1 // SPDX-License-Identifier: GPL-2.0
5 * Copyright (C) 1995 Linus Torvalds
8 #include <linux/stddef.h>
9 #include <linux/kernel.h>
10 #include <linux/export.h>
11 #include <linux/time.h>
13 #include <linux/errno.h>
14 #include <linux/stat.h>
15 #include <linux/file.h>
17 #include <linux/fsnotify.h>
18 #include <linux/dirent.h>
19 #include <linux/security.h>
20 #include <linux/syscalls.h>
21 #include <linux/unistd.h>
22 #include <linux/compat.h>
23 #include <linux/uaccess.h>
25 #include <asm/unaligned.h>
28 * Note the "unsafe_put_user() semantics: we goto a
31 #define unsafe_copy_dirent_name(_dst, _src, _len, label) do { \
32 char __user *dst = (_dst); \
33 const char *src = (_src); \
34 size_t len = (_len); \
35 unsafe_put_user(0, dst+len, label); \
36 unsafe_copy_to_user(dst, src, len, label); \
40 int iterate_dir(struct file *file, struct dir_context *ctx)
42 struct inode *inode = file_inode(file);
45 if (file->f_op->iterate_shared)
47 else if (!file->f_op->iterate)
50 res = security_file_permission(file, MAY_READ);
55 res = down_read_killable(&inode->i_rwsem);
57 res = down_write_killable(&inode->i_rwsem);
62 if (!IS_DEADDIR(inode)) {
63 ctx->pos = file->f_pos;
65 res = file->f_op->iterate_shared(file, ctx);
67 res = file->f_op->iterate(file, ctx);
68 file->f_pos = ctx->pos;
69 fsnotify_access(file);
73 inode_unlock_shared(inode);
79 EXPORT_SYMBOL(iterate_dir);
82 * POSIX says that a dirent name cannot contain NULL or a '/'.
84 * It's not 100% clear what we should really do in this case.
85 * The filesystem is clearly corrupted, but returning a hard
86 * error means that you now don't see any of the other names
87 * either, so that isn't a perfect alternative.
89 * And if you return an error, what error do you use? Several
90 * filesystems seem to have decided on EUCLEAN being the error
91 * code for EFSCORRUPTED, and that may be the error to use. Or
92 * just EIO, which is perhaps more obvious to users.
94 * In order to see the other file names in the directory, the
95 * caller might want to make this a "soft" error: skip the
96 * entry, and return the error at the end instead.
98 * Note that this should likely do a "memchr(name, 0, len)"
99 * check too, since that would be filesystem corruption as
100 * well. However, that case can't actually confuse user space,
101 * which has to do a strlen() on the name anyway to find the
102 * filename length, and the above "soft error" worry means
103 * that it's probably better left alone until we have that
106 * Note the PATH_MAX check - it's arbitrary but the real
107 * kernel limit on a possible path component, not NAME_MAX,
108 * which is the technical standard limit.
110 static int verify_dirent_name(const char *name, int len)
112 if (len <= 0 || len >= PATH_MAX)
114 if (memchr(name, '/', len))
120 * Traditional linux readdir() handling..
122 * "count=1" is a special case, meaning that the buffer is one
123 * dirent-structure in size and that the code can't handle more
124 * anyway. Thus the special "fillonedir()" function for that
125 * case (the low-level handlers don't need to care about this).
128 #ifdef __ARCH_WANT_OLD_READDIR
130 struct old_linux_dirent {
132 unsigned long d_offset;
133 unsigned short d_namlen;
137 struct readdir_callback {
138 struct dir_context ctx;
139 struct old_linux_dirent __user * dirent;
143 static int fillonedir(struct dir_context *ctx, const char *name, int namlen,
144 loff_t offset, u64 ino, unsigned int d_type)
146 struct readdir_callback *buf =
147 container_of(ctx, struct readdir_callback, ctx);
148 struct old_linux_dirent __user * dirent;
154 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
155 buf->result = -EOVERFLOW;
159 dirent = buf->dirent;
160 if (!user_write_access_begin(dirent,
161 (unsigned long)(dirent->d_name + namlen + 1) -
162 (unsigned long)dirent))
164 unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
165 unsafe_put_user(offset, &dirent->d_offset, efault_end);
166 unsafe_put_user(namlen, &dirent->d_namlen, efault_end);
167 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
168 user_write_access_end();
171 user_write_access_end();
173 buf->result = -EFAULT;
177 SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
178 struct old_linux_dirent __user *, dirent, unsigned int, count)
181 struct fd f = fdget_pos(fd);
182 struct readdir_callback buf = {
183 .ctx.actor = fillonedir,
190 error = iterate_dir(f.file, &buf.ctx);
198 #endif /* __ARCH_WANT_OLD_READDIR */
201 * New, all-improved, singing, dancing, iBCS2-compliant getdents()
204 struct linux_dirent {
207 unsigned short d_reclen;
211 struct getdents_callback {
212 struct dir_context ctx;
213 struct linux_dirent __user * current_dir;
219 static int filldir(struct dir_context *ctx, const char *name, int namlen,
220 loff_t offset, u64 ino, unsigned int d_type)
222 struct linux_dirent __user *dirent, *prev;
223 struct getdents_callback *buf =
224 container_of(ctx, struct getdents_callback, ctx);
226 int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2,
230 buf->error = verify_dirent_name(name, namlen);
231 if (unlikely(buf->error))
233 buf->error = -EINVAL; /* only used if we fail.. */
234 if (reclen > buf->count)
237 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
238 buf->error = -EOVERFLOW;
241 prev_reclen = buf->prev_reclen;
242 if (prev_reclen && signal_pending(current))
244 dirent = buf->current_dir;
245 prev = (void __user *) dirent - prev_reclen;
246 if (!user_write_access_begin(prev, reclen + prev_reclen))
249 /* This might be 'dirent->d_off', but if so it will get overwritten */
250 unsafe_put_user(offset, &prev->d_off, efault_end);
251 unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
252 unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
253 unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
254 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
255 user_write_access_end();
257 buf->current_dir = (void __user *)dirent + reclen;
258 buf->prev_reclen = reclen;
259 buf->count -= reclen;
262 user_write_access_end();
264 buf->error = -EFAULT;
268 SYSCALL_DEFINE3(getdents, unsigned int, fd,
269 struct linux_dirent __user *, dirent, unsigned int, count)
272 struct getdents_callback buf = {
273 .ctx.actor = filldir,
275 .current_dir = dirent
279 if (!access_ok(dirent, count))
286 error = iterate_dir(f.file, &buf.ctx);
289 if (buf.prev_reclen) {
290 struct linux_dirent __user * lastdirent;
291 lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
293 if (put_user(buf.ctx.pos, &lastdirent->d_off))
296 error = count - buf.count;
302 struct getdents_callback64 {
303 struct dir_context ctx;
304 struct linux_dirent64 __user * current_dir;
310 static int filldir64(struct dir_context *ctx, const char *name, int namlen,
311 loff_t offset, u64 ino, unsigned int d_type)
313 struct linux_dirent64 __user *dirent, *prev;
314 struct getdents_callback64 *buf =
315 container_of(ctx, struct getdents_callback64, ctx);
316 int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1,
320 buf->error = verify_dirent_name(name, namlen);
321 if (unlikely(buf->error))
323 buf->error = -EINVAL; /* only used if we fail.. */
324 if (reclen > buf->count)
326 prev_reclen = buf->prev_reclen;
327 if (prev_reclen && signal_pending(current))
329 dirent = buf->current_dir;
330 prev = (void __user *)dirent - prev_reclen;
331 if (!user_write_access_begin(prev, reclen + prev_reclen))
334 /* This might be 'dirent->d_off', but if so it will get overwritten */
335 unsafe_put_user(offset, &prev->d_off, efault_end);
336 unsafe_put_user(ino, &dirent->d_ino, efault_end);
337 unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
338 unsafe_put_user(d_type, &dirent->d_type, efault_end);
339 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
340 user_write_access_end();
342 buf->prev_reclen = reclen;
343 buf->current_dir = (void __user *)dirent + reclen;
344 buf->count -= reclen;
348 user_write_access_end();
350 buf->error = -EFAULT;
354 int ksys_getdents64(unsigned int fd, struct linux_dirent64 __user *dirent,
358 struct getdents_callback64 buf = {
359 .ctx.actor = filldir64,
361 .current_dir = dirent
365 if (!access_ok(dirent, count))
372 error = iterate_dir(f.file, &buf.ctx);
375 if (buf.prev_reclen) {
376 struct linux_dirent64 __user * lastdirent;
377 typeof(lastdirent->d_off) d_off = buf.ctx.pos;
379 lastdirent = (void __user *) buf.current_dir - buf.prev_reclen;
380 if (__put_user(d_off, &lastdirent->d_off))
383 error = count - buf.count;
390 SYSCALL_DEFINE3(getdents64, unsigned int, fd,
391 struct linux_dirent64 __user *, dirent, unsigned int, count)
393 return ksys_getdents64(fd, dirent, count);
397 struct compat_old_linux_dirent {
398 compat_ulong_t d_ino;
399 compat_ulong_t d_offset;
400 unsigned short d_namlen;
404 struct compat_readdir_callback {
405 struct dir_context ctx;
406 struct compat_old_linux_dirent __user *dirent;
410 static int compat_fillonedir(struct dir_context *ctx, const char *name,
411 int namlen, loff_t offset, u64 ino,
414 struct compat_readdir_callback *buf =
415 container_of(ctx, struct compat_readdir_callback, ctx);
416 struct compat_old_linux_dirent __user *dirent;
417 compat_ulong_t d_ino;
422 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
423 buf->result = -EOVERFLOW;
427 dirent = buf->dirent;
428 if (!user_write_access_begin(dirent,
429 (unsigned long)(dirent->d_name + namlen + 1) -
430 (unsigned long)dirent))
432 unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
433 unsafe_put_user(offset, &dirent->d_offset, efault_end);
434 unsafe_put_user(namlen, &dirent->d_namlen, efault_end);
435 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
436 user_write_access_end();
439 user_write_access_end();
441 buf->result = -EFAULT;
445 COMPAT_SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
446 struct compat_old_linux_dirent __user *, dirent, unsigned int, count)
449 struct fd f = fdget_pos(fd);
450 struct compat_readdir_callback buf = {
451 .ctx.actor = compat_fillonedir,
458 error = iterate_dir(f.file, &buf.ctx);
466 struct compat_linux_dirent {
467 compat_ulong_t d_ino;
468 compat_ulong_t d_off;
469 unsigned short d_reclen;
473 struct compat_getdents_callback {
474 struct dir_context ctx;
475 struct compat_linux_dirent __user *current_dir;
476 struct compat_linux_dirent __user *previous;
481 static int compat_filldir(struct dir_context *ctx, const char *name, int namlen,
482 loff_t offset, u64 ino, unsigned int d_type)
484 struct compat_linux_dirent __user * dirent;
485 struct compat_getdents_callback *buf =
486 container_of(ctx, struct compat_getdents_callback, ctx);
487 compat_ulong_t d_ino;
488 int reclen = ALIGN(offsetof(struct compat_linux_dirent, d_name) +
489 namlen + 2, sizeof(compat_long_t));
491 buf->error = -EINVAL; /* only used if we fail.. */
492 if (reclen > buf->count)
495 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
496 buf->error = -EOVERFLOW;
499 dirent = buf->previous;
501 if (signal_pending(current))
503 if (__put_user(offset, &dirent->d_off))
506 dirent = buf->current_dir;
507 if (__put_user(d_ino, &dirent->d_ino))
509 if (__put_user(reclen, &dirent->d_reclen))
511 if (copy_to_user(dirent->d_name, name, namlen))
513 if (__put_user(0, dirent->d_name + namlen))
515 if (__put_user(d_type, (char __user *) dirent + reclen - 1))
517 buf->previous = dirent;
518 dirent = (void __user *)dirent + reclen;
519 buf->current_dir = dirent;
520 buf->count -= reclen;
523 buf->error = -EFAULT;
527 COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
528 struct compat_linux_dirent __user *, dirent, unsigned int, count)
531 struct compat_linux_dirent __user * lastdirent;
532 struct compat_getdents_callback buf = {
533 .ctx.actor = compat_filldir,
534 .current_dir = dirent,
539 if (!access_ok(dirent, count))
546 error = iterate_dir(f.file, &buf.ctx);
549 lastdirent = buf.previous;
551 if (put_user(buf.ctx.pos, &lastdirent->d_off))
554 error = count - buf.count;