Commit e8f9e5b7 authored by Amir Goldstein's avatar Amir Goldstein Committed by Miklos Szeredi

ovl: verify directory index entries on mount

Directory index entries should have 'upper' xattr pointing to the real
upper dir. Verifying that the upper dir file handle is not stale is
expensive, so only verify stale directory index entries on mount if
NFS export feature is enabled.
Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
parent 7db25d36
...@@ -3527,6 +3527,7 @@ bool is_subdir(struct dentry *new_dentry, struct dentry *old_dentry) ...@@ -3527,6 +3527,7 @@ bool is_subdir(struct dentry *new_dentry, struct dentry *old_dentry)
return result; return result;
} }
EXPORT_SYMBOL(is_subdir);
static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
{ {
......
...@@ -84,7 +84,19 @@ static int ovl_check_redirect(struct dentry *dentry, struct ovl_lookup_data *d, ...@@ -84,7 +84,19 @@ static int ovl_check_redirect(struct dentry *dentry, struct ovl_lookup_data *d,
static int ovl_acceptable(void *ctx, struct dentry *dentry) static int ovl_acceptable(void *ctx, struct dentry *dentry)
{ {
return 1; /*
* A non-dir origin may be disconnected, which is fine, because
* we only need it for its unique inode number.
*/
if (!d_is_dir(dentry))
return 1;
/* Don't decode a deleted empty directory */
if (d_unhashed(dentry))
return 0;
/* Check if directory belongs to the layer we are decoding from */
return is_subdir(dentry, ((struct vfsmount *)ctx)->mnt_root);
} }
/* /*
...@@ -160,7 +172,7 @@ static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name) ...@@ -160,7 +172,7 @@ static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name)
static struct dentry *ovl_decode_fh(struct ovl_fh *fh, struct vfsmount *mnt) static struct dentry *ovl_decode_fh(struct ovl_fh *fh, struct vfsmount *mnt)
{ {
struct dentry *origin; struct dentry *real;
int bytes; int bytes;
/* /*
...@@ -171,22 +183,28 @@ static struct dentry *ovl_decode_fh(struct ovl_fh *fh, struct vfsmount *mnt) ...@@ -171,22 +183,28 @@ static struct dentry *ovl_decode_fh(struct ovl_fh *fh, struct vfsmount *mnt)
return NULL; return NULL;
bytes = (fh->len - offsetof(struct ovl_fh, fid)); bytes = (fh->len - offsetof(struct ovl_fh, fid));
origin = exportfs_decode_fh(mnt, (struct fid *)fh->fid, real = exportfs_decode_fh(mnt, (struct fid *)fh->fid,
bytes >> 2, (int)fh->type, bytes >> 2, (int)fh->type,
ovl_acceptable, NULL); ovl_acceptable, mnt);
if (IS_ERR(origin)) { if (IS_ERR(real)) {
/* Treat stale file handle as "origin unknown" */ /*
if (origin == ERR_PTR(-ESTALE)) * Treat stale file handle to lower file as "origin unknown".
origin = NULL; * upper file handle could become stale when upper file is
return origin; * unlinked and this information is needed to handle stale
* index entries correctly.
*/
if (real == ERR_PTR(-ESTALE) &&
!(fh->flags & OVL_FH_FLAG_PATH_UPPER))
real = NULL;
return real;
} }
if (ovl_dentry_weird(origin)) { if (ovl_dentry_weird(real)) {
dput(origin); dput(real);
return NULL; return NULL;
} }
return origin; return real;
} }
static bool ovl_is_opaquedir(struct dentry *dentry) static bool ovl_is_opaquedir(struct dentry *dentry)
...@@ -420,6 +438,35 @@ int ovl_verify_set_fh(struct dentry *dentry, const char *name, ...@@ -420,6 +438,35 @@ int ovl_verify_set_fh(struct dentry *dentry, const char *name,
goto out; goto out;
} }
/* Get upper dentry from index */
static struct dentry *ovl_index_upper(struct ovl_fs *ofs, struct dentry *index)
{
struct ovl_fh *fh;
struct dentry *upper;
if (!d_is_dir(index))
return dget(index);
fh = ovl_get_fh(index, OVL_XATTR_UPPER);
if (IS_ERR_OR_NULL(fh))
return ERR_CAST(fh);
upper = ovl_decode_fh(fh, ofs->upper_mnt);
kfree(fh);
if (IS_ERR_OR_NULL(upper))
return upper ?: ERR_PTR(-ESTALE);
if (!d_is_dir(upper)) {
pr_warn_ratelimited("overlayfs: invalid index upper (%pd2, upper=%pd2).\n",
index, upper);
dput(upper);
return ERR_PTR(-EIO);
}
return upper;
}
/* /*
* Verify that an index entry name matches the origin file handle stored in * Verify that an index entry name matches the origin file handle stored in
* OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path. * OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path.
...@@ -431,23 +478,13 @@ int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index) ...@@ -431,23 +478,13 @@ int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index)
size_t len; size_t len;
struct ovl_path origin = { }; struct ovl_path origin = { };
struct ovl_path *stack = &origin; struct ovl_path *stack = &origin;
struct dentry *upper = NULL;
int err; int err;
if (!d_inode(index)) if (!d_inode(index))
return 0; return 0;
/*
* Directory index entries are going to be used for looking up
* redirected upper dirs by lower dir fh when decoding an overlay
* file handle of a merge dir. We don't know the verification rules
* for directory index entries, because they have not been implemented
* yet, so return EINVAL if those entries are found to abort the mount
* and to avoid corrupting an index that was created by a newer kernel.
*/
err = -EINVAL; err = -EINVAL;
if (d_is_dir(index))
goto fail;
if (index->d_name.len < sizeof(struct ovl_fh)*2) if (index->d_name.len < sizeof(struct ovl_fh)*2)
goto fail; goto fail;
...@@ -473,21 +510,45 @@ int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index) ...@@ -473,21 +510,45 @@ int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index)
if (ovl_is_whiteout(index)) if (ovl_is_whiteout(index))
goto out; goto out;
err = ovl_verify_fh(index, OVL_XATTR_ORIGIN, fh); /*
if (err) * Verifying directory index entries are not stale is expensive, so
* only verify stale dir index if NFS export is enabled.
*/
if (d_is_dir(index) && !ofs->config.nfs_export)
goto out;
/*
* Directory index entries should have 'upper' xattr pointing to the
* real upper dir. Non-dir index entries are hardlinks to the upper
* real inode. For non-dir index, we can read the copy up origin xattr
* directly from the index dentry, but for dir index we first need to
* decode the upper directory.
*/
upper = ovl_index_upper(ofs, index);
if (IS_ERR_OR_NULL(upper)) {
err = PTR_ERR(upper);
if (!err)
err = -ESTALE;
goto fail; goto fail;
}
err = ovl_check_origin_fh(ofs, fh, index, &stack); err = ovl_verify_fh(upper, OVL_XATTR_ORIGIN, fh);
dput(upper);
if (err) if (err)
goto fail; goto fail;
/* Check if index is orphan and don't warn before cleaning it */ /* Check if non-dir index is orphan and don't warn before cleaning it */
if (d_inode(index)->i_nlink == 1 && if (!d_is_dir(index) && d_inode(index)->i_nlink == 1) {
ovl_get_nlink(origin.dentry, index, 0) == 0) err = ovl_check_origin_fh(ofs, fh, index, &stack);
err = -ENOENT; if (err)
goto fail;
if (ovl_get_nlink(origin.dentry, index, 0) == 0)
err = -ENOENT;
}
dput(origin.dentry);
out: out:
dput(origin.dentry);
kfree(fh); kfree(fh);
return err; return err;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment