1 // SPDX-License-Identifier: GPL-2.0
5 * Copyright (C) 1995 Linus Torvalds
8 #include <linux/stddef.h>
9 #include <linux/kernel.h>
10 #include <linux/export.h>
11 #include <linux/time.h>
13 #include <linux/errno.h>
14 #include <linux/stat.h>
15 #include <linux/file.h>
17 #include <linux/fsnotify.h>
18 #include <linux/dirent.h>
19 #include <linux/security.h>
20 #include <linux/syscalls.h>
21 #include <linux/unistd.h>
22 #include <linux/compat.h>
23 #include <linux/uaccess.h>
25 #include <asm/unaligned.h>
28 * Some filesystems were never converted to '->iterate_shared()'
29 * and their directory iterators want the inode lock held for
30 * writing. This wrapper allows for converting from the shared
31 * semantics to the exclusive inode use.
33 int wrap_directory_iterator(struct file
*file
,
34 struct dir_context
*ctx
,
35 int (*iter
)(struct file
*, struct dir_context
*))
37 struct inode
*inode
= file_inode(file
);
41 * We'd love to have an 'inode_upgrade_trylock()' operation,
42 * see the comment in mmap_upgrade_trylock() in mm/memory.c.
44 * But considering this is for "filesystems that never got
45 * converted", it really doesn't matter.
47 * Also note that since we have to return with the lock held
48 * for reading, we can't use the "killable()" locking here,
49 * since we do need to get the lock even if we're dying.
51 * We could do the write part killably and then get the read
52 * lock unconditionally if it mattered, but see above on why
53 * this does the very simplistic conversion.
55 up_read(&inode
->i_rwsem
);
56 down_write(&inode
->i_rwsem
);
59 * Since we dropped the inode lock, we should do the
60 * DEADDIR test again. See 'iterate_dir()' below.
62 * Note that we don't need to re-do the f_pos games,
63 * since the file must be locked wrt f_pos anyway.
66 if (!IS_DEADDIR(inode
))
67 ret
= iter(file
, ctx
);
69 downgrade_write(&inode
->i_rwsem
);
72 EXPORT_SYMBOL(wrap_directory_iterator
);
75 * Note the "unsafe_put_user() semantics: we goto a
78 #define unsafe_copy_dirent_name(_dst, _src, _len, label) do { \
79 char __user *dst = (_dst); \
80 const char *src = (_src); \
81 size_t len = (_len); \
82 unsafe_put_user(0, dst+len, label); \
83 unsafe_copy_to_user(dst, src, len, label); \
87 int iterate_dir(struct file
*file
, struct dir_context
*ctx
)
89 struct inode
*inode
= file_inode(file
);
92 if (!file
->f_op
->iterate_shared
)
95 res
= security_file_permission(file
, MAY_READ
);
99 res
= down_read_killable(&inode
->i_rwsem
);
104 if (!IS_DEADDIR(inode
)) {
105 ctx
->pos
= file
->f_pos
;
106 res
= file
->f_op
->iterate_shared(file
, ctx
);
107 file
->f_pos
= ctx
->pos
;
108 fsnotify_access(file
);
111 inode_unlock_shared(inode
);
115 EXPORT_SYMBOL(iterate_dir
);
118 * POSIX says that a dirent name cannot contain NULL or a '/'.
120 * It's not 100% clear what we should really do in this case.
121 * The filesystem is clearly corrupted, but returning a hard
122 * error means that you now don't see any of the other names
123 * either, so that isn't a perfect alternative.
125 * And if you return an error, what error do you use? Several
126 * filesystems seem to have decided on EUCLEAN being the error
127 * code for EFSCORRUPTED, and that may be the error to use. Or
128 * just EIO, which is perhaps more obvious to users.
130 * In order to see the other file names in the directory, the
131 * caller might want to make this a "soft" error: skip the
132 * entry, and return the error at the end instead.
134 * Note that this should likely do a "memchr(name, 0, len)"
135 * check too, since that would be filesystem corruption as
136 * well. However, that case can't actually confuse user space,
137 * which has to do a strlen() on the name anyway to find the
138 * filename length, and the above "soft error" worry means
139 * that it's probably better left alone until we have that
142 * Note the PATH_MAX check - it's arbitrary but the real
143 * kernel limit on a possible path component, not NAME_MAX,
144 * which is the technical standard limit.
146 static int verify_dirent_name(const char *name
, int len
)
148 if (len
<= 0 || len
>= PATH_MAX
)
150 if (memchr(name
, '/', len
))
156 * Traditional linux readdir() handling..
158 * "count=1" is a special case, meaning that the buffer is one
159 * dirent-structure in size and that the code can't handle more
160 * anyway. Thus the special "fillonedir()" function for that
161 * case (the low-level handlers don't need to care about this).
164 #ifdef __ARCH_WANT_OLD_READDIR
166 struct old_linux_dirent
{
168 unsigned long d_offset
;
169 unsigned short d_namlen
;
173 struct readdir_callback
{
174 struct dir_context ctx
;
175 struct old_linux_dirent __user
* dirent
;
179 static bool fillonedir(struct dir_context
*ctx
, const char *name
, int namlen
,
180 loff_t offset
, u64 ino
, unsigned int d_type
)
182 struct readdir_callback
*buf
=
183 container_of(ctx
, struct readdir_callback
, ctx
);
184 struct old_linux_dirent __user
* dirent
;
189 buf
->result
= verify_dirent_name(name
, namlen
);
193 if (sizeof(d_ino
) < sizeof(ino
) && d_ino
!= ino
) {
194 buf
->result
= -EOVERFLOW
;
198 dirent
= buf
->dirent
;
199 if (!user_write_access_begin(dirent
,
200 (unsigned long)(dirent
->d_name
+ namlen
+ 1) -
201 (unsigned long)dirent
))
203 unsafe_put_user(d_ino
, &dirent
->d_ino
, efault_end
);
204 unsafe_put_user(offset
, &dirent
->d_offset
, efault_end
);
205 unsafe_put_user(namlen
, &dirent
->d_namlen
, efault_end
);
206 unsafe_copy_dirent_name(dirent
->d_name
, name
, namlen
, efault_end
);
207 user_write_access_end();
210 user_write_access_end();
212 buf
->result
= -EFAULT
;
216 SYSCALL_DEFINE3(old_readdir
, unsigned int, fd
,
217 struct old_linux_dirent __user
*, dirent
, unsigned int, count
)
220 struct fd f
= fdget_pos(fd
);
221 struct readdir_callback buf
= {
222 .ctx
.actor
= fillonedir
,
229 error
= iterate_dir(f
.file
, &buf
.ctx
);
237 #endif /* __ARCH_WANT_OLD_READDIR */
240 * New, all-improved, singing, dancing, iBCS2-compliant getdents()
243 struct linux_dirent
{
246 unsigned short d_reclen
;
250 struct getdents_callback
{
251 struct dir_context ctx
;
252 struct linux_dirent __user
* current_dir
;
258 static bool filldir(struct dir_context
*ctx
, const char *name
, int namlen
,
259 loff_t offset
, u64 ino
, unsigned int d_type
)
261 struct linux_dirent __user
*dirent
, *prev
;
262 struct getdents_callback
*buf
=
263 container_of(ctx
, struct getdents_callback
, ctx
);
265 int reclen
= ALIGN(offsetof(struct linux_dirent
, d_name
) + namlen
+ 2,
269 buf
->error
= verify_dirent_name(name
, namlen
);
270 if (unlikely(buf
->error
))
272 buf
->error
= -EINVAL
; /* only used if we fail.. */
273 if (reclen
> buf
->count
)
276 if (sizeof(d_ino
) < sizeof(ino
) && d_ino
!= ino
) {
277 buf
->error
= -EOVERFLOW
;
280 prev_reclen
= buf
->prev_reclen
;
281 if (prev_reclen
&& signal_pending(current
))
283 dirent
= buf
->current_dir
;
284 prev
= (void __user
*) dirent
- prev_reclen
;
285 if (!user_write_access_begin(prev
, reclen
+ prev_reclen
))
288 /* This might be 'dirent->d_off', but if so it will get overwritten */
289 unsafe_put_user(offset
, &prev
->d_off
, efault_end
);
290 unsafe_put_user(d_ino
, &dirent
->d_ino
, efault_end
);
291 unsafe_put_user(reclen
, &dirent
->d_reclen
, efault_end
);
292 unsafe_put_user(d_type
, (char __user
*) dirent
+ reclen
- 1, efault_end
);
293 unsafe_copy_dirent_name(dirent
->d_name
, name
, namlen
, efault_end
);
294 user_write_access_end();
296 buf
->current_dir
= (void __user
*)dirent
+ reclen
;
297 buf
->prev_reclen
= reclen
;
298 buf
->count
-= reclen
;
301 user_write_access_end();
303 buf
->error
= -EFAULT
;
307 SYSCALL_DEFINE3(getdents
, unsigned int, fd
,
308 struct linux_dirent __user
*, dirent
, unsigned int, count
)
311 struct getdents_callback buf
= {
312 .ctx
.actor
= filldir
,
314 .current_dir
= dirent
322 error
= iterate_dir(f
.file
, &buf
.ctx
);
325 if (buf
.prev_reclen
) {
326 struct linux_dirent __user
* lastdirent
;
327 lastdirent
= (void __user
*)buf
.current_dir
- buf
.prev_reclen
;
329 if (put_user(buf
.ctx
.pos
, &lastdirent
->d_off
))
332 error
= count
- buf
.count
;
338 struct getdents_callback64
{
339 struct dir_context ctx
;
340 struct linux_dirent64 __user
* current_dir
;
346 static bool filldir64(struct dir_context
*ctx
, const char *name
, int namlen
,
347 loff_t offset
, u64 ino
, unsigned int d_type
)
349 struct linux_dirent64 __user
*dirent
, *prev
;
350 struct getdents_callback64
*buf
=
351 container_of(ctx
, struct getdents_callback64
, ctx
);
352 int reclen
= ALIGN(offsetof(struct linux_dirent64
, d_name
) + namlen
+ 1,
356 buf
->error
= verify_dirent_name(name
, namlen
);
357 if (unlikely(buf
->error
))
359 buf
->error
= -EINVAL
; /* only used if we fail.. */
360 if (reclen
> buf
->count
)
362 prev_reclen
= buf
->prev_reclen
;
363 if (prev_reclen
&& signal_pending(current
))
365 dirent
= buf
->current_dir
;
366 prev
= (void __user
*)dirent
- prev_reclen
;
367 if (!user_write_access_begin(prev
, reclen
+ prev_reclen
))
370 /* This might be 'dirent->d_off', but if so it will get overwritten */
371 unsafe_put_user(offset
, &prev
->d_off
, efault_end
);
372 unsafe_put_user(ino
, &dirent
->d_ino
, efault_end
);
373 unsafe_put_user(reclen
, &dirent
->d_reclen
, efault_end
);
374 unsafe_put_user(d_type
, &dirent
->d_type
, efault_end
);
375 unsafe_copy_dirent_name(dirent
->d_name
, name
, namlen
, efault_end
);
376 user_write_access_end();
378 buf
->prev_reclen
= reclen
;
379 buf
->current_dir
= (void __user
*)dirent
+ reclen
;
380 buf
->count
-= reclen
;
384 user_write_access_end();
386 buf
->error
= -EFAULT
;
390 SYSCALL_DEFINE3(getdents64
, unsigned int, fd
,
391 struct linux_dirent64 __user
*, dirent
, unsigned int, count
)
394 struct getdents_callback64 buf
= {
395 .ctx
.actor
= filldir64
,
397 .current_dir
= dirent
405 error
= iterate_dir(f
.file
, &buf
.ctx
);
408 if (buf
.prev_reclen
) {
409 struct linux_dirent64 __user
* lastdirent
;
410 typeof(lastdirent
->d_off
) d_off
= buf
.ctx
.pos
;
412 lastdirent
= (void __user
*) buf
.current_dir
- buf
.prev_reclen
;
413 if (put_user(d_off
, &lastdirent
->d_off
))
416 error
= count
- buf
.count
;
423 struct compat_old_linux_dirent
{
424 compat_ulong_t d_ino
;
425 compat_ulong_t d_offset
;
426 unsigned short d_namlen
;
430 struct compat_readdir_callback
{
431 struct dir_context ctx
;
432 struct compat_old_linux_dirent __user
*dirent
;
436 static bool compat_fillonedir(struct dir_context
*ctx
, const char *name
,
437 int namlen
, loff_t offset
, u64 ino
,
440 struct compat_readdir_callback
*buf
=
441 container_of(ctx
, struct compat_readdir_callback
, ctx
);
442 struct compat_old_linux_dirent __user
*dirent
;
443 compat_ulong_t d_ino
;
447 buf
->result
= verify_dirent_name(name
, namlen
);
451 if (sizeof(d_ino
) < sizeof(ino
) && d_ino
!= ino
) {
452 buf
->result
= -EOVERFLOW
;
456 dirent
= buf
->dirent
;
457 if (!user_write_access_begin(dirent
,
458 (unsigned long)(dirent
->d_name
+ namlen
+ 1) -
459 (unsigned long)dirent
))
461 unsafe_put_user(d_ino
, &dirent
->d_ino
, efault_end
);
462 unsafe_put_user(offset
, &dirent
->d_offset
, efault_end
);
463 unsafe_put_user(namlen
, &dirent
->d_namlen
, efault_end
);
464 unsafe_copy_dirent_name(dirent
->d_name
, name
, namlen
, efault_end
);
465 user_write_access_end();
468 user_write_access_end();
470 buf
->result
= -EFAULT
;
474 COMPAT_SYSCALL_DEFINE3(old_readdir
, unsigned int, fd
,
475 struct compat_old_linux_dirent __user
*, dirent
, unsigned int, count
)
478 struct fd f
= fdget_pos(fd
);
479 struct compat_readdir_callback buf
= {
480 .ctx
.actor
= compat_fillonedir
,
487 error
= iterate_dir(f
.file
, &buf
.ctx
);
495 struct compat_linux_dirent
{
496 compat_ulong_t d_ino
;
497 compat_ulong_t d_off
;
498 unsigned short d_reclen
;
502 struct compat_getdents_callback
{
503 struct dir_context ctx
;
504 struct compat_linux_dirent __user
*current_dir
;
510 static bool compat_filldir(struct dir_context
*ctx
, const char *name
, int namlen
,
511 loff_t offset
, u64 ino
, unsigned int d_type
)
513 struct compat_linux_dirent __user
*dirent
, *prev
;
514 struct compat_getdents_callback
*buf
=
515 container_of(ctx
, struct compat_getdents_callback
, ctx
);
516 compat_ulong_t d_ino
;
517 int reclen
= ALIGN(offsetof(struct compat_linux_dirent
, d_name
) +
518 namlen
+ 2, sizeof(compat_long_t
));
521 buf
->error
= verify_dirent_name(name
, namlen
);
522 if (unlikely(buf
->error
))
524 buf
->error
= -EINVAL
; /* only used if we fail.. */
525 if (reclen
> buf
->count
)
528 if (sizeof(d_ino
) < sizeof(ino
) && d_ino
!= ino
) {
529 buf
->error
= -EOVERFLOW
;
532 prev_reclen
= buf
->prev_reclen
;
533 if (prev_reclen
&& signal_pending(current
))
535 dirent
= buf
->current_dir
;
536 prev
= (void __user
*) dirent
- prev_reclen
;
537 if (!user_write_access_begin(prev
, reclen
+ prev_reclen
))
540 unsafe_put_user(offset
, &prev
->d_off
, efault_end
);
541 unsafe_put_user(d_ino
, &dirent
->d_ino
, efault_end
);
542 unsafe_put_user(reclen
, &dirent
->d_reclen
, efault_end
);
543 unsafe_put_user(d_type
, (char __user
*) dirent
+ reclen
- 1, efault_end
);
544 unsafe_copy_dirent_name(dirent
->d_name
, name
, namlen
, efault_end
);
545 user_write_access_end();
547 buf
->prev_reclen
= reclen
;
548 buf
->current_dir
= (void __user
*)dirent
+ reclen
;
549 buf
->count
-= reclen
;
552 user_write_access_end();
554 buf
->error
= -EFAULT
;
558 COMPAT_SYSCALL_DEFINE3(getdents
, unsigned int, fd
,
559 struct compat_linux_dirent __user
*, dirent
, unsigned int, count
)
562 struct compat_getdents_callback buf
= {
563 .ctx
.actor
= compat_filldir
,
564 .current_dir
= dirent
,
573 error
= iterate_dir(f
.file
, &buf
.ctx
);
576 if (buf
.prev_reclen
) {
577 struct compat_linux_dirent __user
* lastdirent
;
578 lastdirent
= (void __user
*)buf
.current_dir
- buf
.prev_reclen
;
580 if (put_user(buf
.ctx
.pos
, &lastdirent
->d_off
))
583 error
= count
- buf
.count
;