readdir.c source code [linux/fs/readdir.c]

1	// SPDX-License-Identifier: GPL-2.0
2	/*
3	* linux/fs/readdir.c
4	*
5	* Copyright (C) 1995 Linus Torvalds
6	*/
7
8	#include <linux/stddef.h>
9	#include <linux/kernel.h>
10	#include <linux/export.h>
11	#include <linux/time.h>
12	#include <linux/mm.h>
13	#include <linux/errno.h>
14	#include <linux/stat.h>
15	#include <linux/file.h>
16	#include <linux/fs.h>
17	#include <linux/fsnotify.h>
18	#include <linux/dirent.h>
19	#include <linux/security.h>
20	#include <linux/syscalls.h>
21	#include <linux/unistd.h>
22	#include <linux/compat.h>
23	#include <linux/uaccess.h>
24
25	#include <asm/unaligned.h>
26
27	/*
28	* Some filesystems were never converted to '->iterate_shared()'
29	* and their directory iterators want the inode lock held for
30	* writing. This wrapper allows for converting from the shared
31	* semantics to the exclusive inode use.
32	*/
33	int wrap_directory_iterator(struct file *file,
34	struct dir_context *ctx,
35	int (iter)(struct* file , struct* dir_context *))
36	{
37	struct inode *inode = file_inode(f: file);
38	int ret;
39
40	/*
41	* We'd love to have an 'inode_upgrade_trylock()' operation,
42	* see the comment in mmap_upgrade_trylock() in mm/memory.c.
43	*
44	* But considering this is for "filesystems that never got
45	* converted", it really doesn't matter.
46	*
47	* Also note that since we have to return with the lock held
48	* for reading, we can't use the "killable()" locking here,
49	* since we do need to get the lock even if we're dying.
50	*
51	* We could do the write part killably and then get the read
52	* lock unconditionally if it mattered, but see above on why
53	* this does the very simplistic conversion.
54	*/
55	up_read(sem: &inode->i_rwsem);
56	down_write(sem: &inode->i_rwsem);
57
58	/*
59	* Since we dropped the inode lock, we should do the
60	* DEADDIR test again. See 'iterate_dir()' below.
61	*
62	* Note that we don't need to re-do the f_pos games,
63	* since the file must be locked wrt f_pos anyway.
64	*/
65	ret = -ENOENT;
66	if (!IS_DEADDIR(inode))
67	ret = iter(file, ctx);
68
69	downgrade_write(sem: &inode->i_rwsem);
70	return ret;
71	}
72	EXPORT_SYMBOL(wrap_directory_iterator);
73
74	/*
75	* Note the "unsafe_put_user() semantics: we goto a
76	* label for errors.
77	*/
78	#define unsafe_copy_dirent_name(_dst, _src, _len, label) do { \
79	char __user *dst = (_dst); \
80	const char *src = (_src); \
81	size_t len = (_len); \
82	unsafe_put_user(0, dst+len, label); \
83	unsafe_copy_to_user(dst, src, len, label); \
84	} while (0)
85
86
87	int iterate_dir(struct file file, struct* dir_context *ctx)
88	{
89	struct inode *inode = file_inode(f: file);
90	int res = -ENOTDIR;
91
92	if (!file->f_op->iterate_shared)
93	goto out;
94
95	res = security_file_permission(file, MAY_READ);
96	if (res)
97	goto out;
98
99	res = down_read_killable(sem: &inode->i_rwsem);
100	if (res)
101	goto out;
102
103	res = -ENOENT;
104	if (!IS_DEADDIR(inode)) {
105	ctx->pos = file->f_pos;
106	res = file->f_op->iterate_shared(file, ctx);
107	file->f_pos = ctx->pos;
108	fsnotify_access(file);
109	file_accessed(file);
110	}
111	inode_unlock_shared(inode);
112	out:
113	return res;
114	}
115	EXPORT_SYMBOL(iterate_dir);
116
117	/*
118	* POSIX says that a dirent name cannot contain NULL or a '/'.
119	*
120	* It's not 100% clear what we should really do in this case.
121	* The filesystem is clearly corrupted, but returning a hard
122	* error means that you now don't see any of the other names
123	* either, so that isn't a perfect alternative.
124	*
125	* And if you return an error, what error do you use? Several
126	* filesystems seem to have decided on EUCLEAN being the error
127	* code for EFSCORRUPTED, and that may be the error to use. Or
128	* just EIO, which is perhaps more obvious to users.
129	*
130	* In order to see the other file names in the directory, the
131	* caller might want to make this a "soft" error: skip the
132	* entry, and return the error at the end instead.
133	*
134	* Note that this should likely do a "memchr(name, 0, len)"
135	* check too, since that would be filesystem corruption as
136	* well. However, that case can't actually confuse user space,
137	* which has to do a strlen() on the name anyway to find the
138	* filename length, and the above "soft error" worry means
139	* that it's probably better left alone until we have that
140	* issue clarified.
141	*
142	* Note the PATH_MAX check - it's arbitrary but the real
143	* kernel limit on a possible path component, not NAME_MAX,
144	* which is the technical standard limit.
145	*/
146	static int verify_dirent_name(const char name, int* len)
147	{
148	if (len <= `0` \|\| len >= PATH_MAX)
149	return -EIO;
150	if (memchr(p: name, c: `'/'`, size: len))
151	return -EIO;
152	return `0`;
153	}
154
155	/*
156	* Traditional linux readdir() handling..
157	*
158	* "count=1" is a special case, meaning that the buffer is one
159	* dirent-structure in size and that the code can't handle more
160	* anyway. Thus the special "fillonedir()" function for that
161	* case (the low-level handlers don't need to care about this).
162	*/
163
164	#ifdef __ARCH_WANT_OLD_READDIR
165
166	struct old_linux_dirent {
167	unsigned long d_ino;
168	unsigned long d_offset;
169	unsigned short d_namlen;
170	char d_name[];
171	};
172
173	struct readdir_callback {
174	struct dir_context ctx;
175	struct old_linux_dirent __user * dirent;
176	int result;
177	};
178
179	static bool fillonedir(struct dir_context ctx, const* char name, int* namlen,
180	loff_t offset, u64 ino, unsigned int d_type)
181	{
182	struct readdir_callback *buf =
183	container_of(ctx, struct readdir_callback, ctx);
184	struct old_linux_dirent __user * dirent;
185	unsigned long d_ino;
186
187	if (buf->result)
188	return false;
189	buf->result = verify_dirent_name(name, len: namlen);
190	if (buf->result)
191	return false;
192	d_ino = ino;
193	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
194	buf->result = -EOVERFLOW;
195	return false;
196	}
197	buf->result++;
198	dirent = buf->dirent;
199	if (!user_write_access_begin(dirent,
200	(unsigned long)(dirent->d_name + namlen + `1`) -
201	(unsigned long)dirent))
202	goto efault;
203	unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
204	unsafe_put_user(offset, &dirent->d_offset, efault_end);
205	unsafe_put_user(namlen, &dirent->d_namlen, efault_end);
206	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
207	user_write_access_end();
208	return true;
209	efault_end:
210	user_write_access_end();
211	efault:
212	buf->result = -EFAULT;
213	return false;
214	}
215
216	SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
217	struct old_linux_dirent __user , dirent, unsigned* int, count)
218	{
219	int error;
220	struct fd f = fdget_pos(fd);
221	struct readdir_callback buf = {
222	.ctx.actor = fillonedir,
223	.dirent = dirent
224	};
225
226	if (!f.file)
227	return -EBADF;
228
229	error = iterate_dir(f.file, &buf.ctx);
230	if (buf.result)
231	error = buf.result;
232
233	fdput_pos(f);
234	return error;
235	}
236
237	#endif /* __ARCH_WANT_OLD_READDIR */
238
239	/*
240	* New, all-improved, singing, dancing, iBCS2-compliant getdents()
241	* interface.
242	*/
243	struct linux_dirent {
244	unsigned long d_ino;
245	unsigned long d_off;
246	unsigned short d_reclen;
247	char d_name[];
248	};
249
250	struct getdents_callback {
251	struct dir_context ctx;
252	struct linux_dirent __user * current_dir;
253	int prev_reclen;
254	int count;
255	int error;
256	};
257
258	static bool filldir(struct dir_context ctx, const* char name, int* namlen,
259	loff_t offset, u64 ino, unsigned int d_type)
260	{
261	struct linux_dirent __user dirent, prev;
262	struct getdents_callback *buf =
263	container_of(ctx, struct getdents_callback, ctx);
264	unsigned long d_ino;
265	int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + `2`,
266	sizeof(long));
267	int prev_reclen;
268
269	buf->error = verify_dirent_name(name, len: namlen);
270	if (unlikely(buf->error))
271	return false;
272	buf->error = -EINVAL; / only used if we fail.. /
273	if (reclen > buf->count)
274	return false;
275	d_ino = ino;
276	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
277	buf->error = -EOVERFLOW;
278	return false;
279	}
280	prev_reclen = buf->prev_reclen;
281	if (prev_reclen && signal_pending(current))
282	return false;
283	dirent = buf->current_dir;
284	prev = (void __user *) dirent - prev_reclen;
285	if (!user_write_access_begin(prev, reclen + prev_reclen))
286	goto efault;
287
288	/ This might be 'dirent->d_off', but if so it will get overwritten /
289	unsafe_put_user(offset, &prev->d_off, efault_end);
290	unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
291	unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
292	unsafe_put_user(d_type, (char __user *) dirent + reclen - `1`, efault_end);
293	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
294	user_write_access_end();
295
296	buf->current_dir = (void __user *)dirent + reclen;
297	buf->prev_reclen = reclen;
298	buf->count -= reclen;
299	return true;
300	efault_end:
301	user_write_access_end();
302	efault:
303	buf->error = -EFAULT;
304	return false;
305	}
306
307	SYSCALL_DEFINE3(getdents, unsigned int, fd,
308	struct linux_dirent __user , dirent, unsigned* int, count)
309	{
310	struct fd f;
311	struct getdents_callback buf = {
312	.ctx.actor = filldir,
313	.count = count,
314	.current_dir = dirent
315	};
316	int error;
317
318	f = fdget_pos(fd);
319	if (!f.file)
320	return -EBADF;
321
322	error = iterate_dir(f.file, &buf.ctx);
323	if (error >= `0`)
324	error = buf.error;
325	if (buf.prev_reclen) {
326	struct linux_dirent __user * lastdirent;
327	lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
328
329	if (put_user(buf.ctx.pos, &lastdirent->d_off))
330	error = -EFAULT;
331	else
332	error = count - buf.count;
333	}
334	fdput_pos(f);
335	return error;
336	}
337
338	struct getdents_callback64 {
339	struct dir_context ctx;
340	struct linux_dirent64 __user * current_dir;
341	int prev_reclen;
342	int count;
343	int error;
344	};
345
346	static bool filldir64(struct dir_context ctx, const* char name, int* namlen,
347	loff_t offset, u64 ino, unsigned int d_type)
348	{
349	struct linux_dirent64 __user dirent, prev;
350	struct getdents_callback64 *buf =
351	container_of(ctx, struct getdents_callback64, ctx);
352	int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + `1`,
353	sizeof(u64));
354	int prev_reclen;
355
356	buf->error = verify_dirent_name(name, len: namlen);
357	if (unlikely(buf->error))
358	return false;
359	buf->error = -EINVAL; / only used if we fail.. /
360	if (reclen > buf->count)
361	return false;
362	prev_reclen = buf->prev_reclen;
363	if (prev_reclen && signal_pending(current))
364	return false;
365	dirent = buf->current_dir;
366	prev = (void __user *)dirent - prev_reclen;
367	if (!user_write_access_begin(prev, reclen + prev_reclen))
368	goto efault;
369
370	/ This might be 'dirent->d_off', but if so it will get overwritten /
371	unsafe_put_user(offset, &prev->d_off, efault_end);
372	unsafe_put_user(ino, &dirent->d_ino, efault_end);
373	unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
374	unsafe_put_user(d_type, &dirent->d_type, efault_end);
375	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
376	user_write_access_end();
377
378	buf->prev_reclen = reclen;
379	buf->current_dir = (void __user *)dirent + reclen;
380	buf->count -= reclen;
381	return true;
382
383	efault_end:
384	user_write_access_end();
385	efault:
386	buf->error = -EFAULT;
387	return false;
388	}
389
390	SYSCALL_DEFINE3(getdents64, unsigned int, fd,
391	struct linux_dirent64 __user , dirent, unsigned* int, count)
392	{
393	struct fd f;
394	struct getdents_callback64 buf = {
395	.ctx.actor = filldir64,
396	.count = count,
397	.current_dir = dirent
398	};
399	int error;
400
401	f = fdget_pos(fd);
402	if (!f.file)
403	return -EBADF;
404
405	error = iterate_dir(f.file, &buf.ctx);
406	if (error >= `0`)
407	error = buf.error;
408	if (buf.prev_reclen) {
409	struct linux_dirent64 __user * lastdirent;
410	typeof(lastdirent->d_off) d_off = buf.ctx.pos;
411
412	lastdirent = (void __user *) buf.current_dir - buf.prev_reclen;
413	if (put_user(d_off, &lastdirent->d_off))
414	error = -EFAULT;
415	else
416	error = count - buf.count;
417	}
418	fdput_pos(f);
419	return error;
420	}
421
422	#ifdef CONFIG_COMPAT
423	struct compat_old_linux_dirent {
424	compat_ulong_t d_ino;
425	compat_ulong_t d_offset;
426	unsigned short d_namlen;
427	char d_name[];
428	};
429
430	struct compat_readdir_callback {
431	struct dir_context ctx;
432	struct compat_old_linux_dirent __user *dirent;
433	int result;
434	};
435
436	static bool compat_fillonedir(struct dir_context ctx, const* char *name,
437	int namlen, loff_t offset, u64 ino,
438	unsigned int d_type)
439	{
440	struct compat_readdir_callback *buf =
441	container_of(ctx, struct compat_readdir_callback, ctx);
442	struct compat_old_linux_dirent __user *dirent;
443	compat_ulong_t d_ino;
444
445	if (buf->result)
446	return false;
447	buf->result = verify_dirent_name(name, len: namlen);
448	if (buf->result)
449	return false;
450	d_ino = ino;
451	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
452	buf->result = -EOVERFLOW;
453	return false;
454	}
455	buf->result++;
456	dirent = buf->dirent;
457	if (!user_write_access_begin(dirent,
458	(unsigned long)(dirent->d_name + namlen + `1`) -
459	(unsigned long)dirent))
460	goto efault;
461	unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
462	unsafe_put_user(offset, &dirent->d_offset, efault_end);
463	unsafe_put_user(namlen, &dirent->d_namlen, efault_end);
464	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
465	user_write_access_end();
466	return true;
467	efault_end:
468	user_write_access_end();
469	efault:
470	buf->result = -EFAULT;
471	return false;
472	}
473
474	COMPAT_SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
475	struct compat_old_linux_dirent __user , dirent, unsigned* int, count)
476	{
477	int error;
478	struct fd f = fdget_pos(fd);
479	struct compat_readdir_callback buf = {
480	.ctx.actor = compat_fillonedir,
481	.dirent = dirent
482	};
483
484	if (!f.file)
485	return -EBADF;
486
487	error = iterate_dir(f.file, &buf.ctx);
488	if (buf.result)
489	error = buf.result;
490
491	fdput_pos(f);
492	return error;
493	}
494
495	struct compat_linux_dirent {
496	compat_ulong_t d_ino;
497	compat_ulong_t d_off;
498	unsigned short d_reclen;
499	char d_name[];
500	};
501
502	struct compat_getdents_callback {
503	struct dir_context ctx;
504	struct compat_linux_dirent __user *current_dir;
505	int prev_reclen;
506	int count;
507	int error;
508	};
509
510	static bool compat_filldir(struct dir_context ctx, const* char name, int* namlen,
511	loff_t offset, u64 ino, unsigned int d_type)
512	{
513	struct compat_linux_dirent __user dirent, prev;
514	struct compat_getdents_callback *buf =
515	container_of(ctx, struct compat_getdents_callback, ctx);
516	compat_ulong_t d_ino;
517	int reclen = ALIGN(offsetof(struct compat_linux_dirent, d_name) +
518	namlen + `2`, sizeof(compat_long_t));
519	int prev_reclen;
520
521	buf->error = verify_dirent_name(name, len: namlen);
522	if (unlikely(buf->error))
523	return false;
524	buf->error = -EINVAL; / only used if we fail.. /
525	if (reclen > buf->count)
526	return false;
527	d_ino = ino;
528	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
529	buf->error = -EOVERFLOW;
530	return false;
531	}
532	prev_reclen = buf->prev_reclen;
533	if (prev_reclen && signal_pending(current))
534	return false;
535	dirent = buf->current_dir;
536	prev = (void __user *) dirent - prev_reclen;
537	if (!user_write_access_begin(prev, reclen + prev_reclen))
538	goto efault;
539
540	unsafe_put_user(offset, &prev->d_off, efault_end);
541	unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
542	unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
543	unsafe_put_user(d_type, (char __user *) dirent + reclen - `1`, efault_end);
544	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
545	user_write_access_end();
546
547	buf->prev_reclen = reclen;
548	buf->current_dir = (void __user *)dirent + reclen;
549	buf->count -= reclen;
550	return true;
551	efault_end:
552	user_write_access_end();
553	efault:
554	buf->error = -EFAULT;
555	return false;
556	}
557
558	COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
559	struct compat_linux_dirent __user , dirent, unsigned* int, count)
560	{
561	struct fd f;
562	struct compat_getdents_callback buf = {
563	.ctx.actor = compat_filldir,
564	.current_dir = dirent,
565	.count = count
566	};
567	int error;
568
569	f = fdget_pos(fd);
570	if (!f.file)
571	return -EBADF;
572
573	error = iterate_dir(f.file, &buf.ctx);
574	if (error >= `0`)
575	error = buf.error;
576	if (buf.prev_reclen) {
577	struct compat_linux_dirent __user * lastdirent;
578	lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
579
580	if (put_user(buf.ctx.pos, &lastdirent->d_off))
581	error = -EFAULT;
582	else
583	error = count - buf.count;
584	}
585	fdput_pos(f);
586	return error;
587	}
588	#endif
589

source code of linux/fs/readdir.c