1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * linux/fs/readdir.c 4 * 5 * Copyright (C) 1995 Linus Torvalds 6 */ 7 8 #include <linux/stddef.h> 9 #include <linux/kernel.h> 10 #include <linux/export.h> 11 #include <linux/time.h> 12 #include <linux/mm.h> 13 #include <linux/errno.h> 14 #include <linux/stat.h> 15 #include <linux/file.h> 16 #include <linux/fs.h> 17 #include <linux/fsnotify.h> 18 #include <linux/dirent.h> 19 #include <linux/security.h> 20 #include <linux/syscalls.h> 21 #include <linux/unistd.h> 22 #include <linux/compat.h> 23 #include <linux/uaccess.h> 24 25 #include <asm/unaligned.h> 26 27 /* 28 * Some filesystems were never converted to '->iterate_shared()' 29 * and their directory iterators want the inode lock held for 30 * writing. This wrapper allows for converting from the shared 31 * semantics to the exclusive inode use. 32 */ 33 int wrap_directory_iterator(struct file *file, 34 struct dir_context *ctx, 35 int (*iter)(struct file *, struct dir_context *)) 36 { 37 struct inode *inode = file_inode(file); 38 int ret; 39 40 /* 41 * We'd love to have an 'inode_upgrade_trylock()' operation, 42 * see the comment in mmap_upgrade_trylock() in mm/memory.c. 43 * 44 * But considering this is for "filesystems that never got 45 * converted", it really doesn't matter. 46 * 47 * Also note that since we have to return with the lock held 48 * for reading, we can't use the "killable()" locking here, 49 * since we do need to get the lock even if we're dying. 50 * 51 * We could do the write part killably and then get the read 52 * lock unconditionally if it mattered, but see above on why 53 * this does the very simplistic conversion. 54 */ 55 up_read(&inode->i_rwsem); 56 down_write(&inode->i_rwsem); 57 58 /* 59 * Since we dropped the inode lock, we should do the 60 * DEADDIR test again. See 'iterate_dir()' below. 61 * 62 * Note that we don't need to re-do the f_pos games, 63 * since the file must be locked wrt f_pos anyway. 64 */ 65 ret = -ENOENT; 66 if (!IS_DEADDIR(inode)) 67 ret = iter(file, ctx); 68 69 downgrade_write(&inode->i_rwsem); 70 return ret; 71 } 72 EXPORT_SYMBOL(wrap_directory_iterator); 73 74 /* 75 * Note the "unsafe_put_user() semantics: we goto a 76 * label for errors. 77 */ 78 #define unsafe_copy_dirent_name(_dst, _src, _len, label) do { \ 79 char __user *dst = (_dst); \ 80 const char *src = (_src); \ 81 size_t len = (_len); \ 82 unsafe_put_user(0, dst+len, label); \ 83 unsafe_copy_to_user(dst, src, len, label); \ 84 } while (0) 85 86 87 int iterate_dir(struct file *file, struct dir_context *ctx) 88 { 89 struct inode *inode = file_inode(file); 90 int res = -ENOTDIR; 91 92 if (!file->f_op->iterate_shared) 93 goto out; 94 95 res = security_file_permission(file, MAY_READ); 96 if (res) 97 goto out; 98 99 res = fsnotify_file_perm(file, MAY_READ); 100 if (res) 101 goto out; 102 103 res = down_read_killable(&inode->i_rwsem); 104 if (res) 105 goto out; 106 107 res = -ENOENT; 108 if (!IS_DEADDIR(inode)) { 109 ctx->pos = file->f_pos; 110 res = file->f_op->iterate_shared(file, ctx); 111 file->f_pos = ctx->pos; 112 fsnotify_access(file); 113 file_accessed(file); 114 } 115 inode_unlock_shared(inode); 116 out: 117 return res; 118 } 119 EXPORT_SYMBOL(iterate_dir); 120 121 /* 122 * POSIX says that a dirent name cannot contain NULL or a '/'. 123 * 124 * It's not 100% clear what we should really do in this case. 125 * The filesystem is clearly corrupted, but returning a hard 126 * error means that you now don't see any of the other names 127 * either, so that isn't a perfect alternative. 128 * 129 * And if you return an error, what error do you use? Several 130 * filesystems seem to have decided on EUCLEAN being the error 131 * code for EFSCORRUPTED, and that may be the error to use. Or 132 * just EIO, which is perhaps more obvious to users. 133 * 134 * In order to see the other file names in the directory, the 135 * caller might want to make this a "soft" error: skip the 136 * entry, and return the error at the end instead. 137 * 138 * Note that this should likely do a "memchr(name, 0, len)" 139 * check too, since that would be filesystem corruption as 140 * well. However, that case can't actually confuse user space, 141 * which has to do a strlen() on the name anyway to find the 142 * filename length, and the above "soft error" worry means 143 * that it's probably better left alone until we have that 144 * issue clarified. 145 * 146 * Note the PATH_MAX check - it's arbitrary but the real 147 * kernel limit on a possible path component, not NAME_MAX, 148 * which is the technical standard limit. 149 */ 150 static int verify_dirent_name(const char *name, int len) 151 { 152 if (len <= 0 || len >= PATH_MAX) 153 return -EIO; 154 if (memchr(name, '/', len)) 155 return -EIO; 156 return 0; 157 } 158 159 /* 160 * Traditional linux readdir() handling.. 161 * 162 * "count=1" is a special case, meaning that the buffer is one 163 * dirent-structure in size and that the code can't handle more 164 * anyway. Thus the special "fillonedir()" function for that 165 * case (the low-level handlers don't need to care about this). 166 */ 167 168 #ifdef __ARCH_WANT_OLD_READDIR 169 170 struct old_linux_dirent { 171 unsigned long d_ino; 172 unsigned long d_offset; 173 unsigned short d_namlen; 174 char d_name[]; 175 }; 176 177 struct readdir_callback { 178 struct dir_context ctx; 179 struct old_linux_dirent __user * dirent; 180 int result; 181 }; 182 183 static bool fillonedir(struct dir_context *ctx, const char *name, int namlen, 184 loff_t offset, u64 ino, unsigned int d_type) 185 { 186 struct readdir_callback *buf = 187 container_of(ctx, struct readdir_callback, ctx); 188 struct old_linux_dirent __user * dirent; 189 unsigned long d_ino; 190 191 if (buf->result) 192 return false; 193 buf->result = verify_dirent_name(name, namlen); 194 if (buf->result) 195 return false; 196 d_ino = ino; 197 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) { 198 buf->result = -EOVERFLOW; 199 return false; 200 } 201 buf->result++; 202 dirent = buf->dirent; 203 if (!user_write_access_begin(dirent, 204 (unsigned long)(dirent->d_name + namlen + 1) - 205 (unsigned long)dirent)) 206 goto efault; 207 unsafe_put_user(d_ino, &dirent->d_ino, efault_end); 208 unsafe_put_user(offset, &dirent->d_offset, efault_end); 209 unsafe_put_user(namlen, &dirent->d_namlen, efault_end); 210 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end); 211 user_write_access_end(); 212 return true; 213 efault_end: 214 user_write_access_end(); 215 efault: 216 buf->result = -EFAULT; 217 return false; 218 } 219 220 SYSCALL_DEFINE3(old_readdir, unsigned int, fd, 221 struct old_linux_dirent __user *, dirent, unsigned int, count) 222 { 223 int error; 224 struct fd f = fdget_pos(fd); 225 struct readdir_callback buf = { 226 .ctx.actor = fillonedir, 227 .dirent = dirent 228 }; 229 230 if (!f.file) 231 return -EBADF; 232 233 error = iterate_dir(f.file, &buf.ctx); 234 if (buf.result) 235 error = buf.result; 236 237 fdput_pos(f); 238 return error; 239 } 240 241 #endif /* __ARCH_WANT_OLD_READDIR */ 242 243 /* 244 * New, all-improved, singing, dancing, iBCS2-compliant getdents() 245 * interface. 246 */ 247 struct linux_dirent { 248 unsigned long d_ino; 249 unsigned long d_off; 250 unsigned short d_reclen; 251 char d_name[]; 252 }; 253 254 struct getdents_callback { 255 struct dir_context ctx; 256 struct linux_dirent __user * current_dir; 257 int prev_reclen; 258 int count; 259 int error; 260 }; 261 262 static bool filldir(struct dir_context *ctx, const char *name, int namlen, 263 loff_t offset, u64 ino, unsigned int d_type) 264 { 265 struct linux_dirent __user *dirent, *prev; 266 struct getdents_callback *buf = 267 container_of(ctx, struct getdents_callback, ctx); 268 unsigned long d_ino; 269 int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2, 270 sizeof(long)); 271 int prev_reclen; 272 273 buf->error = verify_dirent_name(name, namlen); 274 if (unlikely(buf->error)) 275 return false; 276 buf->error = -EINVAL; /* only used if we fail.. */ 277 if (reclen > buf->count) 278 return false; 279 d_ino = ino; 280 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) { 281 buf->error = -EOVERFLOW; 282 return false; 283 } 284 prev_reclen = buf->prev_reclen; 285 if (prev_reclen && signal_pending(current)) 286 return false; 287 dirent = buf->current_dir; 288 prev = (void __user *) dirent - prev_reclen; 289 if (!user_write_access_begin(prev, reclen + prev_reclen)) 290 goto efault; 291 292 /* This might be 'dirent->d_off', but if so it will get overwritten */ 293 unsafe_put_user(offset, &prev->d_off, efault_end); 294 unsafe_put_user(d_ino, &dirent->d_ino, efault_end); 295 unsafe_put_user(reclen, &dirent->d_reclen, efault_end); 296 unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end); 297 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end); 298 user_write_access_end(); 299 300 buf->current_dir = (void __user *)dirent + reclen; 301 buf->prev_reclen = reclen; 302 buf->count -= reclen; 303 return true; 304 efault_end: 305 user_write_access_end(); 306 efault: 307 buf->error = -EFAULT; 308 return false; 309 } 310 311 SYSCALL_DEFINE3(getdents, unsigned int, fd, 312 struct linux_dirent __user *, dirent, unsigned int, count) 313 { 314 struct fd f; 315 struct getdents_callback buf = { 316 .ctx.actor = filldir, 317 .count = count, 318 .current_dir = dirent 319 }; 320 int error; 321 322 f = fdget_pos(fd); 323 if (!f.file) 324 return -EBADF; 325 326 error = iterate_dir(f.file, &buf.ctx); 327 if (error >= 0) 328 error = buf.error; 329 if (buf.prev_reclen) { 330 struct linux_dirent __user * lastdirent; 331 lastdirent = (void __user *)buf.current_dir - buf.prev_reclen; 332 333 if (put_user(buf.ctx.pos, &lastdirent->d_off)) 334 error = -EFAULT; 335 else 336 error = count - buf.count; 337 } 338 fdput_pos(f); 339 return error; 340 } 341 342 struct getdents_callback64 { 343 struct dir_context ctx; 344 struct linux_dirent64 __user * current_dir; 345 int prev_reclen; 346 int count; 347 int error; 348 }; 349 350 static bool filldir64(struct dir_context *ctx, const char *name, int namlen, 351 loff_t offset, u64 ino, unsigned int d_type) 352 { 353 struct linux_dirent64 __user *dirent, *prev; 354 struct getdents_callback64 *buf = 355 container_of(ctx, struct getdents_callback64, ctx); 356 int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1, 357 sizeof(u64)); 358 int prev_reclen; 359 360 buf->error = verify_dirent_name(name, namlen); 361 if (unlikely(buf->error)) 362 return false; 363 buf->error = -EINVAL; /* only used if we fail.. */ 364 if (reclen > buf->count) 365 return false; 366 prev_reclen = buf->prev_reclen; 367 if (prev_reclen && signal_pending(current)) 368 return false; 369 dirent = buf->current_dir; 370 prev = (void __user *)dirent - prev_reclen; 371 if (!user_write_access_begin(prev, reclen + prev_reclen)) 372 goto efault; 373 374 /* This might be 'dirent->d_off', but if so it will get overwritten */ 375 unsafe_put_user(offset, &prev->d_off, efault_end); 376 unsafe_put_user(ino, &dirent->d_ino, efault_end); 377 unsafe_put_user(reclen, &dirent->d_reclen, efault_end); 378 unsafe_put_user(d_type, &dirent->d_type, efault_end); 379 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end); 380 user_write_access_end(); 381 382 buf->prev_reclen = reclen; 383 buf->current_dir = (void __user *)dirent + reclen; 384 buf->count -= reclen; 385 return true; 386 387 efault_end: 388 user_write_access_end(); 389 efault: 390 buf->error = -EFAULT; 391 return false; 392 } 393 394 SYSCALL_DEFINE3(getdents64, unsigned int, fd, 395 struct linux_dirent64 __user *, dirent, unsigned int, count) 396 { 397 struct fd f; 398 struct getdents_callback64 buf = { 399 .ctx.actor = filldir64, 400 .count = count, 401 .current_dir = dirent 402 }; 403 int error; 404 405 f = fdget_pos(fd); 406 if (!f.file) 407 return -EBADF; 408 409 error = iterate_dir(f.file, &buf.ctx); 410 if (error >= 0) 411 error = buf.error; 412 if (buf.prev_reclen) { 413 struct linux_dirent64 __user * lastdirent; 414 typeof(lastdirent->d_off) d_off = buf.ctx.pos; 415 416 lastdirent = (void __user *) buf.current_dir - buf.prev_reclen; 417 if (put_user(d_off, &lastdirent->d_off)) 418 error = -EFAULT; 419 else 420 error = count - buf.count; 421 } 422 fdput_pos(f); 423 return error; 424 } 425 426 #ifdef CONFIG_COMPAT 427 struct compat_old_linux_dirent { 428 compat_ulong_t d_ino; 429 compat_ulong_t d_offset; 430 unsigned short d_namlen; 431 char d_name[]; 432 }; 433 434 struct compat_readdir_callback { 435 struct dir_context ctx; 436 struct compat_old_linux_dirent __user *dirent; 437 int result; 438 }; 439 440 static bool compat_fillonedir(struct dir_context *ctx, const char *name, 441 int namlen, loff_t offset, u64 ino, 442 unsigned int d_type) 443 { 444 struct compat_readdir_callback *buf = 445 container_of(ctx, struct compat_readdir_callback, ctx); 446 struct compat_old_linux_dirent __user *dirent; 447 compat_ulong_t d_ino; 448 449 if (buf->result) 450 return false; 451 buf->result = verify_dirent_name(name, namlen); 452 if (buf->result) 453 return false; 454 d_ino = ino; 455 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) { 456 buf->result = -EOVERFLOW; 457 return false; 458 } 459 buf->result++; 460 dirent = buf->dirent; 461 if (!user_write_access_begin(dirent, 462 (unsigned long)(dirent->d_name + namlen + 1) - 463 (unsigned long)dirent)) 464 goto efault; 465 unsafe_put_user(d_ino, &dirent->d_ino, efault_end); 466 unsafe_put_user(offset, &dirent->d_offset, efault_end); 467 unsafe_put_user(namlen, &dirent->d_namlen, efault_end); 468 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end); 469 user_write_access_end(); 470 return true; 471 efault_end: 472 user_write_access_end(); 473 efault: 474 buf->result = -EFAULT; 475 return false; 476 } 477 478 COMPAT_SYSCALL_DEFINE3(old_readdir, unsigned int, fd, 479 struct compat_old_linux_dirent __user *, dirent, unsigned int, count) 480 { 481 int error; 482 struct fd f = fdget_pos(fd); 483 struct compat_readdir_callback buf = { 484 .ctx.actor = compat_fillonedir, 485 .dirent = dirent 486 }; 487 488 if (!f.file) 489 return -EBADF; 490 491 error = iterate_dir(f.file, &buf.ctx); 492 if (buf.result) 493 error = buf.result; 494 495 fdput_pos(f); 496 return error; 497 } 498 499 struct compat_linux_dirent { 500 compat_ulong_t d_ino; 501 compat_ulong_t d_off; 502 unsigned short d_reclen; 503 char d_name[]; 504 }; 505 506 struct compat_getdents_callback { 507 struct dir_context ctx; 508 struct compat_linux_dirent __user *current_dir; 509 int prev_reclen; 510 int count; 511 int error; 512 }; 513 514 static bool compat_filldir(struct dir_context *ctx, const char *name, int namlen, 515 loff_t offset, u64 ino, unsigned int d_type) 516 { 517 struct compat_linux_dirent __user *dirent, *prev; 518 struct compat_getdents_callback *buf = 519 container_of(ctx, struct compat_getdents_callback, ctx); 520 compat_ulong_t d_ino; 521 int reclen = ALIGN(offsetof(struct compat_linux_dirent, d_name) + 522 namlen + 2, sizeof(compat_long_t)); 523 int prev_reclen; 524 525 buf->error = verify_dirent_name(name, namlen); 526 if (unlikely(buf->error)) 527 return false; 528 buf->error = -EINVAL; /* only used if we fail.. */ 529 if (reclen > buf->count) 530 return false; 531 d_ino = ino; 532 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) { 533 buf->error = -EOVERFLOW; 534 return false; 535 } 536 prev_reclen = buf->prev_reclen; 537 if (prev_reclen && signal_pending(current)) 538 return false; 539 dirent = buf->current_dir; 540 prev = (void __user *) dirent - prev_reclen; 541 if (!user_write_access_begin(prev, reclen + prev_reclen)) 542 goto efault; 543 544 unsafe_put_user(offset, &prev->d_off, efault_end); 545 unsafe_put_user(d_ino, &dirent->d_ino, efault_end); 546 unsafe_put_user(reclen, &dirent->d_reclen, efault_end); 547 unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end); 548 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end); 549 user_write_access_end(); 550 551 buf->prev_reclen = reclen; 552 buf->current_dir = (void __user *)dirent + reclen; 553 buf->count -= reclen; 554 return true; 555 efault_end: 556 user_write_access_end(); 557 efault: 558 buf->error = -EFAULT; 559 return false; 560 } 561 562 COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd, 563 struct compat_linux_dirent __user *, dirent, unsigned int, count) 564 { 565 struct fd f; 566 struct compat_getdents_callback buf = { 567 .ctx.actor = compat_filldir, 568 .current_dir = dirent, 569 .count = count 570 }; 571 int error; 572 573 f = fdget_pos(fd); 574 if (!f.file) 575 return -EBADF; 576 577 error = iterate_dir(f.file, &buf.ctx); 578 if (error >= 0) 579 error = buf.error; 580 if (buf.prev_reclen) { 581 struct compat_linux_dirent __user * lastdirent; 582 lastdirent = (void __user *)buf.current_dir - buf.prev_reclen; 583 584 if (put_user(buf.ctx.pos, &lastdirent->d_off)) 585 error = -EFAULT; 586 else 587 error = count - buf.count; 588 } 589 fdput_pos(f); 590 return error; 591 } 592 #endif 593