search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
[linux-stable.git] / fs / overlayfs / copy_up.c
blob3601ddfeddc2ec70764756905d528570ad1020e1
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 *
4 * Copyright (C) 2011 Novell Inc.
5 */
6
7 #include <linux/module.h>
8 #include <linux/fs.h>
9 #include <linux/slab.h>
10 #include <linux/file.h>
11 #include <linux/fileattr.h>
12 #include <linux/splice.h>
13 #include <linux/xattr.h>
14 #include <linux/security.h>
15 #include <linux/uaccess.h>
16 #include <linux/sched/signal.h>
17 #include <linux/cred.h>
18 #include <linux/namei.h>
19 #include <linux/ratelimit.h>
20 #include <linux/exportfs.h>
21 #include "overlayfs.h"
22
23 #define OVL_COPY_UP_CHUNK_SIZE (1 << 20)
24
25 static int ovl_ccup_set(const char *buf, const struct kernel_param *param)
26 {
27 pr_warn("\"check_copy_up\" module option is obsolete\n");
28 return 0;
29 }
30
31 static int ovl_ccup_get(char *buf, const struct kernel_param *param)
32 {
33 return sprintf(buf, "N\n");
34 }
35
36 module_param_call(check_copy_up, ovl_ccup_set, ovl_ccup_get, NULL, 0644);
37 MODULE_PARM_DESC(check_copy_up, "Obsolete; does nothing");
38
39 static bool ovl_must_copy_xattr(const char *name)
40 {
41 return !strcmp(name, XATTR_POSIX_ACL_ACCESS) ||
42 !strcmp(name, XATTR_POSIX_ACL_DEFAULT) ||
43 !strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN);
44 }
45
46 static int ovl_copy_acl(struct ovl_fs *ofs, const struct path *path,
47 struct dentry *dentry, const char *acl_name)
48 {
49 int err;
50 struct posix_acl *clone, *real_acl = NULL;
51
52 real_acl = ovl_get_acl_path(path, acl_name, false);
53 if (!real_acl)
54 return 0;
55
56 if (IS_ERR(real_acl)) {
57 err = PTR_ERR(real_acl);
58 if (err == -ENODATA || err == -EOPNOTSUPP)
59 return 0;
60 return err;
61 }
62
63 clone = posix_acl_clone(real_acl, GFP_KERNEL);
64 posix_acl_release(real_acl); /* release original acl */
65 if (!clone)
66 return -ENOMEM;
67
68 err = ovl_do_set_acl(ofs, dentry, acl_name, clone);
69
70 /* release cloned acl */
71 posix_acl_release(clone);
72 return err;
73 }
74
75 int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct dentry *new)
76 {
77 struct dentry *old = oldpath->dentry;
78 ssize_t list_size, size, value_size = 0;
79 char *buf, *name, *value = NULL;
80 int error = 0;
81 size_t slen;
82
83 if (!old->d_inode->i_op->listxattr || !new->d_inode->i_op->listxattr)
84 return 0;
85
86 list_size = vfs_listxattr(old, NULL, 0);
87 if (list_size <= 0) {
88 if (list_size == -EOPNOTSUPP)
89 return 0;
90 return list_size;
91 }
92
93 buf = kvzalloc(list_size, GFP_KERNEL);
94 if (!buf)
95 return -ENOMEM;
96
97 list_size = vfs_listxattr(old, buf, list_size);
98 if (list_size <= 0) {
99 error = list_size;
100 goto out;
101 }
102
103 for (name = buf; list_size; name += slen) {
104 slen = strnlen(name, list_size) + 1;
105
106 /* underlying fs providing us with an broken xattr list? */
107 if (WARN_ON(slen > list_size)) {
108 error = -EIO;
109 break;
110 }
111 list_size -= slen;
112
113 if (ovl_is_private_xattr(sb, name))
114 continue;
115
116 error = security_inode_copy_up_xattr(old, name);
117 if (error == -ECANCELED) {
118 error = 0;
119 continue; /* Discard */
120 }
121 if (error < 0 && error != -EOPNOTSUPP)
122 break;
123
124 if (is_posix_acl_xattr(name)) {
125 error = ovl_copy_acl(OVL_FS(sb), oldpath, new, name);
126 if (!error)
127 continue;
128 /* POSIX ACLs must be copied. */
129 break;
130 }
131
132 retry:
133 size = ovl_do_getxattr(oldpath, name, value, value_size);
134 if (size == -ERANGE)
135 size = ovl_do_getxattr(oldpath, name, NULL, 0);
136
137 if (size < 0) {
138 error = size;
139 break;
140 }
141
142 if (size > value_size) {
143 void *new;
144
145 new = kvmalloc(size, GFP_KERNEL);
146 if (!new) {
147 error = -ENOMEM;
148 break;
149 }
150 kvfree(value);
151 value = new;
152 value_size = size;
153 goto retry;
154 }
155
156 error = ovl_do_setxattr(OVL_FS(sb), new, name, value, size, 0);
157 if (error) {
158 if (error != -EOPNOTSUPP || ovl_must_copy_xattr(name))
159 break;
160
161 /* Ignore failure to copy unknown xattrs */
162 error = 0;
163 }
164 }
165 kvfree(value);
166 out:
167 kvfree(buf);
168 return error;
169 }
170
171 static int ovl_copy_fileattr(struct inode *inode, const struct path *old,
172 const struct path *new)
173 {
174 struct fileattr oldfa = { .flags_valid = true };
175 struct fileattr newfa = { .flags_valid = true };
176 int err;
177
178 err = ovl_real_fileattr_get(old, &oldfa);
179 if (err) {
180 /* Ntfs-3g returns -EINVAL for "no fileattr support" */
181 if (err == -ENOTTY || err == -EINVAL)
182 return 0;
183 pr_warn("failed to retrieve lower fileattr (%pd2, err=%i)\n",
184 old->dentry, err);
185 return err;
186 }
187
188 /*
189 * We cannot set immutable and append-only flags on upper inode,
190 * because we would not be able to link upper inode to upper dir
191 * not set overlay private xattr on upper inode.
192 * Store these flags in overlay.protattr xattr instead.
193 */
194 if (oldfa.flags & OVL_PROT_FS_FLAGS_MASK) {
195 err = ovl_set_protattr(inode, new->dentry, &oldfa);
196 if (err == -EPERM)
197 pr_warn_once("copying fileattr: no xattr on upper\n");
198 else if (err)
199 return err;
200 }
201
202 /* Don't bother copying flags if none are set */
203 if (!(oldfa.flags & OVL_COPY_FS_FLAGS_MASK))
204 return 0;
205
206 err = ovl_real_fileattr_get(new, &newfa);
207 if (err) {
208 /*
209 * Returning an error if upper doesn't support fileattr will
210 * result in a regression, so revert to the old behavior.
211 */
212 if (err == -ENOTTY || err == -EINVAL) {
213 pr_warn_once("copying fileattr: no support on upper\n");
214 return 0;
215 }
216 pr_warn("failed to retrieve upper fileattr (%pd2, err=%i)\n",
217 new->dentry, err);
218 return err;
219 }
220
221 BUILD_BUG_ON(OVL_COPY_FS_FLAGS_MASK & ~FS_COMMON_FL);
222 newfa.flags &= ~OVL_COPY_FS_FLAGS_MASK;
223 newfa.flags |= (oldfa.flags & OVL_COPY_FS_FLAGS_MASK);
224
225 BUILD_BUG_ON(OVL_COPY_FSX_FLAGS_MASK & ~FS_XFLAG_COMMON);
226 newfa.fsx_xflags &= ~OVL_COPY_FSX_FLAGS_MASK;
227 newfa.fsx_xflags |= (oldfa.fsx_xflags & OVL_COPY_FSX_FLAGS_MASK);
228
229 return ovl_real_fileattr_set(new, &newfa);
230 }
231
232 static int ovl_verify_area(loff_t pos, loff_t pos2, loff_t len, loff_t totlen)
233 {
234 loff_t tmp;
235
236 if (pos != pos2)
237 return -EIO;
238 if (pos < 0 || len < 0 || totlen < 0)
239 return -EIO;
240 if (check_add_overflow(pos, len, &tmp))
241 return -EIO;
242 return 0;
243 }
244
245 static int ovl_sync_file(struct path *path)
246 {
247 struct file *new_file;
248 int err;
249
250 new_file = ovl_path_open(path, O_LARGEFILE | O_RDONLY);
251 if (IS_ERR(new_file))
252 return PTR_ERR(new_file);
253
254 err = vfs_fsync(new_file, 0);
255 fput(new_file);
256
257 return err;
258 }
259
260 static int ovl_copy_up_file(struct ovl_fs *ofs, struct dentry *dentry,
261 struct file *new_file, loff_t len,
262 bool datasync)
263 {
264 struct path datapath;
265 struct file *old_file;
266 loff_t old_pos = 0;
267 loff_t new_pos = 0;
268 loff_t cloned;
269 loff_t data_pos = -1;
270 loff_t hole_len;
271 bool skip_hole = false;
272 int error = 0;
273
274 ovl_path_lowerdata(dentry, &datapath);
275 if (WARN_ON_ONCE(datapath.dentry == NULL) ||
276 WARN_ON_ONCE(len < 0))
277 return -EIO;
278
279 old_file = ovl_path_open(&datapath, O_LARGEFILE | O_RDONLY);
280 if (IS_ERR(old_file))
281 return PTR_ERR(old_file);
282
283 /* Try to use clone_file_range to clone up within the same fs */
284 cloned = vfs_clone_file_range(old_file, 0, new_file, 0, len, 0);
285 if (cloned == len)
286 goto out_fput;
287
288 /* Couldn't clone, so now we try to copy the data */
289 error = rw_verify_area(READ, old_file, &old_pos, len);
290 if (!error)
291 error = rw_verify_area(WRITE, new_file, &new_pos, len);
292 if (error)
293 goto out_fput;
294
295 /* Check if lower fs supports seek operation */
296 if (old_file->f_mode & FMODE_LSEEK)
297 skip_hole = true;
298
299 while (len) {
300 size_t this_len = OVL_COPY_UP_CHUNK_SIZE;
301 ssize_t bytes;
302
303 if (len < this_len)
304 this_len = len;
305
306 if (signal_pending_state(TASK_KILLABLE, current)) {
307 error = -EINTR;
308 break;
309 }
310
311 /*
312 * Fill zero for hole will cost unnecessary disk space
313 * and meanwhile slow down the copy-up speed, so we do
314 * an optimization for hole during copy-up, it relies
315 * on SEEK_DATA implementation in lower fs so if lower
316 * fs does not support it, copy-up will behave as before.
317 *
318 * Detail logic of hole detection as below:
319 * When we detect next data position is larger than current
320 * position we will skip that hole, otherwise we copy
321 * data in the size of OVL_COPY_UP_CHUNK_SIZE. Actually,
322 * it may not recognize all kind of holes and sometimes
323 * only skips partial of hole area. However, it will be
324 * enough for most of the use cases.
325 *
326 * We do not hold upper sb_writers throughout the loop to avert
327 * lockdep warning with llseek of lower file in nested overlay:
328 * - upper sb_writers
329 * -- lower ovl_inode_lock (ovl_llseek)
330 */
331 if (skip_hole && data_pos < old_pos) {
332 data_pos = vfs_llseek(old_file, old_pos, SEEK_DATA);
333 if (data_pos > old_pos) {
334 hole_len = data_pos - old_pos;
335 len -= hole_len;
336 old_pos = new_pos = data_pos;
337 continue;
338 } else if (data_pos == -ENXIO) {
339 break;
340 } else if (data_pos < 0) {
341 skip_hole = false;
342 }
343 }
344
345 error = ovl_verify_area(old_pos, new_pos, this_len, len);
346 if (error)
347 break;
348
349 bytes = do_splice_direct(old_file, &old_pos,
350 new_file, &new_pos,
351 this_len, SPLICE_F_MOVE);
352 if (bytes <= 0) {
353 error = bytes;
354 break;
355 }
356 WARN_ON(old_pos != new_pos);
357
358 len -= bytes;
359 }
360 /* call fsync once, either now or later along with metadata */
361 if (!error && ovl_should_sync(ofs) && datasync)
362 error = vfs_fsync(new_file, 0);
363 out_fput:
364 fput(old_file);
365 return error;
366 }
367
368 static int ovl_set_size(struct ovl_fs *ofs,
369 struct dentry *upperdentry, struct kstat *stat)
370 {
371 struct iattr attr = {
372 .ia_valid = ATTR_SIZE,
373 .ia_size = stat->size,
374 };
375
376 return ovl_do_notify_change(ofs, upperdentry, &attr);
377 }
378
379 static int ovl_set_timestamps(struct ovl_fs *ofs, struct dentry *upperdentry,
380 struct kstat *stat)
381 {
382 struct iattr attr = {
383 .ia_valid =
384 ATTR_ATIME | ATTR_MTIME | ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_CTIME,
385 .ia_atime = stat->atime,
386 .ia_mtime = stat->mtime,
387 };
388
389 return ovl_do_notify_change(ofs, upperdentry, &attr);
390 }
391
392 int ovl_set_attr(struct ovl_fs *ofs, struct dentry *upperdentry,
393 struct kstat *stat)
394 {
395 int err = 0;
396
397 if (!S_ISLNK(stat->mode)) {
398 struct iattr attr = {
399 .ia_valid = ATTR_MODE,
400 .ia_mode = stat->mode,
401 };
402 err = ovl_do_notify_change(ofs, upperdentry, &attr);
403 }
404 if (!err) {
405 struct iattr attr = {
406 .ia_valid = ATTR_UID | ATTR_GID,
407 .ia_vfsuid = VFSUIDT_INIT(stat->uid),
408 .ia_vfsgid = VFSGIDT_INIT(stat->gid),
409 };
410 err = ovl_do_notify_change(ofs, upperdentry, &attr);
411 }
412 if (!err)
413 ovl_set_timestamps(ofs, upperdentry, stat);
414
415 return err;
416 }
417
418 struct ovl_fh *ovl_encode_real_fh(struct ovl_fs *ofs, struct dentry *real,
419 bool is_upper)
420 {
421 struct ovl_fh *fh;
422 int fh_type, dwords;
423 int buflen = MAX_HANDLE_SZ;
424 uuid_t *uuid = &real->d_sb->s_uuid;
425 int err;
426
427 /* Make sure the real fid stays 32bit aligned */
428 BUILD_BUG_ON(OVL_FH_FID_OFFSET % 4);
429 BUILD_BUG_ON(MAX_HANDLE_SZ + OVL_FH_FID_OFFSET > 255);
430
431 fh = kzalloc(buflen + OVL_FH_FID_OFFSET, GFP_KERNEL);
432 if (!fh)
433 return ERR_PTR(-ENOMEM);
434
435 /*
436 * We encode a non-connectable file handle for non-dir, because we
437 * only need to find the lower inode number and we don't want to pay
438 * the price or reconnecting the dentry.
439 */
440 dwords = buflen >> 2;
441 fh_type = exportfs_encode_fh(real, (void *)fh->fb.fid, &dwords, 0);
442 buflen = (dwords << 2);
443
444 err = -EIO;
445 if (WARN_ON(fh_type < 0) ||
446 WARN_ON(buflen > MAX_HANDLE_SZ) ||
447 WARN_ON(fh_type == FILEID_INVALID))
448 goto out_err;
449
450 fh->fb.version = OVL_FH_VERSION;
451 fh->fb.magic = OVL_FH_MAGIC;
452 fh->fb.type = fh_type;
453 fh->fb.flags = OVL_FH_FLAG_CPU_ENDIAN;
454 /*
455 * When we will want to decode an overlay dentry from this handle
456 * and all layers are on the same fs, if we get a disconncted real
457 * dentry when we decode fid, the only way to tell if we should assign
458 * it to upperdentry or to lowerstack is by checking this flag.
459 */
460 if (is_upper)
461 fh->fb.flags |= OVL_FH_FLAG_PATH_UPPER;
462 fh->fb.len = sizeof(fh->fb) + buflen;
463 if (ovl_origin_uuid(ofs))
464 fh->fb.uuid = *uuid;
465
466 return fh;
467
468 out_err:
469 kfree(fh);
470 return ERR_PTR(err);
471 }
472
473 struct ovl_fh *ovl_get_origin_fh(struct ovl_fs *ofs, struct dentry *origin)
474 {
475 /*
476 * When lower layer doesn't support export operations store a 'null' fh,
477 * so we can use the overlay.origin xattr to distignuish between a copy
478 * up and a pure upper inode.
479 */
480 if (!ovl_can_decode_fh(origin->d_sb))
481 return NULL;
482
483 return ovl_encode_real_fh(ofs, origin, false);
484 }
485
486 int ovl_set_origin_fh(struct ovl_fs *ofs, const struct ovl_fh *fh,
487 struct dentry *upper)
488 {
489 int err;
490
491 /*
492 * Do not fail when upper doesn't support xattrs.
493 */
494 err = ovl_check_setxattr(ofs, upper, OVL_XATTR_ORIGIN, fh->buf,
495 fh ? fh->fb.len : 0, 0);
496
497 /* Ignore -EPERM from setting "user.*" on symlink/special */
498 return err == -EPERM ? 0 : err;
499 }
500
501 /* Store file handle of @upper dir in @index dir entry */
502 static int ovl_set_upper_fh(struct ovl_fs *ofs, struct dentry *upper,
503 struct dentry *index)
504 {
505 const struct ovl_fh *fh;
506 int err;
507
508 fh = ovl_encode_real_fh(ofs, upper, true);
509 if (IS_ERR(fh))
510 return PTR_ERR(fh);
511
512 err = ovl_setxattr(ofs, index, OVL_XATTR_UPPER, fh->buf, fh->fb.len);
513
514 kfree(fh);
515 return err;
516 }
517
518 /*
519 * Create and install index entry.
520 *
521 * Caller must hold i_mutex on indexdir.
522 */
523 static int ovl_create_index(struct dentry *dentry, const struct ovl_fh *fh,
524 struct dentry *upper)
525 {
526 struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
527 struct dentry *indexdir = ovl_indexdir(dentry->d_sb);
528 struct inode *dir = d_inode(indexdir);
529 struct dentry *index = NULL;
530 struct dentry *temp = NULL;
531 struct qstr name = { };
532 int err;
533
534 /*
535 * For now this is only used for creating index entry for directories,
536 * because non-dir are copied up directly to index and then hardlinked
537 * to upper dir.
538 *
539 * TODO: implement create index for non-dir, so we can call it when
540 * encoding file handle for non-dir in case index does not exist.
541 */
542 if (WARN_ON(!d_is_dir(dentry)))
543 return -EIO;
544
545 /* Directory not expected to be indexed before copy up */
546 if (WARN_ON(ovl_test_flag(OVL_INDEX, d_inode(dentry))))
547 return -EIO;
548
549 err = ovl_get_index_name_fh(fh, &name);
550 if (err)
551 return err;
552
553 temp = ovl_create_temp(ofs, indexdir, OVL_CATTR(S_IFDIR | 0));
554 err = PTR_ERR(temp);
555 if (IS_ERR(temp))
556 goto free_name;
557
558 err = ovl_set_upper_fh(ofs, upper, temp);
559 if (err)
560 goto out;
561
562 index = ovl_lookup_upper(ofs, name.name, indexdir, name.len);
563 if (IS_ERR(index)) {
564 err = PTR_ERR(index);
565 } else {
566 err = ovl_do_rename(ofs, dir, temp, dir, index, 0);
567 dput(index);
568 }
569 out:
570 if (err)
571 ovl_cleanup(ofs, dir, temp);
572 dput(temp);
573 free_name:
574 kfree(name.name);
575 return err;
576 }
577
578 struct ovl_copy_up_ctx {
579 struct dentry *parent;
580 struct dentry *dentry;
581 struct path lowerpath;
582 struct kstat stat;
583 struct kstat pstat;
584 const char *link;
585 struct dentry *destdir;
586 struct qstr destname;
587 struct dentry *workdir;
588 const struct ovl_fh *origin_fh;
589 bool origin;
590 bool indexed;
591 bool metacopy;
592 bool metacopy_digest;
593 bool metadata_fsync;
594 };
595
596 static int ovl_link_up(struct ovl_copy_up_ctx *c)
597 {
598 int err;
599 struct dentry *upper;
600 struct dentry *upperdir = ovl_dentry_upper(c->parent);
601 struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);
602 struct inode *udir = d_inode(upperdir);
603
604 ovl_start_write(c->dentry);
605
606 /* Mark parent "impure" because it may now contain non-pure upper */
607 err = ovl_set_impure(c->parent, upperdir);
608 if (err)
609 goto out;
610
611 err = ovl_set_nlink_lower(c->dentry);
612 if (err)
613 goto out;
614
615 inode_lock_nested(udir, I_MUTEX_PARENT);
616 upper = ovl_lookup_upper(ofs, c->dentry->d_name.name, upperdir,
617 c->dentry->d_name.len);
618 err = PTR_ERR(upper);
619 if (!IS_ERR(upper)) {
620 err = ovl_do_link(ofs, ovl_dentry_upper(c->dentry), udir, upper);
621 dput(upper);
622
623 if (!err) {
624 /* Restore timestamps on parent (best effort) */
625 ovl_set_timestamps(ofs, upperdir, &c->pstat);
626 ovl_dentry_set_upper_alias(c->dentry);
627 ovl_dentry_update_reval(c->dentry, upper);
628 }
629 }
630 inode_unlock(udir);
631 if (err)
632 goto out;
633
634 err = ovl_set_nlink_upper(c->dentry);
635
636 out:
637 ovl_end_write(c->dentry);
638 return err;
639 }
640
641 static int ovl_copy_up_data(struct ovl_copy_up_ctx *c, const struct path *temp)
642 {
643 struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);
644 struct file *new_file;
645 int err;
646
647 if (!S_ISREG(c->stat.mode) || c->metacopy || !c->stat.size)
648 return 0;
649
650 new_file = ovl_path_open(temp, O_LARGEFILE | O_WRONLY);
651 if (IS_ERR(new_file))
652 return PTR_ERR(new_file);
653
654 err = ovl_copy_up_file(ofs, c->dentry, new_file, c->stat.size,
655 !c->metadata_fsync);
656 fput(new_file);
657
658 return err;
659 }
660
661 static int ovl_copy_up_metadata(struct ovl_copy_up_ctx *c, struct dentry *temp)
662 {
663 struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);
664 struct inode *inode = d_inode(c->dentry);
665 struct path upperpath = { .mnt = ovl_upper_mnt(ofs), .dentry = temp };
666 int err;
667
668 err = ovl_copy_xattr(c->dentry->d_sb, &c->lowerpath, temp);
669 if (err)
670 return err;
671
672 if (inode->i_flags & OVL_COPY_I_FLAGS_MASK &&
673 (S_ISREG(c->stat.mode) || S_ISDIR(c->stat.mode))) {
674 /*
675 * Copy the fileattr inode flags that are the source of already
676 * copied i_flags
677 */
678 err = ovl_copy_fileattr(inode, &c->lowerpath, &upperpath);
679 if (err)
680 return err;
681 }
682
683 /*
684 * Store identifier of lower inode in upper inode xattr to
685 * allow lookup of the copy up origin inode.
686 *
687 * Don't set origin when we are breaking the association with a lower
688 * hard link.
689 */
690 if (c->origin) {
691 err = ovl_set_origin_fh(ofs, c->origin_fh, temp);
692 if (err)
693 return err;
694 }
695
696 if (c->metacopy) {
697 struct path lowerdatapath;
698 struct ovl_metacopy metacopy_data = OVL_METACOPY_INIT;
699
700 ovl_path_lowerdata(c->dentry, &lowerdatapath);
701 if (WARN_ON_ONCE(lowerdatapath.dentry == NULL))
702 return -EIO;
703 err = ovl_get_verity_digest(ofs, &lowerdatapath, &metacopy_data);
704 if (err)
705 return err;
706
707 if (metacopy_data.digest_algo)
708 c->metacopy_digest = true;
709
710 err = ovl_set_metacopy_xattr(ofs, temp, &metacopy_data);
711 if (err)
712 return err;
713 }
714
715 inode_lock(temp->d_inode);
716 if (S_ISREG(c->stat.mode))
717 err = ovl_set_size(ofs, temp, &c->stat);
718 if (!err)
719 err = ovl_set_attr(ofs, temp, &c->stat);
720 inode_unlock(temp->d_inode);
721
722 /* fsync metadata before moving it into upper dir */
723 if (!err && ovl_should_sync(ofs) && c->metadata_fsync)
724 err = ovl_sync_file(&upperpath);
725
726 return err;
727 }
728
729 struct ovl_cu_creds {
730 const struct cred *old;
731 struct cred *new;
732 };
733
734 static int ovl_prep_cu_creds(struct dentry *dentry, struct ovl_cu_creds *cc)
735 {
736 int err;
737
738 cc->old = cc->new = NULL;
739 err = security_inode_copy_up(dentry, &cc->new);
740 if (err < 0)
741 return err;
742
743 if (cc->new)
744 cc->old = override_creds(cc->new);
745
746 return 0;
747 }
748
749 static void ovl_revert_cu_creds(struct ovl_cu_creds *cc)
750 {
751 if (cc->new) {
752 revert_creds(cc->old);
753 put_cred(cc->new);
754 }
755 }
756
757 /*
758 * Copyup using workdir to prepare temp file. Used when copying up directories,
759 * special files or when upper fs doesn't support O_TMPFILE.
760 */
761 static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
762 {
763 struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);
764 struct inode *inode;
765 struct inode *udir = d_inode(c->destdir), *wdir = d_inode(c->workdir);
766 struct path path = { .mnt = ovl_upper_mnt(ofs) };
767 struct dentry *temp, *upper, *trap;
768 struct ovl_cu_creds cc;
769 int err;
770 struct ovl_cattr cattr = {
771 /* Can't properly set mode on creation because of the umask */
772 .mode = c->stat.mode & S_IFMT,
773 .rdev = c->stat.rdev,
774 .link = c->link
775 };
776
777 err = ovl_prep_cu_creds(c->dentry, &cc);
778 if (err)
779 return err;
780
781 ovl_start_write(c->dentry);
782 inode_lock(wdir);
783 temp = ovl_create_temp(ofs, c->workdir, &cattr);
784 inode_unlock(wdir);
785 ovl_end_write(c->dentry);
786 ovl_revert_cu_creds(&cc);
787
788 if (IS_ERR(temp))
789 return PTR_ERR(temp);
790
791 /*
792 * Copy up data first and then xattrs. Writing data after
793 * xattrs will remove security.capability xattr automatically.
794 */
795 path.dentry = temp;
796 err = ovl_copy_up_data(c, &path);
797 /*
798 * We cannot hold lock_rename() throughout this helper, because of
799 * lock ordering with sb_writers, which shouldn't be held when calling
800 * ovl_copy_up_data(), so lock workdir and destdir and make sure that
801 * temp wasn't moved before copy up completion or cleanup.
802 */
803 ovl_start_write(c->dentry);
804 trap = lock_rename(c->workdir, c->destdir);
805 if (trap || temp->d_parent != c->workdir) {
806 /* temp or workdir moved underneath us? abort without cleanup */
807 dput(temp);
808 err = -EIO;
809 if (IS_ERR(trap))
810 goto out;
811 goto unlock;
812 } else if (err) {
813 goto cleanup;
814 }
815
816 err = ovl_copy_up_metadata(c, temp);
817 if (err)
818 goto cleanup;
819
820 if (S_ISDIR(c->stat.mode) && c->indexed) {
821 err = ovl_create_index(c->dentry, c->origin_fh, temp);
822 if (err)
823 goto cleanup;
824 }
825
826 upper = ovl_lookup_upper(ofs, c->destname.name, c->destdir,
827 c->destname.len);
828 err = PTR_ERR(upper);
829 if (IS_ERR(upper))
830 goto cleanup;
831
832 err = ovl_do_rename(ofs, wdir, temp, udir, upper, 0);
833 dput(upper);
834 if (err)
835 goto cleanup;
836
837 inode = d_inode(c->dentry);
838 if (c->metacopy_digest)
839 ovl_set_flag(OVL_HAS_DIGEST, inode);
840 else
841 ovl_clear_flag(OVL_HAS_DIGEST, inode);
842 ovl_clear_flag(OVL_VERIFIED_DIGEST, inode);
843
844 if (!c->metacopy)
845 ovl_set_upperdata(inode);
846 ovl_inode_update(inode, temp);
847 if (S_ISDIR(inode->i_mode))
848 ovl_set_flag(OVL_WHITEOUTS, inode);
849 unlock:
850 unlock_rename(c->workdir, c->destdir);
851 out:
852 ovl_end_write(c->dentry);
853
854 return err;
855
856 cleanup:
857 ovl_cleanup(ofs, wdir, temp);
858 dput(temp);
859 goto unlock;
860 }
861
862 /* Copyup using O_TMPFILE which does not require cross dir locking */
863 static int ovl_copy_up_tmpfile(struct ovl_copy_up_ctx *c)
864 {
865 struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);
866 struct inode *udir = d_inode(c->destdir);
867 struct dentry *temp, *upper;
868 struct file *tmpfile;
869 struct ovl_cu_creds cc;
870 int err;
871
872 err = ovl_prep_cu_creds(c->dentry, &cc);
873 if (err)
874 return err;
875
876 ovl_start_write(c->dentry);
877 tmpfile = ovl_do_tmpfile(ofs, c->workdir, c->stat.mode);
878 ovl_end_write(c->dentry);
879 ovl_revert_cu_creds(&cc);
880 if (IS_ERR(tmpfile))
881 return PTR_ERR(tmpfile);
882
883 temp = tmpfile->f_path.dentry;
884 if (!c->metacopy && c->stat.size) {
885 err = ovl_copy_up_file(ofs, c->dentry, tmpfile, c->stat.size,
886 !c->metadata_fsync);
887 if (err)
888 goto out_fput;
889 }
890
891 ovl_start_write(c->dentry);
892
893 err = ovl_copy_up_metadata(c, temp);
894 if (err)
895 goto out;
896
897 inode_lock_nested(udir, I_MUTEX_PARENT);
898
899 upper = ovl_lookup_upper(ofs, c->destname.name, c->destdir,
900 c->destname.len);
901 err = PTR_ERR(upper);
902 if (!IS_ERR(upper)) {
903 err = ovl_do_link(ofs, temp, udir, upper);
904 dput(upper);
905 }
906 inode_unlock(udir);
907
908 if (err)
909 goto out;
910
911 if (c->metacopy_digest)
912 ovl_set_flag(OVL_HAS_DIGEST, d_inode(c->dentry));
913 else
914 ovl_clear_flag(OVL_HAS_DIGEST, d_inode(c->dentry));
915 ovl_clear_flag(OVL_VERIFIED_DIGEST, d_inode(c->dentry));
916
917 if (!c->metacopy)
918 ovl_set_upperdata(d_inode(c->dentry));
919 ovl_inode_update(d_inode(c->dentry), dget(temp));
920
921 out:
922 ovl_end_write(c->dentry);
923 out_fput:
924 fput(tmpfile);
925 return err;
926 }
927
928 /*
929 * Copy up a single dentry
930 *
931 * All renames start with copy up of source if necessary. The actual
932 * rename will only proceed once the copy up was successful. Copy up uses
933 * upper parent i_mutex for exclusion. Since rename can change d_parent it
934 * is possible that the copy up will lock the old parent. At that point
935 * the file will have already been copied up anyway.
936 */
937 static int ovl_do_copy_up(struct ovl_copy_up_ctx *c)
938 {
939 int err;
940 struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);
941 struct dentry *origin = c->lowerpath.dentry;
942 struct ovl_fh *fh = NULL;
943 bool to_index = false;
944
945 /*
946 * Indexed non-dir is copied up directly to the index entry and then
947 * hardlinked to upper dir. Indexed dir is copied up to indexdir,
948 * then index entry is created and then copied up dir installed.
949 * Copying dir up to indexdir instead of workdir simplifies locking.
950 */
951 if (ovl_need_index(c->dentry)) {
952 c->indexed = true;
953 if (S_ISDIR(c->stat.mode))
954 c->workdir = ovl_indexdir(c->dentry->d_sb);
955 else
956 to_index = true;
957 }
958
959 if (S_ISDIR(c->stat.mode) || c->stat.nlink == 1 || to_index) {
960 fh = ovl_get_origin_fh(ofs, origin);
961 if (IS_ERR(fh))
962 return PTR_ERR(fh);
963
964 /* origin_fh may be NULL */
965 c->origin_fh = fh;
966 c->origin = true;
967 }
968
969 if (to_index) {
970 c->destdir = ovl_indexdir(c->dentry->d_sb);
971 err = ovl_get_index_name(ofs, origin, &c->destname);
972 if (err)
973 goto out_free_fh;
974 } else if (WARN_ON(!c->parent)) {
975 /* Disconnected dentry must be copied up to index dir */
976 err = -EIO;
977 goto out_free_fh;
978 } else {
979 /*
980 * c->dentry->d_name is stabilzed by ovl_copy_up_start(),
981 * because if we got here, it means that c->dentry has no upper
982 * alias and changing ->d_name means going through ovl_rename()
983 * that will call ovl_copy_up() on source and target dentry.
984 */
985 c->destname = c->dentry->d_name;
986 /*
987 * Mark parent "impure" because it may now contain non-pure
988 * upper
989 */
990 ovl_start_write(c->dentry);
991 err = ovl_set_impure(c->parent, c->destdir);
992 ovl_end_write(c->dentry);
993 if (err)
994 goto out_free_fh;
995 }
996
997 /* Should we copyup with O_TMPFILE or with workdir? */
998 if (S_ISREG(c->stat.mode) && ofs->tmpfile)
999 err = ovl_copy_up_tmpfile(c);
1000 else
1001 err = ovl_copy_up_workdir(c);
1002 if (err)
1003 goto out;
1004
1005 if (c->indexed)
1006 ovl_set_flag(OVL_INDEX, d_inode(c->dentry));
1007
1008 ovl_start_write(c->dentry);
1009 if (to_index) {
1010 /* Initialize nlink for copy up of disconnected dentry */
1011 err = ovl_set_nlink_upper(c->dentry);
1012 } else {
1013 struct inode *udir = d_inode(c->destdir);
1014
1015 /* Restore timestamps on parent (best effort) */
1016 inode_lock(udir);
1017 ovl_set_timestamps(ofs, c->destdir, &c->pstat);
1018 inode_unlock(udir);
1019
1020 ovl_dentry_set_upper_alias(c->dentry);
1021 ovl_dentry_update_reval(c->dentry, ovl_dentry_upper(c->dentry));
1022 }
1023 ovl_end_write(c->dentry);
1024
1025 out:
1026 if (to_index)
1027 kfree(c->destname.name);
1028 out_free_fh:
1029 kfree(fh);
1030 return err;
1031 }
1032
1033 static bool ovl_need_meta_copy_up(struct dentry *dentry, umode_t mode,
1034 int flags)
1035 {
1036 struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
1037
1038 if (!ofs->config.metacopy)
1039 return false;
1040
1041 if (!S_ISREG(mode))
1042 return false;
1043
1044 if (flags && ((OPEN_FMODE(flags) & FMODE_WRITE) || (flags & O_TRUNC)))
1045 return false;
1046
1047 /* Fall back to full copy if no fsverity on source data and we require verity */
1048 if (ofs->config.verity_mode == OVL_VERITY_REQUIRE) {
1049 struct path lowerdata;
1050
1051 ovl_path_lowerdata(dentry, &lowerdata);
1052
1053 if (WARN_ON_ONCE(lowerdata.dentry == NULL) ||
1054 ovl_ensure_verity_loaded(&lowerdata) ||
1055 !fsverity_active(d_inode(lowerdata.dentry))) {
1056 return false;
1057 }
1058 }
1059
1060 return true;
1061 }
1062
1063 static ssize_t ovl_getxattr_value(const struct path *path, char *name, char **value)
1064 {
1065 ssize_t res;
1066 char *buf;
1067
1068 res = ovl_do_getxattr(path, name, NULL, 0);
1069 if (res == -ENODATA || res == -EOPNOTSUPP)
1070 res = 0;
1071
1072 if (res > 0) {
1073 buf = kzalloc(res, GFP_KERNEL);
1074 if (!buf)
1075 return -ENOMEM;
1076
1077 res = ovl_do_getxattr(path, name, buf, res);
1078 if (res < 0)
1079 kfree(buf);
1080 else
1081 *value = buf;
1082 }
1083 return res;
1084 }
1085
1086 /* Copy up data of an inode which was copied up metadata only in the past. */
1087 static int ovl_copy_up_meta_inode_data(struct ovl_copy_up_ctx *c)
1088 {
1089 struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);
1090 struct path upperpath;
1091 int err;
1092 char *capability = NULL;
1093 ssize_t cap_size;
1094
1095 ovl_path_upper(c->dentry, &upperpath);
1096 if (WARN_ON(upperpath.dentry == NULL))
1097 return -EIO;
1098
1099 if (c->stat.size) {
1100 err = cap_size = ovl_getxattr_value(&upperpath, XATTR_NAME_CAPS,
1101 &capability);
1102 if (cap_size < 0)
1103 goto out;
1104 }
1105
1106 err = ovl_copy_up_data(c, &upperpath);
1107 if (err)
1108 goto out_free;
1109
1110 /*
1111 * Writing to upper file will clear security.capability xattr. We
1112 * don't want that to happen for normal copy-up operation.
1113 */
1114 ovl_start_write(c->dentry);
1115 if (capability) {
1116 err = ovl_do_setxattr(ofs, upperpath.dentry, XATTR_NAME_CAPS,
1117 capability, cap_size, 0);
1118 }
1119 if (!err) {
1120 err = ovl_removexattr(ofs, upperpath.dentry,
1121 OVL_XATTR_METACOPY);
1122 }
1123 ovl_end_write(c->dentry);
1124 if (err)
1125 goto out_free;
1126
1127 ovl_clear_flag(OVL_HAS_DIGEST, d_inode(c->dentry));
1128 ovl_clear_flag(OVL_VERIFIED_DIGEST, d_inode(c->dentry));
1129 ovl_set_upperdata(d_inode(c->dentry));
1130 out_free:
1131 kfree(capability);
1132 out:
1133 return err;
1134 }
1135
1136 static int ovl_copy_up_one(struct dentry *parent, struct dentry *dentry,
1137 int flags)
1138 {
1139 int err;
1140 DEFINE_DELAYED_CALL(done);
1141 struct path parentpath;
1142 struct ovl_copy_up_ctx ctx = {
1143 .parent = parent,
1144 .dentry = dentry,
1145 .workdir = ovl_workdir(dentry),
1146 };
1147
1148 if (WARN_ON(!ctx.workdir))
1149 return -EROFS;
1150
1151 ovl_path_lower(dentry, &ctx.lowerpath);
1152 err = vfs_getattr(&ctx.lowerpath, &ctx.stat,
1153 STATX_BASIC_STATS, AT_STATX_SYNC_AS_STAT);
1154 if (err)
1155 return err;
1156
1157 if (!kuid_has_mapping(current_user_ns(), ctx.stat.uid) ||
1158 !kgid_has_mapping(current_user_ns(), ctx.stat.gid))
1159 return -EOVERFLOW;
1160
1161 /*
1162 * With metacopy disabled, we fsync after final metadata copyup, for
1163 * both regular files and directories to get atomic copyup semantics
1164 * on filesystems that do not use strict metadata ordering (e.g. ubifs).
1165 *
1166 * With metacopy enabled we want to avoid fsync on all meta copyup
1167 * that will hurt performance of workloads such as chown -R, so we
1168 * only fsync on data copyup as legacy behavior.
1169 */
1170 ctx.metadata_fsync = !OVL_FS(dentry->d_sb)->config.metacopy &&
1171 (S_ISREG(ctx.stat.mode) || S_ISDIR(ctx.stat.mode));
1172 ctx.metacopy = ovl_need_meta_copy_up(dentry, ctx.stat.mode, flags);
1173
1174 if (parent) {
1175 ovl_path_upper(parent, &parentpath);
1176 ctx.destdir = parentpath.dentry;
1177
1178 err = vfs_getattr(&parentpath, &ctx.pstat,
1179 STATX_ATIME | STATX_MTIME,
1180 AT_STATX_SYNC_AS_STAT);
1181 if (err)
1182 return err;
1183 }
1184
1185 /* maybe truncate regular file. this has no effect on dirs */
1186 if (flags & O_TRUNC)
1187 ctx.stat.size = 0;
1188
1189 if (S_ISLNK(ctx.stat.mode)) {
1190 ctx.link = vfs_get_link(ctx.lowerpath.dentry, &done);
1191 if (IS_ERR(ctx.link))
1192 return PTR_ERR(ctx.link);
1193 }
1194
1195 err = ovl_copy_up_start(dentry, flags);
1196 /* err < 0: interrupted, err > 0: raced with another copy-up */
1197 if (unlikely(err)) {
1198 if (err > 0)
1199 err = 0;
1200 } else {
1201 if (!ovl_dentry_upper(dentry))
1202 err = ovl_do_copy_up(&ctx);
1203 if (!err && parent && !ovl_dentry_has_upper_alias(dentry))
1204 err = ovl_link_up(&ctx);
1205 if (!err && ovl_dentry_needs_data_copy_up_locked(dentry, flags))
1206 err = ovl_copy_up_meta_inode_data(&ctx);
1207 ovl_copy_up_end(dentry);
1208 }
1209 do_delayed_call(&done);
1210
1211 return err;
1212 }
1213
1214 static int ovl_copy_up_flags(struct dentry *dentry, int flags)
1215 {
1216 int err = 0;
1217 const struct cred *old_cred;
1218 bool disconnected = (dentry->d_flags & DCACHE_DISCONNECTED);
1219
1220 /*
1221 * With NFS export, copy up can get called for a disconnected non-dir.
1222 * In this case, we will copy up lower inode to index dir without
1223 * linking it to upper dir.
1224 */
1225 if (WARN_ON(disconnected && d_is_dir(dentry)))
1226 return -EIO;
1227
1228 /*
1229 * We may not need lowerdata if we are only doing metacopy up, but it is
1230 * not very important to optimize this case, so do lazy lowerdata lookup
1231 * before any copy up, so we can do it before taking ovl_inode_lock().
1232 */
1233 err = ovl_verify_lowerdata(dentry);
1234 if (err)
1235 return err;
1236
1237 old_cred = ovl_override_creds(dentry->d_sb);
1238 while (!err) {
1239 struct dentry *next;
1240 struct dentry *parent = NULL;
1241
1242 if (ovl_already_copied_up(dentry, flags))
1243 break;
1244
1245 next = dget(dentry);
1246 /* find the topmost dentry not yet copied up */
1247 for (; !disconnected;) {
1248 parent = dget_parent(next);
1249
1250 if (ovl_dentry_upper(parent))
1251 break;
1252
1253 dput(next);
1254 next = parent;
1255 }
1256
1257 err = ovl_copy_up_one(parent, next, flags);
1258
1259 dput(parent);
1260 dput(next);
1261 }
1262 ovl_revert_creds(old_cred);
1263
1264 return err;
1265 }
1266
1267 static bool ovl_open_need_copy_up(struct dentry *dentry, int flags)
1268 {
1269 /* Copy up of disconnected dentry does not set upper alias */
1270 if (ovl_already_copied_up(dentry, flags))
1271 return false;
1272
1273 if (special_file(d_inode(dentry)->i_mode))
1274 return false;
1275
1276 if (!ovl_open_flags_need_copy_up(flags))
1277 return false;
1278
1279 return true;
1280 }
1281
1282 int ovl_maybe_copy_up(struct dentry *dentry, int flags)
1283 {
1284 if (!ovl_open_need_copy_up(dentry, flags))
1285 return 0;
1286
1287 return ovl_copy_up_flags(dentry, flags);
1288 }
1289
1290 int ovl_copy_up_with_data(struct dentry *dentry)
1291 {
1292 return ovl_copy_up_flags(dentry, O_WRONLY);
1293 }
1294
1295 int ovl_copy_up(struct dentry *dentry)
1296 {
1297 return ovl_copy_up_flags(dentry, 0);
1298 }
Linux kernel stable tree