readdir.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * linux/fs/readdir.c
  4. *
  5. * Copyright (C) 1995 Linus Torvalds
  6. */
  7. #include <linux/stddef.h>
  8. #include <linux/kernel.h>
  9. #include <linux/export.h>
  10. #include <linux/time.h>
  11. #include <linux/mm.h>
  12. #include <linux/errno.h>
  13. #include <linux/stat.h>
  14. #include <linux/file.h>
  15. #include <linux/fs.h>
  16. #include <linux/fsnotify.h>
  17. #include <linux/dirent.h>
  18. #include <linux/security.h>
  19. #include <linux/syscalls.h>
  20. #include <linux/unistd.h>
  21. #include <linux/compat.h>
  22. #include <linux/uaccess.h>
  23. /*
  24. * Some filesystems were never converted to '->iterate_shared()'
  25. * and their directory iterators want the inode lock held for
  26. * writing. This wrapper allows for converting from the shared
  27. * semantics to the exclusive inode use.
  28. */
  29. int wrap_directory_iterator(struct file *file,
  30. struct dir_context *ctx,
  31. int (*iter)(struct file *, struct dir_context *))
  32. {
  33. struct inode *inode = file_inode(file);
  34. int ret;
  35. /*
  36. * We'd love to have an 'inode_upgrade_trylock()' operation,
  37. * see the comment in mmap_upgrade_trylock() in mm/memory.c.
  38. *
  39. * But considering this is for "filesystems that never got
  40. * converted", it really doesn't matter.
  41. *
  42. * Also note that since we have to return with the lock held
  43. * for reading, we can't use the "killable()" locking here,
  44. * since we do need to get the lock even if we're dying.
  45. *
  46. * We could do the write part killably and then get the read
  47. * lock unconditionally if it mattered, but see above on why
  48. * this does the very simplistic conversion.
  49. */
  50. up_read(&inode->i_rwsem);
  51. down_write(&inode->i_rwsem);
  52. /*
  53. * Since we dropped the inode lock, we should do the
  54. * DEADDIR test again. See 'iterate_dir()' below.
  55. *
  56. * Note that we don't need to re-do the f_pos games,
  57. * since the file must be locked wrt f_pos anyway.
  58. */
  59. ret = -ENOENT;
  60. if (!IS_DEADDIR(inode))
  61. ret = iter(file, ctx);
  62. downgrade_write(&inode->i_rwsem);
  63. return ret;
  64. }
  65. EXPORT_SYMBOL(wrap_directory_iterator);
  66. /*
  67. * Note the "unsafe_put_user()" semantics: we goto a
  68. * label for errors.
  69. */
  70. #define unsafe_copy_dirent_name(_dst, _src, _len, label) do { \
  71. char __user *dst = (_dst); \
  72. const char *src = (_src); \
  73. size_t len = (_len); \
  74. unsafe_put_user(0, dst+len, label); \
  75. unsafe_copy_to_user(dst, src, len, label); \
  76. } while (0)
  77. int iterate_dir(struct file *file, struct dir_context *ctx)
  78. {
  79. struct inode *inode = file_inode(file);
  80. int res = -ENOTDIR;
  81. if (!file->f_op->iterate_shared)
  82. goto out;
  83. res = security_file_permission(file, MAY_READ);
  84. if (res)
  85. goto out;
  86. res = fsnotify_file_perm(file, MAY_READ);
  87. if (res)
  88. goto out;
  89. res = down_read_killable(&inode->i_rwsem);
  90. if (res)
  91. goto out;
  92. res = -ENOENT;
  93. if (!IS_DEADDIR(inode)) {
  94. ctx->pos = file->f_pos;
  95. res = file->f_op->iterate_shared(file, ctx);
  96. file->f_pos = ctx->pos;
  97. fsnotify_access(file);
  98. file_accessed(file);
  99. }
  100. inode_unlock_shared(inode);
  101. out:
  102. return res;
  103. }
  104. EXPORT_SYMBOL(iterate_dir);
  105. /*
  106. * POSIX says that a dirent name cannot contain NULL or a '/'.
  107. *
  108. * It's not 100% clear what we should really do in this case.
  109. * The filesystem is clearly corrupted, but returning a hard
  110. * error means that you now don't see any of the other names
  111. * either, so that isn't a perfect alternative.
  112. *
  113. * And if you return an error, what error do you use? Several
  114. * filesystems seem to have decided on EUCLEAN being the error
  115. * code for EFSCORRUPTED, and that may be the error to use. Or
  116. * just EIO, which is perhaps more obvious to users.
  117. *
  118. * In order to see the other file names in the directory, the
  119. * caller might want to make this a "soft" error: skip the
  120. * entry, and return the error at the end instead.
  121. *
  122. * Note that this should likely do a "memchr(name, 0, len)"
  123. * check too, since that would be filesystem corruption as
  124. * well. However, that case can't actually confuse user space,
  125. * which has to do a strlen() on the name anyway to find the
  126. * filename length, and the above "soft error" worry means
  127. * that it's probably better left alone until we have that
  128. * issue clarified.
  129. *
  130. * Note the PATH_MAX check - it's arbitrary but the real
  131. * kernel limit on a possible path component, not NAME_MAX,
  132. * which is the technical standard limit.
  133. */
  134. static int verify_dirent_name(const char *name, int len)
  135. {
  136. if (len <= 0 || len >= PATH_MAX)
  137. return -EIO;
  138. if (memchr(name, '/', len))
  139. return -EIO;
  140. return 0;
  141. }
  142. /*
  143. * Traditional linux readdir() handling..
  144. *
  145. * "count=1" is a special case, meaning that the buffer is one
  146. * dirent-structure in size and that the code can't handle more
  147. * anyway. Thus the special "fillonedir()" function for that
  148. * case (the low-level handlers don't need to care about this).
  149. */
  150. #ifdef __ARCH_WANT_OLD_READDIR
  151. struct old_linux_dirent {
  152. unsigned long d_ino;
  153. unsigned long d_offset;
  154. unsigned short d_namlen;
  155. char d_name[];
  156. };
  157. struct readdir_callback {
  158. struct dir_context ctx;
  159. struct old_linux_dirent __user * dirent;
  160. int result;
  161. };
  162. static bool fillonedir(struct dir_context *ctx, const char *name, int namlen,
  163. loff_t offset, u64 ino, unsigned int d_type)
  164. {
  165. struct readdir_callback *buf =
  166. container_of(ctx, struct readdir_callback, ctx);
  167. struct old_linux_dirent __user * dirent;
  168. unsigned long d_ino;
  169. if (buf->result)
  170. return false;
  171. buf->result = verify_dirent_name(name, namlen);
  172. if (buf->result)
  173. return false;
  174. d_ino = ino;
  175. if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
  176. buf->result = -EOVERFLOW;
  177. return false;
  178. }
  179. buf->result++;
  180. dirent = buf->dirent;
  181. if (!user_write_access_begin(dirent,
  182. (unsigned long)(dirent->d_name + namlen + 1) -
  183. (unsigned long)dirent))
  184. goto efault;
  185. unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
  186. unsafe_put_user(offset, &dirent->d_offset, efault_end);
  187. unsafe_put_user(namlen, &dirent->d_namlen, efault_end);
  188. unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
  189. user_write_access_end();
  190. return true;
  191. efault_end:
  192. user_write_access_end();
  193. efault:
  194. buf->result = -EFAULT;
  195. return false;
  196. }
  197. SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
  198. struct old_linux_dirent __user *, dirent, unsigned int, count)
  199. {
  200. int error;
  201. CLASS(fd_pos, f)(fd);
  202. struct readdir_callback buf = {
  203. .ctx.actor = fillonedir,
  204. .ctx.count = 1, /* Hint to fs: just one entry. */
  205. .dirent = dirent
  206. };
  207. if (fd_empty(f))
  208. return -EBADF;
  209. error = iterate_dir(fd_file(f), &buf.ctx);
  210. if (buf.result)
  211. error = buf.result;
  212. return error;
  213. }
  214. #endif /* __ARCH_WANT_OLD_READDIR */
  215. /*
  216. * New, all-improved, singing, dancing, iBCS2-compliant getdents()
  217. * interface.
  218. */
  219. struct linux_dirent {
  220. unsigned long d_ino;
  221. unsigned long d_off;
  222. unsigned short d_reclen;
  223. char d_name[];
  224. };
  225. struct getdents_callback {
  226. struct dir_context ctx;
  227. struct linux_dirent __user * current_dir;
  228. int prev_reclen;
  229. int error;
  230. };
  231. static bool filldir(struct dir_context *ctx, const char *name, int namlen,
  232. loff_t offset, u64 ino, unsigned int d_type)
  233. {
  234. struct linux_dirent __user *dirent, *prev;
  235. struct getdents_callback *buf =
  236. container_of(ctx, struct getdents_callback, ctx);
  237. unsigned long d_ino;
  238. int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2,
  239. sizeof(long));
  240. int prev_reclen;
  241. unsigned int flags = d_type;
  242. BUILD_BUG_ON(FILLDIR_FLAG_NOINTR & S_DT_MASK);
  243. d_type &= S_DT_MASK;
  244. buf->error = verify_dirent_name(name, namlen);
  245. if (unlikely(buf->error))
  246. return false;
  247. buf->error = -EINVAL; /* only used if we fail.. */
  248. if (reclen > ctx->count)
  249. return false;
  250. d_ino = ino;
  251. if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
  252. buf->error = -EOVERFLOW;
  253. return false;
  254. }
  255. prev_reclen = buf->prev_reclen;
  256. if (!(flags & FILLDIR_FLAG_NOINTR) && prev_reclen && signal_pending(current))
  257. return false;
  258. dirent = buf->current_dir;
  259. prev = (void __user *) dirent - prev_reclen;
  260. if (!user_write_access_begin(prev, reclen + prev_reclen))
  261. goto efault;
  262. /* This might be 'dirent->d_off', but if so it will get overwritten */
  263. unsafe_put_user(offset, &prev->d_off, efault_end);
  264. unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
  265. unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
  266. unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
  267. unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
  268. user_write_access_end();
  269. buf->current_dir = (void __user *)dirent + reclen;
  270. buf->prev_reclen = reclen;
  271. ctx->count -= reclen;
  272. return true;
  273. efault_end:
  274. user_write_access_end();
  275. efault:
  276. buf->error = -EFAULT;
  277. return false;
  278. }
  279. SYSCALL_DEFINE3(getdents, unsigned int, fd,
  280. struct linux_dirent __user *, dirent, unsigned int, count)
  281. {
  282. CLASS(fd_pos, f)(fd);
  283. struct getdents_callback buf = {
  284. .ctx.actor = filldir,
  285. .ctx.count = count,
  286. .ctx.dt_flags_mask = FILLDIR_FLAG_NOINTR,
  287. .current_dir = dirent
  288. };
  289. int error;
  290. if (fd_empty(f))
  291. return -EBADF;
  292. error = iterate_dir(fd_file(f), &buf.ctx);
  293. if (error >= 0)
  294. error = buf.error;
  295. if (buf.prev_reclen) {
  296. struct linux_dirent __user * lastdirent;
  297. lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
  298. if (put_user(buf.ctx.pos, &lastdirent->d_off))
  299. error = -EFAULT;
  300. else
  301. error = count - buf.ctx.count;
  302. }
  303. return error;
  304. }
  305. struct getdents_callback64 {
  306. struct dir_context ctx;
  307. struct linux_dirent64 __user * current_dir;
  308. int prev_reclen;
  309. int error;
  310. };
  311. static bool filldir64(struct dir_context *ctx, const char *name, int namlen,
  312. loff_t offset, u64 ino, unsigned int d_type)
  313. {
  314. struct linux_dirent64 __user *dirent, *prev;
  315. struct getdents_callback64 *buf =
  316. container_of(ctx, struct getdents_callback64, ctx);
  317. int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1,
  318. sizeof(u64));
  319. int prev_reclen;
  320. unsigned int flags = d_type;
  321. BUILD_BUG_ON(FILLDIR_FLAG_NOINTR & S_DT_MASK);
  322. d_type &= S_DT_MASK;
  323. buf->error = verify_dirent_name(name, namlen);
  324. if (unlikely(buf->error))
  325. return false;
  326. buf->error = -EINVAL; /* only used if we fail.. */
  327. if (reclen > ctx->count)
  328. return false;
  329. prev_reclen = buf->prev_reclen;
  330. if (!(flags & FILLDIR_FLAG_NOINTR) && prev_reclen && signal_pending(current))
  331. return false;
  332. dirent = buf->current_dir;
  333. prev = (void __user *)dirent - prev_reclen;
  334. if (!user_write_access_begin(prev, reclen + prev_reclen))
  335. goto efault;
  336. /* This might be 'dirent->d_off', but if so it will get overwritten */
  337. unsafe_put_user(offset, &prev->d_off, efault_end);
  338. unsafe_put_user(ino, &dirent->d_ino, efault_end);
  339. unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
  340. unsafe_put_user(d_type, &dirent->d_type, efault_end);
  341. unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
  342. user_write_access_end();
  343. buf->prev_reclen = reclen;
  344. buf->current_dir = (void __user *)dirent + reclen;
  345. ctx->count -= reclen;
  346. return true;
  347. efault_end:
  348. user_write_access_end();
  349. efault:
  350. buf->error = -EFAULT;
  351. return false;
  352. }
  353. SYSCALL_DEFINE3(getdents64, unsigned int, fd,
  354. struct linux_dirent64 __user *, dirent, unsigned int, count)
  355. {
  356. CLASS(fd_pos, f)(fd);
  357. struct getdents_callback64 buf = {
  358. .ctx.actor = filldir64,
  359. .ctx.count = count,
  360. .ctx.dt_flags_mask = FILLDIR_FLAG_NOINTR,
  361. .current_dir = dirent
  362. };
  363. int error;
  364. if (fd_empty(f))
  365. return -EBADF;
  366. error = iterate_dir(fd_file(f), &buf.ctx);
  367. if (error >= 0)
  368. error = buf.error;
  369. if (buf.prev_reclen) {
  370. struct linux_dirent64 __user * lastdirent;
  371. typeof(lastdirent->d_off) d_off = buf.ctx.pos;
  372. lastdirent = (void __user *) buf.current_dir - buf.prev_reclen;
  373. if (put_user(d_off, &lastdirent->d_off))
  374. error = -EFAULT;
  375. else
  376. error = count - buf.ctx.count;
  377. }
  378. return error;
  379. }
  380. #ifdef CONFIG_COMPAT
  381. struct compat_old_linux_dirent {
  382. compat_ulong_t d_ino;
  383. compat_ulong_t d_offset;
  384. unsigned short d_namlen;
  385. char d_name[];
  386. };
  387. struct compat_readdir_callback {
  388. struct dir_context ctx;
  389. struct compat_old_linux_dirent __user *dirent;
  390. int result;
  391. };
  392. static bool compat_fillonedir(struct dir_context *ctx, const char *name,
  393. int namlen, loff_t offset, u64 ino,
  394. unsigned int d_type)
  395. {
  396. struct compat_readdir_callback *buf =
  397. container_of(ctx, struct compat_readdir_callback, ctx);
  398. struct compat_old_linux_dirent __user *dirent;
  399. compat_ulong_t d_ino;
  400. if (buf->result)
  401. return false;
  402. buf->result = verify_dirent_name(name, namlen);
  403. if (buf->result)
  404. return false;
  405. d_ino = ino;
  406. if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
  407. buf->result = -EOVERFLOW;
  408. return false;
  409. }
  410. buf->result++;
  411. dirent = buf->dirent;
  412. if (!user_write_access_begin(dirent,
  413. (unsigned long)(dirent->d_name + namlen + 1) -
  414. (unsigned long)dirent))
  415. goto efault;
  416. unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
  417. unsafe_put_user(offset, &dirent->d_offset, efault_end);
  418. unsafe_put_user(namlen, &dirent->d_namlen, efault_end);
  419. unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
  420. user_write_access_end();
  421. return true;
  422. efault_end:
  423. user_write_access_end();
  424. efault:
  425. buf->result = -EFAULT;
  426. return false;
  427. }
  428. COMPAT_SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
  429. struct compat_old_linux_dirent __user *, dirent, unsigned int, count)
  430. {
  431. int error;
  432. CLASS(fd_pos, f)(fd);
  433. struct compat_readdir_callback buf = {
  434. .ctx.actor = compat_fillonedir,
  435. .ctx.count = 1, /* Hint to fs: just one entry. */
  436. .dirent = dirent
  437. };
  438. if (fd_empty(f))
  439. return -EBADF;
  440. error = iterate_dir(fd_file(f), &buf.ctx);
  441. if (buf.result)
  442. error = buf.result;
  443. return error;
  444. }
  445. struct compat_linux_dirent {
  446. compat_ulong_t d_ino;
  447. compat_ulong_t d_off;
  448. unsigned short d_reclen;
  449. char d_name[];
  450. };
  451. struct compat_getdents_callback {
  452. struct dir_context ctx;
  453. struct compat_linux_dirent __user *current_dir;
  454. int prev_reclen;
  455. int error;
  456. };
  457. static bool compat_filldir(struct dir_context *ctx, const char *name, int namlen,
  458. loff_t offset, u64 ino, unsigned int d_type)
  459. {
  460. struct compat_linux_dirent __user *dirent, *prev;
  461. struct compat_getdents_callback *buf =
  462. container_of(ctx, struct compat_getdents_callback, ctx);
  463. compat_ulong_t d_ino;
  464. int reclen = ALIGN(offsetof(struct compat_linux_dirent, d_name) +
  465. namlen + 2, sizeof(compat_long_t));
  466. int prev_reclen;
  467. unsigned int flags = d_type;
  468. BUILD_BUG_ON(FILLDIR_FLAG_NOINTR & S_DT_MASK);
  469. d_type &= S_DT_MASK;
  470. buf->error = verify_dirent_name(name, namlen);
  471. if (unlikely(buf->error))
  472. return false;
  473. buf->error = -EINVAL; /* only used if we fail.. */
  474. if (reclen > ctx->count)
  475. return false;
  476. d_ino = ino;
  477. if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
  478. buf->error = -EOVERFLOW;
  479. return false;
  480. }
  481. prev_reclen = buf->prev_reclen;
  482. if (!(flags & FILLDIR_FLAG_NOINTR) && prev_reclen && signal_pending(current))
  483. return false;
  484. dirent = buf->current_dir;
  485. prev = (void __user *) dirent - prev_reclen;
  486. if (!user_write_access_begin(prev, reclen + prev_reclen))
  487. goto efault;
  488. unsafe_put_user(offset, &prev->d_off, efault_end);
  489. unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
  490. unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
  491. unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
  492. unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
  493. user_write_access_end();
  494. buf->prev_reclen = reclen;
  495. buf->current_dir = (void __user *)dirent + reclen;
  496. ctx->count -= reclen;
  497. return true;
  498. efault_end:
  499. user_write_access_end();
  500. efault:
  501. buf->error = -EFAULT;
  502. return false;
  503. }
  504. COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
  505. struct compat_linux_dirent __user *, dirent, unsigned int, count)
  506. {
  507. CLASS(fd_pos, f)(fd);
  508. struct compat_getdents_callback buf = {
  509. .ctx.actor = compat_filldir,
  510. .ctx.count = count,
  511. .ctx.dt_flags_mask = FILLDIR_FLAG_NOINTR,
  512. .current_dir = dirent,
  513. };
  514. int error;
  515. if (fd_empty(f))
  516. return -EBADF;
  517. error = iterate_dir(fd_file(f), &buf.ctx);
  518. if (error >= 0)
  519. error = buf.error;
  520. if (buf.prev_reclen) {
  521. struct compat_linux_dirent __user * lastdirent;
  522. lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
  523. if (put_user(buf.ctx.pos, &lastdirent->d_off))
  524. error = -EFAULT;
  525. else
  526. error = count - buf.ctx.count;
  527. }
  528. return error;
  529. }
  530. #endif