1 // SPDX-License-Identifier: GPL-2.0-only
4 * Copyright (C) 2011 Novell Inc.
8 #include <linux/slab.h>
9 #include <linux/cred.h>
10 #include <linux/xattr.h>
11 #include <linux/posix_acl.h>
12 #include <linux/ratelimit.h>
13 #include <linux/fiemap.h>
14 #include <linux/fileattr.h>
15 #include <linux/security.h>
16 #include <linux/namei.h>
17 #include <linux/posix_acl.h>
18 #include <linux/posix_acl_xattr.h>
19 #include "overlayfs.h"
22 int ovl_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
26 struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
27 bool full_copy_up = false;
28 struct dentry *upperdentry;
29 const struct cred *old_cred;
31 err = setattr_prepare(&nop_mnt_idmap, dentry, attr);
35 err = ovl_want_write(dentry);
39 if (attr->ia_valid & ATTR_SIZE) {
40 /* Truncate should trigger data copy up as well */
45 err = ovl_copy_up(dentry);
47 err = ovl_copy_up_with_data(dentry);
49 struct inode *winode = NULL;
51 upperdentry = ovl_dentry_upper(dentry);
53 if (attr->ia_valid & ATTR_SIZE) {
54 winode = d_inode(upperdentry);
55 err = get_write_access(winode);
60 if (attr->ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID))
61 attr->ia_valid &= ~ATTR_MODE;
64 * We might have to translate ovl file into real file object
65 * once use cases emerge. For now, simply don't let underlying
66 * filesystem rely on attr->ia_file
68 attr->ia_valid &= ~ATTR_FILE;
71 * If open(O_TRUNC) is done, VFS calls ->setattr with ATTR_OPEN
72 * set. Overlayfs does not pass O_TRUNC flag to underlying
73 * filesystem during open -> do not pass ATTR_OPEN. This
74 * disables optimization in fuse which assumes open(O_TRUNC)
75 * already set file size to 0. But we never passed O_TRUNC to
76 * fuse. So by clearing ATTR_OPEN, fuse will be forced to send
77 * setattr request to server.
79 attr->ia_valid &= ~ATTR_OPEN;
81 inode_lock(upperdentry->d_inode);
82 old_cred = ovl_override_creds(dentry->d_sb);
83 err = ovl_do_notify_change(ofs, upperdentry, attr);
84 revert_creds(old_cred);
86 ovl_copyattr(dentry->d_inode);
87 inode_unlock(upperdentry->d_inode);
90 put_write_access(winode);
93 ovl_drop_write(dentry);
98 static void ovl_map_dev_ino(struct dentry *dentry, struct kstat *stat, int fsid)
100 struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
101 bool samefs = ovl_same_fs(ofs);
102 unsigned int xinobits = ovl_xino_bits(ofs);
103 unsigned int xinoshift = 64 - xinobits;
107 * When all layers are on the same fs, all real inode
108 * number are unique, so we use the overlay st_dev,
109 * which is friendly to du -x.
111 stat->dev = dentry->d_sb->s_dev;
113 } else if (xinobits) {
115 * All inode numbers of underlying fs should not be using the
116 * high xinobits, so we use high xinobits to partition the
117 * overlay st_ino address space. The high bits holds the fsid
118 * (upper fsid is 0). The lowest xinobit is reserved for mapping
119 * the non-persistent inode numbers range in case of overflow.
120 * This way all overlay inode numbers are unique and use the
123 if (likely(!(stat->ino >> xinoshift))) {
124 stat->ino |= ((u64)fsid) << (xinoshift + 1);
125 stat->dev = dentry->d_sb->s_dev;
127 } else if (ovl_xino_warn(ofs)) {
128 pr_warn_ratelimited("inode number too big (%pd2, ino=%llu, xinobits=%d)\n",
129 dentry, stat->ino, xinobits);
133 /* The inode could not be mapped to a unified st_ino address space */
134 if (S_ISDIR(dentry->d_inode->i_mode)) {
136 * Always use the overlay st_dev for directories, so 'find
137 * -xdev' will scan the entire overlay mount and won't cross the
138 * overlay mount boundaries.
140 * If not all layers are on the same fs the pair {real st_ino;
141 * overlay st_dev} is not unique, so use the non persistent
142 * overlay st_ino for directories.
144 stat->dev = dentry->d_sb->s_dev;
145 stat->ino = dentry->d_inode->i_ino;
148 * For non-samefs setup, if we cannot map all layers st_ino
149 * to a unified address space, we need to make sure that st_dev
150 * is unique per underlying fs, so we use the unique anonymous
151 * bdev assigned to the underlying fs.
153 stat->dev = ofs->fs[fsid].pseudo_dev;
157 int ovl_getattr(struct mnt_idmap *idmap, const struct path *path,
158 struct kstat *stat, u32 request_mask, unsigned int flags)
160 struct dentry *dentry = path->dentry;
161 enum ovl_path_type type;
162 struct path realpath;
163 const struct cred *old_cred;
164 struct inode *inode = d_inode(dentry);
165 bool is_dir = S_ISDIR(inode->i_mode);
168 bool metacopy_blocks = false;
170 metacopy_blocks = ovl_is_metacopy_dentry(dentry);
172 type = ovl_path_real(dentry, &realpath);
173 old_cred = ovl_override_creds(dentry->d_sb);
174 err = vfs_getattr(&realpath, stat, request_mask, flags);
178 /* Report the effective immutable/append-only STATX flags */
179 generic_fill_statx_attr(inode, stat);
182 * For non-dir or same fs, we use st_ino of the copy up origin.
183 * This guaranties constant st_dev/st_ino across copy up.
184 * With xino feature and non-samefs, we use st_ino of the copy up
185 * origin masked with high bits that represent the layer id.
187 * If lower filesystem supports NFS file handles, this also guaranties
188 * persistent st_ino across mount cycle.
190 if (!is_dir || ovl_same_dev(OVL_FS(dentry->d_sb))) {
191 if (!OVL_TYPE_UPPER(type)) {
192 fsid = ovl_layer_lower(dentry)->fsid;
193 } else if (OVL_TYPE_ORIGIN(type)) {
194 struct kstat lowerstat;
195 u32 lowermask = STATX_INO | STATX_BLOCKS |
196 (!is_dir ? STATX_NLINK : 0);
198 ovl_path_lower(dentry, &realpath);
199 err = vfs_getattr(&realpath, &lowerstat,
205 * Lower hardlinks may be broken on copy up to different
206 * upper files, so we cannot use the lower origin st_ino
207 * for those different files, even for the same fs case.
209 * Similarly, several redirected dirs can point to the
210 * same dir on a lower layer. With the "verify_lower"
211 * feature, we do not use the lower origin st_ino, if
212 * we haven't verified that this redirect is unique.
214 * With inodes index enabled, it is safe to use st_ino
215 * of an indexed origin. The index validates that the
216 * upper hardlink is not broken and that a redirected
217 * dir is the only redirect to that origin.
219 if (ovl_test_flag(OVL_INDEX, d_inode(dentry)) ||
220 (!ovl_verify_lower(dentry->d_sb) &&
221 (is_dir || lowerstat.nlink == 1))) {
222 fsid = ovl_layer_lower(dentry)->fsid;
223 stat->ino = lowerstat.ino;
227 * If we are querying a metacopy dentry and lower
228 * dentry is data dentry, then use the blocks we
229 * queried just now. We don't have to do additional
230 * vfs_getattr(). If lower itself is metacopy, then
231 * additional vfs_getattr() is unavoidable.
233 if (metacopy_blocks &&
234 realpath.dentry == ovl_dentry_lowerdata(dentry)) {
235 stat->blocks = lowerstat.blocks;
236 metacopy_blocks = false;
240 if (metacopy_blocks) {
242 * If lower is not same as lowerdata or if there was
243 * no origin on upper, we can end up here.
244 * With lazy lowerdata lookup, guess lowerdata blocks
245 * from size to avoid lowerdata lookup on stat(2).
247 struct kstat lowerdatastat;
248 u32 lowermask = STATX_BLOCKS;
250 ovl_path_lowerdata(dentry, &realpath);
251 if (realpath.dentry) {
252 err = vfs_getattr(&realpath, &lowerdatastat,
257 lowerdatastat.blocks =
258 round_up(stat->size, stat->blksize) >> 9;
260 stat->blocks = lowerdatastat.blocks;
264 ovl_map_dev_ino(dentry, stat, fsid);
267 * It's probably not worth it to count subdirs to get the
268 * correct link count. nlink=1 seems to pacify 'find' and
271 if (is_dir && OVL_TYPE_MERGE(type))
275 * Return the overlay inode nlinks for indexed upper inodes.
276 * Overlay inode nlink counts the union of the upper hardlinks
277 * and non-covered lower hardlinks. It does not include the upper
280 if (!is_dir && ovl_test_flag(OVL_INDEX, d_inode(dentry)))
281 stat->nlink = dentry->d_inode->i_nlink;
284 revert_creds(old_cred);
289 int ovl_permission(struct mnt_idmap *idmap,
290 struct inode *inode, int mask)
292 struct inode *upperinode = ovl_inode_upper(inode);
293 struct inode *realinode;
294 struct path realpath;
295 const struct cred *old_cred;
298 /* Careful in RCU walk mode */
299 realinode = ovl_i_path_real(inode, &realpath);
301 WARN_ON(!(mask & MAY_NOT_BLOCK));
306 * Check overlay inode with the creds of task and underlying inode
307 * with creds of mounter
309 err = generic_permission(&nop_mnt_idmap, inode, mask);
313 old_cred = ovl_override_creds(inode->i_sb);
315 !special_file(realinode->i_mode) && mask & MAY_WRITE) {
316 mask &= ~(MAY_WRITE | MAY_APPEND);
317 /* Make sure mounter can read file for copy up later */
320 err = inode_permission(mnt_idmap(realpath.mnt), realinode, mask);
321 revert_creds(old_cred);
326 static const char *ovl_get_link(struct dentry *dentry,
328 struct delayed_call *done)
330 const struct cred *old_cred;
334 return ERR_PTR(-ECHILD);
336 old_cred = ovl_override_creds(dentry->d_sb);
337 p = vfs_get_link(ovl_dentry_real(dentry), done);
338 revert_creds(old_cred);
342 bool ovl_is_private_xattr(struct super_block *sb, const char *name)
344 struct ovl_fs *ofs = OVL_FS(sb);
346 if (ofs->config.userxattr)
347 return strncmp(name, OVL_XATTR_USER_PREFIX,
348 sizeof(OVL_XATTR_USER_PREFIX) - 1) == 0;
350 return strncmp(name, OVL_XATTR_TRUSTED_PREFIX,
351 sizeof(OVL_XATTR_TRUSTED_PREFIX) - 1) == 0;
354 int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name,
355 const void *value, size_t size, int flags)
358 struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
359 struct dentry *upperdentry = ovl_i_dentry_upper(inode);
360 struct dentry *realdentry = upperdentry ?: ovl_dentry_lower(dentry);
361 struct path realpath;
362 const struct cred *old_cred;
364 err = ovl_want_write(dentry);
368 if (!value && !upperdentry) {
369 ovl_path_lower(dentry, &realpath);
370 old_cred = ovl_override_creds(dentry->d_sb);
371 err = vfs_getxattr(mnt_idmap(realpath.mnt), realdentry, name, NULL, 0);
372 revert_creds(old_cred);
378 err = ovl_copy_up(dentry);
382 realdentry = ovl_dentry_upper(dentry);
385 old_cred = ovl_override_creds(dentry->d_sb);
387 err = ovl_do_setxattr(ofs, realdentry, name, value, size,
390 WARN_ON(flags != XATTR_REPLACE);
391 err = ovl_do_removexattr(ofs, realdentry, name);
393 revert_creds(old_cred);
399 ovl_drop_write(dentry);
404 int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char *name,
405 void *value, size_t size)
408 const struct cred *old_cred;
409 struct path realpath;
411 ovl_i_path_real(inode, &realpath);
412 old_cred = ovl_override_creds(dentry->d_sb);
413 res = vfs_getxattr(mnt_idmap(realpath.mnt), realpath.dentry, name, value, size);
414 revert_creds(old_cred);
418 static bool ovl_can_list(struct super_block *sb, const char *s)
420 /* Never list private (.overlay) */
421 if (ovl_is_private_xattr(sb, s))
424 /* List all non-trusted xattrs */
425 if (strncmp(s, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) != 0)
428 /* list other trusted for superuser only */
429 return ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN);
432 ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
434 struct dentry *realdentry = ovl_dentry_real(dentry);
438 const struct cred *old_cred;
440 old_cred = ovl_override_creds(dentry->d_sb);
441 res = vfs_listxattr(realdentry, list, size);
442 revert_creds(old_cred);
443 if (res <= 0 || size == 0)
446 /* filter out private xattrs */
447 for (s = list, len = res; len;) {
448 size_t slen = strnlen(s, len) + 1;
450 /* underlying fs providing us with an broken xattr list? */
451 if (WARN_ON(slen > len))
455 if (!ovl_can_list(dentry->d_sb, s)) {
457 memmove(s, s + slen, len);
466 #ifdef CONFIG_FS_POSIX_ACL
468 * Apply the idmapping of the layer to POSIX ACLs. The caller must pass a clone
469 * of the POSIX ACLs retrieved from the lower layer to this function to not
470 * alter the POSIX ACLs for the underlying filesystem.
472 static void ovl_idmap_posix_acl(const struct inode *realinode,
473 struct mnt_idmap *idmap,
474 struct posix_acl *acl)
476 struct user_namespace *fs_userns = i_user_ns(realinode);
478 for (unsigned int i = 0; i < acl->a_count; i++) {
482 struct posix_acl_entry *e = &acl->a_entries[i];
485 vfsuid = make_vfsuid(idmap, fs_userns, e->e_uid);
486 e->e_uid = vfsuid_into_kuid(vfsuid);
489 vfsgid = make_vfsgid(idmap, fs_userns, e->e_gid);
490 e->e_gid = vfsgid_into_kgid(vfsgid);
497 * The @noperm argument is used to skip permission checking and is a temporary
498 * measure. Quoting Miklos from an earlier discussion:
500 * > So there are two paths to getting an acl:
501 * > 1) permission checking and 2) retrieving the value via getxattr(2).
502 * > This is a similar situation as reading a symlink vs. following it.
503 * > When following a symlink overlayfs always reads the link on the
504 * > underlying fs just as if it was a readlink(2) call, calling
505 * > security_inode_readlink() instead of security_inode_follow_link().
506 * > This is logical: we are reading the link from the underlying storage,
507 * > and following it on overlayfs.
509 * > Applying the same logic to acl: we do need to call the
510 * > security_inode_getxattr() on the underlying fs, even if just want to
511 * > check permissions on overlay. This is currently not done, which is an
514 * > Maybe adding the check to ovl_get_acl() is the right way to go, but
515 * > I'm a little afraid of a performance regression. Will look into that.
517 * Until we have made a decision allow this helper to take the @noperm
518 * argument. We should hopefully be able to remove it soon.
520 struct posix_acl *ovl_get_acl_path(const struct path *path,
521 const char *acl_name, bool noperm)
523 struct posix_acl *real_acl, *clone;
524 struct mnt_idmap *idmap;
525 struct inode *realinode = d_inode(path->dentry);
527 idmap = mnt_idmap(path->mnt);
530 real_acl = get_inode_acl(realinode, posix_acl_type(acl_name));
532 real_acl = vfs_get_acl(idmap, path->dentry, acl_name);
533 if (IS_ERR_OR_NULL(real_acl))
536 if (!is_idmapped_mnt(path->mnt))
540 * We cannot alter the ACLs returned from the relevant layer as that
541 * would alter the cached values filesystem wide for the lower
542 * filesystem. Instead we can clone the ACLs and then apply the
543 * relevant idmapping of the layer.
545 clone = posix_acl_clone(real_acl, GFP_KERNEL);
546 posix_acl_release(real_acl); /* release original acl */
548 return ERR_PTR(-ENOMEM);
550 ovl_idmap_posix_acl(realinode, idmap, clone);
555 * When the relevant layer is an idmapped mount we need to take the idmapping
556 * of the layer into account and translate any ACL_{GROUP,USER} values
557 * according to the idmapped mount.
559 * We cannot alter the ACLs returned from the relevant layer as that would
560 * alter the cached values filesystem wide for the lower filesystem. Instead we
561 * can clone the ACLs and then apply the relevant idmapping of the layer.
563 * This is obviously only relevant when idmapped layers are used.
565 struct posix_acl *do_ovl_get_acl(struct mnt_idmap *idmap,
566 struct inode *inode, int type,
567 bool rcu, bool noperm)
569 struct inode *realinode;
570 struct posix_acl *acl;
571 struct path realpath;
573 /* Careful in RCU walk mode */
574 realinode = ovl_i_path_real(inode, &realpath);
577 return ERR_PTR(-ECHILD);
580 if (!IS_POSIXACL(realinode))
585 * If the layer is idmapped drop out of RCU path walk
586 * so we can clone the ACLs.
588 if (is_idmapped_mnt(realpath.mnt))
589 return ERR_PTR(-ECHILD);
591 acl = get_cached_acl_rcu(realinode, type);
593 const struct cred *old_cred;
595 old_cred = ovl_override_creds(inode->i_sb);
596 acl = ovl_get_acl_path(&realpath, posix_acl_xattr_name(type), noperm);
597 revert_creds(old_cred);
603 static int ovl_set_or_remove_acl(struct dentry *dentry, struct inode *inode,
604 struct posix_acl *acl, int type)
607 struct path realpath;
608 const char *acl_name;
609 const struct cred *old_cred;
610 struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
611 struct dentry *upperdentry = ovl_dentry_upper(dentry);
612 struct dentry *realdentry = upperdentry ?: ovl_dentry_lower(dentry);
614 err = ovl_want_write(dentry);
619 * If ACL is to be removed from a lower file, check if it exists in
620 * the first place before copying it up.
622 acl_name = posix_acl_xattr_name(type);
623 if (!acl && !upperdentry) {
624 struct posix_acl *real_acl;
626 ovl_path_lower(dentry, &realpath);
627 old_cred = ovl_override_creds(dentry->d_sb);
628 real_acl = vfs_get_acl(mnt_idmap(realpath.mnt), realdentry,
630 revert_creds(old_cred);
631 if (IS_ERR(real_acl)) {
632 err = PTR_ERR(real_acl);
635 posix_acl_release(real_acl);
639 err = ovl_copy_up(dentry);
643 realdentry = ovl_dentry_upper(dentry);
646 old_cred = ovl_override_creds(dentry->d_sb);
648 err = ovl_do_set_acl(ofs, realdentry, acl_name, acl);
650 err = ovl_do_remove_acl(ofs, realdentry, acl_name);
651 revert_creds(old_cred);
657 ovl_drop_write(dentry);
661 int ovl_set_acl(struct mnt_idmap *idmap, struct dentry *dentry,
662 struct posix_acl *acl, int type)
665 struct inode *inode = d_inode(dentry);
666 struct dentry *workdir = ovl_workdir(dentry);
667 struct inode *realinode = ovl_inode_real(inode);
669 if (!IS_POSIXACL(d_inode(workdir)))
671 if (!realinode->i_op->set_acl)
673 if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
674 return acl ? -EACCES : 0;
675 if (!inode_owner_or_capable(&nop_mnt_idmap, inode))
679 * Check if sgid bit needs to be cleared (actual setacl operation will
680 * be done with mounter's capabilities and so that won't do it for us).
682 if (unlikely(inode->i_mode & S_ISGID) && type == ACL_TYPE_ACCESS &&
683 !in_group_p(inode->i_gid) &&
684 !capable_wrt_inode_uidgid(&nop_mnt_idmap, inode, CAP_FSETID)) {
685 struct iattr iattr = { .ia_valid = ATTR_KILL_SGID };
687 err = ovl_setattr(&nop_mnt_idmap, dentry, &iattr);
692 return ovl_set_or_remove_acl(dentry, inode, acl, type);
696 int ovl_update_time(struct inode *inode, int flags)
698 if (flags & S_ATIME) {
699 struct ovl_fs *ofs = OVL_FS(inode->i_sb);
700 struct path upperpath = {
701 .mnt = ovl_upper_mnt(ofs),
702 .dentry = ovl_upperdentry_dereference(OVL_I(inode)),
705 if (upperpath.dentry) {
706 touch_atime(&upperpath);
707 inode->i_atime = d_inode(upperpath.dentry)->i_atime;
713 static int ovl_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
717 struct inode *realinode = ovl_inode_realdata(inode);
718 const struct cred *old_cred;
723 if (!realinode->i_op->fiemap)
726 old_cred = ovl_override_creds(inode->i_sb);
727 err = realinode->i_op->fiemap(realinode, fieinfo, start, len);
728 revert_creds(old_cred);
734 * Work around the fact that security_file_ioctl() takes a file argument.
735 * Introducing security_inode_fileattr_get/set() hooks would solve this issue
738 static int ovl_security_fileattr(const struct path *realpath, struct fileattr *fa,
745 file = dentry_open(realpath, O_RDONLY, current_cred());
747 return PTR_ERR(file);
750 cmd = fa->fsx_valid ? FS_IOC_FSSETXATTR : FS_IOC_SETFLAGS;
752 cmd = fa->fsx_valid ? FS_IOC_FSGETXATTR : FS_IOC_GETFLAGS;
754 err = security_file_ioctl(file, cmd, 0);
760 int ovl_real_fileattr_set(const struct path *realpath, struct fileattr *fa)
764 err = ovl_security_fileattr(realpath, fa, true);
768 return vfs_fileattr_set(mnt_idmap(realpath->mnt), realpath->dentry, fa);
771 int ovl_fileattr_set(struct mnt_idmap *idmap,
772 struct dentry *dentry, struct fileattr *fa)
774 struct inode *inode = d_inode(dentry);
775 struct path upperpath;
776 const struct cred *old_cred;
780 err = ovl_want_write(dentry);
784 err = ovl_copy_up(dentry);
786 ovl_path_real(dentry, &upperpath);
788 old_cred = ovl_override_creds(inode->i_sb);
790 * Store immutable/append-only flags in xattr and clear them
791 * in upper fileattr (in case they were set by older kernel)
792 * so children of "ovl-immutable" directories lower aliases of
793 * "ovl-immutable" hardlinks could be copied up.
794 * Clear xattr when flags are cleared.
796 err = ovl_set_protattr(inode, upperpath.dentry, fa);
798 err = ovl_real_fileattr_set(&upperpath, fa);
799 revert_creds(old_cred);
802 * Merge real inode flags with inode flags read from
803 * overlay.protattr xattr
805 flags = ovl_inode_real(inode)->i_flags & OVL_COPY_I_FLAGS_MASK;
807 BUILD_BUG_ON(OVL_PROT_I_FLAGS_MASK & ~OVL_COPY_I_FLAGS_MASK);
808 flags |= inode->i_flags & OVL_PROT_I_FLAGS_MASK;
809 inode_set_flags(inode, flags, OVL_COPY_I_FLAGS_MASK);
814 ovl_drop_write(dentry);
819 /* Convert inode protection flags to fileattr flags */
820 static void ovl_fileattr_prot_flags(struct inode *inode, struct fileattr *fa)
822 BUILD_BUG_ON(OVL_PROT_FS_FLAGS_MASK & ~FS_COMMON_FL);
823 BUILD_BUG_ON(OVL_PROT_FSX_FLAGS_MASK & ~FS_XFLAG_COMMON);
825 if (inode->i_flags & S_APPEND) {
826 fa->flags |= FS_APPEND_FL;
827 fa->fsx_xflags |= FS_XFLAG_APPEND;
829 if (inode->i_flags & S_IMMUTABLE) {
830 fa->flags |= FS_IMMUTABLE_FL;
831 fa->fsx_xflags |= FS_XFLAG_IMMUTABLE;
835 int ovl_real_fileattr_get(const struct path *realpath, struct fileattr *fa)
839 err = ovl_security_fileattr(realpath, fa, false);
843 err = vfs_fileattr_get(realpath->dentry, fa);
844 if (err == -ENOIOCTLCMD)
849 int ovl_fileattr_get(struct dentry *dentry, struct fileattr *fa)
851 struct inode *inode = d_inode(dentry);
852 struct path realpath;
853 const struct cred *old_cred;
856 ovl_path_real(dentry, &realpath);
858 old_cred = ovl_override_creds(inode->i_sb);
859 err = ovl_real_fileattr_get(&realpath, fa);
860 ovl_fileattr_prot_flags(inode, fa);
861 revert_creds(old_cred);
866 static const struct inode_operations ovl_file_inode_operations = {
867 .setattr = ovl_setattr,
868 .permission = ovl_permission,
869 .getattr = ovl_getattr,
870 .listxattr = ovl_listxattr,
871 .get_inode_acl = ovl_get_inode_acl,
872 .get_acl = ovl_get_acl,
873 .set_acl = ovl_set_acl,
874 .update_time = ovl_update_time,
875 .fiemap = ovl_fiemap,
876 .fileattr_get = ovl_fileattr_get,
877 .fileattr_set = ovl_fileattr_set,
880 static const struct inode_operations ovl_symlink_inode_operations = {
881 .setattr = ovl_setattr,
882 .get_link = ovl_get_link,
883 .getattr = ovl_getattr,
884 .listxattr = ovl_listxattr,
885 .update_time = ovl_update_time,
888 static const struct inode_operations ovl_special_inode_operations = {
889 .setattr = ovl_setattr,
890 .permission = ovl_permission,
891 .getattr = ovl_getattr,
892 .listxattr = ovl_listxattr,
893 .get_inode_acl = ovl_get_inode_acl,
894 .get_acl = ovl_get_acl,
895 .set_acl = ovl_set_acl,
896 .update_time = ovl_update_time,
899 static const struct address_space_operations ovl_aops = {
900 /* For O_DIRECT dentry_open() checks f_mapping->a_ops->direct_IO */
901 .direct_IO = noop_direct_IO,
905 * It is possible to stack overlayfs instance on top of another
906 * overlayfs instance as lower layer. We need to annotate the
907 * stackable i_mutex locks according to stack level of the super
908 * block instance. An overlayfs instance can never be in stack
909 * depth 0 (there is always a real fs below it). An overlayfs
910 * inode lock will use the lockdep annotation ovl_i_mutex_key[depth].
912 * For example, here is a snip from /proc/lockdep_chains after
913 * dir_iterate of nested overlayfs:
915 * [...] &ovl_i_mutex_dir_key[depth] (stack_depth=2)
916 * [...] &ovl_i_mutex_dir_key[depth]#2 (stack_depth=1)
917 * [...] &type->i_mutex_dir_key (stack_depth=0)
919 * Locking order w.r.t ovl_want_write() is important for nested overlayfs.
921 * This chain is valid:
922 * - inode->i_rwsem (inode_lock[2])
923 * - upper_mnt->mnt_sb->s_writers (ovl_want_write[0])
924 * - OVL_I(inode)->lock (ovl_inode_lock[2])
925 * - OVL_I(lowerinode)->lock (ovl_inode_lock[1])
927 * And this chain is valid:
928 * - inode->i_rwsem (inode_lock[2])
929 * - OVL_I(inode)->lock (ovl_inode_lock[2])
930 * - lowerinode->i_rwsem (inode_lock[1])
931 * - OVL_I(lowerinode)->lock (ovl_inode_lock[1])
933 * But lowerinode->i_rwsem SHOULD NOT be acquired while ovl_want_write() is
934 * held, because it is in reverse order of the non-nested case using the same
936 * - inode->i_rwsem (inode_lock[1])
937 * - upper_mnt->mnt_sb->s_writers (ovl_want_write[0])
938 * - OVL_I(inode)->lock (ovl_inode_lock[1])
940 #define OVL_MAX_NESTING FILESYSTEM_MAX_STACK_DEPTH
942 static inline void ovl_lockdep_annotate_inode_mutex_key(struct inode *inode)
944 #ifdef CONFIG_LOCKDEP
945 static struct lock_class_key ovl_i_mutex_key[OVL_MAX_NESTING];
946 static struct lock_class_key ovl_i_mutex_dir_key[OVL_MAX_NESTING];
947 static struct lock_class_key ovl_i_lock_key[OVL_MAX_NESTING];
949 int depth = inode->i_sb->s_stack_depth - 1;
951 if (WARN_ON_ONCE(depth < 0 || depth >= OVL_MAX_NESTING))
954 if (S_ISDIR(inode->i_mode))
955 lockdep_set_class(&inode->i_rwsem, &ovl_i_mutex_dir_key[depth]);
957 lockdep_set_class(&inode->i_rwsem, &ovl_i_mutex_key[depth]);
959 lockdep_set_class(&OVL_I(inode)->lock, &ovl_i_lock_key[depth]);
963 static void ovl_next_ino(struct inode *inode)
965 struct ovl_fs *ofs = OVL_FS(inode->i_sb);
967 inode->i_ino = atomic_long_inc_return(&ofs->last_ino);
968 if (unlikely(!inode->i_ino))
969 inode->i_ino = atomic_long_inc_return(&ofs->last_ino);
972 static void ovl_map_ino(struct inode *inode, unsigned long ino, int fsid)
974 struct ovl_fs *ofs = OVL_FS(inode->i_sb);
975 int xinobits = ovl_xino_bits(ofs);
976 unsigned int xinoshift = 64 - xinobits;
979 * When d_ino is consistent with st_ino (samefs or i_ino has enough
980 * bits to encode layer), set the same value used for st_ino to i_ino,
981 * so inode number exposed via /proc/locks and a like will be
982 * consistent with d_ino and st_ino values. An i_ino value inconsistent
983 * with d_ino also causes nfsd readdirplus to fail.
986 if (ovl_same_fs(ofs)) {
988 } else if (xinobits && likely(!(ino >> xinoshift))) {
989 inode->i_ino |= (unsigned long)fsid << (xinoshift + 1);
994 * For directory inodes on non-samefs with xino disabled or xino
995 * overflow, we allocate a non-persistent inode number, to be used for
996 * resolving st_ino collisions in ovl_map_dev_ino().
998 * To avoid ino collision with legitimate xino values from upper
999 * layer (fsid 0), use the lowest xinobit to map the non
1000 * persistent inode numbers to the unified st_ino address space.
1002 if (S_ISDIR(inode->i_mode)) {
1003 ovl_next_ino(inode);
1005 inode->i_ino &= ~0UL >> xinobits;
1006 inode->i_ino |= 1UL << xinoshift;
1011 void ovl_inode_init(struct inode *inode, struct ovl_inode_params *oip,
1012 unsigned long ino, int fsid)
1014 struct inode *realinode;
1015 struct ovl_inode *oi = OVL_I(inode);
1017 oi->__upperdentry = oip->upperdentry;
1019 oi->redirect = oip->redirect;
1020 oi->lowerdata_redirect = oip->lowerdata_redirect;
1022 realinode = ovl_inode_real(inode);
1023 ovl_copyattr(inode);
1024 ovl_copyflags(realinode, inode);
1025 ovl_map_ino(inode, ino, fsid);
1028 static void ovl_fill_inode(struct inode *inode, umode_t mode, dev_t rdev)
1030 inode->i_mode = mode;
1031 inode->i_flags |= S_NOCMTIME;
1032 #ifdef CONFIG_FS_POSIX_ACL
1033 inode->i_acl = inode->i_default_acl = ACL_DONT_CACHE;
1036 ovl_lockdep_annotate_inode_mutex_key(inode);
1038 switch (mode & S_IFMT) {
1040 inode->i_op = &ovl_file_inode_operations;
1041 inode->i_fop = &ovl_file_operations;
1042 inode->i_mapping->a_ops = &ovl_aops;
1046 inode->i_op = &ovl_dir_inode_operations;
1047 inode->i_fop = &ovl_dir_operations;
1051 inode->i_op = &ovl_symlink_inode_operations;
1055 inode->i_op = &ovl_special_inode_operations;
1056 init_special_inode(inode, mode, rdev);
1062 * With inodes index enabled, an overlay inode nlink counts the union of upper
1063 * hardlinks and non-covered lower hardlinks. During the lifetime of a non-pure
1064 * upper inode, the following nlink modifying operations can happen:
1066 * 1. Lower hardlink copy up
1067 * 2. Upper hardlink created, unlinked or renamed over
1068 * 3. Lower hardlink whiteout or renamed over
1070 * For the first, copy up case, the union nlink does not change, whether the
1071 * operation succeeds or fails, but the upper inode nlink may change.
1072 * Therefore, before copy up, we store the union nlink value relative to the
1073 * lower inode nlink in the index inode xattr .overlay.nlink.
1075 * For the second, upper hardlink case, the union nlink should be incremented
1076 * or decremented IFF the operation succeeds, aligned with nlink change of the
1077 * upper inode. Therefore, before link/unlink/rename, we store the union nlink
1078 * value relative to the upper inode nlink in the index inode.
1080 * For the last, lower cover up case, we simplify things by preceding the
1081 * whiteout or cover up with copy up. This makes sure that there is an index
1082 * upper inode where the nlink xattr can be stored before the copied up upper
1085 #define OVL_NLINK_ADD_UPPER (1 << 0)
1088 * On-disk format for indexed nlink:
1090 * nlink relative to the upper inode - "U[+-]NUM"
1091 * nlink relative to the lower inode - "L[+-]NUM"
1094 static int ovl_set_nlink_common(struct dentry *dentry,
1095 struct dentry *realdentry, const char *format)
1097 struct inode *inode = d_inode(dentry);
1098 struct inode *realinode = d_inode(realdentry);
1102 len = snprintf(buf, sizeof(buf), format,
1103 (int) (inode->i_nlink - realinode->i_nlink));
1105 if (WARN_ON(len >= sizeof(buf)))
1108 return ovl_setxattr(OVL_FS(inode->i_sb), ovl_dentry_upper(dentry),
1109 OVL_XATTR_NLINK, buf, len);
1112 int ovl_set_nlink_upper(struct dentry *dentry)
1114 return ovl_set_nlink_common(dentry, ovl_dentry_upper(dentry), "U%+i");
1117 int ovl_set_nlink_lower(struct dentry *dentry)
1119 return ovl_set_nlink_common(dentry, ovl_dentry_lower(dentry), "L%+i");
1122 unsigned int ovl_get_nlink(struct ovl_fs *ofs, struct dentry *lowerdentry,
1123 struct dentry *upperdentry,
1124 unsigned int fallback)
1131 if (!lowerdentry || !upperdentry || d_inode(lowerdentry)->i_nlink == 1)
1134 err = ovl_getxattr_upper(ofs, upperdentry, OVL_XATTR_NLINK,
1135 &buf, sizeof(buf) - 1);
1140 if ((buf[0] != 'L' && buf[0] != 'U') ||
1141 (buf[1] != '+' && buf[1] != '-'))
1144 err = kstrtoint(buf + 1, 10, &nlink_diff);
1148 nlink = d_inode(buf[0] == 'L' ? lowerdentry : upperdentry)->i_nlink;
1149 nlink += nlink_diff;
1157 pr_warn_ratelimited("failed to get index nlink (%pd2, err=%i)\n",
1162 struct inode *ovl_new_inode(struct super_block *sb, umode_t mode, dev_t rdev)
1164 struct inode *inode;
1166 inode = new_inode(sb);
1168 ovl_fill_inode(inode, mode, rdev);
1173 static int ovl_inode_test(struct inode *inode, void *data)
1175 return inode->i_private == data;
1178 static int ovl_inode_set(struct inode *inode, void *data)
1180 inode->i_private = data;
1184 static bool ovl_verify_inode(struct inode *inode, struct dentry *lowerdentry,
1185 struct dentry *upperdentry, bool strict)
1188 * For directories, @strict verify from lookup path performs consistency
1189 * checks, so NULL lower/upper in dentry must match NULL lower/upper in
1190 * inode. Non @strict verify from NFS handle decode path passes NULL for
1191 * 'unknown' lower/upper.
1193 if (S_ISDIR(inode->i_mode) && strict) {
1194 /* Real lower dir moved to upper layer under us? */
1195 if (!lowerdentry && ovl_inode_lower(inode))
1198 /* Lookup of an uncovered redirect origin? */
1199 if (!upperdentry && ovl_inode_upper(inode))
1204 * Allow non-NULL lower inode in ovl_inode even if lowerdentry is NULL.
1205 * This happens when finding a copied up overlay inode for a renamed
1206 * or hardlinked overlay dentry and lower dentry cannot be followed
1207 * by origin because lower fs does not support file handles.
1209 if (lowerdentry && ovl_inode_lower(inode) != d_inode(lowerdentry))
1213 * Allow non-NULL __upperdentry in inode even if upperdentry is NULL.
1214 * This happens when finding a lower alias for a copied up hard link.
1216 if (upperdentry && ovl_inode_upper(inode) != d_inode(upperdentry))
1222 struct inode *ovl_lookup_inode(struct super_block *sb, struct dentry *real,
1225 struct inode *inode, *key = d_inode(real);
1227 inode = ilookup5(sb, (unsigned long) key, ovl_inode_test, key);
1231 if (!ovl_verify_inode(inode, is_upper ? NULL : real,
1232 is_upper ? real : NULL, false)) {
1234 return ERR_PTR(-ESTALE);
1240 bool ovl_lookup_trap_inode(struct super_block *sb, struct dentry *dir)
1242 struct inode *key = d_inode(dir);
1246 trap = ilookup5(sb, (unsigned long) key, ovl_inode_test, key);
1250 res = IS_DEADDIR(trap) && !ovl_inode_upper(trap) &&
1251 !ovl_inode_lower(trap);
1258 * Create an inode cache entry for layer root dir, that will intentionally
1259 * fail ovl_verify_inode(), so any lookup that will find some layer root
1262 struct inode *ovl_get_trap_inode(struct super_block *sb, struct dentry *dir)
1264 struct inode *key = d_inode(dir);
1268 return ERR_PTR(-ENOTDIR);
1270 trap = iget5_locked(sb, (unsigned long) key, ovl_inode_test,
1271 ovl_inode_set, key);
1273 return ERR_PTR(-ENOMEM);
1275 if (!(trap->i_state & I_NEW)) {
1276 /* Conflicting layer roots? */
1278 return ERR_PTR(-ELOOP);
1281 trap->i_mode = S_IFDIR;
1282 trap->i_flags = S_DEAD;
1283 unlock_new_inode(trap);
1289 * Does overlay inode need to be hashed by lower inode?
1291 static bool ovl_hash_bylower(struct super_block *sb, struct dentry *upper,
1292 struct dentry *lower, bool index)
1294 struct ovl_fs *ofs = OVL_FS(sb);
1296 /* No, if pure upper */
1300 /* Yes, if already indexed */
1304 /* Yes, if won't be copied up */
1305 if (!ovl_upper_mnt(ofs))
1308 /* No, if lower hardlink is or will be broken on copy up */
1309 if ((upper || !ovl_indexdir(sb)) &&
1310 !d_is_dir(lower) && d_inode(lower)->i_nlink > 1)
1313 /* No, if non-indexed upper with NFS export */
1314 if (ofs->config.nfs_export && upper)
1317 /* Otherwise, hash by lower inode for fsnotify */
1321 static struct inode *ovl_iget5(struct super_block *sb, struct inode *newinode,
1324 return newinode ? inode_insert5(newinode, (unsigned long) key,
1325 ovl_inode_test, ovl_inode_set, key) :
1326 iget5_locked(sb, (unsigned long) key,
1327 ovl_inode_test, ovl_inode_set, key);
1330 struct inode *ovl_get_inode(struct super_block *sb,
1331 struct ovl_inode_params *oip)
1333 struct ovl_fs *ofs = OVL_FS(sb);
1334 struct dentry *upperdentry = oip->upperdentry;
1335 struct ovl_path *lowerpath = ovl_lowerpath(oip->oe);
1336 struct inode *realinode = upperdentry ? d_inode(upperdentry) : NULL;
1337 struct inode *inode;
1338 struct dentry *lowerdentry = lowerpath ? lowerpath->dentry : NULL;
1339 struct path realpath = {
1340 .dentry = upperdentry ?: lowerdentry,
1341 .mnt = upperdentry ? ovl_upper_mnt(ofs) : lowerpath->layer->mnt,
1343 bool bylower = ovl_hash_bylower(sb, upperdentry, lowerdentry,
1345 int fsid = bylower ? lowerpath->layer->fsid : 0;
1347 unsigned long ino = 0;
1348 int err = oip->newinode ? -EEXIST : -ENOMEM;
1351 realinode = d_inode(lowerdentry);
1354 * Copy up origin (lower) may exist for non-indexed upper, but we must
1355 * not use lower as hash key if this is a broken hardlink.
1357 is_dir = S_ISDIR(realinode->i_mode);
1358 if (upperdentry || bylower) {
1359 struct inode *key = d_inode(bylower ? lowerdentry :
1361 unsigned int nlink = is_dir ? 1 : realinode->i_nlink;
1363 inode = ovl_iget5(sb, oip->newinode, key);
1366 if (!(inode->i_state & I_NEW)) {
1368 * Verify that the underlying files stored in the inode
1369 * match those in the dentry.
1371 if (!ovl_verify_inode(inode, lowerdentry, upperdentry,
1379 ovl_free_entry(oip->oe);
1380 kfree(oip->redirect);
1381 kfree(oip->lowerdata_redirect);
1385 /* Recalculate nlink for non-dir due to indexing */
1387 nlink = ovl_get_nlink(ofs, lowerdentry, upperdentry,
1389 set_nlink(inode, nlink);
1392 /* Lower hardlink that will be broken on copy up */
1393 inode = new_inode(sb);
1398 ino = realinode->i_ino;
1399 fsid = lowerpath->layer->fsid;
1401 ovl_fill_inode(inode, realinode->i_mode, realinode->i_rdev);
1402 ovl_inode_init(inode, oip, ino, fsid);
1404 if (upperdentry && ovl_is_impuredir(sb, upperdentry))
1405 ovl_set_flag(OVL_IMPURE, inode);
1408 ovl_set_flag(OVL_INDEX, inode);
1411 ovl_set_flag(OVL_CONST_INO, inode);
1413 /* Check for non-merge dir that may have whiteouts */
1415 if (((upperdentry && lowerdentry) || ovl_numlower(oip->oe) > 1) ||
1416 ovl_path_check_origin_xattr(ofs, &realpath)) {
1417 ovl_set_flag(OVL_WHITEOUTS, inode);
1421 /* Check for immutable/append-only inode flags in xattr */
1423 ovl_check_protattr(inode, upperdentry);
1425 if (inode->i_state & I_NEW)
1426 unlock_new_inode(inode);
1431 pr_warn_ratelimited("failed to get inode (%i)\n", err);
1432 inode = ERR_PTR(err);
projects / platform / kernel / linux-starfive.git / blob