1 // SPDX-License-Identifier: GPL-2.0
5 * Copyright (C) 1995 Linus Torvalds
8 #include <linux/stddef.h>
9 #include <linux/kernel.h>
10 #include <linux/export.h>
11 #include <linux/time.h>
13 #include <linux/errno.h>
14 #include <linux/stat.h>
15 #include <linux/file.h>
17 #include <linux/fsnotify.h>
18 #include <linux/dirent.h>
19 #include <linux/security.h>
20 #include <linux/syscalls.h>
21 #include <linux/unistd.h>
22 #include <linux/compat.h>
23 #include <linux/uaccess.h>
25 #include <asm/unaligned.h>
28 * Note the "unsafe_put_user() semantics: we goto a
31 #define unsafe_copy_dirent_name(_dst, _src, _len, label) do { \
32 char __user *dst = (_dst); \
33 const char *src = (_src); \
34 size_t len = (_len); \
35 unsafe_put_user(0, dst+len, label); \
36 unsafe_copy_to_user(dst, src, len, label); \
40 int iterate_dir(struct file *file, struct dir_context *ctx)
42 struct inode *inode = file_inode(file);
45 if (file->f_op->iterate_shared)
47 else if (!file->f_op->iterate)
50 res = security_file_permission(file, MAY_READ);
55 res = down_read_killable(&inode->i_rwsem);
57 res = down_write_killable(&inode->i_rwsem);
62 if (!IS_DEADDIR(inode)) {
63 ctx->pos = file->f_pos;
65 res = file->f_op->iterate_shared(file, ctx);
67 res = file->f_op->iterate(file, ctx);
68 file->f_pos = ctx->pos;
69 fsnotify_access(file);
73 inode_unlock_shared(inode);
79 EXPORT_SYMBOL(iterate_dir);
82 * POSIX says that a dirent name cannot contain NULL or a '/'.
84 * It's not 100% clear what we should really do in this case.
85 * The filesystem is clearly corrupted, but returning a hard
86 * error means that you now don't see any of the other names
87 * either, so that isn't a perfect alternative.
89 * And if you return an error, what error do you use? Several
90 * filesystems seem to have decided on EUCLEAN being the error
91 * code for EFSCORRUPTED, and that may be the error to use. Or
92 * just EIO, which is perhaps more obvious to users.
94 * In order to see the other file names in the directory, the
95 * caller might want to make this a "soft" error: skip the
96 * entry, and return the error at the end instead.
98 * Note that this should likely do a "memchr(name, 0, len)"
99 * check too, since that would be filesystem corruption as
100 * well. However, that case can't actually confuse user space,
101 * which has to do a strlen() on the name anyway to find the
102 * filename length, and the above "soft error" worry means
103 * that it's probably better left alone until we have that
106 * Note the PATH_MAX check - it's arbitrary but the real
107 * kernel limit on a possible path component, not NAME_MAX,
108 * which is the technical standard limit.
110 static int verify_dirent_name(const char *name, int len)
112 if (len <= 0 || len >= PATH_MAX)
114 if (memchr(name, '/', len))
120 * Traditional linux readdir() handling..
122 * "count=1" is a special case, meaning that the buffer is one
123 * dirent-structure in size and that the code can't handle more
124 * anyway. Thus the special "fillonedir()" function for that
125 * case (the low-level handlers don't need to care about this).
128 #ifdef __ARCH_WANT_OLD_READDIR
130 struct old_linux_dirent {
132 unsigned long d_offset;
133 unsigned short d_namlen;
137 struct readdir_callback {
138 struct dir_context ctx;
139 struct old_linux_dirent __user * dirent;
143 static int fillonedir(struct dir_context *ctx, const char *name, int namlen,
144 loff_t offset, u64 ino, unsigned int d_type)
146 struct readdir_callback *buf =
147 container_of(ctx, struct readdir_callback, ctx);
148 struct old_linux_dirent __user * dirent;
153 buf->result = verify_dirent_name(name, namlen);
157 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
158 buf->result = -EOVERFLOW;
162 dirent = buf->dirent;
163 if (!access_ok(dirent,
164 (unsigned long)(dirent->d_name + namlen + 1) -
165 (unsigned long)dirent))
167 if ( __put_user(d_ino, &dirent->d_ino) ||
168 __put_user(offset, &dirent->d_offset) ||
169 __put_user(namlen, &dirent->d_namlen) ||
170 __copy_to_user(dirent->d_name, name, namlen) ||
171 __put_user(0, dirent->d_name + namlen))
175 buf->result = -EFAULT;
179 SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
180 struct old_linux_dirent __user *, dirent, unsigned int, count)
183 struct fd f = fdget_pos(fd);
184 struct readdir_callback buf = {
185 .ctx.actor = fillonedir,
192 error = iterate_dir(f.file, &buf.ctx);
200 #endif /* __ARCH_WANT_OLD_READDIR */
203 * New, all-improved, singing, dancing, iBCS2-compliant getdents()
206 struct linux_dirent {
209 unsigned short d_reclen;
213 struct getdents_callback {
214 struct dir_context ctx;
215 struct linux_dirent __user * current_dir;
221 static int filldir(struct dir_context *ctx, const char *name, int namlen,
222 loff_t offset, u64 ino, unsigned int d_type)
224 struct linux_dirent __user *dirent, *prev;
225 struct getdents_callback *buf =
226 container_of(ctx, struct getdents_callback, ctx);
228 int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2,
232 buf->error = verify_dirent_name(name, namlen);
233 if (unlikely(buf->error))
235 buf->error = -EINVAL; /* only used if we fail.. */
236 if (reclen > buf->count)
239 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
240 buf->error = -EOVERFLOW;
243 prev_reclen = buf->prev_reclen;
244 if (prev_reclen && signal_pending(current))
246 dirent = buf->current_dir;
247 prev = (void __user *) dirent - prev_reclen;
248 if (!user_access_begin(prev, reclen + prev_reclen))
251 /* This might be 'dirent->d_off', but if so it will get overwritten */
252 unsafe_put_user(offset, &prev->d_off, efault_end);
253 unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
254 unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
255 unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
256 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
259 buf->current_dir = (void __user *)dirent + reclen;
260 buf->prev_reclen = reclen;
261 buf->count -= reclen;
266 buf->error = -EFAULT;
270 SYSCALL_DEFINE3(getdents, unsigned int, fd,
271 struct linux_dirent __user *, dirent, unsigned int, count)
274 struct getdents_callback buf = {
275 .ctx.actor = filldir,
277 .current_dir = dirent
281 if (!access_ok(dirent, count))
288 error = iterate_dir(f.file, &buf.ctx);
291 if (buf.prev_reclen) {
292 struct linux_dirent __user * lastdirent;
293 lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
295 if (put_user(buf.ctx.pos, &lastdirent->d_off))
298 error = count - buf.count;
304 struct getdents_callback64 {
305 struct dir_context ctx;
306 struct linux_dirent64 __user * current_dir;
312 static int filldir64(struct dir_context *ctx, const char *name, int namlen,
313 loff_t offset, u64 ino, unsigned int d_type)
315 struct linux_dirent64 __user *dirent, *prev;
316 struct getdents_callback64 *buf =
317 container_of(ctx, struct getdents_callback64, ctx);
318 int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1,
322 buf->error = verify_dirent_name(name, namlen);
323 if (unlikely(buf->error))
325 buf->error = -EINVAL; /* only used if we fail.. */
326 if (reclen > buf->count)
328 prev_reclen = buf->prev_reclen;
329 if (prev_reclen && signal_pending(current))
331 dirent = buf->current_dir;
332 prev = (void __user *)dirent - prev_reclen;
333 if (!user_access_begin(prev, reclen + prev_reclen))
336 /* This might be 'dirent->d_off', but if so it will get overwritten */
337 unsafe_put_user(offset, &prev->d_off, efault_end);
338 unsafe_put_user(ino, &dirent->d_ino, efault_end);
339 unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
340 unsafe_put_user(d_type, &dirent->d_type, efault_end);
341 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
344 buf->prev_reclen = reclen;
345 buf->current_dir = (void __user *)dirent + reclen;
346 buf->count -= reclen;
352 buf->error = -EFAULT;
356 int ksys_getdents64(unsigned int fd, struct linux_dirent64 __user *dirent,
360 struct getdents_callback64 buf = {
361 .ctx.actor = filldir64,
363 .current_dir = dirent
367 if (!access_ok(dirent, count))
374 error = iterate_dir(f.file, &buf.ctx);
377 if (buf.prev_reclen) {
378 struct linux_dirent64 __user * lastdirent;
379 typeof(lastdirent->d_off) d_off = buf.ctx.pos;
381 lastdirent = (void __user *) buf.current_dir - buf.prev_reclen;
382 if (__put_user(d_off, &lastdirent->d_off))
385 error = count - buf.count;
392 SYSCALL_DEFINE3(getdents64, unsigned int, fd,
393 struct linux_dirent64 __user *, dirent, unsigned int, count)
395 return ksys_getdents64(fd, dirent, count);
399 struct compat_old_linux_dirent {
400 compat_ulong_t d_ino;
401 compat_ulong_t d_offset;
402 unsigned short d_namlen;
406 struct compat_readdir_callback {
407 struct dir_context ctx;
408 struct compat_old_linux_dirent __user *dirent;
412 static int compat_fillonedir(struct dir_context *ctx, const char *name,
413 int namlen, loff_t offset, u64 ino,
416 struct compat_readdir_callback *buf =
417 container_of(ctx, struct compat_readdir_callback, ctx);
418 struct compat_old_linux_dirent __user *dirent;
419 compat_ulong_t d_ino;
423 buf->result = verify_dirent_name(name, namlen);
427 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
428 buf->result = -EOVERFLOW;
432 dirent = buf->dirent;
433 if (!access_ok(dirent,
434 (unsigned long)(dirent->d_name + namlen + 1) -
435 (unsigned long)dirent))
437 if ( __put_user(d_ino, &dirent->d_ino) ||
438 __put_user(offset, &dirent->d_offset) ||
439 __put_user(namlen, &dirent->d_namlen) ||
440 __copy_to_user(dirent->d_name, name, namlen) ||
441 __put_user(0, dirent->d_name + namlen))
445 buf->result = -EFAULT;
449 COMPAT_SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
450 struct compat_old_linux_dirent __user *, dirent, unsigned int, count)
453 struct fd f = fdget_pos(fd);
454 struct compat_readdir_callback buf = {
455 .ctx.actor = compat_fillonedir,
462 error = iterate_dir(f.file, &buf.ctx);
470 struct compat_linux_dirent {
471 compat_ulong_t d_ino;
472 compat_ulong_t d_off;
473 unsigned short d_reclen;
477 struct compat_getdents_callback {
478 struct dir_context ctx;
479 struct compat_linux_dirent __user *current_dir;
480 struct compat_linux_dirent __user *previous;
485 static int compat_filldir(struct dir_context *ctx, const char *name, int namlen,
486 loff_t offset, u64 ino, unsigned int d_type)
488 struct compat_linux_dirent __user * dirent;
489 struct compat_getdents_callback *buf =
490 container_of(ctx, struct compat_getdents_callback, ctx);
491 compat_ulong_t d_ino;
492 int reclen = ALIGN(offsetof(struct compat_linux_dirent, d_name) +
493 namlen + 2, sizeof(compat_long_t));
495 buf->error = -EINVAL; /* only used if we fail.. */
496 if (reclen > buf->count)
499 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
500 buf->error = -EOVERFLOW;
503 dirent = buf->previous;
505 if (signal_pending(current))
507 if (__put_user(offset, &dirent->d_off))
510 dirent = buf->current_dir;
511 if (__put_user(d_ino, &dirent->d_ino))
513 if (__put_user(reclen, &dirent->d_reclen))
515 if (copy_to_user(dirent->d_name, name, namlen))
517 if (__put_user(0, dirent->d_name + namlen))
519 if (__put_user(d_type, (char __user *) dirent + reclen - 1))
521 buf->previous = dirent;
522 dirent = (void __user *)dirent + reclen;
523 buf->current_dir = dirent;
524 buf->count -= reclen;
527 buf->error = -EFAULT;
531 COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
532 struct compat_linux_dirent __user *, dirent, unsigned int, count)
535 struct compat_linux_dirent __user * lastdirent;
536 struct compat_getdents_callback buf = {
537 .ctx.actor = compat_filldir,
538 .current_dir = dirent,
543 if (!access_ok(dirent, count))
550 error = iterate_dir(f.file, &buf.ctx);
553 lastdirent = buf.previous;
555 if (put_user(buf.ctx.pos, &lastdirent->d_off))
558 error = count - buf.count;