1 /*- 2 * Copyright (c) 1982, 1986, 1989, 1993 3 * The Regents of the University of California. All rights reserved. 4 * (c) UNIX System Laboratories, Inc. 5 * All or some portions of this file are derived from material licensed 6 * to the University of California by American Telephone and Telegraph 7 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 8 * the permission of UNIX System Laboratories, Inc. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the University nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 
33 * 34 * @(#)vfs_lookup.c 8.4 (Berkeley) 2/16/94 35 */ 36 37 #include <sys/cdefs.h> 38 __FBSDID("$FreeBSD$"); 39 40 #include "opt_capsicum.h" 41 #include "opt_ktrace.h" 42 43 #include <sys/param.h> 44 #include <sys/systm.h> 45 #include <sys/kernel.h> 46 #include <sys/capsicum.h> 47 #include <sys/fcntl.h> 48 #include <sys/jail.h> 49 #include <sys/lock.h> 50 #include <sys/mutex.h> 51 #include <sys/namei.h> 52 #include <sys/vnode.h> 53 #include <sys/mount.h> 54 #include <sys/filedesc.h> 55 #include <sys/proc.h> 56 #include <sys/sdt.h> 57 #include <sys/syscallsubr.h> 58 #include <sys/sysctl.h> 59 #ifdef KTRACE 60 #include <sys/ktrace.h> 61 #endif 62 63 #include <security/audit/audit.h> 64 #include <security/mac/mac_framework.h> 65 66 #include <vm/uma.h> 67 68 #define NAMEI_DIAGNOSTIC 1 69 #undef NAMEI_DIAGNOSTIC 70 71 SDT_PROVIDER_DECLARE(vfs); 72 SDT_PROBE_DEFINE3(vfs, namei, lookup, entry, "struct vnode *", "char *", 73 "unsigned long"); 74 SDT_PROBE_DEFINE2(vfs, namei, lookup, return, "int", "struct vnode *"); 75 76 /* 77 * Allocation zone for namei 78 */ 79 uma_zone_t namei_zone; 80 /* 81 * Placeholder vnode for mp traversal 82 */ 83 static struct vnode *vp_crossmp; 84 85 static void 86 nameiinit(void *dummy __unused) 87 { 88 89 namei_zone = uma_zcreate("NAMEI", MAXPATHLEN, NULL, NULL, NULL, NULL, 90 UMA_ALIGN_PTR, 0); 91 getnewvnode("crossmp", NULL, &dead_vnodeops, &vp_crossmp); 92 vn_lock(vp_crossmp, LK_EXCLUSIVE); 93 VN_LOCK_ASHARE(vp_crossmp); 94 VOP_UNLOCK(vp_crossmp, 0); 95 } 96 SYSINIT(vfs, SI_SUB_VFS, SI_ORDER_SECOND, nameiinit, NULL); 97 98 static int lookup_shared = 1; 99 SYSCTL_INT(_vfs, OID_AUTO, lookup_shared, CTLFLAG_RWTUN, &lookup_shared, 0, 100 "Enables/Disables shared locks for path name translation"); 101 102 static void 103 namei_cleanup_cnp(struct componentname *cnp) 104 { 105 uma_zfree(namei_zone, cnp->cn_pnbuf); 106 #ifdef DIAGNOSTIC 107 cnp->cn_pnbuf = NULL; 108 cnp->cn_nameptr = NULL; 109 #endif 110 } 111 112 static int 113 
namei_handle_root(struct nameidata *ndp, struct vnode **dpp) 114 { 115 struct componentname *cnp; 116 117 cnp = &ndp->ni_cnd; 118 if (ndp->ni_strictrelative != 0) { 119 #ifdef KTRACE 120 if (KTRPOINT(curthread, KTR_CAPFAIL)) 121 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); 122 #endif 123 return (ENOTCAPABLE); 124 } 125 while (*(cnp->cn_nameptr) == '/') { 126 cnp->cn_nameptr++; 127 ndp->ni_pathlen--; 128 } 129 *dpp = ndp->ni_rootdir; 130 VREF(*dpp); 131 return (0); 132 } 133 134 /* 135 * Convert a pathname into a pointer to a locked vnode. 136 * 137 * The FOLLOW flag is set when symbolic links are to be followed 138 * when they occur at the end of the name translation process. 139 * Symbolic links are always followed for all other pathname 140 * components other than the last. 141 * 142 * The segflg defines whether the name is to be copied from user 143 * space or kernel space. 144 * 145 * Overall outline of namei: 146 * 147 * copy in name 148 * get starting directory 149 * while (!done && !error) { 150 * call lookup to search path. 
151 * if symbolic link, massage name in buffer and continue 152 * } 153 */ 154 int 155 namei(struct nameidata *ndp) 156 { 157 struct filedesc *fdp; /* pointer to file descriptor state */ 158 char *cp; /* pointer into pathname argument */ 159 struct vnode *dp; /* the directory we are searching */ 160 struct iovec aiov; /* uio for reading symbolic links */ 161 struct uio auio; 162 int error, linklen, startdir_used; 163 struct componentname *cnp = &ndp->ni_cnd; 164 struct thread *td = cnp->cn_thread; 165 struct proc *p = td->td_proc; 166 167 ndp->ni_cnd.cn_cred = ndp->ni_cnd.cn_thread->td_ucred; 168 KASSERT(cnp->cn_cred && p, ("namei: bad cred/proc")); 169 KASSERT((cnp->cn_nameiop & (~OPMASK)) == 0, 170 ("namei: nameiop contaminated with flags")); 171 KASSERT((cnp->cn_flags & OPMASK) == 0, 172 ("namei: flags contaminated with nameiops")); 173 MPASS(ndp->ni_startdir == NULL || ndp->ni_startdir->v_type == VDIR || 174 ndp->ni_startdir->v_type == VBAD); 175 if (!lookup_shared) 176 cnp->cn_flags &= ~LOCKSHARED; 177 fdp = p->p_fd; 178 179 /* We will set this ourselves if we need it. */ 180 cnp->cn_flags &= ~TRAILINGSLASH; 181 182 /* 183 * Get a buffer for the name to be translated, and copy the 184 * name into the buffer. 185 */ 186 if ((cnp->cn_flags & HASBUF) == 0) 187 cnp->cn_pnbuf = uma_zalloc(namei_zone, M_WAITOK); 188 if (ndp->ni_segflg == UIO_SYSSPACE) 189 error = copystr(ndp->ni_dirp, cnp->cn_pnbuf, 190 MAXPATHLEN, (size_t *)&ndp->ni_pathlen); 191 else 192 error = copyinstr(ndp->ni_dirp, cnp->cn_pnbuf, 193 MAXPATHLEN, (size_t *)&ndp->ni_pathlen); 194 195 /* 196 * Don't allow empty pathnames. 197 */ 198 if (error == 0 && *cnp->cn_pnbuf == '\0') 199 error = ENOENT; 200 201 #ifdef CAPABILITY_MODE 202 /* 203 * In capability mode, lookups must be "strictly relative" (i.e. 204 * not an absolute path, and not containing '..' components) to 205 * a real file descriptor, not the pseudo-descriptor AT_FDCWD. 
206 */ 207 if (error == 0 && IN_CAPABILITY_MODE(td) && 208 (cnp->cn_flags & NOCAPCHECK) == 0) { 209 ndp->ni_strictrelative = 1; 210 if (ndp->ni_dirfd == AT_FDCWD) { 211 #ifdef KTRACE 212 if (KTRPOINT(td, KTR_CAPFAIL)) 213 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); 214 #endif 215 error = ECAPMODE; 216 } 217 } 218 #endif 219 if (error != 0) { 220 namei_cleanup_cnp(cnp); 221 ndp->ni_vp = NULL; 222 return (error); 223 } 224 ndp->ni_loopcnt = 0; 225 #ifdef KTRACE 226 if (KTRPOINT(td, KTR_NAMEI)) { 227 KASSERT(cnp->cn_thread == curthread, 228 ("namei not using curthread")); 229 ktrnamei(cnp->cn_pnbuf); 230 } 231 #endif 232 /* 233 * Get starting point for the translation. 234 */ 235 FILEDESC_SLOCK(fdp); 236 ndp->ni_rootdir = fdp->fd_rdir; 237 VREF(ndp->ni_rootdir); 238 ndp->ni_topdir = fdp->fd_jdir; 239 240 /* 241 * If we are auditing the kernel pathname, save the user pathname. 242 */ 243 if (cnp->cn_flags & AUDITVNODE1) 244 AUDIT_ARG_UPATH1(td, ndp->ni_dirfd, cnp->cn_pnbuf); 245 if (cnp->cn_flags & AUDITVNODE2) 246 AUDIT_ARG_UPATH2(td, ndp->ni_dirfd, cnp->cn_pnbuf); 247 248 startdir_used = 0; 249 dp = NULL; 250 cnp->cn_nameptr = cnp->cn_pnbuf; 251 if (cnp->cn_pnbuf[0] == '/') { 252 error = namei_handle_root(ndp, &dp); 253 } else { 254 if (ndp->ni_startdir != NULL) { 255 dp = ndp->ni_startdir; 256 startdir_used = 1; 257 } else if (ndp->ni_dirfd == AT_FDCWD) { 258 dp = fdp->fd_cdir; 259 VREF(dp); 260 } else { 261 cap_rights_t rights; 262 263 rights = ndp->ni_rightsneeded; 264 cap_rights_set(&rights, CAP_LOOKUP); 265 266 if (cnp->cn_flags & AUDITVNODE1) 267 AUDIT_ARG_ATFD1(ndp->ni_dirfd); 268 if (cnp->cn_flags & AUDITVNODE2) 269 AUDIT_ARG_ATFD2(ndp->ni_dirfd); 270 error = fgetvp_rights(td, ndp->ni_dirfd, 271 &rights, &ndp->ni_filecaps, &dp); 272 if (error == EINVAL) 273 error = ENOTDIR; 274 #ifdef CAPABILITIES 275 /* 276 * If file descriptor doesn't have all rights, 277 * all lookups relative to it must also be 278 * strictly relative. 
279 */ 280 CAP_ALL(&rights); 281 if (!cap_rights_contains(&ndp->ni_filecaps.fc_rights, 282 &rights) || 283 ndp->ni_filecaps.fc_fcntls != CAP_FCNTL_ALL || 284 ndp->ni_filecaps.fc_nioctls != -1) { 285 ndp->ni_strictrelative = 1; 286 } 287 #endif 288 } 289 if (error == 0 && dp->v_type != VDIR) 290 error = ENOTDIR; 291 } 292 FILEDESC_SUNLOCK(fdp); 293 if (ndp->ni_startdir != NULL && !startdir_used) 294 vrele(ndp->ni_startdir); 295 if (error != 0) { 296 if (dp != NULL) 297 vrele(dp); 298 goto out; 299 } 300 SDT_PROBE3(vfs, namei, lookup, entry, dp, cnp->cn_pnbuf, 301 cnp->cn_flags); 302 for (;;) { 303 ndp->ni_startdir = dp; 304 error = lookup(ndp); 305 if (error != 0) 306 goto out; 307 /* 308 * If not a symbolic link, we're done. 309 */ 310 if ((cnp->cn_flags & ISSYMLINK) == 0) { 311 vrele(ndp->ni_rootdir); 312 if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) { 313 namei_cleanup_cnp(cnp); 314 } else 315 cnp->cn_flags |= HASBUF; 316 317 SDT_PROBE2(vfs, namei, lookup, return, 0, ndp->ni_vp); 318 return (0); 319 } 320 if (ndp->ni_loopcnt++ >= MAXSYMLINKS) { 321 error = ELOOP; 322 break; 323 } 324 #ifdef MAC 325 if ((cnp->cn_flags & NOMACCHECK) == 0) { 326 error = mac_vnode_check_readlink(td->td_ucred, 327 ndp->ni_vp); 328 if (error != 0) 329 break; 330 } 331 #endif 332 if (ndp->ni_pathlen > 1) 333 cp = uma_zalloc(namei_zone, M_WAITOK); 334 else 335 cp = cnp->cn_pnbuf; 336 aiov.iov_base = cp; 337 aiov.iov_len = MAXPATHLEN; 338 auio.uio_iov = &aiov; 339 auio.uio_iovcnt = 1; 340 auio.uio_offset = 0; 341 auio.uio_rw = UIO_READ; 342 auio.uio_segflg = UIO_SYSSPACE; 343 auio.uio_td = td; 344 auio.uio_resid = MAXPATHLEN; 345 error = VOP_READLINK(ndp->ni_vp, &auio, cnp->cn_cred); 346 if (error != 0) { 347 if (ndp->ni_pathlen > 1) 348 uma_zfree(namei_zone, cp); 349 break; 350 } 351 linklen = MAXPATHLEN - auio.uio_resid; 352 if (linklen == 0) { 353 if (ndp->ni_pathlen > 1) 354 uma_zfree(namei_zone, cp); 355 error = ENOENT; 356 break; 357 } 358 if (linklen + ndp->ni_pathlen >= 
MAXPATHLEN) { 359 if (ndp->ni_pathlen > 1) 360 uma_zfree(namei_zone, cp); 361 error = ENAMETOOLONG; 362 break; 363 } 364 if (ndp->ni_pathlen > 1) { 365 bcopy(ndp->ni_next, cp + linklen, ndp->ni_pathlen); 366 uma_zfree(namei_zone, cnp->cn_pnbuf); 367 cnp->cn_pnbuf = cp; 368 } else 369 cnp->cn_pnbuf[linklen] = '\0'; 370 ndp->ni_pathlen += linklen; 371 vput(ndp->ni_vp); 372 dp = ndp->ni_dvp; 373 /* 374 * Check if root directory should replace current directory. 375 */ 376 cnp->cn_nameptr = cnp->cn_pnbuf; 377 if (*(cnp->cn_nameptr) == '/') { 378 vrele(dp); 379 error = namei_handle_root(ndp, &dp); 380 if (error != 0) 381 goto out; 382 } 383 } 384 vput(ndp->ni_vp); 385 ndp->ni_vp = NULL; 386 vrele(ndp->ni_dvp); 387 out: 388 vrele(ndp->ni_rootdir); 389 namei_cleanup_cnp(cnp); 390 SDT_PROBE2(vfs, namei, lookup, return, error, NULL); 391 return (error); 392 } 393 394 static int 395 compute_cn_lkflags(struct mount *mp, int lkflags, int cnflags) 396 { 397 398 if (mp == NULL || ((lkflags & LK_SHARED) && 399 (!(mp->mnt_kern_flag & MNTK_LOOKUP_SHARED) || 400 ((cnflags & ISDOTDOT) && 401 (mp->mnt_kern_flag & MNTK_LOOKUP_EXCL_DOTDOT))))) { 402 lkflags &= ~LK_SHARED; 403 lkflags |= LK_EXCLUSIVE; 404 } 405 lkflags |= LK_NODDLKTREAT; 406 return (lkflags); 407 } 408 409 static __inline int 410 needs_exclusive_leaf(struct mount *mp, int flags) 411 { 412 413 /* 414 * Intermediate nodes can use shared locks, we only need to 415 * force an exclusive lock for leaf nodes. 416 */ 417 if ((flags & (ISLASTCN | LOCKLEAF)) != (ISLASTCN | LOCKLEAF)) 418 return (0); 419 420 /* Always use exclusive locks if LOCKSHARED isn't set. */ 421 if (!(flags & LOCKSHARED)) 422 return (1); 423 424 /* 425 * For lookups during open(), if the mount point supports 426 * extended shared operations, then use a shared lock for the 427 * leaf node, otherwise use an exclusive lock. 
428 */ 429 if ((flags & ISOPEN) != 0) 430 return (!MNT_EXTENDED_SHARED(mp)); 431 432 /* 433 * Lookup requests outside of open() that specify LOCKSHARED 434 * only need a shared lock on the leaf vnode. 435 */ 436 return (0); 437 } 438 439 /* 440 * Search a pathname. 441 * This is a very central and rather complicated routine. 442 * 443 * The pathname is pointed to by ni_ptr and is of length ni_pathlen. 444 * The starting directory is taken from ni_startdir. The pathname is 445 * descended until done, or a symbolic link is encountered. The variable 446 * ni_more is clear if the path is completed; it is set to one if a 447 * symbolic link needing interpretation is encountered. 448 * 449 * The flag argument is LOOKUP, CREATE, RENAME, or DELETE depending on 450 * whether the name is to be looked up, created, renamed, or deleted. 451 * When CREATE, RENAME, or DELETE is specified, information usable in 452 * creating, renaming, or deleting a directory entry may be calculated. 453 * If flag has LOCKPARENT or'ed into it, the parent directory is returned 454 * locked. If flag has WANTPARENT or'ed into it, the parent directory is 455 * returned unlocked. Otherwise the parent directory is not returned. If 456 * the target of the pathname exists and LOCKLEAF is or'ed into the flag 457 * the target is returned locked, otherwise it is returned unlocked. 458 * When creating or renaming and LOCKPARENT is specified, the target may not 459 * be ".". When deleting and LOCKPARENT is specified, the target may be ".". 460 * 461 * Overall outline of lookup: 462 * 463 * dirloop: 464 * identify next component of name at ndp->ni_ptr 465 * handle degenerate case where name is null string 466 * if .. and crossing mount points and on mounted filesys, find parent 467 * call VOP_LOOKUP routine for next component name 468 * directory vnode returned in ni_dvp, unlocked unless LOCKPARENT set 469 * component vnode returned in ni_vp (if it exists), locked. 
 *	if result vnode is mounted on and crossing mount points,
 *	    find mounted on vnode
 *	if more components of name, do next level at dirloop
 *	return the answer in ni_vp, locked if LOCKLEAF set
 *	    if LOCKPARENT set, return locked parent in ni_dvp
 *	    if WANTPARENT set, return unlocked parent in ni_dvp
 */
/*
 * Returns 0 on success; the ISSYMLINK flag in cn_flags tells the caller
 * whether translation stopped at a symbolic link.  On error the vnodes
 * still held are released at the bad/bad2 labels and ni_vp is set to NULL.
 */
int
lookup(struct nameidata *ndp)
{
	char *cp;			/* pointer into pathname argument */
	struct vnode *dp = NULL;	/* the directory we are searching */
	struct vnode *tdp;		/* saved dp */
	struct mount *mp;		/* mount table entry */
	struct prison *pr;
	int docache;			/* == 0 do not cache last component */
	int wantparent;			/* 1 => wantparent or lockparent flag */
	int rdonly;			/* lookup read-only flag bit */
	int error = 0;
	int dpunlocked = 0;		/* dp has already been unlocked */
	int relookup = 0;		/* do not consume the path component */
	struct componentname *cnp = &ndp->ni_cnd;
	int lkflags_save;
	/*
	 * State of ni_dvp for the bad2 cleanup: 0 = still locked,
	 * 1 = unlocked but still referenced, 2 = already released.
	 */
	int ni_dvp_unlocked;

	/*
	 * Setup: break out flag bits into variables.
	 */
	ni_dvp_unlocked = 0;
	wantparent = cnp->cn_flags & (LOCKPARENT | WANTPARENT);
	KASSERT(cnp->cn_nameiop == LOOKUP || wantparent,
	    ("CREATE, DELETE, RENAME require LOCKPARENT or WANTPARENT."));
	/* docache is non-zero exactly when NOCACHE is not set. */
	docache = (cnp->cn_flags & NOCACHE) ^ NOCACHE;
	if (cnp->cn_nameiop == DELETE ||
	    (wantparent && cnp->cn_nameiop != CREATE &&
	     cnp->cn_nameiop != LOOKUP))
		docache = 0;
	rdonly = cnp->cn_flags & RDONLY;
	cnp->cn_flags &= ~ISSYMLINK;
	ndp->ni_dvp = NULL;
	/*
	 * We use shared locks until we hit the parent of the last cn then
	 * we adjust based on the requesting flags.
	 */
	if (lookup_shared)
		cnp->cn_lkflags = LK_SHARED;
	else
		cnp->cn_lkflags = LK_EXCLUSIVE;
	/* Take over the start directory; ni_startdir is cleared. */
	dp = ndp->ni_startdir;
	ndp->ni_startdir = NULLVP;
	vn_lock(dp,
	    compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags | LK_RETRY,
	    cnp->cn_flags));

dirloop:
	/*
	 * Search a new directory.
	 *
	 * The last component of the filename is left accessible via
	 * cnp->cn_nameptr for callers that need the name. Callers needing
	 * the name set the SAVENAME flag. When done, they assume
	 * responsibility for freeing the pathname buffer.
	 */
	/* Find the end of the current component. */
	for (cp = cnp->cn_nameptr; *cp != 0 && *cp != '/'; cp++)
		continue;
	cnp->cn_namelen = cp - cnp->cn_nameptr;
	if (cnp->cn_namelen > NAME_MAX) {
		error = ENAMETOOLONG;
		goto bad;
	}
#ifdef NAMEI_DIAGNOSTIC
	{ char c = *cp;
	*cp = '\0';
	printf("{%s}: ", cnp->cn_nameptr);
	*cp = c; }
#endif
	ndp->ni_pathlen -= cnp->cn_namelen;
	ndp->ni_next = cp;

	/*
	 * Replace multiple slashes by a single slash and trailing slashes
	 * by a null.  This must be done before VOP_LOOKUP() because some
	 * fs's don't know about trailing slashes.  Remember if there were
	 * trailing slashes to handle symlinks, existing non-directories
	 * and non-existing files that won't be directories specially later.
	 */
	while (*cp == '/' && (cp[1] == '/' || cp[1] == '\0')) {
		cp++;
		ndp->ni_pathlen--;
		if (*cp == '\0') {
			/* Terminate the name at the first trailing slash. */
			*ndp->ni_next = '\0';
			cnp->cn_flags |= TRAILINGSLASH;
		}
	}
	ndp->ni_next = cp;

	/* Recompute the per-component flags. */
	cnp->cn_flags |= MAKEENTRY;
	if (*cp == '\0' && docache == 0)
		cnp->cn_flags &= ~MAKEENTRY;
	if (cnp->cn_namelen == 2 &&
	    cnp->cn_nameptr[1] == '.' && cnp->cn_nameptr[0] == '.')
		cnp->cn_flags |= ISDOTDOT;
	else
		cnp->cn_flags &= ~ISDOTDOT;
	if (*ndp->ni_next == 0)
		cnp->cn_flags |= ISLASTCN;
	else
		cnp->cn_flags &= ~ISLASTCN;

	/* "." as the last component cannot be deleted or renamed. */
	if ((cnp->cn_flags & ISLASTCN) != 0 &&
	    cnp->cn_namelen == 1 && cnp->cn_nameptr[0] == '.' &&
	    (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
		error = EINVAL;
		goto bad;
	}

	/*
	 * Check for degenerate name (e.g. / or "")
	 * which is a way of talking about a directory,
	 * e.g. like "/." or ".".
	 */
	if (cnp->cn_nameptr[0] == '\0') {
		if (dp->v_type != VDIR) {
			error = ENOTDIR;
			goto bad;
		}
		if (cnp->cn_nameiop != LOOKUP) {
			error = EISDIR;
			goto bad;
		}
		/* The directory is its own parent; take an extra reference. */
		if (wantparent) {
			ndp->ni_dvp = dp;
			VREF(dp);
		}
		ndp->ni_vp = dp;

		if (cnp->cn_flags & AUDITVNODE1)
			AUDIT_ARG_VNODE1(dp);
		else if (cnp->cn_flags & AUDITVNODE2)
			AUDIT_ARG_VNODE2(dp);

		if (!(cnp->cn_flags & (LOCKPARENT | LOCKLEAF)))
			VOP_UNLOCK(dp, 0);
		/* XXX This should probably move to the top of function. */
		if (cnp->cn_flags & SAVESTART)
			panic("lookup: SAVESTART");
		goto success;
	}

	/*
	 * Handle "..": five special cases.
	 * 0. If doing a capability lookup, return ENOTCAPABLE (this is a
	 *    fairly conservative design choice, but it's the only one that we
	 *    are satisfied guarantees the property we're looking for).
	 * 1. Return an error if this is the last component of
	 *    the name and the operation is DELETE or RENAME.
	 * 2. If at root directory (e.g. after chroot)
	 *    or at absolute root directory
	 *    then ignore it so can't get out.
	 * 3. If this vnode is the root of a mounted
	 *    filesystem, then replace it with the
	 *    vnode which was mounted on so we take the
	 *    .. in the other filesystem.
	 * 4. If the vnode is the top directory of
	 *    the jail or chroot, don't let them out.
	 */
	if (cnp->cn_flags & ISDOTDOT) {
		if (ndp->ni_strictrelative != 0) {
#ifdef KTRACE
			if (KTRPOINT(curthread, KTR_CAPFAIL))
				ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
#endif
			error = ENOTCAPABLE;
			goto bad;
		}
		if ((cnp->cn_flags & ISLASTCN) != 0 &&
		    (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
			error = EINVAL;
			goto bad;
		}
		for (;;) {
			/* pr ends up non-NULL iff dp is the root of a prison. */
			for (pr = cnp->cn_cred->cr_prison; pr != NULL;
			     pr = pr->pr_parent)
				if (dp == pr->pr_root)
					break;
			if (dp == ndp->ni_rootdir ||
			    dp == ndp->ni_topdir ||
			    dp == rootvnode ||
			    pr != NULL ||
			    ((dp->v_vflag & VV_ROOT) != 0 &&
			     (cnp->cn_flags & NOCROSSMOUNT) != 0)) {
				/* ".." resolves to dp itself: stay put. */
				ndp->ni_dvp = dp;
				ndp->ni_vp = dp;
				VREF(dp);
				goto nextname;
			}
			if ((dp->v_vflag & VV_ROOT) == 0)
				break;
			if (dp->v_iflag & VI_DOOMED) {	/* forced unmount */
				error = ENOENT;
				goto bad;
			}
			/* Step down to the vnode this filesystem covers. */
			tdp = dp;
			dp = dp->v_mount->mnt_vnodecovered;
			VREF(dp);
			vput(tdp);
			vn_lock(dp,
			    compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags |
			    LK_RETRY, ISDOTDOT));
		}
	}

	/*
	 * We now have a segment name to search for, and a directory to search.
	 */
unionlookup:
#ifdef MAC
	if ((cnp->cn_flags & NOMACCHECK) == 0) {
		error = mac_vnode_check_lookup(cnp->cn_thread->td_ucred, dp,
		    cnp);
		if (error)
			goto bad;
	}
#endif
	ndp->ni_dvp = dp;
	ndp->ni_vp = NULL;
	ASSERT_VOP_LOCKED(dp, "lookup");
	/*
	 * If we have a shared lock we may need to upgrade the lock for the
	 * last operation.
	 */
	if (dp != vp_crossmp &&
	    VOP_ISLOCKED(dp) == LK_SHARED &&
	    (cnp->cn_flags & ISLASTCN) && (cnp->cn_flags & LOCKPARENT))
		vn_lock(dp, LK_UPGRADE|LK_RETRY);
	if ((dp->v_iflag & VI_DOOMED) != 0) {
		error = ENOENT;
		goto bad;
	}
	/*
	 * If we're looking up the last component and we need an exclusive
	 * lock, adjust our lkflags.
	 */
	if (needs_exclusive_leaf(dp->v_mount, cnp->cn_flags))
		cnp->cn_lkflags = LK_EXCLUSIVE;
#ifdef NAMEI_DIAGNOSTIC
	vn_printf(dp, "lookup in ");
#endif
	/*
	 * The mount-adjusted lock flags apply to this VOP_LOOKUP() call
	 * only; cn_lkflags is restored right after it.
	 */
	lkflags_save = cnp->cn_lkflags;
	cnp->cn_lkflags = compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags,
	    cnp->cn_flags);
	error = VOP_LOOKUP(dp, &ndp->ni_vp, cnp);
	cnp->cn_lkflags = lkflags_save;
	if (error != 0) {
		KASSERT(ndp->ni_vp == NULL, ("leaf should be empty"));
#ifdef NAMEI_DIAGNOSTIC
		printf("not found\n");
#endif
		/*
		 * Not found in the root of a union mount: retry the same
		 * component in the covered directory.
		 */
		if ((error == ENOENT) &&
		    (dp->v_vflag & VV_ROOT) && (dp->v_mount != NULL) &&
		    (dp->v_mount->mnt_flag & MNT_UNION)) {
			tdp = dp;
			dp = dp->v_mount->mnt_vnodecovered;
			VREF(dp);
			vput(tdp);
			vn_lock(dp,
			    compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags |
			    LK_RETRY, cnp->cn_flags));
			goto unionlookup;
		}

		/*
		 * ERELOOKUP: treat dp itself as the result and process the
		 * same component again from dirloop (see the relookup
		 * handling under nextname).
		 */
		if (error == ERELOOKUP) {
			vref(dp);
			ndp->ni_vp = dp;
			error = 0;
			relookup = 1;
			goto good;
		}

		if (error != EJUSTRETURN)
			goto bad;
		/*
		 * At this point, we know we're at the end of the
		 * pathname.  If creating / renaming, we can consider
		 * allowing the file or directory to be created / renamed,
		 * provided we're not on a read-only filesystem.
		 */
		if (rdonly) {
			error = EROFS;
			goto bad;
		}
		/* trailing slash only allowed for directories */
		if ((cnp->cn_flags & TRAILINGSLASH) &&
		    !(cnp->cn_flags & WILLBEDIR)) {
			error = ENOENT;
			goto bad;
		}
		if ((cnp->cn_flags & LOCKPARENT) == 0)
			VOP_UNLOCK(dp, 0);
		/*
		 * We return with ni_vp NULL to indicate that the entry
		 * doesn't currently exist, leaving a pointer to the
		 * (possibly locked) directory vnode in ndp->ni_dvp.
		 */
		if (cnp->cn_flags & SAVESTART) {
			ndp->ni_startdir = ndp->ni_dvp;
			VREF(ndp->ni_startdir);
		}
		goto success;
	}

good:
#ifdef NAMEI_DIAGNOSTIC
	printf("found\n");
#endif
	dp = ndp->ni_vp;

	/*
	 * Check to see if the vnode has been mounted on;
	 * if so find the root of the mounted filesystem.
	 */
	while (dp->v_type == VDIR && (mp = dp->v_mountedhere) &&
	    (cnp->cn_flags & NOCROSSMOUNT) == 0) {
		/* Busy the mount; on failure re-evaluate the loop condition. */
		if (vfs_busy(mp, 0))
			continue;
		vput(dp);
		if (dp != ndp->ni_dvp)
			vput(ndp->ni_dvp);
		else
			vrele(ndp->ni_dvp);
		/*
		 * Both the covered vnode and its parent are released now;
		 * vp_crossmp takes the parent's place in ni_dvp.
		 */
		vref(vp_crossmp);
		ndp->ni_dvp = vp_crossmp;
		error = VFS_ROOT(mp, compute_cn_lkflags(mp, cnp->cn_lkflags,
		    cnp->cn_flags), &tdp);
		vfs_unbusy(mp);
		if (vn_lock(vp_crossmp, LK_SHARED | LK_NOWAIT))
			panic("vp_crossmp exclusively locked or reclaimed");
		if (error) {
			/* dp was already vput() above; bad must not repeat it. */
			dpunlocked = 1;
			goto bad2;
		}
		ndp->ni_vp = dp = tdp;
	}

	/*
	 * Check for symbolic link
	 */
	if ((dp->v_type == VLNK) &&
	    ((cnp->cn_flags & FOLLOW) || (cnp->cn_flags & TRAILINGSLASH) ||
	     *ndp->ni_next == '/')) {
		cnp->cn_flags |= ISSYMLINK;
		if (dp->v_iflag & VI_DOOMED) {
			/*
			 * We can't know whether the directory was mounted with
			 * NOSYMFOLLOW, so we can't follow safely.
			 */
			error = ENOENT;
			goto bad2;
		}
		if (dp->v_mount->mnt_flag & MNT_NOSYMFOLLOW) {
			error = EACCES;
			goto bad2;
		}
		/*
		 * Symlink code always expects an unlocked dvp.
		 */
		if (ndp->ni_dvp != ndp->ni_vp) {
			VOP_UNLOCK(ndp->ni_dvp, 0);
			ni_dvp_unlocked = 1;
		}
		goto success;
	}

nextname:
	/*
	 * Not a symbolic link that we will follow.  Continue with the
	 * next component if there is any; otherwise, we're done.
	 */
	KASSERT((cnp->cn_flags & ISLASTCN) || *ndp->ni_next == '/',
	    ("lookup: invalid path state."));
	if (relookup) {
		/* Retry without advancing cn_nameptr past the component. */
		relookup = 0;
		if (ndp->ni_dvp != dp)
			vput(ndp->ni_dvp);
		else
			vrele(ndp->ni_dvp);
		goto dirloop;
	}
	if (*ndp->ni_next == '/') {
		/* Advance past the separator(s) and drop the old parent. */
		cnp->cn_nameptr = ndp->ni_next;
		while (*cnp->cn_nameptr == '/') {
			cnp->cn_nameptr++;
			ndp->ni_pathlen--;
		}
		if (ndp->ni_dvp != dp)
			vput(ndp->ni_dvp);
		else
			vrele(ndp->ni_dvp);
		goto dirloop;
	}
	/*
	 * If we're processing a path with a trailing slash,
	 * check that the end result is a directory.
	 */
	if ((cnp->cn_flags & TRAILINGSLASH) && dp->v_type != VDIR) {
		error = ENOTDIR;
		goto bad2;
	}
	/*
	 * Disallow directory write attempts on read-only filesystems.
	 */
	if (rdonly &&
	    (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
		error = EROFS;
		goto bad2;
	}
	if (cnp->cn_flags & SAVESTART) {
		ndp->ni_startdir = ndp->ni_dvp;
		VREF(ndp->ni_startdir);
	}
	/*
	 * Put the parent into the state the caller asked for: released
	 * (neither flag), unlocked (WANTPARENT) or left locked (LOCKPARENT).
	 */
	if (!wantparent) {
		ni_dvp_unlocked = 2;
		if (ndp->ni_dvp != dp)
			vput(ndp->ni_dvp);
		else
			vrele(ndp->ni_dvp);
	} else if ((cnp->cn_flags & LOCKPARENT) == 0 && ndp->ni_dvp != dp) {
		VOP_UNLOCK(ndp->ni_dvp, 0);
		ni_dvp_unlocked = 1;
	}

	if (cnp->cn_flags & AUDITVNODE1)
		AUDIT_ARG_VNODE1(dp);
	else if (cnp->cn_flags & AUDITVNODE2)
		AUDIT_ARG_VNODE2(dp);

	if ((cnp->cn_flags & LOCKLEAF) == 0)
		VOP_UNLOCK(dp, 0);
success:
	/*
	 * Because of lookup_shared we may have the vnode shared locked, but
	 * the caller may want it to be exclusively locked.
	 */
	if (needs_exclusive_leaf(dp->v_mount, cnp->cn_flags) &&
	    VOP_ISLOCKED(dp) != LK_EXCLUSIVE) {
		vn_lock(dp, LK_UPGRADE | LK_RETRY);
		if (dp->v_iflag & VI_DOOMED) {
			error = ENOENT;
			goto bad2;
		}
	}
	return (0);

bad2:
	/*
	 * Release the parent according to ni_dvp_unlocked: vput() if it is
	 * a distinct vnode that is still locked, vrele() if it is only
	 * referenced, nothing if it was released already (2).
	 */
	if (ni_dvp_unlocked != 2) {
		if (dp != ndp->ni_dvp && !ni_dvp_unlocked)
			vput(ndp->ni_dvp);
		else
			vrele(ndp->ni_dvp);
	}
bad:
	if (!dpunlocked)
		vput(dp);
	ndp->ni_vp = NULL;
	return (error);
}

/*
 * relookup - lookup a path name component
 *    Used by lookup to re-acquire things.
 *
 * dvp is the directory to search and cnp describes the (last) component;
 * dvp is locked exclusively here before the search.  The result is stored
 * in *vpp, which is set to NULL on error.  Returns 0 or an errno value.
 */
int
relookup(struct vnode *dvp, struct vnode **vpp, struct componentname *cnp)
{
	struct vnode *dp = NULL;		/* the directory we are searching */
	int wantparent;			/* 1 => wantparent or lockparent flag */
	int rdonly;			/* lookup read-only flag bit */
	int error = 0;

	KASSERT(cnp->cn_flags & ISLASTCN,
	    ("relookup: Not given last component."));
	/*
	 * Setup: break out flag bits into variables.
	 */
	wantparent = cnp->cn_flags & (LOCKPARENT|WANTPARENT);
	KASSERT(wantparent, ("relookup: parent not wanted."));
	rdonly = cnp->cn_flags & RDONLY;
	cnp->cn_flags &= ~ISSYMLINK;
	dp = dvp;
	cnp->cn_lkflags = LK_EXCLUSIVE;
	vn_lock(dp, LK_EXCLUSIVE | LK_RETRY);

	/*
	 * Search a new directory.
	 *
	 * The last component of the filename is left accessible via
	 * cnp->cn_nameptr for callers that need the name. Callers needing
	 * the name set the SAVENAME flag. When done, they assume
	 * responsibility for freeing the pathname buffer.
	 */
#ifdef NAMEI_DIAGNOSTIC
	printf("{%s}: ", cnp->cn_nameptr);
#endif

	/*
	 * Check for "" which represents the root directory after slash
	 * removal.
	 */
	if (cnp->cn_nameptr[0] == '\0') {
		/*
		 * Support only LOOKUP for "/" because lookup()
		 * can't succeed for CREATE, DELETE and RENAME.
		 */
		KASSERT(cnp->cn_nameiop == LOOKUP, ("nameiop must be LOOKUP"));
		KASSERT(dp->v_type == VDIR, ("dp is not a directory"));

		if (!(cnp->cn_flags & LOCKLEAF))
			VOP_UNLOCK(dp, 0);
		*vpp = dp;
		/* XXX This should probably move to the top of function. */
		if (cnp->cn_flags & SAVESTART)
			panic("lookup: SAVESTART");
		return (0);
	}

	if (cnp->cn_flags & ISDOTDOT)
		panic ("relookup: lookup on dot-dot");

	/*
	 * We now have a segment name to search for, and a directory to search.
	 */
#ifdef NAMEI_DIAGNOSTIC
	vn_printf(dp, "search in ");
#endif
	if ((error = VOP_LOOKUP(dp, vpp, cnp)) != 0) {
		KASSERT(*vpp == NULL, ("leaf should be empty"));
		if (error != EJUSTRETURN)
			goto bad;
		/*
		 * If creating and at end of pathname, then can consider
		 * allowing file to be created.
		 */
		if (rdonly) {
			error = EROFS;
			goto bad;
		}
		/* ASSERT(dvp == ndp->ni_startdir) */
		if (cnp->cn_flags & SAVESTART)
			VREF(dvp);
		if ((cnp->cn_flags & LOCKPARENT) == 0)
			VOP_UNLOCK(dp, 0);
		/*
		 * We return with ni_vp NULL to indicate that the entry
		 * doesn't currently exist, leaving a pointer to the
		 * (possibly locked) directory vnode in ndp->ni_dvp.
		 */
		return (0);
	}

	dp = *vpp;

	/*
	 * Disallow directory write attempts on read-only filesystems.
	 */
	if (rdonly &&
	    (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
		/*
		 * Release the parent here; the vput(dp) at the bad label
		 * then releases the vnode that was found.
		 */
		if (dvp == dp)
			vrele(dvp);
		else
			vput(dvp);
		error = EROFS;
		goto bad;
	}
	/*
	 * Set the parent lock/ref state to the requested state.
	 */
	if ((cnp->cn_flags & LOCKPARENT) == 0 && dvp != dp) {
		if (wantparent)
			VOP_UNLOCK(dvp, 0);
		else
			vput(dvp);
	} else if (!wantparent)
		vrele(dvp);
	/*
	 * Check for symbolic link
	 */
	KASSERT(dp->v_type != VLNK || !(cnp->cn_flags & FOLLOW),
	    ("relookup: symlink found.\n"));

	/* ASSERT(dvp == ndp->ni_startdir) */
	if (cnp->cn_flags & SAVESTART)
		VREF(dvp);

	if ((cnp->cn_flags & LOCKLEAF) == 0)
		VOP_UNLOCK(dp, 0);
	return (0);
bad:
	vput(dp);
	*vpp = NULL;
	return (error);
}

/*
 * Fill in the caller-supplied fields of a nameidata before it is handed to
 * namei(): operation, flags, pathname and its address space, directory
 * descriptor, optional start directory, needed capability rights and
 * thread.  ni_strictrelative is reset to 0 and ni_filecaps is initialised.
 * A NULL rightsp selects an empty rights set.
 */
void
NDINIT_ALL(struct nameidata *ndp, u_long op, u_long flags, enum uio_seg segflg,
    const char *namep, int dirfd, struct vnode *startdir, cap_rights_t *rightsp,
    struct thread *td)
{

	ndp->ni_cnd.cn_nameiop = op;
	ndp->ni_cnd.cn_flags = flags;
	ndp->ni_segflg = segflg;
	ndp->ni_dirp = namep;
	ndp->ni_dirfd = dirfd;
	ndp->ni_startdir = startdir;
	ndp->ni_strictrelative = 0;
	if (rightsp != NULL)
		ndp->ni_rightsneeded = *rightsp;
	else
		cap_rights_init(&ndp->ni_rightsneeded);
	filecaps_init(&ndp->ni_filecaps);
	ndp->ni_cnd.cn_thread = td;
}

/*
 * Free data allocated by namei(); see namei(9) for details.
1095 */ 1096 void 1097 NDFREE(struct nameidata *ndp, const u_int flags) 1098 { 1099 int unlock_dvp; 1100 int unlock_vp; 1101 1102 unlock_dvp = 0; 1103 unlock_vp = 0; 1104 1105 if (!(flags & NDF_NO_FREE_PNBUF) && 1106 (ndp->ni_cnd.cn_flags & HASBUF)) { 1107 uma_zfree(namei_zone, ndp->ni_cnd.cn_pnbuf); 1108 ndp->ni_cnd.cn_flags &= ~HASBUF; 1109 } 1110 if (!(flags & NDF_NO_VP_UNLOCK) && 1111 (ndp->ni_cnd.cn_flags & LOCKLEAF) && ndp->ni_vp) 1112 unlock_vp = 1; 1113 if (!(flags & NDF_NO_VP_RELE) && ndp->ni_vp) { 1114 if (unlock_vp) { 1115 vput(ndp->ni_vp); 1116 unlock_vp = 0; 1117 } else 1118 vrele(ndp->ni_vp); 1119 ndp->ni_vp = NULL; 1120 } 1121 if (unlock_vp) 1122 VOP_UNLOCK(ndp->ni_vp, 0); 1123 if (!(flags & NDF_NO_DVP_UNLOCK) && 1124 (ndp->ni_cnd.cn_flags & LOCKPARENT) && 1125 ndp->ni_dvp != ndp->ni_vp) 1126 unlock_dvp = 1; 1127 if (!(flags & NDF_NO_DVP_RELE) && 1128 (ndp->ni_cnd.cn_flags & (LOCKPARENT|WANTPARENT))) { 1129 if (unlock_dvp) { 1130 vput(ndp->ni_dvp); 1131 unlock_dvp = 0; 1132 } else 1133 vrele(ndp->ni_dvp); 1134 ndp->ni_dvp = NULL; 1135 } 1136 if (unlock_dvp) 1137 VOP_UNLOCK(ndp->ni_dvp, 0); 1138 if (!(flags & NDF_NO_STARTDIR_RELE) && 1139 (ndp->ni_cnd.cn_flags & SAVESTART)) { 1140 vrele(ndp->ni_startdir); 1141 ndp->ni_startdir = NULL; 1142 } 1143 } 1144 1145 /* 1146 * Determine if there is a suitable alternate filename under the specified 1147 * prefix for the specified path. If the create flag is set, then the 1148 * alternate prefix will be used so long as the parent directory exists. 1149 * This is used by the various compatibility ABIs so that Linux binaries prefer 1150 * files under /compat/linux for example. The chosen path (whether under 1151 * the prefix or under /) is returned in a kernel malloc'd buffer pointed 1152 * to by pathbuf. The caller is responsible for free'ing the buffer from 1153 * the M_TEMP bucket if one is returned. 
1154 */ 1155 int 1156 kern_alternate_path(struct thread *td, const char *prefix, const char *path, 1157 enum uio_seg pathseg, char **pathbuf, int create, int dirfd) 1158 { 1159 struct nameidata nd, ndroot; 1160 char *ptr, *buf, *cp; 1161 size_t len, sz; 1162 int error; 1163 1164 buf = (char *) malloc(MAXPATHLEN, M_TEMP, M_WAITOK); 1165 *pathbuf = buf; 1166 1167 /* Copy the prefix into the new pathname as a starting point. */ 1168 len = strlcpy(buf, prefix, MAXPATHLEN); 1169 if (len >= MAXPATHLEN) { 1170 *pathbuf = NULL; 1171 free(buf, M_TEMP); 1172 return (EINVAL); 1173 } 1174 sz = MAXPATHLEN - len; 1175 ptr = buf + len; 1176 1177 /* Append the filename to the prefix. */ 1178 if (pathseg == UIO_SYSSPACE) 1179 error = copystr(path, ptr, sz, &len); 1180 else 1181 error = copyinstr(path, ptr, sz, &len); 1182 1183 if (error) { 1184 *pathbuf = NULL; 1185 free(buf, M_TEMP); 1186 return (error); 1187 } 1188 1189 /* Only use a prefix with absolute pathnames. */ 1190 if (*ptr != '/') { 1191 error = EINVAL; 1192 goto keeporig; 1193 } 1194 1195 if (dirfd != AT_FDCWD) { 1196 /* 1197 * We want the original because the "prefix" is 1198 * included in the already opened dirfd. 1199 */ 1200 bcopy(ptr, buf, len); 1201 return (0); 1202 } 1203 1204 /* 1205 * We know that there is a / somewhere in this pathname. 1206 * Search backwards for it, to find the file's parent dir 1207 * to see if it exists in the alternate tree. If it does, 1208 * and we want to create a file (cflag is set). We don't 1209 * need to worry about the root comparison in this case. 
1210 */ 1211 1212 if (create) { 1213 for (cp = &ptr[len] - 1; *cp != '/'; cp--); 1214 *cp = '\0'; 1215 1216 NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, buf, td); 1217 error = namei(&nd); 1218 *cp = '/'; 1219 if (error != 0) 1220 goto keeporig; 1221 } else { 1222 NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, buf, td); 1223 1224 error = namei(&nd); 1225 if (error != 0) 1226 goto keeporig; 1227 1228 /* 1229 * We now compare the vnode of the prefix to the one 1230 * vnode asked. If they resolve to be the same, then we 1231 * ignore the match so that the real root gets used. 1232 * This avoids the problem of traversing "../.." to find the 1233 * root directory and never finding it, because "/" resolves 1234 * to the emulation root directory. This is expensive :-( 1235 */ 1236 NDINIT(&ndroot, LOOKUP, FOLLOW, UIO_SYSSPACE, prefix, 1237 td); 1238 1239 /* We shouldn't ever get an error from this namei(). */ 1240 error = namei(&ndroot); 1241 if (error == 0) { 1242 if (nd.ni_vp == ndroot.ni_vp) 1243 error = ENOENT; 1244 1245 NDFREE(&ndroot, NDF_ONLY_PNBUF); 1246 vrele(ndroot.ni_vp); 1247 } 1248 } 1249 1250 NDFREE(&nd, NDF_ONLY_PNBUF); 1251 vrele(nd.ni_vp); 1252 1253 keeporig: 1254 /* If there was an error, use the original path name. */ 1255 if (error) 1256 bcopy(ptr, buf, len); 1257 return (error); 1258 } 1259