linux/fs/namei.c
<<
>>
Prefs
   1/*
   2 *  linux/fs/namei.c
   3 *
   4 *  Copyright (C) 1991, 1992  Linus Torvalds
   5 */
   6
   7/*
   8 * Some corrections by tytso.
   9 */
  10
  11/* [Feb 1997 T. Schoebel-Theuer] Complete rewrite of the pathname
  12 * lookup logic.
  13 */
  14/* [Feb-Apr 2000, AV] Rewrite to the new namespace architecture.
  15 */
  16
  17#include <linux/init.h>
  18#include <linux/export.h>
  19#include <linux/kernel.h>
  20#include <linux/slab.h>
  21#include <linux/fs.h>
  22#include <linux/namei.h>
  23#include <linux/pagemap.h>
  24#include <linux/fsnotify.h>
  25#include <linux/personality.h>
  26#include <linux/security.h>
  27#include <linux/ima.h>
  28#include <linux/syscalls.h>
  29#include <linux/mount.h>
  30#include <linux/audit.h>
  31#include <linux/capability.h>
  32#include <linux/file.h>
  33#include <linux/fcntl.h>
  34#include <linux/device_cgroup.h>
  35#include <linux/fs_struct.h>
  36#include <linux/posix_acl.h>
  37#include <asm/uaccess.h>
  38
  39#include "internal.h"
  40#include "mount.h"
  41
  42/* [Feb-1997 T. Schoebel-Theuer]
  43 * Fundamental changes in the pathname lookup mechanisms (namei)
  44 * were necessary because of omirr.  The reason is that omirr needs
  45 * to know the _real_ pathname, not the user-supplied one, in case
  46 * of symlinks (and also when transname replacements occur).
  47 *
  48 * The new code replaces the old recursive symlink resolution with
  49 * an iterative one (in case of non-nested symlink chains).  It does
  50 * this with calls to <fs>_follow_link().
  51 * As a side effect, dir_namei(), _namei() and follow_link() are now 
  52 * replaced with a single function lookup_dentry() that can handle all 
  53 * the special cases of the former code.
  54 *
  55 * With the new dcache, the pathname is stored at each inode, at least as
  56 * long as the refcount of the inode is positive.  As a side effect, the
  57 * size of the dcache depends on the inode cache and thus is dynamic.
  58 *
  59 * [29-Apr-1998 C. Scott Ananian] Updated above description of symlink
  60 * resolution to correspond with current state of the code.
  61 *
  62 * Note that the symlink resolution is not *completely* iterative.
  63 * There is still a significant amount of tail- and mid- recursion in
  64 * the algorithm.  Also, note that <fs>_readlink() is not used in
  65 * lookup_dentry(): lookup_dentry() on the result of <fs>_readlink()
  66 * may return different results than <fs>_follow_link().  Many virtual
  67 * filesystems (including /proc) exhibit this behavior.
  68 */
  69
  70/* [24-Feb-97 T. Schoebel-Theuer] Side effects caused by new implementation:
  71 * New symlink semantics: when open() is called with flags O_CREAT | O_EXCL
  72 * and the name already exists in form of a symlink, try to create the new
  73 * name indicated by the symlink. The old code always complained that the
  74 * name already exists, due to not following the symlink even if its target
  75 * is nonexistent.  The new semantics affects also mknod() and link() when
  76 * the name is a symlink pointing to a non-existent name.
  77 *
  78 * I don't know which semantics is the right one, since I have no access
  79 * to standards. But I found by trial that HP-UX 9.0 has the full "new"
  80 * semantics implemented, while SunOS 4.1.1 and Solaris (SunOS 5.4) have the
  81 * "old" one. Personally, I think the new semantics is much more logical.
  82 * Note that "ln old new" where "new" is a symlink pointing to a non-existing
  83 * file does succeed in both HP-UX and SunOs, but not in Solaris
  84 * and in the old Linux semantics.
  85 */
  86
  87/* [16-Dec-97 Kevin Buhr] For security reasons, we change some symlink
  88 * semantics.  See the comments in "open_namei" and "do_link" below.
  89 *
  90 * [10-Sep-98 Alan Modra] Another symlink change.
  91 */
  92
  93/* [Feb-Apr 2000 AV] Complete rewrite. Rules for symlinks:
  94 *      inside the path - always follow.
  95 *      in the last component in creation/removal/renaming - never follow.
  96 *      if LOOKUP_FOLLOW passed - follow.
  97 *      if the pathname has trailing slashes - follow.
  98 *      otherwise - don't follow.
  99 * (applied in that order).
 100 *
 101 * [Jun 2000 AV] Inconsistent behaviour of open() in case if flags==O_CREAT
 102 * restored for 2.4. This is the last surviving part of old 4.2BSD bug.
 103 * During the 2.4 we need to fix the userland stuff depending on it -
 104 * hopefully we will be able to get rid of that wart in 2.5. So far only
 105 * XEmacs seems to be relying on it...
 106 */
 107/*
 108 * [Sep 2001 AV] Single-semaphore locking scheme (kudos to David Holland)
 109 * implemented.  Let's see if raised priority of ->s_vfs_rename_mutex gives
 110 * any extra contention...
 111 */
 112
 113/* In order to reduce some races, while at the same time doing additional
 114 * checking and hopefully speeding things up, we copy filenames to the
 115 * kernel data space before using them..
 116 *
 117 * POSIX.1 2.4: an empty pathname is invalid (ENOENT).
 118 * PATH_MAX includes the nul terminator --RR.
 119 */
 120void final_putname(struct filename *name)
 121{
 122        if (name->separate) {
 123                __putname(name->name);
 124                kfree(name);
 125        } else {
 126                __putname(name);
 127        }
 128}
 129
 130#define EMBEDDED_NAME_MAX       (PATH_MAX - sizeof(struct filename))
 131
 132static struct filename *
 133getname_flags(const char __user *filename, int flags, int *empty)
 134{
 135        struct filename *result, *err;
 136        int len;
 137        long max;
 138        char *kname;
 139
 140        result = audit_reusename(filename);
 141        if (result)
 142                return result;
 143
 144        result = __getname();
 145        if (unlikely(!result))
 146                return ERR_PTR(-ENOMEM);
 147
 148        /*
 149         * First, try to embed the struct filename inside the names_cache
 150         * allocation
 151         */
 152        kname = (char *)result + sizeof(*result);
 153        result->name = kname;
 154        result->separate = false;
 155        max = EMBEDDED_NAME_MAX;
 156
 157recopy:
 158        len = strncpy_from_user(kname, filename, max);
 159        if (unlikely(len < 0)) {
 160                err = ERR_PTR(len);
 161                goto error;
 162        }
 163
 164        /*
 165         * Uh-oh. We have a name that's approaching PATH_MAX. Allocate a
 166         * separate struct filename so we can dedicate the entire
 167         * names_cache allocation for the pathname, and re-do the copy from
 168         * userland.
 169         */
 170        if (len == EMBEDDED_NAME_MAX && max == EMBEDDED_NAME_MAX) {
 171                kname = (char *)result;
 172
 173                result = kzalloc(sizeof(*result), GFP_KERNEL);
 174                if (!result) {
 175                        err = ERR_PTR(-ENOMEM);
 176                        result = (struct filename *)kname;
 177                        goto error;
 178                }
 179                result->name = kname;
 180                result->separate = true;
 181                max = PATH_MAX;
 182                goto recopy;
 183        }
 184
 185        /* The empty path is special. */
 186        if (unlikely(!len)) {
 187                if (empty)
 188                        *empty = 1;
 189                err = ERR_PTR(-ENOENT);
 190                if (!(flags & LOOKUP_EMPTY))
 191                        goto error;
 192        }
 193
 194        err = ERR_PTR(-ENAMETOOLONG);
 195        if (unlikely(len >= PATH_MAX))
 196                goto error;
 197
 198        result->uptr = filename;
 199        audit_getname(result);
 200        return result;
 201
 202error:
 203        final_putname(result);
 204        return err;
 205}
 206
 207struct filename *
 208getname(const char __user * filename)
 209{
 210        return getname_flags(filename, 0, NULL);
 211}
 212EXPORT_SYMBOL(getname);
 213
 214#ifdef CONFIG_AUDITSYSCALL
 215void putname(struct filename *name)
 216{
 217        if (unlikely(!audit_dummy_context()))
 218                return audit_putname(name);
 219        final_putname(name);
 220}
 221#endif
 222
 223static int check_acl(struct inode *inode, int mask)
 224{
 225#ifdef CONFIG_FS_POSIX_ACL
 226        struct posix_acl *acl;
 227
 228        if (mask & MAY_NOT_BLOCK) {
 229                acl = get_cached_acl_rcu(inode, ACL_TYPE_ACCESS);
 230                if (!acl)
 231                        return -EAGAIN;
 232                /* no ->get_acl() calls in RCU mode... */
 233                if (acl == ACL_NOT_CACHED)
 234                        return -ECHILD;
 235                return posix_acl_permission(inode, acl, mask & ~MAY_NOT_BLOCK);
 236        }
 237
 238        acl = get_cached_acl(inode, ACL_TYPE_ACCESS);
 239
 240        /*
 241         * A filesystem can force a ACL callback by just never filling the
 242         * ACL cache. But normally you'd fill the cache either at inode
 243         * instantiation time, or on the first ->get_acl call.
 244         *
 245         * If the filesystem doesn't have a get_acl() function at all, we'll
 246         * just create the negative cache entry.
 247         */
 248        if (acl == ACL_NOT_CACHED) {
 249                if (inode->i_op->get_acl) {
 250                        acl = inode->i_op->get_acl(inode, ACL_TYPE_ACCESS);
 251                        if (IS_ERR(acl))
 252                                return PTR_ERR(acl);
 253                } else {
 254                        set_cached_acl(inode, ACL_TYPE_ACCESS, NULL);
 255                        return -EAGAIN;
 256                }
 257        }
 258
 259        if (acl) {
 260                int error = posix_acl_permission(inode, acl, mask);
 261                posix_acl_release(acl);
 262                return error;
 263        }
 264#endif
 265
 266        return -EAGAIN;
 267}
 268
 269/*
 270 * This does the basic permission checking
 271 */
 272static int acl_permission_check(struct inode *inode, int mask)
 273{
 274        unsigned int mode = inode->i_mode;
 275
 276        if (likely(uid_eq(current_fsuid(), inode->i_uid)))
 277                mode >>= 6;
 278        else {
 279                if (IS_POSIXACL(inode) && (mode & S_IRWXG)) {
 280                        int error = check_acl(inode, mask);
 281                        if (error != -EAGAIN)
 282                                return error;
 283                }
 284
 285                if (in_group_p(inode->i_gid))
 286                        mode >>= 3;
 287        }
 288
 289        /*
 290         * If the DACs are ok we don't need any capability check.
 291         */
 292        if ((mask & ~mode & (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0)
 293                return 0;
 294        return -EACCES;
 295}
 296
 297/**
 298 * generic_permission -  check for access rights on a Posix-like filesystem
 299 * @inode:      inode to check access rights for
 300 * @mask:       right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC, ...)
 301 *
 302 * Used to check for read/write/execute permissions on a file.
 303 * We use "fsuid" for this, letting us set arbitrary permissions
 304 * for filesystem access without changing the "normal" uids which
 305 * are used for other things.
 306 *
 307 * generic_permission is rcu-walk aware. It returns -ECHILD in case an rcu-walk
 308 * request cannot be satisfied (eg. requires blocking or too much complexity).
 309 * It would then be called again in ref-walk mode.
 310 */
 311int generic_permission(struct inode *inode, int mask)
 312{
 313        int ret;
 314
 315        /*
 316         * Do the basic permission checks.
 317         */
 318        ret = acl_permission_check(inode, mask);
 319        if (ret != -EACCES)
 320                return ret;
 321
 322        if (S_ISDIR(inode->i_mode)) {
 323                /* DACs are overridable for directories */
 324                if (inode_capable(inode, CAP_DAC_OVERRIDE))
 325                        return 0;
 326                if (!(mask & MAY_WRITE))
 327                        if (inode_capable(inode, CAP_DAC_READ_SEARCH))
 328                                return 0;
 329                return -EACCES;
 330        }
 331        /*
 332         * Read/write DACs are always overridable.
 333         * Executable DACs are overridable when there is
 334         * at least one exec bit set.
 335         */
 336        if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
 337                if (inode_capable(inode, CAP_DAC_OVERRIDE))
 338                        return 0;
 339
 340        /*
 341         * Searching includes executable on directories, else just read.
 342         */
 343        mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
 344        if (mask == MAY_READ)
 345                if (inode_capable(inode, CAP_DAC_READ_SEARCH))
 346                        return 0;
 347
 348        return -EACCES;
 349}
 350
 351/*
 352 * We _really_ want to just do "generic_permission()" without
 353 * even looking at the inode->i_op values. So we keep a cache
 354 * flag in inode->i_opflags, that says "this has not special
 355 * permission function, use the fast case".
 356 */
 357static inline int do_inode_permission(struct inode *inode, int mask)
 358{
 359        if (unlikely(!(inode->i_opflags & IOP_FASTPERM))) {
 360                if (likely(inode->i_op->permission))
 361                        return inode->i_op->permission(inode, mask);
 362
 363                /* This gets set once for the inode lifetime */
 364                spin_lock(&inode->i_lock);
 365                inode->i_opflags |= IOP_FASTPERM;
 366                spin_unlock(&inode->i_lock);
 367        }
 368        return generic_permission(inode, mask);
 369}
 370
 371/**
 372 * __inode_permission - Check for access rights to a given inode
 373 * @inode: Inode to check permission on
 374 * @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
 375 *
 376 * Check for read/write/execute permissions on an inode.
 377 *
 378 * When checking for MAY_APPEND, MAY_WRITE must also be set in @mask.
 379 *
 380 * This does not check for a read-only file system.  You probably want
 381 * inode_permission().
 382 */
 383int __inode_permission(struct inode *inode, int mask)
 384{
 385        int retval;
 386
 387        if (unlikely(mask & MAY_WRITE)) {
 388                /*
 389                 * Nobody gets write access to an immutable file.
 390                 */
 391                if (IS_IMMUTABLE(inode))
 392                        return -EACCES;
 393        }
 394
 395        retval = do_inode_permission(inode, mask);
 396        if (retval)
 397                return retval;
 398
 399        retval = devcgroup_inode_permission(inode, mask);
 400        if (retval)
 401                return retval;
 402
 403        return security_inode_permission(inode, mask);
 404}
 405
 406/**
 407 * sb_permission - Check superblock-level permissions
 408 * @sb: Superblock of inode to check permission on
 409 * @inode: Inode to check permission on
 410 * @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
 411 *
 412 * Separate out file-system wide checks from inode-specific permission checks.
 413 */
 414static int sb_permission(struct super_block *sb, struct inode *inode, int mask)
 415{
 416        if (unlikely(mask & MAY_WRITE)) {
 417                umode_t mode = inode->i_mode;
 418
 419                /* Nobody gets write access to a read-only fs. */
 420                if ((sb->s_flags & MS_RDONLY) &&
 421                    (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode)))
 422                        return -EROFS;
 423        }
 424        return 0;
 425}
 426
 427/**
 428 * inode_permission - Check for access rights to a given inode
 429 * @inode: Inode to check permission on
 430 * @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
 431 *
 432 * Check for read/write/execute permissions on an inode.  We use fs[ug]id for
 433 * this, letting us set arbitrary permissions for filesystem access without
 434 * changing the "normal" UIDs which are used for other things.
 435 *
 436 * When checking for MAY_APPEND, MAY_WRITE must also be set in @mask.
 437 */
 438int inode_permission(struct inode *inode, int mask)
 439{
 440        int retval;
 441
 442        retval = sb_permission(inode->i_sb, inode, mask);
 443        if (retval)
 444                return retval;
 445        return __inode_permission(inode, mask);
 446}
 447
 448/**
 449 * path_get - get a reference to a path
 450 * @path: path to get the reference to
 451 *
 452 * Given a path increment the reference count to the dentry and the vfsmount.
 453 */
 454void path_get(struct path *path)
 455{
 456        mntget(path->mnt);
 457        dget(path->dentry);
 458}
 459EXPORT_SYMBOL(path_get);
 460
 461/**
 462 * path_put - put a reference to a path
 463 * @path: path to put the reference to
 464 *
 465 * Given a path decrement the reference count to the dentry and the vfsmount.
 466 */
 467void path_put(struct path *path)
 468{
 469        dput(path->dentry);
 470        mntput(path->mnt);
 471}
 472EXPORT_SYMBOL(path_put);
 473
 474/*
 475 * Path walking has 2 modes, rcu-walk and ref-walk (see
 476 * Documentation/filesystems/path-lookup.txt).  In situations when we can't
 477 * continue in RCU mode, we attempt to drop out of rcu-walk mode and grab
 478 * normal reference counts on dentries and vfsmounts to transition to rcu-walk
 479 * mode.  Refcounts are grabbed at the last known good point before rcu-walk
 480 * got stuck, so ref-walk may continue from there. If this is not successful
 481 * (eg. a seqcount has changed), then failure is returned and it's up to caller
 482 * to restart the path walk from the beginning in ref-walk mode.
 483 */
 484
 485static inline void lock_rcu_walk(void)
 486{
 487        br_read_lock(&vfsmount_lock);
 488        rcu_read_lock();
 489}
 490
 491static inline void unlock_rcu_walk(void)
 492{
 493        rcu_read_unlock();
 494        br_read_unlock(&vfsmount_lock);
 495}
 496
 497/**
 498 * unlazy_walk - try to switch to ref-walk mode.
 499 * @nd: nameidata pathwalk data
 500 * @dentry: child of nd->path.dentry or NULL
 501 * Returns: 0 on success, -ECHILD on failure
 502 *
 503 * unlazy_walk attempts to legitimize the current nd->path, nd->root and dentry
 504 * for ref-walk mode.  @dentry must be a path found by a do_lookup call on
 505 * @nd or NULL.  Must be called from rcu-walk context.
 506 */
 507static int unlazy_walk(struct nameidata *nd, struct dentry *dentry)
 508{
 509        struct fs_struct *fs = current->fs;
 510        struct dentry *parent = nd->path.dentry;
 511        int want_root = 0;
 512
 513        BUG_ON(!(nd->flags & LOOKUP_RCU));
 514        if (nd->root.mnt && !(nd->flags & LOOKUP_ROOT)) {
 515                want_root = 1;
 516                spin_lock(&fs->lock);
 517                if (nd->root.mnt != fs->root.mnt ||
 518                                nd->root.dentry != fs->root.dentry)
 519                        goto err_root;
 520        }
 521        spin_lock(&parent->d_lock);
 522        if (!dentry) {
 523                if (!__d_rcu_to_refcount(parent, nd->seq))
 524                        goto err_parent;
 525                BUG_ON(nd->inode != parent->d_inode);
 526        } else {
 527                if (dentry->d_parent != parent)
 528                        goto err_parent;
 529                spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
 530                if (!__d_rcu_to_refcount(dentry, nd->seq))
 531                        goto err_child;
 532                /*
 533                 * If the sequence check on the child dentry passed, then
 534                 * the child has not been removed from its parent. This
 535                 * means the parent dentry must be valid and able to take
 536                 * a reference at this point.
 537                 */
 538                BUG_ON(!IS_ROOT(dentry) && dentry->d_parent != parent);
 539                BUG_ON(!parent->d_count);
 540                parent->d_count++;
 541                spin_unlock(&dentry->d_lock);
 542        }
 543        spin_unlock(&parent->d_lock);
 544        if (want_root) {
 545                path_get(&nd->root);
 546                spin_unlock(&fs->lock);
 547        }
 548        mntget(nd->path.mnt);
 549
 550        unlock_rcu_walk();
 551        nd->flags &= ~LOOKUP_RCU;
 552        return 0;
 553
 554err_child:
 555        spin_unlock(&dentry->d_lock);
 556err_parent:
 557        spin_unlock(&parent->d_lock);
 558err_root:
 559        if (want_root)
 560                spin_unlock(&fs->lock);
 561        return -ECHILD;
 562}
 563
 564static inline int d_revalidate(struct dentry *dentry, unsigned int flags)
 565{
 566        return dentry->d_op->d_revalidate(dentry, flags);
 567}
 568
 569/**
 570 * complete_walk - successful completion of path walk
 571 * @nd:  pointer nameidata
 572 *
 573 * If we had been in RCU mode, drop out of it and legitimize nd->path.
 574 * Revalidate the final result, unless we'd already done that during
 575 * the path walk or the filesystem doesn't ask for it.  Return 0 on
 576 * success, -error on failure.  In case of failure caller does not
 577 * need to drop nd->path.
 578 */
 579static int complete_walk(struct nameidata *nd)
 580{
 581        struct dentry *dentry = nd->path.dentry;
 582        int status;
 583
 584        if (nd->flags & LOOKUP_RCU) {
 585                nd->flags &= ~LOOKUP_RCU;
 586                if (!(nd->flags & LOOKUP_ROOT))
 587                        nd->root.mnt = NULL;
 588                spin_lock(&dentry->d_lock);
 589                if (unlikely(!__d_rcu_to_refcount(dentry, nd->seq))) {
 590                        spin_unlock(&dentry->d_lock);
 591                        unlock_rcu_walk();
 592                        return -ECHILD;
 593                }
 594                BUG_ON(nd->inode != dentry->d_inode);
 595                spin_unlock(&dentry->d_lock);
 596                mntget(nd->path.mnt);
 597                unlock_rcu_walk();
 598        }
 599
 600        if (likely(!(nd->flags & LOOKUP_JUMPED)))
 601                return 0;
 602
 603        if (likely(!(dentry->d_flags & DCACHE_OP_REVALIDATE)))
 604                return 0;
 605
 606        if (likely(!(dentry->d_sb->s_type->fs_flags & FS_REVAL_DOT)))
 607                return 0;
 608
 609        /* Note: we do not d_invalidate() */
 610        status = d_revalidate(dentry, nd->flags);
 611        if (status > 0)
 612                return 0;
 613
 614        if (!status)
 615                status = -ESTALE;
 616
 617        path_put(&nd->path);
 618        return status;
 619}
 620
 621static __always_inline void set_root(struct nameidata *nd)
 622{
 623        if (!nd->root.mnt)
 624                get_fs_root(current->fs, &nd->root);
 625}
 626
 627static int link_path_walk(const char *, struct nameidata *);
 628
 629static __always_inline void set_root_rcu(struct nameidata *nd)
 630{
 631        if (!nd->root.mnt) {
 632                struct fs_struct *fs = current->fs;
 633                unsigned seq;
 634
 635                do {
 636                        seq = read_seqcount_begin(&fs->seq);
 637                        nd->root = fs->root;
 638                        nd->seq = __read_seqcount_begin(&nd->root.dentry->d_seq);
 639                } while (read_seqcount_retry(&fs->seq, seq));
 640        }
 641}
 642
 643static __always_inline int __vfs_follow_link(struct nameidata *nd, const char *link)
 644{
 645        int ret;
 646
 647        if (IS_ERR(link))
 648                goto fail;
 649
 650        if (*link == '/') {
 651                set_root(nd);
 652                path_put(&nd->path);
 653                nd->path = nd->root;
 654                path_get(&nd->root);
 655                nd->flags |= LOOKUP_JUMPED;
 656        }
 657        nd->inode = nd->path.dentry->d_inode;
 658
 659        ret = link_path_walk(link, nd);
 660        return ret;
 661fail:
 662        path_put(&nd->path);
 663        return PTR_ERR(link);
 664}
 665
 666static void path_put_conditional(struct path *path, struct nameidata *nd)
 667{
 668        dput(path->dentry);
 669        if (path->mnt != nd->path.mnt)
 670                mntput(path->mnt);
 671}
 672
 673static inline void path_to_nameidata(const struct path *path,
 674                                        struct nameidata *nd)
 675{
 676        if (!(nd->flags & LOOKUP_RCU)) {
 677                dput(nd->path.dentry);
 678                if (nd->path.mnt != path->mnt)
 679                        mntput(nd->path.mnt);
 680        }
 681        nd->path.mnt = path->mnt;
 682        nd->path.dentry = path->dentry;
 683}
 684
 685/*
 686 * Helper to directly jump to a known parsed path from ->follow_link,
 687 * caller must have taken a reference to path beforehand.
 688 */
 689void nd_jump_link(struct nameidata *nd, struct path *path)
 690{
 691        path_put(&nd->path);
 692
 693        nd->path = *path;
 694        nd->inode = nd->path.dentry->d_inode;
 695        nd->flags |= LOOKUP_JUMPED;
 696}
 697
 698static inline void put_link(struct nameidata *nd, struct path *link, void *cookie)
 699{
 700        struct inode *inode = link->dentry->d_inode;
 701        if (inode->i_op->put_link)
 702                inode->i_op->put_link(link->dentry, nd, cookie);
 703        path_put(link);
 704}
 705
 706int sysctl_protected_symlinks __read_mostly = 0;
 707int sysctl_protected_hardlinks __read_mostly = 0;
 708
 709/**
 710 * may_follow_link - Check symlink following for unsafe situations
 711 * @link: The path of the symlink
 712 * @nd: nameidata pathwalk data
 713 *
 714 * In the case of the sysctl_protected_symlinks sysctl being enabled,
 715 * CAP_DAC_OVERRIDE needs to be specifically ignored if the symlink is
 716 * in a sticky world-writable directory. This is to protect privileged
 717 * processes from failing races against path names that may change out
 718 * from under them by way of other users creating malicious symlinks.
 719 * It will permit symlinks to be followed only when outside a sticky
 720 * world-writable directory, or when the uid of the symlink and follower
 721 * match, or when the directory owner matches the symlink's owner.
 722 *
 723 * Returns 0 if following the symlink is allowed, -ve on error.
 724 */
 725static inline int may_follow_link(struct path *link, struct nameidata *nd)
 726{
 727        const struct inode *inode;
 728        const struct inode *parent;
 729
 730        if (!sysctl_protected_symlinks)
 731                return 0;
 732
 733        /* Allowed if owner and follower match. */
 734        inode = link->dentry->d_inode;
 735        if (uid_eq(current_cred()->fsuid, inode->i_uid))
 736                return 0;
 737
 738        /* Allowed if parent directory not sticky and world-writable. */
 739        parent = nd->path.dentry->d_inode;
 740        if ((parent->i_mode & (S_ISVTX|S_IWOTH)) != (S_ISVTX|S_IWOTH))
 741                return 0;
 742
 743        /* Allowed if parent directory and link owner match. */
 744        if (uid_eq(parent->i_uid, inode->i_uid))
 745                return 0;
 746
 747        audit_log_link_denied("follow_link", link);
 748        path_put_conditional(link, nd);
 749        path_put(&nd->path);
 750        return -EACCES;
 751}
 752
 753/**
 754 * safe_hardlink_source - Check for safe hardlink conditions
 755 * @inode: the source inode to hardlink from
 756 *
 757 * Return false if at least one of the following conditions:
 758 *    - inode is not a regular file
 759 *    - inode is setuid
 760 *    - inode is setgid and group-exec
 761 *    - access failure for read and write
 762 *
 763 * Otherwise returns true.
 764 */
 765static bool safe_hardlink_source(struct inode *inode)
 766{
 767        umode_t mode = inode->i_mode;
 768
 769        /* Special files should not get pinned to the filesystem. */
 770        if (!S_ISREG(mode))
 771                return false;
 772
 773        /* Setuid files should not get pinned to the filesystem. */
 774        if (mode & S_ISUID)
 775                return false;
 776
 777        /* Executable setgid files should not get pinned to the filesystem. */
 778        if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
 779                return false;
 780
 781        /* Hardlinking to unreadable or unwritable sources is dangerous. */
 782        if (inode_permission(inode, MAY_READ | MAY_WRITE))
 783                return false;
 784
 785        return true;
 786}
 787
 788/**
 789 * may_linkat - Check permissions for creating a hardlink
 790 * @link: the source to hardlink from
 791 *
 792 * Block hardlink when all of:
 793 *  - sysctl_protected_hardlinks enabled
 794 *  - fsuid does not match inode
 795 *  - hardlink source is unsafe (see safe_hardlink_source() above)
 796 *  - not CAP_FOWNER
 797 *
 798 * Returns 0 if successful, -ve on error.
 799 */
 800static int may_linkat(struct path *link)
 801{
 802        const struct cred *cred;
 803        struct inode *inode;
 804
 805        if (!sysctl_protected_hardlinks)
 806                return 0;
 807
 808        cred = current_cred();
 809        inode = link->dentry->d_inode;
 810
 811        /* Source inode owner (or CAP_FOWNER) can hardlink all they like,
 812         * otherwise, it must be a safe source.
 813         */
 814        if (uid_eq(cred->fsuid, inode->i_uid) || safe_hardlink_source(inode) ||
 815            capable(CAP_FOWNER))
 816                return 0;
 817
 818        audit_log_link_denied("linkat", link);
 819        return -EPERM;
 820}
 821
 822static __always_inline int
 823follow_link(struct path *link, struct nameidata *nd, void **p)
 824{
 825        struct dentry *dentry = link->dentry;
 826        int error;
 827        char *s;
 828
 829        BUG_ON(nd->flags & LOOKUP_RCU);
 830
 831        if (link->mnt == nd->path.mnt)
 832                mntget(link->mnt);
 833
 834        error = -ELOOP;
 835        if (unlikely(current->total_link_count >= 40))
 836                goto out_put_nd_path;
 837
 838        cond_resched();
 839        current->total_link_count++;
 840
 841        touch_atime(link);
 842        nd_set_link(nd, NULL);
 843
 844        error = security_inode_follow_link(link->dentry, nd);
 845        if (error)
 846                goto out_put_nd_path;
 847
 848        nd->last_type = LAST_BIND;
 849        *p = dentry->d_inode->i_op->follow_link(dentry, nd);
 850        error = PTR_ERR(*p);
 851        if (IS_ERR(*p))
 852                goto out_put_nd_path;
 853
 854        error = 0;
 855        s = nd_get_link(nd);
 856        if (s) {
 857                error = __vfs_follow_link(nd, s);
 858                if (unlikely(error))
 859                        put_link(nd, link, *p);
 860        }
 861
 862        return error;
 863
 864out_put_nd_path:
 865        *p = NULL;
 866        path_put(&nd->path);
 867        path_put(link);
 868        return error;
 869}
 870
 871static int follow_up_rcu(struct path *path)
 872{
 873        struct mount *mnt = real_mount(path->mnt);
 874        struct mount *parent;
 875        struct dentry *mountpoint;
 876
 877        parent = mnt->mnt_parent;
 878        if (&parent->mnt == path->mnt)
 879                return 0;
 880        mountpoint = mnt->mnt_mountpoint;
 881        path->dentry = mountpoint;
 882        path->mnt = &parent->mnt;
 883        return 1;
 884}
 885
 886/*
 887 * follow_up - Find the mountpoint of path's vfsmount
 888 *
 889 * Given a path, find the mountpoint of its source file system.
 890 * Replace @path with the path of the mountpoint in the parent mount.
 891 * Up is towards /.
 892 *
 893 * Return 1 if we went up a level and 0 if we were already at the
 894 * root.
 895 */
 896int follow_up(struct path *path)
 897{
 898        struct mount *mnt = real_mount(path->mnt);
 899        struct mount *parent;
 900        struct dentry *mountpoint;
 901
 902        br_read_lock(&vfsmount_lock);
 903        parent = mnt->mnt_parent;
 904        if (parent == mnt) {
 905                br_read_unlock(&vfsmount_lock);
 906                return 0;
 907        }
 908        mntget(&parent->mnt);
 909        mountpoint = dget(mnt->mnt_mountpoint);
 910        br_read_unlock(&vfsmount_lock);
 911        dput(path->dentry);
 912        path->dentry = mountpoint;
 913        mntput(path->mnt);
 914        path->mnt = &parent->mnt;
 915        return 1;
 916}
 917
 918/*
 919 * Perform an automount
 920 * - return -EISDIR to tell follow_managed() to stop and return the path we
 921 *   were called with.
 922 */
 923static int follow_automount(struct path *path, unsigned flags,
 924                            bool *need_mntput)
 925{
 926        struct vfsmount *mnt;
 927        int err;
 928
 929        if (!path->dentry->d_op || !path->dentry->d_op->d_automount)
 930                return -EREMOTE;
 931
 932        /* We don't want to mount if someone's just doing a stat -
 933         * unless they're stat'ing a directory and appended a '/' to
 934         * the name.
 935         *
 936         * We do, however, want to mount if someone wants to open or
 937         * create a file of any type under the mountpoint, wants to
 938         * traverse through the mountpoint or wants to open the
 939         * mounted directory.  Also, autofs may mark negative dentries
 940         * as being automount points.  These will need the attentions
 941         * of the daemon to instantiate them before they can be used.
 942         */
 943        if (!(flags & (LOOKUP_PARENT | LOOKUP_DIRECTORY |
 944                     LOOKUP_OPEN | LOOKUP_CREATE | LOOKUP_AUTOMOUNT)) &&
 945            path->dentry->d_inode)
 946                return -EISDIR;
 947
 948        current->total_link_count++;
 949        if (current->total_link_count >= 40)
 950                return -ELOOP;
 951
 952        mnt = path->dentry->d_op->d_automount(path);
 953        if (IS_ERR(mnt)) {
 954                /*
 955                 * The filesystem is allowed to return -EISDIR here to indicate
 956                 * it doesn't want to automount.  For instance, autofs would do
 957                 * this so that its userspace daemon can mount on this dentry.
 958                 *
 959                 * However, we can only permit this if it's a terminal point in
 960                 * the path being looked up; if it wasn't then the remainder of
 961                 * the path is inaccessible and we should say so.
 962                 */
 963                if (PTR_ERR(mnt) == -EISDIR && (flags & LOOKUP_PARENT))
 964                        return -EREMOTE;
 965                return PTR_ERR(mnt);
 966        }
 967
 968        if (!mnt) /* mount collision */
 969                return 0;
 970
 971        if (!*need_mntput) {
 972                /* lock_mount() may release path->mnt on error */
 973                mntget(path->mnt);
 974                *need_mntput = true;
 975        }
 976        err = finish_automount(mnt, path);
 977
 978        switch (err) {
 979        case -EBUSY:
 980                /* Someone else made a mount here whilst we were busy */
 981                return 0;
 982        case 0:
 983                path_put(path);
 984                path->mnt = mnt;
 985                path->dentry = dget(mnt->mnt_root);
 986                return 0;
 987        default:
 988                return err;
 989        }
 990
 991}
 992
 993/*
 994 * Handle a dentry that is managed in some way.
 995 * - Flagged for transit management (autofs)
 996 * - Flagged as mountpoint
 997 * - Flagged as automount point
 998 *
 999 * This may only be called in refwalk mode.
1000 *
1001 * Serialization is taken care of in namespace.c
1002 */
1003static int follow_managed(struct path *path, unsigned flags)
1004{
1005        struct vfsmount *mnt = path->mnt; /* held by caller, must be left alone */
1006        unsigned managed;
1007        bool need_mntput = false;
1008        int ret = 0;
1009
1010        /* Given that we're not holding a lock here, we retain the value in a
1011         * local variable for each dentry as we look at it so that we don't see
1012         * the components of that value change under us */
1013        while (managed = ACCESS_ONCE(path->dentry->d_flags),
1014               managed &= DCACHE_MANAGED_DENTRY,
1015               unlikely(managed != 0)) {
1016                /* Allow the filesystem to manage the transit without i_mutex
1017                 * being held. */
1018                if (managed & DCACHE_MANAGE_TRANSIT) {
1019                        BUG_ON(!path->dentry->d_op);
1020                        BUG_ON(!path->dentry->d_op->d_manage);
1021                        ret = path->dentry->d_op->d_manage(path->dentry, false);
1022                        if (ret < 0)
1023                                break;
1024                }
1025
1026                /* Transit to a mounted filesystem. */
1027                if (managed & DCACHE_MOUNTED) {
1028                        struct vfsmount *mounted = lookup_mnt(path);
1029                        if (mounted) {
1030                                dput(path->dentry);
1031                                if (need_mntput)
1032                                        mntput(path->mnt);
1033                                path->mnt = mounted;
1034                                path->dentry = dget(mounted->mnt_root);
1035                                need_mntput = true;
1036                                continue;
1037                        }
1038
1039                        /* Something is mounted on this dentry in another
1040                         * namespace and/or whatever was mounted there in this
1041                         * namespace got unmounted before we managed to get the
1042                         * vfsmount_lock */
1043                }
1044
1045                /* Handle an automount point */
1046                if (managed & DCACHE_NEED_AUTOMOUNT) {
1047                        ret = follow_automount(path, flags, &need_mntput);
1048                        if (ret < 0)
1049                                break;
1050                        continue;
1051                }
1052
1053                /* We didn't change the current path point */
1054                break;
1055        }
1056
1057        if (need_mntput && path->mnt == mnt)
1058                mntput(path->mnt);
1059        if (ret == -EISDIR)
1060                ret = 0;
1061        return ret < 0 ? ret : need_mntput;
1062}
1063
1064int follow_down_one(struct path *path)
1065{
1066        struct vfsmount *mounted;
1067
1068        mounted = lookup_mnt(path);
1069        if (mounted) {
1070                dput(path->dentry);
1071                mntput(path->mnt);
1072                path->mnt = mounted;
1073                path->dentry = dget(mounted->mnt_root);
1074                return 1;
1075        }
1076        return 0;
1077}
1078
1079static inline bool managed_dentry_might_block(struct dentry *dentry)
1080{
1081        return (dentry->d_flags & DCACHE_MANAGE_TRANSIT &&
1082                dentry->d_op->d_manage(dentry, true) < 0);
1083}
1084
1085/*
1086 * Try to skip to top of mountpoint pile in rcuwalk mode.  Fail if
1087 * we meet a managed dentry that would need blocking.
1088 */
1089static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
1090                               struct inode **inode)
1091{
1092        for (;;) {
1093                struct mount *mounted;
1094                /*
1095                 * Don't forget we might have a non-mountpoint managed dentry
1096                 * that wants to block transit.
1097                 */
1098                if (unlikely(managed_dentry_might_block(path->dentry)))
1099                        return false;
1100
1101                if (!d_mountpoint(path->dentry))
1102                        break;
1103
1104                mounted = __lookup_mnt(path->mnt, path->dentry, 1);
1105                if (!mounted)
1106                        break;
1107                path->mnt = &mounted->mnt;
1108                path->dentry = mounted->mnt.mnt_root;
1109                nd->flags |= LOOKUP_JUMPED;
1110                nd->seq = read_seqcount_begin(&path->dentry->d_seq);
1111                /*
1112                 * Update the inode too. We don't need to re-check the
1113                 * dentry sequence number here after this d_inode read,
1114                 * because a mount-point is always pinned.
1115                 */
1116                *inode = path->dentry->d_inode;
1117        }
1118        return true;
1119}
1120
1121static void follow_mount_rcu(struct nameidata *nd)
1122{
1123        while (d_mountpoint(nd->path.dentry)) {
1124                struct mount *mounted;
1125                mounted = __lookup_mnt(nd->path.mnt, nd->path.dentry, 1);
1126                if (!mounted)
1127                        break;
1128                nd->path.mnt = &mounted->mnt;
1129                nd->path.dentry = mounted->mnt.mnt_root;
1130                nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq);
1131        }
1132}
1133
1134static int follow_dotdot_rcu(struct nameidata *nd)
1135{
1136        set_root_rcu(nd);
1137
1138        while (1) {
1139                if (nd->path.dentry == nd->root.dentry &&
1140                    nd->path.mnt == nd->root.mnt) {
1141                        break;
1142                }
1143                if (nd->path.dentry != nd->path.mnt->mnt_root) {
1144                        struct dentry *old = nd->path.dentry;
1145                        struct dentry *parent = old->d_parent;
1146                        unsigned seq;
1147
1148                        seq = read_seqcount_begin(&parent->d_seq);
1149                        if (read_seqcount_retry(&old->d_seq, nd->seq))
1150                                goto failed;
1151                        nd->path.dentry = parent;
1152                        nd->seq = seq;
1153                        break;
1154                }
1155                if (!follow_up_rcu(&nd->path))
1156                        break;
1157                nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq);
1158        }
1159        follow_mount_rcu(nd);
1160        nd->inode = nd->path.dentry->d_inode;
1161        return 0;
1162
1163failed:
1164        nd->flags &= ~LOOKUP_RCU;
1165        if (!(nd->flags & LOOKUP_ROOT))
1166                nd->root.mnt = NULL;
1167        unlock_rcu_walk();
1168        return -ECHILD;
1169}
1170
1171/*
1172 * Follow down to the covering mount currently visible to userspace.  At each
1173 * point, the filesystem owning that dentry may be queried as to whether the
1174 * caller is permitted to proceed or not.
1175 */
1176int follow_down(struct path *path)
1177{
1178        unsigned managed;
1179        int ret;
1180
1181        while (managed = ACCESS_ONCE(path->dentry->d_flags),
1182               unlikely(managed & DCACHE_MANAGED_DENTRY)) {
1183                /* Allow the filesystem to manage the transit without i_mutex
1184                 * being held.
1185                 *
1186                 * We indicate to the filesystem if someone is trying to mount
1187                 * something here.  This gives autofs the chance to deny anyone
1188                 * other than its daemon the right to mount on its
1189                 * superstructure.
1190                 *
1191                 * The filesystem may sleep at this point.
1192                 */
1193                if (managed & DCACHE_MANAGE_TRANSIT) {
1194                        BUG_ON(!path->dentry->d_op);
1195                        BUG_ON(!path->dentry->d_op->d_manage);
1196                        ret = path->dentry->d_op->d_manage(
1197                                path->dentry, false);
1198                        if (ret < 0)
1199                                return ret == -EISDIR ? 0 : ret;
1200                }
1201
1202                /* Transit to a mounted filesystem. */
1203                if (managed & DCACHE_MOUNTED) {
1204                        struct vfsmount *mounted = lookup_mnt(path);
1205                        if (!mounted)
1206                                break;
1207                        dput(path->dentry);
1208                        mntput(path->mnt);
1209                        path->mnt = mounted;
1210                        path->dentry = dget(mounted->mnt_root);
1211                        continue;
1212                }
1213
1214                /* Don't handle automount points here */
1215                break;
1216        }
1217        return 0;
1218}
1219
1220/*
1221 * Skip to top of mountpoint pile in refwalk mode for follow_dotdot()
1222 */
1223static void follow_mount(struct path *path)
1224{
1225        while (d_mountpoint(path->dentry)) {
1226                struct vfsmount *mounted = lookup_mnt(path);
1227                if (!mounted)
1228                        break;
1229                dput(path->dentry);
1230                mntput(path->mnt);
1231                path->mnt = mounted;
1232                path->dentry = dget(mounted->mnt_root);
1233        }
1234}
1235
1236static void follow_dotdot(struct nameidata *nd)
1237{
1238        set_root(nd);
1239
1240        while(1) {
1241                struct dentry *old = nd->path.dentry;
1242
1243                if (nd->path.dentry == nd->root.dentry &&
1244                    nd->path.mnt == nd->root.mnt) {
1245                        break;
1246                }
1247                if (nd->path.dentry != nd->path.mnt->mnt_root) {
1248                        /* rare case of legitimate dget_parent()... */
1249                        nd->path.dentry = dget_parent(nd->path.dentry);
1250                        dput(old);
1251                        break;
1252                }
1253                if (!follow_up(&nd->path))
1254                        break;
1255        }
1256        follow_mount(&nd->path);
1257        nd->inode = nd->path.dentry->d_inode;
1258}
1259
1260/*
1261 * This looks up the name in dcache, possibly revalidates the old dentry and
1262 * allocates a new one if not found or not valid.  In the need_lookup argument
1263 * returns whether i_op->lookup is necessary.
1264 *
1265 * dir->d_inode->i_mutex must be held
1266 */
1267static struct dentry *lookup_dcache(struct qstr *name, struct dentry *dir,
1268                                    unsigned int flags, bool *need_lookup)
1269{
1270        struct dentry *dentry;
1271        int error;
1272
1273        *need_lookup = false;
1274        dentry = d_lookup(dir, name);
1275        if (dentry) {
1276                if (dentry->d_flags & DCACHE_OP_REVALIDATE) {
1277                        error = d_revalidate(dentry, flags);
1278                        if (unlikely(error <= 0)) {
1279                                if (error < 0) {
1280                                        dput(dentry);
1281                                        return ERR_PTR(error);
1282                                } else if (!d_invalidate(dentry)) {
1283                                        dput(dentry);
1284                                        dentry = NULL;
1285                                }
1286                        }
1287                }
1288        }
1289
1290        if (!dentry) {
1291                dentry = d_alloc(dir, name);
1292                if (unlikely(!dentry))
1293                        return ERR_PTR(-ENOMEM);
1294
1295                *need_lookup = true;
1296        }
1297        return dentry;
1298}
1299
1300/*
1301 * Call i_op->lookup on the dentry.  The dentry must be negative but may be
1302 * hashed if it was pouplated with DCACHE_NEED_LOOKUP.
1303 *
1304 * dir->d_inode->i_mutex must be held
1305 */
1306static struct dentry *lookup_real(struct inode *dir, struct dentry *dentry,
1307                                  unsigned int flags)
1308{
1309        struct dentry *old;
1310
1311        /* Don't create child dentry for a dead directory. */
1312        if (unlikely(IS_DEADDIR(dir))) {
1313                dput(dentry);
1314                return ERR_PTR(-ENOENT);
1315        }
1316
1317        old = dir->i_op->lookup(dir, dentry, flags);
1318        if (unlikely(old)) {
1319                dput(dentry);
1320                dentry = old;
1321        }
1322        return dentry;
1323}
1324
1325static struct dentry *__lookup_hash(struct qstr *name,
1326                struct dentry *base, unsigned int flags)
1327{
1328        bool need_lookup;
1329        struct dentry *dentry;
1330
1331        dentry = lookup_dcache(name, base, flags, &need_lookup);
1332        if (!need_lookup)
1333                return dentry;
1334
1335        return lookup_real(base->d_inode, dentry, flags);
1336}
1337
1338/*
1339 *  It's more convoluted than I'd like it to be, but... it's still fairly
1340 *  small and for now I'd prefer to have fast path as straight as possible.
1341 *  It _is_ time-critical.
1342 */
1343static int lookup_fast(struct nameidata *nd, struct qstr *name,
1344                       struct path *path, struct inode **inode)
1345{
1346        struct vfsmount *mnt = nd->path.mnt;
1347        struct dentry *dentry, *parent = nd->path.dentry;
1348        int need_reval = 1;
1349        int status = 1;
1350        int err;
1351
1352        /*
1353         * Rename seqlock is not required here because in the off chance
1354         * of a false negative due to a concurrent rename, we're going to
1355         * do the non-racy lookup, below.
1356         */
1357        if (nd->flags & LOOKUP_RCU) {
1358                unsigned seq;
1359                dentry = __d_lookup_rcu(parent, name, &seq, nd->inode);
1360                if (!dentry)
1361                        goto unlazy;
1362
1363                /*
1364                 * This sequence count validates that the inode matches
1365                 * the dentry name information from lookup.
1366                 */
1367                *inode = dentry->d_inode;
1368                if (read_seqcount_retry(&dentry->d_seq, seq))
1369                        return -ECHILD;
1370
1371                /*
1372                 * This sequence count validates that the parent had no
1373                 * changes while we did the lookup of the dentry above.
1374                 *
1375                 * The memory barrier in read_seqcount_begin of child is
1376                 *  enough, we can use __read_seqcount_retry here.
1377                 */
1378                if (__read_seqcount_retry(&parent->d_seq, nd->seq))
1379                        return -ECHILD;
1380                nd->seq = seq;
1381
1382                if (unlikely(dentry->d_flags & DCACHE_OP_REVALIDATE)) {
1383                        status = d_revalidate(dentry, nd->flags);
1384                        if (unlikely(status <= 0)) {
1385                                if (status != -ECHILD)
1386                                        need_reval = 0;
1387                                goto unlazy;
1388                        }
1389                }
1390                path->mnt = mnt;
1391                path->dentry = dentry;
1392                if (unlikely(!__follow_mount_rcu(nd, path, inode)))
1393                        goto unlazy;
1394                if (unlikely(path->dentry->d_flags & DCACHE_NEED_AUTOMOUNT))
1395                        goto unlazy;
1396                return 0;
1397unlazy:
1398                if (unlazy_walk(nd, dentry))
1399                        return -ECHILD;
1400        } else {
1401                dentry = __d_lookup(parent, name);
1402        }
1403
1404        if (unlikely(!dentry))
1405                goto need_lookup;
1406
1407        if (unlikely(dentry->d_flags & DCACHE_OP_REVALIDATE) && need_reval)
1408                status = d_revalidate(dentry, nd->flags);
1409        if (unlikely(status <= 0)) {
1410                if (status < 0) {
1411                        dput(dentry);
1412                        return status;
1413                }
1414                if (!d_invalidate(dentry)) {
1415                        dput(dentry);
1416                        goto need_lookup;
1417                }
1418        }
1419
1420        path->mnt = mnt;
1421        path->dentry = dentry;
1422        err = follow_managed(path, nd->flags);
1423        if (unlikely(err < 0)) {
1424                path_put_conditional(path, nd);
1425                return err;
1426        }
1427        if (err)
1428                nd->flags |= LOOKUP_JUMPED;
1429        *inode = path->dentry->d_inode;
1430        return 0;
1431
1432need_lookup:
1433        return 1;
1434}
1435
1436/* Fast lookup failed, do it the slow way */
1437static int lookup_slow(struct nameidata *nd, struct qstr *name,
1438                       struct path *path)
1439{
1440        struct dentry *dentry, *parent;
1441        int err;
1442
1443        parent = nd->path.dentry;
1444        BUG_ON(nd->inode != parent->d_inode);
1445
1446        mutex_lock(&parent->d_inode->i_mutex);
1447        dentry = __lookup_hash(name, parent, nd->flags);
1448        mutex_unlock(&parent->d_inode->i_mutex);
1449        if (IS_ERR(dentry))
1450                return PTR_ERR(dentry);
1451        path->mnt = nd->path.mnt;
1452        path->dentry = dentry;
1453        err = follow_managed(path, nd->flags);
1454        if (unlikely(err < 0)) {
1455                path_put_conditional(path, nd);
1456                return err;
1457        }
1458        if (err)
1459                nd->flags |= LOOKUP_JUMPED;
1460        return 0;
1461}
1462
1463static inline int may_lookup(struct nameidata *nd)
1464{
1465        if (nd->flags & LOOKUP_RCU) {
1466                int err = inode_permission(nd->inode, MAY_EXEC|MAY_NOT_BLOCK);
1467                if (err != -ECHILD)
1468                        return err;
1469                if (unlazy_walk(nd, NULL))
1470                        return -ECHILD;
1471        }
1472        return inode_permission(nd->inode, MAY_EXEC);
1473}
1474
1475static inline int handle_dots(struct nameidata *nd, int type)
1476{
1477        if (type == LAST_DOTDOT) {
1478                if (nd->flags & LOOKUP_RCU) {
1479                        if (follow_dotdot_rcu(nd))
1480                                return -ECHILD;
1481                } else
1482                        follow_dotdot(nd);
1483        }
1484        return 0;
1485}
1486
1487static void terminate_walk(struct nameidata *nd)
1488{
1489        if (!(nd->flags & LOOKUP_RCU)) {
1490                path_put(&nd->path);
1491        } else {
1492                nd->flags &= ~LOOKUP_RCU;
1493                if (!(nd->flags & LOOKUP_ROOT))
1494                        nd->root.mnt = NULL;
1495                unlock_rcu_walk();
1496        }
1497}
1498
1499/*
1500 * Do we need to follow links? We _really_ want to be able
1501 * to do this check without having to look at inode->i_op,
1502 * so we keep a cache of "no, this doesn't need follow_link"
1503 * for the common case.
1504 */
1505static inline int should_follow_link(struct inode *inode, int follow)
1506{
1507        if (unlikely(!(inode->i_opflags & IOP_NOFOLLOW))) {
1508                if (likely(inode->i_op->follow_link))
1509                        return follow;
1510
1511                /* This gets set once for the inode lifetime */
1512                spin_lock(&inode->i_lock);
1513                inode->i_opflags |= IOP_NOFOLLOW;
1514                spin_unlock(&inode->i_lock);
1515        }
1516        return 0;
1517}
1518
1519static inline int walk_component(struct nameidata *nd, struct path *path,
1520                struct qstr *name, int type, int follow)
1521{
1522        struct inode *inode;
1523        int err;
1524        /*
1525         * "." and ".." are special - ".." especially so because it has
1526         * to be able to know about the current root directory and
1527         * parent relationships.
1528         */
1529        if (unlikely(type != LAST_NORM))
1530                return handle_dots(nd, type);
1531        err = lookup_fast(nd, name, path, &inode);
1532        if (unlikely(err)) {
1533                if (err < 0)
1534                        goto out_err;
1535
1536                err = lookup_slow(nd, name, path);
1537                if (err < 0)
1538                        goto out_err;
1539
1540                inode = path->dentry->d_inode;
1541        }
1542        err = -ENOENT;
1543        if (!inode)
1544                goto out_path_put;
1545
1546        if (should_follow_link(inode, follow)) {
1547                if (nd->flags & LOOKUP_RCU) {
1548                        if (unlikely(unlazy_walk(nd, path->dentry))) {
1549                                err = -ECHILD;
1550                                goto out_err;
1551                        }
1552                }
1553                BUG_ON(inode != path->dentry->d_inode);
1554                return 1;
1555        }
1556        path_to_nameidata(path, nd);
1557        nd->inode = inode;
1558        return 0;
1559
1560out_path_put:
1561        path_to_nameidata(path, nd);
1562out_err:
1563        terminate_walk(nd);
1564        return err;
1565}
1566
1567/*
1568 * This limits recursive symlink follows to 8, while
1569 * limiting consecutive symlinks to 40.
1570 *
1571 * Without that kind of total limit, nasty chains of consecutive
1572 * symlinks can cause almost arbitrarily long lookups.
1573 */
1574static inline int nested_symlink(struct path *path, struct nameidata *nd)
1575{
1576        int res;
1577
1578        if (unlikely(current->link_count >= MAX_NESTED_LINKS)) {
1579                path_put_conditional(path, nd);
1580                path_put(&nd->path);
1581                return -ELOOP;
1582        }
1583        BUG_ON(nd->depth >= MAX_NESTED_LINKS);
1584
1585        nd->depth++;
1586        current->link_count++;
1587
1588        do {
1589                struct path link = *path;
1590                void *cookie;
1591
1592                res = follow_link(&link, nd, &cookie);
1593                if (res)
1594                        break;
1595                res = walk_component(nd, path, &nd->last,
1596                                     nd->last_type, LOOKUP_FOLLOW);
1597                put_link(nd, &link, cookie);
1598        } while (res > 0);
1599
1600        current->link_count--;
1601        nd->depth--;
1602        return res;
1603}
1604
1605/*
1606 * We really don't want to look at inode->i_op->lookup
1607 * when we don't have to. So we keep a cache bit in
1608 * the inode ->i_opflags field that says "yes, we can
1609 * do lookup on this inode".
1610 */
1611static inline int can_lookup(struct inode *inode)
1612{
1613        if (likely(inode->i_opflags & IOP_LOOKUP))
1614                return 1;
1615        if (likely(!inode->i_op->lookup))
1616                return 0;
1617
1618        /* We do this once for the lifetime of the inode */
1619        spin_lock(&inode->i_lock);
1620        inode->i_opflags |= IOP_LOOKUP;
1621        spin_unlock(&inode->i_lock);
1622        return 1;
1623}
1624
1625/*
1626 * We can do the critical dentry name comparison and hashing
1627 * operations one word at a time, but we are limited to:
1628 *
1629 * - Architectures with fast unaligned word accesses. We could
1630 *   do a "get_unaligned()" if this helps and is sufficiently
1631 *   fast.
1632 *
1633 * - Little-endian machines (so that we can generate the mask
1634 *   of low bytes efficiently). Again, we *could* do a byte
1635 *   swapping load on big-endian architectures if that is not
1636 *   expensive enough to make the optimization worthless.
1637 *
1638 * - non-CONFIG_DEBUG_PAGEALLOC configurations (so that we
1639 *   do not trap on the (extremely unlikely) case of a page
1640 *   crossing operation.
1641 *
1642 * - Furthermore, we need an efficient 64-bit compile for the
1643 *   64-bit case in order to generate the "number of bytes in
1644 *   the final mask". Again, that could be replaced with a
1645 *   efficient population count instruction or similar.
1646 */
1647#ifdef CONFIG_DCACHE_WORD_ACCESS
1648
1649#include <asm/word-at-a-time.h>
1650
1651#ifdef CONFIG_64BIT
1652
1653static inline unsigned int fold_hash(unsigned long hash)
1654{
1655        hash += hash >> (8*sizeof(int));
1656        return hash;
1657}
1658
1659#else   /* 32-bit case */
1660
1661#define fold_hash(x) (x)
1662
1663#endif
1664
1665unsigned int full_name_hash(const unsigned char *name, unsigned int len)
1666{
1667        unsigned long a, mask;
1668        unsigned long hash = 0;
1669
1670        for (;;) {
1671                a = load_unaligned_zeropad(name);
1672                if (len < sizeof(unsigned long))
1673                        break;
1674                hash += a;
1675                hash *= 9;
1676                name += sizeof(unsigned long);
1677                len -= sizeof(unsigned long);
1678                if (!len)
1679                        goto done;
1680        }
1681        mask = ~(~0ul << len*8);
1682        hash += mask & a;
1683done:
1684        return fold_hash(hash);
1685}
1686EXPORT_SYMBOL(full_name_hash);
1687
1688/*
1689 * Calculate the length and hash of the path component, and
1690 * return the length of the component;
1691 */
1692static inline unsigned long hash_name(const char *name, unsigned int *hashp)
1693{
1694        unsigned long a, b, adata, bdata, mask, hash, len;
1695        const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
1696
1697        hash = a = 0;
1698        len = -sizeof(unsigned long);
1699        do {
1700                hash = (hash + a) * 9;
1701                len += sizeof(unsigned long);
1702                a = load_unaligned_zeropad(name+len);
1703                b = a ^ REPEAT_BYTE('/');
1704        } while (!(has_zero(a, &adata, &constants) | has_zero(b, &bdata, &constants)));
1705
1706        adata = prep_zero_mask(a, adata, &constants);
1707        bdata = prep_zero_mask(b, bdata, &constants);
1708
1709        mask = create_zero_mask(adata | bdata);
1710
1711        hash += a & zero_bytemask(mask);
1712        *hashp = fold_hash(hash);
1713
1714        return len + find_zero(mask);
1715}
1716
1717#else
1718
1719unsigned int full_name_hash(const unsigned char *name, unsigned int len)
1720{
1721        unsigned long hash = init_name_hash();
1722        while (len--)
1723                hash = partial_name_hash(*name++, hash);
1724        return end_name_hash(hash);
1725}
1726EXPORT_SYMBOL(full_name_hash);
1727
1728/*
1729 * We know there's a real path component here of at least
1730 * one character.
1731 */
1732static inline unsigned long hash_name(const char *name, unsigned int *hashp)
1733{
1734        unsigned long hash = init_name_hash();
1735        unsigned long len = 0, c;
1736
1737        c = (unsigned char)*name;
1738        do {
1739                len++;
1740                hash = partial_name_hash(c, hash);
1741                c = (unsigned char)name[len];
1742        } while (c && c != '/');
1743        *hashp = end_name_hash(hash);
1744        return len;
1745}
1746
1747#endif
1748
1749/*
1750 * Name resolution.
1751 * This is the basic name resolution function, turning a pathname into
1752 * the final dentry. We expect 'base' to be positive and a directory.
1753 *
1754 * Returns 0 and nd will have valid dentry and mnt on success.
1755 * Returns error and drops reference to input namei data on failure.
1756 */
1757static int link_path_walk(const char *name, struct nameidata *nd)
1758{
1759        struct path next;
1760        int err;
1761        
1762        while (*name=='/')
1763                name++;
1764        if (!*name)
1765                return 0;
1766
1767        /* At this point we know we have a real path component. */
1768        for(;;) {
1769                struct qstr this;
1770                long len;
1771                int type;
1772
1773                err = may_lookup(nd);
1774                if (err)
1775                        break;
1776
1777                len = hash_name(name, &this.hash);
1778                this.name = name;
1779                this.len = len;
1780
1781                type = LAST_NORM;
1782                if (name[0] == '.') switch (len) {
1783                        case 2:
1784                                if (name[1] == '.') {
1785                                        type = LAST_DOTDOT;
1786                                        nd->flags |= LOOKUP_JUMPED;
1787                                }
1788                                break;
1789                        case 1:
1790                                type = LAST_DOT;
1791                }
1792                if (likely(type == LAST_NORM)) {
1793                        struct dentry *parent = nd->path.dentry;
1794                        nd->flags &= ~LOOKUP_JUMPED;
1795                        if (unlikely(parent->d_flags & DCACHE_OP_HASH)) {
1796                                err = parent->d_op->d_hash(parent, nd->inode,
1797                                                           &this);
1798                                if (err < 0)
1799                                        break;
1800                        }
1801                }
1802
1803                if (!name[len])
1804                        goto last_component;
1805                /*
1806                 * If it wasn't NUL, we know it was '/'. Skip that
1807                 * slash, and continue until no more slashes.
1808                 */
1809                do {
1810                        len++;
1811                } while (unlikely(name[len] == '/'));
1812                if (!name[len])
1813                        goto last_component;
1814                name += len;
1815
1816                err = walk_component(nd, &next, &this, type, LOOKUP_FOLLOW);
1817                if (err < 0)
1818                        return err;
1819
1820                if (err) {
1821                        err = nested_symlink(&next, nd);
1822                        if (err)
1823                                return err;
1824                }
1825                if (can_lookup(nd->inode))
1826                        continue;
1827                err = -ENOTDIR; 
1828                break;
1829                /* here ends the main loop */
1830
1831last_component:
1832                nd->last = this;
1833                nd->last_type = type;
1834                return 0;
1835        }
1836        terminate_walk(nd);
1837        return err;
1838}
1839
1840static int path_init(int dfd, const char *name, unsigned int flags,
1841                     struct nameidata *nd, struct file **fp)
1842{
1843        int retval = 0;
1844
1845        nd->last_type = LAST_ROOT; /* if there are only slashes... */
1846        nd->flags = flags | LOOKUP_JUMPED;
1847        nd->depth = 0;
1848        if (flags & LOOKUP_ROOT) {
1849                struct inode *inode = nd->root.dentry->d_inode;
1850                if (*name) {
1851                        if (!can_lookup(inode))
1852                                return -ENOTDIR;
1853                        retval = inode_permission(inode, MAY_EXEC);
1854                        if (retval)
1855                                return retval;
1856                }
1857                nd->path = nd->root;
1858                nd->inode = inode;
1859                if (flags & LOOKUP_RCU) {
1860                        lock_rcu_walk();
1861                        nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
1862                } else {
1863                        path_get(&nd->path);
1864                }
1865                return 0;
1866        }
1867
1868        nd->root.mnt = NULL;
1869
1870        if (*name=='/') {
1871                if (flags & LOOKUP_RCU) {
1872                        lock_rcu_walk();
1873                        set_root_rcu(nd);
1874                } else {
1875                        set_root(nd);
1876                        path_get(&nd->root);
1877                }
1878                nd->path = nd->root;
1879        } else if (dfd == AT_FDCWD) {
1880                if (flags & LOOKUP_RCU) {
1881                        struct fs_struct *fs = current->fs;
1882                        unsigned seq;
1883
1884                        lock_rcu_walk();
1885
1886                        do {
1887                                seq = read_seqcount_begin(&fs->seq);
1888                                nd->path = fs->pwd;
1889                                nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
1890                        } while (read_seqcount_retry(&fs->seq, seq));
1891                } else {
1892                        get_fs_pwd(current->fs, &nd->path);
1893                }
1894        } else {
1895                /* Caller must check execute permissions on the starting path component */
1896                struct fd f = fdget_raw(dfd);
1897                struct dentry *dentry;
1898
1899                if (!f.file)
1900                        return -EBADF;
1901
1902                dentry = f.file->f_path.dentry;
1903
1904                if (*name) {
1905                        if (!can_lookup(dentry->d_inode)) {
1906                                fdput(f);
1907                                return -ENOTDIR;
1908                        }
1909                }
1910
1911                nd->path = f.file->f_path;
1912                if (flags & LOOKUP_RCU) {
1913                        if (f.need_put)
1914                                *fp = f.file;
1915                        nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
1916                        lock_rcu_walk();
1917                } else {
1918                        path_get(&nd->path);
1919                        fdput(f);
1920                }
1921        }
1922
1923        nd->inode = nd->path.dentry->d_inode;
1924        return 0;
1925}
1926
1927static inline int lookup_last(struct nameidata *nd, struct path *path)
1928{
1929        if (nd->last_type == LAST_NORM && nd->last.name[nd->last.len])
1930                nd->flags |= LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
1931
1932        nd->flags &= ~LOOKUP_PARENT;
1933        return walk_component(nd, path, &nd->last, nd->last_type,
1934                                        nd->flags & LOOKUP_FOLLOW);
1935}
1936
1937/* Returns 0 and nd will be valid on success; Retuns error, otherwise. */
1938static int path_lookupat(int dfd, const char *name,
1939                                unsigned int flags, struct nameidata *nd)
1940{
1941        struct file *base = NULL;
1942        struct path path;
1943        int err;
1944
1945        /*
1946         * Path walking is largely split up into 2 different synchronisation
1947         * schemes, rcu-walk and ref-walk (explained in
1948         * Documentation/filesystems/path-lookup.txt). These share much of the
1949         * path walk code, but some things particularly setup, cleanup, and
1950         * following mounts are sufficiently divergent that functions are
1951         * duplicated. Typically there is a function foo(), and its RCU
1952         * analogue, foo_rcu().
1953         *
1954         * -ECHILD is the error number of choice (just to avoid clashes) that
1955         * is returned if some aspect of an rcu-walk fails. Such an error must
1956         * be handled by restarting a traditional ref-walk (which will always
1957         * be able to complete).
1958         */
1959        err = path_init(dfd, name, flags | LOOKUP_PARENT, nd, &base);
1960
1961        if (unlikely(err))
1962                return err;
1963
1964        current->total_link_count = 0;
1965        err = link_path_walk(name, nd);
1966
1967        if (!err && !(flags & LOOKUP_PARENT)) {
1968                err = lookup_last(nd, &path);
1969                while (err > 0) {
1970                        void *cookie;
1971                        struct path link = path;
1972                        err = may_follow_link(&link, nd);
1973                        if (unlikely(err))
1974                                break;
1975                        nd->flags |= LOOKUP_PARENT;
1976                        err = follow_link(&link, nd, &cookie);
1977                        if (err)
1978                                break;
1979                        err = lookup_last(nd, &path);
1980                        put_link(nd, &link, cookie);
1981                }
1982        }
1983
1984        if (!err)
1985                err = complete_walk(nd);
1986
1987        if (!err && nd->flags & LOOKUP_DIRECTORY) {
1988                if (!nd->inode->i_op->lookup) {
1989                        path_put(&nd->path);
1990                        err = -ENOTDIR;
1991                }
1992        }
1993
1994        if (base)
1995                fput(base);
1996
1997        if (nd->root.mnt && !(nd->flags & LOOKUP_ROOT)) {
1998                path_put(&nd->root);
1999                nd->root.mnt = NULL;
2000        }
2001        return err;
2002}
2003
2004static int filename_lookup(int dfd, struct filename *name,
2005                                unsigned int flags, struct nameidata *nd)
2006{
2007        int retval = path_lookupat(dfd, name->name, flags | LOOKUP_RCU, nd);
2008        if (unlikely(retval == -ECHILD))
2009                retval = path_lookupat(dfd, name->name, flags, nd);
2010        if (unlikely(retval == -ESTALE))
2011                retval = path_lookupat(dfd, name->name,
2012                                                flags | LOOKUP_REVAL, nd);
2013
2014        if (likely(!retval))
2015                audit_inode(name, nd->path.dentry, flags & LOOKUP_PARENT);
2016        return retval;
2017}
2018
2019static int do_path_lookup(int dfd, const char *name,
2020                                unsigned int flags, struct nameidata *nd)
2021{
2022        struct filename filename = { .name = name };
2023
2024        return filename_lookup(dfd, &filename, flags, nd);
2025}
2026
2027/* does lookup, returns the object with parent locked */
2028struct dentry *kern_path_locked(const char *name, struct path *path)
2029{
2030        struct nameidata nd;
2031        struct dentry *d;
2032        int err = do_path_lookup(AT_FDCWD, name, LOOKUP_PARENT, &nd);
2033        if (err)
2034                return ERR_PTR(err);
2035        if (nd.last_type != LAST_NORM) {
2036                path_put(&nd.path);
2037                return ERR_PTR(-EINVAL);
2038        }
2039        mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
2040        d = __lookup_hash(&nd.last, nd.path.dentry, 0);
2041        if (IS_ERR(d)) {
2042                mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
2043                path_put(&nd.path);
2044                return d;
2045        }
2046        *path = nd.path;
2047        return d;
2048}
2049
2050int kern_path(const char *name, unsigned int flags, struct path *path)
2051{
2052        struct nameidata nd;
2053        int res = do_path_lookup(AT_FDCWD, name, flags, &nd);
2054        if (!res)
2055                *path = nd.path;
2056        return res;
2057}
2058
2059/**
2060 * vfs_path_lookup - lookup a file path relative to a dentry-vfsmount pair
2061 * @dentry:  pointer to dentry of the base directory
2062 * @mnt: pointer to vfs mount of the base directory
2063 * @name: pointer to file name
2064 * @flags: lookup flags
2065 * @path: pointer to struct path to fill
2066 */
2067int vfs_path_lookup(struct dentry *dentry, struct vfsmount *mnt,
2068                    const char *name, unsigned int flags,
2069                    struct path *path)
2070{
2071        struct nameidata nd;
2072        int err;
2073        nd.root.dentry = dentry;
2074        nd.root.mnt = mnt;
2075        BUG_ON(flags & LOOKUP_PARENT);
2076        /* the first argument of do_path_lookup() is ignored with LOOKUP_ROOT */
2077        err = do_path_lookup(AT_FDCWD, name, flags | LOOKUP_ROOT, &nd);
2078        if (!err)
2079                *path = nd.path;
2080        return err;
2081}
2082
2083/*
2084 * Restricted form of lookup. Doesn't follow links, single-component only,
2085 * needs parent already locked. Doesn't follow mounts.
2086 * SMP-safe.
2087 */
2088static struct dentry *lookup_hash(struct nameidata *nd)
2089{
2090        return __lookup_hash(&nd->last, nd->path.dentry, nd->flags);
2091}
2092
2093/**
2094 * lookup_one_len - filesystem helper to lookup single pathname component
2095 * @name:       pathname component to lookup
2096 * @base:       base directory to lookup from
2097 * @len:        maximum length @len should be interpreted to
2098 *
2099 * Note that this routine is purely a helper for filesystem usage and should
2100 * not be called by generic code.  Also note that by using this function the
2101 * nameidata argument is passed to the filesystem methods and a filesystem
2102 * using this helper needs to be prepared for that.
2103 */
2104struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
2105{
2106        struct qstr this;
2107        unsigned int c;
2108        int err;
2109
2110        WARN_ON_ONCE(!mutex_is_locked(&base->d_inode->i_mutex));
2111
2112        this.name = name;
2113        this.len = len;
2114        this.hash = full_name_hash(name, len);
2115        if (!len)
2116                return ERR_PTR(-EACCES);
2117
2118        if (unlikely(name[0] == '.')) {
2119                if (len < 2 || (len == 2 && name[1] == '.'))
2120                        return ERR_PTR(-EACCES);
2121        }
2122
2123        while (len--) {
2124                c = *(const unsigned char *)name++;
2125                if (c == '/' || c == '\0')
2126                        return ERR_PTR(-EACCES);
2127        }
2128        /*
2129         * See if the low-level filesystem might want
2130         * to use its own hash..
2131         */
2132        if (base->d_flags & DCACHE_OP_HASH) {
2133                int err = base->d_op->d_hash(base, base->d_inode, &this);
2134                if (err < 0)
2135                        return ERR_PTR(err);
2136        }
2137
2138        err = inode_permission(base->d_inode, MAY_EXEC);
2139        if (err)
2140                return ERR_PTR(err);
2141
2142        return __lookup_hash(&this, base, 0);
2143}
2144
2145int user_path_at_empty(int dfd, const char __user *name, unsigned flags,
2146                 struct path *path, int *empty)
2147{
2148        struct nameidata nd;
2149        struct filename *tmp = getname_flags(name, flags, empty);
2150        int err = PTR_ERR(tmp);
2151        if (!IS_ERR(tmp)) {
2152
2153                BUG_ON(flags & LOOKUP_PARENT);
2154
2155                err = filename_lookup(dfd, tmp, flags, &nd);
2156                putname(tmp);
2157                if (!err)
2158                        *path = nd.path;
2159        }
2160        return err;
2161}
2162
2163int user_path_at(int dfd, const char __user *name, unsigned flags,
2164                 struct path *path)
2165{
2166        return user_path_at_empty(dfd, name, flags, path, NULL);
2167}
2168
2169/*
2170 * NB: most callers don't do anything directly with the reference to the
2171 *     to struct filename, but the nd->last pointer points into the name string
2172 *     allocated by getname. So we must hold the reference to it until all
2173 *     path-walking is complete.
2174 */
2175static struct filename *
2176user_path_parent(int dfd, const char __user *path, struct nameidata *nd,
2177                 unsigned int flags)
2178{
2179        struct filename *s = getname(path);
2180        int error;
2181
2182        /* only LOOKUP_REVAL is allowed in extra flags */
2183        flags &= LOOKUP_REVAL;
2184
2185        if (IS_ERR(s))
2186                return s;
2187
2188        error = filename_lookup(dfd, s, flags | LOOKUP_PARENT, nd);
2189        if (error) {
2190                putname(s);
2191                return ERR_PTR(error);
2192        }
2193
2194        return s;
2195}
2196
2197/*
2198 * It's inline, so penalty for filesystems that don't use sticky bit is
2199 * minimal.
2200 */
2201static inline int check_sticky(struct inode *dir, struct inode *inode)
2202{
2203        kuid_t fsuid = current_fsuid();
2204
2205        if (!(dir->i_mode & S_ISVTX))
2206                return 0;
2207        if (uid_eq(inode->i_uid, fsuid))
2208                return 0;
2209        if (uid_eq(dir->i_uid, fsuid))
2210                return 0;
2211        return !inode_capable(inode, CAP_FOWNER);
2212}
2213
2214/*
2215 *      Check whether we can remove a link victim from directory dir, check
2216 *  whether the type of victim is right.
2217 *  1. We can't do it if dir is read-only (done in permission())
2218 *  2. We should have write and exec permissions on dir
2219 *  3. We can't remove anything from append-only dir
2220 *  4. We can't do anything with immutable dir (done in permission())
2221 *  5. If the sticky bit on dir is set we should either
2222 *      a. be owner of dir, or
2223 *      b. be owner of victim, or
2224 *      c. have CAP_FOWNER capability
2225 *  6. If the victim is append-only or immutable we can't do antyhing with
2226 *     links pointing to it.
2227 *  7. If we were asked to remove a directory and victim isn't one - ENOTDIR.
2228 *  8. If we were asked to remove a non-directory and victim isn't one - EISDIR.
2229 *  9. We can't remove a root or mountpoint.
2230 * 10. We don't allow removal of NFS sillyrenamed files; it's handled by
2231 *     nfs_async_unlink().
2232 */
2233static int may_delete(struct inode *dir,struct dentry *victim,int isdir)
2234{
2235        int error;
2236
2237        if (!victim->d_inode)
2238                return -ENOENT;
2239
2240        BUG_ON(victim->d_parent->d_inode != dir);
2241        audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE);
2242
2243        error = inode_permission(dir, MAY_WRITE | MAY_EXEC);
2244        if (error)
2245                return error;
2246        if (IS_APPEND(dir))
2247                return -EPERM;
2248        if (check_sticky(dir, victim->d_inode)||IS_APPEND(victim->d_inode)||
2249            IS_IMMUTABLE(victim->d_inode) || IS_SWAPFILE(victim->d_inode))
2250                return -EPERM;
2251        if (isdir) {
2252                if (!S_ISDIR(victim->d_inode->i_mode))
2253                        return -ENOTDIR;
2254                if (IS_ROOT(victim))
2255                        return -EBUSY;
2256        } else if (S_ISDIR(victim->d_inode->i_mode))
2257                return -EISDIR;
2258        if (IS_DEADDIR(dir))
2259                return -ENOENT;
2260        if (victim->d_flags & DCACHE_NFSFS_RENAMED)
2261                return -EBUSY;
2262        return 0;
2263}
2264
2265/*      Check whether we can create an object with dentry child in directory
2266 *  dir.
2267 *  1. We can't do it if child already exists (open has special treatment for
2268 *     this case, but since we are inlined it's OK)
2269 *  2. We can't do it if dir is read-only (done in permission())
2270 *  3. We should have write and exec permissions on dir
2271 *  4. We can't do it if dir is immutable (done in permission())
2272 */
2273static inline int may_create(struct inode *dir, struct dentry *child)
2274{
2275        if (child->d_inode)
2276                return -EEXIST;
2277        if (IS_DEADDIR(dir))
2278                return -ENOENT;
2279        return inode_permission(dir, MAY_WRITE | MAY_EXEC);
2280}
2281
2282/*
2283 * p1 and p2 should be directories on the same fs.
2284 */
2285struct dentry *lock_rename(struct dentry *p1, struct dentry *p2)
2286{
2287        struct dentry *p;
2288
2289        if (p1 == p2) {
2290                mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_PARENT);
2291                return NULL;
2292        }
2293
2294        mutex_lock(&p1->d_inode->i_sb->s_vfs_rename_mutex);
2295
2296        p = d_ancestor(p2, p1);
2297        if (p) {
2298                mutex_lock_nested(&p2->d_inode->i_mutex, I_MUTEX_PARENT);
2299                mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_CHILD);
2300                return p;
2301        }
2302
2303        p = d_ancestor(p1, p2);
2304        if (p) {
2305                mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_PARENT);
2306                mutex_lock_nested(&p2->d_inode->i_mutex, I_MUTEX_CHILD);
2307                return p;
2308        }
2309
2310        mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_PARENT);
2311        mutex_lock_nested(&p2->d_inode->i_mutex, I_MUTEX_CHILD);
2312        return NULL;
2313}
2314
2315void unlock_rename(struct dentry *p1, struct dentry *p2)
2316{
2317        mutex_unlock(&p1->d_inode->i_mutex);
2318        if (p1 != p2) {
2319                mutex_unlock(&p2->d_inode->i_mutex);
2320                mutex_unlock(&p1->d_inode->i_sb->s_vfs_rename_mutex);
2321        }
2322}
2323
2324int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode,
2325                bool want_excl)
2326{
2327        int error = may_create(dir, dentry);
2328        if (error)
2329                return error;
2330
2331        if (!dir->i_op->create)
2332                return -EACCES; /* shouldn't it be ENOSYS? */
2333        mode &= S_IALLUGO;
2334        mode |= S_IFREG;
2335        error = security_inode_create(dir, dentry, mode);
2336        if (error)
2337                return error;
2338        error = dir->i_op->create(dir, dentry, mode, want_excl);
2339        if (!error)
2340                fsnotify_create(dir, dentry);
2341        return error;
2342}
2343
2344static int may_open(struct path *path, int acc_mode, int flag)
2345{
2346        struct dentry *dentry = path->dentry;
2347        struct inode *inode = dentry->d_inode;
2348        int error;
2349
2350        /* O_PATH? */
2351        if (!acc_mode)
2352                return 0;
2353
2354        if (!inode)
2355                return -ENOENT;
2356
2357        switch (inode->i_mode & S_IFMT) {
2358        case S_IFLNK:
2359                return -ELOOP;
2360        case S_IFDIR:
2361                if (acc_mode & MAY_WRITE)
2362                        return -EISDIR;
2363                break;
2364        case S_IFBLK:
2365        case S_IFCHR:
2366                if (path->mnt->mnt_flags & MNT_NODEV)
2367                        return -EACCES;
2368                /*FALLTHRU*/
2369        case S_IFIFO:
2370        case S_IFSOCK:
2371                flag &= ~O_TRUNC;
2372                break;
2373        }
2374
2375        error = inode_permission(inode, acc_mode);
2376        if (error)
2377                return error;
2378
2379        /*
2380         * An append-only file must be opened in append mode for writing.
2381         */
2382        if (IS_APPEND(inode)) {
2383                if  ((flag & O_ACCMODE) != O_RDONLY && !(flag & O_APPEND))
2384                        return -EPERM;
2385                if (flag & O_TRUNC)
2386                        return -EPERM;
2387        }
2388
2389        /* O_NOATIME can only be set by the owner or superuser */
2390        if (flag & O_NOATIME && !inode_owner_or_capable(inode))
2391                return -EPERM;
2392
2393        return 0;
2394}
2395
2396static int handle_truncate(struct file *filp)
2397{
2398        struct path *path = &filp->f_path;
2399        struct inode *inode = path->dentry->d_inode;
2400        int error = get_write_access(inode);
2401        if (error)
2402                return error;
2403        /*
2404         * Refuse to truncate files with mandatory locks held on them.
2405         */
2406        error = locks_verify_locked(inode);
2407        if (!error)
2408                error = security_path_truncate(path);
2409        if (!error) {
2410                error = do_truncate(path->dentry, 0,
2411                                    ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,
2412                                    filp);
2413        }
2414        put_write_access(inode);
2415        return error;
2416}
2417
2418static inline int open_to_namei_flags(int flag)
2419{
2420        if ((flag & O_ACCMODE) == 3)
2421                flag--;
2422        return flag;
2423}
2424
2425static int may_o_create(struct path *dir, struct dentry *dentry, umode_t mode)
2426{
2427        int error = security_path_mknod(dir, dentry, mode, 0);
2428        if (error)
2429                return error;
2430
2431        error = inode_permission(dir->dentry->d_inode, MAY_WRITE | MAY_EXEC);
2432        if (error)
2433                return error;
2434
2435        return security_inode_create(dir->dentry->d_inode, dentry, mode);
2436}
2437
2438/*
2439 * Attempt to atomically look up, create and open a file from a negative
2440 * dentry.
2441 *
2442 * Returns 0 if successful.  The file will have been created and attached to
2443 * @file by the filesystem calling finish_open().
2444 *
2445 * Returns 1 if the file was looked up only or didn't need creating.  The
2446 * caller will need to perform the open themselves.  @path will have been
2447 * updated to point to the new dentry.  This may be negative.
2448 *
2449 * Returns an error code otherwise.
2450 */
2451static int atomic_open(struct nameidata *nd, struct dentry *dentry,
2452                        struct path *path, struct file *file,
2453                        const struct open_flags *op,
2454                        bool got_write, bool need_lookup,
2455                        int *opened)
2456{
2457        struct inode *dir =  nd->path.dentry->d_inode;
2458        unsigned open_flag = open_to_namei_flags(op->open_flag);
2459        umode_t mode;
2460        int error;
2461        int acc_mode;
2462        int create_error = 0;
2463        struct dentry *const DENTRY_NOT_SET = (void *) -1UL;
2464
2465        BUG_ON(dentry->d_inode);
2466
2467        /* Don't create child dentry for a dead directory. */
2468        if (unlikely(IS_DEADDIR(dir))) {
2469                error = -ENOENT;
2470                goto out;
2471        }
2472
2473        mode = op->mode;
2474        if ((open_flag & O_CREAT) && !IS_POSIXACL(dir))
2475                mode &= ~current_umask();
2476
2477        if ((open_flag & (O_EXCL | O_CREAT)) == (O_EXCL | O_CREAT)) {
2478                open_flag &= ~O_TRUNC;
2479                *opened |= FILE_CREATED;
2480        }
2481
2482        /*
2483         * Checking write permission is tricky, bacuse we don't know if we are
2484         * going to actually need it: O_CREAT opens should work as long as the
2485         * file exists.  But checking existence breaks atomicity.  The trick is
2486         * to check access and if not granted clear O_CREAT from the flags.
2487         *
2488         * Another problem is returing the "right" error value (e.g. for an
2489         * O_EXCL open we want to return EEXIST not EROFS).
2490         */
2491        if (((open_flag & (O_CREAT | O_TRUNC)) ||
2492            (open_flag & O_ACCMODE) != O_RDONLY) && unlikely(!got_write)) {
2493                if (!(open_flag & O_CREAT)) {
2494                        /*
2495                         * No O_CREATE -> atomicity not a requirement -> fall
2496                         * back to lookup + open
2497                         */
2498                        goto no_open;
2499                } else if (open_flag & (O_EXCL | O_TRUNC)) {
2500                        /* Fall back and fail with the right error */
2501                        create_error = -EROFS;
2502                        goto no_open;
2503                } else {
2504                        /* No side effects, safe to clear O_CREAT */
2505                        create_error = -EROFS;
2506                        open_flag &= ~O_CREAT;
2507                }
2508        }
2509
2510        if (open_flag & O_CREAT) {
2511                error = may_o_create(&nd->path, dentry, mode);
2512                if (error) {
2513                        create_error = error;
2514                        if (open_flag & O_EXCL)
2515                                goto no_open;
2516                        open_flag &= ~O_CREAT;
2517                }
2518        }
2519
2520        if (nd->flags & LOOKUP_DIRECTORY)
2521                open_flag |= O_DIRECTORY;
2522
2523        file->f_path.dentry = DENTRY_NOT_SET;
2524        file->f_path.mnt = nd->path.mnt;
2525        error = dir->i_op->atomic_open(dir, dentry, file, open_flag, mode,
2526                                      opened);
2527        if (error < 0) {
2528                if (create_error && error == -ENOENT)
2529                        error = create_error;
2530                goto out;
2531        }
2532
2533        acc_mode = op->acc_mode;
2534        if (*opened & FILE_CREATED) {
2535                fsnotify_create(dir, dentry);
2536                acc_mode = MAY_OPEN;
2537        }
2538
2539        if (error) {    /* returned 1, that is */
2540                if (WARN_ON(file->f_path.dentry == DENTRY_NOT_SET)) {
2541                        error = -EIO;
2542                        goto out;
2543                }
2544                if (file->f_path.dentry) {
2545                        dput(dentry);
2546                        dentry = file->f_path.dentry;
2547                }
2548                if (create_error && dentry->d_inode == NULL) {
2549                        error = create_error;
2550                        goto out;
2551                }
2552                goto looked_up;
2553        }
2554
2555        /*
2556         * We didn't have the inode before the open, so check open permission
2557         * here.
2558         */
2559        error = may_open(&file->f_path, acc_mode, open_flag);
2560        if (error)
2561                fput(file);
2562
2563out:
2564        dput(dentry);
2565        return error;
2566
2567no_open:
2568        if (need_lookup) {
2569                dentry = lookup_real(dir, dentry, nd->flags);
2570                if (IS_ERR(dentry))
2571                        return PTR_ERR(dentry);
2572
2573                if (create_error) {
2574                        int open_flag = op->open_flag;
2575
2576                        error = create_error;
2577                        if ((open_flag & O_EXCL)) {
2578                                if (!dentry->d_inode)
2579                                        goto out;
2580                        } else if (!dentry->d_inode) {
2581                                goto out;
2582                        } else if ((open_flag & O_TRUNC) &&
2583                                   S_ISREG(dentry->d_inode->i_mode)) {
2584                                goto out;
2585                        }
2586                        /* will fail later, go on to get the right error */
2587                }
2588        }
2589looked_up:
2590        path->dentry = dentry;
2591        path->mnt = nd->path.mnt;
2592        return 1;
2593}
2594
2595/*
2596 * Look up and maybe create and open the last component.
2597 *
2598 * Must be called with i_mutex held on parent.
2599 *
2600 * Returns 0 if the file was successfully atomically created (if necessary) and
2601 * opened.  In this case the file will be returned attached to @file.
2602 *
2603 * Returns 1 if the file was not completely opened at this time, though lookups
2604 * and creations will have been performed and the dentry returned in @path will
2605 * be positive upon return if O_CREAT was specified.  If O_CREAT wasn't
2606 * specified then a negative dentry may be returned.
2607 *
2608 * An error code is returned otherwise.
2609 *
2610 * FILE_CREATE will be set in @*opened if the dentry was created and will be
2611 * cleared otherwise prior to returning.
2612 */
2613static int lookup_open(struct nameidata *nd, struct path *path,
2614                        struct file *file,
2615                        const struct open_flags *op,
2616                        bool got_write, int *opened)
2617{
2618        struct dentry *dir = nd->path.dentry;
2619        struct inode *dir_inode = dir->d_inode;
2620        struct dentry *dentry;
2621        int error;
2622        bool need_lookup;
2623
2624        *opened &= ~FILE_CREATED;
2625        dentry = lookup_dcache(&nd->last, dir, nd->flags, &need_lookup);
2626        if (IS_ERR(dentry))
2627                return PTR_ERR(dentry);
2628
2629        /* Cached positive dentry: will open in f_op->open */
2630        if (!need_lookup && dentry->d_inode)
2631                goto out_no_open;
2632
2633        if ((nd->flags & LOOKUP_OPEN) && dir_inode->i_op->atomic_open) {
2634                return atomic_open(nd, dentry, path, file, op, got_write,
2635                                   need_lookup, opened);
2636        }
2637
2638        if (need_lookup) {
2639                BUG_ON(dentry->d_inode);
2640
2641                dentry = lookup_real(dir_inode, dentry, nd->flags);
2642                if (IS_ERR(dentry))
2643                        return PTR_ERR(dentry);
2644        }
2645
2646        /* Negative dentry, just create the file */
2647        if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
2648                umode_t mode = op->mode;
2649                if (!IS_POSIXACL(dir->d_inode))
2650                        mode &= ~current_umask();
2651                /*
2652                 * This write is needed to ensure that a
2653                 * rw->ro transition does not occur between
2654                 * the time when the file is created and when
2655                 * a permanent write count is taken through
2656                 * the 'struct file' in finish_open().
2657                 */
2658                if (!got_write) {
2659                        error = -EROFS;
2660                        goto out_dput;
2661                }
2662                *opened |= FILE_CREATED;
2663                error = security_path_mknod(&nd->path, dentry, mode, 0);
2664                if (error)
2665                        goto out_dput;
2666                error = vfs_create(dir->d_inode, dentry, mode,
2667                                   nd->flags & LOOKUP_EXCL);
2668                if (error)
2669                        goto out_dput;
2670        }
2671out_no_open:
2672        path->dentry = dentry;
2673        path->mnt = nd->path.mnt;
2674        return 1;
2675
2676out_dput:
2677        dput(dentry);
2678        return error;
2679}
2680
2681/*
2682 * Handle the last step of open()
2683 */
2684static int do_last(struct nameidata *nd, struct path *path,
2685                   struct file *file, const struct open_flags *op,
2686                   int *opened, struct filename *name)
2687{
2688        struct dentry *dir = nd->path.dentry;
2689        int open_flag = op->open_flag;
2690        bool will_truncate = (open_flag & O_TRUNC) != 0;
2691        bool got_write = false;
2692        int acc_mode = op->acc_mode;
2693        struct inode *inode;
2694        bool symlink_ok = false;
2695        struct path save_parent = { .dentry = NULL, .mnt = NULL };
2696        bool retried = false;
2697        int error;
2698
2699        nd->flags &= ~LOOKUP_PARENT;
2700        nd->flags |= op->intent;
2701
2702        switch (nd->last_type) {
2703        case LAST_DOTDOT:
2704        case LAST_DOT:
2705                error = handle_dots(nd, nd->last_type);
2706                if (error)
2707                        return error;
2708                /* fallthrough */
2709        case LAST_ROOT:
2710                error = complete_walk(nd);
2711                if (error)
2712                        return error;
2713                audit_inode(name, nd->path.dentry, 0);
2714                if (open_flag & O_CREAT) {
2715                        error = -EISDIR;
2716                        goto out;
2717                }
2718                goto finish_open;
2719        case LAST_BIND:
2720                error = complete_walk(nd);
2721                if (error)
2722                        return error;
2723                audit_inode(name, dir, 0);
2724                goto finish_open;
2725        }
2726
2727        if (!(open_flag & O_CREAT)) {
2728                if (nd->last.name[nd->last.len])
2729                        nd->flags |= LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
2730                if (open_flag & O_PATH && !(nd->flags & LOOKUP_FOLLOW))
2731                        symlink_ok = true;
2732                /* we _can_ be in RCU mode here */
2733                error = lookup_fast(nd, &nd->last, path, &inode);
2734                if (likely(!error))
2735                        goto finish_lookup;
2736
2737                if (error < 0)
2738                        goto out;
2739
2740                BUG_ON(nd->inode != dir->d_inode);
2741        } else {
2742                /* create side of things */
2743                /*
2744                 * This will *only* deal with leaving RCU mode - LOOKUP_JUMPED
2745                 * has been cleared when we got to the last component we are
2746                 * about to look up
2747                 */
2748                error = complete_walk(nd);
2749                if (error)
2750                        return error;
2751
2752                audit_inode(name, dir, 0);
2753                error = -EISDIR;
2754                /* trailing slashes? */
2755                if (nd->last.name[nd->last.len])
2756                        goto out;
2757        }
2758
2759retry_lookup:
2760        if (op->open_flag & (O_CREAT | O_TRUNC | O_WRONLY | O_RDWR)) {
2761                error = mnt_want_write(nd->path.mnt);
2762                if (!error)
2763                        got_write = true;
2764                /*
2765                 * do _not_ fail yet - we might not need that or fail with
2766                 * a different error; let lookup_open() decide; we'll be
2767                 * dropping this one anyway.
2768                 */
2769        }
2770        mutex_lock(&dir->d_inode->i_mutex);
2771        error = lookup_open(nd, path, file, op, got_write, opened);
2772        mutex_unlock(&dir->d_inode->i_mutex);
2773
2774        if (error <= 0) {
2775                if (error)
2776                        goto out;
2777
2778                if ((*opened & FILE_CREATED) ||
2779                    !S_ISREG(file->f_path.dentry->d_inode->i_mode))
2780                        will_truncate = false;
2781
2782                audit_inode(name, file->f_path.dentry, 0);
2783                goto opened;
2784        }
2785
2786        if (*opened & FILE_CREATED) {
2787                /* Don't check for write permission, don't truncate */
2788                open_flag &= ~O_TRUNC;
2789                will_truncate = false;
2790                acc_mode = MAY_OPEN;
2791                path_to_nameidata(path, nd);
2792                goto finish_open_created;
2793        }
2794
2795        /*
2796         * create/update audit record if it already exists.
2797         */
2798        if (path->dentry->d_inode)
2799                audit_inode(name, path->dentry, 0);
2800
2801        /*
2802         * If atomic_open() acquired write access it is dropped now due to
2803         * possible mount and symlink following (this might be optimized away if
2804         * necessary...)
2805         */
2806        if (got_write) {
2807                mnt_drop_write(nd->path.mnt);
2808                got_write = false;
2809        }
2810
2811        error = -EEXIST;
2812        if ((open_flag & (O_EXCL | O_CREAT)) == (O_EXCL | O_CREAT))
2813                goto exit_dput;
2814
2815        error = follow_managed(path, nd->flags);
2816        if (error < 0)
2817                goto exit_dput;
2818
2819        if (error)
2820                nd->flags |= LOOKUP_JUMPED;
2821
2822        BUG_ON(nd->flags & LOOKUP_RCU);
2823        inode = path->dentry->d_inode;
2824finish_lookup:
2825        /* we _can_ be in RCU mode here */
2826        error = -ENOENT;
2827        if (!inode) {
2828                path_to_nameidata(path, nd);
2829                goto out;
2830        }
2831
2832        if (should_follow_link(inode, !symlink_ok)) {
2833                if (nd->flags & LOOKUP_RCU) {
2834                        if (unlikely(unlazy_walk(nd, path->dentry))) {
2835                                error = -ECHILD;
2836                                goto out;
2837                        }
2838                }
2839                BUG_ON(inode != path->dentry->d_inode);
2840                return 1;
2841        }
2842
2843        if ((nd->flags & LOOKUP_RCU) || nd->path.mnt != path->mnt) {
2844                path_to_nameidata(path, nd);
2845        } else {
2846                save_parent.dentry = nd->path.dentry;
2847                save_parent.mnt = mntget(path->mnt);
2848                nd->path.dentry = path->dentry;
2849
2850        }
2851        nd->inode = inode;
2852        /* Why this, you ask?  _Now_ we might have grown LOOKUP_JUMPED... */
2853        error = complete_walk(nd);
2854        if (error) {
2855                path_put(&save_parent);
2856                return error;
2857        }
2858        error = -EISDIR;
2859        if ((open_flag & O_CREAT) && S_ISDIR(nd->inode->i_mode))
2860                goto out;
2861        error = -ENOTDIR;
2862        if ((nd->flags & LOOKUP_DIRECTORY) && !nd->inode->i_op->lookup)
2863                goto out;
2864        audit_inode(name, nd->path.dentry, 0);
2865finish_open:
2866        if (!S_ISREG(nd->inode->i_mode))
2867                will_truncate = false;
2868
2869        if (will_truncate) {
2870                error = mnt_want_write(nd->path.mnt);
2871                if (error)
2872                        goto out;
2873                got_write = true;
2874        }
2875finish_open_created:
2876        error = may_open(&nd->path, acc_mode, open_flag);
2877        if (error)
2878                goto out;
2879        file->f_path.mnt = nd->path.mnt;
2880        error = finish_open(file, nd->path.dentry, NULL, opened);
2881        if (error) {
2882                if (error == -EOPENSTALE)
2883                        goto stale_open;
2884                goto out;
2885        }
2886opened:
2887        error = open_check_o_direct(file);
2888        if (error)
2889                goto exit_fput;
2890        error = ima_file_check(file, op->acc_mode);
2891        if (error)
2892                goto exit_fput;
2893
2894        if (will_truncate) {
2895                error = handle_truncate(file);
2896                if (error)
2897                        goto exit_fput;
2898        }
2899out:
2900        if (got_write)
2901                mnt_drop_write(nd->path.mnt);
2902        path_put(&save_parent);
2903        terminate_walk(nd);
2904        return error;
2905
2906exit_dput:
2907        path_put_conditional(path, nd);
2908        goto out;
2909exit_fput:
2910        fput(file);
2911        goto out;
2912
2913stale_open:
2914        /* If no saved parent or already retried then can't retry */
2915        if (!save_parent.dentry || retried)
2916                goto out;
2917
2918        BUG_ON(save_parent.dentry != dir);
2919        path_put(&nd->path);
2920        nd->path = save_parent;
2921        nd->inode = dir->d_inode;
2922        save_parent.mnt = NULL;
2923        save_parent.dentry = NULL;
2924        if (got_write) {
2925                mnt_drop_write(nd->path.mnt);
2926                got_write = false;
2927        }
2928        retried = true;
2929        goto retry_lookup;
2930}
2931
2932static struct file *path_openat(int dfd, struct filename *pathname,
2933                struct nameidata *nd, const struct open_flags *op, int flags)
2934{
2935        struct file *base = NULL;
2936        struct file *file;
2937        struct path path;
2938        int opened = 0;
2939        int error;
2940
2941        file = get_empty_filp();
2942        if (!file)
2943                return ERR_PTR(-ENFILE);
2944
2945        file->f_flags = op->open_flag;
2946
2947        error = path_init(dfd, pathname->name, flags | LOOKUP_PARENT, nd, &base);
2948        if (unlikely(error))
2949                goto out;
2950
2951        current->total_link_count = 0;
2952        error = link_path_walk(pathname->name, nd);
2953        if (unlikely(error))
2954                goto out;
2955
2956        error = do_last(nd, &path, file, op, &opened, pathname);
2957        while (unlikely(error > 0)) { /* trailing symlink */
2958                struct path link = path;
2959                void *cookie;
2960                if (!(nd->flags & LOOKUP_FOLLOW)) {
2961                        path_put_conditional(&path, nd);
2962                        path_put(&nd->path);
2963                        error = -ELOOP;
2964                        break;
2965                }
2966                error = may_follow_link(&link, nd);
2967                if (unlikely(error))
2968                        break;
2969                nd->flags |= LOOKUP_PARENT;
2970                nd->flags &= ~(LOOKUP_OPEN|LOOKUP_CREATE|LOOKUP_EXCL);
2971                error = follow_link(&link, nd, &cookie);
2972                if (unlikely(error))
2973                        break;
2974                error = do_last(nd, &path, file, op, &opened, pathname);
2975                put_link(nd, &link, cookie);
2976        }
2977out:
2978        if (nd->root.mnt && !(nd->flags & LOOKUP_ROOT))
2979                path_put(&nd->root);
2980        if (base)
2981                fput(base);
2982        if (!(opened & FILE_OPENED)) {
2983                BUG_ON(!error);
2984                put_filp(file);
2985        }
2986        if (unlikely(error)) {
2987                if (error == -EOPENSTALE) {
2988                        if (flags & LOOKUP_RCU)
2989                                error = -ECHILD;
2990                        else
2991                                error = -ESTALE;
2992                }
2993                file = ERR_PTR(error);
2994        }
2995        return file;
2996}
2997
2998struct file *do_filp_open(int dfd, struct filename *pathname,
2999                const struct open_flags *op, int flags)
3000{
3001        struct nameidata nd;
3002        struct file *filp;
3003
3004        filp = path_openat(dfd, pathname, &nd, op, flags | LOOKUP_RCU);
3005        if (unlikely(filp == ERR_PTR(-ECHILD)))
3006                filp = path_openat(dfd, pathname, &nd, op, flags);
3007        if (unlikely(filp == ERR_PTR(-ESTALE)))
3008                filp = path_openat(dfd, pathname, &nd, op, flags | LOOKUP_REVAL);
3009        return filp;
3010}
3011
3012struct file *do_file_open_root(struct dentry *dentry, struct vfsmount *mnt,
3013                const char *name, const struct open_flags *op, int flags)
3014{
3015        struct nameidata nd;
3016        struct file *file;
3017        struct filename filename = { .name = name };
3018
3019        nd.root.mnt = mnt;
3020        nd.root.dentry = dentry;
3021
3022        flags |= LOOKUP_ROOT;
3023
3024        if (dentry->d_inode->i_op->follow_link && op->intent & LOOKUP_OPEN)
3025                return ERR_PTR(-ELOOP);
3026
3027        file = path_openat(-1, &filename, &nd, op, flags | LOOKUP_RCU);
3028        if (unlikely(file == ERR_PTR(-ECHILD)))
3029                file = path_openat(-1, &filename, &nd, op, flags);
3030        if (unlikely(file == ERR_PTR(-ESTALE)))
3031                file = path_openat(-1, &filename, &nd, op, flags | LOOKUP_REVAL);
3032        return file;
3033}
3034
3035struct dentry *kern_path_create(int dfd, const char *pathname,
3036                                struct path *path, unsigned int lookup_flags)
3037{
3038        struct dentry *dentry = ERR_PTR(-EEXIST);
3039        struct nameidata nd;
3040        int err2;
3041        int error;
3042        bool is_dir = (lookup_flags & LOOKUP_DIRECTORY);
3043
3044        /*
3045         * Note that only LOOKUP_REVAL and LOOKUP_DIRECTORY matter here. Any
3046         * other flags passed in are ignored!
3047         */
3048        lookup_flags &= LOOKUP_REVAL;
3049
3050        error = do_path_lookup(dfd, pathname, LOOKUP_PARENT|lookup_flags, &nd);
3051        if (error)
3052                return ERR_PTR(error);
3053
3054        /*
3055         * Yucky last component or no last component at all?
3056         * (foo/., foo/.., /////)
3057         */
3058        if (nd.last_type != LAST_NORM)
3059                goto out;
3060        nd.flags &= ~LOOKUP_PARENT;
3061        nd.flags |= LOOKUP_CREATE | LOOKUP_EXCL;
3062
3063        /* don't fail immediately if it's r/o, at least try to report other errors */
3064        err2 = mnt_want_write(nd.path.mnt);
3065        /*
3066         * Do the final lookup.
3067         */
3068        mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
3069        dentry = lookup_hash(&nd);
3070        if (IS_ERR(dentry))
3071                goto unlock;
3072
3073        error = -EEXIST;
3074        if (dentry->d_inode)
3075                goto fail;
3076        /*
3077         * Special case - lookup gave negative, but... we had foo/bar/
3078         * From the vfs_mknod() POV we just have a negative dentry -
3079         * all is fine. Let's be bastards - you had / on the end, you've
3080         * been asking for (non-existent) directory. -ENOENT for you.
3081         */
3082        if (unlikely(!is_dir && nd.last.name[nd.last.len])) {
3083                error = -ENOENT;
3084                goto fail;
3085        }
3086        if (unlikely(err2)) {
3087                error = err2;
3088                goto fail;
3089        }
3090        *path = nd.path;
3091        return dentry;
3092fail:
3093        dput(dentry);
3094        dentry = ERR_PTR(error);
3095unlock:
3096        mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
3097        if (!err2)
3098                mnt_drop_write(nd.path.mnt);
3099out:
3100        path_put(&nd.path);
3101        return dentry;
3102}
3103EXPORT_SYMBOL(kern_path_create);
3104
3105void done_path_create(struct path *path, struct dentry *dentry)
3106{
3107        dput(dentry);
3108        mutex_unlock(&path->dentry->d_inode->i_mutex);
3109        mnt_drop_write(path->mnt);
3110        path_put(path);
3111}
3112EXPORT_SYMBOL(done_path_create);
3113
3114struct dentry *user_path_create(int dfd, const char __user *pathname,
3115                                struct path *path, unsigned int lookup_flags)
3116{
3117        struct filename *tmp = getname(pathname);
3118        struct dentry *res;
3119        if (IS_ERR(tmp))
3120                return ERR_CAST(tmp);
3121        res = kern_path_create(dfd, tmp->name, path, lookup_flags);
3122        putname(tmp);
3123        return res;
3124}
3125EXPORT_SYMBOL(user_path_create);
3126
3127int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3128{
3129        int error = may_create(dir, dentry);
3130
3131        if (error)
3132                return error;
3133
3134        if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
3135                return -EPERM;
3136
3137        if (!dir->i_op->mknod)
3138                return -EPERM;
3139
3140        error = devcgroup_inode_mknod(mode, dev);
3141        if (error)
3142                return error;
3143
3144        error = security_inode_mknod(dir, dentry, mode, dev);
3145        if (error)
3146                return error;
3147
3148        error = dir->i_op->mknod(dir, dentry, mode, dev);
3149        if (!error)
3150                fsnotify_create(dir, dentry);
3151        return error;
3152}
3153
3154static int may_mknod(umode_t mode)
3155{
3156        switch (mode & S_IFMT) {
3157        case S_IFREG:
3158        case S_IFCHR:
3159        case S_IFBLK:
3160        case S_IFIFO:
3161        case S_IFSOCK:
3162        case 0: /* zero mode translates to S_IFREG */
3163                return 0;
3164        case S_IFDIR:
3165                return -EPERM;
3166        default:
3167                return -EINVAL;
3168        }
3169}
3170
3171SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode,
3172                unsigned, dev)
3173{
3174        struct dentry *dentry;
3175        struct path path;
3176        int error;
3177        unsigned int lookup_flags = 0;
3178
3179        error = may_mknod(mode);
3180        if (error)
3181                return error;
3182retry:
3183        dentry = user_path_create(dfd, filename, &path, lookup_flags);
3184        if (IS_ERR(dentry))
3185                return PTR_ERR(dentry);
3186
3187        if (!IS_POSIXACL(path.dentry->d_inode))
3188                mode &= ~current_umask();
3189        error = security_path_mknod(&path, dentry, mode, dev);
3190        if (error)
3191                goto out;
3192        switch (mode & S_IFMT) {
3193                case 0: case S_IFREG:
3194                        error = vfs_create(path.dentry->d_inode,dentry,mode,true);
3195                        break;
3196                case S_IFCHR: case S_IFBLK:
3197                        error = vfs_mknod(path.dentry->d_inode,dentry,mode,
3198                                        new_decode_dev(dev));
3199                        break;
3200                case S_IFIFO: case S_IFSOCK:
3201                        error = vfs_mknod(path.dentry->d_inode,dentry,mode,0);
3202                        break;
3203        }
3204out:
3205        done_path_create(&path, dentry);
3206        if (retry_estale(error, lookup_flags)) {
3207                lookup_flags |= LOOKUP_REVAL;
3208                goto retry;
3209        }
3210        return error;
3211}
3212
3213SYSCALL_DEFINE3(mknod, const char __user *, filename, umode_t, mode, unsigned, dev)
3214{
3215        return sys_mknodat(AT_FDCWD, filename, mode, dev);
3216}
3217
3218int vfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
3219{
3220        int error = may_create(dir, dentry);
3221        unsigned max_links = dir->i_sb->s_max_links;
3222
3223        if (error)
3224                return error;
3225
3226        if (!dir->i_op->mkdir)
3227                return -EPERM;
3228
3229        mode &= (S_IRWXUGO|S_ISVTX);
3230        error = security_inode_mkdir(dir, dentry, mode);
3231        if (error)
3232                return error;
3233
3234        if (max_links && dir->i_nlink >= max_links)
3235                return -EMLINK;
3236
3237        error = dir->i_op->mkdir(dir, dentry, mode);
3238        if (!error)
3239                fsnotify_mkdir(dir, dentry);
3240        return error;
3241}
3242
3243SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode)
3244{
3245        struct dentry *dentry;
3246        struct path path;
3247        int error;
3248        unsigned int lookup_flags = LOOKUP_DIRECTORY;
3249
3250retry:
3251        dentry = user_path_create(dfd, pathname, &path, lookup_flags);
3252        if (IS_ERR(dentry))
3253                return PTR_ERR(dentry);
3254
3255        if (!IS_POSIXACL(path.dentry->d_inode))
3256                mode &= ~current_umask();
3257        error = security_path_mkdir(&path, dentry, mode);
3258        if (!error)
3259                error = vfs_mkdir(path.dentry->d_inode, dentry, mode);
3260        done_path_create(&path, dentry);
3261        if (retry_estale(error, lookup_flags)) {
3262                lookup_flags |= LOOKUP_REVAL;
3263                goto retry;
3264        }
3265        return error;
3266}
3267
3268SYSCALL_DEFINE2(mkdir, const char __user *, pathname, umode_t, mode)
3269{
3270        return sys_mkdirat(AT_FDCWD, pathname, mode);
3271}
3272
3273/*
3274 * The dentry_unhash() helper will try to drop the dentry early: we
3275 * should have a usage count of 1 if we're the only user of this
3276 * dentry, and if that is true (possibly after pruning the dcache),
3277 * then we drop the dentry now.
3278 *
3279 * A low-level filesystem can, if it choses, legally
3280 * do a
3281 *
3282 *      if (!d_unhashed(dentry))
3283 *              return -EBUSY;
3284 *
3285 * if it cannot handle the case of removing a directory
3286 * that is still in use by something else..
3287 */
3288void dentry_unhash(struct dentry *dentry)
3289{
3290        shrink_dcache_parent(dentry);
3291        spin_lock(&dentry->d_lock);
3292        if (dentry->d_count == 1)
3293                __d_drop(dentry);
3294        spin_unlock(&dentry->d_lock);
3295}
3296
3297int vfs_rmdir(struct inode *dir, struct dentry *dentry)
3298{
3299        int error = may_delete(dir, dentry, 1);
3300
3301        if (error)
3302                return error;
3303
3304        if (!dir->i_op->rmdir)
3305                return -EPERM;
3306
3307        dget(dentry);
3308        mutex_lock(&dentry->d_inode->i_mutex);
3309
3310        error = -EBUSY;
3311        if (d_mountpoint(dentry))
3312                goto out;
3313
3314        error = security_inode_rmdir(dir, dentry);
3315        if (error)
3316                goto out;
3317
3318        shrink_dcache_parent(dentry);
3319        error = dir->i_op->rmdir(dir, dentry);
3320        if (error)
3321                goto out;
3322
3323        dentry->d_inode->i_flags |= S_DEAD;
3324        dont_mount(dentry);
3325
3326out:
3327        mutex_unlock(&dentry->d_inode->i_mutex);
3328        dput(dentry);
3329        if (!error)
3330                d_delete(dentry);
3331        return error;
3332}
3333
3334static long do_rmdir(int dfd, const char __user *pathname)
3335{
3336        int error = 0;
3337        struct filename *name;
3338        struct dentry *dentry;
3339        struct nameidata nd;
3340        unsigned int lookup_flags = 0;
3341retry:
3342        name = user_path_parent(dfd, pathname, &nd, lookup_flags);
3343        if (IS_ERR(name))
3344                return PTR_ERR(name);
3345
3346        switch(nd.last_type) {
3347        case LAST_DOTDOT:
3348                error = -ENOTEMPTY;
3349                goto exit1;
3350        case LAST_DOT:
3351                error = -EINVAL;
3352                goto exit1;
3353        case LAST_ROOT:
3354                error = -EBUSY;
3355                goto exit1;
3356        }
3357
3358        nd.flags &= ~LOOKUP_PARENT;
3359        error = mnt_want_write(nd.path.mnt);
3360        if (error)
3361                goto exit1;
3362
3363        mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
3364        dentry = lookup_hash(&nd);
3365        error = PTR_ERR(dentry);
3366        if (IS_ERR(dentry))
3367                goto exit2;
3368        if (!dentry->d_inode) {
3369                error = -ENOENT;
3370                goto exit3;
3371        }
3372        error = security_path_rmdir(&nd.path, dentry);
3373        if (error)
3374                goto exit3;
3375        error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
3376exit3:
3377        dput(dentry);
3378exit2:
3379        mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
3380        mnt_drop_write(nd.path.mnt);
3381exit1:
3382        path_put(&nd.path);
3383        putname(name);
3384        if (retry_estale(error, lookup_flags)) {
3385                lookup_flags |= LOOKUP_REVAL;
3386                goto retry;
3387        }
3388        return error;
3389}
3390
3391SYSCALL_DEFINE1(rmdir, const char __user *, pathname)
3392{
3393        return do_rmdir(AT_FDCWD, pathname);
3394}
3395
3396int vfs_unlink(struct inode *dir, struct dentry *dentry)
3397{
3398        int error = may_delete(dir, dentry, 0);
3399
3400        if (error)
3401                return error;
3402
3403        if (!dir->i_op->unlink)
3404                return -EPERM;
3405
3406        mutex_lock(&dentry->d_inode->i_mutex);
3407        if (d_mountpoint(dentry))
3408                error = -EBUSY;
3409        else {
3410                error = security_inode_unlink(dir, dentry);
3411                if (!error) {
3412                        error = dir->i_op->unlink(dir, dentry);
3413                        if (!error)
3414                                dont_mount(dentry);
3415                }
3416        }
3417        mutex_unlock(&dentry->d_inode->i_mutex);
3418
3419        /* We don't d_delete() NFS sillyrenamed files--they still exist. */
3420        if (!error && !(dentry->d_flags & DCACHE_NFSFS_RENAMED)) {
3421                fsnotify_link_count(dentry->d_inode);
3422                d_delete(dentry);
3423        }
3424
3425        return error;
3426}
3427
3428/*
3429 * Make sure that the actual truncation of the file will occur outside its
3430 * directory's i_mutex.  Truncate can take a long time if there is a lot of
3431 * writeout happening, and we don't want to prevent access to the directory
3432 * while waiting on the I/O.
3433 */
3434static long do_unlinkat(int dfd, const char __user *pathname)
3435{
3436        int error;
3437        struct filename *name;
3438        struct dentry *dentry;
3439        struct nameidata nd;
3440        struct inode *inode = NULL;
3441        unsigned int lookup_flags = 0;
3442retry:
3443        name = user_path_parent(dfd, pathname, &nd, lookup_flags);
3444        if (IS_ERR(name))
3445                return PTR_ERR(name);
3446
3447        error = -EISDIR;
3448        if (nd.last_type != LAST_NORM)
3449                goto exit1;
3450
3451        nd.flags &= ~LOOKUP_PARENT;
3452        error = mnt_want_write(nd.path.mnt);
3453        if (error)
3454                goto exit1;
3455
3456        mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
3457        dentry = lookup_hash(&nd);
3458        error = PTR_ERR(dentry);
3459        if (!IS_ERR(dentry)) {
3460                /* Why not before? Because we want correct error value */
3461                if (nd.last.name[nd.last.len])
3462                        goto slashes;
3463                inode = dentry->d_inode;
3464                if (!inode)
3465                        goto slashes;
3466                ihold(inode);
3467                error = security_path_unlink(&nd.path, dentry);
3468                if (error)
3469                        goto exit2;
3470                error = vfs_unlink(nd.path.dentry->d_inode, dentry);
3471exit2:
3472                dput(dentry);
3473        }
3474        mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
3475        if (inode)
3476                iput(inode);    /* truncate the inode here */
3477        mnt_drop_write(nd.path.mnt);
3478exit1:
3479        path_put(&nd.path);
3480        putname(name);
3481        if (retry_estale(error, lookup_flags)) {
3482                lookup_flags |= LOOKUP_REVAL;
3483                inode = NULL;
3484                goto retry;
3485        }
3486        return error;
3487
3488slashes:
3489        error = !dentry->d_inode ? -ENOENT :
3490                S_ISDIR(dentry->d_inode->i_mode) ? -EISDIR : -ENOTDIR;
3491        goto exit2;
3492}
3493
3494SYSCALL_DEFINE3(unlinkat, int, dfd, const char __user *, pathname, int, flag)
3495{
3496        if ((flag & ~AT_REMOVEDIR) != 0)
3497                return -EINVAL;
3498
3499        if (flag & AT_REMOVEDIR)
3500                return do_rmdir(dfd, pathname);
3501
3502        return do_unlinkat(dfd, pathname);
3503}
3504
3505SYSCALL_DEFINE1(unlink, const char __user *, pathname)
3506{
3507        return do_unlinkat(AT_FDCWD, pathname);
3508}
3509
3510int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname)
3511{
3512        int error = may_create(dir, dentry);
3513
3514        if (error)
3515                return error;
3516
3517        if (!dir->i_op->symlink)
3518                return -EPERM;
3519
3520        error = security_inode_symlink(dir, dentry, oldname);
3521        if (error)
3522                return error;
3523
3524        error = dir->i_op->symlink(dir, dentry, oldname);
3525        if (!error)
3526                fsnotify_create(dir, dentry);
3527        return error;
3528}
3529
3530SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
3531                int, newdfd, const char __user *, newname)
3532{
3533        int error;
3534        struct filename *from;
3535        struct dentry *dentry;
3536        struct path path;
3537        unsigned int lookup_flags = 0;
3538
3539        from = getname(oldname);
3540        if (IS_ERR(from))
3541                return PTR_ERR(from);
3542retry:
3543        dentry = user_path_create(newdfd, newname, &path, lookup_flags);
3544        error = PTR_ERR(dentry);
3545        if (IS_ERR(dentry))
3546                goto out_putname;
3547
3548        error = security_path_symlink(&path, dentry, from->name);
3549        if (!error)
3550                error = vfs_symlink(path.dentry->d_inode, dentry, from->name);
3551        done_path_create(&path, dentry);
3552        if (retry_estale(error, lookup_flags)) {
3553                lookup_flags |= LOOKUP_REVAL;
3554                goto retry;
3555        }
3556out_putname:
3557        putname(from);
3558        return error;
3559}
3560
3561SYSCALL_DEFINE2(symlink, const char __user *, oldname, const char __user *, newname)
3562{
3563        return sys_symlinkat(oldname, AT_FDCWD, newname);
3564}
3565
3566int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3567{
3568        struct inode *inode = old_dentry->d_inode;
3569        unsigned max_links = dir->i_sb->s_max_links;
3570        int error;
3571
3572        if (!inode)
3573                return -ENOENT;
3574
3575        error = may_create(dir, new_dentry);
3576        if (error)
3577                return error;
3578
3579        if (dir->i_sb != inode->i_sb)
3580                return -EXDEV;
3581
3582        /*
3583         * A link to an append-only or immutable file cannot be created.
3584         */
3585        if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
3586                return -EPERM;
3587        if (!dir->i_op->link)
3588                return -EPERM;
3589        if (S_ISDIR(inode->i_mode))
3590                return -EPERM;
3591
3592        error = security_inode_link(old_dentry, dir, new_dentry);
3593        if (error)
3594                return error;
3595
3596        mutex_lock(&inode->i_mutex);
3597        /* Make sure we don't allow creating hardlink to an unlinked file */
3598        if (inode->i_nlink == 0)
3599                error =  -ENOENT;
3600        else if (max_links && inode->i_nlink >= max_links)
3601                error = -EMLINK;
3602        else
3603                error = dir->i_op->link(old_dentry, dir, new_dentry);
3604        mutex_unlock(&inode->i_mutex);
3605        if (!error)
3606                fsnotify_link(dir, inode, new_dentry);
3607        return error;
3608}
3609
3610/*
3611 * Hardlinks are often used in delicate situations.  We avoid
3612 * security-related surprises by not following symlinks on the
3613 * newname.  --KAB
3614 *
3615 * We don't follow them on the oldname either to be compatible
3616 * with linux 2.0, and to avoid hard-linking to directories
3617 * and other special files.  --ADM
3618 */
3619SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
3620                int, newdfd, const char __user *, newname, int, flags)
3621{
3622        struct dentry *new_dentry;
3623        struct path old_path, new_path;
3624        int how = 0;
3625        int error;
3626
3627        if ((flags & ~(AT_SYMLINK_FOLLOW | AT_EMPTY_PATH)) != 0)
3628                return -EINVAL;
3629        /*
3630         * To use null names we require CAP_DAC_READ_SEARCH
3631         * This ensures that not everyone will be able to create
3632         * handlink using the passed filedescriptor.
3633         */
3634        if (flags & AT_EMPTY_PATH) {
3635                if (!capable(CAP_DAC_READ_SEARCH))
3636                        return -ENOENT;
3637                how = LOOKUP_EMPTY;
3638        }
3639
3640        if (flags & AT_SYMLINK_FOLLOW)
3641                how |= LOOKUP_FOLLOW;
3642retry:
3643        error = user_path_at(olddfd, oldname, how, &old_path);
3644        if (error)
3645                return error;
3646
3647        new_dentry = user_path_create(newdfd, newname, &new_path,
3648                                        (how & LOOKUP_REVAL));
3649        error = PTR_ERR(new_dentry);
3650        if (IS_ERR(new_dentry))
3651                goto out;
3652
3653        error = -EXDEV;
3654        if (old_path.mnt != new_path.mnt)
3655                goto out_dput;
3656        error = may_linkat(&old_path);
3657        if (unlikely(error))
3658                goto out_dput;
3659        error = security_path_link(old_path.dentry, &new_path, new_dentry);
3660        if (error)
3661                goto out_dput;
3662        error = vfs_link(old_path.dentry, new_path.dentry->d_inode, new_dentry);
3663out_dput:
3664        done_path_create(&new_path, new_dentry);
3665        if (retry_estale(error, how)) {
3666                how |= LOOKUP_REVAL;
3667                goto retry;
3668        }
3669out:
3670        path_put(&old_path);
3671
3672        return error;
3673}
3674
3675SYSCALL_DEFINE2(link, const char __user *, oldname, const char __user *, newname)
3676{
3677        return sys_linkat(AT_FDCWD, oldname, AT_FDCWD, newname, 0);
3678}
3679
3680/*
3681 * The worst of all namespace operations - renaming directory. "Perverted"
3682 * doesn't even start to describe it. Somebody in UCB had a heck of a trip...
3683 * Problems:
3684 *      a) we can get into loop creation. Check is done in is_subdir().
3685 *      b) race potential - two innocent renames can create a loop together.
3686 *         That's where 4.4 screws up. Current fix: serialization on
3687 *         sb->s_vfs_rename_mutex. We might be more accurate, but that's another
3688 *         story.
3689 *      c) we have to lock _three_ objects - parents and victim (if it exists).
3690 *         And that - after we got ->i_mutex on parents (until then we don't know
3691 *         whether the target exists).  Solution: try to be smart with locking
3692 *         order for inodes.  We rely on the fact that tree topology may change
3693 *         only under ->s_vfs_rename_mutex _and_ that parent of the object we
3694 *         move will be locked.  Thus we can rank directories by the tree
3695 *         (ancestors first) and rank all non-directories after them.
3696 *         That works since everybody except rename does "lock parent, lookup,
3697 *         lock child" and rename is under ->s_vfs_rename_mutex.
3698 *         HOWEVER, it relies on the assumption that any object with ->lookup()
3699 *         has no more than 1 dentry.  If "hybrid" objects will ever appear,
3700 *         we'd better make sure that there's no link(2) for them.
3701 *      d) conversion from fhandle to dentry may come in the wrong moment - when
3702 *         we are removing the target. Solution: we will have to grab ->i_mutex
3703 *         in the fhandle_to_dentry code. [FIXME - current nfsfh.c relies on
3704 *         ->i_mutex on parents, which works but leads to some truly excessive
3705 *         locking].
3706 */
3707static int vfs_rename_dir(struct inode *old_dir, struct dentry *old_dentry,
3708                          struct inode *new_dir, struct dentry *new_dentry)
3709{
3710        int error = 0;
3711        struct inode *target = new_dentry->d_inode;
3712        unsigned max_links = new_dir->i_sb->s_max_links;
3713
3714        /*
3715         * If we are going to change the parent - check write permissions,
3716         * we'll need to flip '..'.
3717         */
3718        if (new_dir != old_dir) {
3719                error = inode_permission(old_dentry->d_inode, MAY_WRITE);
3720                if (error)
3721                        return error;
3722        }
3723
3724        error = security_inode_rename(old_dir, old_dentry, new_dir, new_dentry);
3725        if (error)
3726                return error;
3727
3728        dget(new_dentry);
3729        if (target)
3730                mutex_lock(&target->i_mutex);
3731
3732        error = -EBUSY;
3733        if (d_mountpoint(old_dentry) || d_mountpoint(new_dentry))
3734                goto out;
3735
3736        error = -EMLINK;
3737        if (max_links && !target && new_dir != old_dir &&
3738            new_dir->i_nlink >= max_links)
3739                goto out;
3740
3741        if (target)
3742                shrink_dcache_parent(new_dentry);
3743        error = old_dir->i_op->rename(old_dir, old_dentry, new_dir, new_dentry);
3744        if (error)
3745                goto out;
3746
3747        if (target) {
3748                target->i_flags |= S_DEAD;
3749                dont_mount(new_dentry);
3750        }
3751out:
3752        if (target)
3753                mutex_unlock(&target->i_mutex);
3754        dput(new_dentry);
3755        if (!error)
3756                if (!(old_dir->i_sb->s_type->fs_flags & FS_RENAME_DOES_D_MOVE))
3757                        d_move(old_dentry,new_dentry);
3758        return error;
3759}
3760
3761static int vfs_rename_other(struct inode *old_dir, struct dentry *old_dentry,
3762                            struct inode *new_dir, struct dentry *new_dentry)
3763{
3764        struct inode *target = new_dentry->d_inode;
3765        int error;
3766
3767        error = security_inode_rename(old_dir, old_dentry, new_dir, new_dentry);
3768        if (error)
3769                return error;
3770
3771        dget(new_dentry);
3772        if (target)
3773                mutex_lock(&target->i_mutex);
3774
3775        error = -EBUSY;
3776        if (d_mountpoint(old_dentry)||d_mountpoint(new_dentry))
3777                goto out;
3778
3779        error = old_dir->i_op->rename(old_dir, old_dentry, new_dir, new_dentry);
3780        if (error)
3781                goto out;
3782
3783        if (target)
3784                dont_mount(new_dentry);
3785        if (!(old_dir->i_sb->s_type->fs_flags & FS_RENAME_DOES_D_MOVE))
3786                d_move(old_dentry, new_dentry);
3787out:
3788        if (target)
3789                mutex_unlock(&target->i_mutex);
3790        dput(new_dentry);
3791        return error;
3792}
3793
3794int vfs_rename(struct inode *old_dir, struct dentry *old_dentry,
3795               struct inode *new_dir, struct dentry *new_dentry)
3796{
3797        int error;
3798        int is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
3799        const unsigned char *old_name;
3800
3801        if (old_dentry->d_inode == new_dentry->d_inode)
3802                return 0;
3803 
3804        error = may_delete(old_dir, old_dentry, is_dir);
3805        if (error)
3806                return error;
3807
3808        if (!new_dentry->d_inode)
3809                error = may_create(new_dir, new_dentry);
3810        else
3811                error = may_delete(new_dir, new_dentry, is_dir);
3812        if (error)
3813                return error;
3814
3815        if (!old_dir->i_op->rename)
3816                return -EPERM;
3817
3818        old_name = fsnotify_oldname_init(old_dentry->d_name.name);
3819
3820        if (is_dir)
3821                error = vfs_rename_dir(old_dir,old_dentry,new_dir,new_dentry);
3822        else
3823                error = vfs_rename_other(old_dir,old_dentry,new_dir,new_dentry);
3824        if (!error)
3825                fsnotify_move(old_dir, new_dir, old_name, is_dir,
3826                              new_dentry->d_inode, old_dentry);
3827        fsnotify_oldname_free(old_name);
3828
3829        return error;
3830}
3831
3832SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
3833                int, newdfd, const char __user *, newname)
3834{
3835        struct dentry *old_dir, *new_dir;
3836        struct dentry *old_dentry, *new_dentry;
3837        struct dentry *trap;
3838        struct nameidata oldnd, newnd;
3839        struct filename *from;
3840        struct filename *to;
3841        unsigned int lookup_flags = 0;
3842        bool should_retry = false;
3843        int error;
3844retry:
3845        from = user_path_parent(olddfd, oldname, &oldnd, lookup_flags);
3846        if (IS_ERR(from)) {
3847                error = PTR_ERR(from);
3848                goto exit;
3849        }
3850
3851        to = user_path_parent(newdfd, newname, &newnd, lookup_flags);
3852        if (IS_ERR(to)) {
3853                error = PTR_ERR(to);
3854                goto exit1;
3855        }
3856
3857        error = -EXDEV;
3858        if (oldnd.path.mnt != newnd.path.mnt)
3859                goto exit2;
3860
3861        old_dir = oldnd.path.dentry;
3862        error = -EBUSY;
3863        if (oldnd.last_type != LAST_NORM)
3864                goto exit2;
3865
3866        new_dir = newnd.path.dentry;
3867        if (newnd.last_type != LAST_NORM)
3868                goto exit2;
3869
3870        error = mnt_want_write(oldnd.path.mnt);
3871        if (error)
3872                goto exit2;
3873
3874        oldnd.flags &= ~LOOKUP_PARENT;
3875        newnd.flags &= ~LOOKUP_PARENT;
3876        newnd.flags |= LOOKUP_RENAME_TARGET;
3877
3878        trap = lock_rename(new_dir, old_dir);
3879
3880        old_dentry = lookup_hash(&oldnd);
3881        error = PTR_ERR(old_dentry);
3882        if (IS_ERR(old_dentry))
3883                goto exit3;
3884        /* source must exist */
3885        error = -ENOENT;
3886        if (!old_dentry->d_inode)
3887                goto exit4;
3888        /* unless the source is a directory trailing slashes give -ENOTDIR */
3889        if (!S_ISDIR(old_dentry->d_inode->i_mode)) {
3890                error = -ENOTDIR;
3891                if (oldnd.last.name[oldnd.last.len])
3892                        goto exit4;
3893                if (newnd.last.name[newnd.last.len])
3894                        goto exit4;
3895        }
3896        /* source should not be ancestor of target */
3897        error = -EINVAL;
3898        if (old_dentry == trap)
3899                goto exit4;
3900        new_dentry = lookup_hash(&newnd);
3901        error = PTR_ERR(new_dentry);
3902        if (IS_ERR(new_dentry))
3903                goto exit4;
3904        /* target should not be an ancestor of source */
3905        error = -ENOTEMPTY;
3906        if (new_dentry == trap)
3907                goto exit5;
3908
3909        error = security_path_rename(&oldnd.path, old_dentry,
3910                                     &newnd.path, new_dentry);
3911        if (error)
3912                goto exit5;
3913        error = vfs_rename(old_dir->d_inode, old_dentry,
3914                                   new_dir->d_inode, new_dentry);
3915exit5:
3916        dput(new_dentry);
3917exit4:
3918        dput(old_dentry);
3919exit3:
3920        unlock_rename(new_dir, old_dir);
3921        mnt_drop_write(oldnd.path.mnt);
3922exit2:
3923        if (retry_estale(error, lookup_flags))
3924                should_retry = true;
3925        path_put(&newnd.path);
3926        putname(to);
3927exit1:
3928        path_put(&oldnd.path);
3929        putname(from);
3930        if (should_retry) {
3931                should_retry = false;
3932                lookup_flags |= LOOKUP_REVAL;
3933                goto retry;
3934        }
3935exit:
3936        return error;
3937}
3938
3939SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newname)
3940{
3941        return sys_renameat(AT_FDCWD, oldname, AT_FDCWD, newname);
3942}
3943
3944int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
3945{
3946        int len;
3947
3948        len = PTR_ERR(link);
3949        if (IS_ERR(link))
3950                goto out;
3951
3952        len = strlen(link);
3953        if (len > (unsigned) buflen)
3954                len = buflen;
3955        if (copy_to_user(buffer, link, len))
3956                len = -EFAULT;
3957out:
3958        return len;
3959}
3960
3961/*
3962 * A helper for ->readlink().  This should be used *ONLY* for symlinks that
3963 * have ->follow_link() touching nd only in nd_set_link().  Using (or not
3964 * using) it for any given inode is up to filesystem.
3965 */
3966int generic_readlink(struct dentry *dentry, char __user *buffer, int buflen)
3967{
3968        struct nameidata nd;
3969        void *cookie;
3970        int res;
3971
3972        nd.depth = 0;
3973        cookie = dentry->d_inode->i_op->follow_link(dentry, &nd);
3974        if (IS_ERR(cookie))
3975                return PTR_ERR(cookie);
3976
3977        res = vfs_readlink(dentry, buffer, buflen, nd_get_link(&nd));
3978        if (dentry->d_inode->i_op->put_link)
3979                dentry->d_inode->i_op->put_link(dentry, &nd, cookie);
3980        return res;
3981}
3982
3983int vfs_follow_link(struct nameidata *nd, const char *link)
3984{
3985        return __vfs_follow_link(nd, link);
3986}
3987
3988/* get the link contents into pagecache */
3989static char *page_getlink(struct dentry * dentry, struct page **ppage)
3990{
3991        char *kaddr;
3992        struct page *page;
3993        struct address_space *mapping = dentry->d_inode->i_mapping;
3994        page = read_mapping_page(mapping, 0, NULL);
3995        if (IS_ERR(page))
3996                return (char*)page;
3997        *ppage = page;
3998        kaddr = kmap(page);
3999        nd_terminate_link(kaddr, dentry->d_inode->i_size, PAGE_SIZE - 1);
4000        return kaddr;
4001}
4002
4003int page_readlink(struct dentry *dentry, char __user *buffer, int buflen)
4004{
4005        struct page *page = NULL;
4006        char *s = page_getlink(dentry, &page);
4007        int res = vfs_readlink(dentry,buffer,buflen,s);
4008        if (page) {
4009                kunmap(page);
4010                page_cache_release(page);
4011        }
4012        return res;
4013}
4014
4015void *page_follow_link_light(struct dentry *dentry, struct nameidata *nd)
4016{
4017        struct page *page = NULL;
4018        nd_set_link(nd, page_getlink(dentry, &page));
4019        return page;
4020}
4021
4022void page_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
4023{
4024        struct page *page = cookie;
4025
4026        if (page) {
4027                kunmap(page);
4028                page_cache_release(page);
4029        }
4030}
4031
4032/*
4033 * The nofs argument instructs pagecache_write_begin to pass AOP_FLAG_NOFS
4034 */
4035int __page_symlink(struct inode *inode, const char *symname, int len, int nofs)
4036{
4037        struct address_space *mapping = inode->i_mapping;
4038        struct page *page;
4039        void *fsdata;
4040        int err;
4041        char *kaddr;
4042        unsigned int flags = AOP_FLAG_UNINTERRUPTIBLE;
4043        if (nofs)
4044                flags |= AOP_FLAG_NOFS;
4045
4046retry:
4047        err = pagecache_write_begin(NULL, mapping, 0, len-1,
4048                                flags, &page, &fsdata);
4049        if (err)
4050                goto fail;
4051
4052        kaddr = kmap_atomic(page);
4053        memcpy(kaddr, symname, len-1);
4054        kunmap_atomic(kaddr);
4055
4056        err = pagecache_write_end(NULL, mapping, 0, len-1, len-1,
4057                                                        page, fsdata);
4058        if (err < 0)
4059                goto fail;
4060        if (err < len-1)
4061                goto retry;
4062
4063        mark_inode_dirty(inode);
4064        return 0;
4065fail:
4066        return err;
4067}
4068
4069int page_symlink(struct inode *inode, const char *symname, int len)
4070{
4071        return __page_symlink(inode, symname, len,
4072                        !(mapping_gfp_mask(inode->i_mapping) & __GFP_FS));
4073}
4074
4075const struct inode_operations page_symlink_inode_operations = {
4076        .readlink       = generic_readlink,
4077        .follow_link    = page_follow_link_light,
4078        .put_link       = page_put_link,
4079};
4080
4081EXPORT_SYMBOL(user_path_at);
4082EXPORT_SYMBOL(follow_down_one);
4083EXPORT_SYMBOL(follow_down);
4084EXPORT_SYMBOL(follow_up);
4085EXPORT_SYMBOL(get_write_access); /* nfsd */
4086EXPORT_SYMBOL(lock_rename);
4087EXPORT_SYMBOL(lookup_one_len);
4088EXPORT_SYMBOL(page_follow_link_light);
4089EXPORT_SYMBOL(page_put_link);
4090EXPORT_SYMBOL(page_readlink);
4091EXPORT_SYMBOL(__page_symlink);
4092EXPORT_SYMBOL(page_symlink);
4093EXPORT_SYMBOL(page_symlink_inode_operations);
4094EXPORT_SYMBOL(kern_path);
4095EXPORT_SYMBOL(vfs_path_lookup);
4096EXPORT_SYMBOL(inode_permission);
4097EXPORT_SYMBOL(unlock_rename);
4098EXPORT_SYMBOL(vfs_create);
4099EXPORT_SYMBOL(vfs_follow_link);
4100EXPORT_SYMBOL(vfs_link);
4101EXPORT_SYMBOL(vfs_mkdir);
4102EXPORT_SYMBOL(vfs_mknod);
4103EXPORT_SYMBOL(generic_permission);
4104EXPORT_SYMBOL(vfs_readlink);
4105EXPORT_SYMBOL(vfs_rename);
4106EXPORT_SYMBOL(vfs_rmdir);
4107EXPORT_SYMBOL(vfs_symlink);
4108EXPORT_SYMBOL(vfs_unlink);
4109EXPORT_SYMBOL(dentry_unhash);
4110EXPORT_SYMBOL(generic_readlink);
4111
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.