1 // SPDX-License-Identifier: GPL-2.0
5 * Copyright (C) 1995 Linus Torvalds
8 #include <linux/stddef.h>
9 #include <linux/kernel.h>
10 #include <linux/export.h>
11 #include <linux/time.h>
13 #include <linux/errno.h>
14 #include <linux/stat.h>
15 #include <linux/file.h>
17 #include <linux/fsnotify.h>
18 #include <linux/dirent.h>
19 #include <linux/security.h>
20 #include <linux/syscalls.h>
21 #include <linux/unistd.h>
22 #include <linux/compat.h>
23 #include <linux/uaccess.h>
25 #include <asm/unaligned.h>
28 * Note the "unsafe_put_user() semantics: we goto a
31 * Also note how we use a "while()" loop here, even though
32 * only the biggest size needs to loop. The compiler (well,
33 * at least gcc) is smart enough to turn the smaller sizes
34 * into just if-statements, and this way we don't need to
35 * care whether 'u64' or 'u32' is the biggest size.
37 #define unsafe_copy_loop(dst, src, len, type, label) \
38 while (len >= sizeof(type)) { \
39 unsafe_put_user(get_unaligned((type *)src), \
40 (type __user *)dst, label); \
41 dst += sizeof(type); \
42 src += sizeof(type); \
43 len -= sizeof(type); \
47 * We avoid doing 64-bit copies on 32-bit architectures. They
48 * might be better, but the component names are mostly small,
49 * and the 64-bit cases can end up being much more complex and
50 * put much more register pressure on the code, so it's likely
51 * not worth the pain of unaligned accesses etc.
53 * So limit the copies to "unsigned long" size. I did verify
54 * that at least the x86-32 case is ok without this limiting,
55 * but I worry about random other legacy 32-bit cases that
56 * might not do as well.
58 #define unsafe_copy_type(dst, src, len, type, label) do { \
59 if (sizeof(type) <= sizeof(unsigned long)) \
60 unsafe_copy_loop(dst, src, len, type, label); \
64 * Copy the dirent name to user space, and NUL-terminate
65 * it. This should not be a function call, since we're doing
66 * the copy inside a "user_access_begin/end()" section.
68 #define unsafe_copy_dirent_name(_dst, _src, _len, label) do { \
69 char __user *dst = (_dst); \
70 const char *src = (_src); \
71 size_t len = (_len); \
72 unsafe_copy_type(dst, src, len, u64, label); \
73 unsafe_copy_type(dst, src, len, u32, label); \
74 unsafe_copy_type(dst, src, len, u16, label); \
75 unsafe_copy_type(dst, src, len, u8, label); \
76 unsafe_put_user(0, dst, label); \
80 int iterate_dir(struct file *file, struct dir_context *ctx)
82 struct inode *inode = file_inode(file);
85 if (file->f_op->iterate_shared)
87 else if (!file->f_op->iterate)
90 res = security_file_permission(file, MAY_READ);
95 res = down_read_killable(&inode->i_rwsem);
97 res = down_write_killable(&inode->i_rwsem);
102 if (!IS_DEADDIR(inode)) {
103 ctx->pos = file->f_pos;
105 res = file->f_op->iterate_shared(file, ctx);
107 res = file->f_op->iterate(file, ctx);
108 file->f_pos = ctx->pos;
109 fsnotify_access(file);
113 inode_unlock_shared(inode);
119 EXPORT_SYMBOL(iterate_dir);
122 * Traditional linux readdir() handling..
124 * "count=1" is a special case, meaning that the buffer is one
125 * dirent-structure in size and that the code can't handle more
126 * anyway. Thus the special "fillonedir()" function for that
127 * case (the low-level handlers don't need to care about this).
130 #ifdef __ARCH_WANT_OLD_READDIR
132 struct old_linux_dirent {
134 unsigned long d_offset;
135 unsigned short d_namlen;
139 struct readdir_callback {
140 struct dir_context ctx;
141 struct old_linux_dirent __user * dirent;
145 static int fillonedir(struct dir_context *ctx, const char *name, int namlen,
146 loff_t offset, u64 ino, unsigned int d_type)
148 struct readdir_callback *buf =
149 container_of(ctx, struct readdir_callback, ctx);
150 struct old_linux_dirent __user * dirent;
156 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
157 buf->result = -EOVERFLOW;
161 dirent = buf->dirent;
162 if (!access_ok(dirent,
163 (unsigned long)(dirent->d_name + namlen + 1) -
164 (unsigned long)dirent))
166 if ( __put_user(d_ino, &dirent->d_ino) ||
167 __put_user(offset, &dirent->d_offset) ||
168 __put_user(namlen, &dirent->d_namlen) ||
169 __copy_to_user(dirent->d_name, name, namlen) ||
170 __put_user(0, dirent->d_name + namlen))
174 buf->result = -EFAULT;
178 SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
179 struct old_linux_dirent __user *, dirent, unsigned int, count)
182 struct fd f = fdget_pos(fd);
183 struct readdir_callback buf = {
184 .ctx.actor = fillonedir,
191 error = iterate_dir(f.file, &buf.ctx);
199 #endif /* __ARCH_WANT_OLD_READDIR */
202 * New, all-improved, singing, dancing, iBCS2-compliant getdents()
205 struct linux_dirent {
208 unsigned short d_reclen;
212 struct getdents_callback {
213 struct dir_context ctx;
214 struct linux_dirent __user * current_dir;
215 struct linux_dirent __user * previous;
220 static int filldir(struct dir_context *ctx, const char *name, int namlen,
221 loff_t offset, u64 ino, unsigned int d_type)
223 struct linux_dirent __user * dirent;
224 struct getdents_callback *buf =
225 container_of(ctx, struct getdents_callback, ctx);
227 int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2,
230 buf->error = -EINVAL; /* only used if we fail.. */
231 if (reclen > buf->count)
234 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
235 buf->error = -EOVERFLOW;
238 dirent = buf->previous;
239 if (dirent && signal_pending(current))
243 * Note! This range-checks 'previous' (which may be NULL).
244 * The real range was checked in getdents
246 if (!user_access_begin(dirent, sizeof(*dirent)))
249 unsafe_put_user(offset, &dirent->d_off, efault_end);
250 dirent = buf->current_dir;
251 unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
252 unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
253 unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
254 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
257 buf->previous = dirent;
258 dirent = (void __user *)dirent + reclen;
259 buf->current_dir = dirent;
260 buf->count -= reclen;
265 buf->error = -EFAULT;
269 SYSCALL_DEFINE3(getdents, unsigned int, fd,
270 struct linux_dirent __user *, dirent, unsigned int, count)
273 struct linux_dirent __user * lastdirent;
274 struct getdents_callback buf = {
275 .ctx.actor = filldir,
277 .current_dir = dirent
281 if (!access_ok(dirent, count))
288 error = iterate_dir(f.file, &buf.ctx);
291 lastdirent = buf.previous;
293 if (put_user(buf.ctx.pos, &lastdirent->d_off))
296 error = count - buf.count;
302 struct getdents_callback64 {
303 struct dir_context ctx;
304 struct linux_dirent64 __user * current_dir;
305 struct linux_dirent64 __user * previous;
310 static int filldir64(struct dir_context *ctx, const char *name, int namlen,
311 loff_t offset, u64 ino, unsigned int d_type)
313 struct linux_dirent64 __user *dirent;
314 struct getdents_callback64 *buf =
315 container_of(ctx, struct getdents_callback64, ctx);
316 int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1,
319 buf->error = -EINVAL; /* only used if we fail.. */
320 if (reclen > buf->count)
322 dirent = buf->previous;
323 if (dirent && signal_pending(current))
327 * Note! This range-checks 'previous' (which may be NULL).
328 * The real range was checked in getdents
330 if (!user_access_begin(dirent, sizeof(*dirent)))
333 unsafe_put_user(offset, &dirent->d_off, efault_end);
334 dirent = buf->current_dir;
335 unsafe_put_user(ino, &dirent->d_ino, efault_end);
336 unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
337 unsafe_put_user(d_type, &dirent->d_type, efault_end);
338 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
341 buf->previous = dirent;
342 dirent = (void __user *)dirent + reclen;
343 buf->current_dir = dirent;
344 buf->count -= reclen;
349 buf->error = -EFAULT;
353 int ksys_getdents64(unsigned int fd, struct linux_dirent64 __user *dirent,
357 struct linux_dirent64 __user * lastdirent;
358 struct getdents_callback64 buf = {
359 .ctx.actor = filldir64,
361 .current_dir = dirent
365 if (!access_ok(dirent, count))
372 error = iterate_dir(f.file, &buf.ctx);
375 lastdirent = buf.previous;
377 typeof(lastdirent->d_off) d_off = buf.ctx.pos;
378 if (__put_user(d_off, &lastdirent->d_off))
381 error = count - buf.count;
388 SYSCALL_DEFINE3(getdents64, unsigned int, fd,
389 struct linux_dirent64 __user *, dirent, unsigned int, count)
391 return ksys_getdents64(fd, dirent, count);
395 struct compat_old_linux_dirent {
396 compat_ulong_t d_ino;
397 compat_ulong_t d_offset;
398 unsigned short d_namlen;
402 struct compat_readdir_callback {
403 struct dir_context ctx;
404 struct compat_old_linux_dirent __user *dirent;
408 static int compat_fillonedir(struct dir_context *ctx, const char *name,
409 int namlen, loff_t offset, u64 ino,
412 struct compat_readdir_callback *buf =
413 container_of(ctx, struct compat_readdir_callback, ctx);
414 struct compat_old_linux_dirent __user *dirent;
415 compat_ulong_t d_ino;
420 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
421 buf->result = -EOVERFLOW;
425 dirent = buf->dirent;
426 if (!access_ok(dirent,
427 (unsigned long)(dirent->d_name + namlen + 1) -
428 (unsigned long)dirent))
430 if ( __put_user(d_ino, &dirent->d_ino) ||
431 __put_user(offset, &dirent->d_offset) ||
432 __put_user(namlen, &dirent->d_namlen) ||
433 __copy_to_user(dirent->d_name, name, namlen) ||
434 __put_user(0, dirent->d_name + namlen))
438 buf->result = -EFAULT;
442 COMPAT_SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
443 struct compat_old_linux_dirent __user *, dirent, unsigned int, count)
446 struct fd f = fdget_pos(fd);
447 struct compat_readdir_callback buf = {
448 .ctx.actor = compat_fillonedir,
455 error = iterate_dir(f.file, &buf.ctx);
463 struct compat_linux_dirent {
464 compat_ulong_t d_ino;
465 compat_ulong_t d_off;
466 unsigned short d_reclen;
470 struct compat_getdents_callback {
471 struct dir_context ctx;
472 struct compat_linux_dirent __user *current_dir;
473 struct compat_linux_dirent __user *previous;
478 static int compat_filldir(struct dir_context *ctx, const char *name, int namlen,
479 loff_t offset, u64 ino, unsigned int d_type)
481 struct compat_linux_dirent __user * dirent;
482 struct compat_getdents_callback *buf =
483 container_of(ctx, struct compat_getdents_callback, ctx);
484 compat_ulong_t d_ino;
485 int reclen = ALIGN(offsetof(struct compat_linux_dirent, d_name) +
486 namlen + 2, sizeof(compat_long_t));
488 buf->error = -EINVAL; /* only used if we fail.. */
489 if (reclen > buf->count)
492 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
493 buf->error = -EOVERFLOW;
496 dirent = buf->previous;
498 if (signal_pending(current))
500 if (__put_user(offset, &dirent->d_off))
503 dirent = buf->current_dir;
504 if (__put_user(d_ino, &dirent->d_ino))
506 if (__put_user(reclen, &dirent->d_reclen))
508 if (copy_to_user(dirent->d_name, name, namlen))
510 if (__put_user(0, dirent->d_name + namlen))
512 if (__put_user(d_type, (char __user *) dirent + reclen - 1))
514 buf->previous = dirent;
515 dirent = (void __user *)dirent + reclen;
516 buf->current_dir = dirent;
517 buf->count -= reclen;
520 buf->error = -EFAULT;
524 COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
525 struct compat_linux_dirent __user *, dirent, unsigned int, count)
528 struct compat_linux_dirent __user * lastdirent;
529 struct compat_getdents_callback buf = {
530 .ctx.actor = compat_filldir,
531 .current_dir = dirent,
536 if (!access_ok(dirent, count))
543 error = iterate_dir(f.file, &buf.ctx);
546 lastdirent = buf.previous;
548 if (put_user(buf.ctx.pos, &lastdirent->d_off))
551 error = count - buf.count;