fs/overlayfs/inode.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  *
0004  * Copyright (C) 2011 Novell Inc.
0005  */
0006
0007 #include <linux/fs.h>
0008 #include <linux/slab.h>
0009 #include <linux/cred.h>
0010 #include <linux/xattr.h>
0011 #include <linux/posix_acl.h>
0012 #include <linux/ratelimit.h>
0013 #include <linux/fiemap.h>
0014 #include <linux/fileattr.h>
0015 #include <linux/security.h>
0016 #include <linux/namei.h>
0017 #include "overlayfs.h"
0018
0019
0020 int ovl_setattr(struct user_namespace *mnt_userns, struct dentry *dentry,
0021         struct iattr *attr)
0022 {
0023     int err;
0024     struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
0025     bool full_copy_up = false;
0026     struct dentry *upperdentry;
0027     const struct cred *old_cred;
0028
0029     err = setattr_prepare(&init_user_ns, dentry, attr);
0030     if (err)
0031         return err;
0032
0033     err = ovl_want_write(dentry);
0034     if (err)
0035         goto out;
0036
0037     if (attr->ia_valid & ATTR_SIZE) {
0038         /* Truncate should trigger data copy up as well */
0039         full_copy_up = true;
0040     }
0041
0042     if (!full_copy_up)
0043         err = ovl_copy_up(dentry);
0044     else
0045         err = ovl_copy_up_with_data(dentry);
0046     if (!err) {
0047         struct inode *winode = NULL;
0048
0049         upperdentry = ovl_dentry_upper(dentry);
0050
0051         if (attr->ia_valid & ATTR_SIZE) {
0052             winode = d_inode(upperdentry);
0053             err = get_write_access(winode);
0054             if (err)
0055                 goto out_drop_write;
0056         }
0057
0058         if (attr->ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID))
0059             attr->ia_valid &= ~ATTR_MODE;
0060
0061         /*
0062          * We might have to translate ovl file into real file object
0063          * once use cases emerge.  For now, simply don't let underlying
0064          * filesystem rely on attr->ia_file
0065          */
0066         attr->ia_valid &= ~ATTR_FILE;
0067
0068         /*
0069          * If open(O_TRUNC) is done, VFS calls ->setattr with ATTR_OPEN
0070          * set.  Overlayfs does not pass O_TRUNC flag to underlying
0071          * filesystem during open -> do not pass ATTR_OPEN.  This
0072          * disables optimization in fuse which assumes open(O_TRUNC)
0073          * already set file size to 0.  But we never passed O_TRUNC to
0074          * fuse.  So by clearing ATTR_OPEN, fuse will be forced to send
0075          * setattr request to server.
0076          */
0077         attr->ia_valid &= ~ATTR_OPEN;
0078
0079         inode_lock(upperdentry->d_inode);
0080         old_cred = ovl_override_creds(dentry->d_sb);
0081         err = ovl_do_notify_change(ofs, upperdentry, attr);
0082         revert_creds(old_cred);
0083         if (!err)
0084             ovl_copyattr(dentry->d_inode);
0085         inode_unlock(upperdentry->d_inode);
0086
0087         if (winode)
0088             put_write_access(winode);
0089     }
0090 out_drop_write:
0091     ovl_drop_write(dentry);
0092 out:
0093     return err;
0094 }
0095
0096 static void ovl_map_dev_ino(struct dentry *dentry, struct kstat *stat, int fsid)
0097 {
0098     bool samefs = ovl_same_fs(dentry->d_sb);
0099     unsigned int xinobits = ovl_xino_bits(dentry->d_sb);
0100     unsigned int xinoshift = 64 - xinobits;
0101
0102     if (samefs) {
0103         /*
0104          * When all layers are on the same fs, all real inode
0105          * number are unique, so we use the overlay st_dev,
0106          * which is friendly to du -x.
0107          */
0108         stat->dev = dentry->d_sb->s_dev;
0109         return;
0110     } else if (xinobits) {
0111         /*
0112          * All inode numbers of underlying fs should not be using the
0113          * high xinobits, so we use high xinobits to partition the
0114          * overlay st_ino address space. The high bits holds the fsid
0115          * (upper fsid is 0). The lowest xinobit is reserved for mapping
0116          * the non-persistent inode numbers range in case of overflow.
0117          * This way all overlay inode numbers are unique and use the
0118          * overlay st_dev.
0119          */
0120         if (likely(!(stat->ino >> xinoshift))) {
0121             stat->ino |= ((u64)fsid) << (xinoshift + 1);
0122             stat->dev = dentry->d_sb->s_dev;
0123             return;
0124         } else if (ovl_xino_warn(dentry->d_sb)) {
0125             pr_warn_ratelimited("inode number too big (%pd2, ino=%llu, xinobits=%d)\n",
0126                         dentry, stat->ino, xinobits);
0127         }
0128     }
0129
0130     /* The inode could not be mapped to a unified st_ino address space */
0131     if (S_ISDIR(dentry->d_inode->i_mode)) {
0132         /*
0133          * Always use the overlay st_dev for directories, so 'find
0134          * -xdev' will scan the entire overlay mount and won't cross the
0135          * overlay mount boundaries.
0136          *
0137          * If not all layers are on the same fs the pair {real st_ino;
0138          * overlay st_dev} is not unique, so use the non persistent
0139          * overlay st_ino for directories.
0140          */
0141         stat->dev = dentry->d_sb->s_dev;
0142         stat->ino = dentry->d_inode->i_ino;
0143     } else {
0144         /*
0145          * For non-samefs setup, if we cannot map all layers st_ino
0146          * to a unified address space, we need to make sure that st_dev
0147          * is unique per underlying fs, so we use the unique anonymous
0148          * bdev assigned to the underlying fs.
0149          */
0150         stat->dev = OVL_FS(dentry->d_sb)->fs[fsid].pseudo_dev;
0151     }
0152 }
0153
0154 int ovl_getattr(struct user_namespace *mnt_userns, const struct path *path,
0155         struct kstat *stat, u32 request_mask, unsigned int flags)
0156 {
0157     struct dentry *dentry = path->dentry;
0158     enum ovl_path_type type;
0159     struct path realpath;
0160     const struct cred *old_cred;
0161     struct inode *inode = d_inode(dentry);
0162     bool is_dir = S_ISDIR(inode->i_mode);
0163     int fsid = 0;
0164     int err;
0165     bool metacopy_blocks = false;
0166
0167     metacopy_blocks = ovl_is_metacopy_dentry(dentry);
0168
0169     type = ovl_path_real(dentry, &realpath);
0170     old_cred = ovl_override_creds(dentry->d_sb);
0171     err = vfs_getattr(&realpath, stat, request_mask, flags);
0172     if (err)
0173         goto out;
0174
0175     /* Report the effective immutable/append-only STATX flags */
0176     generic_fill_statx_attr(inode, stat);
0177
0178     /*
0179      * For non-dir or same fs, we use st_ino of the copy up origin.
0180      * This guaranties constant st_dev/st_ino across copy up.
0181      * With xino feature and non-samefs, we use st_ino of the copy up
0182      * origin masked with high bits that represent the layer id.
0183      *
0184      * If lower filesystem supports NFS file handles, this also guaranties
0185      * persistent st_ino across mount cycle.
0186      */
0187     if (!is_dir || ovl_same_dev(dentry->d_sb)) {
0188         if (!OVL_TYPE_UPPER(type)) {
0189             fsid = ovl_layer_lower(dentry)->fsid;
0190         } else if (OVL_TYPE_ORIGIN(type)) {
0191             struct kstat lowerstat;
0192             u32 lowermask = STATX_INO | STATX_BLOCKS |
0193                     (!is_dir ? STATX_NLINK : 0);
0194
0195             ovl_path_lower(dentry, &realpath);
0196             err = vfs_getattr(&realpath, &lowerstat,
0197                       lowermask, flags);
0198             if (err)
0199                 goto out;
0200
0201             /*
0202              * Lower hardlinks may be broken on copy up to different
0203              * upper files, so we cannot use the lower origin st_ino
0204              * for those different files, even for the same fs case.
0205              *
0206              * Similarly, several redirected dirs can point to the
0207              * same dir on a lower layer. With the "verify_lower"
0208              * feature, we do not use the lower origin st_ino, if
0209              * we haven't verified that this redirect is unique.
0210              *
0211              * With inodes index enabled, it is safe to use st_ino
0212              * of an indexed origin. The index validates that the
0213              * upper hardlink is not broken and that a redirected
0214              * dir is the only redirect to that origin.
0215              */
0216             if (ovl_test_flag(OVL_INDEX, d_inode(dentry)) ||
0217                 (!ovl_verify_lower(dentry->d_sb) &&
0218                  (is_dir || lowerstat.nlink == 1))) {
0219                 fsid = ovl_layer_lower(dentry)->fsid;
0220                 stat->ino = lowerstat.ino;
0221             }
0222
0223             /*
0224              * If we are querying a metacopy dentry and lower
0225              * dentry is data dentry, then use the blocks we
0226              * queried just now. We don't have to do additional
0227              * vfs_getattr(). If lower itself is metacopy, then
0228              * additional vfs_getattr() is unavoidable.
0229              */
0230             if (metacopy_blocks &&
0231                 realpath.dentry == ovl_dentry_lowerdata(dentry)) {
0232                 stat->blocks = lowerstat.blocks;
0233                 metacopy_blocks = false;
0234             }
0235         }
0236
0237         if (metacopy_blocks) {
0238             /*
0239              * If lower is not same as lowerdata or if there was
0240              * no origin on upper, we can end up here.
0241              */
0242             struct kstat lowerdatastat;
0243             u32 lowermask = STATX_BLOCKS;
0244
0245             ovl_path_lowerdata(dentry, &realpath);
0246             err = vfs_getattr(&realpath, &lowerdatastat,
0247                       lowermask, flags);
0248             if (err)
0249                 goto out;
0250             stat->blocks = lowerdatastat.blocks;
0251         }
0252     }
0253
0254     ovl_map_dev_ino(dentry, stat, fsid);
0255
0256     /*
0257      * It's probably not worth it to count subdirs to get the
0258      * correct link count.  nlink=1 seems to pacify 'find' and
0259      * other utilities.
0260      */
0261     if (is_dir && OVL_TYPE_MERGE(type))
0262         stat->nlink = 1;
0263
0264     /*
0265      * Return the overlay inode nlinks for indexed upper inodes.
0266      * Overlay inode nlink counts the union of the upper hardlinks
0267      * and non-covered lower hardlinks. It does not include the upper
0268      * index hardlink.
0269      */
0270     if (!is_dir && ovl_test_flag(OVL_INDEX, d_inode(dentry)))
0271         stat->nlink = dentry->d_inode->i_nlink;
0272
0273 out:
0274     revert_creds(old_cred);
0275
0276     return err;
0277 }
0278
0279 int ovl_permission(struct user_namespace *mnt_userns,
0280            struct inode *inode, int mask)
0281 {
0282     struct inode *upperinode = ovl_inode_upper(inode);
0283     struct inode *realinode;
0284     struct path realpath;
0285     const struct cred *old_cred;
0286     int err;
0287
0288     /* Careful in RCU walk mode */
0289     ovl_i_path_real(inode, &realpath);
0290     if (!realpath.dentry) {
0291         WARN_ON(!(mask & MAY_NOT_BLOCK));
0292         return -ECHILD;
0293     }
0294
0295     /*
0296      * Check overlay inode with the creds of task and underlying inode
0297      * with creds of mounter
0298      */
0299     err = generic_permission(&init_user_ns, inode, mask);
0300     if (err)
0301         return err;
0302
0303     realinode = d_inode(realpath.dentry);
0304     old_cred = ovl_override_creds(inode->i_sb);
0305     if (!upperinode &&
0306         !special_file(realinode->i_mode) && mask & MAY_WRITE) {
0307         mask &= ~(MAY_WRITE | MAY_APPEND);
0308         /* Make sure mounter can read file for copy up later */
0309         mask |= MAY_READ;
0310     }
0311     err = inode_permission(mnt_user_ns(realpath.mnt), realinode, mask);
0312     revert_creds(old_cred);
0313
0314     return err;
0315 }
0316
0317 static const char *ovl_get_link(struct dentry *dentry,
0318                 struct inode *inode,
0319                 struct delayed_call *done)
0320 {
0321     const struct cred *old_cred;
0322     const char *p;
0323
0324     if (!dentry)
0325         return ERR_PTR(-ECHILD);
0326
0327     old_cred = ovl_override_creds(dentry->d_sb);
0328     p = vfs_get_link(ovl_dentry_real(dentry), done);
0329     revert_creds(old_cred);
0330     return p;
0331 }
0332
0333 bool ovl_is_private_xattr(struct super_block *sb, const char *name)
0334 {
0335     struct ovl_fs *ofs = sb->s_fs_info;
0336
0337     if (ofs->config.userxattr)
0338         return strncmp(name, OVL_XATTR_USER_PREFIX,
0339                    sizeof(OVL_XATTR_USER_PREFIX) - 1) == 0;
0340     else
0341         return strncmp(name, OVL_XATTR_TRUSTED_PREFIX,
0342                    sizeof(OVL_XATTR_TRUSTED_PREFIX) - 1) == 0;
0343 }
0344
0345 int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name,
0346           const void *value, size_t size, int flags)
0347 {
0348     int err;
0349     struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
0350     struct dentry *upperdentry = ovl_i_dentry_upper(inode);
0351     struct dentry *realdentry = upperdentry ?: ovl_dentry_lower(dentry);
0352     struct path realpath;
0353     const struct cred *old_cred;
0354
0355     err = ovl_want_write(dentry);
0356     if (err)
0357         goto out;
0358
0359     if (!value && !upperdentry) {
0360         ovl_path_lower(dentry, &realpath);
0361         old_cred = ovl_override_creds(dentry->d_sb);
0362         err = vfs_getxattr(mnt_user_ns(realpath.mnt), realdentry, name, NULL, 0);
0363         revert_creds(old_cred);
0364         if (err < 0)
0365             goto out_drop_write;
0366     }
0367
0368     if (!upperdentry) {
0369         err = ovl_copy_up(dentry);
0370         if (err)
0371             goto out_drop_write;
0372
0373         realdentry = ovl_dentry_upper(dentry);
0374     }
0375
0376     old_cred = ovl_override_creds(dentry->d_sb);
0377     if (value) {
0378         err = ovl_do_setxattr(ofs, realdentry, name, value, size,
0379                       flags);
0380     } else {
0381         WARN_ON(flags != XATTR_REPLACE);
0382         err = ovl_do_removexattr(ofs, realdentry, name);
0383     }
0384     revert_creds(old_cred);
0385
0386     /* copy c/mtime */
0387     ovl_copyattr(inode);
0388
0389 out_drop_write:
0390     ovl_drop_write(dentry);
0391 out:
0392     return err;
0393 }
0394
0395 int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char *name,
0396           void *value, size_t size)
0397 {
0398     ssize_t res;
0399     const struct cred *old_cred;
0400     struct path realpath;
0401
0402     ovl_i_path_real(inode, &realpath);
0403     old_cred = ovl_override_creds(dentry->d_sb);
0404     res = vfs_getxattr(mnt_user_ns(realpath.mnt), realpath.dentry, name, value, size);
0405     revert_creds(old_cred);
0406     return res;
0407 }
0408
0409 static bool ovl_can_list(struct super_block *sb, const char *s)
0410 {
0411     /* Never list private (.overlay) */
0412     if (ovl_is_private_xattr(sb, s))
0413         return false;
0414
0415     /* List all non-trusted xattrs */
0416     if (strncmp(s, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) != 0)
0417         return true;
0418
0419     /* list other trusted for superuser only */
0420     return ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN);
0421 }
0422
0423 ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
0424 {
0425     struct dentry *realdentry = ovl_dentry_real(dentry);
0426     ssize_t res;
0427     size_t len;
0428     char *s;
0429     const struct cred *old_cred;
0430
0431     old_cred = ovl_override_creds(dentry->d_sb);
0432     res = vfs_listxattr(realdentry, list, size);
0433     revert_creds(old_cred);
0434     if (res <= 0 || size == 0)
0435         return res;
0436
0437     /* filter out private xattrs */
0438     for (s = list, len = res; len;) {
0439         size_t slen = strnlen(s, len) + 1;
0440
0441         /* underlying fs providing us with an broken xattr list? */
0442         if (WARN_ON(slen > len))
0443             return -EIO;
0444
0445         len -= slen;
0446         if (!ovl_can_list(dentry->d_sb, s)) {
0447             res -= slen;
0448             memmove(s, s + slen, len);
0449         } else {
0450             s += slen;
0451         }
0452     }
0453
0454     return res;
0455 }
0456
0457 #ifdef CONFIG_FS_POSIX_ACL
0458 /*
0459  * Apply the idmapping of the layer to POSIX ACLs. The caller must pass a clone
0460  * of the POSIX ACLs retrieved from the lower layer to this function to not
0461  * alter the POSIX ACLs for the underlying filesystem.
0462  */
0463 static void ovl_idmap_posix_acl(struct inode *realinode,
0464                 struct user_namespace *mnt_userns,
0465                 struct posix_acl *acl)
0466 {
0467     struct user_namespace *fs_userns = i_user_ns(realinode);
0468
0469     for (unsigned int i = 0; i < acl->a_count; i++) {
0470         vfsuid_t vfsuid;
0471         vfsgid_t vfsgid;
0472
0473         struct posix_acl_entry *e = &acl->a_entries[i];
0474         switch (e->e_tag) {
0475         case ACL_USER:
0476             vfsuid = make_vfsuid(mnt_userns, fs_userns, e->e_uid);
0477             e->e_uid = vfsuid_into_kuid(vfsuid);
0478             break;
0479         case ACL_GROUP:
0480             vfsgid = make_vfsgid(mnt_userns, fs_userns, e->e_gid);
0481             e->e_gid = vfsgid_into_kgid(vfsgid);
0482             break;
0483         }
0484     }
0485 }
0486
0487 /*
0488  * When the relevant layer is an idmapped mount we need to take the idmapping
0489  * of the layer into account and translate any ACL_{GROUP,USER} values
0490  * according to the idmapped mount.
0491  *
0492  * We cannot alter the ACLs returned from the relevant layer as that would
0493  * alter the cached values filesystem wide for the lower filesystem. Instead we
0494  * can clone the ACLs and then apply the relevant idmapping of the layer.
0495  *
0496  * This is obviously only relevant when idmapped layers are used.
0497  */
0498 struct posix_acl *ovl_get_acl(struct inode *inode, int type, bool rcu)
0499 {
0500     struct inode *realinode = ovl_inode_real(inode);
0501     struct posix_acl *acl, *clone;
0502     struct path realpath;
0503
0504     if (!IS_POSIXACL(realinode))
0505         return NULL;
0506
0507     /* Careful in RCU walk mode */
0508     ovl_i_path_real(inode, &realpath);
0509     if (!realpath.dentry) {
0510         WARN_ON(!rcu);
0511         return ERR_PTR(-ECHILD);
0512     }
0513
0514     if (rcu) {
0515         acl = get_cached_acl_rcu(realinode, type);
0516     } else {
0517         const struct cred *old_cred;
0518
0519         old_cred = ovl_override_creds(inode->i_sb);
0520         acl = get_acl(realinode, type);
0521         revert_creds(old_cred);
0522     }
0523     /*
0524      * If there are no POSIX ACLs, or we encountered an error,
0525      * or the layer isn't idmapped we don't need to do anything.
0526      */
0527     if (!is_idmapped_mnt(realpath.mnt) || IS_ERR_OR_NULL(acl))
0528         return acl;
0529
0530     /*
0531      * We only get here if the layer is idmapped. So drop out of RCU path
0532      * walk so we can clone the ACLs. There's no need to release the ACLs
0533      * since get_cached_acl_rcu() doesn't take a reference on the ACLs.
0534      */
0535     if (rcu)
0536         return ERR_PTR(-ECHILD);
0537
0538     clone = posix_acl_clone(acl, GFP_KERNEL);
0539     if (!clone)
0540         clone = ERR_PTR(-ENOMEM);
0541     else
0542         ovl_idmap_posix_acl(realinode, mnt_user_ns(realpath.mnt), clone);
0543     /*
0544      * Since we're not in RCU path walk we always need to release the
0545      * original ACLs.
0546      */
0547     posix_acl_release(acl);
0548     return clone;
0549 }
0550 #endif
0551
0552 int ovl_update_time(struct inode *inode, struct timespec64 *ts, int flags)
0553 {
0554     if (flags & S_ATIME) {
0555         struct ovl_fs *ofs = inode->i_sb->s_fs_info;
0556         struct path upperpath = {
0557             .mnt = ovl_upper_mnt(ofs),
0558             .dentry = ovl_upperdentry_dereference(OVL_I(inode)),
0559         };
0560
0561         if (upperpath.dentry) {
0562             touch_atime(&upperpath);
0563             inode->i_atime = d_inode(upperpath.dentry)->i_atime;
0564         }
0565     }
0566     return 0;
0567 }
0568
0569 static int ovl_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
0570               u64 start, u64 len)
0571 {
0572     int err;
0573     struct inode *realinode = ovl_inode_realdata(inode);
0574     const struct cred *old_cred;
0575
0576     if (!realinode->i_op->fiemap)
0577         return -EOPNOTSUPP;
0578
0579     old_cred = ovl_override_creds(inode->i_sb);
0580     err = realinode->i_op->fiemap(realinode, fieinfo, start, len);
0581     revert_creds(old_cred);
0582
0583     return err;
0584 }
0585
0586 /*
0587  * Work around the fact that security_file_ioctl() takes a file argument.
0588  * Introducing security_inode_fileattr_get/set() hooks would solve this issue
0589  * properly.
0590  */
0591 static int ovl_security_fileattr(struct path *realpath, struct fileattr *fa,
0592                  bool set)
0593 {
0594     struct file *file;
0595     unsigned int cmd;
0596     int err;
0597
0598     file = dentry_open(realpath, O_RDONLY, current_cred());
0599     if (IS_ERR(file))
0600         return PTR_ERR(file);
0601
0602     if (set)
0603         cmd = fa->fsx_valid ? FS_IOC_FSSETXATTR : FS_IOC_SETFLAGS;
0604     else
0605         cmd = fa->fsx_valid ? FS_IOC_FSGETXATTR : FS_IOC_GETFLAGS;
0606
0607     err = security_file_ioctl(file, cmd, 0);
0608     fput(file);
0609
0610     return err;
0611 }
0612
0613 int ovl_real_fileattr_set(struct path *realpath, struct fileattr *fa)
0614 {
0615     int err;
0616
0617     err = ovl_security_fileattr(realpath, fa, true);
0618     if (err)
0619         return err;
0620
0621     return vfs_fileattr_set(mnt_user_ns(realpath->mnt), realpath->dentry, fa);
0622 }
0623
0624 int ovl_fileattr_set(struct user_namespace *mnt_userns,
0625              struct dentry *dentry, struct fileattr *fa)
0626 {
0627     struct inode *inode = d_inode(dentry);
0628     struct path upperpath;
0629     const struct cred *old_cred;
0630     unsigned int flags;
0631     int err;
0632
0633     err = ovl_want_write(dentry);
0634     if (err)
0635         goto out;
0636
0637     err = ovl_copy_up(dentry);
0638     if (!err) {
0639         ovl_path_real(dentry, &upperpath);
0640
0641         old_cred = ovl_override_creds(inode->i_sb);
0642         /*
0643          * Store immutable/append-only flags in xattr and clear them
0644          * in upper fileattr (in case they were set by older kernel)
0645          * so children of "ovl-immutable" directories lower aliases of
0646          * "ovl-immutable" hardlinks could be copied up.
0647          * Clear xattr when flags are cleared.
0648          */
0649         err = ovl_set_protattr(inode, upperpath.dentry, fa);
0650         if (!err)
0651             err = ovl_real_fileattr_set(&upperpath, fa);
0652         revert_creds(old_cred);
0653
0654         /*
0655          * Merge real inode flags with inode flags read from
0656          * overlay.protattr xattr
0657          */
0658         flags = ovl_inode_real(inode)->i_flags & OVL_COPY_I_FLAGS_MASK;
0659
0660         BUILD_BUG_ON(OVL_PROT_I_FLAGS_MASK & ~OVL_COPY_I_FLAGS_MASK);
0661         flags |= inode->i_flags & OVL_PROT_I_FLAGS_MASK;
0662         inode_set_flags(inode, flags, OVL_COPY_I_FLAGS_MASK);
0663
0664         /* Update ctime */
0665         ovl_copyattr(inode);
0666     }
0667     ovl_drop_write(dentry);
0668 out:
0669     return err;
0670 }
0671
0672 /* Convert inode protection flags to fileattr flags */
0673 static void ovl_fileattr_prot_flags(struct inode *inode, struct fileattr *fa)
0674 {
0675     BUILD_BUG_ON(OVL_PROT_FS_FLAGS_MASK & ~FS_COMMON_FL);
0676     BUILD_BUG_ON(OVL_PROT_FSX_FLAGS_MASK & ~FS_XFLAG_COMMON);
0677
0678     if (inode->i_flags & S_APPEND) {
0679         fa->flags |= FS_APPEND_FL;
0680         fa->fsx_xflags |= FS_XFLAG_APPEND;
0681     }
0682     if (inode->i_flags & S_IMMUTABLE) {
0683         fa->flags |= FS_IMMUTABLE_FL;
0684         fa->fsx_xflags |= FS_XFLAG_IMMUTABLE;
0685     }
0686 }
0687
0688 int ovl_real_fileattr_get(struct path *realpath, struct fileattr *fa)
0689 {
0690     int err;
0691
0692     err = ovl_security_fileattr(realpath, fa, false);
0693     if (err)
0694         return err;
0695
0696     err = vfs_fileattr_get(realpath->dentry, fa);
0697     if (err == -ENOIOCTLCMD)
0698         err = -ENOTTY;
0699     return err;
0700 }
0701
0702 int ovl_fileattr_get(struct dentry *dentry, struct fileattr *fa)
0703 {
0704     struct inode *inode = d_inode(dentry);
0705     struct path realpath;
0706     const struct cred *old_cred;
0707     int err;
0708
0709     ovl_path_real(dentry, &realpath);
0710
0711     old_cred = ovl_override_creds(inode->i_sb);
0712     err = ovl_real_fileattr_get(&realpath, fa);
0713     ovl_fileattr_prot_flags(inode, fa);
0714     revert_creds(old_cred);
0715
0716     return err;
0717 }
0718
0719 static const struct inode_operations ovl_file_inode_operations = {
0720     .setattr    = ovl_setattr,
0721     .permission = ovl_permission,
0722     .getattr    = ovl_getattr,
0723     .listxattr  = ovl_listxattr,
0724     .get_acl    = ovl_get_acl,
0725     .update_time    = ovl_update_time,
0726     .fiemap     = ovl_fiemap,
0727     .fileattr_get   = ovl_fileattr_get,
0728     .fileattr_set   = ovl_fileattr_set,
0729 };
0730
0731 static const struct inode_operations ovl_symlink_inode_operations = {
0732     .setattr    = ovl_setattr,
0733     .get_link   = ovl_get_link,
0734     .getattr    = ovl_getattr,
0735     .listxattr  = ovl_listxattr,
0736     .update_time    = ovl_update_time,
0737 };
0738
0739 static const struct inode_operations ovl_special_inode_operations = {
0740     .setattr    = ovl_setattr,
0741     .permission = ovl_permission,
0742     .getattr    = ovl_getattr,
0743     .listxattr  = ovl_listxattr,
0744     .get_acl    = ovl_get_acl,
0745     .update_time    = ovl_update_time,
0746 };
0747
0748 static const struct address_space_operations ovl_aops = {
0749     /* For O_DIRECT dentry_open() checks f_mapping->a_ops->direct_IO */
0750     .direct_IO      = noop_direct_IO,
0751 };
0752
0753 /*
0754  * It is possible to stack overlayfs instance on top of another
0755  * overlayfs instance as lower layer. We need to annotate the
0756  * stackable i_mutex locks according to stack level of the super
0757  * block instance. An overlayfs instance can never be in stack
0758  * depth 0 (there is always a real fs below it).  An overlayfs
0759  * inode lock will use the lockdep annotation ovl_i_mutex_key[depth].
0760  *
0761  * For example, here is a snip from /proc/lockdep_chains after
0762  * dir_iterate of nested overlayfs:
0763  *
0764  * [...] &ovl_i_mutex_dir_key[depth]   (stack_depth=2)
0765  * [...] &ovl_i_mutex_dir_key[depth]#2 (stack_depth=1)
0766  * [...] &type->i_mutex_dir_key        (stack_depth=0)
0767  *
0768  * Locking order w.r.t ovl_want_write() is important for nested overlayfs.
0769  *
0770  * This chain is valid:
0771  * - inode->i_rwsem         (inode_lock[2])
0772  * - upper_mnt->mnt_sb->s_writers   (ovl_want_write[0])
0773  * - OVL_I(inode)->lock         (ovl_inode_lock[2])
0774  * - OVL_I(lowerinode)->lock        (ovl_inode_lock[1])
0775  *
0776  * And this chain is valid:
0777  * - inode->i_rwsem         (inode_lock[2])
0778  * - OVL_I(inode)->lock         (ovl_inode_lock[2])
0779  * - lowerinode->i_rwsem        (inode_lock[1])
0780  * - OVL_I(lowerinode)->lock        (ovl_inode_lock[1])
0781  *
0782  * But lowerinode->i_rwsem SHOULD NOT be acquired while ovl_want_write() is
0783  * held, because it is in reverse order of the non-nested case using the same
0784  * upper fs:
0785  * - inode->i_rwsem         (inode_lock[1])
0786  * - upper_mnt->mnt_sb->s_writers   (ovl_want_write[0])
0787  * - OVL_I(inode)->lock         (ovl_inode_lock[1])
0788  */
0789 #define OVL_MAX_NESTING FILESYSTEM_MAX_STACK_DEPTH
0790
0791 static inline void ovl_lockdep_annotate_inode_mutex_key(struct inode *inode)
0792 {
0793 #ifdef CONFIG_LOCKDEP
0794     static struct lock_class_key ovl_i_mutex_key[OVL_MAX_NESTING];
0795     static struct lock_class_key ovl_i_mutex_dir_key[OVL_MAX_NESTING];
0796     static struct lock_class_key ovl_i_lock_key[OVL_MAX_NESTING];
0797
0798     int depth = inode->i_sb->s_stack_depth - 1;
0799
0800     if (WARN_ON_ONCE(depth < 0 || depth >= OVL_MAX_NESTING))
0801         depth = 0;
0802
0803     if (S_ISDIR(inode->i_mode))
0804         lockdep_set_class(&inode->i_rwsem, &ovl_i_mutex_dir_key[depth]);
0805     else
0806         lockdep_set_class(&inode->i_rwsem, &ovl_i_mutex_key[depth]);
0807
0808     lockdep_set_class(&OVL_I(inode)->lock, &ovl_i_lock_key[depth]);
0809 #endif
0810 }
0811
0812 static void ovl_next_ino(struct inode *inode)
0813 {
0814     struct ovl_fs *ofs = inode->i_sb->s_fs_info;
0815
0816     inode->i_ino = atomic_long_inc_return(&ofs->last_ino);
0817     if (unlikely(!inode->i_ino))
0818         inode->i_ino = atomic_long_inc_return(&ofs->last_ino);
0819 }
0820
0821 static void ovl_map_ino(struct inode *inode, unsigned long ino, int fsid)
0822 {
0823     int xinobits = ovl_xino_bits(inode->i_sb);
0824     unsigned int xinoshift = 64 - xinobits;
0825
0826     /*
0827      * When d_ino is consistent with st_ino (samefs or i_ino has enough
0828      * bits to encode layer), set the same value used for st_ino to i_ino,
0829      * so inode number exposed via /proc/locks and a like will be
0830      * consistent with d_ino and st_ino values. An i_ino value inconsistent
0831      * with d_ino also causes nfsd readdirplus to fail.
0832      */
0833     inode->i_ino = ino;
0834     if (ovl_same_fs(inode->i_sb)) {
0835         return;
0836     } else if (xinobits && likely(!(ino >> xinoshift))) {
0837         inode->i_ino |= (unsigned long)fsid << (xinoshift + 1);
0838         return;
0839     }
0840
0841     /*
0842      * For directory inodes on non-samefs with xino disabled or xino
0843      * overflow, we allocate a non-persistent inode number, to be used for
0844      * resolving st_ino collisions in ovl_map_dev_ino().
0845      *
0846      * To avoid ino collision with legitimate xino values from upper
0847      * layer (fsid 0), use the lowest xinobit to map the non
0848      * persistent inode numbers to the unified st_ino address space.
0849      */
0850     if (S_ISDIR(inode->i_mode)) {
0851         ovl_next_ino(inode);
0852         if (xinobits) {
0853             inode->i_ino &= ~0UL >> xinobits;
0854             inode->i_ino |= 1UL << xinoshift;
0855         }
0856     }
0857 }
0858
0859 void ovl_inode_init(struct inode *inode, struct ovl_inode_params *oip,
0860             unsigned long ino, int fsid)
0861 {
0862     struct inode *realinode;
0863     struct ovl_inode *oi = OVL_I(inode);
0864
0865     if (oip->upperdentry)
0866         oi->__upperdentry = oip->upperdentry;
0867     if (oip->lowerpath && oip->lowerpath->dentry) {
0868         oi->lowerpath.dentry = dget(oip->lowerpath->dentry);
0869         oi->lowerpath.layer = oip->lowerpath->layer;
0870     }
0871     if (oip->lowerdata)
0872         oi->lowerdata = igrab(d_inode(oip->lowerdata));
0873
0874     realinode = ovl_inode_real(inode);
0875     ovl_copyattr(inode);
0876     ovl_copyflags(realinode, inode);
0877     ovl_map_ino(inode, ino, fsid);
0878 }
0879
0880 static void ovl_fill_inode(struct inode *inode, umode_t mode, dev_t rdev)
0881 {
0882     inode->i_mode = mode;
0883     inode->i_flags |= S_NOCMTIME;
0884 #ifdef CONFIG_FS_POSIX_ACL
0885     inode->i_acl = inode->i_default_acl = ACL_DONT_CACHE;
0886 #endif
0887
0888     ovl_lockdep_annotate_inode_mutex_key(inode);
0889
0890     switch (mode & S_IFMT) {
0891     case S_IFREG:
0892         inode->i_op = &ovl_file_inode_operations;
0893         inode->i_fop = &ovl_file_operations;
0894         inode->i_mapping->a_ops = &ovl_aops;
0895         break;
0896
0897     case S_IFDIR:
0898         inode->i_op = &ovl_dir_inode_operations;
0899         inode->i_fop = &ovl_dir_operations;
0900         break;
0901
0902     case S_IFLNK:
0903         inode->i_op = &ovl_symlink_inode_operations;
0904         break;
0905
0906     default:
0907         inode->i_op = &ovl_special_inode_operations;
0908         init_special_inode(inode, mode, rdev);
0909         break;
0910     }
0911 }
0912
0913 /*
0914  * With inodes index enabled, an overlay inode nlink counts the union of upper
0915  * hardlinks and non-covered lower hardlinks. During the lifetime of a non-pure
0916  * upper inode, the following nlink modifying operations can happen:
0917  *
0918  * 1. Lower hardlink copy up
0919  * 2. Upper hardlink created, unlinked or renamed over
0920  * 3. Lower hardlink whiteout or renamed over
0921  *
0922  * For the first, copy up case, the union nlink does not change, whether the
0923  * operation succeeds or fails, but the upper inode nlink may change.
0924  * Therefore, before copy up, we store the union nlink value relative to the
0925  * lower inode nlink in the index inode xattr .overlay.nlink.
0926  *
0927  * For the second, upper hardlink case, the union nlink should be incremented
0928  * or decremented IFF the operation succeeds, aligned with nlink change of the
0929  * upper inode. Therefore, before link/unlink/rename, we store the union nlink
0930  * value relative to the upper inode nlink in the index inode.
0931  *
0932  * For the last, lower cover up case, we simplify things by preceding the
0933  * whiteout or cover up with copy up. This makes sure that there is an index
0934  * upper inode where the nlink xattr can be stored before the copied up upper
0935  * entry is unlink.
0936  */
0937 #define OVL_NLINK_ADD_UPPER (1 << 0)
0938
0939 /*
0940  * On-disk format for indexed nlink:
0941  *
0942  * nlink relative to the upper inode - "U[+-]NUM"
0943  * nlink relative to the lower inode - "L[+-]NUM"
0944  */
0945
0946 static int ovl_set_nlink_common(struct dentry *dentry,
0947                 struct dentry *realdentry, const char *format)
0948 {
0949     struct inode *inode = d_inode(dentry);
0950     struct inode *realinode = d_inode(realdentry);
0951     char buf[13];
0952     int len;
0953
0954     len = snprintf(buf, sizeof(buf), format,
0955                (int) (inode->i_nlink - realinode->i_nlink));
0956
0957     if (WARN_ON(len >= sizeof(buf)))
0958         return -EIO;
0959
0960     return ovl_setxattr(OVL_FS(inode->i_sb), ovl_dentry_upper(dentry),
0961                 OVL_XATTR_NLINK, buf, len);
0962 }
0963
0964 int ovl_set_nlink_upper(struct dentry *dentry)
0965 {
0966     return ovl_set_nlink_common(dentry, ovl_dentry_upper(dentry), "U%+i");
0967 }
0968
0969 int ovl_set_nlink_lower(struct dentry *dentry)
0970 {
0971     return ovl_set_nlink_common(dentry, ovl_dentry_lower(dentry), "L%+i");
0972 }
0973
0974 unsigned int ovl_get_nlink(struct ovl_fs *ofs, struct dentry *lowerdentry,
0975                struct dentry *upperdentry,
0976                unsigned int fallback)
0977 {
0978     int nlink_diff;
0979     int nlink;
0980     char buf[13];
0981     int err;
0982
0983     if (!lowerdentry || !upperdentry || d_inode(lowerdentry)->i_nlink == 1)
0984         return fallback;
0985
0986     err = ovl_getxattr_upper(ofs, upperdentry, OVL_XATTR_NLINK,
0987                  &buf, sizeof(buf) - 1);
0988     if (err < 0)
0989         goto fail;
0990
0991     buf[err] = '\0';
0992     if ((buf[0] != 'L' && buf[0] != 'U') ||
0993         (buf[1] != '+' && buf[1] != '-'))
0994         goto fail;
0995
0996     err = kstrtoint(buf + 1, 10, &nlink_diff);
0997     if (err < 0)
0998         goto fail;
0999
1000     nlink = d_inode(buf[0] == 'L' ? lowerdentry : upperdentry)->i_nlink;
1001     nlink += nlink_diff;
1002
1003     if (nlink <= 0)
1004         goto fail;
1005
1006     return nlink;
1007
1008 fail:
1009     pr_warn_ratelimited("failed to get index nlink (%pd2, err=%i)\n",
1010                 upperdentry, err);
1011     return fallback;
1012 }
1013
1014 struct inode *ovl_new_inode(struct super_block *sb, umode_t mode, dev_t rdev)
1015 {
1016     struct inode *inode;
1017
1018     inode = new_inode(sb);
1019     if (inode)
1020         ovl_fill_inode(inode, mode, rdev);
1021
1022     return inode;
1023 }
1024
1025 static int ovl_inode_test(struct inode *inode, void *data)
1026 {
1027     return inode->i_private == data;
1028 }
1029
1030 static int ovl_inode_set(struct inode *inode, void *data)
1031 {
1032     inode->i_private = data;
1033     return 0;
1034 }
1035
1036 static bool ovl_verify_inode(struct inode *inode, struct dentry *lowerdentry,
1037                  struct dentry *upperdentry, bool strict)
1038 {
1039     /*
1040      * For directories, @strict verify from lookup path performs consistency
1041      * checks, so NULL lower/upper in dentry must match NULL lower/upper in
1042      * inode. Non @strict verify from NFS handle decode path passes NULL for
1043      * 'unknown' lower/upper.
1044      */
1045     if (S_ISDIR(inode->i_mode) && strict) {
1046         /* Real lower dir moved to upper layer under us? */
1047         if (!lowerdentry && ovl_inode_lower(inode))
1048             return false;
1049
1050         /* Lookup of an uncovered redirect origin? */
1051         if (!upperdentry && ovl_inode_upper(inode))
1052             return false;
1053     }
1054
1055     /*
1056      * Allow non-NULL lower inode in ovl_inode even if lowerdentry is NULL.
1057      * This happens when finding a copied up overlay inode for a renamed
1058      * or hardlinked overlay dentry and lower dentry cannot be followed
1059      * by origin because lower fs does not support file handles.
1060      */
1061     if (lowerdentry && ovl_inode_lower(inode) != d_inode(lowerdentry))
1062         return false;
1063
1064     /*
1065      * Allow non-NULL __upperdentry in inode even if upperdentry is NULL.
1066      * This happens when finding a lower alias for a copied up hard link.
1067      */
1068     if (upperdentry && ovl_inode_upper(inode) != d_inode(upperdentry))
1069         return false;
1070
1071     return true;
1072 }
1073
1074 struct inode *ovl_lookup_inode(struct super_block *sb, struct dentry *real,
1075                    bool is_upper)
1076 {
1077     struct inode *inode, *key = d_inode(real);
1078
1079     inode = ilookup5(sb, (unsigned long) key, ovl_inode_test, key);
1080     if (!inode)
1081         return NULL;
1082
1083     if (!ovl_verify_inode(inode, is_upper ? NULL : real,
1084                   is_upper ? real : NULL, false)) {
1085         iput(inode);
1086         return ERR_PTR(-ESTALE);
1087     }
1088
1089     return inode;
1090 }
1091
1092 bool ovl_lookup_trap_inode(struct super_block *sb, struct dentry *dir)
1093 {
1094     struct inode *key = d_inode(dir);
1095     struct inode *trap;
1096     bool res;
1097
1098     trap = ilookup5(sb, (unsigned long) key, ovl_inode_test, key);
1099     if (!trap)
1100         return false;
1101
1102     res = IS_DEADDIR(trap) && !ovl_inode_upper(trap) &&
1103                   !ovl_inode_lower(trap);
1104
1105     iput(trap);
1106     return res;
1107 }
1108
1109 /*
1110  * Create an inode cache entry for layer root dir, that will intentionally
1111  * fail ovl_verify_inode(), so any lookup that will find some layer root
1112  * will fail.
1113  */
1114 struct inode *ovl_get_trap_inode(struct super_block *sb, struct dentry *dir)
1115 {
1116     struct inode *key = d_inode(dir);
1117     struct inode *trap;
1118
1119     if (!d_is_dir(dir))
1120         return ERR_PTR(-ENOTDIR);
1121
1122     trap = iget5_locked(sb, (unsigned long) key, ovl_inode_test,
1123                 ovl_inode_set, key);
1124     if (!trap)
1125         return ERR_PTR(-ENOMEM);
1126
1127     if (!(trap->i_state & I_NEW)) {
1128         /* Conflicting layer roots? */
1129         iput(trap);
1130         return ERR_PTR(-ELOOP);
1131     }
1132
1133     trap->i_mode = S_IFDIR;
1134     trap->i_flags = S_DEAD;
1135     unlock_new_inode(trap);
1136
1137     return trap;
1138 }
1139
1140 /*
1141  * Does overlay inode need to be hashed by lower inode?
1142  */
1143 static bool ovl_hash_bylower(struct super_block *sb, struct dentry *upper,
1144                  struct dentry *lower, bool index)
1145 {
1146     struct ovl_fs *ofs = sb->s_fs_info;
1147
1148     /* No, if pure upper */
1149     if (!lower)
1150         return false;
1151
1152     /* Yes, if already indexed */
1153     if (index)
1154         return true;
1155
1156     /* Yes, if won't be copied up */
1157     if (!ovl_upper_mnt(ofs))
1158         return true;
1159
1160     /* No, if lower hardlink is or will be broken on copy up */
1161     if ((upper || !ovl_indexdir(sb)) &&
1162         !d_is_dir(lower) && d_inode(lower)->i_nlink > 1)
1163         return false;
1164
1165     /* No, if non-indexed upper with NFS export */
1166     if (sb->s_export_op && upper)
1167         return false;
1168
1169     /* Otherwise, hash by lower inode for fsnotify */
1170     return true;
1171 }
1172
1173 static struct inode *ovl_iget5(struct super_block *sb, struct inode *newinode,
1174                    struct inode *key)
1175 {
1176     return newinode ? inode_insert5(newinode, (unsigned long) key,
1177                      ovl_inode_test, ovl_inode_set, key) :
1178               iget5_locked(sb, (unsigned long) key,
1179                        ovl_inode_test, ovl_inode_set, key);
1180 }
1181
1182 struct inode *ovl_get_inode(struct super_block *sb,
1183                 struct ovl_inode_params *oip)
1184 {
1185     struct ovl_fs *ofs = OVL_FS(sb);
1186     struct dentry *upperdentry = oip->upperdentry;
1187     struct ovl_path *lowerpath = oip->lowerpath;
1188     struct inode *realinode = upperdentry ? d_inode(upperdentry) : NULL;
1189     struct inode *inode;
1190     struct dentry *lowerdentry = lowerpath ? lowerpath->dentry : NULL;
1191     struct path realpath = {
1192         .dentry = upperdentry ?: lowerdentry,
1193         .mnt = upperdentry ? ovl_upper_mnt(ofs) : lowerpath->layer->mnt,
1194     };
1195     bool bylower = ovl_hash_bylower(sb, upperdentry, lowerdentry,
1196                     oip->index);
1197     int fsid = bylower ? lowerpath->layer->fsid : 0;
1198     bool is_dir;
1199     unsigned long ino = 0;
1200     int err = oip->newinode ? -EEXIST : -ENOMEM;
1201
1202     if (!realinode)
1203         realinode = d_inode(lowerdentry);
1204
1205     /*
1206      * Copy up origin (lower) may exist for non-indexed upper, but we must
1207      * not use lower as hash key if this is a broken hardlink.
1208      */
1209     is_dir = S_ISDIR(realinode->i_mode);
1210     if (upperdentry || bylower) {
1211         struct inode *key = d_inode(bylower ? lowerdentry :
1212                               upperdentry);
1213         unsigned int nlink = is_dir ? 1 : realinode->i_nlink;
1214
1215         inode = ovl_iget5(sb, oip->newinode, key);
1216         if (!inode)
1217             goto out_err;
1218         if (!(inode->i_state & I_NEW)) {
1219             /*
1220              * Verify that the underlying files stored in the inode
1221              * match those in the dentry.
1222              */
1223             if (!ovl_verify_inode(inode, lowerdentry, upperdentry,
1224                           true)) {
1225                 iput(inode);
1226                 err = -ESTALE;
1227                 goto out_err;
1228             }
1229
1230             dput(upperdentry);
1231             kfree(oip->redirect);
1232             goto out;
1233         }
1234
1235         /* Recalculate nlink for non-dir due to indexing */
1236         if (!is_dir)
1237             nlink = ovl_get_nlink(ofs, lowerdentry, upperdentry,
1238                           nlink);
1239         set_nlink(inode, nlink);
1240         ino = key->i_ino;
1241     } else {
1242         /* Lower hardlink that will be broken on copy up */
1243         inode = new_inode(sb);
1244         if (!inode) {
1245             err = -ENOMEM;
1246             goto out_err;
1247         }
1248         ino = realinode->i_ino;
1249         fsid = lowerpath->layer->fsid;
1250     }
1251     ovl_fill_inode(inode, realinode->i_mode, realinode->i_rdev);
1252     ovl_inode_init(inode, oip, ino, fsid);
1253
1254     if (upperdentry && ovl_is_impuredir(sb, upperdentry))
1255         ovl_set_flag(OVL_IMPURE, inode);
1256
1257     if (oip->index)
1258         ovl_set_flag(OVL_INDEX, inode);
1259
1260     OVL_I(inode)->redirect = oip->redirect;
1261
1262     if (bylower)
1263         ovl_set_flag(OVL_CONST_INO, inode);
1264
1265     /* Check for non-merge dir that may have whiteouts */
1266     if (is_dir) {
1267         if (((upperdentry && lowerdentry) || oip->numlower > 1) ||
1268             ovl_path_check_origin_xattr(ofs, &realpath)) {
1269             ovl_set_flag(OVL_WHITEOUTS, inode);
1270         }
1271     }
1272
1273     /* Check for immutable/append-only inode flags in xattr */
1274     if (upperdentry)
1275         ovl_check_protattr(inode, upperdentry);
1276
1277     if (inode->i_state & I_NEW)
1278         unlock_new_inode(inode);
1279 out:
1280     return inode;
1281
1282 out_err:
1283     pr_warn_ratelimited("failed to get inode (%i)\n", err);
1284     inode = ERR_PTR(err);
1285     goto out;
1286 }