copy_up.c 31 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. *
  4. * Copyright (C) 2011 Novell Inc.
  5. */
  6. #include <linux/module.h>
  7. #include <linux/fs.h>
  8. #include <linux/slab.h>
  9. #include <linux/file.h>
  10. #include <linux/fileattr.h>
  11. #include <linux/splice.h>
  12. #include <linux/xattr.h>
  13. #include <linux/security.h>
  14. #include <linux/uaccess.h>
  15. #include <linux/sched/signal.h>
  16. #include <linux/cred.h>
  17. #include <linux/namei.h>
  18. #include <linux/ratelimit.h>
  19. #include <linux/exportfs.h>
  20. #include "overlayfs.h"
  21. #define OVL_COPY_UP_CHUNK_SIZE (1 << 20)
  22. static int ovl_ccup_set(const char *buf, const struct kernel_param *param)
  23. {
  24. pr_warn("\"check_copy_up\" module option is obsolete\n");
  25. return 0;
  26. }
  27. static int ovl_ccup_get(char *buf, const struct kernel_param *param)
  28. {
  29. return sprintf(buf, "N\n");
  30. }
  31. module_param_call(check_copy_up, ovl_ccup_set, ovl_ccup_get, NULL, 0644);
  32. MODULE_PARM_DESC(check_copy_up, "Obsolete; does nothing");
  33. static bool ovl_must_copy_xattr(const char *name)
  34. {
  35. return !strcmp(name, XATTR_POSIX_ACL_ACCESS) ||
  36. !strcmp(name, XATTR_POSIX_ACL_DEFAULT) ||
  37. !strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN);
  38. }
  39. static int ovl_copy_acl(struct ovl_fs *ofs, const struct path *path,
  40. struct dentry *dentry, const char *acl_name)
  41. {
  42. int err;
  43. struct posix_acl *clone, *real_acl = NULL;
  44. real_acl = ovl_get_acl_path(path, acl_name, false);
  45. if (!real_acl)
  46. return 0;
  47. if (IS_ERR(real_acl)) {
  48. err = PTR_ERR(real_acl);
  49. if (err == -ENODATA || err == -EOPNOTSUPP)
  50. return 0;
  51. return err;
  52. }
  53. clone = posix_acl_clone(real_acl, GFP_KERNEL);
  54. posix_acl_release(real_acl); /* release original acl */
  55. if (!clone)
  56. return -ENOMEM;
  57. err = ovl_do_set_acl(ofs, dentry, acl_name, clone);
  58. /* release cloned acl */
  59. posix_acl_release(clone);
  60. return err;
  61. }
  62. int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct dentry *new)
  63. {
  64. struct dentry *old = oldpath->dentry;
  65. ssize_t list_size, size, value_size = 0;
  66. char *buf, *name, *value = NULL;
  67. int error = 0;
  68. size_t slen;
  69. if (!old->d_inode->i_op->listxattr || !new->d_inode->i_op->listxattr)
  70. return 0;
  71. list_size = vfs_listxattr(old, NULL, 0);
  72. if (list_size <= 0) {
  73. if (list_size == -EOPNOTSUPP)
  74. return 0;
  75. return list_size;
  76. }
  77. buf = kvzalloc(list_size, GFP_KERNEL);
  78. if (!buf)
  79. return -ENOMEM;
  80. list_size = vfs_listxattr(old, buf, list_size);
  81. if (list_size <= 0) {
  82. error = list_size;
  83. goto out;
  84. }
  85. for (name = buf; list_size; name += slen) {
  86. slen = strnlen(name, list_size) + 1;
  87. /* underlying fs providing us with an broken xattr list? */
  88. if (WARN_ON(slen > list_size)) {
  89. error = -EIO;
  90. break;
  91. }
  92. list_size -= slen;
  93. if (ovl_is_private_xattr(sb, name))
  94. continue;
  95. error = security_inode_copy_up_xattr(old, name);
  96. if (error == -ECANCELED) {
  97. error = 0;
  98. continue; /* Discard */
  99. }
  100. if (error < 0 && error != -EOPNOTSUPP)
  101. break;
  102. if (is_posix_acl_xattr(name)) {
  103. error = ovl_copy_acl(OVL_FS(sb), oldpath, new, name);
  104. if (!error)
  105. continue;
  106. /* POSIX ACLs must be copied. */
  107. break;
  108. }
  109. retry:
  110. size = ovl_do_getxattr(oldpath, name, value, value_size);
  111. if (size == -ERANGE)
  112. size = ovl_do_getxattr(oldpath, name, NULL, 0);
  113. if (size < 0) {
  114. error = size;
  115. break;
  116. }
  117. if (size > value_size) {
  118. void *new;
  119. new = kvmalloc(size, GFP_KERNEL);
  120. if (!new) {
  121. error = -ENOMEM;
  122. break;
  123. }
  124. kvfree(value);
  125. value = new;
  126. value_size = size;
  127. goto retry;
  128. }
  129. error = ovl_do_setxattr(OVL_FS(sb), new, name, value, size, 0);
  130. if (error) {
  131. if (error != -EOPNOTSUPP || ovl_must_copy_xattr(name))
  132. break;
  133. /* Ignore failure to copy unknown xattrs */
  134. error = 0;
  135. }
  136. }
  137. kvfree(value);
  138. out:
  139. kvfree(buf);
  140. return error;
  141. }
  142. static int ovl_copy_fileattr(struct inode *inode, const struct path *old,
  143. const struct path *new)
  144. {
  145. struct file_kattr oldfa = { .flags_valid = true };
  146. struct file_kattr newfa = { .flags_valid = true };
  147. int err;
  148. err = ovl_real_fileattr_get(old, &oldfa);
  149. if (err) {
  150. /* Ntfs-3g returns -EINVAL for "no fileattr support" */
  151. if (err == -ENOTTY || err == -EINVAL)
  152. return 0;
  153. pr_warn("failed to retrieve lower fileattr (%pd2, err=%i)\n",
  154. old->dentry, err);
  155. return err;
  156. }
  157. /*
  158. * We cannot set immutable and append-only flags on upper inode,
  159. * because we would not be able to link upper inode to upper dir
  160. * not set overlay private xattr on upper inode.
  161. * Store these flags in overlay.protattr xattr instead.
  162. */
  163. if (oldfa.flags & OVL_PROT_FS_FLAGS_MASK) {
  164. err = ovl_set_protattr(inode, new->dentry, &oldfa);
  165. if (err == -EPERM)
  166. pr_warn_once("copying fileattr: no xattr on upper\n");
  167. else if (err)
  168. return err;
  169. }
  170. /* Don't bother copying flags if none are set */
  171. if (!(oldfa.flags & OVL_COPY_FS_FLAGS_MASK))
  172. return 0;
  173. err = ovl_real_fileattr_get(new, &newfa);
  174. if (err) {
  175. /*
  176. * Returning an error if upper doesn't support fileattr will
  177. * result in a regression, so revert to the old behavior.
  178. */
  179. if (err == -ENOTTY || err == -EINVAL) {
  180. pr_warn_once("copying fileattr: no support on upper\n");
  181. return 0;
  182. }
  183. pr_warn("failed to retrieve upper fileattr (%pd2, err=%i)\n",
  184. new->dentry, err);
  185. return err;
  186. }
  187. BUILD_BUG_ON(OVL_COPY_FS_FLAGS_MASK & ~FS_COMMON_FL);
  188. newfa.flags &= ~OVL_COPY_FS_FLAGS_MASK;
  189. newfa.flags |= (oldfa.flags & OVL_COPY_FS_FLAGS_MASK);
  190. BUILD_BUG_ON(OVL_COPY_FSX_FLAGS_MASK & ~FS_XFLAG_COMMON);
  191. newfa.fsx_xflags &= ~OVL_COPY_FSX_FLAGS_MASK;
  192. newfa.fsx_xflags |= (oldfa.fsx_xflags & OVL_COPY_FSX_FLAGS_MASK);
  193. return ovl_real_fileattr_set(new, &newfa);
  194. }
  195. static int ovl_verify_area(loff_t pos, loff_t pos2, loff_t len, loff_t totlen)
  196. {
  197. loff_t tmp;
  198. if (pos != pos2)
  199. return -EIO;
  200. if (pos < 0 || len < 0 || totlen < 0)
  201. return -EIO;
  202. if (check_add_overflow(pos, len, &tmp))
  203. return -EIO;
  204. return 0;
  205. }
  206. static int ovl_sync_file(const struct path *path)
  207. {
  208. struct file *new_file;
  209. int err;
  210. new_file = ovl_path_open(path, O_LARGEFILE | O_RDONLY);
  211. if (IS_ERR(new_file))
  212. return PTR_ERR(new_file);
  213. err = vfs_fsync(new_file, 0);
  214. fput(new_file);
  215. return err;
  216. }
  217. static int ovl_copy_up_file(struct ovl_fs *ofs, struct dentry *dentry,
  218. struct file *new_file, loff_t len,
  219. bool datasync)
  220. {
  221. struct path datapath;
  222. struct file *old_file;
  223. loff_t old_pos = 0;
  224. loff_t new_pos = 0;
  225. loff_t cloned;
  226. loff_t data_pos = -1;
  227. loff_t hole_len;
  228. bool skip_hole = false;
  229. int error = 0;
  230. ovl_path_lowerdata(dentry, &datapath);
  231. if (WARN_ON_ONCE(datapath.dentry == NULL) ||
  232. WARN_ON_ONCE(len < 0))
  233. return -EIO;
  234. old_file = ovl_path_open(&datapath, O_LARGEFILE | O_RDONLY);
  235. if (IS_ERR(old_file))
  236. return PTR_ERR(old_file);
  237. /* Try to use clone_file_range to clone up within the same fs */
  238. cloned = vfs_clone_file_range(old_file, 0, new_file, 0, len, 0);
  239. if (cloned == len)
  240. goto out_fput;
  241. /* Couldn't clone, so now we try to copy the data */
  242. error = rw_verify_area(READ, old_file, &old_pos, len);
  243. if (!error)
  244. error = rw_verify_area(WRITE, new_file, &new_pos, len);
  245. if (error)
  246. goto out_fput;
  247. /* Check if lower fs supports seek operation */
  248. if (old_file->f_mode & FMODE_LSEEK)
  249. skip_hole = true;
  250. while (len) {
  251. size_t this_len = OVL_COPY_UP_CHUNK_SIZE;
  252. ssize_t bytes;
  253. if (len < this_len)
  254. this_len = len;
  255. if (signal_pending_state(TASK_KILLABLE, current)) {
  256. error = -EINTR;
  257. break;
  258. }
  259. /*
  260. * Fill zero for hole will cost unnecessary disk space
  261. * and meanwhile slow down the copy-up speed, so we do
  262. * an optimization for hole during copy-up, it relies
  263. * on SEEK_DATA implementation in lower fs so if lower
  264. * fs does not support it, copy-up will behave as before.
  265. *
  266. * Detail logic of hole detection as below:
  267. * When we detect next data position is larger than current
  268. * position we will skip that hole, otherwise we copy
  269. * data in the size of OVL_COPY_UP_CHUNK_SIZE. Actually,
  270. * it may not recognize all kind of holes and sometimes
  271. * only skips partial of hole area. However, it will be
  272. * enough for most of the use cases.
  273. *
  274. * We do not hold upper sb_writers throughout the loop to avert
  275. * lockdep warning with llseek of lower file in nested overlay:
  276. * - upper sb_writers
  277. * -- lower ovl_inode_lock (ovl_llseek)
  278. */
  279. if (skip_hole && data_pos < old_pos) {
  280. data_pos = vfs_llseek(old_file, old_pos, SEEK_DATA);
  281. if (data_pos > old_pos) {
  282. hole_len = data_pos - old_pos;
  283. len -= hole_len;
  284. old_pos = new_pos = data_pos;
  285. continue;
  286. } else if (data_pos == -ENXIO) {
  287. break;
  288. } else if (data_pos < 0) {
  289. skip_hole = false;
  290. }
  291. }
  292. error = ovl_verify_area(old_pos, new_pos, this_len, len);
  293. if (error)
  294. break;
  295. bytes = do_splice_direct(old_file, &old_pos,
  296. new_file, &new_pos,
  297. this_len, SPLICE_F_MOVE);
  298. if (bytes <= 0) {
  299. error = bytes;
  300. break;
  301. }
  302. WARN_ON(old_pos != new_pos);
  303. len -= bytes;
  304. }
  305. /* call fsync once, either now or later along with metadata */
  306. if (!error && ovl_should_sync(ofs) && datasync)
  307. error = vfs_fsync(new_file, 0);
  308. out_fput:
  309. fput(old_file);
  310. return error;
  311. }
  312. static int ovl_set_size(struct ovl_fs *ofs,
  313. struct dentry *upperdentry, struct kstat *stat)
  314. {
  315. struct iattr attr = {
  316. .ia_valid = ATTR_SIZE,
  317. .ia_size = stat->size,
  318. };
  319. return ovl_do_notify_change(ofs, upperdentry, &attr);
  320. }
  321. static int ovl_set_timestamps(struct ovl_fs *ofs, struct dentry *upperdentry,
  322. struct kstat *stat)
  323. {
  324. struct iattr attr = {
  325. .ia_valid =
  326. ATTR_ATIME | ATTR_MTIME | ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_CTIME,
  327. .ia_atime = stat->atime,
  328. .ia_mtime = stat->mtime,
  329. };
  330. return ovl_do_notify_change(ofs, upperdentry, &attr);
  331. }
  332. int ovl_set_attr(struct ovl_fs *ofs, struct dentry *upperdentry,
  333. struct kstat *stat)
  334. {
  335. int err = 0;
  336. if (!S_ISLNK(stat->mode)) {
  337. struct iattr attr = {
  338. .ia_valid = ATTR_MODE,
  339. .ia_mode = stat->mode,
  340. };
  341. err = ovl_do_notify_change(ofs, upperdentry, &attr);
  342. }
  343. if (!err) {
  344. struct iattr attr = {
  345. .ia_valid = ATTR_UID | ATTR_GID,
  346. .ia_vfsuid = VFSUIDT_INIT(stat->uid),
  347. .ia_vfsgid = VFSGIDT_INIT(stat->gid),
  348. };
  349. err = ovl_do_notify_change(ofs, upperdentry, &attr);
  350. }
  351. if (!err)
  352. ovl_set_timestamps(ofs, upperdentry, stat);
  353. return err;
  354. }
  355. struct ovl_fh *ovl_encode_real_fh(struct ovl_fs *ofs, struct inode *realinode,
  356. bool is_upper)
  357. {
  358. struct ovl_fh *fh;
  359. int fh_type, dwords;
  360. int buflen = MAX_HANDLE_SZ;
  361. uuid_t *uuid = &realinode->i_sb->s_uuid;
  362. int err;
  363. /* Make sure the real fid stays 32bit aligned */
  364. BUILD_BUG_ON(OVL_FH_FID_OFFSET % 4);
  365. BUILD_BUG_ON(MAX_HANDLE_SZ + OVL_FH_FID_OFFSET > 255);
  366. fh = kzalloc(buflen + OVL_FH_FID_OFFSET, GFP_KERNEL);
  367. if (!fh)
  368. return ERR_PTR(-ENOMEM);
  369. /*
  370. * We encode a non-connectable file handle for non-dir, because we
  371. * only need to find the lower inode number and we don't want to pay
  372. * the price or reconnecting the dentry.
  373. */
  374. dwords = buflen >> 2;
  375. fh_type = exportfs_encode_inode_fh(realinode, (void *)fh->fb.fid,
  376. &dwords, NULL, 0);
  377. buflen = (dwords << 2);
  378. err = -EIO;
  379. if (fh_type < 0 || fh_type == FILEID_INVALID ||
  380. WARN_ON(buflen > MAX_HANDLE_SZ))
  381. goto out_err;
  382. fh->fb.version = OVL_FH_VERSION;
  383. fh->fb.magic = OVL_FH_MAGIC;
  384. fh->fb.type = fh_type;
  385. fh->fb.flags = OVL_FH_FLAG_CPU_ENDIAN;
  386. /*
  387. * When we will want to decode an overlay dentry from this handle
  388. * and all layers are on the same fs, if we get a disconncted real
  389. * dentry when we decode fid, the only way to tell if we should assign
  390. * it to upperdentry or to lowerstack is by checking this flag.
  391. */
  392. if (is_upper)
  393. fh->fb.flags |= OVL_FH_FLAG_PATH_UPPER;
  394. fh->fb.len = sizeof(fh->fb) + buflen;
  395. if (ovl_origin_uuid(ofs))
  396. fh->fb.uuid = *uuid;
  397. return fh;
  398. out_err:
  399. kfree(fh);
  400. return ERR_PTR(err);
  401. }
  402. struct ovl_fh *ovl_get_origin_fh(struct ovl_fs *ofs, struct dentry *origin)
  403. {
  404. /*
  405. * When lower layer doesn't support export operations store a 'null' fh,
  406. * so we can use the overlay.origin xattr to distignuish between a copy
  407. * up and a pure upper inode.
  408. */
  409. if (!ovl_can_decode_fh(origin->d_sb))
  410. return NULL;
  411. return ovl_encode_real_fh(ofs, d_inode(origin), false);
  412. }
  413. int ovl_set_origin_fh(struct ovl_fs *ofs, const struct ovl_fh *fh,
  414. struct dentry *upper)
  415. {
  416. int err;
  417. /*
  418. * Do not fail when upper doesn't support xattrs.
  419. */
  420. err = ovl_check_setxattr(ofs, upper, OVL_XATTR_ORIGIN, fh->buf,
  421. fh ? fh->fb.len : 0, 0);
  422. /* Ignore -EPERM from setting "user.*" on symlink/special */
  423. return err == -EPERM ? 0 : err;
  424. }
  425. /* Store file handle of @upper dir in @index dir entry */
  426. static int ovl_set_upper_fh(struct ovl_fs *ofs, struct dentry *upper,
  427. struct dentry *index)
  428. {
  429. const struct ovl_fh *fh;
  430. int err;
  431. fh = ovl_encode_real_fh(ofs, d_inode(upper), true);
  432. if (IS_ERR(fh))
  433. return PTR_ERR(fh);
  434. err = ovl_setxattr(ofs, index, OVL_XATTR_UPPER, fh->buf, fh->fb.len);
  435. kfree(fh);
  436. return err;
  437. }
  438. /*
  439. * Create and install index entry.
  440. */
  441. static int ovl_create_index(struct dentry *dentry, const struct ovl_fh *fh,
  442. struct dentry *upper)
  443. {
  444. struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
  445. struct dentry *indexdir = ovl_indexdir(dentry->d_sb);
  446. struct dentry *temp = NULL;
  447. struct renamedata rd = {};
  448. struct qstr name = { };
  449. int err;
  450. /*
  451. * For now this is only used for creating index entry for directories,
  452. * because non-dir are copied up directly to index and then hardlinked
  453. * to upper dir.
  454. *
  455. * TODO: implement create index for non-dir, so we can call it when
  456. * encoding file handle for non-dir in case index does not exist.
  457. */
  458. if (WARN_ON(!d_is_dir(dentry)))
  459. return -EIO;
  460. /* Directory not expected to be indexed before copy up */
  461. if (WARN_ON(ovl_test_flag(OVL_INDEX, d_inode(dentry))))
  462. return -EIO;
  463. err = ovl_get_index_name_fh(fh, &name);
  464. if (err)
  465. return err;
  466. temp = ovl_create_temp(ofs, indexdir, OVL_CATTR(S_IFDIR | 0));
  467. err = PTR_ERR(temp);
  468. if (IS_ERR(temp))
  469. goto free_name;
  470. err = ovl_set_upper_fh(ofs, upper, temp);
  471. if (err)
  472. goto out;
  473. rd.mnt_idmap = ovl_upper_mnt_idmap(ofs);
  474. rd.old_parent = indexdir;
  475. rd.new_parent = indexdir;
  476. err = start_renaming_dentry(&rd, 0, temp, &name);
  477. if (err)
  478. goto out;
  479. err = ovl_do_rename_rd(&rd);
  480. end_renaming(&rd);
  481. out:
  482. if (err)
  483. ovl_cleanup(ofs, indexdir, temp);
  484. dput(temp);
  485. free_name:
  486. kfree(name.name);
  487. return err;
  488. }
  489. struct ovl_copy_up_ctx {
  490. struct dentry *parent;
  491. struct dentry *dentry;
  492. struct path lowerpath;
  493. struct kstat stat;
  494. struct kstat pstat;
  495. const char *link;
  496. struct dentry *destdir;
  497. struct qstr destname;
  498. struct dentry *workdir;
  499. const struct ovl_fh *origin_fh;
  500. bool origin;
  501. bool indexed;
  502. bool metacopy;
  503. bool metacopy_digest;
  504. bool metadata_fsync;
  505. };
  506. static int ovl_link_up(struct ovl_copy_up_ctx *c)
  507. {
  508. int err;
  509. struct dentry *upper;
  510. struct dentry *upperdir = ovl_dentry_upper(c->parent);
  511. struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);
  512. struct inode *udir = d_inode(upperdir);
  513. ovl_start_write(c->dentry);
  514. /* Mark parent "impure" because it may now contain non-pure upper */
  515. err = ovl_set_impure(c->parent, upperdir);
  516. if (err)
  517. goto out;
  518. err = ovl_set_nlink_lower(c->dentry);
  519. if (err)
  520. goto out;
  521. upper = ovl_start_creating_upper(ofs, upperdir,
  522. &QSTR_LEN(c->dentry->d_name.name,
  523. c->dentry->d_name.len));
  524. err = PTR_ERR(upper);
  525. if (!IS_ERR(upper)) {
  526. err = ovl_do_link(ofs, ovl_dentry_upper(c->dentry), udir, upper);
  527. if (!err) {
  528. /* Restore timestamps on parent (best effort) */
  529. ovl_set_timestamps(ofs, upperdir, &c->pstat);
  530. ovl_dentry_set_upper_alias(c->dentry);
  531. ovl_dentry_update_reval(c->dentry, upper);
  532. }
  533. end_creating(upper);
  534. }
  535. if (err)
  536. goto out;
  537. err = ovl_set_nlink_upper(c->dentry);
  538. out:
  539. ovl_end_write(c->dentry);
  540. return err;
  541. }
  542. static int ovl_copy_up_data(struct ovl_copy_up_ctx *c, const struct path *temp)
  543. {
  544. struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);
  545. struct file *new_file;
  546. int err;
  547. if (!S_ISREG(c->stat.mode) || c->metacopy || !c->stat.size)
  548. return 0;
  549. new_file = ovl_path_open(temp, O_LARGEFILE | O_WRONLY);
  550. if (IS_ERR(new_file))
  551. return PTR_ERR(new_file);
  552. err = ovl_copy_up_file(ofs, c->dentry, new_file, c->stat.size,
  553. !c->metadata_fsync);
  554. fput(new_file);
  555. return err;
  556. }
  557. static int ovl_copy_up_metadata(struct ovl_copy_up_ctx *c, struct dentry *temp)
  558. {
  559. struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);
  560. struct inode *inode = d_inode(c->dentry);
  561. struct path upperpath = { .mnt = ovl_upper_mnt(ofs), .dentry = temp };
  562. int err;
  563. err = ovl_copy_xattr(c->dentry->d_sb, &c->lowerpath, temp);
  564. if (err)
  565. return err;
  566. if (inode->i_flags & OVL_FATTR_I_FLAGS_MASK &&
  567. (S_ISREG(c->stat.mode) || S_ISDIR(c->stat.mode))) {
  568. /*
  569. * Copy the fileattr inode flags that are the source of already
  570. * copied i_flags
  571. */
  572. err = ovl_copy_fileattr(inode, &c->lowerpath, &upperpath);
  573. if (err)
  574. return err;
  575. }
  576. /*
  577. * Store identifier of lower inode in upper inode xattr to
  578. * allow lookup of the copy up origin inode.
  579. *
  580. * Don't set origin when we are breaking the association with a lower
  581. * hard link.
  582. */
  583. if (c->origin) {
  584. err = ovl_set_origin_fh(ofs, c->origin_fh, temp);
  585. if (err)
  586. return err;
  587. }
  588. if (c->metacopy) {
  589. struct path lowerdatapath;
  590. struct ovl_metacopy metacopy_data = OVL_METACOPY_INIT;
  591. ovl_path_lowerdata(c->dentry, &lowerdatapath);
  592. if (WARN_ON_ONCE(lowerdatapath.dentry == NULL))
  593. return -EIO;
  594. err = ovl_get_verity_digest(ofs, &lowerdatapath, &metacopy_data);
  595. if (err)
  596. return err;
  597. if (metacopy_data.digest_algo)
  598. c->metacopy_digest = true;
  599. err = ovl_set_metacopy_xattr(ofs, temp, &metacopy_data);
  600. if (err)
  601. return err;
  602. }
  603. inode_lock(temp->d_inode);
  604. if (S_ISREG(c->stat.mode))
  605. err = ovl_set_size(ofs, temp, &c->stat);
  606. if (!err)
  607. err = ovl_set_attr(ofs, temp, &c->stat);
  608. inode_unlock(temp->d_inode);
  609. /* fsync metadata before moving it into upper dir */
  610. if (!err && ovl_should_sync(ofs) && c->metadata_fsync)
  611. err = ovl_sync_file(&upperpath);
  612. return err;
  613. }
  614. static const struct cred *ovl_prepare_copy_up_creds(struct dentry *dentry)
  615. {
  616. struct cred *copy_up_cred = NULL;
  617. int err;
  618. err = security_inode_copy_up(dentry, &copy_up_cred);
  619. if (err < 0)
  620. return ERR_PTR(err);
  621. if (!copy_up_cred)
  622. return NULL;
  623. return override_creds(copy_up_cred);
  624. }
  625. static void ovl_revert_copy_up_creds(const struct cred *orig_cred)
  626. {
  627. const struct cred *copy_up_cred;
  628. copy_up_cred = revert_creds(orig_cred);
  629. put_cred(copy_up_cred);
  630. }
  631. DEFINE_CLASS(copy_up_creds, const struct cred *,
  632. if (!IS_ERR_OR_NULL(_T)) ovl_revert_copy_up_creds(_T),
  633. ovl_prepare_copy_up_creds(dentry), struct dentry *dentry)
  634. /*
  635. * Copyup using workdir to prepare temp file. Used when copying up directories,
  636. * special files or when upper fs doesn't support O_TMPFILE.
  637. */
  638. static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
  639. {
  640. struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);
  641. struct inode *inode;
  642. struct path path = { .mnt = ovl_upper_mnt(ofs) };
  643. struct renamedata rd = {};
  644. struct dentry *temp;
  645. int err;
  646. struct ovl_cattr cattr = {
  647. /* Can't properly set mode on creation because of the umask */
  648. .mode = c->stat.mode & S_IFMT,
  649. .rdev = c->stat.rdev,
  650. .link = c->link
  651. };
  652. scoped_class(copy_up_creds, copy_up_creds, c->dentry) {
  653. if (IS_ERR(copy_up_creds))
  654. return PTR_ERR(copy_up_creds);
  655. ovl_start_write(c->dentry);
  656. temp = ovl_create_temp(ofs, c->workdir, &cattr);
  657. ovl_end_write(c->dentry);
  658. }
  659. if (IS_ERR(temp))
  660. return PTR_ERR(temp);
  661. /*
  662. * Copy up data first and then xattrs. Writing data after
  663. * xattrs will remove security.capability xattr automatically.
  664. */
  665. path.dentry = temp;
  666. err = ovl_copy_up_data(c, &path);
  667. ovl_start_write(c->dentry);
  668. if (err)
  669. goto cleanup_unlocked;
  670. if (S_ISDIR(c->stat.mode) && c->indexed) {
  671. err = ovl_create_index(c->dentry, c->origin_fh, temp);
  672. if (err)
  673. goto cleanup_unlocked;
  674. }
  675. /*
  676. * We cannot hold lock_rename() throughout this helper, because of
  677. * lock ordering with sb_writers, which shouldn't be held when calling
  678. * ovl_copy_up_data(), so lock workdir and destdir and make sure that
  679. * temp wasn't moved before copy up completion or cleanup.
  680. */
  681. rd.mnt_idmap = ovl_upper_mnt_idmap(ofs);
  682. rd.old_parent = c->workdir;
  683. rd.new_parent = c->destdir;
  684. rd.flags = 0;
  685. err = start_renaming_dentry(&rd, 0, temp,
  686. &QSTR_LEN(c->destname.name, c->destname.len));
  687. if (err) {
  688. /* temp or workdir moved underneath us? map to -EIO */
  689. err = -EIO;
  690. }
  691. if (err)
  692. goto cleanup_unlocked;
  693. err = ovl_copy_up_metadata(c, temp);
  694. if (!err)
  695. err = ovl_do_rename_rd(&rd);
  696. end_renaming(&rd);
  697. if (err)
  698. goto cleanup_unlocked;
  699. inode = d_inode(c->dentry);
  700. if (c->metacopy_digest)
  701. ovl_set_flag(OVL_HAS_DIGEST, inode);
  702. else
  703. ovl_clear_flag(OVL_HAS_DIGEST, inode);
  704. ovl_clear_flag(OVL_VERIFIED_DIGEST, inode);
  705. if (!c->metacopy)
  706. ovl_set_upperdata(inode);
  707. ovl_inode_update(inode, temp);
  708. if (S_ISDIR(inode->i_mode))
  709. ovl_set_flag(OVL_WHITEOUTS, inode);
  710. out:
  711. ovl_end_write(c->dentry);
  712. return err;
  713. cleanup_unlocked:
  714. ovl_cleanup(ofs, c->workdir, temp);
  715. dput(temp);
  716. goto out;
  717. }
  718. /* Copyup using O_TMPFILE which does not require cross dir locking */
  719. static int ovl_copy_up_tmpfile(struct ovl_copy_up_ctx *c)
  720. {
  721. struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);
  722. struct inode *udir = d_inode(c->destdir);
  723. struct dentry *temp, *upper;
  724. struct file *tmpfile;
  725. int err;
  726. scoped_class(copy_up_creds, copy_up_creds, c->dentry) {
  727. if (IS_ERR(copy_up_creds))
  728. return PTR_ERR(copy_up_creds);
  729. ovl_start_write(c->dentry);
  730. tmpfile = ovl_do_tmpfile(ofs, c->workdir, c->stat.mode);
  731. ovl_end_write(c->dentry);
  732. }
  733. if (IS_ERR(tmpfile))
  734. return PTR_ERR(tmpfile);
  735. temp = tmpfile->f_path.dentry;
  736. if (!c->metacopy && c->stat.size) {
  737. err = ovl_copy_up_file(ofs, c->dentry, tmpfile, c->stat.size,
  738. !c->metadata_fsync);
  739. if (err)
  740. goto out_fput;
  741. }
  742. ovl_start_write(c->dentry);
  743. err = ovl_copy_up_metadata(c, temp);
  744. if (err)
  745. goto out;
  746. upper = ovl_start_creating_upper(ofs, c->destdir,
  747. &QSTR_LEN(c->destname.name,
  748. c->destname.len));
  749. err = PTR_ERR(upper);
  750. if (!IS_ERR(upper)) {
  751. err = ovl_do_link(ofs, temp, udir, upper);
  752. end_creating(upper);
  753. }
  754. if (err)
  755. goto out;
  756. if (c->metacopy_digest)
  757. ovl_set_flag(OVL_HAS_DIGEST, d_inode(c->dentry));
  758. else
  759. ovl_clear_flag(OVL_HAS_DIGEST, d_inode(c->dentry));
  760. ovl_clear_flag(OVL_VERIFIED_DIGEST, d_inode(c->dentry));
  761. if (!c->metacopy)
  762. ovl_set_upperdata(d_inode(c->dentry));
  763. ovl_inode_update(d_inode(c->dentry), dget(temp));
  764. out:
  765. ovl_end_write(c->dentry);
  766. out_fput:
  767. fput(tmpfile);
  768. return err;
  769. }
  770. /*
  771. * Copy up a single dentry
  772. *
  773. * All renames start with copy up of source if necessary. The actual
  774. * rename will only proceed once the copy up was successful. Copy up uses
  775. * upper parent i_mutex for exclusion. Since rename can change d_parent it
  776. * is possible that the copy up will lock the old parent. At that point
  777. * the file will have already been copied up anyway.
  778. */
  779. static int ovl_do_copy_up(struct ovl_copy_up_ctx *c)
  780. {
  781. int err;
  782. struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);
  783. struct dentry *origin = c->lowerpath.dentry;
  784. struct ovl_fh *fh = NULL;
  785. bool to_index = false;
  786. /*
  787. * Indexed non-dir is copied up directly to the index entry and then
  788. * hardlinked to upper dir. Indexed dir is copied up to indexdir,
  789. * then index entry is created and then copied up dir installed.
  790. * Copying dir up to indexdir instead of workdir simplifies locking.
  791. */
  792. if (ovl_need_index(c->dentry)) {
  793. c->indexed = true;
  794. if (S_ISDIR(c->stat.mode))
  795. c->workdir = ovl_indexdir(c->dentry->d_sb);
  796. else
  797. to_index = true;
  798. }
  799. if (S_ISDIR(c->stat.mode) || c->stat.nlink == 1 || to_index) {
  800. fh = ovl_get_origin_fh(ofs, origin);
  801. if (IS_ERR(fh))
  802. return PTR_ERR(fh);
  803. /* origin_fh may be NULL */
  804. c->origin_fh = fh;
  805. c->origin = true;
  806. }
  807. if (to_index) {
  808. c->destdir = ovl_indexdir(c->dentry->d_sb);
  809. err = ovl_get_index_name(ofs, origin, &c->destname);
  810. if (err)
  811. goto out_free_fh;
  812. } else if (WARN_ON(!c->parent)) {
  813. /* Disconnected dentry must be copied up to index dir */
  814. err = -EIO;
  815. goto out_free_fh;
  816. } else {
  817. /*
  818. * c->dentry->d_name is stabilzed by ovl_copy_up_start(),
  819. * because if we got here, it means that c->dentry has no upper
  820. * alias and changing ->d_name means going through ovl_rename()
  821. * that will call ovl_copy_up() on source and target dentry.
  822. */
  823. c->destname = c->dentry->d_name;
  824. /*
  825. * Mark parent "impure" because it may now contain non-pure
  826. * upper
  827. */
  828. ovl_start_write(c->dentry);
  829. err = ovl_set_impure(c->parent, c->destdir);
  830. ovl_end_write(c->dentry);
  831. if (err)
  832. goto out_free_fh;
  833. }
  834. /* Should we copyup with O_TMPFILE or with workdir? */
  835. if (S_ISREG(c->stat.mode) && ofs->tmpfile)
  836. err = ovl_copy_up_tmpfile(c);
  837. else
  838. err = ovl_copy_up_workdir(c);
  839. if (err)
  840. goto out;
  841. if (c->indexed)
  842. ovl_set_flag(OVL_INDEX, d_inode(c->dentry));
  843. ovl_start_write(c->dentry);
  844. if (to_index) {
  845. /* Initialize nlink for copy up of disconnected dentry */
  846. err = ovl_set_nlink_upper(c->dentry);
  847. } else {
  848. struct inode *udir = d_inode(c->destdir);
  849. /* Restore timestamps on parent (best effort) */
  850. inode_lock(udir);
  851. ovl_set_timestamps(ofs, c->destdir, &c->pstat);
  852. inode_unlock(udir);
  853. ovl_dentry_set_upper_alias(c->dentry);
  854. ovl_dentry_update_reval(c->dentry, ovl_dentry_upper(c->dentry));
  855. }
  856. ovl_end_write(c->dentry);
  857. out:
  858. if (to_index)
  859. kfree(c->destname.name);
  860. out_free_fh:
  861. kfree(fh);
  862. return err;
  863. }
  864. static bool ovl_need_meta_copy_up(struct dentry *dentry, umode_t mode,
  865. int flags)
  866. {
  867. struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
  868. if (!ofs->config.metacopy)
  869. return false;
  870. if (!S_ISREG(mode))
  871. return false;
  872. if (flags && ((OPEN_FMODE(flags) & FMODE_WRITE) || (flags & O_TRUNC)))
  873. return false;
  874. /* Fall back to full copy if no fsverity on source data and we require verity */
  875. if (ofs->config.verity_mode == OVL_VERITY_REQUIRE) {
  876. struct path lowerdata;
  877. ovl_path_lowerdata(dentry, &lowerdata);
  878. if (WARN_ON_ONCE(lowerdata.dentry == NULL) ||
  879. ovl_ensure_verity_loaded(&lowerdata) ||
  880. !fsverity_active(d_inode(lowerdata.dentry))) {
  881. return false;
  882. }
  883. }
  884. return true;
  885. }
  886. static ssize_t ovl_getxattr_value(const struct path *path, char *name, char **value)
  887. {
  888. ssize_t res;
  889. char *buf;
  890. res = ovl_do_getxattr(path, name, NULL, 0);
  891. if (res == -ENODATA || res == -EOPNOTSUPP)
  892. res = 0;
  893. if (res > 0) {
  894. buf = kzalloc(res, GFP_KERNEL);
  895. if (!buf)
  896. return -ENOMEM;
  897. res = ovl_do_getxattr(path, name, buf, res);
  898. if (res < 0)
  899. kfree(buf);
  900. else
  901. *value = buf;
  902. }
  903. return res;
  904. }
  905. /* Copy up data of an inode which was copied up metadata only in the past. */
  906. static int ovl_copy_up_meta_inode_data(struct ovl_copy_up_ctx *c)
  907. {
  908. struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);
  909. struct path upperpath;
  910. int err;
  911. char *capability = NULL;
  912. ssize_t cap_size;
  913. ovl_path_upper(c->dentry, &upperpath);
  914. if (WARN_ON(upperpath.dentry == NULL))
  915. return -EIO;
  916. if (c->stat.size) {
  917. err = cap_size = ovl_getxattr_value(&upperpath, XATTR_NAME_CAPS,
  918. &capability);
  919. if (cap_size < 0)
  920. goto out;
  921. }
  922. err = ovl_copy_up_data(c, &upperpath);
  923. if (err)
  924. goto out_free;
  925. /*
  926. * Writing to upper file will clear security.capability xattr. We
  927. * don't want that to happen for normal copy-up operation.
  928. */
  929. ovl_start_write(c->dentry);
  930. if (capability) {
  931. err = ovl_do_setxattr(ofs, upperpath.dentry, XATTR_NAME_CAPS,
  932. capability, cap_size, 0);
  933. }
  934. if (!err) {
  935. err = ovl_removexattr(ofs, upperpath.dentry,
  936. OVL_XATTR_METACOPY);
  937. }
  938. ovl_end_write(c->dentry);
  939. if (err)
  940. goto out_free;
  941. ovl_clear_flag(OVL_HAS_DIGEST, d_inode(c->dentry));
  942. ovl_clear_flag(OVL_VERIFIED_DIGEST, d_inode(c->dentry));
  943. ovl_set_upperdata(d_inode(c->dentry));
  944. out_free:
  945. kfree(capability);
  946. out:
  947. return err;
  948. }
  949. static int ovl_copy_up_one(struct dentry *parent, struct dentry *dentry,
  950. int flags)
  951. {
  952. int err;
  953. DEFINE_DELAYED_CALL(done);
  954. struct path parentpath;
  955. struct ovl_copy_up_ctx ctx = {
  956. .parent = parent,
  957. .dentry = dentry,
  958. .workdir = ovl_workdir(dentry),
  959. };
  960. if (WARN_ON(!ctx.workdir))
  961. return -EROFS;
  962. ovl_path_lower(dentry, &ctx.lowerpath);
  963. err = vfs_getattr(&ctx.lowerpath, &ctx.stat,
  964. STATX_BASIC_STATS, AT_STATX_SYNC_AS_STAT);
  965. if (err)
  966. return err;
  967. if (!kuid_has_mapping(current_user_ns(), ctx.stat.uid) ||
  968. !kgid_has_mapping(current_user_ns(), ctx.stat.gid))
  969. return -EOVERFLOW;
  970. /*
  971. * With "fsync=strict", we fsync after final metadata copyup, for
  972. * both regular files and directories to get atomic copyup semantics
  973. * on filesystems that do not use strict metadata ordering (e.g. ubifs).
  974. *
  975. * By default, we want to avoid fsync on all meta copyup, because
  976. * that will hurt performance of workloads such as chown -R, so we
  977. * only fsync on data copyup as legacy behavior.
  978. */
  979. ctx.metadata_fsync = ovl_should_sync_metadata(OVL_FS(dentry->d_sb)) &&
  980. (S_ISREG(ctx.stat.mode) || S_ISDIR(ctx.stat.mode));
  981. ctx.metacopy = ovl_need_meta_copy_up(dentry, ctx.stat.mode, flags);
  982. if (parent) {
  983. ovl_path_upper(parent, &parentpath);
  984. ctx.destdir = parentpath.dentry;
  985. err = vfs_getattr(&parentpath, &ctx.pstat,
  986. STATX_ATIME | STATX_MTIME,
  987. AT_STATX_SYNC_AS_STAT);
  988. if (err)
  989. return err;
  990. }
  991. /* maybe truncate regular file. this has no effect on dirs */
  992. if (flags & O_TRUNC)
  993. ctx.stat.size = 0;
  994. if (S_ISLNK(ctx.stat.mode)) {
  995. ctx.link = vfs_get_link(ctx.lowerpath.dentry, &done);
  996. if (IS_ERR(ctx.link))
  997. return PTR_ERR(ctx.link);
  998. }
  999. err = ovl_copy_up_start(dentry, flags);
  1000. /* err < 0: interrupted, err > 0: raced with another copy-up */
  1001. if (unlikely(err)) {
  1002. if (err > 0)
  1003. err = 0;
  1004. } else {
  1005. if (!ovl_dentry_upper(dentry))
  1006. err = ovl_do_copy_up(&ctx);
  1007. if (!err && parent && !ovl_dentry_has_upper_alias(dentry))
  1008. err = ovl_link_up(&ctx);
  1009. if (!err && ovl_dentry_needs_data_copy_up_locked(dentry, flags))
  1010. err = ovl_copy_up_meta_inode_data(&ctx);
  1011. ovl_copy_up_end(dentry);
  1012. }
  1013. do_delayed_call(&done);
  1014. return err;
  1015. }
  1016. static int ovl_copy_up_flags(struct dentry *dentry, int flags)
  1017. {
  1018. int err = 0;
  1019. bool disconnected = (dentry->d_flags & DCACHE_DISCONNECTED);
  1020. /*
  1021. * With NFS export, copy up can get called for a disconnected non-dir.
  1022. * In this case, we will copy up lower inode to index dir without
  1023. * linking it to upper dir.
  1024. */
  1025. if (WARN_ON(disconnected && d_is_dir(dentry)))
  1026. return -EIO;
  1027. /*
  1028. * We may not need lowerdata if we are only doing metacopy up, but it is
  1029. * not very important to optimize this case, so do lazy lowerdata lookup
  1030. * before any copy up, so we can do it before taking ovl_inode_lock().
  1031. */
  1032. err = ovl_verify_lowerdata(dentry);
  1033. if (err)
  1034. return err;
  1035. while (!err) {
  1036. struct dentry *next;
  1037. struct dentry *parent = NULL;
  1038. if (ovl_already_copied_up(dentry, flags))
  1039. break;
  1040. next = dget(dentry);
  1041. /* find the topmost dentry not yet copied up */
  1042. for (; !disconnected;) {
  1043. parent = dget_parent(next);
  1044. if (ovl_dentry_upper(parent))
  1045. break;
  1046. dput(next);
  1047. next = parent;
  1048. }
  1049. with_ovl_creds(dentry->d_sb)
  1050. err = ovl_copy_up_one(parent, next, flags);
  1051. dput(parent);
  1052. dput(next);
  1053. }
  1054. return err;
  1055. }
  1056. static bool ovl_open_need_copy_up(struct dentry *dentry, int flags)
  1057. {
  1058. /* Copy up of disconnected dentry does not set upper alias */
  1059. if (ovl_already_copied_up(dentry, flags))
  1060. return false;
  1061. if (special_file(d_inode(dentry)->i_mode))
  1062. return false;
  1063. if (!ovl_open_flags_need_copy_up(flags))
  1064. return false;
  1065. return true;
  1066. }
  1067. int ovl_maybe_copy_up(struct dentry *dentry, int flags)
  1068. {
  1069. if (!ovl_open_need_copy_up(dentry, flags))
  1070. return 0;
  1071. return ovl_copy_up_flags(dentry, flags);
  1072. }
  1073. int ovl_copy_up_with_data(struct dentry *dentry)
  1074. {
  1075. return ovl_copy_up_flags(dentry, O_WRONLY);
  1076. }
  1077. int ovl_copy_up(struct dentry *dentry)
  1078. {
  1079. return ovl_copy_up_flags(dentry, 0);
  1080. }