LXR linux/fs/overlayfs/inode.c

   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 *
   4 * Copyright (C) 2011 Novell Inc.
   5 */
   6
   7#include <linux/fs.h>
   8#include <linux/slab.h>
   9#include <linux/cred.h>
  10#include <linux/xattr.h>
  11#include <linux/posix_acl.h>
  12#include <linux/ratelimit.h>
  13#include <linux/fiemap.h>
  14#include <linux/fileattr.h>
  15#include <linux/security.h>
  16#include <linux/namei.h>
  17#include "overlayfs.h"
  18
  19
  20int ovl_setattr(struct user_namespace *mnt_userns, struct dentry *dentry,
  21                struct iattr *attr)
  22{
  23        int err;
  24        struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
  25        bool full_copy_up = false;
  26        struct dentry *upperdentry;
  27        const struct cred *old_cred;
  28
  29        err = setattr_prepare(&init_user_ns, dentry, attr);
  30        if (err)
  31                return err;
  32
  33        err = ovl_want_write(dentry);
  34        if (err)
  35                goto out;
  36
  37        if (attr->ia_valid & ATTR_SIZE) {
  38                /* Truncate should trigger data copy up as well */
  39                full_copy_up = true;
  40        }
  41
  42        if (!full_copy_up)
  43                err = ovl_copy_up(dentry);
  44        else
  45                err = ovl_copy_up_with_data(dentry);
  46        if (!err) {
  47                struct inode *winode = NULL;
  48
  49                upperdentry = ovl_dentry_upper(dentry);
  50
  51                if (attr->ia_valid & ATTR_SIZE) {
  52                        winode = d_inode(upperdentry);
  53                        err = get_write_access(winode);
  54                        if (err)
  55                                goto out_drop_write;
  56                }
  57
  58                if (attr->ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID))
  59                        attr->ia_valid &= ~ATTR_MODE;
  60
  61                /*
  62                 * We might have to translate ovl file into real file object
  63                 * once use cases emerge.  For now, simply don't let underlying
  64                 * filesystem rely on attr->ia_file
  65                 */
  66                attr->ia_valid &= ~ATTR_FILE;
  67
  68                /*
  69                 * If open(O_TRUNC) is done, VFS calls ->setattr with ATTR_OPEN
  70                 * set.  Overlayfs does not pass O_TRUNC flag to underlying
  71                 * filesystem during open -> do not pass ATTR_OPEN.  This
  72                 * disables optimization in fuse which assumes open(O_TRUNC)
  73                 * already set file size to 0.  But we never passed O_TRUNC to
  74                 * fuse.  So by clearing ATTR_OPEN, fuse will be forced to send
  75                 * setattr request to server.
  76                 */
  77                attr->ia_valid &= ~ATTR_OPEN;
  78
  79                inode_lock(upperdentry->d_inode);
  80                old_cred = ovl_override_creds(dentry->d_sb);
  81                err = ovl_do_notify_change(ofs, upperdentry, attr);
  82                revert_creds(old_cred);
  83                if (!err)
  84                        ovl_copyattr(dentry->d_inode);
  85                inode_unlock(upperdentry->d_inode);
  86
  87                if (winode)
  88                        put_write_access(winode);
  89        }
  90out_drop_write:
  91        ovl_drop_write(dentry);
  92out:
  93        return err;
  94}
  95
  96static void ovl_map_dev_ino(struct dentry *dentry, struct kstat *stat, int fsid)
  97{
  98        bool samefs = ovl_same_fs(dentry->d_sb);
  99        unsigned int xinobits = ovl_xino_bits(dentry->d_sb);
 100        unsigned int xinoshift = 64 - xinobits;
 101
 102        if (samefs) {
 103                /*
 104                 * When all layers are on the same fs, all real inode
 105                 * number are unique, so we use the overlay st_dev,
 106                 * which is friendly to du -x.
 107                 */
 108                stat->dev = dentry->d_sb->s_dev;
 109                return;
 110        } else if (xinobits) {
 111                /*
 112                 * All inode numbers of underlying fs should not be using the
 113                 * high xinobits, so we use high xinobits to partition the
 114                 * overlay st_ino address space. The high bits holds the fsid
 115                 * (upper fsid is 0). The lowest xinobit is reserved for mapping
 116                 * the non-persistent inode numbers range in case of overflow.
 117                 * This way all overlay inode numbers are unique and use the
 118                 * overlay st_dev.
 119                 */
 120                if (likely(!(stat->ino >> xinoshift))) {
 121                        stat->ino |= ((u64)fsid) << (xinoshift + 1);
 122                        stat->dev = dentry->d_sb->s_dev;
 123                        return;
 124                } else if (ovl_xino_warn(dentry->d_sb)) {
 125                        pr_warn_ratelimited("inode number too big (%pd2, ino=%llu, xinobits=%d)\n",
 126                                            dentry, stat->ino, xinobits);
 127                }
 128        }
 129
 130        /* The inode could not be mapped to a unified st_ino address space */
 131        if (S_ISDIR(dentry->d_inode->i_mode)) {
 132                /*
 133                 * Always use the overlay st_dev for directories, so 'find
 134                 * -xdev' will scan the entire overlay mount and won't cross the
 135                 * overlay mount boundaries.
 136                 *
 137                 * If not all layers are on the same fs the pair {real st_ino;
 138                 * overlay st_dev} is not unique, so use the non persistent
 139                 * overlay st_ino for directories.
 140                 */
 141                stat->dev = dentry->d_sb->s_dev;
 142                stat->ino = dentry->d_inode->i_ino;
 143        } else {
 144                /*
 145                 * For non-samefs setup, if we cannot map all layers st_ino
 146                 * to a unified address space, we need to make sure that st_dev
 147                 * is unique per underlying fs, so we use the unique anonymous
 148                 * bdev assigned to the underlying fs.
 149                 */
 150                stat->dev = OVL_FS(dentry->d_sb)->fs[fsid].pseudo_dev;
 151        }
 152}
 153
 154int ovl_getattr(struct user_namespace *mnt_userns, const struct path *path,
 155                struct kstat *stat, u32 request_mask, unsigned int flags)
 156{
 157        struct dentry *dentry = path->dentry;
 158        enum ovl_path_type type;
 159        struct path realpath;
 160        const struct cred *old_cred;
 161        struct inode *inode = d_inode(dentry);
 162        bool is_dir = S_ISDIR(inode->i_mode);
 163        int fsid = 0;
 164        int err;
 165        bool metacopy_blocks = false;
 166
 167        metacopy_blocks = ovl_is_metacopy_dentry(dentry);
 168
 169        type = ovl_path_real(dentry, &realpath);
 170        old_cred = ovl_override_creds(dentry->d_sb);
 171        err = vfs_getattr(&realpath, stat, request_mask, flags);
 172        if (err)
 173                goto out;
 174
 175        /* Report the effective immutable/append-only STATX flags */
 176        generic_fill_statx_attr(inode, stat);
 177
 178        /*
 179         * For non-dir or same fs, we use st_ino of the copy up origin.
 180         * This guaranties constant st_dev/st_ino across copy up.
 181         * With xino feature and non-samefs, we use st_ino of the copy up
 182         * origin masked with high bits that represent the layer id.
 183         *
 184         * If lower filesystem supports NFS file handles, this also guaranties
 185         * persistent st_ino across mount cycle.
 186         */
 187        if (!is_dir || ovl_same_dev(dentry->d_sb)) {
 188                if (!OVL_TYPE_UPPER(type)) {
 189                        fsid = ovl_layer_lower(dentry)->fsid;
 190                } else if (OVL_TYPE_ORIGIN(type)) {
 191                        struct kstat lowerstat;
 192                        u32 lowermask = STATX_INO | STATX_BLOCKS |
 193                                        (!is_dir ? STATX_NLINK : 0);
 194
 195                        ovl_path_lower(dentry, &realpath);
 196                        err = vfs_getattr(&realpath, &lowerstat,
 197                                          lowermask, flags);
 198                        if (err)
 199                                goto out;
 200
 201                        /*
 202                         * Lower hardlinks may be broken on copy up to different
 203                         * upper files, so we cannot use the lower origin st_ino
 204                         * for those different files, even for the same fs case.
 205                         *
 206                         * Similarly, several redirected dirs can point to the
 207                         * same dir on a lower layer. With the "verify_lower"
 208                         * feature, we do not use the lower origin st_ino, if
 209                         * we haven't verified that this redirect is unique.
 210                         *
 211                         * With inodes index enabled, it is safe to use st_ino
 212                         * of an indexed origin. The index validates that the
 213                         * upper hardlink is not broken and that a redirected
 214                         * dir is the only redirect to that origin.
 215                         */
 216                        if (ovl_test_flag(OVL_INDEX, d_inode(dentry)) ||
 217                            (!ovl_verify_lower(dentry->d_sb) &&
 218                             (is_dir || lowerstat.nlink == 1))) {
 219                                fsid = ovl_layer_lower(dentry)->fsid;
 220                                stat->ino = lowerstat.ino;
 221                        }
 222
 223                        /*
 224                         * If we are querying a metacopy dentry and lower
 225                         * dentry is data dentry, then use the blocks we
 226                         * queried just now. We don't have to do additional
 227                         * vfs_getattr(). If lower itself is metacopy, then
 228                         * additional vfs_getattr() is unavoidable.
 229                         */
 230                        if (metacopy_blocks &&
 231                            realpath.dentry == ovl_dentry_lowerdata(dentry)) {
 232                                stat->blocks = lowerstat.blocks;
 233                                metacopy_blocks = false;
 234                        }
 235                }
 236
 237                if (metacopy_blocks) {
 238                        /*
 239                         * If lower is not same as lowerdata or if there was
 240                         * no origin on upper, we can end up here.
 241                         */
 242                        struct kstat lowerdatastat;
 243                        u32 lowermask = STATX_BLOCKS;
 244
 245                        ovl_path_lowerdata(dentry, &realpath);
 246                        err = vfs_getattr(&realpath, &lowerdatastat,
 247                                          lowermask, flags);
 248                        if (err)
 249                                goto out;
 250                        stat->blocks = lowerdatastat.blocks;
 251                }
 252        }
 253
 254        ovl_map_dev_ino(dentry, stat, fsid);
 255
 256        /*
 257         * It's probably not worth it to count subdirs to get the
 258         * correct link count.  nlink=1 seems to pacify 'find' and
 259         * other utilities.
 260         */
 261        if (is_dir && OVL_TYPE_MERGE(type))
 262                stat->nlink = 1;
 263
 264        /*
 265         * Return the overlay inode nlinks for indexed upper inodes.
 266         * Overlay inode nlink counts the union of the upper hardlinks
 267         * and non-covered lower hardlinks. It does not include the upper
 268         * index hardlink.
 269         */
 270        if (!is_dir && ovl_test_flag(OVL_INDEX, d_inode(dentry)))
 271                stat->nlink = dentry->d_inode->i_nlink;
 272
 273out:
 274        revert_creds(old_cred);
 275
 276        return err;
 277}
 278
 279int ovl_permission(struct user_namespace *mnt_userns,
 280                   struct inode *inode, int mask)
 281{
 282        struct inode *upperinode = ovl_inode_upper(inode);
 283        struct inode *realinode;
 284        struct path realpath;
 285        const struct cred *old_cred;
 286        int err;
 287
 288        /* Careful in RCU walk mode */
 289        ovl_i_path_real(inode, &realpath);
 290        if (!realpath.dentry) {
 291                WARN_ON(!(mask & MAY_NOT_BLOCK));
 292                return -ECHILD;
 293        }
 294
 295        /*
 296         * Check overlay inode with the creds of task and underlying inode
 297         * with creds of mounter
 298         */
 299        err = generic_permission(&init_user_ns, inode, mask);
 300        if (err)
 301                return err;
 302
 303        realinode = d_inode(realpath.dentry);
 304        old_cred = ovl_override_creds(inode->i_sb);
 305        if (!upperinode &&
 306            !special_file(realinode->i_mode) && mask & MAY_WRITE) {
 307                mask &= ~(MAY_WRITE | MAY_APPEND);
 308                /* Make sure mounter can read file for copy up later */
 309                mask |= MAY_READ;
 310        }
 311        err = inode_permission(mnt_user_ns(realpath.mnt), realinode, mask);
 312        revert_creds(old_cred);
 313
 314        return err;
 315}
 316
 317static const char *ovl_get_link(struct dentry *dentry,
 318                                struct inode *inode,
 319                                struct delayed_call *done)
 320{
 321        const struct cred *old_cred;
 322        const char *p;
 323
 324        if (!dentry)
 325                return ERR_PTR(-ECHILD);
 326
 327        old_cred = ovl_override_creds(dentry->d_sb);
 328        p = vfs_get_link(ovl_dentry_real(dentry), done);
 329        revert_creds(old_cred);
 330        return p;
 331}
 332
 333bool ovl_is_private_xattr(struct super_block *sb, const char *name)
 334{
 335        struct ovl_fs *ofs = sb->s_fs_info;
 336
 337        if (ofs->config.userxattr)
 338                return strncmp(name, OVL_XATTR_USER_PREFIX,
 339                               sizeof(OVL_XATTR_USER_PREFIX) - 1) == 0;
 340        else
 341                return strncmp(name, OVL_XATTR_TRUSTED_PREFIX,
 342                               sizeof(OVL_XATTR_TRUSTED_PREFIX) - 1) == 0;
 343}
 344
 345int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name,
 346                  const void *value, size_t size, int flags)
 347{
 348        int err;
 349        struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
 350        struct dentry *upperdentry = ovl_i_dentry_upper(inode);
 351        struct dentry *realdentry = upperdentry ?: ovl_dentry_lower(dentry);
 352        struct path realpath;
 353        const struct cred *old_cred;
 354
 355        err = ovl_want_write(dentry);
 356        if (err)
 357                goto out;
 358
 359        if (!value && !upperdentry) {
 360                ovl_path_lower(dentry, &realpath);
 361                old_cred = ovl_override_creds(dentry->d_sb);
 362                err = vfs_getxattr(mnt_user_ns(realpath.mnt), realdentry, name, NULL, 0);
 363                revert_creds(old_cred);
 364                if (err < 0)
 365                        goto out_drop_write;
 366        }
 367
 368        if (!upperdentry) {
 369                err = ovl_copy_up(dentry);
 370                if (err)
 371                        goto out_drop_write;
 372
 373                realdentry = ovl_dentry_upper(dentry);
 374        }
 375
 376        old_cred = ovl_override_creds(dentry->d_sb);
 377        if (value) {
 378                err = ovl_do_setxattr(ofs, realdentry, name, value, size,
 379                                      flags);
 380        } else {
 381                WARN_ON(flags != XATTR_REPLACE);
 382                err = ovl_do_removexattr(ofs, realdentry, name);
 383        }
 384        revert_creds(old_cred);
 385
 386        /* copy c/mtime */
 387        ovl_copyattr(inode);
 388
 389out_drop_write:
 390        ovl_drop_write(dentry);
 391out:
 392        return err;
 393}
 394
 395int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char *name,
 396                  void *value, size_t size)
 397{
 398        ssize_t res;
 399        const struct cred *old_cred;
 400        struct path realpath;
 401
 402        ovl_i_path_real(inode, &realpath);
 403        old_cred = ovl_override_creds(dentry->d_sb);
 404        res = vfs_getxattr(mnt_user_ns(realpath.mnt), realpath.dentry, name, value, size);
 405        revert_creds(old_cred);
 406        return res;
 407}
 408
 409static bool ovl_can_list(struct super_block *sb, const char *s)
 410{
 411        /* Never list private (.overlay) */
 412        if (ovl_is_private_xattr(sb, s))
 413                return false;
 414
 415        /* List all non-trusted xattrs */
 416        if (strncmp(s, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) != 0)
 417                return true;
 418
 419        /* list other trusted for superuser only */
 420        return ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN);
 421}
 422
 423ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
 424{
 425        struct dentry *realdentry = ovl_dentry_real(dentry);
 426        ssize_t res;
 427        size_t len;
 428        char *s;
 429        const struct cred *old_cred;
 430
 431        old_cred = ovl_override_creds(dentry->d_sb);
 432        res = vfs_listxattr(realdentry, list, size);
 433        revert_creds(old_cred);
 434        if (res <= 0 || size == 0)
 435                return res;
 436
 437        /* filter out private xattrs */
 438        for (s = list, len = res; len;) {
 439                size_t slen = strnlen(s, len) + 1;
 440
 441                /* underlying fs providing us with an broken xattr list? */
 442                if (WARN_ON(slen > len))
 443                        return -EIO;
 444
 445                len -= slen;
 446                if (!ovl_can_list(dentry->d_sb, s)) {
 447                        res -= slen;
 448                        memmove(s, s + slen, len);
 449                } else {
 450                        s += slen;
 451                }
 452        }
 453
 454        return res;
 455}
 456
 457struct posix_acl *ovl_get_acl(struct inode *inode, int type, bool rcu)
 458{
 459        struct inode *realinode = ovl_inode_real(inode);
 460        const struct cred *old_cred;
 461        struct posix_acl *acl;
 462
 463        if (!IS_ENABLED(CONFIG_FS_POSIX_ACL) || !IS_POSIXACL(realinode))
 464                return NULL;
 465
 466        if (rcu)
 467                return get_cached_acl_rcu(realinode, type);
 468
 469        old_cred = ovl_override_creds(inode->i_sb);
 470        acl = get_acl(realinode, type);
 471        revert_creds(old_cred);
 472
 473        return acl;
 474}
 475
 476int ovl_update_time(struct inode *inode, struct timespec64 *ts, int flags)
 477{
 478        if (flags & S_ATIME) {
 479                struct ovl_fs *ofs = inode->i_sb->s_fs_info;
 480                struct path upperpath = {
 481                        .mnt = ovl_upper_mnt(ofs),
 482                        .dentry = ovl_upperdentry_dereference(OVL_I(inode)),
 483                };
 484
 485                if (upperpath.dentry) {
 486                        touch_atime(&upperpath);
 487                        inode->i_atime = d_inode(upperpath.dentry)->i_atime;
 488                }
 489        }
 490        return 0;
 491}
 492
 493static int ovl_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
 494                      u64 start, u64 len)
 495{
 496        int err;
 497        struct inode *realinode = ovl_inode_realdata(inode);
 498        const struct cred *old_cred;
 499
 500        if (!realinode->i_op->fiemap)
 501                return -EOPNOTSUPP;
 502
 503        old_cred = ovl_override_creds(inode->i_sb);
 504        err = realinode->i_op->fiemap(realinode, fieinfo, start, len);
 505        revert_creds(old_cred);
 506
 507        return err;
 508}
 509
 510/*
 511 * Work around the fact that security_file_ioctl() takes a file argument.
 512 * Introducing security_inode_fileattr_get/set() hooks would solve this issue
 513 * properly.
 514 */
 515static int ovl_security_fileattr(struct path *realpath, struct fileattr *fa,
 516                                 bool set)
 517{
 518        struct file *file;
 519        unsigned int cmd;
 520        int err;
 521
 522        file = dentry_open(realpath, O_RDONLY, current_cred());
 523        if (IS_ERR(file))
 524                return PTR_ERR(file);
 525
 526        if (set)
 527                cmd = fa->fsx_valid ? FS_IOC_FSSETXATTR : FS_IOC_SETFLAGS;
 528        else
 529                cmd = fa->fsx_valid ? FS_IOC_FSGETXATTR : FS_IOC_GETFLAGS;
 530
 531        err = security_file_ioctl(file, cmd, 0);
 532        fput(file);
 533
 534        return err;
 535}
 536
 537int ovl_real_fileattr_set(struct path *realpath, struct fileattr *fa)
 538{
 539        int err;
 540
 541        err = ovl_security_fileattr(realpath, fa, true);
 542        if (err)
 543                return err;
 544
 545        return vfs_fileattr_set(mnt_user_ns(realpath->mnt), realpath->dentry, fa);
 546}
 547
 548int ovl_fileattr_set(struct user_namespace *mnt_userns,
 549                     struct dentry *dentry, struct fileattr *fa)
 550{
 551        struct inode *inode = d_inode(dentry);
 552        struct path upperpath;
 553        const struct cred *old_cred;
 554        unsigned int flags;
 555        int err;
 556
 557        err = ovl_want_write(dentry);
 558        if (err)
 559                goto out;
 560
 561        err = ovl_copy_up(dentry);
 562        if (!err) {
 563                ovl_path_real(dentry, &upperpath);
 564
 565                old_cred = ovl_override_creds(inode->i_sb);
 566                /*
 567                 * Store immutable/append-only flags in xattr and clear them
 568                 * in upper fileattr (in case they were set by older kernel)
 569                 * so children of "ovl-immutable" directories lower aliases of
 570                 * "ovl-immutable" hardlinks could be copied up.
 571                 * Clear xattr when flags are cleared.
 572                 */
 573                err = ovl_set_protattr(inode, upperpath.dentry, fa);
 574                if (!err)
 575                        err = ovl_real_fileattr_set(&upperpath, fa);
 576                revert_creds(old_cred);
 577
 578                /*
 579                 * Merge real inode flags with inode flags read from
 580                 * overlay.protattr xattr
 581                 */
 582                flags = ovl_inode_real(inode)->i_flags & OVL_COPY_I_FLAGS_MASK;
 583
 584                BUILD_BUG_ON(OVL_PROT_I_FLAGS_MASK & ~OVL_COPY_I_FLAGS_MASK);
 585                flags |= inode->i_flags & OVL_PROT_I_FLAGS_MASK;
 586                inode_set_flags(inode, flags, OVL_COPY_I_FLAGS_MASK);
 587
 588                /* Update ctime */
 589                ovl_copyattr(inode);
 590        }
 591        ovl_drop_write(dentry);
 592out:
 593        return err;
 594}
 595
 596/* Convert inode protection flags to fileattr flags */
 597static void ovl_fileattr_prot_flags(struct inode *inode, struct fileattr *fa)
 598{
 599        BUILD_BUG_ON(OVL_PROT_FS_FLAGS_MASK & ~FS_COMMON_FL);
 600        BUILD_BUG_ON(OVL_PROT_FSX_FLAGS_MASK & ~FS_XFLAG_COMMON);
 601
 602        if (inode->i_flags & S_APPEND) {
 603                fa->flags |= FS_APPEND_FL;
 604                fa->fsx_xflags |= FS_XFLAG_APPEND;
 605        }
 606        if (inode->i_flags & S_IMMUTABLE) {
 607                fa->flags |= FS_IMMUTABLE_FL;
 608                fa->fsx_xflags |= FS_XFLAG_IMMUTABLE;
 609        }
 610}
 611
 612int ovl_real_fileattr_get(struct path *realpath, struct fileattr *fa)
 613{
 614        int err;
 615
 616        err = ovl_security_fileattr(realpath, fa, false);
 617        if (err)
 618                return err;
 619
 620        err = vfs_fileattr_get(realpath->dentry, fa);
 621        if (err == -ENOIOCTLCMD)
 622                err = -ENOTTY;
 623        return err;
 624}
 625
 626int ovl_fileattr_get(struct dentry *dentry, struct fileattr *fa)
 627{
 628        struct inode *inode = d_inode(dentry);
 629        struct path realpath;
 630        const struct cred *old_cred;
 631        int err;
 632
 633        ovl_path_real(dentry, &realpath);
 634
 635        old_cred = ovl_override_creds(inode->i_sb);
 636        err = ovl_real_fileattr_get(&realpath, fa);
 637        ovl_fileattr_prot_flags(inode, fa);
 638        revert_creds(old_cred);
 639
 640        return err;
 641}
 642
 643static const struct inode_operations ovl_file_inode_operations = {
 644        .setattr        = ovl_setattr,
 645        .permission     = ovl_permission,
 646        .getattr        = ovl_getattr,
 647        .listxattr      = ovl_listxattr,
 648        .get_acl        = ovl_get_acl,
 649        .update_time    = ovl_update_time,
 650        .fiemap         = ovl_fiemap,
 651        .fileattr_get   = ovl_fileattr_get,
 652        .fileattr_set   = ovl_fileattr_set,
 653};
 654
 655static const struct inode_operations ovl_symlink_inode_operations = {
 656        .setattr        = ovl_setattr,
 657        .get_link       = ovl_get_link,
 658        .getattr        = ovl_getattr,
 659        .listxattr      = ovl_listxattr,
 660        .update_time    = ovl_update_time,
 661};
 662
 663static const struct inode_operations ovl_special_inode_operations = {
 664        .setattr        = ovl_setattr,
 665        .permission     = ovl_permission,
 666        .getattr        = ovl_getattr,
 667        .listxattr      = ovl_listxattr,
 668        .get_acl        = ovl_get_acl,
 669        .update_time    = ovl_update_time,
 670};
 671
 672static const struct address_space_operations ovl_aops = {
 673        /* For O_DIRECT dentry_open() checks f_mapping->a_ops->direct_IO */
 674        .direct_IO              = noop_direct_IO,
 675};
 676
 677/*
 678 * It is possible to stack overlayfs instance on top of another
 679 * overlayfs instance as lower layer. We need to annotate the
 680 * stackable i_mutex locks according to stack level of the super
 681 * block instance. An overlayfs instance can never be in stack
 682 * depth 0 (there is always a real fs below it).  An overlayfs
 683 * inode lock will use the lockdep annotation ovl_i_mutex_key[depth].
 684 *
 685 * For example, here is a snip from /proc/lockdep_chains after
 686 * dir_iterate of nested overlayfs:
 687 *
 688 * [...] &ovl_i_mutex_dir_key[depth]   (stack_depth=2)
 689 * [...] &ovl_i_mutex_dir_key[depth]#2 (stack_depth=1)
 690 * [...] &type->i_mutex_dir_key        (stack_depth=0)
 691 *
 692 * Locking order w.r.t ovl_want_write() is important for nested overlayfs.
 693 *
 694 * This chain is valid:
 695 * - inode->i_rwsem                     (inode_lock[2])
 696 * - upper_mnt->mnt_sb->s_writers       (ovl_want_write[0])
 697 * - OVL_I(inode)->lock                 (ovl_inode_lock[2])
 698 * - OVL_I(lowerinode)->lock            (ovl_inode_lock[1])
 699 *
 700 * And this chain is valid:
 701 * - inode->i_rwsem                     (inode_lock[2])
 702 * - OVL_I(inode)->lock                 (ovl_inode_lock[2])
 703 * - lowerinode->i_rwsem                (inode_lock[1])
 704 * - OVL_I(lowerinode)->lock            (ovl_inode_lock[1])
 705 *
 706 * But lowerinode->i_rwsem SHOULD NOT be acquired while ovl_want_write() is
 707 * held, because it is in reverse order of the non-nested case using the same
 708 * upper fs:
 709 * - inode->i_rwsem                     (inode_lock[1])
 710 * - upper_mnt->mnt_sb->s_writers       (ovl_want_write[0])
 711 * - OVL_I(inode)->lock                 (ovl_inode_lock[1])
 712 */
 713#define OVL_MAX_NESTING FILESYSTEM_MAX_STACK_DEPTH
 714
 715static inline void ovl_lockdep_annotate_inode_mutex_key(struct inode *inode)
 716{
 717#ifdef CONFIG_LOCKDEP
 718        static struct lock_class_key ovl_i_mutex_key[OVL_MAX_NESTING];
 719        static struct lock_class_key ovl_i_mutex_dir_key[OVL_MAX_NESTING];
 720        static struct lock_class_key ovl_i_lock_key[OVL_MAX_NESTING];
 721
 722        int depth = inode->i_sb->s_stack_depth - 1;
 723
 724        if (WARN_ON_ONCE(depth < 0 || depth >= OVL_MAX_NESTING))
 725                depth = 0;
 726
 727        if (S_ISDIR(inode->i_mode))
 728                lockdep_set_class(&inode->i_rwsem, &ovl_i_mutex_dir_key[depth]);
 729        else
 730                lockdep_set_class(&inode->i_rwsem, &ovl_i_mutex_key[depth]);
 731
 732        lockdep_set_class(&OVL_I(inode)->lock, &ovl_i_lock_key[depth]);
 733#endif
 734}
 735
 736static void ovl_next_ino(struct inode *inode)
 737{
 738        struct ovl_fs *ofs = inode->i_sb->s_fs_info;
 739
 740        inode->i_ino = atomic_long_inc_return(&ofs->last_ino);
 741        if (unlikely(!inode->i_ino))
 742                inode->i_ino = atomic_long_inc_return(&ofs->last_ino);
 743}
 744
 745static void ovl_map_ino(struct inode *inode, unsigned long ino, int fsid)
 746{
 747        int xinobits = ovl_xino_bits(inode->i_sb);
 748        unsigned int xinoshift = 64 - xinobits;
 749
 750        /*
 751         * When d_ino is consistent with st_ino (samefs or i_ino has enough
 752         * bits to encode layer), set the same value used for st_ino to i_ino,
 753         * so inode number exposed via /proc/locks and a like will be
 754         * consistent with d_ino and st_ino values. An i_ino value inconsistent
 755         * with d_ino also causes nfsd readdirplus to fail.
 756         */
 757        inode->i_ino = ino;
 758        if (ovl_same_fs(inode->i_sb)) {
 759                return;
 760        } else if (xinobits && likely(!(ino >> xinoshift))) {
 761                inode->i_ino |= (unsigned long)fsid << (xinoshift + 1);
 762                return;
 763        }
 764
 765        /*
 766         * For directory inodes on non-samefs with xino disabled or xino
 767         * overflow, we allocate a non-persistent inode number, to be used for
 768         * resolving st_ino collisions in ovl_map_dev_ino().
 769         *
 770         * To avoid ino collision with legitimate xino values from upper
 771         * layer (fsid 0), use the lowest xinobit to map the non
 772         * persistent inode numbers to the unified st_ino address space.
 773         */
 774        if (S_ISDIR(inode->i_mode)) {
 775                ovl_next_ino(inode);
 776                if (xinobits) {
 777                        inode->i_ino &= ~0UL >> xinobits;
 778                        inode->i_ino |= 1UL << xinoshift;
 779                }
 780        }
 781}
 782
 783void ovl_inode_init(struct inode *inode, struct ovl_inode_params *oip,
 784                    unsigned long ino, int fsid)
 785{
 786        struct inode *realinode;
 787        struct ovl_inode *oi = OVL_I(inode);
 788
 789        if (oip->upperdentry)
 790                oi->__upperdentry = oip->upperdentry;
 791        if (oip->lowerpath && oip->lowerpath->dentry) {
 792                oi->lowerpath.dentry = dget(oip->lowerpath->dentry);
 793                oi->lowerpath.layer = oip->lowerpath->layer;
 794        }
 795        if (oip->lowerdata)
 796                oi->lowerdata = igrab(d_inode(oip->lowerdata));
 797
 798        realinode = ovl_inode_real(inode);
 799        ovl_copyattr(inode);
 800        ovl_copyflags(realinode, inode);
 801        ovl_map_ino(inode, ino, fsid);
 802}
 803
 804static void ovl_fill_inode(struct inode *inode, umode_t mode, dev_t rdev)
 805{
 806        inode->i_mode = mode;
 807        inode->i_flags |= S_NOCMTIME;
 808#ifdef CONFIG_FS_POSIX_ACL
 809        inode->i_acl = inode->i_default_acl = ACL_DONT_CACHE;
 810#endif
 811
 812        ovl_lockdep_annotate_inode_mutex_key(inode);
 813
 814        switch (mode & S_IFMT) {
 815        case S_IFREG:
 816                inode->i_op = &ovl_file_inode_operations;
 817                inode->i_fop = &ovl_file_operations;
 818                inode->i_mapping->a_ops = &ovl_aops;
 819                break;
 820
 821        case S_IFDIR:
 822                inode->i_op = &ovl_dir_inode_operations;
 823                inode->i_fop = &ovl_dir_operations;
 824                break;
 825
 826        case S_IFLNK:
 827                inode->i_op = &ovl_symlink_inode_operations;
 828                break;
 829
 830        default:
 831                inode->i_op = &ovl_special_inode_operations;
 832                init_special_inode(inode, mode, rdev);
 833                break;
 834        }
 835}
 836
 837/*
 838 * With inodes index enabled, an overlay inode nlink counts the union of upper
 839 * hardlinks and non-covered lower hardlinks. During the lifetime of a non-pure
 840 * upper inode, the following nlink modifying operations can happen:
 841 *
 842 * 1. Lower hardlink copy up
 843 * 2. Upper hardlink created, unlinked or renamed over
 844 * 3. Lower hardlink whiteout or renamed over
 845 *
 846 * For the first, copy up case, the union nlink does not change, whether the
 847 * operation succeeds or fails, but the upper inode nlink may change.
 848 * Therefore, before copy up, we store the union nlink value relative to the
 849 * lower inode nlink in the index inode xattr .overlay.nlink.
 850 *
 851 * For the second, upper hardlink case, the union nlink should be incremented
 852 * or decremented IFF the operation succeeds, aligned with nlink change of the
 853 * upper inode. Therefore, before link/unlink/rename, we store the union nlink
 854 * value relative to the upper inode nlink in the index inode.
 855 *
 856 * For the last, lower cover up case, we simplify things by preceding the
 857 * whiteout or cover up with copy up. This makes sure that there is an index
 858 * upper inode where the nlink xattr can be stored before the copied up upper
 859 * entry is unlink.
 860 */
 861#define OVL_NLINK_ADD_UPPER     (1 << 0)
 862
 863/*
 864 * On-disk format for indexed nlink:
 865 *
 866 * nlink relative to the upper inode - "U[+-]NUM"
 867 * nlink relative to the lower inode - "L[+-]NUM"
 868 */
 869
 870static int ovl_set_nlink_common(struct dentry *dentry,
 871                                struct dentry *realdentry, const char *format)
 872{
 873        struct inode *inode = d_inode(dentry);
 874        struct inode *realinode = d_inode(realdentry);
 875        char buf[13];
 876        int len;
 877
 878        len = snprintf(buf, sizeof(buf), format,
 879                       (int) (inode->i_nlink - realinode->i_nlink));
 880
 881        if (WARN_ON(len >= sizeof(buf)))
 882                return -EIO;
 883
 884        return ovl_setxattr(OVL_FS(inode->i_sb), ovl_dentry_upper(dentry),
 885                            OVL_XATTR_NLINK, buf, len);
 886}
 887
 888int ovl_set_nlink_upper(struct dentry *dentry)
 889{
 890        return ovl_set_nlink_common(dentry, ovl_dentry_upper(dentry), "U%+i");
 891}
 892
 893int ovl_set_nlink_lower(struct dentry *dentry)
 894{
 895        return ovl_set_nlink_common(dentry, ovl_dentry_lower(dentry), "L%+i");
 896}
 897
 898unsigned int ovl_get_nlink(struct ovl_fs *ofs, struct dentry *lowerdentry,
 899                           struct dentry *upperdentry,
 900                           unsigned int fallback)
 901{
 902        int nlink_diff;
 903        int nlink;
 904        char buf[13];
 905        int err;
 906
 907        if (!lowerdentry || !upperdentry || d_inode(lowerdentry)->i_nlink == 1)
 908                return fallback;
 909
 910        err = ovl_getxattr_upper(ofs, upperdentry, OVL_XATTR_NLINK,
 911                                 &buf, sizeof(buf) - 1);
 912        if (err < 0)
 913                goto fail;
 914
 915        buf[err] = '\0';
 916        if ((buf[0] != 'L' && buf[0] != 'U') ||
 917            (buf[1] != '+' && buf[1] != '-'))
 918                goto fail;
 919
 920        err = kstrtoint(buf + 1, 10, &nlink_diff);
 921        if (err < 0)
 922                goto fail;
 923
 924        nlink = d_inode(buf[0] == 'L' ? lowerdentry : upperdentry)->i_nlink;
 925        nlink += nlink_diff;
 926
 927        if (nlink <= 0)
 928                goto fail;
 929
 930        return nlink;
 931
 932fail:
 933        pr_warn_ratelimited("failed to get index nlink (%pd2, err=%i)\n",
 934                            upperdentry, err);
 935        return fallback;
 936}
 937
 938struct inode *ovl_new_inode(struct super_block *sb, umode_t mode, dev_t rdev)
 939{
 940        struct inode *inode;
 941
 942        inode = new_inode(sb);
 943        if (inode)
 944                ovl_fill_inode(inode, mode, rdev);
 945
 946        return inode;
 947}
 948
 949static int ovl_inode_test(struct inode *inode, void *data)
 950{
 951        return inode->i_private == data;
 952}
 953
 954static int ovl_inode_set(struct inode *inode, void *data)
 955{
 956        inode->i_private = data;
 957        return 0;
 958}
 959
 960static bool ovl_verify_inode(struct inode *inode, struct dentry *lowerdentry,
 961                             struct dentry *upperdentry, bool strict)
 962{
 963        /*
 964         * For directories, @strict verify from lookup path performs consistency
 965         * checks, so NULL lower/upper in dentry must match NULL lower/upper in
 966         * inode. Non @strict verify from NFS handle decode path passes NULL for
 967         * 'unknown' lower/upper.
 968         */
 969        if (S_ISDIR(inode->i_mode) && strict) {
 970                /* Real lower dir moved to upper layer under us? */
 971                if (!lowerdentry && ovl_inode_lower(inode))
 972                        return false;
 973
 974                /* Lookup of an uncovered redirect origin? */
 975                if (!upperdentry && ovl_inode_upper(inode))
 976                        return false;
 977        }
 978
 979        /*
 980         * Allow non-NULL lower inode in ovl_inode even if lowerdentry is NULL.
 981         * This happens when finding a copied up overlay inode for a renamed
 982         * or hardlinked overlay dentry and lower dentry cannot be followed
 983         * by origin because lower fs does not support file handles.
 984         */
 985        if (lowerdentry && ovl_inode_lower(inode) != d_inode(lowerdentry))
 986                return false;
 987
 988        /*
 989         * Allow non-NULL __upperdentry in inode even if upperdentry is NULL.
 990         * This happens when finding a lower alias for a copied up hard link.
 991         */
 992        if (upperdentry && ovl_inode_upper(inode) != d_inode(upperdentry))
 993                return false;
 994
 995        return true;
 996}
 997
 998struct inode *ovl_lookup_inode(struct super_block *sb, struct dentry *real,
 999                               bool is_upper)
1000{

1001        struct inode *inode, *key = d_inode(real);
1002
1003        inode = ilookup5(sb, (unsigned long) key, ovl_inode_test, key);
1004        if (!inode)
1005                return NULL;
1006
1007        if (!ovl_verify_inode(inode, is_upper ? NULL : real,
1008                              is_upper ? real : NULL, false)) {
1009                iput(inode);
1010                return ERR_PTR(-ESTALE);
1011        }
1012
1013        return inode;
1014}
1015
1016bool ovl_lookup_trap_inode(struct super_block *sb, struct dentry *dir)
1017{
1018        struct inode *key = d_inode(dir);
1019        struct inode *trap;
1020        bool res;
1021
1022        trap = ilookup5(sb, (unsigned long) key, ovl_inode_test, key);
1023        if (!trap)
1024                return false;
1025
1026        res = IS_DEADDIR(trap) && !ovl_inode_upper(trap) &&
1027                                  !ovl_inode_lower(trap);
1028
1029        iput(trap);
1030        return res;
1031}
1032
1033/*
1034 * Create an inode cache entry for layer root dir, that will intentionally
1035 * fail ovl_verify_inode(), so any lookup that will find some layer root
1036 * will fail.
1037 */
1038struct inode *ovl_get_trap_inode(struct super_block *sb, struct dentry *dir)
1039{
1040        struct inode *key = d_inode(dir);
1041        struct inode *trap;
1042
1043        if (!d_is_dir(dir))
1044                return ERR_PTR(-ENOTDIR);
1045
1046        trap = iget5_locked(sb, (unsigned long) key, ovl_inode_test,
1047                            ovl_inode_set, key);
1048        if (!trap)
1049                return ERR_PTR(-ENOMEM);
1050
1051        if (!(trap->i_state & I_NEW)) {
1052                /* Conflicting layer roots? */
1053                iput(trap);
1054                return ERR_PTR(-ELOOP);
1055        }
1056
1057        trap->i_mode = S_IFDIR;
1058        trap->i_flags = S_DEAD;
1059        unlock_new_inode(trap);
1060
1061        return trap;
1062}
1063
1064/*
1065 * Does overlay inode need to be hashed by lower inode?
1066 */
1067static bool ovl_hash_bylower(struct super_block *sb, struct dentry *upper,
1068                             struct dentry *lower, bool index)
1069{
1070        struct ovl_fs *ofs = sb->s_fs_info;
1071
1072        /* No, if pure upper */
1073        if (!lower)
1074                return false;
1075
1076        /* Yes, if already indexed */
1077        if (index)
1078                return true;
1079
1080        /* Yes, if won't be copied up */
1081        if (!ovl_upper_mnt(ofs))
1082                return true;
1083
1084        /* No, if lower hardlink is or will be broken on copy up */
1085        if ((upper || !ovl_indexdir(sb)) &&
1086            !d_is_dir(lower) && d_inode(lower)->i_nlink > 1)
1087                return false;
1088
1089        /* No, if non-indexed upper with NFS export */
1090        if (sb->s_export_op && upper)
1091                return false;
1092
1093        /* Otherwise, hash by lower inode for fsnotify */
1094        return true;
1095}
1096
1097static struct inode *ovl_iget5(struct super_block *sb, struct inode *newinode,
1098                               struct inode *key)
1099{
1100        return newinode ? inode_insert5(newinode, (unsigned long) key,
1101                                         ovl_inode_test, ovl_inode_set, key) :
1102                          iget5_locked(sb, (unsigned long) key,
1103                                       ovl_inode_test, ovl_inode_set, key);
1104}
1105
1106struct inode *ovl_get_inode(struct super_block *sb,
1107                            struct ovl_inode_params *oip)
1108{
1109        struct ovl_fs *ofs = OVL_FS(sb);
1110        struct dentry *upperdentry = oip->upperdentry;
1111        struct ovl_path *lowerpath = oip->lowerpath;
1112        struct inode *realinode = upperdentry ? d_inode(upperdentry) : NULL;
1113        struct inode *inode;
1114        struct dentry *lowerdentry = lowerpath ? lowerpath->dentry : NULL;
1115        struct path realpath = {
1116                .dentry = upperdentry ?: lowerdentry,
1117                .mnt = upperdentry ? ovl_upper_mnt(ofs) : lowerpath->layer->mnt,
1118        };
1119        bool bylower = ovl_hash_bylower(sb, upperdentry, lowerdentry,
1120                                        oip->index);
1121        int fsid = bylower ? lowerpath->layer->fsid : 0;
1122        bool is_dir;
1123        unsigned long ino = 0;
1124        int err = oip->newinode ? -EEXIST : -ENOMEM;
1125
1126        if (!realinode)
1127                realinode = d_inode(lowerdentry);
1128
1129        /*
1130         * Copy up origin (lower) may exist for non-indexed upper, but we must
1131         * not use lower as hash key if this is a broken hardlink.
1132         */
1133        is_dir = S_ISDIR(realinode->i_mode);
1134        if (upperdentry || bylower) {
1135                struct inode *key = d_inode(bylower ? lowerdentry :
1136                                                      upperdentry);
1137                unsigned int nlink = is_dir ? 1 : realinode->i_nlink;
1138
1139                inode = ovl_iget5(sb, oip->newinode, key);
1140                if (!inode)
1141                        goto out_err;
1142                if (!(inode->i_state & I_NEW)) {
1143                        /*
1144                         * Verify that the underlying files stored in the inode
1145                         * match those in the dentry.
1146                         */
1147                        if (!ovl_verify_inode(inode, lowerdentry, upperdentry,
1148                                              true)) {
1149                                iput(inode);
1150                                err = -ESTALE;
1151                                goto out_err;
1152                        }
1153
1154                        dput(upperdentry);
1155                        kfree(oip->redirect);
1156                        goto out;
1157                }
1158
1159                /* Recalculate nlink for non-dir due to indexing */
1160                if (!is_dir)
1161                        nlink = ovl_get_nlink(ofs, lowerdentry, upperdentry,
1162                                              nlink);
1163                set_nlink(inode, nlink);
1164                ino = key->i_ino;
1165        } else {
1166                /* Lower hardlink that will be broken on copy up */
1167                inode = new_inode(sb);
1168                if (!inode) {
1169                        err = -ENOMEM;
1170                        goto out_err;
1171                }
1172                ino = realinode->i_ino;
1173                fsid = lowerpath->layer->fsid;
1174        }
1175        ovl_fill_inode(inode, realinode->i_mode, realinode->i_rdev);
1176        ovl_inode_init(inode, oip, ino, fsid);
1177
1178        if (upperdentry && ovl_is_impuredir(sb, upperdentry))
1179                ovl_set_flag(OVL_IMPURE, inode);
1180
1181        if (oip->index)
1182                ovl_set_flag(OVL_INDEX, inode);
1183
1184        OVL_I(inode)->redirect = oip->redirect;
1185
1186        if (bylower)
1187                ovl_set_flag(OVL_CONST_INO, inode);
1188
1189        /* Check for non-merge dir that may have whiteouts */
1190        if (is_dir) {
1191                if (((upperdentry && lowerdentry) || oip->numlower > 1) ||
1192                    ovl_path_check_origin_xattr(ofs, &realpath)) {
1193                        ovl_set_flag(OVL_WHITEOUTS, inode);
1194                }
1195        }
1196
1197        /* Check for immutable/append-only inode flags in xattr */
1198        if (upperdentry)
1199                ovl_check_protattr(inode, upperdentry);
1200
1201        if (inode->i_state & I_NEW)
1202                unlock_new_inode(inode);
1203out:
1204        return inode;
1205
1206out_err:
1207        pr_warn_ratelimited("failed to get inode (%i)\n", err);
1208        inode = ERR_PTR(err);
1209        goto out;
1210}
1211