ovl: Fix nested backing file paths

[PATCH] ovl: Fix nested backing file paths

Posted by André Almeida 9 months, 2 weeks ago

When the lowerdir of an overlayfs is a merged directory of another
overlayfs, ovl_open_realfile() will fail to open the real file and point
to a lower dentry copy, without the proper parent path. After this,
d_path() will then display the path incorrectly as if the file is placed
in the root directory.

This bug can be triggered with the following setup:

 mkdir -p ovl-A/lower ovl-A/upper ovl-A/merge ovl-A/work
 mkdir -p ovl-B/upper ovl-B/merge ovl-B/work

 cp /bin/cat ovl-A/lower/

 mount -t overlay overlay -o \
 lowerdir=ovl-A/lower,upperdir=ovl-A/upper,workdir=ovl-A/work \
 ovl-A/merge

 mount -t overlay overlay -o \
 lowerdir=ovl-A/merge,upperdir=ovl-B/upper,workdir=ovl-B/work \
 ovl-B/merge

 ovl-A/merge/cat /proc/self/maps | grep --color cat
 ovl-B/merge/cat /proc/self/maps | grep --color cat

The first cat will correctly show `/ovl-A/merge/cat`, while the second
one shows just `/cat`.

To fix that, uses file_user_path() inside of backing_file_open() to get
the correct file path for the dentry.

Co-developed-by: John Schoenick <johns@valvesoftware.com>
Signed-off-by: John Schoenick <johns@valvesoftware.com>
Signed-off-by: André Almeida <andrealmeid@igalia.com>
---
 fs/overlayfs/file.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 969b458100fe..dfea7bd800cb 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -48,8 +48,8 @@ static struct file *ovl_open_realfile(const struct file *file,
 		if (!inode_owner_or_capable(real_idmap, realinode))
 			flags &= ~O_NOATIME;
 
-		realfile = backing_file_open(&file->f_path, flags, realpath,
-					     current_cred());
+		realfile = backing_file_open(file_user_path((struct file *) file),
+					     flags, realpath, current_cred());
 	}
 	ovl_revert_creds(old_cred);
 
-- 
2.49.0

Re: [PATCH] ovl: Fix nested backing file paths

Posted by Miklos Szeredi 9 months, 1 week ago

On Tue, 29 Apr 2025 at 20:39, André Almeida <andrealmeid@igalia.com> wrote:
>
> When the lowerdir of an overlayfs is a merged directory of another
> overlayfs, ovl_open_realfile() will fail to open the real file and point
> to a lower dentry copy, without the proper parent path. After this,
> d_path() will then display the path incorrectly as if the file is placed
> in the root directory.
>
> This bug can be triggered with the following setup:
>
>  mkdir -p ovl-A/lower ovl-A/upper ovl-A/merge ovl-A/work
>  mkdir -p ovl-B/upper ovl-B/merge ovl-B/work
>
>  cp /bin/cat ovl-A/lower/
>
>  mount -t overlay overlay -o \
>  lowerdir=ovl-A/lower,upperdir=ovl-A/upper,workdir=ovl-A/work \
>  ovl-A/merge
>
>  mount -t overlay overlay -o \
>  lowerdir=ovl-A/merge,upperdir=ovl-B/upper,workdir=ovl-B/work \
>  ovl-B/merge
>
>  ovl-A/merge/cat /proc/self/maps | grep --color cat
>  ovl-B/merge/cat /proc/self/maps | grep --color cat
>
> The first cat will correctly show `/ovl-A/merge/cat`, while the second
> one shows just `/cat`.
>
> To fix that, uses file_user_path() inside of backing_file_open() to get
> the correct file path for the dentry.
>
> Co-developed-by: John Schoenick <johns@valvesoftware.com>
> Signed-off-by: John Schoenick <johns@valvesoftware.com>
> Signed-off-by: André Almeida <andrealmeid@igalia.com>

Perfect, thanks!

Added these:

    Fixes: def3ae83da02 ("fs: store real path instead of fake path in
backing file f_path")
    Cc: <stable@vger.kernel.org> # v6.7

and pushed to ovl-next.

Thanks,
Miklos