:
472 	kfree(fh);
473 	return err;
474 
475 fail:
476 	inode = d_inode(real);
477 	pr_warn_ratelimited("failed to verify %s (%pd2, ino=%lu, err=%i)\n",
478 			    is_upper ? "upper" : "origin", real,
479 			    inode ? inode->i_ino : 0, err);
480 	goto out;
481 }
482 
483 /* Get upper dentry from index */
484 struct dentry *ovl_index_upper(struct ovl_fs *ofs, struct dentry *index)
485 {
486 	struct ovl_fh *fh;
487 	struct dentry *upper;
488 
489 	if (!d_is_dir(index))
490 		return dget(index);
491 
492 	fh = ovl_get_fh(ofs, index, OVL_XATTR_UPPER);
493 	if (IS_ERR_OR_NULL(fh))
494 		return ERR_CAST(fh);
495 
496 	upper = ovl_decode_real_fh(ofs, fh, ovl_upper_mnt(ofs), true);
497 	kfree(fh);
498 
499 	if (IS_ERR_OR_NULL(upper))
500 		return upper ?: ERR_PTR(-ESTALE);
501 
502 	if (!d_is_dir(upper)) {
503 		pr_warn_ratelimited("invalid index upper (%pd2, upper=%pd2).\n",
504 				    index, upper);
505 		dput(upper);
506 		return ERR_PTR(-EIO);
507 	}
508 
509 	return upper;
510 }
511 
512 /*
513  * Verify that an index entry name matches the origin file handle stored in
514  * OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path.
515  * Return 0 on match, -ESTALE on mismatch or stale origin, < 0 on error.
516  */
517 int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index)
518 {
519 	struct ovl_fh *fh = NULL;
520 	size_t len;
521 	struct ovl_path origin = { };
522 	struct ovl_path *stack = &origin;
523 	struct dentry *upper = NULL;
524 	int err;
525 
526 	if (!d_inode(index))
527 		return 0;
528 
529 	err = -EINVAL;
530 	if (index->d_name.len < sizeof(struct ovl_fb)*2)
531 		goto fail;
532 
533 	err = -ENOMEM;
534 	len = index->d_name.len / 2;
535 	fh = kzalloc(len + OVL_FH_WIRE_OFFSET, GFP_KERNEL);
536 	if (!fh)
537 		goto fail;
538 
539 	err = -EINVAL;
540 	if (hex2bin(fh->buf, index->d_name.name, len))
541 		goto fail;
542 
543 	err = ovl_check_fb_len(&fh->fb, len);
544 	if (err)
545 		goto fail;
546 
547 	/*
548 	 * Whiteout index entries are used as an indication that an exported
549 	 * overlay file handle should be treated as stale (i.e. after unlink
550 	 * of the overlay inode). These entries contain no origin xattr.
551 	 */
552 	if (ovl_is_whiteout(index))
553 		goto out;
554 
555 	/*
556 	 * Verifying directory index entries are not stale is expensive, so
557 	 * only verify stale dir index if NFS export is enabled.
558 	 */
559 	if (d_is_dir(index) && !ofs->config.nfs_export)
560 		goto out;
561 
562 	/*
563 	 * Directory index entries should have 'upper' xattr pointing to the
564 	 * real upper dir. Non-dir index entries are hardlinks to the upper
565 	 * real inode. For non-dir index, we can read the copy up origin xattr
566 	 * directly from the index dentry, but for dir index we first need to
567 	 * decode the upper directory.
568 	 */
569 	upper = ovl_index_upper(ofs, index);
570 	if (IS_ERR_OR_NULL(upper)) {
571 		err = PTR_ERR(upper);
572 		/*
573 		 * Directory index entries with no 'upper' xattr need to be
574 		 * removed. When dir index entry has a stale 'upper' xattr,
575 		 * we assume that upper dir was removed and we treat the dir
576 		 * index as orphan entry that needs to be whited out.
577 		 */
578 		if (err == -ESTALE)
579 			goto orphan;
580 		else if (!err)
581 			err = -ESTALE;
582 		goto fail;
583 	}
584 
585 	err = ovl_verify_fh(ofs, upper, OVL_XATTR_ORIGIN, fh);
586 	dput(upper);
587 	if (err)
588 		goto fail;
589 
590 	/* Check if non-dir index is orphan and don't warn before cleaning it */
591 	if (!d_is_dir(index) && d_inode(index)->i_nlink == 1) {
592 		err = ovl_check_origin_fh(ofs, fh, false, index, &stack);
593 		if (err)
594 			goto fail;
595 
596 		if (ovl_get_nlink(ofs, origin.dentry, index, 0) == 0)
597 			goto orphan;
598 	}
599 
600 out:
601 	dput(origin.dentry);
602 	kfree(fh);
603 	return err;
604 
605 fail:
606 	pr_warn_ratelimited("failed to verify index (%pd2, ftype=%x, err=%i)\n",
607 			    index, d_inode(index)->i_mode & S_IFMT, err);
608 	goto out;
609 
610 orphan:
611 	pr_warn_ratelimited("orphan index entry (%pd2, ftype=%x, nlink=%u)\n",
612 			    index, d_inode(index)->i_mode & S_IFMT,
613 			    d_inode(index)->i_nlink);
614 	err = -ENOENT;
615 	goto out;
616 }
617 
618 static int ovl_get_index_name_fh(struct ovl_fh *fh, struct qstr *name)
619 {
620 	char *n, *s;
621 
622 	n = kcalloc(fh->fb.len, 2, GFP_KERNEL);
623 	if (!n)
624 		return -ENOMEM;
625 
626 	s  = bin2hex(n, fh->buf, fh->fb.len);
627 	*name = (struct qstr) QSTR_INIT(n, s - n);
628 
629 	return 0;
630 
631 }
632 
633 /*
634  * Lookup in indexdir for the index entry of a lower real inode or a copy up
635  * origin inode. The index entry name is the hex representation of the lower
636  * inode file handle.
637  *
638  * If the index dentry in negative, then either no lower aliases have been
639  * copied up yet, or aliases have been copied up in older kernels and are
640  * not indexed.
641  *
642  * If the index dentry for a copy up origin inode is positive, but points
643  * to an inode different than the upper inode, then either the upper inode
644  * has been copied up and not indexed or it was indexed, but since then
645  * index dir was cleared. Either way, that index cannot be used to indentify
646  * the overlay inode.
647  */
648 int ovl_get_index_name(struct ovl_fs *ofs, struct dentry *origin,
649 		       struct qstr *name)
650 {
651 	struct ovl_fh *fh;
652 	int err;
653 
654 	fh = ovl_encode_real_fh(ofs, origin, false);
655 	if (IS_ERR(fh))
656 		return PTR_ERR(fh);
657 
658 	err = ovl_get_index_name_fh(fh, name);
659 
660 	kfree(fh);
661 	return err;
662 }
663 
664 /* Lookup index by file handle for NFS export */
665 struct dentry *ovl_get_index_fh(struct ovl_fs *ofs, struct ovl_fh *fh)
666 {
667 	struct dentry *index;
668 	struct qstr name;
669 	int err;
670 
671 	err = ovl_get_index_name_fh(fh, &name);
672 	if (err)
673 		return ERR_PTR(err);
674 
675 	index = lookup_positive_unlocked(name.name, ofs->indexdir, name.len);
676 	kfree(name.name);
677 	if (IS_ERR(index)) {
678 		if (PTR_ERR(index) == -ENOENT)
679 			index = NULL;
680 		return index;
681 	}
682 
683 	if (ovl_is_whiteout(index))
684 		err = -ESTALE;
685 	else if (ovl_dentry_weird(index))
686 		err = -EIO;
687 	else
688 		return index;
689 
690 	dput(index);
691 	return ERR_PTR(err);
692 }
693 
694 struct dentry *ovl_lookup_index(struct ovl_fs *ofs, struct dentry *upper,
695 				struct dentry *origin, bool verify)
696 {
697 	struct dentry *index;
698 	struct inode *inode;
699 	struct qstr name;
700 	bool is_dir = d_is_dir(origin);
701 	int err;
702 
703 	err = ovl_get_index_name(ofs, origin, &name);
704 	if (err)
705 		return ERR_PTR(err);
706 
707 	index = lookup_positive_unlocked(name.name, ofs->indexdir, name.len);
708 	if (IS_ERR(index)) {
709 		err = PTR_ERR(index);
710 		if (err == -ENOENT) {
711 			index = NULL;
712 			goto out;
713 		}
714 		pr_warn_ratelimited("failed inode index lookup (ino=%lu, key=%.*s, err=%i);\n"
715 				    "overlayfs: mount with '-o index=off' to disable inodes index.\n",
716 				    d_inode(origin)->i_ino, name.len, name.name,
717 				    err);
718 		goto out;
719 	}
720 
721 	inode = d_inode(index);
722 	if (ovl_is_whiteout(index) && !verify) {
723 		/*
724 		 * When index lookup is called with !verify for decoding an
725 		 * overlay file handle, a whiteout index implies that decode
726 		 * should treat file handle as stale and no need to print a
727 		 * warning about it.
728 		 */
729 		dput(index);
730 		index = ERR_PTR(-ESTALE);
731 		goto out;
732 	} else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) ||
733 		   ((inode->i_mode ^ d_inode(origin)->i_mode) & S_IFMT)) {
734 		/*
735 		 * Index should always be of the same file type as origin
736 		 * except for the case of a whiteout index. A whiteout
737 		 * index should only exist if all lower aliases have been
738 		 * unlinked, which means that finding a lower origin on lookup
739 		 * whose index is a whiteout should be treated as an error.
740 		 */
741 		pr_warn_ratelimited("bad index found (index=%pd2, ftype=%x, origin ftype=%x).\n",
742 				    index, d_inode(index)->i_mode & S_IFMT,
743 				    d_inode(origin)->i_mode & S_IFMT);
744 		goto fail;
745 	} else if (is_dir && verify) {
746 		if (!upper) {
747 			pr_warn_ratelimited("suspected uncovered redirected dir found (origin=%pd2, index=%pd2).\n",
748 					    origin, index);
749 			goto fail;
750 		}
751 
752 		/* Verify that dir index 'upper' xattr points to upper dir */
753 		err = ovl_verify_upper(ofs, index, upper, false);
754 		if (err) {
755 			if (err == -ESTALE) {
756 				pr_warn_ratelimited("suspected multiply redirected dir found (upper=%pd2, origin=%pd2, index=%pd2).\n",
757 						    upper, origin, index);
758 			}
759 			goto fail;
760 		}
761 	} else if (upper && d_inode(upper) != inode) {
762 		goto out_dput;
763 	}
764 out:
765 	kfree(name.name);
766 	return index;
767 
768 out_dput:
769 	dput(index);
770 	index = NULL;
771 	goto out;
772 
773 fail:
774 	dput(index);
775 	index = ERR_PTR(-EIO);
776 	goto out;
777 }
778 
779 /*
780  * Returns next layer in stack starting from top.
781  * Returns -1 if this is the last layer.
782  */
783 int ovl_path_next(int idx, struct dentry *dentry, struct path *path)
784 {
785 	struct ovl_entry *oe = dentry->d_fsdata;
786 
787 	BUG_ON(idx < 0);
788 	if (idx == 0) {
789 		ovl_path_upper(dentry, path);
790 		if (path->dentry)
791 			return oe->numlower ? 1 : -1;
792 		idx++;
793 	}
794 	BUG_ON(idx > oe->numlower);
795 	path->dentry = oe->lowerstack[idx - 1].dentry;
796 	path->mnt = oe->lowerstack[idx - 1].layer->mnt;
797 
798 	return (idx < oe->numlower) ? idx + 1 : -1;
799 }
800 
801 /* Fix missing 'origin' xattr */
802 static int ovl_fix_origin(struct ovl_fs *ofs, struct dentry *dentry,
803 			  struct dentry *lower, struct dentry *upper)
804 {
805 	int err;
806 
807 	if (ovl_check_origin_xattr(ofs, upper))
808 		return 0;
809 
810 	err = ovl_want_write(dentry);
811 	if (err)
812 		return err;
813 
814 	err = ovl_set_origin(ofs, dentry, lower, upper);
815 	if (!err)
816 		err = ovl_set_impure(dentry->d_parent, upper->d_parent);
817 
818 	ovl_drop_write(dentry);
819 	return err;
820 }
821 
822 struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
823 			  unsigned int flags)
824 {
825 	struct ovl_entry *oe;
826 	const struct cred *old_cred;
827 	struct ovl_fs *ofs = dentry->d_sb->s_fs_info;
828 	struct ovl_entry *poe = dentry->d_parent->d_fsdata;
829 	struct ovl_entry *roe = dentry->d_sb->s_root->d_fsdata;
830 	struct ovl_path *stack = NULL, *origin_path = NULL;
831 	struct dentry *upperdir, *upperdentry = NULL;
832 	struct dentry *origin = NULL;
833 	struct dentry *index = NULL;
834 	unsigned int ctr = 0;
835 	struct inode *inode = NULL;
836 	bool upperopaque = false;
837 	char *upperredirect = NULL;
838 	struct dentry *this;
839 	unsigned int i;
840 	int err;
841 	bool uppermetacopy = false;
842 	struct ovl_lookup_data d = {
843 		.sb = dentry->d_sb,
844 		.name = dentry->d_name,
845 		.is_dir = false,
846 		.opaque = false,
847 		.stop = false,
848 		.last = ofs->config.redirect_follow ? false : !poe->numlower,
849 		.redirect = NULL,
850 		.metacopy = false,
851 	};
852 
853 	if (dentry->d_name.len > ofs->namelen)
854 		return ERR_PTR(-ENAMETOOLONG);
855 
856 	old_cred = ovl_override_creds(dentry->d_sb);
857 	upperdir = ovl_dentry_upper(dentry->d_parent);
858 	if (upperdir) {
859 		err = ovl_lookup_layer(upperdir, &d, &upperdentry, true);
860 		if (err)
861 			goto out;
862 
863 		if (upperdentry && upperdentry->d_flags & DCACHE_OP_REAL) {
864 			dput(upperdentry);
865 			err = -EREMOTE;
866 			goto out;
867 		}
868 		if (upperdentry && !d.is_dir) {
869 			/*
870 			 * Lookup copy up origin by decoding origin file handle.
871 			 * We may get a disconnected dentry, which is fine,
872 			 * because we only need to hold the origin inode in
873 			 * cache and use its inode number.  We may even get a
874 			 * connected dentry, that is not under any of the lower
875 			 * layers root.  That is also fine for using it's inode
876 			 * number - it's the same as if we held a reference
877 			 * to a dentry in lower layer that was moved under us.
878 			 */
879 			err = ovl_check_origin(ofs, upperdentry, &origin_path);
880 			if (err)
881 				goto out_put_upper;
882 
883 			if (d.metacopy)
884 				uppermetacopy = true;
885 		}
886 
887 		if (d.redirect) {
888 			err = -ENOMEM;
889 			upperredirect = kstrdup(d.redirect, GFP_KERNEL);
890 			if (!upperredirect)
891 				goto out_put_upper;
892 			if (d.redirect[0] == '/')
893 				poe = roe;
894 		}
895 		upperopaque = d.opaque;
896 	}
897 
898 	if (!d.stop && poe->numlower) {
899 		err = -ENOMEM;
900 		stack = kcalloc(ofs->numlayer - 1, sizeof(struct ovl_path),
901 				GFP_KERNEL);
902 		if (!stack)
903 			goto out_put_upper;
904 	}
905 
906 	for (i = 0; !d.stop && i < poe->numlower; i++) {
907 		struct ovl_path lower = poe->lowerstack[i];
908 
909 		if (!ofs->config.redirect_follow)
910 			d.last = i == poe->numlower - 1;
911 		else
912 			d.last = lower.layer->idx == roe->numlower;
913 
914 		err = ovl_lookup_layer(lower.dentry, &d, &this, false);
915 		if (err)
916 			goto out_put;
917 
918 		if (!this)
919 			continue;
920 
921 		if ((uppermetacopy || d.metacopy) && !ofs->config.metacopy) {
922 			err = -EPERM;
923 			pr_warn_ratelimited("refusing to follow metacopy origin for (%pd2)\n", dentry);
924 			goto out_put;
925 		}
926 
927 		/*
928 		 * If no origin fh is stored in upper of a merge dir, store fh
929 		 * of lower dir and set upper parent "impure".
930 		 */
931 		if (upperdentry && !ctr && !ofs->noxattr && d.is_dir) {
932 			err = ovl_fix_origin(ofs, dentry, this, upperdentry);
933 			if (err) {
934 				dput(this);
935 				goto out_put;
936 			}
937 		}
938 
939 		/*
940 		 * When "verify_lower" feature is enabled, do not merge with a
941 		 * lower dir that does not match a stored origin xattr. In any
942 		 * case, only verified origin is used for index lookup.
943 		 *
944 		 * For non-dir dentry, if index=on, then ensure origin
945 		 * matches the dentry found using path based lookup,
946 		 * otherwise error out.
947 		 */
948 		if (upperdentry && !ctr &&
949 		    ((d.is_dir && ovl_verify_lower(dentry->d_sb)) ||
950 		     (!d.is_dir && ofs->config.index && origin_path))) {
951 			err = ovl_verify_origin(ofs, upperdentry, this, false);
952 			if (err) {
953 				dput(this);
954 				if (d.is_dir)
955 					break;
956 				goto out_put;
957 			}
958 			origin = this;
959 		}
960 
961 		if (d.metacopy && ctr) {
962 			/*
963 			 * Do not store intermediate metacopy dentries in
964 			 * lower chain, except top most lower metacopy dentry.
965 			 * Continue the loop so that if there is an absolute
966 			 * redirect on this dentry, poe can be reset to roe.
967 			 */
968 			dput(this);
969 			this = NULL;
970 		} else {
971 			stack[ctr].dentry = this;
972 			stack[ctr].layer = lower.layer;
973 			ctr++;
974 		}
975 
976 		/*
977 		 * Following redirects can have security consequences: it's like
978 		 * a symlink into the lower layer without the permission checks.
979 		 * This is only a problem if the upper layer is untrusted (e.g
980 		 * comes from an USB drive).  This can allow a non-readable file
981 		 * or directory to become readable.
982 		 *
983 		 * Only following redirects when redirects are enabled disables
984 		 * this attack vector when not necessary.
985 		 */
986 		err = -EPERM;
987 		if (d.redirect && !ofs->config.redirect_follow) {
988 			pr_warn_ratelimited("refusing to follow redirect for (%pd2)\n",
989 					    dentry);
990 			goto out_put;
991 		}
992 
993 		if (d.stop)
994 			break;
995 
996 		if (d.redirect && d.redirect[0] == '/' && poe != roe) {
997 			poe = roe;
998 			/* Find the current layer on the root dentry */
999 			i = lower.layer->idx - 1;
1000 		}
1001 	}
1002 
1003 	/*
1004 	 * For regular non-metacopy upper dentries, there is no lower
1005 	 * path based lookup, hence ctr will be zero. If a dentry is found
1006 	 * using ORIGIN xattr on upper, install it in stack.
1007 	 *
1008 	 * For metacopy dentry, path based lookup will find lower dentries.
1009 	 * Just make sure a corresponding data dentry has been found.
1010 	 */
1011 	if (d.metacopy || (uppermetacopy && !ctr)) {
1012 		pr_warn_ratelimited("metacopy with no lower data found - abort lookup (%pd2)\n",
1013 				    dentry);
1014 		err = -EIO;
1015 		goto out_put;
1016 	} else if (!d.is_dir && upperdentry && !ctr && origin_path) {
1017 		if (WARN_ON(stack != NULL)) {
1018 			err = -EIO;
1019 			goto out_put;
1020 		}
1021 		stack = origin_path;
1022 		ctr = 1;
1023 		origin = origin_path->dentry;
1024 		origin_path = NULL;
1025 	}
1026 
1027 	/*
1028 	 * Always lookup index if there is no-upperdentry.
1029 	 *
1030 	 * For the case of upperdentry, we have set origin by now if it
1031 	 * needed to be set. There are basically three cases.
1032 	 *
1033 	 * For directories, lookup index by lower inode and verify it matches
1034 	 * upper inode. We only trust dir index if we verified that lower dir
1035 	 * matches origin, otherwise dir index entries may be inconsistent
1036 	 * and we ignore them.
1037 	 *
1038 	 * For regular upper, we already set origin if upper had ORIGIN
1039 	 * xattr. There is no verification though as there is no path
1040 	 * based dentry lookup in lower in this case.
1041 	 *
1042 	 * For metacopy upper, we set a verified origin already if index
1043 	 * is enabled and if upper had an ORIGIN xattr.
1044 	 *
1045 	 */
1046 	if (!upperdentry && ctr)
1047 		origin = stack[0].dentry;
1048 
1049 	if (origin && ovl_indexdir(dentry->d_sb) &&
1050 	    (!d.is_dir || ovl_index_all(dentry->d_sb))) {
1051 		index = ovl_lookup_index(ofs, upperdentry, origin, true);
1052 		if (IS_ERR(index)) {
1053 			err = PTR_ERR(index);
1054 			index = NULL;
1055 			goto out_put;
1056 		}
1057 	}
1058 
1059 	oe = ovl_alloc_entry(ctr);
1060 	err = -ENOMEM;
1061 	if (!oe)
1062 		goto out_put;
1063 
1064 	memcpy(oe->lowerstack, stack, sizeof(struct ovl_path) * ctr);
1065 	dentry->d_fsdata = oe;
1066 
1067 	if (upperopaque)
1068 		ovl_dentry_set_opaque(dentry);
1069 
1070 	if (upperdentry)
1071 		ovl_dentry_set_upper_alias(dentry);
1072 	else if (index) {
1073 		upperdentry = dget(index);
1074 		upperredirect = ovl_get_redirect_xattr(ofs, upperdentry, 0);
1075 		if (IS_ERR(upperredirect)) {
1076 			err = PTR_ERR(upperredirect);
1077 			upperredirect = NULL;
1078 			goto out_free_oe;
1079 		}
1080 		err = ovl_check_metacopy_xattr(ofs, upperdentry);
1081 		if (err < 0)
1082 			goto out_free_oe;
1083 		uppermetacopy = err;
1084 	}
1085 
1086 	if (upperdentry || ctr) {
1087 		struct ovl_inode_params oip = {
1088 			.upperdentry = upperdentry,
1089 			.lowerpath = stack,
1090 			.index = index,
1091 			.numlower = ctr,
1092 			.redirect = upperredirect,
1093 			.lowerdata = (ctr > 1 && !d.is_dir) ?
1094 				      stack[ctr - 1].dentry : NULL,
1095 		};
1096 
1097 		inode = ovl_get_inode(dentry->d_sb, &oip);
1098 		err = PTR_ERR(inode);
1099 		if (IS_ERR(inode))
1100 			goto out_free_oe;
1101 		if (upperdentry && !uppermetacopy)
1102 			ovl_set_flag(OVL_UPPERDATA, inode);
1103 	}
1104 
1105 	ovl_dentry_update_reval(dentry, upperdentry,
1106 			DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE);
1107 
1108 	revert_creds(old_cred);
1109 	if (origin_path) {
1110 		dput(origin_path->dentry);
1111 		kfree(origin_path);
1112 	}
1113 	dput(index);
1114 	kfree(stack);
1115 	kfree(d.redirect);
1116 	return d_splice_alias(inode, dentry);
1117 
1118 out_free_oe:
1119 	dentry->d_fsdata = NULL;
1120 	kfree(oe);
1121 out_put:
1122 	dput(index);
1123 	for (i = 0; i < ctr; i++)
1124 		dput(stack[i].dentry);
1125 	kfree(stack);
1126 out_put_upper:
1127 	if (origin_path) {
1128 		dput(origin_path->dentry);
1129 		kfree(origin_path);
1130 	}
1131 	dput(upperdentry);
1132 	kfree(upperredirect);
1133 out:
1134 	kfree(d.redirect);
1135 	revert_creds(old_cred);
1136 	return ERR_PTR(err);
1137 }
1138 
1139 bool ovl_lower_positive(struct dentry *dentry)
1140 {
1141 	struct ovl_entry *poe = dentry->d_parent->d_fsdata;
1142 	const struct qstr *name = &dentry->d_name;
1143 	const struct cred *old_cred;
1144 	unsigned int i;
1145 	bool positive = false;
1146 	bool done = false;
1147 
1148 	/*
1149 	 * If dentry is negative, then lower is positive iff this is a
1150 	 * whiteout.
1151 	 */
1152 	if (!dentry->d_inode)
1153 		return ovl_dentry_is_opaque(dentry);
1154 
1155 	/* Negative upper -> positive lower */
1156 	if (!ovl_dentry_upper(dentry))
1157 		return true;
1158 
1159 	old_cred = ovl_override_creds(dentry->d_sb);
1160 	/* Positive upper -> have to look up lower to see whether it exists */
1161 	for (i = 0; !done && !positive && i < poe->numlower; i++) {
1162 		struct dentry *this;
1163 		struct dentry *lowerdir = poe->lowerstack[i].dentry;
1164 
1165 		this = lookup_positive_unlocked(name->name, lowerdir,
1166 					       name->len);
1167 		if (IS_ERR(this)) {
1168 			switch (PTR_ERR(this)) {
1169 			case -ENOENT:
1170 			case -ENAMETOOLONG:
1171 				break;
1172 
1173 			default:
1174 				/*
1175 				 * Assume something is there, we just couldn't
1176 				 * access it.
1177 				 */
1178 				positive = true;
1179 				break;
1180 			}
1181 		} else {
1182 			positive = !ovl_is_whiteout(this);
1183 			done = true;
1184 			dput(this);
1185 		}
1186 	}
1187 	revert_creds(old_cred);
1188 
1189 	return positive;
1190 }
1191