2019-06-04 10:11:33 +02:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0-only */
|
2016-12-16 11:02:56 +01:00
|
|
|
/*
|
|
|
|
*
|
|
|
|
* Copyright (C) 2011 Novell Inc.
|
|
|
|
* Copyright (C) 2016 Red Hat, Inc.
|
|
|
|
*/
|
|
|
|
|
|
|
|
struct ovl_config {
|
|
|
|
char *upperdir;
|
|
|
|
char *workdir;
|
2023-10-02 14:21:49 +03:00
|
|
|
char **lowerdirs;
|
2016-12-16 11:02:56 +01:00
|
|
|
bool default_permissions;
|
2023-06-17 09:42:36 +03:00
|
|
|
int redirect_mode;
|
2023-04-19 13:44:21 +02:00
|
|
|
int verity_mode;
|
2017-06-21 15:28:36 +03:00
|
|
|
bool index;
|
2023-06-26 16:34:25 +03:00
|
|
|
int uuid;
|
2018-01-19 11:26:53 +02:00
|
|
|
bool nfs_export;
|
2018-03-29 09:08:18 +03:00
|
|
|
int xino;
|
2018-05-11 11:49:27 -04:00
|
|
|
bool metacopy;
|
2020-12-14 15:26:14 +01:00
|
|
|
bool userxattr;
|
2020-08-31 14:15:29 -04:00
|
|
|
bool ovl_volatile;
|
2016-12-16 11:02:56 +01:00
|
|
|
};
|
|
|
|
|
2018-03-28 20:22:41 +03:00
|
|
|
struct ovl_sb {
|
|
|
|
struct super_block *sb;
|
|
|
|
dev_t pseudo_dev;
|
2019-11-14 22:28:41 +02:00
|
|
|
/* Unusable (conflicting) uuid */
|
|
|
|
bool bad_uuid;
|
2019-11-16 18:52:20 +02:00
|
|
|
/* Used as a lower layer (but maybe also as upper) */
|
|
|
|
bool is_lower;
|
2018-03-28 20:22:41 +03:00
|
|
|
};
|
|
|
|
|
2017-07-24 01:57:54 -05:00
|
|
|
struct ovl_layer {
|
2023-06-13 10:13:37 +02:00
|
|
|
/* ovl_free_fs() relies on @mnt being the first member! */
|
2017-07-24 01:57:54 -05:00
|
|
|
struct vfsmount *mnt;
|
ovl: detect overlapping layers
Overlapping overlay layers are not supported and can cause unexpected
behavior, but overlayfs does not currently check or warn about these
configurations.
User is not supposed to specify the same directory for upper and
lower dirs or for different lower layers and user is not supposed to
specify directories that are descendants of each other for overlay
layers, but that is exactly what this zysbot repro did:
https://syzkaller.appspot.com/x/repro.syz?x=12c7a94f400000
Moving layer root directories into other layers while overlayfs
is mounted could also result in unexpected behavior.
This commit places "traps" in the overlay inode hash table.
Those traps are dummy overlay inodes that are hashed by the layers
root inodes.
On mount, the hash table trap entries are used to verify that overlay
layers are not overlapping. While at it, we also verify that overlay
layers are not overlapping with directories "in-use" by other overlay
instances as upperdir/workdir.
On lookup, the trap entries are used to verify that overlay layers
root inodes have not been moved into other layers after mount.
Some examples:
$ ./run --ov --samefs -s
...
( mkdir -p base/upper/0/u base/upper/0/w base/lower lower upper mnt
mount -o bind base/lower lower
mount -o bind base/upper upper
mount -t overlay none mnt ...
-o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w)
$ umount mnt
$ mount -t overlay none mnt ...
-o lowerdir=base,upperdir=upper/0/u,workdir=upper/0/w
[ 94.434900] overlayfs: overlapping upperdir path
mount: mount overlay on mnt failed: Too many levels of symbolic links
$ mount -t overlay none mnt ...
-o lowerdir=upper/0/u,upperdir=upper/0/u,workdir=upper/0/w
[ 151.350132] overlayfs: conflicting lowerdir path
mount: none is already mounted or mnt busy
$ mount -t overlay none mnt ...
-o lowerdir=lower:lower/a,upperdir=upper/0/u,workdir=upper/0/w
[ 201.205045] overlayfs: overlapping lowerdir path
mount: mount overlay on mnt failed: Too many levels of symbolic links
$ mount -t overlay none mnt ...
-o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w
$ mv base/upper/0/ base/lower/
$ find mnt/0
mnt/0
mnt/0/w
find: 'mnt/0/w/work': Too many levels of symbolic links
find: 'mnt/0/u': Too many levels of symbolic links
Reported-by: syzbot+9c69c282adc4edd2b540@syzkaller.appspotmail.com
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2019-04-18 17:42:08 +03:00
|
|
|
/* Trap in ovl inode cache */
|
|
|
|
struct inode *trap;
|
2018-03-28 20:22:41 +03:00
|
|
|
struct ovl_sb *fs;
|
|
|
|
/* Index of this layer in fs root (upper idx == 0) */
|
2017-11-08 19:23:36 +02:00
|
|
|
int idx;
|
2018-03-28 20:22:41 +03:00
|
|
|
/* One fsid per unique underlying sb (upper fsid == 0) */
|
|
|
|
int fsid;
|
2024-01-20 12:18:39 +02:00
|
|
|
/* xwhiteouts were found on this layer */
|
|
|
|
bool has_xwhiteouts;
|
2017-07-24 01:57:54 -05:00
|
|
|
};
|
|
|
|
|
|
|
|
struct ovl_path {
|
2020-01-24 09:46:45 +01:00
|
|
|
const struct ovl_layer *layer;
|
2017-07-24 01:57:54 -05:00
|
|
|
struct dentry *dentry;
|
|
|
|
};
|
|
|
|
|
2023-04-08 12:31:13 +03:00
|
|
|
struct ovl_entry {
|
|
|
|
unsigned int __numlower;
|
|
|
|
struct ovl_path __lowerstack[];
|
|
|
|
};
|
|
|
|
|
2016-12-16 11:02:56 +01:00
|
|
|
/* private information held for overlayfs's superblock */
|
|
|
|
struct ovl_fs {
|
2019-11-15 14:12:40 +02:00
|
|
|
unsigned int numlayer;
|
2020-01-14 21:59:22 +02:00
|
|
|
/* Number of unique fs among layers including upper fs */
|
|
|
|
unsigned int numfs;
|
2023-04-27 12:48:46 +03:00
|
|
|
/* Number of data-only lower layers */
|
|
|
|
unsigned int numdatalayer;
|
2024-01-20 12:18:39 +02:00
|
|
|
struct ovl_layer *layers;
|
2020-01-14 21:59:22 +02:00
|
|
|
struct ovl_sb *fs;
|
2017-06-21 15:28:33 +03:00
|
|
|
/* workbasedir is the path at workdir= mount option */
|
|
|
|
struct dentry *workbasedir;
|
2023-11-19 20:55:00 +02:00
|
|
|
/* workdir is the 'work' or 'index' directory under workbasedir */
|
2016-12-16 11:02:56 +01:00
|
|
|
struct dentry *workdir;
|
2016-12-16 11:02:56 +01:00
|
|
|
long namelen;
|
2016-12-16 11:02:56 +01:00
|
|
|
/* pathnames of lower and upper dirs, for show_options */
|
|
|
|
struct ovl_config config;
|
|
|
|
/* creds of process who forced instantiation of super block */
|
|
|
|
const struct cred *creator_cred;
|
2017-01-17 06:34:53 +02:00
|
|
|
bool tmpfile;
|
2017-05-17 00:12:40 +03:00
|
|
|
bool noxattr;
|
2023-04-23 19:02:04 +03:00
|
|
|
bool nofh;
|
2017-09-29 10:21:21 +03:00
|
|
|
/* Did we take the inuse lock? */
|
|
|
|
bool upperdir_locked;
|
|
|
|
bool workdir_locked;
|
ovl: detect overlapping layers
Overlapping overlay layers are not supported and can cause unexpected
behavior, but overlayfs does not currently check or warn about these
configurations.
User is not supposed to specify the same directory for upper and
lower dirs or for different lower layers and user is not supposed to
specify directories that are descendants of each other for overlay
layers, but that is exactly what this zysbot repro did:
https://syzkaller.appspot.com/x/repro.syz?x=12c7a94f400000
Moving layer root directories into other layers while overlayfs
is mounted could also result in unexpected behavior.
This commit places "traps" in the overlay inode hash table.
Those traps are dummy overlay inodes that are hashed by the layers
root inodes.
On mount, the hash table trap entries are used to verify that overlay
layers are not overlapping. While at it, we also verify that overlay
layers are not overlapping with directories "in-use" by other overlay
instances as upperdir/workdir.
On lookup, the trap entries are used to verify that overlay layers
root inodes have not been moved into other layers after mount.
Some examples:
$ ./run --ov --samefs -s
...
( mkdir -p base/upper/0/u base/upper/0/w base/lower lower upper mnt
mount -o bind base/lower lower
mount -o bind base/upper upper
mount -t overlay none mnt ...
-o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w)
$ umount mnt
$ mount -t overlay none mnt ...
-o lowerdir=base,upperdir=upper/0/u,workdir=upper/0/w
[ 94.434900] overlayfs: overlapping upperdir path
mount: mount overlay on mnt failed: Too many levels of symbolic links
$ mount -t overlay none mnt ...
-o lowerdir=upper/0/u,upperdir=upper/0/u,workdir=upper/0/w
[ 151.350132] overlayfs: conflicting lowerdir path
mount: none is already mounted or mnt busy
$ mount -t overlay none mnt ...
-o lowerdir=lower:lower/a,upperdir=upper/0/u,workdir=upper/0/w
[ 201.205045] overlayfs: overlapping lowerdir path
mount: mount overlay on mnt failed: Too many levels of symbolic links
$ mount -t overlay none mnt ...
-o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w
$ mv base/upper/0/ base/lower/
$ find mnt/0
mnt/0
mnt/0/w
find: 'mnt/0/w/work': Too many levels of symbolic links
find: 'mnt/0/u': Too many levels of symbolic links
Reported-by: syzbot+9c69c282adc4edd2b540@syzkaller.appspotmail.com
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2019-04-18 17:42:08 +03:00
|
|
|
/* Traps in ovl inode cache */
|
2019-07-12 15:24:34 +03:00
|
|
|
struct inode *workbasedir_trap;
|
ovl: detect overlapping layers
Overlapping overlay layers are not supported and can cause unexpected
behavior, but overlayfs does not currently check or warn about these
configurations.
User is not supposed to specify the same directory for upper and
lower dirs or for different lower layers and user is not supposed to
specify directories that are descendants of each other for overlay
layers, but that is exactly what this zysbot repro did:
https://syzkaller.appspot.com/x/repro.syz?x=12c7a94f400000
Moving layer root directories into other layers while overlayfs
is mounted could also result in unexpected behavior.
This commit places "traps" in the overlay inode hash table.
Those traps are dummy overlay inodes that are hashed by the layers
root inodes.
On mount, the hash table trap entries are used to verify that overlay
layers are not overlapping. While at it, we also verify that overlay
layers are not overlapping with directories "in-use" by other overlay
instances as upperdir/workdir.
On lookup, the trap entries are used to verify that overlay layers
root inodes have not been moved into other layers after mount.
Some examples:
$ ./run --ov --samefs -s
...
( mkdir -p base/upper/0/u base/upper/0/w base/lower lower upper mnt
mount -o bind base/lower lower
mount -o bind base/upper upper
mount -t overlay none mnt ...
-o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w)
$ umount mnt
$ mount -t overlay none mnt ...
-o lowerdir=base,upperdir=upper/0/u,workdir=upper/0/w
[ 94.434900] overlayfs: overlapping upperdir path
mount: mount overlay on mnt failed: Too many levels of symbolic links
$ mount -t overlay none mnt ...
-o lowerdir=upper/0/u,upperdir=upper/0/u,workdir=upper/0/w
[ 151.350132] overlayfs: conflicting lowerdir path
mount: none is already mounted or mnt busy
$ mount -t overlay none mnt ...
-o lowerdir=lower:lower/a,upperdir=upper/0/u,workdir=upper/0/w
[ 201.205045] overlayfs: overlapping lowerdir path
mount: mount overlay on mnt failed: Too many levels of symbolic links
$ mount -t overlay none mnt ...
-o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w
$ mv base/upper/0/ base/lower/
$ find mnt/0
mnt/0
mnt/0/w
find: 'mnt/0/w/work': Too many levels of symbolic links
find: 'mnt/0/u': Too many levels of symbolic links
Reported-by: syzbot+9c69c282adc4edd2b540@syzkaller.appspotmail.com
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2019-04-18 17:42:08 +03:00
|
|
|
struct inode *workdir_trap;
|
2019-11-16 18:14:41 +02:00
|
|
|
/* -1: disabled, 0: same fs, 1..32: number of unused ino bits */
|
|
|
|
int xino_mode;
|
2020-02-21 16:34:43 +02:00
|
|
|
/* For allocation of non-persistent inode numbers */
|
|
|
|
atomic_long_t last_ino;
|
2023-06-17 09:12:50 +03:00
|
|
|
/* Shared whiteout cache */
|
2020-04-24 10:55:17 +08:00
|
|
|
struct dentry *whiteout;
|
2023-06-17 09:12:50 +03:00
|
|
|
bool no_shared_whiteout;
|
ovl: implement volatile-specific fsync error behaviour
Overlayfs's volatile option allows the user to bypass all forced sync calls
to the upperdir filesystem. This comes at the cost of safety. We can never
ensure that the user's data is intact, but we can make a best effort to
expose whether or not the data is likely to be in a bad state.
The best way to handle this in the time being is that if an overlayfs's
upperdir experiences an error after a volatile mount occurs, that error
will be returned on fsync, fdatasync, sync, and syncfs. This is
contradictory to the traditional behaviour of VFS which fails the call
once, and only raises an error if a subsequent fsync error has occurred,
and been raised by the filesystem.
One awkward aspect of the patch is that we have to manually set the
superblock's errseq_t after the sync_fs callback as opposed to just
returning an error from syncfs. This is because the call chain looks
something like this:
sys_syncfs ->
sync_filesystem ->
__sync_filesystem ->
/* The return value is ignored here
sb->s_op->sync_fs(sb)
_sync_blockdev
/* Where the VFS fetches the error to raise to userspace */
errseq_check_and_advance
Because of this we call errseq_set every time the sync_fs callback occurs.
Due to the nature of this seen / unseen dichotomy, if the upperdir is an
inconsistent state at the initial mount time, overlayfs will refuse to
mount, as overlayfs cannot get a snapshot of the upperdir's errseq that
will increment on error until the user calls syncfs.
Signed-off-by: Sargun Dhillon <sargun@sargun.me>
Suggested-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Fixes: c86243b090bc ("ovl: provide a mount option "volatile"")
Cc: stable@vger.kernel.org
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2021-01-07 16:10:43 -08:00
|
|
|
/* r/o snapshot of upperdir sb's only taken on volatile mounts */
|
|
|
|
errseq_t errseq;
|
2016-12-16 11:02:56 +01:00
|
|
|
};
|
|
|
|
|
2023-04-27 12:48:46 +03:00
|
|
|
/* Number of lower layers, not including data-only layers */
|
|
|
|
static inline unsigned int ovl_numlowerlayer(struct ovl_fs *ofs)
|
|
|
|
{
|
|
|
|
return ofs->numlayer - ofs->numdatalayer - 1;
|
|
|
|
}
|
|
|
|
|
2020-06-04 10:48:19 +02:00
|
|
|
static inline struct vfsmount *ovl_upper_mnt(struct ovl_fs *ofs)
|
|
|
|
{
|
2020-06-04 10:48:19 +02:00
|
|
|
return ofs->layers[0].mnt;
|
2020-06-04 10:48:19 +02:00
|
|
|
}
|
|
|
|
|
2023-01-13 12:49:10 +01:00
|
|
|
static inline struct mnt_idmap *ovl_upper_mnt_idmap(struct ovl_fs *ofs)
|
|
|
|
{
|
|
|
|
return mnt_idmap(ovl_upper_mnt(ofs));
|
|
|
|
}
|
|
|
|
|
2023-05-21 10:28:12 +02:00
|
|
|
extern struct file_system_type ovl_fs_type;
|
|
|
|
|
2019-11-16 18:14:41 +02:00
|
|
|
static inline struct ovl_fs *OVL_FS(struct super_block *sb)
|
|
|
|
{
|
2023-05-21 10:28:13 +02:00
|
|
|
if (IS_ENABLED(CONFIG_OVERLAY_FS_DEBUG))
|
|
|
|
WARN_ON_ONCE(sb->s_type != &ovl_fs_type);
|
|
|
|
|
2019-11-16 18:14:41 +02:00
|
|
|
return (struct ovl_fs *)sb->s_fs_info;
|
|
|
|
}
|
|
|
|
|
2020-08-31 14:15:29 -04:00
|
|
|
static inline bool ovl_should_sync(struct ovl_fs *ofs)
|
|
|
|
{
|
|
|
|
return !ofs->config.ovl_volatile;
|
|
|
|
}
|
|
|
|
|
2023-04-03 11:51:47 +03:00
|
|
|
static inline unsigned int ovl_numlower(struct ovl_entry *oe)
|
|
|
|
{
|
|
|
|
return oe ? oe->__numlower : 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline struct ovl_path *ovl_lowerstack(struct ovl_entry *oe)
|
|
|
|
{
|
|
|
|
return ovl_numlower(oe) ? oe->__lowerstack : NULL;
|
|
|
|
}
|
|
|
|
|
2023-04-01 10:29:19 +03:00
|
|
|
static inline struct ovl_path *ovl_lowerpath(struct ovl_entry *oe)
|
|
|
|
{
|
|
|
|
return ovl_lowerstack(oe);
|
|
|
|
}
|
|
|
|
|
2023-04-01 10:29:19 +03:00
|
|
|
static inline struct ovl_path *ovl_lowerdata(struct ovl_entry *oe)
|
|
|
|
{
|
|
|
|
struct ovl_path *lowerstack = ovl_lowerstack(oe);
|
|
|
|
|
|
|
|
return lowerstack ? &lowerstack[oe->__numlower - 1] : NULL;
|
|
|
|
}
|
|
|
|
|
2023-04-27 12:21:46 +03:00
|
|
|
/* May return NULL if lazy lookup of lowerdata is needed */
|
2023-04-01 10:29:19 +03:00
|
|
|
static inline struct dentry *ovl_lowerdata_dentry(struct ovl_entry *oe)
|
|
|
|
{
|
|
|
|
struct ovl_path *lowerdata = ovl_lowerdata(oe);
|
|
|
|
|
2023-04-27 13:39:09 +03:00
|
|
|
return lowerdata ? READ_ONCE(lowerdata->dentry) : NULL;
|
2023-04-01 10:29:19 +03:00
|
|
|
}
|
|
|
|
|
2023-04-08 12:31:13 +03:00
|
|
|
/* private information held for every overlayfs dentry */
|
2023-03-15 04:31:37 +02:00
|
|
|
static inline unsigned long *OVL_E_FLAGS(struct dentry *dentry)
|
|
|
|
{
|
2023-04-08 12:31:13 +03:00
|
|
|
return (unsigned long *) &dentry->d_fsdata;
|
2023-03-15 04:31:37 +02:00
|
|
|
}
|
|
|
|
|
2017-06-12 09:54:40 +03:00
|
|
|
struct ovl_inode {
|
2018-05-11 11:49:30 -04:00
|
|
|
union {
|
|
|
|
struct ovl_dir_cache *cache; /* directory */
|
2023-04-27 12:21:46 +03:00
|
|
|
const char *lowerdata_redirect; /* regular file */
|
2018-05-11 11:49:30 -04:00
|
|
|
};
|
2017-07-04 22:03:16 +02:00
|
|
|
const char *redirect;
|
2017-07-04 22:03:16 +02:00
|
|
|
u64 version;
|
2017-07-04 22:03:16 +02:00
|
|
|
unsigned long flags;
|
2017-06-12 09:54:40 +03:00
|
|
|
struct inode vfs_inode;
|
2017-07-04 22:03:16 +02:00
|
|
|
struct dentry *__upperdentry;
|
2023-04-08 12:31:13 +03:00
|
|
|
struct ovl_entry *oe;
|
2017-06-21 15:28:51 +03:00
|
|
|
|
|
|
|
/* synchronize copy up and more */
|
|
|
|
struct mutex lock;
|
2017-06-12 09:54:40 +03:00
|
|
|
};
|
|
|
|
|
|
|
|
static inline struct ovl_inode *OVL_I(struct inode *inode)
|
|
|
|
{
|
|
|
|
return container_of(inode, struct ovl_inode, vfs_inode);
|
|
|
|
}
|
2017-07-04 22:03:16 +02:00
|
|
|
|
2023-04-08 12:31:13 +03:00
|
|
|
static inline struct ovl_entry *OVL_I_E(struct inode *inode)
|
|
|
|
{
|
|
|
|
return inode ? OVL_I(inode)->oe : NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline struct ovl_entry *OVL_E(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
return OVL_I_E(d_inode(dentry));
|
|
|
|
}
|
|
|
|
|
2017-07-04 22:03:16 +02:00
|
|
|
static inline struct dentry *ovl_upperdentry_dereference(struct ovl_inode *oi)
|
|
|
|
{
|
2017-10-24 11:22:48 +01:00
|
|
|
return READ_ONCE(oi->__upperdentry);
|
2017-07-04 22:03:16 +02:00
|
|
|
}
|