1 // SPDX-License-Identifier: GPL-2.0
5 * Copyright (C) 1995 Linus Torvalds
8 #include <linux/stddef.h>
9 #include <linux/kernel.h>
10 #include <linux/export.h>
11 #include <linux/time.h>
13 #include <linux/errno.h>
14 #include <linux/stat.h>
15 #include <linux/file.h>
17 #include <linux/fsnotify.h>
18 #include <linux/dirent.h>
19 #include <linux/security.h>
20 #include <linux/syscalls.h>
21 #include <linux/unistd.h>
22 #include <linux/compat.h>
23 #include <linux/uaccess.h>
25 #include <asm/unaligned.h>
28 * Note the "unsafe_put_user() semantics: we goto a
31 #define unsafe_copy_dirent_name(_dst, _src, _len, label) do { \
32 char __user *dst = (_dst); \
33 const char *src = (_src); \
34 size_t len = (_len); \
35 unsafe_put_user(0, dst+len, label); \
36 unsafe_copy_to_user(dst, src, len, label); \
40 int iterate_dir(struct file
*file
, struct dir_context
*ctx
)
42 struct inode
*inode
= file_inode(file
);
45 if (file
->f_op
->iterate_shared
)
47 else if (!file
->f_op
->iterate
)
50 res
= security_file_permission(file
, MAY_READ
);
55 res
= down_read_killable(&inode
->i_rwsem
);
57 res
= down_write_killable(&inode
->i_rwsem
);
62 if (!IS_DEADDIR(inode
)) {
63 ctx
->pos
= file
->f_pos
;
65 res
= file
->f_op
->iterate_shared(file
, ctx
);
67 res
= file
->f_op
->iterate(file
, ctx
);
68 file
->f_pos
= ctx
->pos
;
69 fsnotify_access(file
);
73 inode_unlock_shared(inode
);
79 EXPORT_SYMBOL(iterate_dir
);
82 * POSIX says that a dirent name cannot contain NULL or a '/'.
84 * It's not 100% clear what we should really do in this case.
85 * The filesystem is clearly corrupted, but returning a hard
86 * error means that you now don't see any of the other names
87 * either, so that isn't a perfect alternative.
89 * And if you return an error, what error do you use? Several
90 * filesystems seem to have decided on EUCLEAN being the error
91 * code for EFSCORRUPTED, and that may be the error to use. Or
92 * just EIO, which is perhaps more obvious to users.
94 * In order to see the other file names in the directory, the
95 * caller might want to make this a "soft" error: skip the
96 * entry, and return the error at the end instead.
98 * Note that this should likely do a "memchr(name, 0, len)"
99 * check too, since that would be filesystem corruption as
100 * well. However, that case can't actually confuse user space,
101 * which has to do a strlen() on the name anyway to find the
102 * filename length, and the above "soft error" worry means
103 * that it's probably better left alone until we have that
106 * Note the PATH_MAX check - it's arbitrary but the real
107 * kernel limit on a possible path component, not NAME_MAX,
108 * which is the technical standard limit.
110 static int verify_dirent_name(const char *name
, int len
)
112 if (len
<= 0 || len
>= PATH_MAX
)
114 if (memchr(name
, '/', len
))
120 * Traditional linux readdir() handling..
122 * "count=1" is a special case, meaning that the buffer is one
123 * dirent-structure in size and that the code can't handle more
124 * anyway. Thus the special "fillonedir()" function for that
125 * case (the low-level handlers don't need to care about this).
128 #ifdef __ARCH_WANT_OLD_READDIR
130 struct old_linux_dirent
{
132 unsigned long d_offset
;
133 unsigned short d_namlen
;
137 struct readdir_callback
{
138 struct dir_context ctx
;
139 struct old_linux_dirent __user
* dirent
;
143 static int fillonedir(struct dir_context
*ctx
, const char *name
, int namlen
,
144 loff_t offset
, u64 ino
, unsigned int d_type
)
146 struct readdir_callback
*buf
=
147 container_of(ctx
, struct readdir_callback
, ctx
);
148 struct old_linux_dirent __user
* dirent
;
154 if (sizeof(d_ino
) < sizeof(ino
) && d_ino
!= ino
) {
155 buf
->result
= -EOVERFLOW
;
159 dirent
= buf
->dirent
;
160 if (!user_write_access_begin(dirent
,
161 (unsigned long)(dirent
->d_name
+ namlen
+ 1) -
162 (unsigned long)dirent
))
164 unsafe_put_user(d_ino
, &dirent
->d_ino
, efault_end
);
165 unsafe_put_user(offset
, &dirent
->d_offset
, efault_end
);
166 unsafe_put_user(namlen
, &dirent
->d_namlen
, efault_end
);
167 unsafe_copy_dirent_name(dirent
->d_name
, name
, namlen
, efault_end
);
168 user_write_access_end();
171 user_write_access_end();
173 buf
->result
= -EFAULT
;
177 SYSCALL_DEFINE3(old_readdir
, unsigned int, fd
,
178 struct old_linux_dirent __user
*, dirent
, unsigned int, count
)
181 struct fd f
= fdget_pos(fd
);
182 struct readdir_callback buf
= {
183 .ctx
.actor
= fillonedir
,
190 error
= iterate_dir(f
.file
, &buf
.ctx
);
198 #endif /* __ARCH_WANT_OLD_READDIR */
201 * New, all-improved, singing, dancing, iBCS2-compliant getdents()
204 struct linux_dirent
{
207 unsigned short d_reclen
;
211 struct getdents_callback
{
212 struct dir_context ctx
;
213 struct linux_dirent __user
* current_dir
;
219 static int filldir(struct dir_context
*ctx
, const char *name
, int namlen
,
220 loff_t offset
, u64 ino
, unsigned int d_type
)
222 struct linux_dirent __user
*dirent
, *prev
;
223 struct getdents_callback
*buf
=
224 container_of(ctx
, struct getdents_callback
, ctx
);
226 int reclen
= ALIGN(offsetof(struct linux_dirent
, d_name
) + namlen
+ 2,
230 buf
->error
= verify_dirent_name(name
, namlen
);
231 if (unlikely(buf
->error
))
233 buf
->error
= -EINVAL
; /* only used if we fail.. */
234 if (reclen
> buf
->count
)
237 if (sizeof(d_ino
) < sizeof(ino
) && d_ino
!= ino
) {
238 buf
->error
= -EOVERFLOW
;
241 prev_reclen
= buf
->prev_reclen
;
242 if (prev_reclen
&& signal_pending(current
))
244 dirent
= buf
->current_dir
;
245 prev
= (void __user
*) dirent
- prev_reclen
;
246 if (!user_write_access_begin(prev
, reclen
+ prev_reclen
))
249 /* This might be 'dirent->d_off', but if so it will get overwritten */
250 unsafe_put_user(offset
, &prev
->d_off
, efault_end
);
251 unsafe_put_user(d_ino
, &dirent
->d_ino
, efault_end
);
252 unsafe_put_user(reclen
, &dirent
->d_reclen
, efault_end
);
253 unsafe_put_user(d_type
, (char __user
*) dirent
+ reclen
- 1, efault_end
);
254 unsafe_copy_dirent_name(dirent
->d_name
, name
, namlen
, efault_end
);
255 user_write_access_end();
257 buf
->current_dir
= (void __user
*)dirent
+ reclen
;
258 buf
->prev_reclen
= reclen
;
259 buf
->count
-= reclen
;
262 user_write_access_end();
264 buf
->error
= -EFAULT
;
268 SYSCALL_DEFINE3(getdents
, unsigned int, fd
,
269 struct linux_dirent __user
*, dirent
, unsigned int, count
)
272 struct getdents_callback buf
= {
273 .ctx
.actor
= filldir
,
275 .current_dir
= dirent
283 error
= iterate_dir(f
.file
, &buf
.ctx
);
286 if (buf
.prev_reclen
) {
287 struct linux_dirent __user
* lastdirent
;
288 lastdirent
= (void __user
*)buf
.current_dir
- buf
.prev_reclen
;
290 if (put_user(buf
.ctx
.pos
, &lastdirent
->d_off
))
293 error
= count
- buf
.count
;
299 struct getdents_callback64
{
300 struct dir_context ctx
;
301 struct linux_dirent64 __user
* current_dir
;
307 static int filldir64(struct dir_context
*ctx
, const char *name
, int namlen
,
308 loff_t offset
, u64 ino
, unsigned int d_type
)
310 struct linux_dirent64 __user
*dirent
, *prev
;
311 struct getdents_callback64
*buf
=
312 container_of(ctx
, struct getdents_callback64
, ctx
);
313 int reclen
= ALIGN(offsetof(struct linux_dirent64
, d_name
) + namlen
+ 1,
317 buf
->error
= verify_dirent_name(name
, namlen
);
318 if (unlikely(buf
->error
))
320 buf
->error
= -EINVAL
; /* only used if we fail.. */
321 if (reclen
> buf
->count
)
323 prev_reclen
= buf
->prev_reclen
;
324 if (prev_reclen
&& signal_pending(current
))
326 dirent
= buf
->current_dir
;
327 prev
= (void __user
*)dirent
- prev_reclen
;
328 if (!user_write_access_begin(prev
, reclen
+ prev_reclen
))
331 /* This might be 'dirent->d_off', but if so it will get overwritten */
332 unsafe_put_user(offset
, &prev
->d_off
, efault_end
);
333 unsafe_put_user(ino
, &dirent
->d_ino
, efault_end
);
334 unsafe_put_user(reclen
, &dirent
->d_reclen
, efault_end
);
335 unsafe_put_user(d_type
, &dirent
->d_type
, efault_end
);
336 unsafe_copy_dirent_name(dirent
->d_name
, name
, namlen
, efault_end
);
337 user_write_access_end();
339 buf
->prev_reclen
= reclen
;
340 buf
->current_dir
= (void __user
*)dirent
+ reclen
;
341 buf
->count
-= reclen
;
345 user_write_access_end();
347 buf
->error
= -EFAULT
;
351 int ksys_getdents64(unsigned int fd
, struct linux_dirent64 __user
*dirent
,
355 struct getdents_callback64 buf
= {
356 .ctx
.actor
= filldir64
,
358 .current_dir
= dirent
366 error
= iterate_dir(f
.file
, &buf
.ctx
);
369 if (buf
.prev_reclen
) {
370 struct linux_dirent64 __user
* lastdirent
;
371 typeof(lastdirent
->d_off
) d_off
= buf
.ctx
.pos
;
373 lastdirent
= (void __user
*) buf
.current_dir
- buf
.prev_reclen
;
374 if (put_user(d_off
, &lastdirent
->d_off
))
377 error
= count
- buf
.count
;
384 SYSCALL_DEFINE3(getdents64
, unsigned int, fd
,
385 struct linux_dirent64 __user
*, dirent
, unsigned int, count
)
387 return ksys_getdents64(fd
, dirent
, count
);
391 struct compat_old_linux_dirent
{
392 compat_ulong_t d_ino
;
393 compat_ulong_t d_offset
;
394 unsigned short d_namlen
;
398 struct compat_readdir_callback
{
399 struct dir_context ctx
;
400 struct compat_old_linux_dirent __user
*dirent
;
404 static int compat_fillonedir(struct dir_context
*ctx
, const char *name
,
405 int namlen
, loff_t offset
, u64 ino
,
408 struct compat_readdir_callback
*buf
=
409 container_of(ctx
, struct compat_readdir_callback
, ctx
);
410 struct compat_old_linux_dirent __user
*dirent
;
411 compat_ulong_t d_ino
;
416 if (sizeof(d_ino
) < sizeof(ino
) && d_ino
!= ino
) {
417 buf
->result
= -EOVERFLOW
;
421 dirent
= buf
->dirent
;
422 if (!user_write_access_begin(dirent
,
423 (unsigned long)(dirent
->d_name
+ namlen
+ 1) -
424 (unsigned long)dirent
))
426 unsafe_put_user(d_ino
, &dirent
->d_ino
, efault_end
);
427 unsafe_put_user(offset
, &dirent
->d_offset
, efault_end
);
428 unsafe_put_user(namlen
, &dirent
->d_namlen
, efault_end
);
429 unsafe_copy_dirent_name(dirent
->d_name
, name
, namlen
, efault_end
);
430 user_write_access_end();
433 user_write_access_end();
435 buf
->result
= -EFAULT
;
439 COMPAT_SYSCALL_DEFINE3(old_readdir
, unsigned int, fd
,
440 struct compat_old_linux_dirent __user
*, dirent
, unsigned int, count
)
443 struct fd f
= fdget_pos(fd
);
444 struct compat_readdir_callback buf
= {
445 .ctx
.actor
= compat_fillonedir
,
452 error
= iterate_dir(f
.file
, &buf
.ctx
);
460 struct compat_linux_dirent
{
461 compat_ulong_t d_ino
;
462 compat_ulong_t d_off
;
463 unsigned short d_reclen
;
467 struct compat_getdents_callback
{
468 struct dir_context ctx
;
469 struct compat_linux_dirent __user
*current_dir
;
475 static int compat_filldir(struct dir_context
*ctx
, const char *name
, int namlen
,
476 loff_t offset
, u64 ino
, unsigned int d_type
)
478 struct compat_linux_dirent __user
*dirent
, *prev
;
479 struct compat_getdents_callback
*buf
=
480 container_of(ctx
, struct compat_getdents_callback
, ctx
);
481 compat_ulong_t d_ino
;
482 int reclen
= ALIGN(offsetof(struct compat_linux_dirent
, d_name
) +
483 namlen
+ 2, sizeof(compat_long_t
));
486 buf
->error
= verify_dirent_name(name
, namlen
);
487 if (unlikely(buf
->error
))
489 buf
->error
= -EINVAL
; /* only used if we fail.. */
490 if (reclen
> buf
->count
)
493 if (sizeof(d_ino
) < sizeof(ino
) && d_ino
!= ino
) {
494 buf
->error
= -EOVERFLOW
;
497 prev_reclen
= buf
->prev_reclen
;
498 if (prev_reclen
&& signal_pending(current
))
500 dirent
= buf
->current_dir
;
501 prev
= (void __user
*) dirent
- prev_reclen
;
502 if (!user_write_access_begin(prev
, reclen
+ prev_reclen
))
505 unsafe_put_user(offset
, &prev
->d_off
, efault_end
);
506 unsafe_put_user(d_ino
, &dirent
->d_ino
, efault_end
);
507 unsafe_put_user(reclen
, &dirent
->d_reclen
, efault_end
);
508 unsafe_put_user(d_type
, (char __user
*) dirent
+ reclen
- 1, efault_end
);
509 unsafe_copy_dirent_name(dirent
->d_name
, name
, namlen
, efault_end
);
510 user_write_access_end();
512 buf
->prev_reclen
= reclen
;
513 buf
->current_dir
= (void __user
*)dirent
+ reclen
;
514 buf
->count
-= reclen
;
517 user_write_access_end();
519 buf
->error
= -EFAULT
;
523 COMPAT_SYSCALL_DEFINE3(getdents
, unsigned int, fd
,
524 struct compat_linux_dirent __user
*, dirent
, unsigned int, count
)
527 struct compat_getdents_callback buf
= {
528 .ctx
.actor
= compat_filldir
,
529 .current_dir
= dirent
,
538 error
= iterate_dir(f
.file
, &buf
.ctx
);
541 if (buf
.prev_reclen
) {
542 struct compat_linux_dirent __user
* lastdirent
;
543 lastdirent
= (void __user
*)buf
.current_dir
- buf
.prev_reclen
;
545 if (put_user(buf
.ctx
.pos
, &lastdirent
->d_off
))
548 error
= count
- buf
.count
;