1 // SPDX-License-Identifier: GPL-2.0-only
4 * Copyright (C) 2011 Novell Inc.
7 #include <uapi/linux/magic.h>
9 #include <linux/namei.h>
10 #include <linux/xattr.h>
11 #include <linux/mount.h>
12 #include <linux/parser.h>
13 #include <linux/module.h>
14 #include <linux/statfs.h>
15 #include <linux/seq_file.h>
16 #include <linux/posix_acl_xattr.h>
17 #include <linux/exportfs.h>
18 #include <linux/file.h>
19 #include <linux/fs_context.h>
20 #include <linux/fs_parser.h>
21 #include "overlayfs.h"
24 MODULE_AUTHOR("Miklos Szeredi <miklos@szeredi.hu>");
25 MODULE_DESCRIPTION("Overlay filesystem");
26 MODULE_LICENSE("GPL");
31 static struct dentry *ovl_d_real(struct dentry *dentry,
32 const struct inode *inode)
34 struct dentry *real = NULL, *lower;
38 * vfs is only expected to call d_real() with NULL from d_real_inode()
39 * and with overlay inode from file_dentry() on an overlay file.
41 * TODO: remove @inode argument from d_real() API, remove code in this
42 * function that deals with non-NULL @inode and remove d_real() call
45 if (inode && d_inode(dentry) == inode)
50 if (!d_is_reg(dentry)) {
51 /* d_real_inode() is only relevant for regular files */
55 real = ovl_dentry_upper(dentry);
56 if (real && (inode == d_inode(real)))
59 if (real && !inode && ovl_has_upperdata(d_inode(dentry)))
63 * Best effort lazy lookup of lowerdata for !inode case to return
64 * the real lowerdata dentry. The only current caller of d_real() with
65 * NULL inode is d_real_inode() from trace_uprobe and this caller is
66 * likely going to be followed reading from the file, before placing
67 * uprobes on offset within the file, so lowerdata should be available
68 * when setting the uprobe.
70 err = ovl_verify_lowerdata(dentry);
73 lower = ovl_dentry_lowerdata(dentry);
78 /* Handle recursion */
79 real = d_real(real, inode);
81 if (!inode || inode == d_inode(real))
84 WARN(1, "%s(%pd4, %s:%lu): real dentry (%p/%lu) not found\n",
85 __func__, dentry, inode ? inode->i_sb->s_id : "NULL",
86 inode ? inode->i_ino : 0, real,
87 real && d_inode(real) ? d_inode(real)->i_ino : 0);
91 static int ovl_revalidate_real(struct dentry *d, unsigned int flags, bool weak)
99 if (d->d_flags & DCACHE_OP_WEAK_REVALIDATE)
100 ret = d->d_op->d_weak_revalidate(d, flags);
101 } else if (d->d_flags & DCACHE_OP_REVALIDATE) {
102 ret = d->d_op->d_revalidate(d, flags);
104 if (!(flags & LOOKUP_RCU))
112 static int ovl_dentry_revalidate_common(struct dentry *dentry,
113 unsigned int flags, bool weak)
115 struct ovl_entry *oe = OVL_E(dentry);
116 struct ovl_path *lowerstack = ovl_lowerstack(oe);
117 struct inode *inode = d_inode_rcu(dentry);
118 struct dentry *upper;
122 /* Careful in RCU mode */
126 upper = ovl_i_dentry_upper(inode);
128 ret = ovl_revalidate_real(upper, flags, weak);
130 for (i = 0; ret > 0 && i < ovl_numlower(oe); i++)
131 ret = ovl_revalidate_real(lowerstack[i].dentry, flags, weak);
136 static int ovl_dentry_revalidate(struct dentry *dentry, unsigned int flags)
138 return ovl_dentry_revalidate_common(dentry, flags, false);
141 static int ovl_dentry_weak_revalidate(struct dentry *dentry, unsigned int flags)
143 return ovl_dentry_revalidate_common(dentry, flags, true);
146 static const struct dentry_operations ovl_dentry_operations = {
147 .d_real = ovl_d_real,
148 .d_revalidate = ovl_dentry_revalidate,
149 .d_weak_revalidate = ovl_dentry_weak_revalidate,
152 static struct kmem_cache *ovl_inode_cachep;
154 static struct inode *ovl_alloc_inode(struct super_block *sb)
156 struct ovl_inode *oi = alloc_inode_sb(sb, ovl_inode_cachep, GFP_KERNEL);
165 oi->__upperdentry = NULL;
166 oi->lowerdata_redirect = NULL;
168 mutex_init(&oi->lock);
170 return &oi->vfs_inode;
173 static void ovl_free_inode(struct inode *inode)
175 struct ovl_inode *oi = OVL_I(inode);
178 mutex_destroy(&oi->lock);
179 kmem_cache_free(ovl_inode_cachep, oi);
182 static void ovl_destroy_inode(struct inode *inode)
184 struct ovl_inode *oi = OVL_I(inode);
186 dput(oi->__upperdentry);
187 ovl_free_entry(oi->oe);
188 if (S_ISDIR(inode->i_mode))
189 ovl_dir_cache_free(inode);
191 kfree(oi->lowerdata_redirect);
194 static void ovl_put_super(struct super_block *sb)
196 struct ovl_fs *ofs = OVL_FS(sb);
202 /* Sync real dirty inodes in upper filesystem (if it exists) */
203 static int ovl_sync_fs(struct super_block *sb, int wait)
205 struct ovl_fs *ofs = OVL_FS(sb);
206 struct super_block *upper_sb;
209 ret = ovl_sync_status(ofs);
211 * We have to always set the err, because the return value isn't
212 * checked in syncfs, and instead indirectly return an error via
213 * the sb's writeback errseq, which VFS inspects after this call.
216 errseq_set(&sb->s_wb_err, -EIO);
224 * Not called for sync(2) call or an emergency sync (SB_I_SKIP_SYNC).
225 * All the super blocks will be iterated, including upper_sb.
227 * If this is a syncfs(2) call, then we do need to call
228 * sync_filesystem() on upper_sb, but enough if we do it when being
229 * called with wait == 1.
234 upper_sb = ovl_upper_mnt(ofs)->mnt_sb;
236 down_read(&upper_sb->s_umount);
237 ret = sync_filesystem(upper_sb);
238 up_read(&upper_sb->s_umount);
245 * @dentry: The dentry to query
246 * @buf: The struct kstatfs to fill in with stats
248 * Get the filesystem statistics. As writes always target the upper layer
249 * filesystem pass the statfs to the upper filesystem (if it exists)
251 static int ovl_statfs(struct dentry *dentry, struct kstatfs *buf)
253 struct super_block *sb = dentry->d_sb;
254 struct ovl_fs *ofs = OVL_FS(sb);
255 struct dentry *root_dentry = sb->s_root;
259 ovl_path_real(root_dentry, &path);
261 err = vfs_statfs(&path, buf);
263 buf->f_namelen = ofs->namelen;
264 buf->f_type = OVERLAYFS_SUPER_MAGIC;
265 if (ovl_has_fsid(ofs))
266 buf->f_fsid = uuid_to_fsid(sb->s_uuid.b);
272 static const struct super_operations ovl_super_operations = {
273 .alloc_inode = ovl_alloc_inode,
274 .free_inode = ovl_free_inode,
275 .destroy_inode = ovl_destroy_inode,
276 .drop_inode = generic_delete_inode,
277 .put_super = ovl_put_super,
278 .sync_fs = ovl_sync_fs,
279 .statfs = ovl_statfs,
280 .show_options = ovl_show_options,
283 #define OVL_WORKDIR_NAME "work"
284 #define OVL_INDEXDIR_NAME "index"
286 static struct dentry *ovl_workdir_create(struct ovl_fs *ofs,
287 const char *name, bool persist)
289 struct inode *dir = ofs->workbasedir->d_inode;
290 struct vfsmount *mnt = ovl_upper_mnt(ofs);
293 bool retried = false;
295 inode_lock_nested(dir, I_MUTEX_PARENT);
297 work = ovl_lookup_upper(ofs, name, ofs->workbasedir, strlen(name));
300 struct iattr attr = {
301 .ia_valid = ATTR_MODE,
302 .ia_mode = S_IFDIR | 0,
314 err = ovl_workdir_cleanup(ofs, dir, mnt, work, 0);
316 if (err == -EINVAL) {
323 err = ovl_mkdir_real(ofs, dir, &work, attr.ia_mode);
327 /* Weird filesystem returning with hashed negative (kernfs)? */
329 if (d_really_is_negative(work))
333 * Try to remove POSIX ACL xattrs from workdir. We are good if:
335 * a) success (there was a POSIX ACL xattr and was removed)
336 * b) -ENODATA (there was no POSIX ACL xattr)
337 * c) -EOPNOTSUPP (POSIX ACL xattrs are not supported)
339 * There are various other error values that could effectively
340 * mean that the xattr doesn't exist (e.g. -ERANGE is returned
341 * if the xattr name is too long), but the set of filesystems
342 * allowed as upper are limited to "normal" ones, where checking
343 * for the above two errors is sufficient.
345 err = ovl_do_remove_acl(ofs, work, XATTR_NAME_POSIX_ACL_DEFAULT);
346 if (err && err != -ENODATA && err != -EOPNOTSUPP)
349 err = ovl_do_remove_acl(ofs, work, XATTR_NAME_POSIX_ACL_ACCESS);
350 if (err && err != -ENODATA && err != -EOPNOTSUPP)
353 /* Clear any inherited mode bits */
354 inode_lock(work->d_inode);
355 err = ovl_do_notify_change(ofs, work, &attr);
356 inode_unlock(work->d_inode);
370 pr_warn("failed to create directory %s/%s (errno: %i); mounting read-only\n",
371 ofs->config.workdir, name, -err);
376 static int ovl_check_namelen(const struct path *path, struct ovl_fs *ofs,
379 struct kstatfs statfs;
380 int err = vfs_statfs(path, &statfs);
383 pr_err("statfs failed on '%s'\n", name);
385 ofs->namelen = max(ofs->namelen, statfs.f_namelen);
390 static int ovl_lower_dir(const char *name, struct path *path,
391 struct ovl_fs *ofs, int *stack_depth)
396 err = ovl_check_namelen(path, ofs, name);
400 *stack_depth = max(*stack_depth, path->mnt->mnt_sb->s_stack_depth);
403 * The inodes index feature and NFS export need to encode and decode
404 * file handles, so they require that all layers support them.
406 fh_type = ovl_can_decode_fh(path->dentry->d_sb);
407 if ((ofs->config.nfs_export ||
408 (ofs->config.index && ofs->config.upperdir)) && !fh_type) {
409 ofs->config.index = false;
410 ofs->config.nfs_export = false;
411 pr_warn("fs on '%s' does not support file handles, falling back to index=off,nfs_export=off.\n",
414 ofs->nofh |= !fh_type;
416 * Decoding origin file handle is required for persistent st_ino.
417 * Without persistent st_ino, xino=auto falls back to xino=off.
419 if (ofs->config.xino == OVL_XINO_AUTO &&
420 ofs->config.upperdir && !fh_type) {
421 ofs->config.xino = OVL_XINO_OFF;
422 pr_warn("fs on '%s' does not support file handles, falling back to xino=off.\n",
426 /* Check if lower fs has 32bit inode numbers */
427 if (fh_type != FILEID_INO32_GEN)
433 /* Workdir should not be subdir of upperdir and vice versa */
434 static bool ovl_workdir_ok(struct dentry *workdir, struct dentry *upperdir)
438 if (workdir != upperdir) {
439 ok = (lock_rename(workdir, upperdir) == NULL);
440 unlock_rename(workdir, upperdir);
445 static int ovl_own_xattr_get(const struct xattr_handler *handler,
446 struct dentry *dentry, struct inode *inode,
447 const char *name, void *buffer, size_t size)
452 static int ovl_own_xattr_set(const struct xattr_handler *handler,
453 struct mnt_idmap *idmap,
454 struct dentry *dentry, struct inode *inode,
455 const char *name, const void *value,
456 size_t size, int flags)
461 static int ovl_other_xattr_get(const struct xattr_handler *handler,
462 struct dentry *dentry, struct inode *inode,
463 const char *name, void *buffer, size_t size)
465 return ovl_xattr_get(dentry, inode, name, buffer, size);
468 static int ovl_other_xattr_set(const struct xattr_handler *handler,
469 struct mnt_idmap *idmap,
470 struct dentry *dentry, struct inode *inode,
471 const char *name, const void *value,
472 size_t size, int flags)
474 return ovl_xattr_set(dentry, inode, name, value, size, flags);
477 static const struct xattr_handler ovl_own_trusted_xattr_handler = {
478 .prefix = OVL_XATTR_TRUSTED_PREFIX,
479 .get = ovl_own_xattr_get,
480 .set = ovl_own_xattr_set,
483 static const struct xattr_handler ovl_own_user_xattr_handler = {
484 .prefix = OVL_XATTR_USER_PREFIX,
485 .get = ovl_own_xattr_get,
486 .set = ovl_own_xattr_set,
489 static const struct xattr_handler ovl_other_xattr_handler = {
490 .prefix = "", /* catch all */
491 .get = ovl_other_xattr_get,
492 .set = ovl_other_xattr_set,
495 static const struct xattr_handler *ovl_trusted_xattr_handlers[] = {
496 &ovl_own_trusted_xattr_handler,
497 &ovl_other_xattr_handler,
501 static const struct xattr_handler *ovl_user_xattr_handlers[] = {
502 &ovl_own_user_xattr_handler,
503 &ovl_other_xattr_handler,
507 static int ovl_setup_trap(struct super_block *sb, struct dentry *dir,
508 struct inode **ptrap, const char *name)
513 trap = ovl_get_trap_inode(sb, dir);
514 err = PTR_ERR_OR_ZERO(trap);
517 pr_err("conflicting %s path\n", name);
526 * Determine how we treat concurrent use of upperdir/workdir based on the
527 * index feature. This is papering over mount leaks of container runtimes,
528 * for example, an old overlay mount is leaked and now its upperdir is
529 * attempted to be used as a lower layer in a new overlay mount.
531 static int ovl_report_in_use(struct ovl_fs *ofs, const char *name)
533 if (ofs->config.index) {
534 pr_err("%s is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.\n",
538 pr_warn("%s is in-use as upperdir/workdir of another mount, accessing files from both mounts will result in undefined behavior.\n",
544 static int ovl_get_upper(struct super_block *sb, struct ovl_fs *ofs,
545 struct ovl_layer *upper_layer,
546 const struct path *upperpath)
548 struct vfsmount *upper_mnt;
551 /* Upperdir path should not be r/o */
552 if (__mnt_is_readonly(upperpath->mnt)) {
553 pr_err("upper fs is r/o, try multi-lower layers mount\n");
558 err = ovl_check_namelen(upperpath, ofs, ofs->config.upperdir);
562 err = ovl_setup_trap(sb, upperpath->dentry, &upper_layer->trap,
567 upper_mnt = clone_private_mount(upperpath);
568 err = PTR_ERR(upper_mnt);
569 if (IS_ERR(upper_mnt)) {
570 pr_err("failed to clone upperpath\n");
574 /* Don't inherit atime flags */
575 upper_mnt->mnt_flags &= ~(MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME);
576 upper_layer->mnt = upper_mnt;
577 upper_layer->idx = 0;
578 upper_layer->fsid = 0;
581 upper_layer->name = kstrdup(ofs->config.upperdir, GFP_KERNEL);
582 if (!upper_layer->name)
586 * Inherit SB_NOSEC flag from upperdir.
588 * This optimization changes behavior when a security related attribute
589 * (suid/sgid/security.*) is changed on an underlying layer. This is
590 * okay because we don't yet have guarantees in that case, but it will
591 * need careful treatment once we want to honour changes to underlying
594 if (upper_mnt->mnt_sb->s_flags & SB_NOSEC)
595 sb->s_flags |= SB_NOSEC;
597 if (ovl_inuse_trylock(ovl_upper_mnt(ofs)->mnt_root)) {
598 ofs->upperdir_locked = true;
600 err = ovl_report_in_use(ofs, "upperdir");
611 * Returns 1 if RENAME_WHITEOUT is supported, 0 if not supported and
612 * negative values if error is encountered.
614 static int ovl_check_rename_whiteout(struct ovl_fs *ofs)
616 struct dentry *workdir = ofs->workdir;
617 struct inode *dir = d_inode(workdir);
620 struct dentry *whiteout;
621 struct name_snapshot name;
624 inode_lock_nested(dir, I_MUTEX_PARENT);
626 temp = ovl_create_temp(ofs, workdir, OVL_CATTR(S_IFREG | 0));
631 dest = ovl_lookup_temp(ofs, workdir);
638 /* Name is inline and stable - using snapshot as a copy helper */
639 take_dentry_name_snapshot(&name, temp);
640 err = ovl_do_rename(ofs, dir, temp, dir, dest, RENAME_WHITEOUT);
647 whiteout = ovl_lookup_upper(ofs, name.name.name, workdir, name.name.len);
648 err = PTR_ERR(whiteout);
649 if (IS_ERR(whiteout))
652 err = ovl_is_whiteout(whiteout);
654 /* Best effort cleanup of whiteout and temp file */
656 ovl_cleanup(ofs, dir, whiteout);
660 ovl_cleanup(ofs, dir, temp);
661 release_dentry_name_snapshot(&name);
671 static struct dentry *ovl_lookup_or_create(struct ovl_fs *ofs,
672 struct dentry *parent,
673 const char *name, umode_t mode)
675 size_t len = strlen(name);
676 struct dentry *child;
678 inode_lock_nested(parent->d_inode, I_MUTEX_PARENT);
679 child = ovl_lookup_upper(ofs, name, parent, len);
680 if (!IS_ERR(child) && !child->d_inode)
681 child = ovl_create_real(ofs, parent->d_inode, child,
683 inode_unlock(parent->d_inode);
690 * Creates $workdir/work/incompat/volatile/dirty file if it is not already
693 static int ovl_create_volatile_dirty(struct ovl_fs *ofs)
696 struct dentry *d = dget(ofs->workbasedir);
697 static const char *const volatile_path[] = {
698 OVL_WORKDIR_NAME, "incompat", "volatile", "dirty"
700 const char *const *name = volatile_path;
702 for (ctr = ARRAY_SIZE(volatile_path); ctr; ctr--, name++) {
703 d = ovl_lookup_or_create(ofs, d, *name, ctr > 1 ? S_IFDIR : S_IFREG);
711 static int ovl_make_workdir(struct super_block *sb, struct ovl_fs *ofs,
712 const struct path *workpath)
714 struct vfsmount *mnt = ovl_upper_mnt(ofs);
715 struct dentry *workdir;
716 struct file *tmpfile;
717 bool rename_whiteout;
722 err = mnt_want_write(mnt);
726 workdir = ovl_workdir_create(ofs, OVL_WORKDIR_NAME, false);
727 err = PTR_ERR(workdir);
728 if (IS_ERR_OR_NULL(workdir))
731 ofs->workdir = workdir;
733 err = ovl_setup_trap(sb, ofs->workdir, &ofs->workdir_trap, "workdir");
738 * Upper should support d_type, else whiteouts are visible. Given
739 * workdir and upper are on same fs, we can do iterate_dir() on
740 * workdir. This check requires successful creation of workdir in
743 err = ovl_check_d_type_supported(workpath);
749 pr_warn("upper fs needs to support d_type.\n");
751 /* Check if upper/work fs supports O_TMPFILE */
752 tmpfile = ovl_do_tmpfile(ofs, ofs->workdir, S_IFREG | 0);
753 ofs->tmpfile = !IS_ERR(tmpfile);
757 pr_warn("upper fs does not support tmpfile.\n");
760 /* Check if upper/work fs supports RENAME_WHITEOUT */
761 err = ovl_check_rename_whiteout(ofs);
765 rename_whiteout = err;
766 if (!rename_whiteout)
767 pr_warn("upper fs does not support RENAME_WHITEOUT.\n");
770 * Check if upper/work fs supports (trusted|user).overlay.* xattr
772 err = ovl_setxattr(ofs, ofs->workdir, OVL_XATTR_OPAQUE, "0", 1);
774 pr_warn("failed to set xattr on upper\n");
776 if (ovl_redirect_follow(ofs)) {
777 ofs->config.redirect_mode = OVL_REDIRECT_NOFOLLOW;
778 pr_warn("...falling back to redirect_dir=nofollow.\n");
780 if (ofs->config.metacopy) {
781 ofs->config.metacopy = false;
782 pr_warn("...falling back to metacopy=off.\n");
784 if (ofs->config.index) {
785 ofs->config.index = false;
786 pr_warn("...falling back to index=off.\n");
788 if (ovl_has_fsid(ofs)) {
789 ofs->config.uuid = OVL_UUID_NULL;
790 pr_warn("...falling back to uuid=null.\n");
793 * xattr support is required for persistent st_ino.
794 * Without persistent st_ino, xino=auto falls back to xino=off.
796 if (ofs->config.xino == OVL_XINO_AUTO) {
797 ofs->config.xino = OVL_XINO_OFF;
798 pr_warn("...falling back to xino=off.\n");
800 if (err == -EPERM && !ofs->config.userxattr)
801 pr_info("try mounting with 'userxattr' option\n");
804 ovl_removexattr(ofs, ofs->workdir, OVL_XATTR_OPAQUE);
808 * We allowed sub-optimal upper fs configuration and don't want to break
809 * users over kernel upgrade, but we never allowed remote upper fs, so
810 * we can enforce strict requirements for remote upper fs.
812 if (ovl_dentry_remote(ofs->workdir) &&
813 (!d_type || !rename_whiteout || ofs->noxattr)) {
814 pr_err("upper fs missing required features.\n");
820 * For volatile mount, create a incompat/volatile/dirty file to keep
823 if (ofs->config.ovl_volatile) {
824 err = ovl_create_volatile_dirty(ofs);
826 pr_err("Failed to create volatile/dirty file.\n");
831 /* Check if upper/work fs supports file handles */
832 fh_type = ovl_can_decode_fh(ofs->workdir->d_sb);
833 if (ofs->config.index && !fh_type) {
834 ofs->config.index = false;
835 pr_warn("upper fs does not support file handles, falling back to index=off.\n");
837 ofs->nofh |= !fh_type;
839 /* Check if upper fs has 32bit inode numbers */
840 if (fh_type != FILEID_INO32_GEN)
843 /* NFS export of r/w mount depends on index */
844 if (ofs->config.nfs_export && !ofs->config.index) {
845 pr_warn("NFS export requires \"index=on\", falling back to nfs_export=off.\n");
846 ofs->config.nfs_export = false;
853 static int ovl_get_workdir(struct super_block *sb, struct ovl_fs *ofs,
854 const struct path *upperpath,
855 const struct path *workpath)
860 if (upperpath->mnt != workpath->mnt) {
861 pr_err("workdir and upperdir must reside under the same mount\n");
864 if (!ovl_workdir_ok(workpath->dentry, upperpath->dentry)) {
865 pr_err("workdir and upperdir must be separate subtrees\n");
869 ofs->workbasedir = dget(workpath->dentry);
871 if (ovl_inuse_trylock(ofs->workbasedir)) {
872 ofs->workdir_locked = true;
874 err = ovl_report_in_use(ofs, "workdir");
879 err = ovl_setup_trap(sb, ofs->workbasedir, &ofs->workbasedir_trap,
884 return ovl_make_workdir(sb, ofs, workpath);
887 static int ovl_get_indexdir(struct super_block *sb, struct ovl_fs *ofs,
888 struct ovl_entry *oe, const struct path *upperpath)
890 struct vfsmount *mnt = ovl_upper_mnt(ofs);
891 struct dentry *indexdir;
894 err = mnt_want_write(mnt);
898 /* Verify lower root is upper root origin */
899 err = ovl_verify_origin(ofs, upperpath->dentry,
900 ovl_lowerstack(oe)->dentry, true);
902 pr_err("failed to verify upper root origin\n");
906 /* index dir will act also as workdir */
907 iput(ofs->workdir_trap);
908 ofs->workdir_trap = NULL;
911 indexdir = ovl_workdir_create(ofs, OVL_INDEXDIR_NAME, true);
912 if (IS_ERR(indexdir)) {
913 err = PTR_ERR(indexdir);
914 } else if (indexdir) {
915 ofs->indexdir = indexdir;
916 ofs->workdir = dget(indexdir);
918 err = ovl_setup_trap(sb, ofs->indexdir, &ofs->indexdir_trap,
924 * Verify upper root is exclusively associated with index dir.
925 * Older kernels stored upper fh in ".overlay.origin"
926 * xattr. If that xattr exists, verify that it is a match to
927 * upper dir file handle. In any case, verify or set xattr
928 * ".overlay.upper" to indicate that index may have
931 if (ovl_check_origin_xattr(ofs, ofs->indexdir)) {
932 err = ovl_verify_set_fh(ofs, ofs->indexdir,
934 upperpath->dentry, true, false);
936 pr_err("failed to verify index dir 'origin' xattr\n");
938 err = ovl_verify_upper(ofs, ofs->indexdir, upperpath->dentry,
941 pr_err("failed to verify index dir 'upper' xattr\n");
943 /* Cleanup bad/stale/orphan index entries */
945 err = ovl_indexdir_cleanup(ofs);
947 if (err || !ofs->indexdir)
948 pr_warn("try deleting index dir or mounting with '-o index=off' to disable inodes index.\n");
955 static bool ovl_lower_uuid_ok(struct ovl_fs *ofs, const uuid_t *uuid)
959 if (!ofs->config.nfs_export && !ovl_upper_mnt(ofs))
963 * We allow using single lower with null uuid for index and nfs_export
964 * for example to support those features with single lower squashfs.
965 * To avoid regressions in setups of overlay with re-formatted lower
966 * squashfs, do not allow decoding origin with lower null uuid unless
967 * user opted-in to one of the new features that require following the
968 * lower inode of non-dir upper.
970 if (ovl_allow_offline_changes(ofs) && uuid_is_null(uuid))
973 for (i = 0; i < ofs->numfs; i++) {
975 * We use uuid to associate an overlay lower file handle with a
976 * lower layer, so we can accept lower fs with null uuid as long
977 * as all lower layers with null uuid are on the same fs.
978 * if we detect multiple lower fs with the same uuid, we
979 * disable lower file handle decoding on all of them.
981 if (ofs->fs[i].is_lower &&
982 uuid_equal(&ofs->fs[i].sb->s_uuid, uuid)) {
983 ofs->fs[i].bad_uuid = true;
990 /* Get a unique fsid for the layer */
991 static int ovl_get_fsid(struct ovl_fs *ofs, const struct path *path)
993 struct super_block *sb = path->mnt->mnt_sb;
997 bool bad_uuid = false;
1000 for (i = 0; i < ofs->numfs; i++) {
1001 if (ofs->fs[i].sb == sb)
1005 if (!ovl_lower_uuid_ok(ofs, &sb->s_uuid)) {
1007 if (ofs->config.xino == OVL_XINO_AUTO) {
1008 ofs->config.xino = OVL_XINO_OFF;
1011 if (ofs->config.index || ofs->config.nfs_export) {
1012 ofs->config.index = false;
1013 ofs->config.nfs_export = false;
1017 pr_warn("%s uuid detected in lower fs '%pd2', falling back to xino=%s,index=off,nfs_export=off.\n",
1018 uuid_is_null(&sb->s_uuid) ? "null" :
1020 path->dentry, ovl_xino_mode(&ofs->config));
1024 err = get_anon_bdev(&dev);
1026 pr_err("failed to get anonymous bdev for lowerpath\n");
1030 ofs->fs[ofs->numfs].sb = sb;
1031 ofs->fs[ofs->numfs].pseudo_dev = dev;
1032 ofs->fs[ofs->numfs].bad_uuid = bad_uuid;
1034 return ofs->numfs++;
1038 * The fsid after the last lower fsid is used for the data layers.
1039 * It is a "null fs" with a null sb, null uuid, and no pseudo dev.
1041 static int ovl_get_data_fsid(struct ovl_fs *ofs)
1047 static int ovl_get_layers(struct super_block *sb, struct ovl_fs *ofs,
1048 struct ovl_fs_context *ctx, struct ovl_layer *layers)
1052 size_t nr_merged_lower;
1054 ofs->fs = kcalloc(ctx->nr + 2, sizeof(struct ovl_sb), GFP_KERNEL);
1055 if (ofs->fs == NULL)
1059 * idx/fsid 0 are reserved for upper fs even with lower only overlay
1060 * and the last fsid is reserved for "null fs" of the data layers.
1065 * All lower layers that share the same fs as upper layer, use the same
1066 * pseudo_dev as upper layer. Allocate fs[0].pseudo_dev even for lower
1067 * only overlay to simplify ovl_fs_free().
1068 * is_lower will be set if upper fs is shared with a lower layer.
1070 err = get_anon_bdev(&ofs->fs[0].pseudo_dev);
1072 pr_err("failed to get anonymous bdev for upper fs\n");
1076 if (ovl_upper_mnt(ofs)) {
1077 ofs->fs[0].sb = ovl_upper_mnt(ofs)->mnt_sb;
1078 ofs->fs[0].is_lower = false;
1081 nr_merged_lower = ctx->nr - ctx->nr_data;
1082 for (i = 0; i < ctx->nr; i++) {
1083 struct ovl_fs_context_layer *l = &ctx->lower[i];
1084 struct vfsmount *mnt;
1088 if (i < nr_merged_lower)
1089 fsid = ovl_get_fsid(ofs, &l->path);
1091 fsid = ovl_get_data_fsid(ofs);
1096 * Check if lower root conflicts with this overlay layers before
1097 * checking if it is in-use as upperdir/workdir of "another"
1098 * mount, because we do not bother to check in ovl_is_inuse() if
1099 * the upperdir/workdir is in fact in-use by our
1102 err = ovl_setup_trap(sb, l->path.dentry, &trap, "lowerdir");
1106 if (ovl_is_inuse(l->path.dentry)) {
1107 err = ovl_report_in_use(ofs, "lowerdir");
1114 mnt = clone_private_mount(&l->path);
1117 pr_err("failed to clone lowerpath\n");
1123 * Make lower layers R/O. That way fchmod/fchown on lower file
1124 * will fail instead of modifying lower fs.
1126 mnt->mnt_flags |= MNT_READONLY | MNT_NOATIME;
1128 layers[ofs->numlayer].trap = trap;
1129 layers[ofs->numlayer].mnt = mnt;
1130 layers[ofs->numlayer].idx = ofs->numlayer;
1131 layers[ofs->numlayer].fsid = fsid;
1132 layers[ofs->numlayer].fs = &ofs->fs[fsid];
1133 layers[ofs->numlayer].name = l->name;
1136 ofs->fs[fsid].is_lower = true;
1140 * When all layers on same fs, overlay can use real inode numbers.
1141 * With mount option "xino=<on|auto>", mounter declares that there are
1142 * enough free high bits in underlying fs to hold the unique fsid.
1143 * If overlayfs does encounter underlying inodes using the high xino
1144 * bits reserved for fsid, it emits a warning and uses the original
1145 * inode number or a non persistent inode number allocated from a
1148 if (ofs->numfs - !ovl_upper_mnt(ofs) == 1) {
1149 if (ofs->config.xino == OVL_XINO_ON)
1150 pr_info("\"xino=on\" is useless with all layers on same fs, ignore.\n");
1152 } else if (ofs->config.xino == OVL_XINO_OFF) {
1153 ofs->xino_mode = -1;
1154 } else if (ofs->xino_mode < 0) {
1156 * This is a roundup of number of bits needed for encoding
1157 * fsid, where fsid 0 is reserved for upper fs (even with
1158 * lower only overlay) +1 extra bit is reserved for the non
1159 * persistent inode number range that is used for resolving
1160 * xino lower bits overflow.
1162 BUILD_BUG_ON(ilog2(OVL_MAX_STACK) > 30);
1163 ofs->xino_mode = ilog2(ofs->numfs - 1) + 2;
1166 if (ofs->xino_mode > 0) {
1167 pr_info("\"xino\" feature enabled using %d upper inode bits.\n",
1174 static struct ovl_entry *ovl_get_lowerstack(struct super_block *sb,
1175 struct ovl_fs_context *ctx,
1177 struct ovl_layer *layers)
1181 size_t nr_merged_lower;
1182 struct ovl_entry *oe;
1183 struct ovl_path *lowerstack;
1185 struct ovl_fs_context_layer *l;
1187 if (!ofs->config.upperdir && ctx->nr == 1) {
1188 pr_err("at least 2 lowerdir are needed while upperdir nonexistent\n");
1189 return ERR_PTR(-EINVAL);
1193 for (i = 0; i < ctx->nr; i++) {
1196 err = ovl_lower_dir(l->name, &l->path, ofs, &sb->s_stack_depth);
1198 return ERR_PTR(err);
1202 sb->s_stack_depth++;
1203 if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
1204 pr_err("maximum fs stacking depth exceeded\n");
1205 return ERR_PTR(err);
1208 err = ovl_get_layers(sb, ofs, ctx, layers);
1210 return ERR_PTR(err);
1213 /* Data-only layers are not merged in root directory */
1214 nr_merged_lower = ctx->nr - ctx->nr_data;
1215 oe = ovl_alloc_entry(nr_merged_lower);
1217 return ERR_PTR(err);
1219 lowerstack = ovl_lowerstack(oe);
1220 for (i = 0; i < nr_merged_lower; i++) {
1222 lowerstack[i].dentry = dget(l->path.dentry);
1223 lowerstack[i].layer = &ofs->layers[i + 1];
1225 ofs->numdatalayer = ctx->nr_data;
1231 * Check if this layer root is a descendant of:
1232 * - another layer of this overlayfs instance
1233 * - upper/work dir of any overlayfs instance
1235 static int ovl_check_layer(struct super_block *sb, struct ovl_fs *ofs,
1236 struct dentry *dentry, const char *name,
1239 struct dentry *next = dentry, *parent;
1245 parent = dget_parent(next);
1247 /* Walk back ancestors to root (inclusive) looking for traps */
1248 while (!err && parent != next) {
1249 if (is_lower && ovl_lookup_trap_inode(sb, parent)) {
1251 pr_err("overlapping %s path\n", name);
1252 } else if (ovl_is_inuse(parent)) {
1253 err = ovl_report_in_use(ofs, name);
1256 parent = dget_parent(next);
1266 * Check if any of the layers or work dirs overlap.
1268 static int ovl_check_overlapping_layers(struct super_block *sb,
1273 if (ovl_upper_mnt(ofs)) {
1274 err = ovl_check_layer(sb, ofs, ovl_upper_mnt(ofs)->mnt_root,
1280 * Checking workbasedir avoids hitting ovl_is_inuse(parent) of
1281 * this instance and covers overlapping work and index dirs,
1282 * unless work or index dir have been moved since created inside
1283 * workbasedir. In that case, we already have their traps in
1284 * inode cache and we will catch that case on lookup.
1286 err = ovl_check_layer(sb, ofs, ofs->workbasedir, "workdir",
1292 for (i = 1; i < ofs->numlayer; i++) {
1293 err = ovl_check_layer(sb, ofs,
1294 ofs->layers[i].mnt->mnt_root,
1303 static struct dentry *ovl_get_root(struct super_block *sb,
1304 struct dentry *upperdentry,
1305 struct ovl_entry *oe)
1307 struct dentry *root;
1308 struct ovl_path *lowerpath = ovl_lowerstack(oe);
1309 unsigned long ino = d_inode(lowerpath->dentry)->i_ino;
1310 int fsid = lowerpath->layer->fsid;
1311 struct ovl_inode_params oip = {
1312 .upperdentry = upperdentry,
1316 root = d_make_root(ovl_new_inode(sb, S_IFDIR, 0));
1321 /* Root inode uses upper st_ino/i_ino */
1322 ino = d_inode(upperdentry)->i_ino;
1324 ovl_dentry_set_upper_alias(root);
1325 if (ovl_is_impuredir(sb, upperdentry))
1326 ovl_set_flag(OVL_IMPURE, d_inode(root));
1329 /* Root is always merge -> can have whiteouts */
1330 ovl_set_flag(OVL_WHITEOUTS, d_inode(root));
1331 ovl_dentry_set_flag(OVL_E_CONNECTED, root);
1332 ovl_set_upperdata(d_inode(root));
1333 ovl_inode_init(d_inode(root), &oip, ino, fsid);
1334 ovl_dentry_init_flags(root, upperdentry, oe, DCACHE_OP_WEAK_REVALIDATE);
1335 /* root keeps a reference of upperdentry */
1341 int ovl_fill_super(struct super_block *sb, struct fs_context *fc)
1343 struct ovl_fs *ofs = sb->s_fs_info;
1344 struct ovl_fs_context *ctx = fc->fs_private;
1345 struct dentry *root_dentry;
1346 struct ovl_entry *oe;
1347 struct ovl_layer *layers;
1352 if (WARN_ON(fc->user_ns != current_user_ns()))
1355 sb->s_d_op = &ovl_dentry_operations;
1358 ofs->creator_cred = cred = prepare_creds();
1362 err = ovl_fs_params_verify(ctx, &ofs->config);
1368 if (!(fc->sb_flags & SB_SILENT))
1369 pr_err("missing 'lowerdir'\n");
1374 layers = kcalloc(ctx->nr + 1, sizeof(struct ovl_layer), GFP_KERNEL);
1378 ofs->layers = layers;
1379 /* Layer 0 is reserved for upper even if there's no upper */
1382 sb->s_stack_depth = 0;
1383 sb->s_maxbytes = MAX_LFS_FILESIZE;
1384 atomic_long_set(&ofs->last_ino, 1);
1385 /* Assume underlying fs uses 32bit inodes unless proven otherwise */
1386 if (ofs->config.xino != OVL_XINO_OFF) {
1387 ofs->xino_mode = BITS_PER_LONG - 32;
1388 if (!ofs->xino_mode) {
1389 pr_warn("xino not supported on 32bit kernel, falling back to xino=off.\n");
1390 ofs->config.xino = OVL_XINO_OFF;
1394 /* alloc/destroy_inode needed for setting up traps in inode cache */
1395 sb->s_op = &ovl_super_operations;
1397 if (ofs->config.upperdir) {
1398 struct super_block *upper_sb;
1401 if (!ofs->config.workdir) {
1402 pr_err("missing 'workdir'\n");
1406 err = ovl_get_upper(sb, ofs, &layers[0], &ctx->upper);
1410 upper_sb = ovl_upper_mnt(ofs)->mnt_sb;
1411 if (!ovl_should_sync(ofs)) {
1412 ofs->errseq = errseq_sample(&upper_sb->s_wb_err);
1413 if (errseq_check(&upper_sb->s_wb_err, ofs->errseq)) {
1415 pr_err("Cannot mount volatile when upperdir has an unseen error. Sync upperdir fs to clear state.\n");
1420 err = ovl_get_workdir(sb, ofs, &ctx->upper, &ctx->work);
1425 sb->s_flags |= SB_RDONLY;
1427 sb->s_stack_depth = upper_sb->s_stack_depth;
1428 sb->s_time_gran = upper_sb->s_time_gran;
1430 oe = ovl_get_lowerstack(sb, ctx, ofs, layers);
1435 /* If the upper fs is nonexistent, we mark overlayfs r/o too */
1436 if (!ovl_upper_mnt(ofs))
1437 sb->s_flags |= SB_RDONLY;
1439 if (!ovl_origin_uuid(ofs) && ofs->numfs > 1) {
1440 pr_warn("The uuid=off requires a single fs for lower and upper, falling back to uuid=null.\n");
1441 ofs->config.uuid = OVL_UUID_NULL;
1442 } else if (ovl_has_fsid(ofs) && ovl_upper_mnt(ofs)) {
1443 /* Use per instance persistent uuid/fsid */
1444 ovl_init_uuid_xattr(sb, ofs, &ctx->upper);
1447 if (!ovl_force_readonly(ofs) && ofs->config.index) {
1448 err = ovl_get_indexdir(sb, ofs, oe, &ctx->upper);
1452 /* Force r/o mount with no index dir */
1454 sb->s_flags |= SB_RDONLY;
1457 err = ovl_check_overlapping_layers(sb, ofs);
1461 /* Show index=off in /proc/mounts for forced r/o mount */
1462 if (!ofs->indexdir) {
1463 ofs->config.index = false;
1464 if (ovl_upper_mnt(ofs) && ofs->config.nfs_export) {
1465 pr_warn("NFS export requires an index dir, falling back to nfs_export=off.\n");
1466 ofs->config.nfs_export = false;
1470 if (ofs->config.metacopy && ofs->config.nfs_export) {
1471 pr_warn("NFS export is not supported with metadata only copy up, falling back to nfs_export=off.\n");
1472 ofs->config.nfs_export = false;
1476 * Support encoding decodable file handles with nfs_export=on
1477 * and encoding non-decodable file handles with nfs_export=off
1478 * if all layers support file handles.
1480 if (ofs->config.nfs_export)
1481 sb->s_export_op = &ovl_export_operations;
1482 else if (!ofs->nofh)
1483 sb->s_export_op = &ovl_export_fid_operations;
1485 /* Never override disk quota limits or use reserved space */
1486 cap_lower(cred->cap_effective, CAP_SYS_RESOURCE);
1488 sb->s_magic = OVERLAYFS_SUPER_MAGIC;
1489 sb->s_xattr = ofs->config.userxattr ? ovl_user_xattr_handlers :
1490 ovl_trusted_xattr_handlers;
1491 sb->s_fs_info = ofs;
1492 #ifdef CONFIG_FS_POSIX_ACL
1493 sb->s_flags |= SB_POSIXACL;
1495 sb->s_iflags |= SB_I_SKIP_SYNC | SB_I_IMA_UNVERIFIABLE_SIGNATURE;
1497 * Ensure that umask handling is done by the filesystems used
1498 * for the the upper layer instead of overlayfs as that would
1499 * lead to unexpected results.
1501 sb->s_iflags |= SB_I_NOUMASK;
1504 root_dentry = ovl_get_root(sb, ctx->upper.dentry, oe);
1508 sb->s_root = root_dentry;
1516 sb->s_fs_info = NULL;
1520 struct file_system_type ovl_fs_type = {
1521 .owner = THIS_MODULE,
1523 .init_fs_context = ovl_init_fs_context,
1524 .parameters = ovl_parameter_spec,
1525 .fs_flags = FS_USERNS_MOUNT,
1526 .kill_sb = kill_anon_super,
1528 MODULE_ALIAS_FS("overlay");
1530 static void ovl_inode_init_once(void *foo)
1532 struct ovl_inode *oi = foo;
1534 inode_init_once(&oi->vfs_inode);
1537 static int __init ovl_init(void)
1541 ovl_inode_cachep = kmem_cache_create("ovl_inode",
1542 sizeof(struct ovl_inode), 0,
1543 (SLAB_RECLAIM_ACCOUNT|
1544 SLAB_MEM_SPREAD|SLAB_ACCOUNT),
1545 ovl_inode_init_once);
1546 if (ovl_inode_cachep == NULL)
1549 err = ovl_aio_request_cache_init();
1551 err = register_filesystem(&ovl_fs_type);
1555 ovl_aio_request_cache_destroy();
1557 kmem_cache_destroy(ovl_inode_cachep);
1562 static void __exit ovl_exit(void)
1564 unregister_filesystem(&ovl_fs_type);
1567 * Make sure all delayed rcu free inodes are flushed before we
1571 kmem_cache_destroy(ovl_inode_cachep);
1572 ovl_aio_request_cache_destroy();
1575 module_init(ovl_init);
1576 module_exit(ovl_exit);