copy_up.c source code [linux/fs/overlayfs/copy_up.c]

1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	*
4	* Copyright (C) 2011 Novell Inc.
5	*/
6
7	#include <linux/module.h>
8	#include <linux/fs.h>
9	#include <linux/slab.h>
10	#include <linux/file.h>
11	#include <linux/fileattr.h>
12	#include <linux/splice.h>
13	#include <linux/xattr.h>
14	#include <linux/security.h>
15	#include <linux/uaccess.h>
16	#include <linux/sched/signal.h>
17	#include <linux/cred.h>
18	#include <linux/namei.h>
19	#include <linux/ratelimit.h>
20	#include <linux/exportfs.h>
21	#include "overlayfs.h"
22
23	#define OVL_COPY_UP_CHUNK_SIZE (1 << 20)
24
25	static int ovl_ccup_set(const char buf, const* struct kernel_param *param)
26	{
27	pr_warn("\"check_copy_up\" module option is obsolete\n");
28	return `0`;
29	}
30
31	static int ovl_ccup_get(char buf, const* struct kernel_param *param)
32	{
33	return sprintf(buf, fmt: "N\n");
34	}
35
36	module_param_call(check_copy_up, ovl_ccup_set, ovl_ccup_get, NULL, `0644`);
37	MODULE_PARM_DESC(check_copy_up, "Obsolete; does nothing");
38
39	static bool ovl_must_copy_xattr(const char *name)
40	{
41	return !strcmp(name, XATTR_POSIX_ACL_ACCESS) \|\|
42	!strcmp(name, XATTR_POSIX_ACL_DEFAULT) \|\|
43	!strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN);
44	}
45
46	static int ovl_copy_acl(struct ovl_fs ofs, const* struct path *path,
47	struct dentry dentry, const* char *acl_name)
48	{
49	int err;
50	struct posix_acl clone, real_acl = NULL;
51
52	real_acl = ovl_get_acl_path(path, acl_name, noperm: false);
53	if (!real_acl)
54	return `0`;
55
56	if (IS_ERR(ptr: real_acl)) {
57	err = PTR_ERR(ptr: real_acl);
58	if (err == -ENODATA \|\| err == -EOPNOTSUPP)
59	return `0`;
60	return err;
61	}
62
63	clone = posix_acl_clone(acl: real_acl, GFP_KERNEL);
64	posix_acl_release(acl: real_acl); / release original acl /
65	if (!clone)
66	return -ENOMEM;
67
68	err = ovl_do_set_acl(ofs, dentry, acl_name, acl: clone);
69
70	/ release cloned acl /
71	posix_acl_release(acl: clone);
72	return err;
73	}
74
75	int ovl_copy_xattr(struct super_block sb, const* struct path oldpath, struct* dentry *new)
76	{
77	struct dentry *old = oldpath->dentry;
78	ssize_t list_size, size, value_size = `0`;
79	char buf, name, *value = NULL;
80	int error = `0`;
81	size_t slen;
82
83	if (!old->d_inode->i_op->listxattr \|\| !new->d_inode->i_op->listxattr)
84	return `0`;
85
86	list_size = vfs_listxattr(d: old, NULL, size: `0`);
87	if (list_size <= `0`) {
88	if (list_size == -EOPNOTSUPP)
89	return `0`;
90	return list_size;
91	}
92
93	buf = kvzalloc(list_size, GFP_KERNEL);
94	if (!buf)
95	return -ENOMEM;
96
97	list_size = vfs_listxattr(d: old, list: buf, size: list_size);
98	if (list_size <= `0`) {
99	error = list_size;
100	goto out;
101	}
102
103	for (name = buf; list_size; name += slen) {
104	slen = strnlen(p: name, maxlen: list_size) + `1`;
105
106	/ underlying fs providing us with an broken xattr list? /
107	if (WARN_ON(slen > list_size)) {
108	error = -EIO;
109	break;
110	}
111	list_size -= slen;
112
113	if (ovl_is_private_xattr(sb, name))
114	continue;
115
116	error = security_inode_copy_up_xattr(src: old, name);
117	if (error == -ECANCELED) {
118	error = `0`;
119	continue; / Discard /
120	}
121	if (error < `0` && error != -EOPNOTSUPP)
122	break;
123
124	if (is_posix_acl_xattr(name)) {
125	error = ovl_copy_acl(ofs: OVL_FS(sb), path: oldpath, dentry: new, acl_name: name);
126	if (!error)
127	continue;
128	/ POSIX ACLs must be copied. /
129	break;
130	}
131
132	retry:
133	size = ovl_do_getxattr(path: oldpath, name, value, size: value_size);
134	if (size == -ERANGE)
135	size = ovl_do_getxattr(path: oldpath, name, NULL, size: `0`);
136
137	if (size < `0`) {
138	error = size;
139	break;
140	}
141
142	if (size > value_size) {
143	void *new;
144
145	new = kvmalloc(size, GFP_KERNEL);
146	if (!new) {
147	error = -ENOMEM;
148	break;
149	}
150	kvfree(addr: value);
151	value = new;
152	value_size = size;
153	goto retry;
154	}
155
156	error = ovl_do_setxattr(ofs: OVL_FS(sb), dentry: new, name, value, size, flags: `0`);
157	if (error) {
158	if (error != -EOPNOTSUPP \|\| ovl_must_copy_xattr(name))
159	break;
160
161	/ Ignore failure to copy unknown xattrs /
162	error = `0`;
163	}
164	}
165	kvfree(addr: value);
166	out:
167	kvfree(addr: buf);
168	return error;
169	}
170
171	static int ovl_copy_fileattr(struct inode inode, const* struct path *old,
172	const struct path *new)
173	{
174	struct fileattr oldfa = { .flags_valid = true };
175	struct fileattr newfa = { .flags_valid = true };
176	int err;
177
178	err = ovl_real_fileattr_get(realpath: old, fa: &oldfa);
179	if (err) {
180	/ Ntfs-3g returns -EINVAL for "no fileattr support" /
181	if (err == -ENOTTY \|\| err == -EINVAL)
182	return `0`;
183	pr_warn("failed to retrieve lower fileattr (%pd2, err=%i)\n",
184	old->dentry, err);
185	return err;
186	}
187
188	/*
189	* We cannot set immutable and append-only flags on upper inode,
190	* because we would not be able to link upper inode to upper dir
191	* not set overlay private xattr on upper inode.
192	* Store these flags in overlay.protattr xattr instead.
193	*/
194	if (oldfa.flags & OVL_PROT_FS_FLAGS_MASK) {
195	err = ovl_set_protattr(inode, upper: new->dentry, fa: &oldfa);
196	if (err == -EPERM)
197	pr_warn_once("copying fileattr: no xattr on upper\n");
198	else if (err)
199	return err;
200	}
201
202	/ Don't bother copying flags if none are set /
203	if (!(oldfa.flags & OVL_COPY_FS_FLAGS_MASK))
204	return `0`;
205
206	err = ovl_real_fileattr_get(realpath: new, fa: &newfa);
207	if (err) {
208	/*
209	* Returning an error if upper doesn't support fileattr will
210	* result in a regression, so revert to the old behavior.
211	*/
212	if (err == -ENOTTY \|\| err == -EINVAL) {
213	pr_warn_once("copying fileattr: no support on upper\n");
214	return `0`;
215	}
216	pr_warn("failed to retrieve upper fileattr (%pd2, err=%i)\n",
217	new->dentry, err);
218	return err;
219	}
220
221	BUILD_BUG_ON(OVL_COPY_FS_FLAGS_MASK & ~FS_COMMON_FL);
222	newfa.flags &= ~OVL_COPY_FS_FLAGS_MASK;
223	newfa.flags \|= (oldfa.flags & OVL_COPY_FS_FLAGS_MASK);
224
225	BUILD_BUG_ON(OVL_COPY_FSX_FLAGS_MASK & ~FS_XFLAG_COMMON);
226	newfa.fsx_xflags &= ~OVL_COPY_FSX_FLAGS_MASK;
227	newfa.fsx_xflags \|= (oldfa.fsx_xflags & OVL_COPY_FSX_FLAGS_MASK);
228
229	return ovl_real_fileattr_set(realpath: new, fa: &newfa);
230	}
231
232	static int ovl_verify_area(loff_t pos, loff_t pos2, loff_t len, loff_t totlen)
233	{
234	loff_t tmp;
235
236	if (pos != pos2)
237	return -EIO;
238	if (pos < `0` \|\| len < `0` \|\| totlen < `0`)
239	return -EIO;
240	if (check_add_overflow(pos, len, &tmp))
241	return -EIO;
242	return `0`;
243	}
244
245	static int ovl_sync_file(struct path *path)
246	{
247	struct file *new_file;
248	int err;
249
250	new_file = ovl_path_open(path, O_LARGEFILE \| O_RDONLY);
251	if (IS_ERR(ptr: new_file))
252	return PTR_ERR(ptr: new_file);
253
254	err = vfs_fsync(file: new_file, datasync: `0`);
255	fput(new_file);
256
257	return err;
258	}
259
260	static int ovl_copy_up_file(struct ovl_fs ofs, struct* dentry *dentry,
261	struct file *new_file, loff_t len,
262	bool datasync)
263	{
264	struct path datapath;
265	struct file *old_file;
266	loff_t old_pos = `0`;
267	loff_t new_pos = `0`;
268	loff_t cloned;
269	loff_t data_pos = -`1`;
270	loff_t hole_len;
271	bool skip_hole = false;
272	int error = `0`;
273
274	ovl_path_lowerdata(dentry, path: &datapath);
275	if (WARN_ON_ONCE(datapath.dentry == NULL) \|\|
276	WARN_ON_ONCE(len < `0`))
277	return -EIO;
278
279	old_file = ovl_path_open(path: &datapath, O_LARGEFILE \| O_RDONLY);
280	if (IS_ERR(ptr: old_file))
281	return PTR_ERR(ptr: old_file);
282
283	/ Try to use clone_file_range to clone up within the same fs /
284	cloned = vfs_clone_file_range(file_in: old_file, pos_in: `0`, file_out: new_file, pos_out: `0`, len, remap_flags: `0`);
285	if (cloned == len)
286	goto out_fput;
287
288	/ Couldn't clone, so now we try to copy the data /
289	error = rw_verify_area(READ, old_file, &old_pos, len);
290	if (!error)
291	error = rw_verify_area(WRITE, new_file, &new_pos, len);
292	if (error)
293	goto out_fput;
294
295	/ Check if lower fs supports seek operation /
296	if (old_file->f_mode & FMODE_LSEEK)
297	skip_hole = true;
298
299	while (len) {
300	size_t this_len = OVL_COPY_UP_CHUNK_SIZE;
301	ssize_t bytes;
302
303	if (len < this_len)
304	this_len = len;
305
306	if (signal_pending_state(TASK_KILLABLE, current)) {
307	error = -EINTR;
308	break;
309	}
310
311	/*
312	* Fill zero for hole will cost unnecessary disk space
313	* and meanwhile slow down the copy-up speed, so we do
314	* an optimization for hole during copy-up, it relies
315	* on SEEK_DATA implementation in lower fs so if lower
316	* fs does not support it, copy-up will behave as before.
317	*
318	* Detail logic of hole detection as below:
319	* When we detect next data position is larger than current
320	* position we will skip that hole, otherwise we copy
321	* data in the size of OVL_COPY_UP_CHUNK_SIZE. Actually,
322	* it may not recognize all kind of holes and sometimes
323	* only skips partial of hole area. However, it will be
324	* enough for most of the use cases.
325	*
326	* We do not hold upper sb_writers throughout the loop to avert
327	* lockdep warning with llseek of lower file in nested overlay:
328	* - upper sb_writers
329	* -- lower ovl_inode_lock (ovl_llseek)
330	*/
331	if (skip_hole && data_pos < old_pos) {
332	data_pos = vfs_llseek(file: old_file, offset: old_pos, SEEK_DATA);
333	if (data_pos > old_pos) {
334	hole_len = data_pos - old_pos;
335	len -= hole_len;
336	old_pos = new_pos = data_pos;
337	continue;
338	} else if (data_pos == -ENXIO) {
339	break;
340	} else if (data_pos < `0`) {
341	skip_hole = false;
342	}
343	}
344
345	error = ovl_verify_area(pos: old_pos, pos2: new_pos, len: this_len, totlen: len);
346	if (error)
347	break;
348
349	bytes = do_splice_direct(in: old_file, ppos: &old_pos,
350	out: new_file, opos: &new_pos,
351	len: this_len, SPLICE_F_MOVE);
352	if (bytes <= `0`) {
353	error = bytes;
354	break;
355	}
356	WARN_ON(old_pos != new_pos);
357
358	len -= bytes;
359	}
360	/ call fsync once, either now or later along with metadata /
361	if (!error && ovl_should_sync(ofs) && datasync)
362	error = vfs_fsync(file: new_file, datasync: `0`);
363	out_fput:
364	fput(old_file);
365	return error;
366	}
367
368	static int ovl_set_size(struct ovl_fs *ofs,
369	struct dentry upperdentry, struct* kstat *stat)
370	{
371	struct iattr attr = {
372	.ia_valid = ATTR_SIZE,
373	.ia_size = stat->size,
374	};
375
376	return ovl_do_notify_change(ofs, upperdentry, attr: &attr);
377	}
378
379	static int ovl_set_timestamps(struct ovl_fs ofs, struct* dentry *upperdentry,
380	struct kstat *stat)
381	{
382	struct iattr attr = {
383	.ia_valid =
384	ATTR_ATIME \| ATTR_MTIME \| ATTR_ATIME_SET \| ATTR_MTIME_SET \| ATTR_CTIME,
385	.ia_atime = stat->atime,
386	.ia_mtime = stat->mtime,
387	};
388
389	return ovl_do_notify_change(ofs, upperdentry, attr: &attr);
390	}
391
392	int ovl_set_attr(struct ovl_fs ofs, struct* dentry *upperdentry,
393	struct kstat *stat)
394	{
395	int err = `0`;
396
397	if (!S_ISLNK(stat->mode)) {
398	struct iattr attr = {
399	.ia_valid = ATTR_MODE,
400	.ia_mode = stat->mode,
401	};
402	err = ovl_do_notify_change(ofs, upperdentry, attr: &attr);
403	}
404	if (!err) {
405	struct iattr attr = {
406	.ia_valid = ATTR_UID \| ATTR_GID,
407	.ia_vfsuid = VFSUIDT_INIT(stat->uid),
408	.ia_vfsgid = VFSGIDT_INIT(stat->gid),
409	};
410	err = ovl_do_notify_change(ofs, upperdentry, attr: &attr);
411	}
412	if (!err)
413	ovl_set_timestamps(ofs, upperdentry, stat);
414
415	return err;
416	}
417
418	struct ovl_fh ovl_encode_real_fh(struct* ovl_fs ofs, struct* inode *realinode,
419	bool is_upper)
420	{
421	struct ovl_fh *fh;
422	int fh_type, dwords;
423	int buflen = MAX_HANDLE_SZ;
424	uuid_t *uuid = &realinode->i_sb->s_uuid;
425	int err;
426
427	/ Make sure the real fid stays 32bit aligned /
428	BUILD_BUG_ON(OVL_FH_FID_OFFSET % `4`);
429	BUILD_BUG_ON(MAX_HANDLE_SZ + OVL_FH_FID_OFFSET > `255`);
430
431	fh = kzalloc(buflen + OVL_FH_FID_OFFSET, GFP_KERNEL);
432	if (!fh)
433	return ERR_PTR(error: -ENOMEM);
434
435	/*
436	* We encode a non-connectable file handle for non-dir, because we
437	* only need to find the lower inode number and we don't want to pay
438	* the price or reconnecting the dentry.
439	*/
440	dwords = buflen >> `2`;
441	fh_type = exportfs_encode_inode_fh(inode: realinode, fid: (void *)fh->fb.fid,
442	max_len: &dwords, NULL, flags: `0`);
443	buflen = (dwords << `2`);
444
445	err = -EIO;
446	if (fh_type < `0` \|\| fh_type == FILEID_INVALID \|\|
447	WARN_ON(buflen > MAX_HANDLE_SZ))
448	goto out_err;
449
450	fh->fb.version = OVL_FH_VERSION;
451	fh->fb.magic = OVL_FH_MAGIC;
452	fh->fb.type = fh_type;
453	fh->fb.flags = OVL_FH_FLAG_CPU_ENDIAN;
454	/*
455	* When we will want to decode an overlay dentry from this handle
456	* and all layers are on the same fs, if we get a disconncted real
457	* dentry when we decode fid, the only way to tell if we should assign
458	* it to upperdentry or to lowerstack is by checking this flag.
459	*/
460	if (is_upper)
461	fh->fb.flags \|= OVL_FH_FLAG_PATH_UPPER;
462	fh->fb.len = sizeof(fh->fb) + buflen;
463	if (ovl_origin_uuid(ofs))
464	fh->fb.uuid = *uuid;
465
466	return fh;
467
468	out_err:
469	kfree(objp: fh);
470	return ERR_PTR(error: err);
471	}
472
473	struct ovl_fh ovl_get_origin_fh(struct* ovl_fs ofs, struct* dentry *origin)
474	{
475	/*
476	* When lower layer doesn't support export operations store a 'null' fh,
477	* so we can use the overlay.origin xattr to distignuish between a copy
478	* up and a pure upper inode.
479	*/
480	if (!ovl_can_decode_fh(sb: origin->d_sb))
481	return NULL;
482
483	return ovl_encode_real_fh(ofs, realinode: d_inode(dentry: origin), is_upper: false);
484	}
485
486	int ovl_set_origin_fh(struct ovl_fs ofs, const* struct ovl_fh *fh,
487	struct dentry *upper)
488	{
489	int err;
490
491	/*
492	* Do not fail when upper doesn't support xattrs.
493	*/
494	err = ovl_check_setxattr(ofs, upperdentry: upper, ox: OVL_XATTR_ORIGIN, value: fh->buf,
495	size: fh ? fh->fb.len : `0`, xerr: `0`);
496
497	/ Ignore -EPERM from setting "user." on symlink/special /*
498	return err == -EPERM ? `0` : err;
499	}
500
501	/ Store file handle of @upper dir in @index dir entry /
502	static int ovl_set_upper_fh(struct ovl_fs ofs, struct* dentry *upper,
503	struct dentry *index)
504	{
505	const struct ovl_fh *fh;
506	int err;
507
508	fh = ovl_encode_real_fh(ofs, realinode: d_inode(dentry: upper), is_upper: true);
509	if (IS_ERR(ptr: fh))
510	return PTR_ERR(ptr: fh);
511
512	err = ovl_setxattr(ofs, dentry: index, ox: OVL_XATTR_UPPER, value: fh->buf, size: fh->fb.len);
513
514	kfree(objp: fh);
515	return err;
516	}
517
518	/*
519	* Create and install index entry.
520	*
521	* Caller must hold i_mutex on indexdir.
522	*/
523	static int ovl_create_index(struct dentry dentry, const* struct ovl_fh *fh,
524	struct dentry *upper)
525	{
526	struct ovl_fs *ofs = OVL_FS(sb: dentry->d_sb);
527	struct dentry *indexdir = ovl_indexdir(sb: dentry->d_sb);
528	struct inode *dir = d_inode(dentry: indexdir);
529	struct dentry *index = NULL;
530	struct dentry *temp = NULL;
531	struct qstr name = { };
532	int err;
533
534	/*
535	* For now this is only used for creating index entry for directories,
536	* because non-dir are copied up directly to index and then hardlinked
537	* to upper dir.
538	*
539	* TODO: implement create index for non-dir, so we can call it when
540	* encoding file handle for non-dir in case index does not exist.
541	*/
542	if (WARN_ON(!d_is_dir(dentry)))
543	return -EIO;
544
545	/ Directory not expected to be indexed before copy up /
546	if (WARN_ON(ovl_test_flag(OVL_INDEX, d_inode(dentry))))
547	return -EIO;
548
549	err = ovl_get_index_name_fh(fh, name: &name);
550	if (err)
551	return err;
552
553	temp = ovl_create_temp(ofs, workdir: indexdir, OVL_CATTR(S_IFDIR \| `0`));
554	err = PTR_ERR(ptr: temp);
555	if (IS_ERR(ptr: temp))
556	goto free_name;
557
558	err = ovl_set_upper_fh(ofs, upper, index: temp);
559	if (err)
560	goto out;
561
562	index = ovl_lookup_upper(ofs, name: name.name, base: indexdir, len: name.len);
563	if (IS_ERR(ptr: index)) {
564	err = PTR_ERR(ptr: index);
565	} else {
566	err = ovl_do_rename(ofs, olddir: dir, olddentry: temp, newdir: dir, newdentry: index, flags: `0`);
567	dput(index);
568	}
569	out:
570	if (err)
571	ovl_cleanup(ofs, dir, dentry: temp);
572	dput(temp);
573	free_name:
574	kfree(objp: name.name);
575	return err;
576	}
577
578	struct ovl_copy_up_ctx {
579	struct dentry *parent;
580	struct dentry *dentry;
581	struct path lowerpath;
582	struct kstat stat;
583	struct kstat pstat;
584	const char *link;
585	struct dentry *destdir;
586	struct qstr destname;
587	struct dentry *workdir;
588	const struct ovl_fh *origin_fh;
589	bool origin;
590	bool indexed;
591	bool metacopy;
592	bool metacopy_digest;
593	bool metadata_fsync;
594	};
595
596	static int ovl_link_up(struct ovl_copy_up_ctx *c)
597	{
598	int err;
599	struct dentry *upper;
600	struct dentry *upperdir = ovl_dentry_upper(dentry: c->parent);
601	struct ovl_fs *ofs = OVL_FS(sb: c->dentry->d_sb);
602	struct inode *udir = d_inode(dentry: upperdir);
603
604	ovl_start_write(dentry: c->dentry);
605
606	/ Mark parent "impure" because it may now contain non-pure upper /
607	err = ovl_set_impure(dentry: c->parent, upperdentry: upperdir);
608	if (err)
609	goto out;
610
611	err = ovl_set_nlink_lower(dentry: c->dentry);
612	if (err)
613	goto out;
614
615	inode_lock_nested(inode: udir, subclass: I_MUTEX_PARENT);
616	upper = ovl_lookup_upper(ofs, name: c->dentry->d_name.name, base: upperdir,
617	len: c->dentry->d_name.len);
618	err = PTR_ERR(ptr: upper);
619	if (!IS_ERR(ptr: upper)) {
620	err = ovl_do_link(ofs, old_dentry: ovl_dentry_upper(dentry: c->dentry), dir: udir, new_dentry: upper);
621
622	if (!err) {
623	/ Restore timestamps on parent (best effort) /
624	ovl_set_timestamps(ofs, upperdentry: upperdir, stat: &c->pstat);
625	ovl_dentry_set_upper_alias(dentry: c->dentry);
626	ovl_dentry_update_reval(dentry: c->dentry, realdentry: upper);
627	}
628	dput(upper);
629	}
630	inode_unlock(inode: udir);
631	if (err)
632	goto out;
633
634	err = ovl_set_nlink_upper(dentry: c->dentry);
635
636	out:
637	ovl_end_write(dentry: c->dentry);
638	return err;
639	}
640
641	static int ovl_copy_up_data(struct ovl_copy_up_ctx c, const* struct path *temp)
642	{
643	struct ovl_fs *ofs = OVL_FS(sb: c->dentry->d_sb);
644	struct file *new_file;
645	int err;
646
647	if (!S_ISREG(c->stat.mode) \|\| c->metacopy \|\| !c->stat.size)
648	return `0`;
649
650	new_file = ovl_path_open(path: temp, O_LARGEFILE \| O_WRONLY);
651	if (IS_ERR(ptr: new_file))
652	return PTR_ERR(ptr: new_file);
653
654	err = ovl_copy_up_file(ofs, dentry: c->dentry, new_file, len: c->stat.size,
655	datasync: !c->metadata_fsync);
656	fput(new_file);
657
658	return err;
659	}
660
661	static int ovl_copy_up_metadata(struct ovl_copy_up_ctx c, struct* dentry *temp)
662	{
663	struct ovl_fs *ofs = OVL_FS(sb: c->dentry->d_sb);
664	struct inode *inode = d_inode(dentry: c->dentry);
665	struct path upperpath = { .mnt = ovl_upper_mnt(ofs), .dentry = temp };
666	int err;
667
668	err = ovl_copy_xattr(sb: c->dentry->d_sb, oldpath: &c->lowerpath, new: temp);
669	if (err)
670	return err;
671
672	if (inode->i_flags & OVL_COPY_I_FLAGS_MASK &&
673	(S_ISREG(c->stat.mode) \|\| S_ISDIR(c->stat.mode))) {
674	/*
675	* Copy the fileattr inode flags that are the source of already
676	* copied i_flags
677	*/
678	err = ovl_copy_fileattr(inode, old: &c->lowerpath, new: &upperpath);
679	if (err)
680	return err;
681	}
682
683	/*
684	* Store identifier of lower inode in upper inode xattr to
685	* allow lookup of the copy up origin inode.
686	*
687	* Don't set origin when we are breaking the association with a lower
688	* hard link.
689	*/
690	if (c->origin) {
691	err = ovl_set_origin_fh(ofs, fh: c->origin_fh, upper: temp);
692	if (err)
693	return err;
694	}
695
696	if (c->metacopy) {
697	struct path lowerdatapath;
698	struct ovl_metacopy metacopy_data = OVL_METACOPY_INIT;
699
700	ovl_path_lowerdata(dentry: c->dentry, path: &lowerdatapath);
701	if (WARN_ON_ONCE(lowerdatapath.dentry == NULL))
702	return -EIO;
703	err = ovl_get_verity_digest(ofs, src: &lowerdatapath, metacopy: &metacopy_data);
704	if (err)
705	return err;
706
707	if (metacopy_data.digest_algo)
708	c->metacopy_digest = true;
709
710	err = ovl_set_metacopy_xattr(ofs, d: temp, metacopy: &metacopy_data);
711	if (err)
712	return err;
713	}
714
715	inode_lock(inode: temp->d_inode);
716	if (S_ISREG(c->stat.mode))
717	err = ovl_set_size(ofs, upperdentry: temp, stat: &c->stat);
718	if (!err)
719	err = ovl_set_attr(ofs, upperdentry: temp, stat: &c->stat);
720	inode_unlock(inode: temp->d_inode);
721
722	/ fsync metadata before moving it into upper dir /
723	if (!err && ovl_should_sync(ofs) && c->metadata_fsync)
724	err = ovl_sync_file(path: &upperpath);
725
726	return err;
727	}
728
729	struct ovl_cu_creds {
730	const struct cred *old;
731	struct cred *new;
732	};
733
734	static int ovl_prep_cu_creds(struct dentry dentry, struct* ovl_cu_creds *cc)
735	{
736	int err;
737
738	cc->old = cc->new = NULL;
739	err = security_inode_copy_up(src: dentry, new: &cc->new);
740	if (err < `0`)
741	return err;
742
743	if (cc->new)
744	cc->old = override_creds(override_cred: cc->new);
745
746	return `0`;
747	}
748
749	static void ovl_revert_cu_creds(struct ovl_cu_creds *cc)
750	{
751	if (cc->new) {
752	revert_creds(revert_cred: cc->old);
753	put_cred(cred: cc->new);
754	}
755	}
756
757	/*
758	* Copyup using workdir to prepare temp file. Used when copying up directories,
759	* special files or when upper fs doesn't support O_TMPFILE.
760	*/
761	static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
762	{
763	struct ovl_fs *ofs = OVL_FS(sb: c->dentry->d_sb);
764	struct inode *inode;
765	struct inode udir = d_inode(dentry: c->destdir), wdir = d_inode(dentry: c->workdir);
766	struct path path = { .mnt = ovl_upper_mnt(ofs) };
767	struct dentry temp, upper, *trap;
768	struct ovl_cu_creds cc;
769	int err;
770	struct ovl_cattr cattr = {
771	/ Can't properly set mode on creation because of the umask /
772	.mode = c->stat.mode & S_IFMT,
773	.rdev = c->stat.rdev,
774	.link = c->link
775	};
776
777	err = ovl_prep_cu_creds(dentry: c->dentry, cc: &cc);
778	if (err)
779	return err;
780
781	ovl_start_write(dentry: c->dentry);
782	inode_lock(inode: wdir);
783	temp = ovl_create_temp(ofs, workdir: c->workdir, attr: &cattr);
784	inode_unlock(inode: wdir);
785	ovl_end_write(dentry: c->dentry);
786	ovl_revert_cu_creds(cc: &cc);
787
788	if (IS_ERR(ptr: temp))
789	return PTR_ERR(ptr: temp);
790
791	/*
792	* Copy up data first and then xattrs. Writing data after
793	* xattrs will remove security.capability xattr automatically.
794	*/
795	path.dentry = temp;
796	err = ovl_copy_up_data(c, temp: &path);
797	/*
798	* We cannot hold lock_rename() throughout this helper, because of
799	* lock ordering with sb_writers, which shouldn't be held when calling
800	* ovl_copy_up_data(), so lock workdir and destdir and make sure that
801	* temp wasn't moved before copy up completion or cleanup.
802	*/
803	ovl_start_write(dentry: c->dentry);
804	trap = lock_rename(c->workdir, c->destdir);
805	if (trap \|\| temp->d_parent != c->workdir) {
806	/ temp or workdir moved underneath us? abort without cleanup /
807	dput(temp);
808	err = -EIO;
809	if (IS_ERR(ptr: trap))
810	goto out;
811	goto unlock;
812	} else if (err) {
813	goto cleanup;
814	}
815
816	err = ovl_copy_up_metadata(c, temp);
817	if (err)
818	goto cleanup;
819
820	if (S_ISDIR(c->stat.mode) && c->indexed) {
821	err = ovl_create_index(dentry: c->dentry, fh: c->origin_fh, upper: temp);
822	if (err)
823	goto cleanup;
824	}
825
826	upper = ovl_lookup_upper(ofs, name: c->destname.name, base: c->destdir,
827	len: c->destname.len);
828	err = PTR_ERR(ptr: upper);
829	if (IS_ERR(ptr: upper))
830	goto cleanup;
831
832	err = ovl_do_rename(ofs, olddir: wdir, olddentry: temp, newdir: udir, newdentry: upper, flags: `0`);
833	dput(upper);
834	if (err)
835	goto cleanup;
836
837	inode = d_inode(dentry: c->dentry);
838	if (c->metacopy_digest)
839	ovl_set_flag(flag: OVL_HAS_DIGEST, inode);
840	else
841	ovl_clear_flag(flag: OVL_HAS_DIGEST, inode);
842	ovl_clear_flag(flag: OVL_VERIFIED_DIGEST, inode);
843
844	if (!c->metacopy)
845	ovl_set_upperdata(inode);
846	ovl_inode_update(inode, upperdentry: temp);
847	if (S_ISDIR(inode->i_mode))
848	ovl_set_flag(flag: OVL_WHITEOUTS, inode);
849	unlock:
850	unlock_rename(c->workdir, c->destdir);
851	out:
852	ovl_end_write(dentry: c->dentry);
853
854	return err;
855
856	cleanup:
857	ovl_cleanup(ofs, dir: wdir, dentry: temp);
858	dput(temp);
859	goto unlock;
860	}
861
862	/ Copyup using O_TMPFILE which does not require cross dir locking /
863	static int ovl_copy_up_tmpfile(struct ovl_copy_up_ctx *c)
864	{
865	struct ovl_fs *ofs = OVL_FS(sb: c->dentry->d_sb);
866	struct inode *udir = d_inode(dentry: c->destdir);
867	struct dentry temp, upper;
868	struct file *tmpfile;
869	struct ovl_cu_creds cc;
870	int err;
871
872	err = ovl_prep_cu_creds(dentry: c->dentry, cc: &cc);
873	if (err)
874	return err;
875
876	ovl_start_write(dentry: c->dentry);
877	tmpfile = ovl_do_tmpfile(ofs, dentry: c->workdir, mode: c->stat.mode);
878	ovl_end_write(dentry: c->dentry);
879	ovl_revert_cu_creds(cc: &cc);
880	if (IS_ERR(ptr: tmpfile))
881	return PTR_ERR(ptr: tmpfile);
882
883	temp = tmpfile->f_path.dentry;
884	if (!c->metacopy && c->stat.size) {
885	err = ovl_copy_up_file(ofs, dentry: c->dentry, new_file: tmpfile, len: c->stat.size,
886	datasync: !c->metadata_fsync);
887	if (err)
888	goto out_fput;
889	}
890
891	ovl_start_write(dentry: c->dentry);
892
893	err = ovl_copy_up_metadata(c, temp);
894	if (err)
895	goto out;
896
897	inode_lock_nested(inode: udir, subclass: I_MUTEX_PARENT);
898
899	upper = ovl_lookup_upper(ofs, name: c->destname.name, base: c->destdir,
900	len: c->destname.len);
901	err = PTR_ERR(ptr: upper);
902	if (!IS_ERR(ptr: upper)) {
903	err = ovl_do_link(ofs, old_dentry: temp, dir: udir, new_dentry: upper);
904	dput(upper);
905	}
906	inode_unlock(inode: udir);
907
908	if (err)
909	goto out;
910
911	if (c->metacopy_digest)
912	ovl_set_flag(flag: OVL_HAS_DIGEST, inode: d_inode(dentry: c->dentry));
913	else
914	ovl_clear_flag(flag: OVL_HAS_DIGEST, inode: d_inode(dentry: c->dentry));
915	ovl_clear_flag(flag: OVL_VERIFIED_DIGEST, inode: d_inode(dentry: c->dentry));
916
917	if (!c->metacopy)
918	ovl_set_upperdata(inode: d_inode(dentry: c->dentry));
919	ovl_inode_update(inode: d_inode(dentry: c->dentry), upperdentry: dget(dentry: temp));
920
921	out:
922	ovl_end_write(dentry: c->dentry);
923	out_fput:
924	fput(tmpfile);
925	return err;
926	}
927
928	/*
929	* Copy up a single dentry
930	*
931	* All renames start with copy up of source if necessary. The actual
932	* rename will only proceed once the copy up was successful. Copy up uses
933	* upper parent i_mutex for exclusion. Since rename can change d_parent it
934	* is possible that the copy up will lock the old parent. At that point
935	* the file will have already been copied up anyway.
936	*/
937	static int ovl_do_copy_up(struct ovl_copy_up_ctx *c)
938	{
939	int err;
940	struct ovl_fs *ofs = OVL_FS(sb: c->dentry->d_sb);
941	struct dentry *origin = c->lowerpath.dentry;
942	struct ovl_fh *fh = NULL;
943	bool to_index = false;
944
945	/*
946	* Indexed non-dir is copied up directly to the index entry and then
947	* hardlinked to upper dir. Indexed dir is copied up to indexdir,
948	* then index entry is created and then copied up dir installed.
949	* Copying dir up to indexdir instead of workdir simplifies locking.
950	*/
951	if (ovl_need_index(dentry: c->dentry)) {
952	c->indexed = true;
953	if (S_ISDIR(c->stat.mode))
954	c->workdir = ovl_indexdir(sb: c->dentry->d_sb);
955	else
956	to_index = true;
957	}
958
959	if (S_ISDIR(c->stat.mode) \|\| c->stat.nlink == `1` \|\| to_index) {
960	fh = ovl_get_origin_fh(ofs, origin);
961	if (IS_ERR(ptr: fh))
962	return PTR_ERR(ptr: fh);
963
964	/ origin_fh may be NULL /
965	c->origin_fh = fh;
966	c->origin = true;
967	}
968
969	if (to_index) {
970	c->destdir = ovl_indexdir(sb: c->dentry->d_sb);
971	err = ovl_get_index_name(ofs, origin, name: &c->destname);
972	if (err)
973	goto out_free_fh;
974	} else if (WARN_ON(!c->parent)) {
975	/ Disconnected dentry must be copied up to index dir /
976	err = -EIO;
977	goto out_free_fh;
978	} else {
979	/*
980	* c->dentry->d_name is stabilzed by ovl_copy_up_start(),
981	* because if we got here, it means that c->dentry has no upper
982	* alias and changing ->d_name means going through ovl_rename()
983	* that will call ovl_copy_up() on source and target dentry.
984	*/
985	c->destname = c->dentry->d_name;
986	/*
987	* Mark parent "impure" because it may now contain non-pure
988	* upper
989	*/
990	ovl_start_write(dentry: c->dentry);
991	err = ovl_set_impure(dentry: c->parent, upperdentry: c->destdir);
992	ovl_end_write(dentry: c->dentry);
993	if (err)
994	goto out_free_fh;
995	}
996
997	/ Should we copyup with O_TMPFILE or with workdir? /
998	if (S_ISREG(c->stat.mode) && ofs->tmpfile)
999	err = ovl_copy_up_tmpfile(c);
1000	else
1001	err = ovl_copy_up_workdir(c);
1002	if (err)
1003	goto out;
1004
1005	if (c->indexed)
1006	ovl_set_flag(flag: OVL_INDEX, inode: d_inode(dentry: c->dentry));
1007
1008	ovl_start_write(dentry: c->dentry);
1009	if (to_index) {
1010	/ Initialize nlink for copy up of disconnected dentry /
1011	err = ovl_set_nlink_upper(dentry: c->dentry);
1012	} else {
1013	struct inode *udir = d_inode(dentry: c->destdir);
1014
1015	/ Restore timestamps on parent (best effort) /
1016	inode_lock(inode: udir);
1017	ovl_set_timestamps(ofs, upperdentry: c->destdir, stat: &c->pstat);
1018	inode_unlock(inode: udir);
1019
1020	ovl_dentry_set_upper_alias(dentry: c->dentry);
1021	ovl_dentry_update_reval(dentry: c->dentry, realdentry: ovl_dentry_upper(dentry: c->dentry));
1022	}
1023	ovl_end_write(dentry: c->dentry);
1024
1025	out:
1026	if (to_index)
1027	kfree(objp: c->destname.name);
1028	out_free_fh:
1029	kfree(objp: fh);
1030	return err;
1031	}
1032
1033	static bool ovl_need_meta_copy_up(struct dentry *dentry, umode_t mode,
1034	int flags)
1035	{
1036	struct ovl_fs *ofs = OVL_FS(sb: dentry->d_sb);
1037
1038	if (!ofs->config.metacopy)
1039	return false;
1040
1041	if (!S_ISREG(mode))
1042	return false;
1043
1044	if (flags && ((OPEN_FMODE(flags) & FMODE_WRITE) \|\| (flags & O_TRUNC)))
1045	return false;
1046
1047	/ Fall back to full copy if no fsverity on source data and we require verity /
1048	if (ofs->config.verity_mode == OVL_VERITY_REQUIRE) {
1049	struct path lowerdata;
1050
1051	ovl_path_lowerdata(dentry, path: &lowerdata);
1052
1053	if (WARN_ON_ONCE(lowerdata.dentry == NULL) \|\|
1054	ovl_ensure_verity_loaded(path: &lowerdata) \|\|
1055	!fsverity_active(inode: d_inode(dentry: lowerdata.dentry))) {
1056	return false;
1057	}
1058	}
1059
1060	return true;
1061	}
1062
1063	static ssize_t ovl_getxattr_value(const struct path path, char* name, char* **value)
1064	{
1065	ssize_t res;
1066	char *buf;
1067
1068	res = ovl_do_getxattr(path, name, NULL, size: `0`);
1069	if (res == -ENODATA \|\| res == -EOPNOTSUPP)
1070	res = `0`;
1071
1072	if (res > `0`) {
1073	buf = kzalloc(res, GFP_KERNEL);
1074	if (!buf)
1075	return -ENOMEM;
1076
1077	res = ovl_do_getxattr(path, name, value: buf, size: res);
1078	if (res < `0`)
1079	kfree(objp: buf);
1080	else
1081	*value = buf;
1082	}
1083	return res;
1084	}
1085
1086	/ Copy up data of an inode which was copied up metadata only in the past. /
1087	static int ovl_copy_up_meta_inode_data(struct ovl_copy_up_ctx *c)
1088	{
1089	struct ovl_fs *ofs = OVL_FS(sb: c->dentry->d_sb);
1090	struct path upperpath;
1091	int err;
1092	char *capability = NULL;
1093	ssize_t cap_size;
1094
1095	ovl_path_upper(dentry: c->dentry, path: &upperpath);
1096	if (WARN_ON(upperpath.dentry == NULL))
1097	return -EIO;
1098
1099	if (c->stat.size) {
1100	err = cap_size = ovl_getxattr_value(path: &upperpath, XATTR_NAME_CAPS,
1101	value: &capability);
1102	if (cap_size < `0`)
1103	goto out;
1104	}
1105
1106	err = ovl_copy_up_data(c, temp: &upperpath);
1107	if (err)
1108	goto out_free;
1109
1110	/*
1111	* Writing to upper file will clear security.capability xattr. We
1112	* don't want that to happen for normal copy-up operation.
1113	*/
1114	ovl_start_write(dentry: c->dentry);
1115	if (capability) {
1116	err = ovl_do_setxattr(ofs, dentry: upperpath.dentry, XATTR_NAME_CAPS,
1117	value: capability, size: cap_size, flags: `0`);
1118	}
1119	if (!err) {
1120	err = ovl_removexattr(ofs, dentry: upperpath.dentry,
1121	ox: OVL_XATTR_METACOPY);
1122	}
1123	ovl_end_write(dentry: c->dentry);
1124	if (err)
1125	goto out_free;
1126
1127	ovl_clear_flag(flag: OVL_HAS_DIGEST, inode: d_inode(dentry: c->dentry));
1128	ovl_clear_flag(flag: OVL_VERIFIED_DIGEST, inode: d_inode(dentry: c->dentry));
1129	ovl_set_upperdata(inode: d_inode(dentry: c->dentry));
1130	out_free:
1131	kfree(objp: capability);
1132	out:
1133	return err;
1134	}
1135
1136	static int ovl_copy_up_one(struct dentry parent, struct* dentry *dentry,
1137	int flags)
1138	{
1139	int err;
1140	DEFINE_DELAYED_CALL(done);
1141	struct path parentpath;
1142	struct ovl_copy_up_ctx ctx = {
1143	.parent = parent,
1144	.dentry = dentry,
1145	.workdir = ovl_workdir(dentry),
1146	};
1147
1148	if (WARN_ON(!ctx.workdir))
1149	return -EROFS;
1150
1151	ovl_path_lower(dentry, path: &ctx.lowerpath);
1152	err = vfs_getattr(&ctx.lowerpath, &ctx.stat,
1153	STATX_BASIC_STATS, AT_STATX_SYNC_AS_STAT);
1154	if (err)
1155	return err;
1156
1157	if (!kuid_has_mapping(current_user_ns(), uid: ctx.stat.uid) \|\|
1158	!kgid_has_mapping(current_user_ns(), gid: ctx.stat.gid))
1159	return -EOVERFLOW;
1160
1161	/*
1162	* With metacopy disabled, we fsync after final metadata copyup, for
1163	* both regular files and directories to get atomic copyup semantics
1164	* on filesystems that do not use strict metadata ordering (e.g. ubifs).
1165	*
1166	* With metacopy enabled we want to avoid fsync on all meta copyup
1167	* that will hurt performance of workloads such as chown -R, so we
1168	* only fsync on data copyup as legacy behavior.
1169	*/
1170	ctx.metadata_fsync = !OVL_FS(sb: dentry->d_sb)->config.metacopy &&
1171	(S_ISREG(ctx.stat.mode) \|\| S_ISDIR(ctx.stat.mode));
1172	ctx.metacopy = ovl_need_meta_copy_up(dentry, mode: ctx.stat.mode, flags);
1173
1174	if (parent) {
1175	ovl_path_upper(dentry: parent, path: &parentpath);
1176	ctx.destdir = parentpath.dentry;
1177
1178	err = vfs_getattr(&parentpath, &ctx.pstat,
1179	STATX_ATIME \| STATX_MTIME,
1180	AT_STATX_SYNC_AS_STAT);
1181	if (err)
1182	return err;
1183	}
1184
1185	/ maybe truncate regular file. this has no effect on dirs /
1186	if (flags & O_TRUNC)
1187	ctx.stat.size = `0`;
1188
1189	if (S_ISLNK(ctx.stat.mode)) {
1190	ctx.link = vfs_get_link(ctx.lowerpath.dentry, &done);
1191	if (IS_ERR(ptr: ctx.link))
1192	return PTR_ERR(ptr: ctx.link);
1193	}
1194
1195	err = ovl_copy_up_start(dentry, flags);
1196	/ err < 0: interrupted, err > 0: raced with another copy-up /
1197	if (unlikely(err)) {
1198	if (err > `0`)
1199	err = `0`;
1200	} else {
1201	if (!ovl_dentry_upper(dentry))
1202	err = ovl_do_copy_up(c: &ctx);
1203	if (!err && parent && !ovl_dentry_has_upper_alias(dentry))
1204	err = ovl_link_up(c: &ctx);
1205	if (!err && ovl_dentry_needs_data_copy_up_locked(dentry, flags))
1206	err = ovl_copy_up_meta_inode_data(c: &ctx);
1207	ovl_copy_up_end(dentry);
1208	}
1209	do_delayed_call(call: &done);
1210
1211	return err;
1212	}
1213
1214	static int ovl_copy_up_flags(struct dentry dentry, int* flags)
1215	{
1216	int err = `0`;
1217	const struct cred *old_cred;
1218	bool disconnected = (dentry->d_flags & DCACHE_DISCONNECTED);
1219
1220	/*
1221	* With NFS export, copy up can get called for a disconnected non-dir.
1222	* In this case, we will copy up lower inode to index dir without
1223	* linking it to upper dir.
1224	*/
1225	if (WARN_ON(disconnected && d_is_dir(dentry)))
1226	return -EIO;
1227
1228	/*
1229	* We may not need lowerdata if we are only doing metacopy up, but it is
1230	* not very important to optimize this case, so do lazy lowerdata lookup
1231	* before any copy up, so we can do it before taking ovl_inode_lock().
1232	*/
1233	err = ovl_verify_lowerdata(dentry);
1234	if (err)
1235	return err;
1236
1237	old_cred = ovl_override_creds(sb: dentry->d_sb);
1238	while (!err) {
1239	struct dentry *next;
1240	struct dentry *parent = NULL;
1241
1242	if (ovl_already_copied_up(dentry, flags))
1243	break;
1244
1245	next = dget(dentry);
1246	/ find the topmost dentry not yet copied up /
1247	for (; !disconnected;) {
1248	parent = dget_parent(dentry: next);
1249
1250	if (ovl_dentry_upper(dentry: parent))
1251	break;
1252
1253	dput(next);
1254	next = parent;
1255	}
1256
1257	err = ovl_copy_up_one(parent, dentry: next, flags);
1258
1259	dput(parent);
1260	dput(next);
1261	}
1262	ovl_revert_creds(old_cred);
1263
1264	return err;
1265	}
1266
1267	static bool ovl_open_need_copy_up(struct dentry dentry, int* flags)
1268	{
1269	/ Copy up of disconnected dentry does not set upper alias /
1270	if (ovl_already_copied_up(dentry, flags))
1271	return false;
1272
1273	if (special_file(d_inode(dentry)->i_mode))
1274	return false;
1275
1276	if (!ovl_open_flags_need_copy_up(flags))
1277	return false;
1278
1279	return true;
1280	}
1281
1282	int ovl_maybe_copy_up(struct dentry dentry, int* flags)
1283	{
1284	if (!ovl_open_need_copy_up(dentry, flags))
1285	return `0`;
1286
1287	return ovl_copy_up_flags(dentry, flags);
1288	}
1289
1290	int ovl_copy_up_with_data(struct dentry *dentry)
1291	{
1292	return ovl_copy_up_flags(dentry, O_WRONLY);
1293	}
1294
1295	int ovl_copy_up(struct dentry *dentry)
1296	{
1297	return ovl_copy_up_flags(dentry, flags: `0`);
1298	}
1299

source code of linux/fs/overlayfs/copy_up.c