Merge tag 'ovl-update-6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs

  mount -t overlay overlay -olowerdir=/a\:lower\:\:dir /merged

Since kernel version v6.5, directory names containing colons can also

be provided as lower layer using the fsconfig syscall from new mount api:

Since kernel version v6.8, directory names containing colons can also

be configured as lower layer using the "lowerdir+" mount options and the

fsconfig syscall from new mount api.  For example:

  fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir", "/a:lower::dir", 0);

  fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/a:lower::dir", 0);

In the latter case, colons in lower layer directory names will be escaped

as an octal characters (\072) when displayed in /proc/self/mountinfo.

when a "metacopy" file in one of the lower layers above it, has a "redirect"

to the absolute path of the "lower data" file in the "data-only" lower layer.

Since kernel version v6.8, "data-only" lower layers can also be added using

the "datadir+" mount options and the fsconfig syscall from new mount api.

For example:

  fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l1", 0);

  fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l2", 0);

  fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l3", 0);

  fsconfig(fs_fd, FSCONFIG_SET_STRING, "datadir+", "/do1", 0);

  fsconfig(fs_fd, FSCONFIG_SET_STRING, "datadir+", "/do2", 0);

fs-verity support

----------------------

to a different machine.  With the "inodes index" feature, trying to mount

the copied layers will fail the verification of the lower root file handle.

Nesting overlayfs mounts

------------------------

It is possible to use a lower directory that is stored on an overlayfs

mount. For regular files this does not need any special care. However, files

that have overlayfs attributes, such as whiteouts or "overlay.*" xattrs will be

interpreted by the underlying overlayfs mount and stripped out. In order to

allow the second overlayfs mount to see the attributes they must be escaped.

Overlayfs specific xattrs are escaped by using a special prefix of

"overlay.overlay.". So, a file with a "trusted.overlay.overlay.metacopy" xattr

in the lower dir will be exposed as a regular file with a

"trusted.overlay.metacopy" xattr in the overlayfs mount. This can be nested by

repeating the prefix multiple time, as each instance only removes one prefix.

A lower dir with a regular whiteout will always be handled by the overlayfs

mount, so to support storing an effective whiteout file in an overlayfs mount an

alternative form of whiteout is supported. This form is a regular, zero-size

file with the "overlay.whiteout" xattr set, inside a directory with the

"overlay.whiteouts" xattr set. Such whiteouts are never created by overlayfs,

but can be used by userspace tools (like containers) that generate lower layers.

These alternative whiteouts can be escaped using the standard xattr escape

mechanism in order to properly nest to any depth.

Non-standard behavior

---------------------

obj-$(CONFIG_OVERLAY_FS) += overlay.o

overlay-objs := super.o namei.o util.o inode.o file.o dir.o readdir.o \

		copy_up.o export.o params.o

		copy_up.o export.o params.o xattrs.o

		return PTR_ERR(old_file);

	/* Try to use clone_file_range to clone up within the same fs */

	ovl_start_write(dentry);

	cloned = do_clone_file_range(old_file, 0, new_file, 0, len, 0);

	ovl_end_write(dentry);

	if (cloned == len)

		goto out_fput;

	/* Couldn't clone, so now we try to copy the data */

		 * it may not recognize all kind of holes and sometimes

		 * only skips partial of hole area. However, it will be

		 * enough for most of the use cases.

		 *

		 * We do not hold upper sb_writers throughout the loop to avert

		 * lockdep warning with llseek of lower file in nested overlay:

		 * - upper sb_writers

		 * -- lower ovl_inode_lock (ovl_llseek)

		 */

		if (skip_hole && data_pos < old_pos) {

			data_pos = vfs_llseek(old_file, old_pos, SEEK_DATA);

			if (data_pos > old_pos) {

			}

		}

		ovl_start_write(dentry);

		bytes = do_splice_direct(old_file, &old_pos,

					 new_file, &new_pos,

					 this_len, SPLICE_F_MOVE);

		ovl_end_write(dentry);

		if (bytes <= 0) {

			error = bytes;

			break;

	return ERR_PTR(err);

}

int ovl_set_origin(struct ovl_fs *ofs, struct dentry *lower,

		   struct dentry *upper)

struct ovl_fh *ovl_get_origin_fh(struct ovl_fs *ofs, struct dentry *origin)

{

	const struct ovl_fh *fh = NULL;

	int err;

	/*

	 * When lower layer doesn't support export operations store a 'null' fh,

	 * so we can use the overlay.origin xattr to distignuish between a copy

	 * up and a pure upper inode.

	 */

	if (ovl_can_decode_fh(lower->d_sb)) {

		fh = ovl_encode_real_fh(ofs, lower, false);

		if (IS_ERR(fh))

			return PTR_ERR(fh);

	if (!ovl_can_decode_fh(origin->d_sb))

		return NULL;

	return ovl_encode_real_fh(ofs, origin, false);

}

int ovl_set_origin_fh(struct ovl_fs *ofs, const struct ovl_fh *fh,

		      struct dentry *upper)

{

	int err;

	/*

	 * Do not fail when upper doesn't support xattrs.

	 */

	err = ovl_check_setxattr(ofs, upper, OVL_XATTR_ORIGIN, fh->buf,

				 fh ? fh->fb.len : 0, 0);

	kfree(fh);

	/* Ignore -EPERM from setting "user.*" on symlink/special */

	return err == -EPERM ? 0 : err;

 *

 * Caller must hold i_mutex on indexdir.

 */

static int ovl_create_index(struct dentry *dentry, struct dentry *origin,

static int ovl_create_index(struct dentry *dentry, const struct ovl_fh *fh,

			    struct dentry *upper)

{

	struct ovl_fs *ofs = OVL_FS(dentry->d_sb);

	if (WARN_ON(ovl_test_flag(OVL_INDEX, d_inode(dentry))))

		return -EIO;

	err = ovl_get_index_name(ofs, origin, &name);

	err = ovl_get_index_name_fh(fh, &name);

	if (err)

		return err;

	struct dentry *destdir;

	struct qstr destname;

	struct dentry *workdir;

	const struct ovl_fh *origin_fh;

	bool origin;

	bool indexed;

	bool metacopy;

	struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);

	struct inode *udir = d_inode(upperdir);

	ovl_start_write(c->dentry);

	/* Mark parent "impure" because it may now contain non-pure upper */

	err = ovl_set_impure(c->parent, upperdir);

	if (err)

		return err;

		goto out;

	err = ovl_set_nlink_lower(c->dentry);

	if (err)

		return err;

		goto out;

	inode_lock_nested(udir, I_MUTEX_PARENT);

	upper = ovl_lookup_upper(ofs, c->dentry->d_name.name, upperdir,

	}

	inode_unlock(udir);

	if (err)

		return err;

		goto out;

	err = ovl_set_nlink_upper(c->dentry);

out:

	ovl_end_write(c->dentry);

	return err;

}

	 * hard link.

	 */

	if (c->origin) {

		err = ovl_set_origin(ofs, c->lowerpath.dentry, temp);

		err = ovl_set_origin_fh(ofs, c->origin_fh, temp);

		if (err)

			return err;

	}

		.link = c->link

	};

	/* workdir and destdir could be the same when copying up to indexdir */

	err = -EIO;

	if (lock_rename(c->workdir, c->destdir) != NULL)

		goto unlock;

	err = ovl_prep_cu_creds(c->dentry, &cc);

	if (err)

		goto unlock;

		return err;

	ovl_start_write(c->dentry);

	inode_lock(wdir);

	temp = ovl_create_temp(ofs, c->workdir, &cattr);

	inode_unlock(wdir);

	ovl_end_write(c->dentry);

	ovl_revert_cu_creds(&cc);

	err = PTR_ERR(temp);

	if (IS_ERR(temp))

		goto unlock;

		return PTR_ERR(temp);

	/*

	 * Copy up data first and then xattrs. Writing data after

	 */

	path.dentry = temp;

	err = ovl_copy_up_data(c, &path);

	if (err)

	/*

	 * We cannot hold lock_rename() throughout this helper, because or

	 * lock ordering with sb_writers, which shouldn't be held when calling

	 * ovl_copy_up_data(), so lock workdir and destdir and make sure that

	 * temp wasn't moved before copy up completion or cleanup.

	 * If temp was moved, abort without the cleanup.

	 */

	ovl_start_write(c->dentry);

	if (lock_rename(c->workdir, c->destdir) != NULL ||

	    temp->d_parent != c->workdir) {

		err = -EIO;

		goto unlock;

	} else if (err) {

		goto cleanup;

	}

	err = ovl_copy_up_metadata(c, temp);

	if (err)

		goto cleanup;

	if (S_ISDIR(c->stat.mode) && c->indexed) {

		err = ovl_create_index(c->dentry, c->lowerpath.dentry, temp);

		err = ovl_create_index(c->dentry, c->origin_fh, temp);

		if (err)

			goto cleanup;

	}

		ovl_set_flag(OVL_WHITEOUTS, inode);

unlock:

	unlock_rename(c->workdir, c->destdir);

	ovl_end_write(c->dentry);

	return err;

	if (err)

		return err;

	ovl_start_write(c->dentry);

	tmpfile = ovl_do_tmpfile(ofs, c->workdir, c->stat.mode);

	ovl_end_write(c->dentry);

	ovl_revert_cu_creds(&cc);

	if (IS_ERR(tmpfile))

		return PTR_ERR(tmpfile);

			goto out_fput;

	}

	ovl_start_write(c->dentry);

	err = ovl_copy_up_metadata(c, temp);

	if (err)

		goto out_fput;

		goto out;

	inode_lock_nested(udir, I_MUTEX_PARENT);

	inode_unlock(udir);

	if (err)

		goto out_fput;

		goto out;

	if (c->metacopy_digest)

		ovl_set_flag(OVL_HAS_DIGEST, d_inode(c->dentry));

		ovl_set_upperdata(d_inode(c->dentry));

	ovl_inode_update(d_inode(c->dentry), dget(temp));

out:

	ovl_end_write(c->dentry);

out_fput:

	fput(tmpfile);

	return err;

{

	int err;

	struct ovl_fs *ofs = OVL_FS(c->dentry->d_sb);

	struct dentry *origin = c->lowerpath.dentry;

	struct ovl_fh *fh = NULL;

	bool to_index = false;

	/*

			to_index = true;

	}

	if (S_ISDIR(c->stat.mode) || c->stat.nlink == 1 || to_index)

	if (S_ISDIR(c->stat.mode) || c->stat.nlink == 1 || to_index) {

		fh = ovl_get_origin_fh(ofs, origin);

		if (IS_ERR(fh))

			return PTR_ERR(fh);

		/* origin_fh may be NULL */

		c->origin_fh = fh;

		c->origin = true;

	}

	if (to_index) {

		c->destdir = ovl_indexdir(c->dentry->d_sb);

		err = ovl_get_index_name(ofs, c->lowerpath.dentry, &c->destname);

		err = ovl_get_index_name(ofs, origin, &c->destname);

		if (err)

			return err;

			goto out_free_fh;

	} else if (WARN_ON(!c->parent)) {

		/* Disconnected dentry must be copied up to index dir */

		return -EIO;

		err = -EIO;

		goto out_free_fh;

	} else {

		/*

		 * Mark parent "impure" because it may now contain non-pure

		 * upper

		 */

		ovl_start_write(c->dentry);

		err = ovl_set_impure(c->parent, c->destdir);

		ovl_end_write(c->dentry);

		if (err)

			return err;

			goto out_free_fh;

	}

	/* Should we copyup with O_TMPFILE or with workdir? */

	if (c->indexed)

		ovl_set_flag(OVL_INDEX, d_inode(c->dentry));

	ovl_start_write(c->dentry);

	if (to_index) {

		/* Initialize nlink for copy up of disconnected dentry */

		err = ovl_set_nlink_upper(c->dentry);

		ovl_dentry_set_upper_alias(c->dentry);

		ovl_dentry_update_reval(c->dentry, ovl_dentry_upper(c->dentry));

	}

	ovl_end_write(c->dentry);

out:

	if (to_index)

		kfree(c->destname.name);

out_free_fh:

	kfree(fh);

	return err;

}

	 * Writing to upper file will clear security.capability xattr. We

	 * don't want that to happen for normal copy-up operation.

	 */

	ovl_start_write(c->dentry);

	if (capability) {

		err = ovl_do_setxattr(ofs, upperpath.dentry, XATTR_NAME_CAPS,

				      capability, cap_size, 0);

		if (err)

			goto out_free;

	}

	err = ovl_removexattr(ofs, upperpath.dentry, OVL_XATTR_METACOPY);

	if (!err) {

		err = ovl_removexattr(ofs, upperpath.dentry,

				      OVL_XATTR_METACOPY);

	}

	ovl_end_write(c->dentry);

	if (err)

		goto out_free;

int ovl_maybe_copy_up(struct dentry *dentry, int flags)

{

	int err = 0;

	if (ovl_open_need_copy_up(dentry, flags)) {

		err = ovl_want_write(dentry);

		if (!err) {

			err = ovl_copy_up_flags(dentry, flags);

			ovl_drop_write(dentry);

		}

	}

	if (!ovl_open_need_copy_up(dentry, flags))

		return 0;

	return err;

	return ovl_copy_up_flags(dentry, flags);

}

int ovl_copy_up_with_data(struct dentry *dentry)

		goto out_unlock;

	err = -ESTALE;

	if (d_is_negative(upper) || !IS_WHITEOUT(d_inode(upper)))

	if (d_is_negative(upper) || !ovl_upper_is_whiteout(ofs, upper))

		goto out_dput;

	newdentry = ovl_create_temp(ofs, workdir, cattr);

	struct cred *override_cred;

	struct dentry *parent = dentry->d_parent;

	err = ovl_copy_up(parent);

	if (err)

		return err;

	old_cred = ovl_override_creds(dentry->d_sb);

	/*

		.link = link,

	};

	err = ovl_copy_up(dentry->d_parent);

	if (err)

		return err;

	err = ovl_want_write(dentry);

	if (err)

		goto out;

	int err;

	struct inode *inode;

	err = ovl_want_write(old);

	err = ovl_copy_up(old);

	if (err)

		goto out;

	err = ovl_copy_up(old);

	err = ovl_copy_up(new->d_parent);

	if (err)

		goto out_drop_write;

		goto out;

	err = ovl_copy_up(new->d_parent);

	err = ovl_nlink_start(old);

	if (err)

		goto out_drop_write;

		goto out;

	if (ovl_is_metacopy_dentry(old)) {

		err = ovl_set_link_redirect(old);

		if (err)

			goto out_drop_write;

			goto out_nlink_end;

	}

	err = ovl_nlink_start(old);

	if (err)

		goto out_drop_write;

	inode = d_inode(old);

	ihold(inode);

	if (err)

		iput(inode);

out_nlink_end:

	ovl_nlink_end(old);

out_drop_write:

	ovl_drop_write(old);

out:

	return err;

}

			goto out;

	}

	err = ovl_want_write(dentry);

	if (err)

		goto out;

	err = ovl_copy_up(dentry->d_parent);

	if (err)

		goto out_drop_write;

		goto out;

	err = ovl_nlink_start(dentry);

	if (err)

		goto out_drop_write;

		goto out;

	old_cred = ovl_override_creds(dentry->d_sb);

	if (!lower_positive)

	if (ovl_dentry_upper(dentry))

		ovl_copyattr(d_inode(dentry));

out_drop_write:

	ovl_drop_write(dentry);

out:

	ovl_cache_free(&list);

	return err;

		}

	}

	err = ovl_want_write(old);

	if (err)

		goto out;

	err = ovl_copy_up(old);

	if (err)

		goto out_drop_write;

		goto out;

	err = ovl_copy_up(new->d_parent);

	if (err)

		goto out_drop_write;

		goto out;

	if (!overwrite) {

		err = ovl_copy_up(new);

		if (err)

			goto out_drop_write;

			goto out;

	} else if (d_inode(new)) {

		err = ovl_nlink_start(new);

		if (err)

			goto out_drop_write;

			goto out;

		update_nlink = true;

	}

	if (!update_nlink) {

		/* ovl_nlink_start() took ovl_want_write() */

		err = ovl_want_write(old);

		if (err)

			goto out;

	}

	old_cred = ovl_override_creds(old->d_sb);

	if (!list_empty(&list)) {

		}

	} else {

		if (!d_is_negative(newdentry)) {

			if (!new_opaque || !ovl_is_whiteout(newdentry))

			if (!new_opaque || !ovl_upper_is_whiteout(ofs, newdentry))

				goto out_dput;

		} else {

			if (flags & RENAME_EXCHANGE)

	revert_creds(old_cred);

	if (update_nlink)

		ovl_nlink_end(new);

out_drop_write:

	else

		ovl_drop_write(old);

out:

	dput(opaquedir);

	if (ovl_dentry_upper(dentry))

		return 0;

	err = ovl_want_write(dentry);

	if (!err) {

	err = ovl_copy_up(dentry);

		ovl_drop_write(dentry);

	}

	if (err) {

		pr_warn_ratelimited("failed to copy up on encode (%pd2, err=%i)\n",

				    dentry, err);