1 // SPDX-License-Identifier: GPL-2.0
5 * Copyright (C) 1995 Linus Torvalds
8 #include <linux/stddef.h>
9 #include <linux/kernel.h>
10 #include <linux/export.h>
11 #include <linux/time.h>
13 #include <linux/errno.h>
14 #include <linux/stat.h>
15 #include <linux/file.h>
17 #include <linux/fsnotify.h>
18 #include <linux/dirent.h>
19 #include <linux/security.h>
20 #include <linux/syscalls.h>
21 #include <linux/unistd.h>
22 #include <linux/compat.h>
23 #include <linux/uaccess.h>
25 #include <asm/unaligned.h>
28 * Some filesystems were never converted to '->iterate_shared()'
29 * and their directory iterators want the inode lock held for
30 * writing. This wrapper allows for converting from the shared
31 * semantics to the exclusive inode use.
33 int wrap_directory_iterator(struct file *file,
34 struct dir_context *ctx,
35 int (*iter)(struct file *, struct dir_context *))
37 struct inode *inode = file_inode(file);
41 * We'd love to have an 'inode_upgrade_trylock()' operation,
42 * see the comment in mmap_upgrade_trylock() in mm/memory.c.
44 * But considering this is for "filesystems that never got
45 * converted", it really doesn't matter.
47 * Also note that since we have to return with the lock held
48 * for reading, we can't use the "killable()" locking here,
49 * since we do need to get the lock even if we're dying.
51 * We could do the write part killably and then get the read
52 * lock unconditionally if it mattered, but see above on why
53 * this does the very simplistic conversion.
55 up_read(&inode->i_rwsem);
56 down_write(&inode->i_rwsem);
59 * Since we dropped the inode lock, we should do the
60 * DEADDIR test again. See 'iterate_dir()' below.
62 * Note that we don't need to re-do the f_pos games,
63 * since the file must be locked wrt f_pos anyway.
66 if (!IS_DEADDIR(inode))
67 ret = iter(file, ctx);
69 downgrade_write(&inode->i_rwsem);
72 EXPORT_SYMBOL(wrap_directory_iterator);
75 * Note the "unsafe_put_user() semantics: we goto a
78 #define unsafe_copy_dirent_name(_dst, _src, _len, label) do { \
79 char __user *dst = (_dst); \
80 const char *src = (_src); \
81 size_t len = (_len); \
82 unsafe_put_user(0, dst+len, label); \
83 unsafe_copy_to_user(dst, src, len, label); \
87 int iterate_dir(struct file *file, struct dir_context *ctx)
89 struct inode *inode = file_inode(file);
92 if (!file->f_op->iterate_shared)
95 res = security_file_permission(file, MAY_READ);
99 res = down_read_killable(&inode->i_rwsem);
104 if (!IS_DEADDIR(inode)) {
105 ctx->pos = file->f_pos;
106 res = file->f_op->iterate_shared(file, ctx);
107 file->f_pos = ctx->pos;
108 fsnotify_access(file);
111 inode_unlock_shared(inode);
115 EXPORT_SYMBOL(iterate_dir);
118 * POSIX says that a dirent name cannot contain NULL or a '/'.
120 * It's not 100% clear what we should really do in this case.
121 * The filesystem is clearly corrupted, but returning a hard
122 * error means that you now don't see any of the other names
123 * either, so that isn't a perfect alternative.
125 * And if you return an error, what error do you use? Several
126 * filesystems seem to have decided on EUCLEAN being the error
127 * code for EFSCORRUPTED, and that may be the error to use. Or
128 * just EIO, which is perhaps more obvious to users.
130 * In order to see the other file names in the directory, the
131 * caller might want to make this a "soft" error: skip the
132 * entry, and return the error at the end instead.
134 * Note that this should likely do a "memchr(name, 0, len)"
135 * check too, since that would be filesystem corruption as
136 * well. However, that case can't actually confuse user space,
137 * which has to do a strlen() on the name anyway to find the
138 * filename length, and the above "soft error" worry means
139 * that it's probably better left alone until we have that
142 * Note the PATH_MAX check - it's arbitrary but the real
143 * kernel limit on a possible path component, not NAME_MAX,
144 * which is the technical standard limit.
146 static int verify_dirent_name(const char *name, int len)
148 if (len <= 0 || len >= PATH_MAX)
150 if (memchr(name, '/', len))
156 * Traditional linux readdir() handling..
158 * "count=1" is a special case, meaning that the buffer is one
159 * dirent-structure in size and that the code can't handle more
160 * anyway. Thus the special "fillonedir()" function for that
161 * case (the low-level handlers don't need to care about this).
164 #ifdef __ARCH_WANT_OLD_READDIR
166 struct old_linux_dirent {
168 unsigned long d_offset;
169 unsigned short d_namlen;
173 struct readdir_callback {
174 struct dir_context ctx;
175 struct old_linux_dirent __user * dirent;
179 static bool fillonedir(struct dir_context *ctx, const char *name, int namlen,
180 loff_t offset, u64 ino, unsigned int d_type)
182 struct readdir_callback *buf =
183 container_of(ctx, struct readdir_callback, ctx);
184 struct old_linux_dirent __user * dirent;
189 buf->result = verify_dirent_name(name, namlen);
193 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
194 buf->result = -EOVERFLOW;
198 dirent = buf->dirent;
199 if (!user_write_access_begin(dirent,
200 (unsigned long)(dirent->d_name + namlen + 1) -
201 (unsigned long)dirent))
203 unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
204 unsafe_put_user(offset, &dirent->d_offset, efault_end);
205 unsafe_put_user(namlen, &dirent->d_namlen, efault_end);
206 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
207 user_write_access_end();
210 user_write_access_end();
212 buf->result = -EFAULT;
216 SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
217 struct old_linux_dirent __user *, dirent, unsigned int, count)
220 struct fd f = fdget_pos(fd);
221 struct readdir_callback buf = {
222 .ctx.actor = fillonedir,
229 error = iterate_dir(f.file, &buf.ctx);
237 #endif /* __ARCH_WANT_OLD_READDIR */
240 * New, all-improved, singing, dancing, iBCS2-compliant getdents()
243 struct linux_dirent {
246 unsigned short d_reclen;
250 struct getdents_callback {
251 struct dir_context ctx;
252 struct linux_dirent __user * current_dir;
258 static bool filldir(struct dir_context *ctx, const char *name, int namlen,
259 loff_t offset, u64 ino, unsigned int d_type)
261 struct linux_dirent __user *dirent, *prev;
262 struct getdents_callback *buf =
263 container_of(ctx, struct getdents_callback, ctx);
265 int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2,
269 buf->error = verify_dirent_name(name, namlen);
270 if (unlikely(buf->error))
272 buf->error = -EINVAL; /* only used if we fail.. */
273 if (reclen > buf->count)
276 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
277 buf->error = -EOVERFLOW;
280 prev_reclen = buf->prev_reclen;
281 if (prev_reclen && signal_pending(current))
283 dirent = buf->current_dir;
284 prev = (void __user *) dirent - prev_reclen;
285 if (!user_write_access_begin(prev, reclen + prev_reclen))
288 /* This might be 'dirent->d_off', but if so it will get overwritten */
289 unsafe_put_user(offset, &prev->d_off, efault_end);
290 unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
291 unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
292 unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
293 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
294 user_write_access_end();
296 buf->current_dir = (void __user *)dirent + reclen;
297 buf->prev_reclen = reclen;
298 buf->count -= reclen;
301 user_write_access_end();
303 buf->error = -EFAULT;
307 SYSCALL_DEFINE3(getdents, unsigned int, fd,
308 struct linux_dirent __user *, dirent, unsigned int, count)
311 struct getdents_callback buf = {
312 .ctx.actor = filldir,
314 .current_dir = dirent
322 error = iterate_dir(f.file, &buf.ctx);
325 if (buf.prev_reclen) {
326 struct linux_dirent __user * lastdirent;
327 lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
329 if (put_user(buf.ctx.pos, &lastdirent->d_off))
332 error = count - buf.count;
338 struct getdents_callback64 {
339 struct dir_context ctx;
340 struct linux_dirent64 __user * current_dir;
346 static bool filldir64(struct dir_context *ctx, const char *name, int namlen,
347 loff_t offset, u64 ino, unsigned int d_type)
349 struct linux_dirent64 __user *dirent, *prev;
350 struct getdents_callback64 *buf =
351 container_of(ctx, struct getdents_callback64, ctx);
352 int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1,
356 buf->error = verify_dirent_name(name, namlen);
357 if (unlikely(buf->error))
359 buf->error = -EINVAL; /* only used if we fail.. */
360 if (reclen > buf->count)
362 prev_reclen = buf->prev_reclen;
363 if (prev_reclen && signal_pending(current))
365 dirent = buf->current_dir;
366 prev = (void __user *)dirent - prev_reclen;
367 if (!user_write_access_begin(prev, reclen + prev_reclen))
370 /* This might be 'dirent->d_off', but if so it will get overwritten */
371 unsafe_put_user(offset, &prev->d_off, efault_end);
372 unsafe_put_user(ino, &dirent->d_ino, efault_end);
373 unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
374 unsafe_put_user(d_type, &dirent->d_type, efault_end);
375 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
376 user_write_access_end();
378 buf->prev_reclen = reclen;
379 buf->current_dir = (void __user *)dirent + reclen;
380 buf->count -= reclen;
384 user_write_access_end();
386 buf->error = -EFAULT;
390 SYSCALL_DEFINE3(getdents64, unsigned int, fd,
391 struct linux_dirent64 __user *, dirent, unsigned int, count)
394 struct getdents_callback64 buf = {
395 .ctx.actor = filldir64,
397 .current_dir = dirent
405 error = iterate_dir(f.file, &buf.ctx);
408 if (buf.prev_reclen) {
409 struct linux_dirent64 __user * lastdirent;
410 typeof(lastdirent->d_off) d_off = buf.ctx.pos;
412 lastdirent = (void __user *) buf.current_dir - buf.prev_reclen;
413 if (put_user(d_off, &lastdirent->d_off))
416 error = count - buf.count;
423 struct compat_old_linux_dirent {
424 compat_ulong_t d_ino;
425 compat_ulong_t d_offset;
426 unsigned short d_namlen;
430 struct compat_readdir_callback {
431 struct dir_context ctx;
432 struct compat_old_linux_dirent __user *dirent;
436 static bool compat_fillonedir(struct dir_context *ctx, const char *name,
437 int namlen, loff_t offset, u64 ino,
440 struct compat_readdir_callback *buf =
441 container_of(ctx, struct compat_readdir_callback, ctx);
442 struct compat_old_linux_dirent __user *dirent;
443 compat_ulong_t d_ino;
447 buf->result = verify_dirent_name(name, namlen);
451 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
452 buf->result = -EOVERFLOW;
456 dirent = buf->dirent;
457 if (!user_write_access_begin(dirent,
458 (unsigned long)(dirent->d_name + namlen + 1) -
459 (unsigned long)dirent))
461 unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
462 unsafe_put_user(offset, &dirent->d_offset, efault_end);
463 unsafe_put_user(namlen, &dirent->d_namlen, efault_end);
464 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
465 user_write_access_end();
468 user_write_access_end();
470 buf->result = -EFAULT;
474 COMPAT_SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
475 struct compat_old_linux_dirent __user *, dirent, unsigned int, count)
478 struct fd f = fdget_pos(fd);
479 struct compat_readdir_callback buf = {
480 .ctx.actor = compat_fillonedir,
487 error = iterate_dir(f.file, &buf.ctx);
495 struct compat_linux_dirent {
496 compat_ulong_t d_ino;
497 compat_ulong_t d_off;
498 unsigned short d_reclen;
502 struct compat_getdents_callback {
503 struct dir_context ctx;
504 struct compat_linux_dirent __user *current_dir;
510 static bool compat_filldir(struct dir_context *ctx, const char *name, int namlen,
511 loff_t offset, u64 ino, unsigned int d_type)
513 struct compat_linux_dirent __user *dirent, *prev;
514 struct compat_getdents_callback *buf =
515 container_of(ctx, struct compat_getdents_callback, ctx);
516 compat_ulong_t d_ino;
517 int reclen = ALIGN(offsetof(struct compat_linux_dirent, d_name) +
518 namlen + 2, sizeof(compat_long_t));
521 buf->error = verify_dirent_name(name, namlen);
522 if (unlikely(buf->error))
524 buf->error = -EINVAL; /* only used if we fail.. */
525 if (reclen > buf->count)
528 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
529 buf->error = -EOVERFLOW;
532 prev_reclen = buf->prev_reclen;
533 if (prev_reclen && signal_pending(current))
535 dirent = buf->current_dir;
536 prev = (void __user *) dirent - prev_reclen;
537 if (!user_write_access_begin(prev, reclen + prev_reclen))
540 unsafe_put_user(offset, &prev->d_off, efault_end);
541 unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
542 unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
543 unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
544 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
545 user_write_access_end();
547 buf->prev_reclen = reclen;
548 buf->current_dir = (void __user *)dirent + reclen;
549 buf->count -= reclen;
552 user_write_access_end();
554 buf->error = -EFAULT;
558 COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
559 struct compat_linux_dirent __user *, dirent, unsigned int, count)
562 struct compat_getdents_callback buf = {
563 .ctx.actor = compat_filldir,
564 .current_dir = dirent,
573 error = iterate_dir(f.file, &buf.ctx);
576 if (buf.prev_reclen) {
577 struct compat_linux_dirent __user * lastdirent;
578 lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
580 if (put_user(buf.ctx.pos, &lastdirent->d_off))
583 error = count - buf.count;