1 // SPDX-License-Identifier: GPL-2.0-only
4 * Copyright (C) 2011 Novell Inc.
8 #include <linux/slab.h>
9 #include <linux/cred.h>
10 #include <linux/xattr.h>
11 #include <linux/posix_acl.h>
12 #include <linux/ratelimit.h>
13 #include <linux/fiemap.h>
14 #include <linux/fileattr.h>
15 #include <linux/security.h>
16 #include <linux/namei.h>
17 #include <linux/posix_acl.h>
18 #include <linux/posix_acl_xattr.h>
19 #include "overlayfs.h"
22 int ovl_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
26 struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
27 bool full_copy_up = false;
28 struct dentry *upperdentry;
29 const struct cred *old_cred;
31 err = setattr_prepare(&nop_mnt_idmap, dentry, attr);
35 err = ovl_want_write(dentry);
39 if (attr->ia_valid & ATTR_SIZE) {
40 /* Truncate should trigger data copy up as well */
45 err = ovl_copy_up(dentry);
47 err = ovl_copy_up_with_data(dentry);
49 struct inode *winode = NULL;
51 upperdentry = ovl_dentry_upper(dentry);
53 if (attr->ia_valid & ATTR_SIZE) {
54 winode = d_inode(upperdentry);
55 err = get_write_access(winode);
60 if (attr->ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID))
61 attr->ia_valid &= ~ATTR_MODE;
64 * We might have to translate ovl file into real file object
65 * once use cases emerge. For now, simply don't let underlying
66 * filesystem rely on attr->ia_file
68 attr->ia_valid &= ~ATTR_FILE;
71 * If open(O_TRUNC) is done, VFS calls ->setattr with ATTR_OPEN
72 * set. Overlayfs does not pass O_TRUNC flag to underlying
73 * filesystem during open -> do not pass ATTR_OPEN. This
74 * disables optimization in fuse which assumes open(O_TRUNC)
75 * already set file size to 0. But we never passed O_TRUNC to
76 * fuse. So by clearing ATTR_OPEN, fuse will be forced to send
77 * setattr request to server.
79 attr->ia_valid &= ~ATTR_OPEN;
81 inode_lock(upperdentry->d_inode);
82 old_cred = ovl_override_creds(dentry->d_sb);
83 err = ovl_do_notify_change(ofs, upperdentry, attr);
84 revert_creds(old_cred);
86 ovl_copyattr(dentry->d_inode);
87 inode_unlock(upperdentry->d_inode);
90 put_write_access(winode);
93 ovl_drop_write(dentry);
98 static void ovl_map_dev_ino(struct dentry *dentry, struct kstat *stat, int fsid)
100 struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
101 bool samefs = ovl_same_fs(ofs);
102 unsigned int xinobits = ovl_xino_bits(ofs);
103 unsigned int xinoshift = 64 - xinobits;
107 * When all layers are on the same fs, all real inode
108 * number are unique, so we use the overlay st_dev,
109 * which is friendly to du -x.
111 stat->dev = dentry->d_sb->s_dev;
113 } else if (xinobits) {
115 * All inode numbers of underlying fs should not be using the
116 * high xinobits, so we use high xinobits to partition the
117 * overlay st_ino address space. The high bits holds the fsid
118 * (upper fsid is 0). The lowest xinobit is reserved for mapping
119 * the non-persistent inode numbers range in case of overflow.
120 * This way all overlay inode numbers are unique and use the
123 if (likely(!(stat->ino >> xinoshift))) {
124 stat->ino |= ((u64)fsid) << (xinoshift + 1);
125 stat->dev = dentry->d_sb->s_dev;
127 } else if (ovl_xino_warn(ofs)) {
128 pr_warn_ratelimited("inode number too big (%pd2, ino=%llu, xinobits=%d)\n",
129 dentry, stat->ino, xinobits);
133 /* The inode could not be mapped to a unified st_ino address space */
134 if (S_ISDIR(dentry->d_inode->i_mode)) {
136 * Always use the overlay st_dev for directories, so 'find
137 * -xdev' will scan the entire overlay mount and won't cross the
138 * overlay mount boundaries.
140 * If not all layers are on the same fs the pair {real st_ino;
141 * overlay st_dev} is not unique, so use the non persistent
142 * overlay st_ino for directories.
144 stat->dev = dentry->d_sb->s_dev;
145 stat->ino = dentry->d_inode->i_ino;
148 * For non-samefs setup, if we cannot map all layers st_ino
149 * to a unified address space, we need to make sure that st_dev
150 * is unique per underlying fs, so we use the unique anonymous
151 * bdev assigned to the underlying fs.
153 stat->dev = ofs->fs[fsid].pseudo_dev;
157 int ovl_getattr(struct mnt_idmap *idmap, const struct path *path,
158 struct kstat *stat, u32 request_mask, unsigned int flags)
160 struct dentry *dentry = path->dentry;
161 enum ovl_path_type type;
162 struct path realpath;
163 const struct cred *old_cred;
164 struct inode *inode = d_inode(dentry);
165 bool is_dir = S_ISDIR(inode->i_mode);
168 bool metacopy_blocks = false;
170 metacopy_blocks = ovl_is_metacopy_dentry(dentry);
172 type = ovl_path_real(dentry, &realpath);
173 old_cred = ovl_override_creds(dentry->d_sb);
174 err = vfs_getattr(&realpath, stat, request_mask, flags);
178 /* Report the effective immutable/append-only STATX flags */
179 generic_fill_statx_attr(inode, stat);
182 * For non-dir or same fs, we use st_ino of the copy up origin.
183 * This guaranties constant st_dev/st_ino across copy up.
184 * With xino feature and non-samefs, we use st_ino of the copy up
185 * origin masked with high bits that represent the layer id.
187 * If lower filesystem supports NFS file handles, this also guaranties
188 * persistent st_ino across mount cycle.
190 if (!is_dir || ovl_same_dev(OVL_FS(dentry->d_sb))) {
191 if (!OVL_TYPE_UPPER(type)) {
192 fsid = ovl_layer_lower(dentry)->fsid;
193 } else if (OVL_TYPE_ORIGIN(type)) {
194 struct kstat lowerstat;
195 u32 lowermask = STATX_INO | STATX_BLOCKS |
196 (!is_dir ? STATX_NLINK : 0);
198 ovl_path_lower(dentry, &realpath);
199 err = vfs_getattr(&realpath, &lowerstat,
205 * Lower hardlinks may be broken on copy up to different
206 * upper files, so we cannot use the lower origin st_ino
207 * for those different files, even for the same fs case.
209 * Similarly, several redirected dirs can point to the
210 * same dir on a lower layer. With the "verify_lower"
211 * feature, we do not use the lower origin st_ino, if
212 * we haven't verified that this redirect is unique.
214 * With inodes index enabled, it is safe to use st_ino
215 * of an indexed origin. The index validates that the
216 * upper hardlink is not broken and that a redirected
217 * dir is the only redirect to that origin.
219 if (ovl_test_flag(OVL_INDEX, d_inode(dentry)) ||
220 (!ovl_verify_lower(dentry->d_sb) &&
221 (is_dir || lowerstat.nlink == 1))) {
222 fsid = ovl_layer_lower(dentry)->fsid;
223 stat->ino = lowerstat.ino;
227 * If we are querying a metacopy dentry and lower
228 * dentry is data dentry, then use the blocks we
229 * queried just now. We don't have to do additional
230 * vfs_getattr(). If lower itself is metacopy, then
231 * additional vfs_getattr() is unavoidable.
233 if (metacopy_blocks &&
234 realpath.dentry == ovl_dentry_lowerdata(dentry)) {
235 stat->blocks = lowerstat.blocks;
236 metacopy_blocks = false;
240 if (metacopy_blocks) {
242 * If lower is not same as lowerdata or if there was
243 * no origin on upper, we can end up here.
244 * With lazy lowerdata lookup, guess lowerdata blocks
245 * from size to avoid lowerdata lookup on stat(2).
247 struct kstat lowerdatastat;
248 u32 lowermask = STATX_BLOCKS;
250 ovl_path_lowerdata(dentry, &realpath);
251 if (realpath.dentry) {
252 err = vfs_getattr(&realpath, &lowerdatastat,
257 lowerdatastat.blocks =
258 round_up(stat->size, stat->blksize) >> 9;
260 stat->blocks = lowerdatastat.blocks;
264 ovl_map_dev_ino(dentry, stat, fsid);
267 * It's probably not worth it to count subdirs to get the
268 * correct link count. nlink=1 seems to pacify 'find' and
271 if (is_dir && OVL_TYPE_MERGE(type))
275 * Return the overlay inode nlinks for indexed upper inodes.
276 * Overlay inode nlink counts the union of the upper hardlinks
277 * and non-covered lower hardlinks. It does not include the upper
280 if (!is_dir && ovl_test_flag(OVL_INDEX, d_inode(dentry)))
281 stat->nlink = dentry->d_inode->i_nlink;
284 revert_creds(old_cred);
289 int ovl_permission(struct mnt_idmap *idmap,
290 struct inode *inode, int mask)
292 struct inode *upperinode = ovl_inode_upper(inode);
293 struct inode *realinode;
294 struct path realpath;
295 const struct cred *old_cred;
298 /* Careful in RCU walk mode */
299 realinode = ovl_i_path_real(inode, &realpath);
301 WARN_ON(!(mask & MAY_NOT_BLOCK));
306 * Check overlay inode with the creds of task and underlying inode
307 * with creds of mounter
309 err = generic_permission(&nop_mnt_idmap, inode, mask);
313 old_cred = ovl_override_creds(inode->i_sb);
315 !special_file(realinode->i_mode) && mask & MAY_WRITE) {
316 mask &= ~(MAY_WRITE | MAY_APPEND);
317 /* Make sure mounter can read file for copy up later */
320 err = inode_permission(mnt_idmap(realpath.mnt), realinode, mask);
321 revert_creds(old_cred);
326 static const char *ovl_get_link(struct dentry *dentry,
328 struct delayed_call *done)
330 const struct cred *old_cred;
334 return ERR_PTR(-ECHILD);
336 old_cred = ovl_override_creds(dentry->d_sb);
337 p = vfs_get_link(ovl_dentry_real(dentry), done);
338 revert_creds(old_cred);
342 bool ovl_is_private_xattr(struct super_block *sb, const char *name)
344 struct ovl_fs *ofs = OVL_FS(sb);
346 if (ofs->config.userxattr)
347 return strncmp(name, OVL_XATTR_USER_PREFIX,
348 sizeof(OVL_XATTR_USER_PREFIX) - 1) == 0;
350 return strncmp(name, OVL_XATTR_TRUSTED_PREFIX,
351 sizeof(OVL_XATTR_TRUSTED_PREFIX) - 1) == 0;
354 int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name,
355 const void *value, size_t size, int flags)
358 struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
359 struct dentry *upperdentry = ovl_i_dentry_upper(inode);
360 struct dentry *realdentry = upperdentry ?: ovl_dentry_lower(dentry);
361 struct path realpath;
362 const struct cred *old_cred;
364 err = ovl_want_write(dentry);
368 if (!value && !upperdentry) {
369 ovl_path_lower(dentry, &realpath);
370 old_cred = ovl_override_creds(dentry->d_sb);
371 err = vfs_getxattr(mnt_idmap(realpath.mnt), realdentry, name, NULL, 0);
372 revert_creds(old_cred);
378 err = ovl_copy_up(dentry);
382 realdentry = ovl_dentry_upper(dentry);
385 old_cred = ovl_override_creds(dentry->d_sb);
387 err = ovl_do_setxattr(ofs, realdentry, name, value, size,
390 WARN_ON(flags != XATTR_REPLACE);
391 err = ovl_do_removexattr(ofs, realdentry, name);
393 revert_creds(old_cred);
399 ovl_drop_write(dentry);
404 int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char *name,
405 void *value, size_t size)
408 const struct cred *old_cred;
409 struct path realpath;
411 ovl_i_path_real(inode, &realpath);
412 old_cred = ovl_override_creds(dentry->d_sb);
413 res = vfs_getxattr(mnt_idmap(realpath.mnt), realpath.dentry, name, value, size);
414 revert_creds(old_cred);
418 static bool ovl_can_list(struct super_block *sb, const char *s)
420 /* Never list private (.overlay) */
421 if (ovl_is_private_xattr(sb, s))
424 /* List all non-trusted xattrs */
425 if (strncmp(s, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) != 0)
428 /* list other trusted for superuser only */
429 return ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN);
432 ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
434 struct dentry *realdentry = ovl_dentry_real(dentry);
438 const struct cred *old_cred;
440 old_cred = ovl_override_creds(dentry->d_sb);
441 res = vfs_listxattr(realdentry, list, size);
442 revert_creds(old_cred);
443 if (res <= 0 || size == 0)
446 /* filter out private xattrs */
447 for (s = list, len = res; len;) {
448 size_t slen = strnlen(s, len) + 1;
450 /* underlying fs providing us with an broken xattr list? */
451 if (WARN_ON(slen > len))
455 if (!ovl_can_list(dentry->d_sb, s)) {
457 memmove(s, s + slen, len);
466 #ifdef CONFIG_FS_POSIX_ACL
468 * Apply the idmapping of the layer to POSIX ACLs. The caller must pass a clone
469 * of the POSIX ACLs retrieved from the lower layer to this function to not
470 * alter the POSIX ACLs for the underlying filesystem.
472 static void ovl_idmap_posix_acl(const struct inode *realinode,
473 struct mnt_idmap *idmap,
474 struct posix_acl *acl)
476 struct user_namespace *fs_userns = i_user_ns(realinode);
478 for (unsigned int i = 0; i < acl->a_count; i++) {
482 struct posix_acl_entry *e = &acl->a_entries[i];
485 vfsuid = make_vfsuid(idmap, fs_userns, e->e_uid);
486 e->e_uid = vfsuid_into_kuid(vfsuid);
489 vfsgid = make_vfsgid(idmap, fs_userns, e->e_gid);
490 e->e_gid = vfsgid_into_kgid(vfsgid);
497 * The @noperm argument is used to skip permission checking and is a temporary
498 * measure. Quoting Miklos from an earlier discussion:
500 * > So there are two paths to getting an acl:
501 * > 1) permission checking and 2) retrieving the value via getxattr(2).
502 * > This is a similar situation as reading a symlink vs. following it.
503 * > When following a symlink overlayfs always reads the link on the
504 * > underlying fs just as if it was a readlink(2) call, calling
505 * > security_inode_readlink() instead of security_inode_follow_link().
506 * > This is logical: we are reading the link from the underlying storage,
507 * > and following it on overlayfs.
509 * > Applying the same logic to acl: we do need to call the
510 * > security_inode_getxattr() on the underlying fs, even if just want to
511 * > check permissions on overlay. This is currently not done, which is an
514 * > Maybe adding the check to ovl_get_acl() is the right way to go, but
515 * > I'm a little afraid of a performance regression. Will look into that.
517 * Until we have made a decision allow this helper to take the @noperm
518 * argument. We should hopefully be able to remove it soon.
520 struct posix_acl *ovl_get_acl_path(const struct path *path,
521 const char *acl_name, bool noperm)
523 struct posix_acl *real_acl, *clone;
524 struct mnt_idmap *idmap;
525 struct inode *realinode = d_inode(path->dentry);
527 idmap = mnt_idmap(path->mnt);
530 real_acl = get_inode_acl(realinode, posix_acl_type(acl_name));
532 real_acl = vfs_get_acl(idmap, path->dentry, acl_name);
533 if (IS_ERR_OR_NULL(real_acl))
536 if (!is_idmapped_mnt(path->mnt))
540 * We cannot alter the ACLs returned from the relevant layer as that
541 * would alter the cached values filesystem wide for the lower
542 * filesystem. Instead we can clone the ACLs and then apply the
543 * relevant idmapping of the layer.
545 clone = posix_acl_clone(real_acl, GFP_KERNEL);
546 posix_acl_release(real_acl); /* release original acl */
548 return ERR_PTR(-ENOMEM);
550 ovl_idmap_posix_acl(realinode, idmap, clone);
555 * When the relevant layer is an idmapped mount we need to take the idmapping
556 * of the layer into account and translate any ACL_{GROUP,USER} values
557 * according to the idmapped mount.
559 * We cannot alter the ACLs returned from the relevant layer as that would
560 * alter the cached values filesystem wide for the lower filesystem. Instead we
561 * can clone the ACLs and then apply the relevant idmapping of the layer.
563 * This is obviously only relevant when idmapped layers are used.
565 struct posix_acl *do_ovl_get_acl(struct mnt_idmap *idmap,
566 struct inode *inode, int type,
567 bool rcu, bool noperm)
569 struct inode *realinode;
570 struct posix_acl *acl;
571 struct path realpath;
573 /* Careful in RCU walk mode */
574 realinode = ovl_i_path_real(inode, &realpath);
577 return ERR_PTR(-ECHILD);
580 if (!IS_POSIXACL(realinode))
585 * If the layer is idmapped drop out of RCU path walk
586 * so we can clone the ACLs.
588 if (is_idmapped_mnt(realpath.mnt))
589 return ERR_PTR(-ECHILD);
591 acl = get_cached_acl_rcu(realinode, type);
593 const struct cred *old_cred;
595 old_cred = ovl_override_creds(inode->i_sb);
596 acl = ovl_get_acl_path(&realpath, posix_acl_xattr_name(type), noperm);
597 revert_creds(old_cred);
603 static int ovl_set_or_remove_acl(struct dentry *dentry, struct inode *inode,
604 struct posix_acl *acl, int type)
607 struct path realpath;
608 const char *acl_name;
609 const struct cred *old_cred;
610 struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
611 struct dentry *upperdentry = ovl_dentry_upper(dentry);
612 struct dentry *realdentry = upperdentry ?: ovl_dentry_lower(dentry);
614 err = ovl_want_write(dentry);
619 * If ACL is to be removed from a lower file, check if it exists in
620 * the first place before copying it up.
622 acl_name = posix_acl_xattr_name(type);
623 if (!acl && !upperdentry) {
624 struct posix_acl *real_acl;
626 ovl_path_lower(dentry, &realpath);
627 old_cred = ovl_override_creds(dentry->d_sb);
628 real_acl = vfs_get_acl(mnt_idmap(realpath.mnt), realdentry,
630 revert_creds(old_cred);
631 if (IS_ERR(real_acl)) {
632 err = PTR_ERR(real_acl);
635 posix_acl_release(real_acl);
639 err = ovl_copy_up(dentry);
643 realdentry = ovl_dentry_upper(dentry);
646 old_cred = ovl_override_creds(dentry->d_sb);
648 err = ovl_do_set_acl(ofs, realdentry, acl_name, acl);
650 err = ovl_do_remove_acl(ofs, realdentry, acl_name);
651 revert_creds(old_cred);
657 ovl_drop_write(dentry);
661 int ovl_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
662 struct posix_acl *acl, int type)
665 struct inode *inode = d_inode(dentry);
666 struct dentry *workdir = ovl_workdir(dentry);
667 struct inode *realinode = ovl_inode_real(inode);
669 if (!IS_POSIXACL(d_inode(workdir)))
671 if (!realinode->i_op->set_acl)
673 if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
674 return acl ? -EACCES : 0;
675 if (!inode_owner_or_capable(&nop_mnt_idmap, inode))
679 * Check if sgid bit needs to be cleared (actual setacl operation will
680 * be done with mounter's capabilities and so that won't do it for us).
682 if (unlikely(inode->i_mode & S_ISGID) && type == ACL_TYPE_ACCESS &&
683 !in_group_p(inode->i_gid) &&
684 !capable_wrt_inode_uidgid(&nop_mnt_idmap, inode, CAP_FSETID)) {
685 struct iattr iattr = { .ia_valid = ATTR_KILL_SGID };
687 err = ovl_setattr(&nop_mnt_idmap, dentry, &iattr);
692 return ovl_set_or_remove_acl(dentry, inode, acl, type);
696 int ovl_update_time(struct inode *inode, int flags)
698 if (flags & S_ATIME) {
699 struct ovl_fs *ofs = OVL_FS(inode->i_sb);
700 struct path upperpath = {
701 .mnt = ovl_upper_mnt(ofs),
702 .dentry = ovl_upperdentry_dereference(OVL_I(inode)),
705 if (upperpath.dentry) {
706 touch_atime(&upperpath);
707 inode_set_atime_to_ts(inode,
708 inode_get_atime(d_inode(upperpath.dentry)));
714 static int ovl_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
718 struct inode *realinode = ovl_inode_realdata(inode);
719 const struct cred *old_cred;
724 if (!realinode->i_op->fiemap)
727 old_cred = ovl_override_creds(inode->i_sb);
728 err = realinode->i_op->fiemap(realinode, fieinfo, start, len);
729 revert_creds(old_cred);
735 * Work around the fact that security_file_ioctl() takes a file argument.
736 * Introducing security_inode_fileattr_get/set() hooks would solve this issue
739 static int ovl_security_fileattr(const struct path *realpath, struct fileattr *fa,
746 file = dentry_open(realpath, O_RDONLY, current_cred());
748 return PTR_ERR(file);
751 cmd = fa->fsx_valid ? FS_IOC_FSSETXATTR : FS_IOC_SETFLAGS;
753 cmd = fa->fsx_valid ? FS_IOC_FSGETXATTR : FS_IOC_GETFLAGS;
755 err = security_file_ioctl(file, cmd, 0);
761 int ovl_real_fileattr_set(const struct path *realpath, struct fileattr *fa)
765 err = ovl_security_fileattr(realpath, fa, true);
769 return vfs_fileattr_set(mnt_idmap(realpath->mnt), realpath->dentry, fa);
772 int ovl_fileattr_set(struct mnt_idmap *idmap,
773 struct dentry *dentry, struct fileattr *fa)
775 struct inode *inode = d_inode(dentry);
776 struct path upperpath;
777 const struct cred *old_cred;
781 err = ovl_want_write(dentry);
785 err = ovl_copy_up(dentry);
787 ovl_path_real(dentry, &upperpath);
789 old_cred = ovl_override_creds(inode->i_sb);
791 * Store immutable/append-only flags in xattr and clear them
792 * in upper fileattr (in case they were set by older kernel)
793 * so children of "ovl-immutable" directories lower aliases of
794 * "ovl-immutable" hardlinks could be copied up.
795 * Clear xattr when flags are cleared.
797 err = ovl_set_protattr(inode, upperpath.dentry, fa);
799 err = ovl_real_fileattr_set(&upperpath, fa);
800 revert_creds(old_cred);
803 * Merge real inode flags with inode flags read from
804 * overlay.protattr xattr
806 flags = ovl_inode_real(inode)->i_flags & OVL_COPY_I_FLAGS_MASK;
808 BUILD_BUG_ON(OVL_PROT_I_FLAGS_MASK & ~OVL_COPY_I_FLAGS_MASK);
809 flags |= inode->i_flags & OVL_PROT_I_FLAGS_MASK;
810 inode_set_flags(inode, flags, OVL_COPY_I_FLAGS_MASK);
815 ovl_drop_write(dentry);
820 /* Convert inode protection flags to fileattr flags */
821 static void ovl_fileattr_prot_flags(struct inode *inode, struct fileattr *fa)
823 BUILD_BUG_ON(OVL_PROT_FS_FLAGS_MASK & ~FS_COMMON_FL);
824 BUILD_BUG_ON(OVL_PROT_FSX_FLAGS_MASK & ~FS_XFLAG_COMMON);
826 if (inode->i_flags & S_APPEND) {
827 fa->flags |= FS_APPEND_FL;
828 fa->fsx_xflags |= FS_XFLAG_APPEND;
830 if (inode->i_flags & S_IMMUTABLE) {
831 fa->flags |= FS_IMMUTABLE_FL;
832 fa->fsx_xflags |= FS_XFLAG_IMMUTABLE;
836 int ovl_real_fileattr_get(const struct path *realpath, struct fileattr *fa)
840 err = ovl_security_fileattr(realpath, fa, false);
844 err = vfs_fileattr_get(realpath->dentry, fa);
845 if (err == -ENOIOCTLCMD)
850 int ovl_fileattr_get(struct dentry *dentry, struct fileattr *fa)
852 struct inode *inode = d_inode(dentry);
853 struct path realpath;
854 const struct cred *old_cred;
857 ovl_path_real(dentry, &realpath);
859 old_cred = ovl_override_creds(inode->i_sb);
860 err = ovl_real_fileattr_get(&realpath, fa);
861 ovl_fileattr_prot_flags(inode, fa);
862 revert_creds(old_cred);
867 static const struct inode_operations ovl_file_inode_operations = {
868 .setattr = ovl_setattr,
869 .permission = ovl_permission,
870 .getattr = ovl_getattr,
871 .listxattr = ovl_listxattr,
872 .get_inode_acl = ovl_get_inode_acl,
873 .get_acl = ovl_get_acl,
874 .set_acl = ovl_set_acl,
875 .update_time = ovl_update_time,
876 .fiemap = ovl_fiemap,
877 .fileattr_get = ovl_fileattr_get,
878 .fileattr_set = ovl_fileattr_set,
881 static const struct inode_operations ovl_symlink_inode_operations = {
882 .setattr = ovl_setattr,
883 .get_link = ovl_get_link,
884 .getattr = ovl_getattr,
885 .listxattr = ovl_listxattr,
886 .update_time = ovl_update_time,
889 static const struct inode_operations ovl_special_inode_operations = {
890 .setattr = ovl_setattr,
891 .permission = ovl_permission,
892 .getattr = ovl_getattr,
893 .listxattr = ovl_listxattr,
894 .get_inode_acl = ovl_get_inode_acl,
895 .get_acl = ovl_get_acl,
896 .set_acl = ovl_set_acl,
897 .update_time = ovl_update_time,
900 static const struct address_space_operations ovl_aops = {
901 /* For O_DIRECT dentry_open() checks f_mapping->a_ops->direct_IO */
902 .direct_IO = noop_direct_IO,
906 * It is possible to stack overlayfs instance on top of another
907 * overlayfs instance as lower layer. We need to annotate the
908 * stackable i_mutex locks according to stack level of the super
909 * block instance. An overlayfs instance can never be in stack
910 * depth 0 (there is always a real fs below it). An overlayfs
911 * inode lock will use the lockdep annotation ovl_i_mutex_key[depth].
913 * For example, here is a snip from /proc/lockdep_chains after
914 * dir_iterate of nested overlayfs:
916 * [...] &ovl_i_mutex_dir_key[depth] (stack_depth=2)
917 * [...] &ovl_i_mutex_dir_key[depth]#2 (stack_depth=1)
918 * [...] &type->i_mutex_dir_key (stack_depth=0)
920 * Locking order w.r.t ovl_want_write() is important for nested overlayfs.
922 * This chain is valid:
923 * - inode->i_rwsem (inode_lock[2])
924 * - upper_mnt->mnt_sb->s_writers (ovl_want_write[0])
925 * - OVL_I(inode)->lock (ovl_inode_lock[2])
926 * - OVL_I(lowerinode)->lock (ovl_inode_lock[1])
928 * And this chain is valid:
929 * - inode->i_rwsem (inode_lock[2])
930 * - OVL_I(inode)->lock (ovl_inode_lock[2])
931 * - lowerinode->i_rwsem (inode_lock[1])
932 * - OVL_I(lowerinode)->lock (ovl_inode_lock[1])
934 * But lowerinode->i_rwsem SHOULD NOT be acquired while ovl_want_write() is
935 * held, because it is in reverse order of the non-nested case using the same
937 * - inode->i_rwsem (inode_lock[1])
938 * - upper_mnt->mnt_sb->s_writers (ovl_want_write[0])
939 * - OVL_I(inode)->lock (ovl_inode_lock[1])
941 #define OVL_MAX_NESTING FILESYSTEM_MAX_STACK_DEPTH
943 static inline void ovl_lockdep_annotate_inode_mutex_key(struct inode *inode)
945 #ifdef CONFIG_LOCKDEP
946 static struct lock_class_key ovl_i_mutex_key[OVL_MAX_NESTING];
947 static struct lock_class_key ovl_i_mutex_dir_key[OVL_MAX_NESTING];
948 static struct lock_class_key ovl_i_lock_key[OVL_MAX_NESTING];
950 int depth = inode->i_sb->s_stack_depth - 1;
952 if (WARN_ON_ONCE(depth < 0 || depth >= OVL_MAX_NESTING))
955 if (S_ISDIR(inode->i_mode))
956 lockdep_set_class(&inode->i_rwsem, &ovl_i_mutex_dir_key[depth]);
958 lockdep_set_class(&inode->i_rwsem, &ovl_i_mutex_key[depth]);
960 lockdep_set_class(&OVL_I(inode)->lock, &ovl_i_lock_key[depth]);
964 static void ovl_next_ino(struct inode *inode)
966 struct ovl_fs *ofs = OVL_FS(inode->i_sb);
968 inode->i_ino = atomic_long_inc_return(&ofs->last_ino);
969 if (unlikely(!inode->i_ino))
970 inode->i_ino = atomic_long_inc_return(&ofs->last_ino);
973 static void ovl_map_ino(struct inode *inode, unsigned long ino, int fsid)
975 struct ovl_fs *ofs = OVL_FS(inode->i_sb);
976 int xinobits = ovl_xino_bits(ofs);
977 unsigned int xinoshift = 64 - xinobits;
980 * When d_ino is consistent with st_ino (samefs or i_ino has enough
981 * bits to encode layer), set the same value used for st_ino to i_ino,
982 * so inode number exposed via /proc/locks and a like will be
983 * consistent with d_ino and st_ino values. An i_ino value inconsistent
984 * with d_ino also causes nfsd readdirplus to fail.
987 if (ovl_same_fs(ofs)) {
989 } else if (xinobits && likely(!(ino >> xinoshift))) {
990 inode->i_ino |= (unsigned long)fsid << (xinoshift + 1);
995 * For directory inodes on non-samefs with xino disabled or xino
996 * overflow, we allocate a non-persistent inode number, to be used for
997 * resolving st_ino collisions in ovl_map_dev_ino().
999 * To avoid ino collision with legitimate xino values from upper
1000 * layer (fsid 0), use the lowest xinobit to map the non
1001 * persistent inode numbers to the unified st_ino address space.
1003 if (S_ISDIR(inode->i_mode)) {
1004 ovl_next_ino(inode);
1006 inode->i_ino &= ~0UL >> xinobits;
1007 inode->i_ino |= 1UL << xinoshift;
1012 void ovl_inode_init(struct inode *inode, struct ovl_inode_params *oip,
1013 unsigned long ino, int fsid)
1015 struct inode *realinode;
1016 struct ovl_inode *oi = OVL_I(inode);
1018 oi->__upperdentry = oip->upperdentry;
1020 oi->redirect = oip->redirect;
1021 oi->lowerdata_redirect = oip->lowerdata_redirect;
1023 realinode = ovl_inode_real(inode);
1024 ovl_copyattr(inode);
1025 ovl_copyflags(realinode, inode);
1026 ovl_map_ino(inode, ino, fsid);
1029 static void ovl_fill_inode(struct inode *inode, umode_t mode, dev_t rdev)
1031 inode->i_mode = mode;
1032 inode->i_flags |= S_NOCMTIME;
1033 #ifdef CONFIG_FS_POSIX_ACL
1034 inode->i_acl = inode->i_default_acl = ACL_DONT_CACHE;
1037 ovl_lockdep_annotate_inode_mutex_key(inode);
1039 switch (mode & S_IFMT) {
1041 inode->i_op = &ovl_file_inode_operations;
1042 inode->i_fop = &ovl_file_operations;
1043 inode->i_mapping->a_ops = &ovl_aops;
1047 inode->i_op = &ovl_dir_inode_operations;
1048 inode->i_fop = &ovl_dir_operations;
1052 inode->i_op = &ovl_symlink_inode_operations;
1056 inode->i_op = &ovl_special_inode_operations;
1057 init_special_inode(inode, mode, rdev);
1063 * With inodes index enabled, an overlay inode nlink counts the union of upper
1064 * hardlinks and non-covered lower hardlinks. During the lifetime of a non-pure
1065 * upper inode, the following nlink modifying operations can happen:
1067 * 1. Lower hardlink copy up
1068 * 2. Upper hardlink created, unlinked or renamed over
1069 * 3. Lower hardlink whiteout or renamed over
1071 * For the first, copy up case, the union nlink does not change, whether the
1072 * operation succeeds or fails, but the upper inode nlink may change.
1073 * Therefore, before copy up, we store the union nlink value relative to the
1074 * lower inode nlink in the index inode xattr .overlay.nlink.
1076 * For the second, upper hardlink case, the union nlink should be incremented
1077 * or decremented IFF the operation succeeds, aligned with nlink change of the
1078 * upper inode. Therefore, before link/unlink/rename, we store the union nlink
1079 * value relative to the upper inode nlink in the index inode.
1081 * For the last, lower cover up case, we simplify things by preceding the
1082 * whiteout or cover up with copy up. This makes sure that there is an index
1083 * upper inode where the nlink xattr can be stored before the copied up upper
1086 #define OVL_NLINK_ADD_UPPER (1 << 0)
1089 * On-disk format for indexed nlink:
1091 * nlink relative to the upper inode - "U[+-]NUM"
1092 * nlink relative to the lower inode - "L[+-]NUM"
1095 static int ovl_set_nlink_common(struct dentry *dentry,
1096 struct dentry *realdentry, const char *format)
1098 struct inode *inode = d_inode(dentry);
1099 struct inode *realinode = d_inode(realdentry);
1103 len = snprintf(buf, sizeof(buf), format,
1104 (int) (inode->i_nlink - realinode->i_nlink));
1106 if (WARN_ON(len >= sizeof(buf)))
1109 return ovl_setxattr(OVL_FS(inode->i_sb), ovl_dentry_upper(dentry),
1110 OVL_XATTR_NLINK, buf, len);
1113 int ovl_set_nlink_upper(struct dentry *dentry)
1115 return ovl_set_nlink_common(dentry, ovl_dentry_upper(dentry), "U%+i");
1118 int ovl_set_nlink_lower(struct dentry *dentry)
1120 return ovl_set_nlink_common(dentry, ovl_dentry_lower(dentry), "L%+i");
1123 unsigned int ovl_get_nlink(struct ovl_fs *ofs, struct dentry *lowerdentry,
1124 struct dentry *upperdentry,
1125 unsigned int fallback)
1132 if (!lowerdentry || !upperdentry || d_inode(lowerdentry)->i_nlink == 1)
1135 err = ovl_getxattr_upper(ofs, upperdentry, OVL_XATTR_NLINK,
1136 &buf, sizeof(buf) - 1);
1141 if ((buf[0] != 'L' && buf[0] != 'U') ||
1142 (buf[1] != '+' && buf[1] != '-'))
1145 err = kstrtoint(buf + 1, 10, &nlink_diff);
1149 nlink = d_inode(buf[0] == 'L' ? lowerdentry : upperdentry)->i_nlink;
1150 nlink += nlink_diff;
1158 pr_warn_ratelimited("failed to get index nlink (%pd2, err=%i)\n",
1163 struct inode *ovl_new_inode(struct super_block *sb, umode_t mode, dev_t rdev)
1165 struct inode *inode;
1167 inode = new_inode(sb);
1169 ovl_fill_inode(inode, mode, rdev);
1174 static int ovl_inode_test(struct inode *inode, void *data)
1176 return inode->i_private == data;
1179 static int ovl_inode_set(struct inode *inode, void *data)
1181 inode->i_private = data;
1185 static bool ovl_verify_inode(struct inode *inode, struct dentry *lowerdentry,
1186 struct dentry *upperdentry, bool strict)
1189 * For directories, @strict verify from lookup path performs consistency
1190 * checks, so NULL lower/upper in dentry must match NULL lower/upper in
1191 * inode. Non @strict verify from NFS handle decode path passes NULL for
1192 * 'unknown' lower/upper.
1194 if (S_ISDIR(inode->i_mode) && strict) {
1195 /* Real lower dir moved to upper layer under us? */
1196 if (!lowerdentry && ovl_inode_lower(inode))
1199 /* Lookup of an uncovered redirect origin? */
1200 if (!upperdentry && ovl_inode_upper(inode))
1205 * Allow non-NULL lower inode in ovl_inode even if lowerdentry is NULL.
1206 * This happens when finding a copied up overlay inode for a renamed
1207 * or hardlinked overlay dentry and lower dentry cannot be followed
1208 * by origin because lower fs does not support file handles.
1210 if (lowerdentry && ovl_inode_lower(inode) != d_inode(lowerdentry))
1214 * Allow non-NULL __upperdentry in inode even if upperdentry is NULL.
1215 * This happens when finding a lower alias for a copied up hard link.
1217 if (upperdentry && ovl_inode_upper(inode) != d_inode(upperdentry))
1223 struct inode *ovl_lookup_inode(struct super_block *sb, struct dentry *real,
1226 struct inode *inode, *key = d_inode(real);
1228 inode = ilookup5(sb, (unsigned long) key, ovl_inode_test, key);
1232 if (!ovl_verify_inode(inode, is_upper ? NULL : real,
1233 is_upper ? real : NULL, false)) {
1235 return ERR_PTR(-ESTALE);
1241 bool ovl_lookup_trap_inode(struct super_block *sb, struct dentry *dir)
1243 struct inode *key = d_inode(dir);
1247 trap = ilookup5(sb, (unsigned long) key, ovl_inode_test, key);
1251 res = IS_DEADDIR(trap) && !ovl_inode_upper(trap) &&
1252 !ovl_inode_lower(trap);
1259 * Create an inode cache entry for layer root dir, that will intentionally
1260 * fail ovl_verify_inode(), so any lookup that will find some layer root
1263 struct inode *ovl_get_trap_inode(struct super_block *sb, struct dentry *dir)
1265 struct inode *key = d_inode(dir);
1269 return ERR_PTR(-ENOTDIR);
1271 trap = iget5_locked(sb, (unsigned long) key, ovl_inode_test,
1272 ovl_inode_set, key);
1274 return ERR_PTR(-ENOMEM);
1276 if (!(trap->i_state & I_NEW)) {
1277 /* Conflicting layer roots? */
1279 return ERR_PTR(-ELOOP);
1282 trap->i_mode = S_IFDIR;
1283 trap->i_flags = S_DEAD;
1284 unlock_new_inode(trap);
1290 * Does overlay inode need to be hashed by lower inode?
1292 static bool ovl_hash_bylower(struct super_block *sb, struct dentry *upper,
1293 struct dentry *lower, bool index)
1295 struct ovl_fs *ofs = OVL_FS(sb);
1297 /* No, if pure upper */
1301 /* Yes, if already indexed */
1305 /* Yes, if won't be copied up */
1306 if (!ovl_upper_mnt(ofs))
1309 /* No, if lower hardlink is or will be broken on copy up */
1310 if ((upper || !ovl_indexdir(sb)) &&
1311 !d_is_dir(lower) && d_inode(lower)->i_nlink > 1)
1314 /* No, if non-indexed upper with NFS export */
1315 if (ofs->config.nfs_export && upper)
1318 /* Otherwise, hash by lower inode for fsnotify */
1322 static struct inode *ovl_iget5(struct super_block *sb, struct inode *newinode,
1325 return newinode ? inode_insert5(newinode, (unsigned long) key,
1326 ovl_inode_test, ovl_inode_set, key) :
1327 iget5_locked(sb, (unsigned long) key,
1328 ovl_inode_test, ovl_inode_set, key);
1331 struct inode *ovl_get_inode(struct super_block *sb,
1332 struct ovl_inode_params *oip)
1334 struct ovl_fs *ofs = OVL_FS(sb);
1335 struct dentry *upperdentry = oip->upperdentry;
1336 struct ovl_path *lowerpath = ovl_lowerpath(oip->oe);
1337 struct inode *realinode = upperdentry ? d_inode(upperdentry) : NULL;
1338 struct inode *inode;
1339 struct dentry *lowerdentry = lowerpath ? lowerpath->dentry : NULL;
1340 struct path realpath = {
1341 .dentry = upperdentry ?: lowerdentry,
1342 .mnt = upperdentry ? ovl_upper_mnt(ofs) : lowerpath->layer->mnt,
1344 bool bylower = ovl_hash_bylower(sb, upperdentry, lowerdentry,
1346 int fsid = bylower ? lowerpath->layer->fsid : 0;
1348 unsigned long ino = 0;
1349 int err = oip->newinode ? -EEXIST : -ENOMEM;
1352 realinode = d_inode(lowerdentry);
1355 * Copy up origin (lower) may exist for non-indexed upper, but we must
1356 * not use lower as hash key if this is a broken hardlink.
1358 is_dir = S_ISDIR(realinode->i_mode);
1359 if (upperdentry || bylower) {
1360 struct inode *key = d_inode(bylower ? lowerdentry :
1362 unsigned int nlink = is_dir ? 1 : realinode->i_nlink;
1364 inode = ovl_iget5(sb, oip->newinode, key);
1367 if (!(inode->i_state & I_NEW)) {
1369 * Verify that the underlying files stored in the inode
1370 * match those in the dentry.
1372 if (!ovl_verify_inode(inode, lowerdentry, upperdentry,
1380 ovl_free_entry(oip->oe);
1381 kfree(oip->redirect);
1382 kfree(oip->lowerdata_redirect);
1386 /* Recalculate nlink for non-dir due to indexing */
1388 nlink = ovl_get_nlink(ofs, lowerdentry, upperdentry,
1390 set_nlink(inode, nlink);
1393 /* Lower hardlink that will be broken on copy up */
1394 inode = new_inode(sb);
1399 ino = realinode->i_ino;
1400 fsid = lowerpath->layer->fsid;
1402 ovl_fill_inode(inode, realinode->i_mode, realinode->i_rdev);
1403 ovl_inode_init(inode, oip, ino, fsid);
1405 if (upperdentry && ovl_is_impuredir(sb, upperdentry))
1406 ovl_set_flag(OVL_IMPURE, inode);
1409 ovl_set_flag(OVL_INDEX, inode);
1412 ovl_set_flag(OVL_CONST_INO, inode);
1414 /* Check for non-merge dir that may have whiteouts */
1416 if (((upperdentry && lowerdentry) || ovl_numlower(oip->oe) > 1) ||
1417 ovl_path_check_origin_xattr(ofs, &realpath)) {
1418 ovl_set_flag(OVL_WHITEOUTS, inode);
1422 /* Check for immutable/append-only inode flags in xattr */
1424 ovl_check_protattr(inode, upperdentry);
1426 if (inode->i_state & I_NEW)
1427 unlock_new_inode(inode);
1432 pr_warn_ratelimited("failed to get inode (%i)\n", err);
1433 inode = ERR_PTR(err);
projects / linux-2.6-microblaze.git / blob