Merge tag 'ovl-update-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs

requirement that the root of a filesystem be given for either upper or

lower.

The lower filesystem can be any filesystem supported by Linux and does

not need to be writable.  The lower filesystem can even be another

overlayfs.  The upper filesystem will normally be writable and if it

is it must support the creation of trusted.* extended attributes, and

must provide valid d_type in readdir responses, so NFS is not suitable.

A wide range of filesystems supported by Linux can be the lower filesystem,

but not all filesystems that are mountable by Linux have the features

needed for OverlayFS to work.  The lower filesystem does not need to be

writable.  The lower filesystem can even be another overlayfs.  The upper

filesystem will normally be writable and if it is it must support the

creation of trusted.* and/or user.* extended attributes, and must provide

valid d_type in readdir responses, so NFS is not suitable.

A read-only overlay of two read-only filesystems may use any

filesystem type.

Changes to underlying filesystems

---------------------------------

Offline changes, when the overlay is not mounted, are allowed to either

the upper or the lower trees.

Changes to the underlying filesystems while part of a mounted overlay

filesystem are not allowed.  If the underlying filesystem is changed,

the behavior of the overlay is undefined, though it will not result in

a crash or deadlock.

Offline changes, when the overlay is not mounted, are allowed to the

upper tree.  Offline changes to the lower tree are only allowed if the

"metadata only copy up", "inode index", and "redirect_dir" features

have not been used.  If the lower tree is modified and any of these

features has been used, the behavior of the overlay is undefined,

though it will not result in a crash or deadlock.

When the overlay NFS export feature is enabled, overlay filesystems

behavior on offline changes of the underlying lower layer is different

than the behavior when NFS export is disabled.

Note: the mount options index=off,nfs_export=on are conflicting for a

read-write mount and will result in an error.

Note: the mount option uuid=off can be used to replace UUID of the underlying

filesystem in file handles with null, and effectively disable UUID checks. This

can be useful in case the underlying disk is copied and the UUID of this copy

is changed. This is only applicable if all lower/upper/work directories are on

the same filesystem, otherwise it will fallback to normal behaviour.

Volatile mount

--------------

not crashed and contents of upperdir are intact, The "volatile" directory

can be removed.

User xattr

----------

The the "-o userxattr" mount option forces overlayfs to use the

"user.overlay." xattr namespace instead of "trusted.overlay.".  This is

useful for unprivileged mounting of overlayfs.

Testsuite

---------

	return err;

}

struct ovl_fh *ovl_encode_real_fh(struct dentry *real, bool is_upper)

struct ovl_fh *ovl_encode_real_fh(struct ovl_fs *ofs, struct dentry *real,

				  bool is_upper)

{

	struct ovl_fh *fh;

	int fh_type, dwords;

	if (is_upper)

		fh->fb.flags |= OVL_FH_FLAG_PATH_UPPER;

	fh->fb.len = sizeof(fh->fb) + buflen;

	if (ofs->config.uuid)

		fh->fb.uuid = *uuid;

	return fh;

	return ERR_PTR(err);

}

int ovl_set_origin(struct dentry *dentry, struct dentry *lower,

		   struct dentry *upper)

int ovl_set_origin(struct ovl_fs *ofs, struct dentry *dentry,

		   struct dentry *lower, struct dentry *upper)

{

	const struct ovl_fh *fh = NULL;

	int err;

	 * up and a pure upper inode.

	 */

	if (ovl_can_decode_fh(lower->d_sb)) {

		fh = ovl_encode_real_fh(lower, false);

		fh = ovl_encode_real_fh(ofs, lower, false);

		if (IS_ERR(fh))

			return PTR_ERR(fh);

	}

				 fh ? fh->fb.len : 0, 0);

	kfree(fh);

	return err;

	/* Ignore -EPERM from setting "user.*" on symlink/special */

	return err == -EPERM ? 0 : err;

}

/* Store file handle of @upper dir in @index dir entry */

	const struct ovl_fh *fh;

	int err;

	fh = ovl_encode_real_fh(upper, true);

	fh = ovl_encode_real_fh(ofs, upper, true);

	if (IS_ERR(fh))

		return PTR_ERR(fh);

static int ovl_create_index(struct dentry *dentry, struct dentry *origin,

			    struct dentry *upper)

{

	struct ovl_fs *ofs = OVL_FS(dentry->d_sb);

	struct dentry *indexdir = ovl_indexdir(dentry->d_sb);

	struct inode *dir = d_inode(indexdir);

	struct dentry *index = NULL;

	if (WARN_ON(ovl_test_flag(OVL_INDEX, d_inode(dentry))))

		return -EIO;

	err = ovl_get_index_name(origin, &name);

	err = ovl_get_index_name(ofs, origin, &name);

	if (err)

		return err;

	if (IS_ERR(temp))

		goto free_name;

	err = ovl_set_upper_fh(OVL_FS(dentry->d_sb), upper, temp);

	err = ovl_set_upper_fh(ofs, upper, temp);

	if (err)

		goto out;

	 * hard link.

	 */

	if (c->origin) {

		err = ovl_set_origin(c->dentry, c->lowerpath.dentry, temp);

		err = ovl_set_origin(ofs, c->dentry, c->lowerpath.dentry, temp);

		if (err)

			return err;

	}

static int ovl_do_copy_up(struct ovl_copy_up_ctx *c)

{

	int err;

	struct ovl_fs *ofs = c->dentry->d_sb->s_fs_info;

	struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);

	bool to_index = false;

	/*

	if (to_index) {

		c->destdir = ovl_indexdir(c->dentry->d_sb);

		err = ovl_get_index_name(c->lowerpath.dentry, &c->destname);

		err = ovl_get_index_name(ofs, c->lowerpath.dentry, &c->destname);

		if (err)

			return err;

	} else if (WARN_ON(!c->parent)) {

	return 1;

}

static int ovl_dentry_to_fid(struct dentry *dentry, u32 *fid, int buflen)

static int ovl_dentry_to_fid(struct ovl_fs *ofs, struct dentry *dentry,

			     u32 *fid, int buflen)

{

	struct ovl_fh *fh = NULL;

	int err, enc_lower;

		goto fail;

	/* Encode an upper or lower file handle */

	fh = ovl_encode_real_fh(enc_lower ? ovl_dentry_lower(dentry) :

	fh = ovl_encode_real_fh(ofs, enc_lower ? ovl_dentry_lower(dentry) :

				ovl_dentry_upper(dentry), !enc_lower);

	if (IS_ERR(fh))

		return PTR_ERR(fh);

static int ovl_encode_fh(struct inode *inode, u32 *fid, int *max_len,

			 struct inode *parent)

{

	struct ovl_fs *ofs = OVL_FS(inode->i_sb);

	struct dentry *dentry;

	int bytes, buflen = *max_len << 2;

	if (WARN_ON(!dentry))

		return FILEID_INVALID;

	bytes = ovl_dentry_to_fid(dentry, fid, buflen);

	bytes = ovl_dentry_to_fid(ofs, dentry, fid, buflen);

	dput(dentry);

	if (bytes <= 0)

		return FILEID_INVALID;

	if (!ovl_upper_mnt(ofs))

		return ERR_PTR(-EACCES);

	upper = ovl_decode_real_fh(fh, ovl_upper_mnt(ofs), true);

	upper = ovl_decode_real_fh(ofs, fh, ovl_upper_mnt(ofs), true);

	if (IS_ERR_OR_NULL(upper))

		return upper;

	err = inode_permission(realinode, MAY_OPEN | acc_mode);

	if (err) {

		realfile = ERR_PTR(err);

	} else if (!inode_owner_or_capable(realinode)) {

		realfile = ERR_PTR(-EPERM);

	} else {

		if (!inode_owner_or_capable(realinode))

			flags &= ~O_NOATIME;

		realfile = open_with_fake_path(&file->f_path, flags, realinode,

					       current_cred());

	}

	struct inode *inode = file_inode(file);

	int err;

	flags |= OVL_OPEN_FLAGS;

	/* If some flag changed that cannot be changed then something's amiss */

	if (WARN_ON((file->f_flags ^ flags) & ~OVL_SETFL_MASK))

		return -EIO;

	flags &= OVL_SETFL_MASK;

	if (((flags ^ file->f_flags) & O_APPEND) && IS_APPEND(inode))

	return ret;

}

static ssize_t ovl_splice_read(struct file *in, loff_t *ppos,

			 struct pipe_inode_info *pipe, size_t len,

			 unsigned int flags)

{

	ssize_t ret;

	struct fd real;

	const struct cred *old_cred;

	ret = ovl_real_fdget(in, &real);

	if (ret)

		return ret;

	old_cred = ovl_override_creds(file_inode(in)->i_sb);

	ret = generic_file_splice_read(real.file, ppos, pipe, len, flags);

	revert_creds(old_cred);

	ovl_file_accessed(in);

	fdput(real);

	return ret;

}

static ssize_t

ovl_splice_write(struct pipe_inode_info *pipe, struct file *out,

			  loff_t *ppos, size_t len, unsigned int flags)

{

	struct fd real;

	const struct cred *old_cred;

	ssize_t ret;

	ret = ovl_real_fdget(out, &real);

	if (ret)

		return ret;

	old_cred = ovl_override_creds(file_inode(out)->i_sb);

	ret = iter_file_splice_write(pipe, real.file, ppos, len, flags);

	revert_creds(old_cred);

	ovl_file_accessed(out);

	fdput(real);

	return ret;

}

static int ovl_fsync(struct file *file, loff_t start, loff_t end, int datasync)

{

	struct fd real;

			   unsigned long arg)

{

	struct fd real;

	const struct cred *old_cred;

	long ret;

	ret = ovl_real_fdget(file, &real);

	if (ret)

		return ret;

	old_cred = ovl_override_creds(file_inode(file)->i_sb);

	ret = security_file_ioctl(real.file, cmd, arg);

	if (!ret)

	if (!ret) {

		/*

		 * Don't override creds, since we currently can't safely check

		 * permissions before doing so.

		 */

		ret = vfs_ioctl(real.file, cmd, arg);

	revert_creds(old_cred);

	}

	fdput(real);

	return ret;

}

static unsigned int ovl_iflags_to_fsflags(unsigned int iflags)

{

	unsigned int flags = 0;

	if (iflags & S_SYNC)

		flags |= FS_SYNC_FL;

	if (iflags & S_APPEND)

		flags |= FS_APPEND_FL;

	if (iflags & S_IMMUTABLE)

		flags |= FS_IMMUTABLE_FL;

	if (iflags & S_NOATIME)

		flags |= FS_NOATIME_FL;

	return flags;

}

static long ovl_ioctl_set_flags(struct file *file, unsigned int cmd,

				unsigned long arg, unsigned int flags)

				unsigned long arg)

{

	long ret;

	struct inode *inode = file_inode(file);

	unsigned int oldflags;

	if (!inode_owner_or_capable(inode))

		return -EACCES;

	inode_lock(inode);

	/* Check the capability before cred override */

	oldflags = ovl_iflags_to_fsflags(READ_ONCE(inode->i_flags));

	ret = vfs_ioc_setflags_prepare(inode, oldflags, flags);

	if (ret)

	/*

	 * Prevent copy up if immutable and has no CAP_LINUX_IMMUTABLE

	 * capability.

	 */

	ret = -EPERM;

	if (!ovl_has_upperdata(inode) && IS_IMMUTABLE(inode) &&

	    !capable(CAP_LINUX_IMMUTABLE))

		goto unlock;

	ret = ovl_maybe_copy_up(file_dentry(file), O_WRONLY);

}

static long ovl_ioctl_set_fsflags(struct file *file, unsigned int cmd,

				  unsigned long arg)

{

	unsigned int flags;

	if (get_user(flags, (int __user *) arg))

		return -EFAULT;

	return ovl_ioctl_set_flags(file, cmd, arg, flags);

}

static unsigned int ovl_fsxflags_to_fsflags(unsigned int xflags)

{

	unsigned int flags = 0;

	if (xflags & FS_XFLAG_SYNC)

		flags |= FS_SYNC_FL;

	if (xflags & FS_XFLAG_APPEND)

		flags |= FS_APPEND_FL;

	if (xflags & FS_XFLAG_IMMUTABLE)

		flags |= FS_IMMUTABLE_FL;

	if (xflags & FS_XFLAG_NOATIME)

		flags |= FS_NOATIME_FL;

	return flags;

}

static long ovl_ioctl_set_fsxflags(struct file *file, unsigned int cmd,

				   unsigned long arg)

{

	struct fsxattr fa;

	memset(&fa, 0, sizeof(fa));

	if (copy_from_user(&fa, (void __user *) arg, sizeof(fa)))

		return -EFAULT;

	return ovl_ioctl_set_flags(file, cmd, arg,

				   ovl_fsxflags_to_fsflags(fa.fsx_xflags));

}

long ovl_ioctl(struct file *file, unsigned int cmd, unsigned long arg)

{

	long ret;

		ret = ovl_real_ioctl(file, cmd, arg);

		break;

	case FS_IOC_SETFLAGS:

		ret = ovl_ioctl_set_fsflags(file, cmd, arg);

		break;

	case FS_IOC_FSSETXATTR:

		ret = ovl_ioctl_set_fsxflags(file, cmd, arg);

	case FS_IOC_SETFLAGS:

		ret = ovl_ioctl_set_flags(file, cmd, arg);

		break;

	default:

#ifdef CONFIG_COMPAT

	.compat_ioctl	= ovl_compat_ioctl,

#endif

	.splice_read    = ovl_splice_read,

	.splice_write   = ovl_splice_write,

	.splice_read    = generic_file_splice_read,

	.splice_write   = iter_file_splice_write,

	.copy_file_range	= ovl_copy_file_range,

	.remap_file_range	= ovl_remap_file_range,

bool ovl_is_private_xattr(struct super_block *sb, const char *name)

{

	return strncmp(name, OVL_XATTR_PREFIX,

		       sizeof(OVL_XATTR_PREFIX) - 1) == 0;

	struct ovl_fs *ofs = sb->s_fs_info;

	if (ofs->config.userxattr)

		return strncmp(name, OVL_XATTR_USER_PREFIX,

			       sizeof(OVL_XATTR_USER_PREFIX) - 1) == 0;

	else

		return strncmp(name, OVL_XATTR_TRUSTED_PREFIX,

			       sizeof(OVL_XATTR_TRUSTED_PREFIX) - 1) == 0;

}

int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name,

		      u64 start, u64 len)

{

	int err;

	struct inode *realinode = ovl_inode_real(inode);

	struct inode *realinode = ovl_inode_realdata(inode);

	const struct cred *old_cred;

	if (!realinode->i_op->fiemap)

 * For the first, copy up case, the union nlink does not change, whether the

 * operation succeeds or fails, but the upper inode nlink may change.

 * Therefore, before copy up, we store the union nlink value relative to the

 * lower inode nlink in the index inode xattr trusted.overlay.nlink.

 * lower inode nlink in the index inode xattr .overlay.nlink.

 *

 * For the second, upper hardlink case, the union nlink should be incremented

 * or decremented IFF the operation succeeds, aligned with nlink change of the