4 * Copyright (C) 1991, 1992 Linus Torvalds
8 * Some corrections by tytso.
11 /* [Feb 1997 T. Schoebel-Theuer] Complete rewrite of the pathname
14 /* [Feb-Apr 2000, AV] Rewrite to the new namespace architecture.
17 #include <linux/init.h>
18 #include <linux/export.h>
19 #include <linux/kernel.h>
20 #include <linux/slab.h>
22 #include <linux/namei.h>
23 #include <linux/pagemap.h>
24 #include <linux/fsnotify.h>
25 #include <linux/personality.h>
26 #include <linux/security.h>
27 #include <linux/ima.h>
28 #include <linux/syscalls.h>
29 #include <linux/mount.h>
30 #include <linux/audit.h>
31 #include <linux/capability.h>
32 #include <linux/file.h>
33 #include <linux/fcntl.h>
34 #include <linux/device_cgroup.h>
35 #include <linux/fs_struct.h>
36 #include <linux/posix_acl.h>
37 #include <linux/hash.h>
38 #include <asm/uaccess.h>
43 /* [Feb-1997 T. Schoebel-Theuer]
44 * Fundamental changes in the pathname lookup mechanisms (namei)
45 * were necessary because of omirr. The reason is that omirr needs
46 * to know the _real_ pathname, not the user-supplied one, in case
47 * of symlinks (and also when transname replacements occur).
49 * The new code replaces the old recursive symlink resolution with
50 * an iterative one (in case of non-nested symlink chains). It does
51 * this with calls to <fs>_follow_link().
52 * As a side effect, dir_namei(), _namei() and follow_link() are now
53 * replaced with a single function lookup_dentry() that can handle all
54 * the special cases of the former code.
56 * With the new dcache, the pathname is stored at each inode, at least as
57 * long as the refcount of the inode is positive. As a side effect, the
58 * size of the dcache depends on the inode cache and thus is dynamic.
60 * [29-Apr-1998 C. Scott Ananian] Updated above description of symlink
61 * resolution to correspond with current state of the code.
63 * Note that the symlink resolution is not *completely* iterative.
64 * There is still a significant amount of tail- and mid- recursion in
65 * the algorithm. Also, note that <fs>_readlink() is not used in
66 * lookup_dentry(): lookup_dentry() on the result of <fs>_readlink()
67 * may return different results than <fs>_follow_link(). Many virtual
68 * filesystems (including /proc) exhibit this behavior.
71 /* [24-Feb-97 T. Schoebel-Theuer] Side effects caused by new implementation:
72 * New symlink semantics: when open() is called with flags O_CREAT | O_EXCL
73 * and the name already exists in form of a symlink, try to create the new
74 * name indicated by the symlink. The old code always complained that the
75 * name already exists, due to not following the symlink even if its target
76 * is nonexistent. The new semantics affects also mknod() and link() when
77 * the name is a symlink pointing to a non-existent name.
79 * I don't know which semantics is the right one, since I have no access
80 * to standards. But I found by trial that HP-UX 9.0 has the full "new"
81 * semantics implemented, while SunOS 4.1.1 and Solaris (SunOS 5.4) have the
82 * "old" one. Personally, I think the new semantics is much more logical.
83 * Note that "ln old new" where "new" is a symlink pointing to a non-existing
84 * file does succeed in both HP-UX and SunOs, but not in Solaris
85 * and in the old Linux semantics.
88 /* [16-Dec-97 Kevin Buhr] For security reasons, we change some symlink
89 * semantics. See the comments in "open_namei" and "do_link" below.
91 * [10-Sep-98 Alan Modra] Another symlink change.
94 /* [Feb-Apr 2000 AV] Complete rewrite. Rules for symlinks:
95 * inside the path - always follow.
96 * in the last component in creation/removal/renaming - never follow.
97 * if LOOKUP_FOLLOW passed - follow.
98 * if the pathname has trailing slashes - follow.
99 * otherwise - don't follow.
100 * (applied in that order).
102 * [Jun 2000 AV] Inconsistent behaviour of open() in case if flags==O_CREAT
103 * restored for 2.4. This is the last surviving part of old 4.2BSD bug.
104 * During the 2.4 we need to fix the userland stuff depending on it -
105 * hopefully we will be able to get rid of that wart in 2.5. So far only
106 * XEmacs seems to be relying on it...
109 * [Sep 2001 AV] Single-semaphore locking scheme (kudos to David Holland)
110 * implemented. Let's see if raised priority of ->s_vfs_rename_mutex gives
111 * any extra contention...
114 /* In order to reduce some races, while at the same time doing additional
115 * checking and hopefully speeding things up, we copy filenames to the
116 * kernel data space before using them..
118 * POSIX.1 2.4: an empty pathname is invalid (ENOENT).
119 * PATH_MAX includes the nul terminator --RR.
122 #define EMBEDDED_NAME_MAX (PATH_MAX - offsetof(struct filename, iname))
125 getname_flags(const char __user *filename, int flags, int *empty)
127 struct filename *result;
131 result = audit_reusename(filename);
135 result = __getname();
136 if (unlikely(!result))
137 return ERR_PTR(-ENOMEM);
140 * First, try to embed the struct filename inside the names_cache
143 kname = (char *)result->iname;
144 result->name = kname;
146 len = strncpy_from_user(kname, filename, EMBEDDED_NAME_MAX);
147 if (unlikely(len < 0)) {
153 * Uh-oh. We have a name that's approaching PATH_MAX. Allocate a
154 * separate struct filename so we can dedicate the entire
155 * names_cache allocation for the pathname, and re-do the copy from
158 if (unlikely(len == EMBEDDED_NAME_MAX)) {
159 kname = (char *)result;
161 result = kzalloc(sizeof(*result), GFP_KERNEL);
162 if (unlikely(!result)) {
164 return ERR_PTR(-ENOMEM);
166 result->name = kname;
167 len = strncpy_from_user(kname, filename, PATH_MAX);
168 if (unlikely(len < 0)) {
173 if (unlikely(len == PATH_MAX)) {
176 return ERR_PTR(-ENAMETOOLONG);
181 /* The empty path is special. */
182 if (unlikely(!len)) {
185 if (!(flags & LOOKUP_EMPTY)) {
187 return ERR_PTR(-ENOENT);
191 result->uptr = filename;
192 result->aname = NULL;
193 audit_getname(result);
198 getname(const char __user * filename)
200 return getname_flags(filename, 0, NULL);
204 getname_kernel(const char * filename)
206 struct filename *result;
207 int len = strlen(filename) + 1;
209 result = __getname();
210 if (unlikely(!result))
211 return ERR_PTR(-ENOMEM);
213 if (len <= EMBEDDED_NAME_MAX) {
214 result->name = (char *)result->iname;
215 } else if (len <= PATH_MAX) {
216 struct filename *tmp;
218 tmp = kmalloc(sizeof(*tmp), GFP_KERNEL);
219 if (unlikely(!tmp)) {
221 return ERR_PTR(-ENOMEM);
223 tmp->name = (char *)result;
227 return ERR_PTR(-ENAMETOOLONG);
229 memcpy((char *)result->name, filename, len);
231 result->aname = NULL;
233 audit_getname(result);
238 void putname(struct filename *name)
240 BUG_ON(name->refcnt <= 0);
242 if (--name->refcnt > 0)
245 if (name->name != name->iname) {
246 __putname(name->name);
252 static int check_acl(struct inode *inode, int mask)
254 #ifdef CONFIG_FS_POSIX_ACL
255 struct posix_acl *acl;
257 if (mask & MAY_NOT_BLOCK) {
258 acl = get_cached_acl_rcu(inode, ACL_TYPE_ACCESS);
261 /* no ->get_acl() calls in RCU mode... */
262 if (acl == ACL_NOT_CACHED)
264 return posix_acl_permission(inode, acl, mask & ~MAY_NOT_BLOCK);
267 acl = get_acl(inode, ACL_TYPE_ACCESS);
271 int error = posix_acl_permission(inode, acl, mask);
272 posix_acl_release(acl);
281 * This does the basic permission checking
283 static int acl_permission_check(struct inode *inode, int mask)
285 unsigned int mode = inode->i_mode;
287 if (likely(uid_eq(current_fsuid(), inode->i_uid)))
290 if (IS_POSIXACL(inode) && (mode & S_IRWXG)) {
291 int error = check_acl(inode, mask);
292 if (error != -EAGAIN)
296 if (in_group_p(inode->i_gid))
301 * If the DACs are ok we don't need any capability check.
303 if ((mask & ~mode & (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0)
309 * generic_permission - check for access rights on a Posix-like filesystem
310 * @inode: inode to check access rights for
311 * @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC, ...)
313 * Used to check for read/write/execute permissions on a file.
314 * We use "fsuid" for this, letting us set arbitrary permissions
315 * for filesystem access without changing the "normal" uids which
316 * are used for other things.
318 * generic_permission is rcu-walk aware. It returns -ECHILD in case an rcu-walk
319 * request cannot be satisfied (eg. requires blocking or too much complexity).
320 * It would then be called again in ref-walk mode.
322 int generic_permission(struct inode *inode, int mask)
327 * Do the basic permission checks.
329 ret = acl_permission_check(inode, mask);
333 if (S_ISDIR(inode->i_mode)) {
334 /* DACs are overridable for directories */
335 if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
337 if (!(mask & MAY_WRITE))
338 if (capable_wrt_inode_uidgid(inode,
339 CAP_DAC_READ_SEARCH))
344 * Read/write DACs are always overridable.
345 * Executable DACs are overridable when there is
346 * at least one exec bit set.
348 if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
349 if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
353 * Searching includes executable on directories, else just read.
355 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
356 if (mask == MAY_READ)
357 if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
362 EXPORT_SYMBOL(generic_permission);
365 * We _really_ want to just do "generic_permission()" without
366 * even looking at the inode->i_op values. So we keep a cache
367 * flag in inode->i_opflags, that says "this has not special
368 * permission function, use the fast case".
370 static inline int do_inode_permission(struct inode *inode, int mask)
372 if (unlikely(!(inode->i_opflags & IOP_FASTPERM))) {
373 if (likely(inode->i_op->permission))
374 return inode->i_op->permission(inode, mask);
376 /* This gets set once for the inode lifetime */
377 spin_lock(&inode->i_lock);
378 inode->i_opflags |= IOP_FASTPERM;
379 spin_unlock(&inode->i_lock);
381 return generic_permission(inode, mask);
385 * __inode_permission - Check for access rights to a given inode
386 * @inode: Inode to check permission on
387 * @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
389 * Check for read/write/execute permissions on an inode.
391 * When checking for MAY_APPEND, MAY_WRITE must also be set in @mask.
393 * This does not check for a read-only file system. You probably want
394 * inode_permission().
396 int __inode_permission(struct inode *inode, int mask)
400 if (unlikely(mask & MAY_WRITE)) {
402 * Nobody gets write access to an immutable file.
404 if (IS_IMMUTABLE(inode))
408 retval = do_inode_permission(inode, mask);
412 retval = devcgroup_inode_permission(inode, mask);
416 return security_inode_permission(inode, mask);
418 EXPORT_SYMBOL(__inode_permission);
421 * sb_permission - Check superblock-level permissions
422 * @sb: Superblock of inode to check permission on
423 * @inode: Inode to check permission on
424 * @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
426 * Separate out file-system wide checks from inode-specific permission checks.
428 static int sb_permission(struct super_block *sb, struct inode *inode, int mask)
430 if (unlikely(mask & MAY_WRITE)) {
431 umode_t mode = inode->i_mode;
433 /* Nobody gets write access to a read-only fs. */
434 if ((sb->s_flags & MS_RDONLY) &&
435 (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode)))
442 * inode_permission - Check for access rights to a given inode
443 * @inode: Inode to check permission on
444 * @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
446 * Check for read/write/execute permissions on an inode. We use fs[ug]id for
447 * this, letting us set arbitrary permissions for filesystem access without
448 * changing the "normal" UIDs which are used for other things.
450 * When checking for MAY_APPEND, MAY_WRITE must also be set in @mask.
452 int inode_permission(struct inode *inode, int mask)
456 retval = sb_permission(inode->i_sb, inode, mask);
459 return __inode_permission(inode, mask);
461 EXPORT_SYMBOL(inode_permission);
464 * path_get - get a reference to a path
465 * @path: path to get the reference to
467 * Given a path increment the reference count to the dentry and the vfsmount.
469 void path_get(const struct path *path)
474 EXPORT_SYMBOL(path_get);
477 * path_put - put a reference to a path
478 * @path: path to put the reference to
480 * Given a path decrement the reference count to the dentry and the vfsmount.
482 void path_put(const struct path *path)
487 EXPORT_SYMBOL(path_put);
493 struct inode *inode; /* path.dentry.d_inode */
499 char *saved_names[MAX_NESTED_LINKS + 1];
503 * Path walking has 2 modes, rcu-walk and ref-walk (see
504 * Documentation/filesystems/path-lookup.txt). In situations when we can't
505 * continue in RCU mode, we attempt to drop out of rcu-walk mode and grab
506 * normal reference counts on dentries and vfsmounts to transition to rcu-walk
507 * mode. Refcounts are grabbed at the last known good point before rcu-walk
508 * got stuck, so ref-walk may continue from there. If this is not successful
509 * (eg. a seqcount has changed), then failure is returned and it's up to caller
510 * to restart the path walk from the beginning in ref-walk mode.
514 * unlazy_walk - try to switch to ref-walk mode.
515 * @nd: nameidata pathwalk data
516 * @dentry: child of nd->path.dentry or NULL
517 * Returns: 0 on success, -ECHILD on failure
519 * unlazy_walk attempts to legitimize the current nd->path, nd->root and dentry
520 * for ref-walk mode. @dentry must be a path found by a do_lookup call on
521 * @nd or NULL. Must be called from rcu-walk context.
523 static int unlazy_walk(struct nameidata *nd, struct dentry *dentry)
525 struct fs_struct *fs = current->fs;
526 struct dentry *parent = nd->path.dentry;
528 BUG_ON(!(nd->flags & LOOKUP_RCU));
531 * After legitimizing the bastards, terminate_walk()
532 * will do the right thing for non-RCU mode, and all our
533 * subsequent exit cases should rcu_read_unlock()
534 * before returning. Do vfsmount first; if dentry
535 * can't be legitimized, just set nd->path.dentry to NULL
536 * and rely on dput(NULL) being a no-op.
538 if (!legitimize_mnt(nd->path.mnt, nd->m_seq))
540 nd->flags &= ~LOOKUP_RCU;
542 if (!lockref_get_not_dead(&parent->d_lockref)) {
543 nd->path.dentry = NULL;
548 * For a negative lookup, the lookup sequence point is the parents
549 * sequence point, and it only needs to revalidate the parent dentry.
551 * For a positive lookup, we need to move both the parent and the
552 * dentry from the RCU domain to be properly refcounted. And the
553 * sequence number in the dentry validates *both* dentry counters,
554 * since we checked the sequence number of the parent after we got
555 * the child sequence number. So we know the parent must still
556 * be valid if the child sequence number is still valid.
559 if (read_seqcount_retry(&parent->d_seq, nd->seq))
561 BUG_ON(nd->inode != parent->d_inode);
563 if (!lockref_get_not_dead(&dentry->d_lockref))
565 if (read_seqcount_retry(&dentry->d_seq, nd->seq))
570 * Sequence counts matched. Now make sure that the root is
571 * still valid and get it if required.
573 if (nd->root.mnt && !(nd->flags & LOOKUP_ROOT)) {
574 spin_lock(&fs->lock);
575 if (nd->root.mnt != fs->root.mnt || nd->root.dentry != fs->root.dentry)
576 goto unlock_and_drop_dentry;
578 spin_unlock(&fs->lock);
584 unlock_and_drop_dentry:
585 spin_unlock(&fs->lock);
593 if (!(nd->flags & LOOKUP_ROOT))
598 static inline int d_revalidate(struct dentry *dentry, unsigned int flags)
600 return dentry->d_op->d_revalidate(dentry, flags);
604 * complete_walk - successful completion of path walk
605 * @nd: pointer nameidata
607 * If we had been in RCU mode, drop out of it and legitimize nd->path.
608 * Revalidate the final result, unless we'd already done that during
609 * the path walk or the filesystem doesn't ask for it. Return 0 on
610 * success, -error on failure. In case of failure caller does not
611 * need to drop nd->path.
613 static int complete_walk(struct nameidata *nd)
615 struct dentry *dentry = nd->path.dentry;
618 if (nd->flags & LOOKUP_RCU) {
619 nd->flags &= ~LOOKUP_RCU;
620 if (!(nd->flags & LOOKUP_ROOT))
623 if (!legitimize_mnt(nd->path.mnt, nd->m_seq)) {
627 if (unlikely(!lockref_get_not_dead(&dentry->d_lockref))) {
629 mntput(nd->path.mnt);
632 if (read_seqcount_retry(&dentry->d_seq, nd->seq)) {
635 mntput(nd->path.mnt);
641 if (likely(!(nd->flags & LOOKUP_JUMPED)))
644 if (likely(!(dentry->d_flags & DCACHE_OP_WEAK_REVALIDATE)))
647 status = dentry->d_op->d_weak_revalidate(dentry, nd->flags);
658 static __always_inline void set_root(struct nameidata *nd)
660 get_fs_root(current->fs, &nd->root);
663 static int link_path_walk(const char *, struct nameidata *);
665 static __always_inline unsigned set_root_rcu(struct nameidata *nd)
667 struct fs_struct *fs = current->fs;
671 seq = read_seqcount_begin(&fs->seq);
673 res = __read_seqcount_begin(&nd->root.dentry->d_seq);
674 } while (read_seqcount_retry(&fs->seq, seq));
678 static void path_put_conditional(struct path *path, struct nameidata *nd)
681 if (path->mnt != nd->path.mnt)
685 static inline void path_to_nameidata(const struct path *path,
686 struct nameidata *nd)
688 if (!(nd->flags & LOOKUP_RCU)) {
689 dput(nd->path.dentry);
690 if (nd->path.mnt != path->mnt)
691 mntput(nd->path.mnt);
693 nd->path.mnt = path->mnt;
694 nd->path.dentry = path->dentry;
698 * Helper to directly jump to a known parsed path from ->follow_link,
699 * caller must have taken a reference to path beforehand.
701 void nd_jump_link(struct nameidata *nd, struct path *path)
706 nd->inode = nd->path.dentry->d_inode;
707 nd->flags |= LOOKUP_JUMPED;
710 void nd_set_link(struct nameidata *nd, char *path)
712 nd->saved_names[nd->depth] = path;
714 EXPORT_SYMBOL(nd_set_link);
716 char *nd_get_link(struct nameidata *nd)
718 return nd->saved_names[nd->depth];
720 EXPORT_SYMBOL(nd_get_link);
722 static inline void put_link(struct nameidata *nd, struct path *link, void *cookie)
724 struct inode *inode = link->dentry->d_inode;
725 if (inode->i_op->put_link)
726 inode->i_op->put_link(link->dentry, nd, cookie);
730 int sysctl_protected_symlinks __read_mostly = 0;
731 int sysctl_protected_hardlinks __read_mostly = 0;
734 * may_follow_link - Check symlink following for unsafe situations
735 * @link: The path of the symlink
736 * @nd: nameidata pathwalk data
738 * In the case of the sysctl_protected_symlinks sysctl being enabled,
739 * CAP_DAC_OVERRIDE needs to be specifically ignored if the symlink is
740 * in a sticky world-writable directory. This is to protect privileged
741 * processes from failing races against path names that may change out
742 * from under them by way of other users creating malicious symlinks.
743 * It will permit symlinks to be followed only when outside a sticky
744 * world-writable directory, or when the uid of the symlink and follower
745 * match, or when the directory owner matches the symlink's owner.
747 * Returns 0 if following the symlink is allowed, -ve on error.
749 static inline int may_follow_link(struct path *link, struct nameidata *nd)
751 const struct inode *inode;
752 const struct inode *parent;
754 if (!sysctl_protected_symlinks)
757 /* Allowed if owner and follower match. */
758 inode = link->dentry->d_inode;
759 if (uid_eq(current_cred()->fsuid, inode->i_uid))
762 /* Allowed if parent directory not sticky and world-writable. */
763 parent = nd->path.dentry->d_inode;
764 if ((parent->i_mode & (S_ISVTX|S_IWOTH)) != (S_ISVTX|S_IWOTH))
767 /* Allowed if parent directory and link owner match. */
768 if (uid_eq(parent->i_uid, inode->i_uid))
771 audit_log_link_denied("follow_link", link);
772 path_put_conditional(link, nd);
778 * safe_hardlink_source - Check for safe hardlink conditions
779 * @inode: the source inode to hardlink from
781 * Return false if at least one of the following conditions:
782 * - inode is not a regular file
784 * - inode is setgid and group-exec
785 * - access failure for read and write
787 * Otherwise returns true.
789 static bool safe_hardlink_source(struct inode *inode)
791 umode_t mode = inode->i_mode;
793 /* Special files should not get pinned to the filesystem. */
797 /* Setuid files should not get pinned to the filesystem. */
801 /* Executable setgid files should not get pinned to the filesystem. */
802 if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
805 /* Hardlinking to unreadable or unwritable sources is dangerous. */
806 if (inode_permission(inode, MAY_READ | MAY_WRITE))
813 * may_linkat - Check permissions for creating a hardlink
814 * @link: the source to hardlink from
816 * Block hardlink when all of:
817 * - sysctl_protected_hardlinks enabled
818 * - fsuid does not match inode
819 * - hardlink source is unsafe (see safe_hardlink_source() above)
822 * Returns 0 if successful, -ve on error.
824 static int may_linkat(struct path *link)
826 const struct cred *cred;
829 if (!sysctl_protected_hardlinks)
832 cred = current_cred();
833 inode = link->dentry->d_inode;
835 /* Source inode owner (or CAP_FOWNER) can hardlink all they like,
836 * otherwise, it must be a safe source.
838 if (uid_eq(cred->fsuid, inode->i_uid) || safe_hardlink_source(inode) ||
842 audit_log_link_denied("linkat", link);
846 static __always_inline int
847 follow_link(struct path *link, struct nameidata *nd, void **p)
849 struct dentry *dentry = link->dentry;
853 BUG_ON(nd->flags & LOOKUP_RCU);
855 if (link->mnt == nd->path.mnt)
859 if (unlikely(current->total_link_count >= 40))
860 goto out_put_nd_path;
863 current->total_link_count++;
866 nd_set_link(nd, NULL);
868 error = security_inode_follow_link(link->dentry, nd);
870 goto out_put_nd_path;
872 nd->last_type = LAST_BIND;
873 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
876 goto out_put_nd_path;
881 if (unlikely(IS_ERR(s))) {
883 put_link(nd, link, *p);
892 nd->flags |= LOOKUP_JUMPED;
894 nd->inode = nd->path.dentry->d_inode;
895 error = link_path_walk(s, nd);
897 put_link(nd, link, *p);
909 static int follow_up_rcu(struct path *path)
911 struct mount *mnt = real_mount(path->mnt);
912 struct mount *parent;
913 struct dentry *mountpoint;
915 parent = mnt->mnt_parent;
916 if (&parent->mnt == path->mnt)
918 mountpoint = mnt->mnt_mountpoint;
919 path->dentry = mountpoint;
920 path->mnt = &parent->mnt;
925 * follow_up - Find the mountpoint of path's vfsmount
927 * Given a path, find the mountpoint of its source file system.
928 * Replace @path with the path of the mountpoint in the parent mount.
931 * Return 1 if we went up a level and 0 if we were already at the
934 int follow_up(struct path *path)
936 struct mount *mnt = real_mount(path->mnt);
937 struct mount *parent;
938 struct dentry *mountpoint;
940 read_seqlock_excl(&mount_lock);
941 parent = mnt->mnt_parent;
943 read_sequnlock_excl(&mount_lock);
946 mntget(&parent->mnt);
947 mountpoint = dget(mnt->mnt_mountpoint);
948 read_sequnlock_excl(&mount_lock);
950 path->dentry = mountpoint;
952 path->mnt = &parent->mnt;
955 EXPORT_SYMBOL(follow_up);
958 * Perform an automount
959 * - return -EISDIR to tell follow_managed() to stop and return the path we
962 static int follow_automount(struct path *path, unsigned flags,
965 struct vfsmount *mnt;
968 if (!path->dentry->d_op || !path->dentry->d_op->d_automount)
971 /* We don't want to mount if someone's just doing a stat -
972 * unless they're stat'ing a directory and appended a '/' to
975 * We do, however, want to mount if someone wants to open or
976 * create a file of any type under the mountpoint, wants to
977 * traverse through the mountpoint or wants to open the
978 * mounted directory. Also, autofs may mark negative dentries
979 * as being automount points. These will need the attentions
980 * of the daemon to instantiate them before they can be used.
982 if (!(flags & (LOOKUP_PARENT | LOOKUP_DIRECTORY |
983 LOOKUP_OPEN | LOOKUP_CREATE | LOOKUP_AUTOMOUNT)) &&
984 path->dentry->d_inode)
987 current->total_link_count++;
988 if (current->total_link_count >= 40)
991 mnt = path->dentry->d_op->d_automount(path);
994 * The filesystem is allowed to return -EISDIR here to indicate
995 * it doesn't want to automount. For instance, autofs would do
996 * this so that its userspace daemon can mount on this dentry.
998 * However, we can only permit this if it's a terminal point in
999 * the path being looked up; if it wasn't then the remainder of
1000 * the path is inaccessible and we should say so.
1002 if (PTR_ERR(mnt) == -EISDIR && (flags & LOOKUP_PARENT))
1004 return PTR_ERR(mnt);
1007 if (!mnt) /* mount collision */
1010 if (!*need_mntput) {
1011 /* lock_mount() may release path->mnt on error */
1013 *need_mntput = true;
1015 err = finish_automount(mnt, path);
1019 /* Someone else made a mount here whilst we were busy */
1024 path->dentry = dget(mnt->mnt_root);
1033 * Handle a dentry that is managed in some way.
1034 * - Flagged for transit management (autofs)
1035 * - Flagged as mountpoint
1036 * - Flagged as automount point
1038 * This may only be called in refwalk mode.
1040 * Serialization is taken care of in namespace.c
1042 static int follow_managed(struct path *path, unsigned flags)
1044 struct vfsmount *mnt = path->mnt; /* held by caller, must be left alone */
1046 bool need_mntput = false;
1049 /* Given that we're not holding a lock here, we retain the value in a
1050 * local variable for each dentry as we look at it so that we don't see
1051 * the components of that value change under us */
1052 while (managed = ACCESS_ONCE(path->dentry->d_flags),
1053 managed &= DCACHE_MANAGED_DENTRY,
1054 unlikely(managed != 0)) {
1055 /* Allow the filesystem to manage the transit without i_mutex
1057 if (managed & DCACHE_MANAGE_TRANSIT) {
1058 BUG_ON(!path->dentry->d_op);
1059 BUG_ON(!path->dentry->d_op->d_manage);
1060 ret = path->dentry->d_op->d_manage(path->dentry, false);
1065 /* Transit to a mounted filesystem. */
1066 if (managed & DCACHE_MOUNTED) {
1067 struct vfsmount *mounted = lookup_mnt(path);
1072 path->mnt = mounted;
1073 path->dentry = dget(mounted->mnt_root);
1078 /* Something is mounted on this dentry in another
1079 * namespace and/or whatever was mounted there in this
1080 * namespace got unmounted before lookup_mnt() could
1084 /* Handle an automount point */
1085 if (managed & DCACHE_NEED_AUTOMOUNT) {
1086 ret = follow_automount(path, flags, &need_mntput);
1092 /* We didn't change the current path point */
1096 if (need_mntput && path->mnt == mnt)
1100 return ret < 0 ? ret : need_mntput;
1103 int follow_down_one(struct path *path)
1105 struct vfsmount *mounted;
1107 mounted = lookup_mnt(path);
1111 path->mnt = mounted;
1112 path->dentry = dget(mounted->mnt_root);
1117 EXPORT_SYMBOL(follow_down_one);
1119 static inline int managed_dentry_rcu(struct dentry *dentry)
1121 return (dentry->d_flags & DCACHE_MANAGE_TRANSIT) ?
1122 dentry->d_op->d_manage(dentry, true) : 0;
1126 * Try to skip to top of mountpoint pile in rcuwalk mode. Fail if
1127 * we meet a managed dentry that would need blocking.
1129 static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
1130 struct inode **inode)
1133 struct mount *mounted;
1135 * Don't forget we might have a non-mountpoint managed dentry
1136 * that wants to block transit.
1138 switch (managed_dentry_rcu(path->dentry)) {
1148 if (!d_mountpoint(path->dentry))
1149 return !(path->dentry->d_flags & DCACHE_NEED_AUTOMOUNT);
1151 mounted = __lookup_mnt(path->mnt, path->dentry);
1154 path->mnt = &mounted->mnt;
1155 path->dentry = mounted->mnt.mnt_root;
1156 nd->flags |= LOOKUP_JUMPED;
1157 nd->seq = read_seqcount_begin(&path->dentry->d_seq);
1159 * Update the inode too. We don't need to re-check the
1160 * dentry sequence number here after this d_inode read,
1161 * because a mount-point is always pinned.
1163 *inode = path->dentry->d_inode;
1165 return !read_seqretry(&mount_lock, nd->m_seq) &&
1166 !(path->dentry->d_flags & DCACHE_NEED_AUTOMOUNT);
1169 static int follow_dotdot_rcu(struct nameidata *nd)
1171 struct inode *inode = nd->inode;
1176 if (nd->path.dentry == nd->root.dentry &&
1177 nd->path.mnt == nd->root.mnt) {
1180 if (nd->path.dentry != nd->path.mnt->mnt_root) {
1181 struct dentry *old = nd->path.dentry;
1182 struct dentry *parent = old->d_parent;
1185 inode = parent->d_inode;
1186 seq = read_seqcount_begin(&parent->d_seq);
1187 if (read_seqcount_retry(&old->d_seq, nd->seq))
1189 nd->path.dentry = parent;
1193 if (!follow_up_rcu(&nd->path))
1195 inode = nd->path.dentry->d_inode;
1196 nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq);
1198 while (d_mountpoint(nd->path.dentry)) {
1199 struct mount *mounted;
1200 mounted = __lookup_mnt(nd->path.mnt, nd->path.dentry);
1203 nd->path.mnt = &mounted->mnt;
1204 nd->path.dentry = mounted->mnt.mnt_root;
1205 inode = nd->path.dentry->d_inode;
1206 nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq);
1207 if (read_seqretry(&mount_lock, nd->m_seq))
1214 nd->flags &= ~LOOKUP_RCU;
1215 if (!(nd->flags & LOOKUP_ROOT))
1216 nd->root.mnt = NULL;
1222 * Follow down to the covering mount currently visible to userspace. At each
1223 * point, the filesystem owning that dentry may be queried as to whether the
1224 * caller is permitted to proceed or not.
1226 int follow_down(struct path *path)
1231 while (managed = ACCESS_ONCE(path->dentry->d_flags),
1232 unlikely(managed & DCACHE_MANAGED_DENTRY)) {
1233 /* Allow the filesystem to manage the transit without i_mutex
1236 * We indicate to the filesystem if someone is trying to mount
1237 * something here. This gives autofs the chance to deny anyone
1238 * other than its daemon the right to mount on its
1241 * The filesystem may sleep at this point.
1243 if (managed & DCACHE_MANAGE_TRANSIT) {
1244 BUG_ON(!path->dentry->d_op);
1245 BUG_ON(!path->dentry->d_op->d_manage);
1246 ret = path->dentry->d_op->d_manage(
1247 path->dentry, false);
1249 return ret == -EISDIR ? 0 : ret;
1252 /* Transit to a mounted filesystem. */
1253 if (managed & DCACHE_MOUNTED) {
1254 struct vfsmount *mounted = lookup_mnt(path);
1259 path->mnt = mounted;
1260 path->dentry = dget(mounted->mnt_root);
1264 /* Don't handle automount points here */
1269 EXPORT_SYMBOL(follow_down);
1272 * Skip to top of mountpoint pile in refwalk mode for follow_dotdot()
1274 static void follow_mount(struct path *path)
1276 while (d_mountpoint(path->dentry)) {
1277 struct vfsmount *mounted = lookup_mnt(path);
1282 path->mnt = mounted;
1283 path->dentry = dget(mounted->mnt_root);
1287 static void follow_dotdot(struct nameidata *nd)
1293 struct dentry *old = nd->path.dentry;
1295 if (nd->path.dentry == nd->root.dentry &&
1296 nd->path.mnt == nd->root.mnt) {
1299 if (nd->path.dentry != nd->path.mnt->mnt_root) {
1300 /* rare case of legitimate dget_parent()... */
1301 nd->path.dentry = dget_parent(nd->path.dentry);
1305 if (!follow_up(&nd->path))
1308 follow_mount(&nd->path);
1309 nd->inode = nd->path.dentry->d_inode;
1313 * This looks up the name in dcache, possibly revalidates the old dentry and
1314 * allocates a new one if not found or not valid. In the need_lookup argument
1315 * returns whether i_op->lookup is necessary.
1317 * dir->d_inode->i_mutex must be held
1319 static struct dentry *lookup_dcache(struct qstr *name, struct dentry *dir,
1320 unsigned int flags, bool *need_lookup)
1322 struct dentry *dentry;
1325 *need_lookup = false;
1326 dentry = d_lookup(dir, name);
1328 if (dentry->d_flags & DCACHE_OP_REVALIDATE) {
1329 error = d_revalidate(dentry, flags);
1330 if (unlikely(error <= 0)) {
1333 return ERR_PTR(error);
1335 d_invalidate(dentry);
1344 dentry = d_alloc(dir, name);
1345 if (unlikely(!dentry))
1346 return ERR_PTR(-ENOMEM);
1348 *need_lookup = true;
1354 * Call i_op->lookup on the dentry. The dentry must be negative and
1357 * dir->d_inode->i_mutex must be held
1359 static struct dentry *lookup_real(struct inode *dir, struct dentry *dentry,
1364 /* Don't create child dentry for a dead directory. */
1365 if (unlikely(IS_DEADDIR(dir))) {
1367 return ERR_PTR(-ENOENT);
1370 old = dir->i_op->lookup(dir, dentry, flags);
1371 if (unlikely(old)) {
1378 static struct dentry *__lookup_hash(struct qstr *name,
1379 struct dentry *base, unsigned int flags)
1382 struct dentry *dentry;
1384 dentry = lookup_dcache(name, base, flags, &need_lookup);
1388 return lookup_real(base->d_inode, dentry, flags);
1392 * It's more convoluted than I'd like it to be, but... it's still fairly
1393 * small and for now I'd prefer to have fast path as straight as possible.
1394 * It _is_ time-critical.
1396 static int lookup_fast(struct nameidata *nd,
1397 struct path *path, struct inode **inode)
1399 struct vfsmount *mnt = nd->path.mnt;
1400 struct dentry *dentry, *parent = nd->path.dentry;
1406 * Rename seqlock is not required here because in the off chance
1407 * of a false negative due to a concurrent rename, we're going to
1408 * do the non-racy lookup, below.
1410 if (nd->flags & LOOKUP_RCU) {
1412 dentry = __d_lookup_rcu(parent, &nd->last, &seq);
1417 * This sequence count validates that the inode matches
1418 * the dentry name information from lookup.
1420 *inode = dentry->d_inode;
1421 if (read_seqcount_retry(&dentry->d_seq, seq))
1425 * This sequence count validates that the parent had no
1426 * changes while we did the lookup of the dentry above.
1428 * The memory barrier in read_seqcount_begin of child is
1429 * enough, we can use __read_seqcount_retry here.
1431 if (__read_seqcount_retry(&parent->d_seq, nd->seq))
1435 if (unlikely(dentry->d_flags & DCACHE_OP_REVALIDATE)) {
1436 status = d_revalidate(dentry, nd->flags);
1437 if (unlikely(status <= 0)) {
1438 if (status != -ECHILD)
1444 path->dentry = dentry;
1445 if (likely(__follow_mount_rcu(nd, path, inode)))
1448 if (unlazy_walk(nd, dentry))
1451 dentry = __d_lookup(parent, &nd->last);
1454 if (unlikely(!dentry))
1457 if (unlikely(dentry->d_flags & DCACHE_OP_REVALIDATE) && need_reval)
1458 status = d_revalidate(dentry, nd->flags);
1459 if (unlikely(status <= 0)) {
1464 d_invalidate(dentry);
1470 path->dentry = dentry;
1471 err = follow_managed(path, nd->flags);
1472 if (unlikely(err < 0)) {
1473 path_put_conditional(path, nd);
1477 nd->flags |= LOOKUP_JUMPED;
1478 *inode = path->dentry->d_inode;
1485 /* Fast lookup failed, do it the slow way */
1486 static int lookup_slow(struct nameidata *nd, struct path *path)
1488 struct dentry *dentry, *parent;
1491 parent = nd->path.dentry;
1492 BUG_ON(nd->inode != parent->d_inode);
1494 mutex_lock(&parent->d_inode->i_mutex);
1495 dentry = __lookup_hash(&nd->last, parent, nd->flags);
1496 mutex_unlock(&parent->d_inode->i_mutex);
1498 return PTR_ERR(dentry);
1499 path->mnt = nd->path.mnt;
1500 path->dentry = dentry;
1501 err = follow_managed(path, nd->flags);
1502 if (unlikely(err < 0)) {
1503 path_put_conditional(path, nd);
1507 nd->flags |= LOOKUP_JUMPED;
1511 static inline int may_lookup(struct nameidata *nd)
1513 if (nd->flags & LOOKUP_RCU) {
1514 int err = inode_permission(nd->inode, MAY_EXEC|MAY_NOT_BLOCK);
1517 if (unlazy_walk(nd, NULL))
1520 return inode_permission(nd->inode, MAY_EXEC);
1523 static inline int handle_dots(struct nameidata *nd, int type)
1525 if (type == LAST_DOTDOT) {
1526 if (nd->flags & LOOKUP_RCU) {
1527 if (follow_dotdot_rcu(nd))
1535 static void terminate_walk(struct nameidata *nd)
1537 if (!(nd->flags & LOOKUP_RCU)) {
1538 path_put(&nd->path);
1540 nd->flags &= ~LOOKUP_RCU;
1541 if (!(nd->flags & LOOKUP_ROOT))
1542 nd->root.mnt = NULL;
1548 * Do we need to follow links? We _really_ want to be able
1549 * to do this check without having to look at inode->i_op,
1550 * so we keep a cache of "no, this doesn't need follow_link"
1551 * for the common case.
1553 static inline int should_follow_link(struct dentry *dentry, int follow)
1555 return unlikely(d_is_symlink(dentry)) ? follow : 0;
1558 static inline int walk_component(struct nameidata *nd, struct path *path,
1561 struct inode *inode;
1564 * "." and ".." are special - ".." especially so because it has
1565 * to be able to know about the current root directory and
1566 * parent relationships.
1568 if (unlikely(nd->last_type != LAST_NORM))
1569 return handle_dots(nd, nd->last_type);
1570 err = lookup_fast(nd, path, &inode);
1571 if (unlikely(err)) {
1575 err = lookup_slow(nd, path);
1579 inode = path->dentry->d_inode;
1582 if (!inode || d_is_negative(path->dentry))
1585 if (should_follow_link(path->dentry, follow)) {
1586 if (nd->flags & LOOKUP_RCU) {
1587 if (unlikely(unlazy_walk(nd, path->dentry))) {
1592 BUG_ON(inode != path->dentry->d_inode);
1595 path_to_nameidata(path, nd);
1600 path_to_nameidata(path, nd);
1607 * This limits recursive symlink follows to 8, while
1608 * limiting consecutive symlinks to 40.
1610 * Without that kind of total limit, nasty chains of consecutive
1611 * symlinks can cause almost arbitrarily long lookups.
1613 static inline int nested_symlink(struct path *path, struct nameidata *nd)
1617 if (unlikely(current->link_count >= MAX_NESTED_LINKS)) {
1618 path_put_conditional(path, nd);
1619 path_put(&nd->path);
1622 BUG_ON(nd->depth >= MAX_NESTED_LINKS);
1625 current->link_count++;
1628 struct path link = *path;
1631 res = follow_link(&link, nd, &cookie);
1634 res = walk_component(nd, path, LOOKUP_FOLLOW);
1635 put_link(nd, &link, cookie);
1638 current->link_count--;
1644 * We can do the critical dentry name comparison and hashing
1645 * operations one word at a time, but we are limited to:
1647 * - Architectures with fast unaligned word accesses. We could
1648 * do a "get_unaligned()" if this helps and is sufficiently
1651 * - non-CONFIG_DEBUG_PAGEALLOC configurations (so that we
1652 * do not trap on the (extremely unlikely) case of a page
1653 * crossing operation.
1655 * - Furthermore, we need an efficient 64-bit compile for the
1656 * 64-bit case in order to generate the "number of bytes in
1657 * the final mask". Again, that could be replaced with a
1658 * efficient population count instruction or similar.
1660 #ifdef CONFIG_DCACHE_WORD_ACCESS
1662 #include <asm/word-at-a-time.h>
1666 static inline unsigned int fold_hash(unsigned long hash)
1668 return hash_64(hash, 32);
1671 #else /* 32-bit case */
1673 #define fold_hash(x) (x)
1677 unsigned int full_name_hash(const unsigned char *name, unsigned int len)
1679 unsigned long a, mask;
1680 unsigned long hash = 0;
1683 a = load_unaligned_zeropad(name);
1684 if (len < sizeof(unsigned long))
1688 name += sizeof(unsigned long);
1689 len -= sizeof(unsigned long);
1693 mask = bytemask_from_count(len);
1696 return fold_hash(hash);
1698 EXPORT_SYMBOL(full_name_hash);
1701 * Calculate the length and hash of the path component, and
1702 * return the "hash_len" as the result.
1704 static inline u64 hash_name(const char *name)
1706 unsigned long a, b, adata, bdata, mask, hash, len;
1707 const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
1710 len = -sizeof(unsigned long);
1712 hash = (hash + a) * 9;
1713 len += sizeof(unsigned long);
1714 a = load_unaligned_zeropad(name+len);
1715 b = a ^ REPEAT_BYTE('/');
1716 } while (!(has_zero(a, &adata, &constants) | has_zero(b, &bdata, &constants)));
1718 adata = prep_zero_mask(a, adata, &constants);
1719 bdata = prep_zero_mask(b, bdata, &constants);
1721 mask = create_zero_mask(adata | bdata);
1723 hash += a & zero_bytemask(mask);
1724 len += find_zero(mask);
1725 return hashlen_create(fold_hash(hash), len);
1730 unsigned int full_name_hash(const unsigned char *name, unsigned int len)
1732 unsigned long hash = init_name_hash();
1734 hash = partial_name_hash(*name++, hash);
1735 return end_name_hash(hash);
1737 EXPORT_SYMBOL(full_name_hash);
1740 * We know there's a real path component here of at least
1743 static inline u64 hash_name(const char *name)
1745 unsigned long hash = init_name_hash();
1746 unsigned long len = 0, c;
1748 c = (unsigned char)*name;
1751 hash = partial_name_hash(c, hash);
1752 c = (unsigned char)name[len];
1753 } while (c && c != '/');
1754 return hashlen_create(end_name_hash(hash), len);
1761 * This is the basic name resolution function, turning a pathname into
1762 * the final dentry. We expect 'base' to be positive and a directory.
1764 * Returns 0 and nd will have valid dentry and mnt on success.
1765 * Returns error and drops reference to input namei data on failure.
1767 static int link_path_walk(const char *name, struct nameidata *nd)
1777 /* At this point we know we have a real path component. */
1782 err = may_lookup(nd);
1786 hash_len = hash_name(name);
1789 if (name[0] == '.') switch (hashlen_len(hash_len)) {
1791 if (name[1] == '.') {
1793 nd->flags |= LOOKUP_JUMPED;
1799 if (likely(type == LAST_NORM)) {
1800 struct dentry *parent = nd->path.dentry;
1801 nd->flags &= ~LOOKUP_JUMPED;
1802 if (unlikely(parent->d_flags & DCACHE_OP_HASH)) {
1803 struct qstr this = { { .hash_len = hash_len }, .name = name };
1804 err = parent->d_op->d_hash(parent, &this);
1807 hash_len = this.hash_len;
1812 nd->last.hash_len = hash_len;
1813 nd->last.name = name;
1814 nd->last_type = type;
1816 name += hashlen_len(hash_len);
1820 * If it wasn't NUL, we know it was '/'. Skip that
1821 * slash, and continue until no more slashes.
1825 } while (unlikely(*name == '/'));
1829 err = walk_component(nd, &next, LOOKUP_FOLLOW);
1834 err = nested_symlink(&next, nd);
1838 if (!d_can_lookup(nd->path.dentry)) {
1847 static int path_init(int dfd, const struct filename *name, unsigned int flags,
1848 struct nameidata *nd)
1851 const char *s = name->name;
1853 nd->last_type = LAST_ROOT; /* if there are only slashes... */
1854 nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;
1857 if (flags & LOOKUP_ROOT) {
1858 struct dentry *root = nd->root.dentry;
1859 struct inode *inode = root->d_inode;
1861 if (!d_can_lookup(root))
1863 retval = inode_permission(inode, MAY_EXEC);
1867 nd->path = nd->root;
1869 if (flags & LOOKUP_RCU) {
1871 nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
1872 nd->m_seq = read_seqbegin(&mount_lock);
1874 path_get(&nd->path);
1879 nd->root.mnt = NULL;
1881 nd->m_seq = read_seqbegin(&mount_lock);
1883 if (flags & LOOKUP_RCU) {
1885 nd->seq = set_root_rcu(nd);
1888 path_get(&nd->root);
1890 nd->path = nd->root;
1891 } else if (dfd == AT_FDCWD) {
1892 if (flags & LOOKUP_RCU) {
1893 struct fs_struct *fs = current->fs;
1899 seq = read_seqcount_begin(&fs->seq);
1901 nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
1902 } while (read_seqcount_retry(&fs->seq, seq));
1904 get_fs_pwd(current->fs, &nd->path);
1907 /* Caller must check execute permissions on the starting path component */
1908 struct fd f = fdget_raw(dfd);
1909 struct dentry *dentry;
1914 dentry = f.file->f_path.dentry;
1917 if (!d_can_lookup(dentry)) {
1923 nd->path = f.file->f_path;
1924 if (flags & LOOKUP_RCU) {
1925 if (f.flags & FDPUT_FPUT)
1927 nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
1930 path_get(&nd->path);
1935 nd->inode = nd->path.dentry->d_inode;
1936 if (!(flags & LOOKUP_RCU))
1938 if (likely(!read_seqcount_retry(&nd->path.dentry->d_seq, nd->seq)))
1940 if (!(nd->flags & LOOKUP_ROOT))
1941 nd->root.mnt = NULL;
1945 current->total_link_count = 0;
1946 return link_path_walk(s, nd);
1949 static void path_cleanup(struct nameidata *nd)
1951 if (nd->root.mnt && !(nd->flags & LOOKUP_ROOT)) {
1952 path_put(&nd->root);
1953 nd->root.mnt = NULL;
1955 if (unlikely(nd->base))
1959 static inline int lookup_last(struct nameidata *nd, struct path *path)
1961 if (nd->last_type == LAST_NORM && nd->last.name[nd->last.len])
1962 nd->flags |= LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
1964 nd->flags &= ~LOOKUP_PARENT;
1965 return walk_component(nd, path, nd->flags & LOOKUP_FOLLOW);
1968 /* Returns 0 and nd will be valid on success; Retuns error, otherwise. */
1969 static int path_lookupat(int dfd, const struct filename *name,
1970 unsigned int flags, struct nameidata *nd)
1976 * Path walking is largely split up into 2 different synchronisation
1977 * schemes, rcu-walk and ref-walk (explained in
1978 * Documentation/filesystems/path-lookup.txt). These share much of the
1979 * path walk code, but some things particularly setup, cleanup, and
1980 * following mounts are sufficiently divergent that functions are
1981 * duplicated. Typically there is a function foo(), and its RCU
1982 * analogue, foo_rcu().
1984 * -ECHILD is the error number of choice (just to avoid clashes) that
1985 * is returned if some aspect of an rcu-walk fails. Such an error must
1986 * be handled by restarting a traditional ref-walk (which will always
1987 * be able to complete).
1989 err = path_init(dfd, name, flags, nd);
1990 if (!err && !(flags & LOOKUP_PARENT)) {
1991 err = lookup_last(nd, &path);
1994 struct path link = path;
1995 err = may_follow_link(&link, nd);
1998 nd->flags |= LOOKUP_PARENT;
1999 err = follow_link(&link, nd, &cookie);
2002 err = lookup_last(nd, &path);
2003 put_link(nd, &link, cookie);
2008 err = complete_walk(nd);
2010 if (!err && nd->flags & LOOKUP_DIRECTORY) {
2011 if (!d_can_lookup(nd->path.dentry)) {
2012 path_put(&nd->path);
2021 static int filename_lookup(int dfd, struct filename *name,
2022 unsigned int flags, struct nameidata *nd)
2024 int retval = path_lookupat(dfd, name, flags | LOOKUP_RCU, nd);
2025 if (unlikely(retval == -ECHILD))
2026 retval = path_lookupat(dfd, name, flags, nd);
2027 if (unlikely(retval == -ESTALE))
2028 retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
2030 if (likely(!retval))
2031 audit_inode(name, nd->path.dentry, flags & LOOKUP_PARENT);
2035 /* does lookup, returns the object with parent locked */
2036 struct dentry *kern_path_locked(const char *name, struct path *path)
2038 struct filename *filename = getname_kernel(name);
2039 struct nameidata nd;
2043 if (IS_ERR(filename))
2044 return ERR_CAST(filename);
2046 err = filename_lookup(AT_FDCWD, filename, LOOKUP_PARENT, &nd);
2051 if (nd.last_type != LAST_NORM) {
2053 d = ERR_PTR(-EINVAL);
2056 mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
2057 d = __lookup_hash(&nd.last, nd.path.dentry, 0);
2059 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
2069 int kern_path(const char *name, unsigned int flags, struct path *path)
2071 struct nameidata nd;
2072 struct filename *filename = getname_kernel(name);
2073 int res = PTR_ERR(filename);
2075 if (!IS_ERR(filename)) {
2076 res = filename_lookup(AT_FDCWD, filename, flags, &nd);
2083 EXPORT_SYMBOL(kern_path);
2086 * vfs_path_lookup - lookup a file path relative to a dentry-vfsmount pair
2087 * @dentry: pointer to dentry of the base directory
2088 * @mnt: pointer to vfs mount of the base directory
2089 * @name: pointer to file name
2090 * @flags: lookup flags
2091 * @path: pointer to struct path to fill
2093 int vfs_path_lookup(struct dentry *dentry, struct vfsmount *mnt,
2094 const char *name, unsigned int flags,
2097 struct filename *filename = getname_kernel(name);
2098 int err = PTR_ERR(filename);
2100 BUG_ON(flags & LOOKUP_PARENT);
2102 /* the first argument of filename_lookup() is ignored with LOOKUP_ROOT */
2103 if (!IS_ERR(filename)) {
2104 struct nameidata nd;
2105 nd.root.dentry = dentry;
2107 err = filename_lookup(AT_FDCWD, filename,
2108 flags | LOOKUP_ROOT, &nd);
2115 EXPORT_SYMBOL(vfs_path_lookup);
2118 * Restricted form of lookup. Doesn't follow links, single-component only,
2119 * needs parent already locked. Doesn't follow mounts.
2122 static struct dentry *lookup_hash(struct nameidata *nd)
2124 return __lookup_hash(&nd->last, nd->path.dentry, nd->flags);
2128 * lookup_one_len - filesystem helper to lookup single pathname component
2129 * @name: pathname component to lookup
2130 * @base: base directory to lookup from
2131 * @len: maximum length @len should be interpreted to
2133 * Note that this routine is purely a helper for filesystem usage and should
2134 * not be called by generic code.
2136 struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
2142 WARN_ON_ONCE(!mutex_is_locked(&base->d_inode->i_mutex));
2146 this.hash = full_name_hash(name, len);
2148 return ERR_PTR(-EACCES);
2150 if (unlikely(name[0] == '.')) {
2151 if (len < 2 || (len == 2 && name[1] == '.'))
2152 return ERR_PTR(-EACCES);
2156 c = *(const unsigned char *)name++;
2157 if (c == '/' || c == '\0')
2158 return ERR_PTR(-EACCES);
2161 * See if the low-level filesystem might want
2162 * to use its own hash..
2164 if (base->d_flags & DCACHE_OP_HASH) {
2165 int err = base->d_op->d_hash(base, &this);
2167 return ERR_PTR(err);
2170 err = inode_permission(base->d_inode, MAY_EXEC);
2172 return ERR_PTR(err);
2174 return __lookup_hash(&this, base, 0);
2176 EXPORT_SYMBOL(lookup_one_len);
2178 int user_path_at_empty(int dfd, const char __user *name, unsigned flags,
2179 struct path *path, int *empty)
2181 struct nameidata nd;
2182 struct filename *tmp = getname_flags(name, flags, empty);
2183 int err = PTR_ERR(tmp);
2186 BUG_ON(flags & LOOKUP_PARENT);
2188 err = filename_lookup(dfd, tmp, flags, &nd);
2196 int user_path_at(int dfd, const char __user *name, unsigned flags,
2199 return user_path_at_empty(dfd, name, flags, path, NULL);
2201 EXPORT_SYMBOL(user_path_at);
2204 * NB: most callers don't do anything directly with the reference to the
2205 * to struct filename, but the nd->last pointer points into the name string
2206 * allocated by getname. So we must hold the reference to it until all
2207 * path-walking is complete.
2209 static struct filename *
2210 user_path_parent(int dfd, const char __user *path, struct nameidata *nd,
2213 struct filename *s = getname(path);
2216 /* only LOOKUP_REVAL is allowed in extra flags */
2217 flags &= LOOKUP_REVAL;
2222 error = filename_lookup(dfd, s, flags | LOOKUP_PARENT, nd);
2225 return ERR_PTR(error);
2232 * mountpoint_last - look up last component for umount
2233 * @nd: pathwalk nameidata - currently pointing at parent directory of "last"
2234 * @path: pointer to container for result
2236 * This is a special lookup_last function just for umount. In this case, we
2237 * need to resolve the path without doing any revalidation.
2239 * The nameidata should be the result of doing a LOOKUP_PARENT pathwalk. Since
2240 * mountpoints are always pinned in the dcache, their ancestors are too. Thus,
2241 * in almost all cases, this lookup will be served out of the dcache. The only
2242 * cases where it won't are if nd->last refers to a symlink or the path is
2243 * bogus and it doesn't exist.
2246 * -error: if there was an error during lookup. This includes -ENOENT if the
2247 * lookup found a negative dentry. The nd->path reference will also be
2250 * 0: if we successfully resolved nd->path and found it to not to be a
2251 * symlink that needs to be followed. "path" will also be populated.
2252 * The nd->path reference will also be put.
2254 * 1: if we successfully resolved nd->last and found it to be a symlink
2255 * that needs to be followed. "path" will be populated with the path
2256 * to the link, and nd->path will *not* be put.
2259 mountpoint_last(struct nameidata *nd, struct path *path)
2262 struct dentry *dentry;
2263 struct dentry *dir = nd->path.dentry;
2265 /* If we're in rcuwalk, drop out of it to handle last component */
2266 if (nd->flags & LOOKUP_RCU) {
2267 if (unlazy_walk(nd, NULL)) {
2273 nd->flags &= ~LOOKUP_PARENT;
2275 if (unlikely(nd->last_type != LAST_NORM)) {
2276 error = handle_dots(nd, nd->last_type);
2279 dentry = dget(nd->path.dentry);
2283 mutex_lock(&dir->d_inode->i_mutex);
2284 dentry = d_lookup(dir, &nd->last);
2287 * No cached dentry. Mounted dentries are pinned in the cache,
2288 * so that means that this dentry is probably a symlink or the
2289 * path doesn't actually point to a mounted dentry.
2291 dentry = d_alloc(dir, &nd->last);
2294 mutex_unlock(&dir->d_inode->i_mutex);
2297 dentry = lookup_real(dir->d_inode, dentry, nd->flags);
2298 error = PTR_ERR(dentry);
2299 if (IS_ERR(dentry)) {
2300 mutex_unlock(&dir->d_inode->i_mutex);
2304 mutex_unlock(&dir->d_inode->i_mutex);
2307 if (!dentry->d_inode || d_is_negative(dentry)) {
2312 path->dentry = dentry;
2313 path->mnt = nd->path.mnt;
2314 if (should_follow_link(dentry, nd->flags & LOOKUP_FOLLOW))
2325 * path_mountpoint - look up a path to be umounted
2326 * @dfd: directory file descriptor to start walk from
2327 * @name: full pathname to walk
2328 * @path: pointer to container for result
2329 * @flags: lookup flags
2331 * Look up the given name, but don't attempt to revalidate the last component.
2332 * Returns 0 and "path" will be valid on success; Returns error otherwise.
2335 path_mountpoint(int dfd, const struct filename *name, struct path *path,
2338 struct nameidata nd;
2341 err = path_init(dfd, name, flags, &nd);
2345 err = mountpoint_last(&nd, path);
2348 struct path link = *path;
2349 err = may_follow_link(&link, &nd);
2352 nd.flags |= LOOKUP_PARENT;
2353 err = follow_link(&link, &nd, &cookie);
2356 err = mountpoint_last(&nd, path);
2357 put_link(&nd, &link, cookie);
2365 filename_mountpoint(int dfd, struct filename *name, struct path *path,
2370 return PTR_ERR(name);
2371 error = path_mountpoint(dfd, name, path, flags | LOOKUP_RCU);
2372 if (unlikely(error == -ECHILD))
2373 error = path_mountpoint(dfd, name, path, flags);
2374 if (unlikely(error == -ESTALE))
2375 error = path_mountpoint(dfd, name, path, flags | LOOKUP_REVAL);
2377 audit_inode(name, path->dentry, 0);
2383 * user_path_mountpoint_at - lookup a path from userland in order to umount it
2384 * @dfd: directory file descriptor
2385 * @name: pathname from userland
2386 * @flags: lookup flags
2387 * @path: pointer to container to hold result
2389 * A umount is a special case for path walking. We're not actually interested
2390 * in the inode in this situation, and ESTALE errors can be a problem. We
2391 * simply want track down the dentry and vfsmount attached at the mountpoint
2392 * and avoid revalidating the last component.
2394 * Returns 0 and populates "path" on success.
2397 user_path_mountpoint_at(int dfd, const char __user *name, unsigned int flags,
2400 return filename_mountpoint(dfd, getname(name), path, flags);
2404 kern_path_mountpoint(int dfd, const char *name, struct path *path,
2407 return filename_mountpoint(dfd, getname_kernel(name), path, flags);
2409 EXPORT_SYMBOL(kern_path_mountpoint);
2411 int __check_sticky(struct inode *dir, struct inode *inode)
2413 kuid_t fsuid = current_fsuid();
2415 if (uid_eq(inode->i_uid, fsuid))
2417 if (uid_eq(dir->i_uid, fsuid))
2419 return !capable_wrt_inode_uidgid(inode, CAP_FOWNER);
2421 EXPORT_SYMBOL(__check_sticky);
2424 * Check whether we can remove a link victim from directory dir, check
2425 * whether the type of victim is right.
2426 * 1. We can't do it if dir is read-only (done in permission())
2427 * 2. We should have write and exec permissions on dir
2428 * 3. We can't remove anything from append-only dir
2429 * 4. We can't do anything with immutable dir (done in permission())
2430 * 5. If the sticky bit on dir is set we should either
2431 * a. be owner of dir, or
2432 * b. be owner of victim, or
2433 * c. have CAP_FOWNER capability
2434 * 6. If the victim is append-only or immutable we can't do antyhing with
2435 * links pointing to it.
2436 * 7. If we were asked to remove a directory and victim isn't one - ENOTDIR.
2437 * 8. If we were asked to remove a non-directory and victim isn't one - EISDIR.
2438 * 9. We can't remove a root or mountpoint.
2439 * 10. We don't allow removal of NFS sillyrenamed files; it's handled by
2440 * nfs_async_unlink().
2442 static int may_delete(struct inode *dir, struct dentry *victim, bool isdir)
2444 struct inode *inode = victim->d_inode;
2447 if (d_is_negative(victim))
2451 BUG_ON(victim->d_parent->d_inode != dir);
2452 audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE);
2454 error = inode_permission(dir, MAY_WRITE | MAY_EXEC);
2460 if (check_sticky(dir, inode) || IS_APPEND(inode) ||
2461 IS_IMMUTABLE(inode) || IS_SWAPFILE(inode))
2464 if (!d_is_dir(victim))
2466 if (IS_ROOT(victim))
2468 } else if (d_is_dir(victim))
2470 if (IS_DEADDIR(dir))
2472 if (victim->d_flags & DCACHE_NFSFS_RENAMED)
2477 /* Check whether we can create an object with dentry child in directory
2479 * 1. We can't do it if child already exists (open has special treatment for
2480 * this case, but since we are inlined it's OK)
2481 * 2. We can't do it if dir is read-only (done in permission())
2482 * 3. We should have write and exec permissions on dir
2483 * 4. We can't do it if dir is immutable (done in permission())
2485 static inline int may_create(struct inode *dir, struct dentry *child)
2487 audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE);
2490 if (IS_DEADDIR(dir))
2492 return inode_permission(dir, MAY_WRITE | MAY_EXEC);
2496 * p1 and p2 should be directories on the same fs.
2498 struct dentry *lock_rename(struct dentry *p1, struct dentry *p2)
2503 mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_PARENT);
2507 mutex_lock(&p1->d_inode->i_sb->s_vfs_rename_mutex);
2509 p = d_ancestor(p2, p1);
2511 mutex_lock_nested(&p2->d_inode->i_mutex, I_MUTEX_PARENT);
2512 mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_CHILD);
2516 p = d_ancestor(p1, p2);
2518 mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_PARENT);
2519 mutex_lock_nested(&p2->d_inode->i_mutex, I_MUTEX_CHILD);
2523 mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_PARENT);
2524 mutex_lock_nested(&p2->d_inode->i_mutex, I_MUTEX_PARENT2);
2527 EXPORT_SYMBOL(lock_rename);
2529 void unlock_rename(struct dentry *p1, struct dentry *p2)
2531 mutex_unlock(&p1->d_inode->i_mutex);
2533 mutex_unlock(&p2->d_inode->i_mutex);
2534 mutex_unlock(&p1->d_inode->i_sb->s_vfs_rename_mutex);
2537 EXPORT_SYMBOL(unlock_rename);
2539 int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode,
2542 int error = may_create(dir, dentry);
2546 if (!dir->i_op->create)
2547 return -EACCES; /* shouldn't it be ENOSYS? */
2550 error = security_inode_create(dir, dentry, mode);
2553 error = dir->i_op->create(dir, dentry, mode, want_excl);
2555 fsnotify_create(dir, dentry);
2558 EXPORT_SYMBOL(vfs_create);
2560 static int may_open(struct path *path, int acc_mode, int flag)
2562 struct dentry *dentry = path->dentry;
2563 struct inode *inode = dentry->d_inode;
2573 switch (inode->i_mode & S_IFMT) {
2577 if (acc_mode & MAY_WRITE)
2582 if (path->mnt->mnt_flags & MNT_NODEV)
2591 error = inode_permission(inode, acc_mode);
2596 * An append-only file must be opened in append mode for writing.
2598 if (IS_APPEND(inode)) {
2599 if ((flag & O_ACCMODE) != O_RDONLY && !(flag & O_APPEND))
2605 /* O_NOATIME can only be set by the owner or superuser */
2606 if (flag & O_NOATIME && !inode_owner_or_capable(inode))
2612 static int handle_truncate(struct file *filp)
2614 struct path *path = &filp->f_path;
2615 struct inode *inode = path->dentry->d_inode;
2616 int error = get_write_access(inode);
2620 * Refuse to truncate files with mandatory locks held on them.
2622 error = locks_verify_locked(filp);
2624 error = security_path_truncate(path);
2626 error = do_truncate(path->dentry, 0,
2627 ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,
2630 put_write_access(inode);
2634 static inline int open_to_namei_flags(int flag)
2636 if ((flag & O_ACCMODE) == 3)
2641 static int may_o_create(struct path *dir, struct dentry *dentry, umode_t mode)
2643 int error = security_path_mknod(dir, dentry, mode, 0);
2647 error = inode_permission(dir->dentry->d_inode, MAY_WRITE | MAY_EXEC);
2651 return security_inode_create(dir->dentry->d_inode, dentry, mode);
2655 * Attempt to atomically look up, create and open a file from a negative
2658 * Returns 0 if successful. The file will have been created and attached to
2659 * @file by the filesystem calling finish_open().
2661 * Returns 1 if the file was looked up only or didn't need creating. The
2662 * caller will need to perform the open themselves. @path will have been
2663 * updated to point to the new dentry. This may be negative.
2665 * Returns an error code otherwise.
2667 static int atomic_open(struct nameidata *nd, struct dentry *dentry,
2668 struct path *path, struct file *file,
2669 const struct open_flags *op,
2670 bool got_write, bool need_lookup,
2673 struct inode *dir = nd->path.dentry->d_inode;
2674 unsigned open_flag = open_to_namei_flags(op->open_flag);
2678 int create_error = 0;
2679 struct dentry *const DENTRY_NOT_SET = (void *) -1UL;
2682 BUG_ON(dentry->d_inode);
2684 /* Don't create child dentry for a dead directory. */
2685 if (unlikely(IS_DEADDIR(dir))) {
2691 if ((open_flag & O_CREAT) && !IS_POSIXACL(dir))
2692 mode &= ~current_umask();
2694 excl = (open_flag & (O_EXCL | O_CREAT)) == (O_EXCL | O_CREAT);
2696 open_flag &= ~O_TRUNC;
2699 * Checking write permission is tricky, bacuse we don't know if we are
2700 * going to actually need it: O_CREAT opens should work as long as the
2701 * file exists. But checking existence breaks atomicity. The trick is
2702 * to check access and if not granted clear O_CREAT from the flags.
2704 * Another problem is returing the "right" error value (e.g. for an
2705 * O_EXCL open we want to return EEXIST not EROFS).
2707 if (((open_flag & (O_CREAT | O_TRUNC)) ||
2708 (open_flag & O_ACCMODE) != O_RDONLY) && unlikely(!got_write)) {
2709 if (!(open_flag & O_CREAT)) {
2711 * No O_CREATE -> atomicity not a requirement -> fall
2712 * back to lookup + open
2715 } else if (open_flag & (O_EXCL | O_TRUNC)) {
2716 /* Fall back and fail with the right error */
2717 create_error = -EROFS;
2720 /* No side effects, safe to clear O_CREAT */
2721 create_error = -EROFS;
2722 open_flag &= ~O_CREAT;
2726 if (open_flag & O_CREAT) {
2727 error = may_o_create(&nd->path, dentry, mode);
2729 create_error = error;
2730 if (open_flag & O_EXCL)
2732 open_flag &= ~O_CREAT;
2736 if (nd->flags & LOOKUP_DIRECTORY)
2737 open_flag |= O_DIRECTORY;
2739 file->f_path.dentry = DENTRY_NOT_SET;
2740 file->f_path.mnt = nd->path.mnt;
2741 error = dir->i_op->atomic_open(dir, dentry, file, open_flag, mode,
2744 if (create_error && error == -ENOENT)
2745 error = create_error;
2749 if (error) { /* returned 1, that is */
2750 if (WARN_ON(file->f_path.dentry == DENTRY_NOT_SET)) {
2754 if (file->f_path.dentry) {
2756 dentry = file->f_path.dentry;
2758 if (*opened & FILE_CREATED)
2759 fsnotify_create(dir, dentry);
2760 if (!dentry->d_inode) {
2761 WARN_ON(*opened & FILE_CREATED);
2763 error = create_error;
2767 if (excl && !(*opened & FILE_CREATED)) {
2776 * We didn't have the inode before the open, so check open permission
2779 acc_mode = op->acc_mode;
2780 if (*opened & FILE_CREATED) {
2781 WARN_ON(!(open_flag & O_CREAT));
2782 fsnotify_create(dir, dentry);
2783 acc_mode = MAY_OPEN;
2785 error = may_open(&file->f_path, acc_mode, open_flag);
2795 dentry = lookup_real(dir, dentry, nd->flags);
2797 return PTR_ERR(dentry);
2800 int open_flag = op->open_flag;
2802 error = create_error;
2803 if ((open_flag & O_EXCL)) {
2804 if (!dentry->d_inode)
2806 } else if (!dentry->d_inode) {
2808 } else if ((open_flag & O_TRUNC) &&
2812 /* will fail later, go on to get the right error */
2816 path->dentry = dentry;
2817 path->mnt = nd->path.mnt;
2822 * Look up and maybe create and open the last component.
2824 * Must be called with i_mutex held on parent.
2826 * Returns 0 if the file was successfully atomically created (if necessary) and
2827 * opened. In this case the file will be returned attached to @file.
2829 * Returns 1 if the file was not completely opened at this time, though lookups
2830 * and creations will have been performed and the dentry returned in @path will
2831 * be positive upon return if O_CREAT was specified. If O_CREAT wasn't
2832 * specified then a negative dentry may be returned.
2834 * An error code is returned otherwise.
2836 * FILE_CREATE will be set in @*opened if the dentry was created and will be
2837 * cleared otherwise prior to returning.
2839 static int lookup_open(struct nameidata *nd, struct path *path,
2841 const struct open_flags *op,
2842 bool got_write, int *opened)
2844 struct dentry *dir = nd->path.dentry;
2845 struct inode *dir_inode = dir->d_inode;
2846 struct dentry *dentry;
2850 *opened &= ~FILE_CREATED;
2851 dentry = lookup_dcache(&nd->last, dir, nd->flags, &need_lookup);
2853 return PTR_ERR(dentry);
2855 /* Cached positive dentry: will open in f_op->open */
2856 if (!need_lookup && dentry->d_inode)
2859 if ((nd->flags & LOOKUP_OPEN) && dir_inode->i_op->atomic_open) {
2860 return atomic_open(nd, dentry, path, file, op, got_write,
2861 need_lookup, opened);
2865 BUG_ON(dentry->d_inode);
2867 dentry = lookup_real(dir_inode, dentry, nd->flags);
2869 return PTR_ERR(dentry);
2872 /* Negative dentry, just create the file */
2873 if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
2874 umode_t mode = op->mode;
2875 if (!IS_POSIXACL(dir->d_inode))
2876 mode &= ~current_umask();
2878 * This write is needed to ensure that a
2879 * rw->ro transition does not occur between
2880 * the time when the file is created and when
2881 * a permanent write count is taken through
2882 * the 'struct file' in finish_open().
2888 *opened |= FILE_CREATED;
2889 error = security_path_mknod(&nd->path, dentry, mode, 0);
2892 error = vfs_create(dir->d_inode, dentry, mode,
2893 nd->flags & LOOKUP_EXCL);
2898 path->dentry = dentry;
2899 path->mnt = nd->path.mnt;
2908 * Handle the last step of open()
2910 static int do_last(struct nameidata *nd, struct path *path,
2911 struct file *file, const struct open_flags *op,
2912 int *opened, struct filename *name)
2914 struct dentry *dir = nd->path.dentry;
2915 int open_flag = op->open_flag;
2916 bool will_truncate = (open_flag & O_TRUNC) != 0;
2917 bool got_write = false;
2918 int acc_mode = op->acc_mode;
2919 struct inode *inode;
2920 bool symlink_ok = false;
2921 struct path save_parent = { .dentry = NULL, .mnt = NULL };
2922 bool retried = false;
2925 nd->flags &= ~LOOKUP_PARENT;
2926 nd->flags |= op->intent;
2928 if (nd->last_type != LAST_NORM) {
2929 error = handle_dots(nd, nd->last_type);
2935 if (!(open_flag & O_CREAT)) {
2936 if (nd->last.name[nd->last.len])
2937 nd->flags |= LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
2938 if (open_flag & O_PATH && !(nd->flags & LOOKUP_FOLLOW))
2940 /* we _can_ be in RCU mode here */
2941 error = lookup_fast(nd, path, &inode);
2948 BUG_ON(nd->inode != dir->d_inode);
2950 /* create side of things */
2952 * This will *only* deal with leaving RCU mode - LOOKUP_JUMPED
2953 * has been cleared when we got to the last component we are
2956 error = complete_walk(nd);
2960 audit_inode(name, dir, LOOKUP_PARENT);
2962 /* trailing slashes? */
2963 if (nd->last.name[nd->last.len])
2968 if (op->open_flag & (O_CREAT | O_TRUNC | O_WRONLY | O_RDWR)) {
2969 error = mnt_want_write(nd->path.mnt);
2973 * do _not_ fail yet - we might not need that or fail with
2974 * a different error; let lookup_open() decide; we'll be
2975 * dropping this one anyway.
2978 mutex_lock(&dir->d_inode->i_mutex);
2979 error = lookup_open(nd, path, file, op, got_write, opened);
2980 mutex_unlock(&dir->d_inode->i_mutex);
2986 if ((*opened & FILE_CREATED) ||
2987 !S_ISREG(file_inode(file)->i_mode))
2988 will_truncate = false;
2990 audit_inode(name, file->f_path.dentry, 0);
2994 if (*opened & FILE_CREATED) {
2995 /* Don't check for write permission, don't truncate */
2996 open_flag &= ~O_TRUNC;
2997 will_truncate = false;
2998 acc_mode = MAY_OPEN;
2999 path_to_nameidata(path, nd);
3000 goto finish_open_created;
3004 * create/update audit record if it already exists.
3006 if (d_is_positive(path->dentry))
3007 audit_inode(name, path->dentry, 0);
3010 * If atomic_open() acquired write access it is dropped now due to
3011 * possible mount and symlink following (this might be optimized away if
3015 mnt_drop_write(nd->path.mnt);
3020 if ((open_flag & (O_EXCL | O_CREAT)) == (O_EXCL | O_CREAT))
3023 error = follow_managed(path, nd->flags);
3028 nd->flags |= LOOKUP_JUMPED;
3030 BUG_ON(nd->flags & LOOKUP_RCU);
3031 inode = path->dentry->d_inode;
3033 /* we _can_ be in RCU mode here */
3035 if (!inode || d_is_negative(path->dentry)) {
3036 path_to_nameidata(path, nd);
3040 if (should_follow_link(path->dentry, !symlink_ok)) {
3041 if (nd->flags & LOOKUP_RCU) {
3042 if (unlikely(unlazy_walk(nd, path->dentry))) {
3047 BUG_ON(inode != path->dentry->d_inode);
3051 if ((nd->flags & LOOKUP_RCU) || nd->path.mnt != path->mnt) {
3052 path_to_nameidata(path, nd);
3054 save_parent.dentry = nd->path.dentry;
3055 save_parent.mnt = mntget(path->mnt);
3056 nd->path.dentry = path->dentry;
3060 /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
3062 error = complete_walk(nd);
3064 path_put(&save_parent);
3067 audit_inode(name, nd->path.dentry, 0);
3069 if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
3072 if ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry))
3074 if (!S_ISREG(nd->inode->i_mode))
3075 will_truncate = false;
3077 if (will_truncate) {
3078 error = mnt_want_write(nd->path.mnt);
3083 finish_open_created:
3084 error = may_open(&nd->path, acc_mode, open_flag);
3088 BUG_ON(*opened & FILE_OPENED); /* once it's opened, it's opened */
3089 error = vfs_open(&nd->path, file, current_cred());
3091 *opened |= FILE_OPENED;
3093 if (error == -EOPENSTALE)
3098 error = open_check_o_direct(file);
3101 error = ima_file_check(file, op->acc_mode, *opened);
3105 if (will_truncate) {
3106 error = handle_truncate(file);
3112 mnt_drop_write(nd->path.mnt);
3113 path_put(&save_parent);
3118 path_put_conditional(path, nd);
3125 /* If no saved parent or already retried then can't retry */
3126 if (!save_parent.dentry || retried)
3129 BUG_ON(save_parent.dentry != dir);
3130 path_put(&nd->path);
3131 nd->path = save_parent;
3132 nd->inode = dir->d_inode;
3133 save_parent.mnt = NULL;
3134 save_parent.dentry = NULL;
3136 mnt_drop_write(nd->path.mnt);
3143 static int do_tmpfile(int dfd, struct filename *pathname,
3144 struct nameidata *nd, int flags,
3145 const struct open_flags *op,
3146 struct file *file, int *opened)
3148 static const struct qstr name = QSTR_INIT("/", 1);
3149 struct dentry *dentry, *child;
3151 int error = path_lookupat(dfd, pathname,
3152 flags | LOOKUP_DIRECTORY, nd);
3153 if (unlikely(error))
3155 error = mnt_want_write(nd->path.mnt);
3156 if (unlikely(error))
3158 /* we want directory to be writable */
3159 error = inode_permission(nd->inode, MAY_WRITE | MAY_EXEC);
3162 dentry = nd->path.dentry;
3163 dir = dentry->d_inode;
3164 if (!dir->i_op->tmpfile) {
3165 error = -EOPNOTSUPP;
3168 child = d_alloc(dentry, &name);
3169 if (unlikely(!child)) {
3173 nd->flags &= ~LOOKUP_DIRECTORY;
3174 nd->flags |= op->intent;
3175 dput(nd->path.dentry);
3176 nd->path.dentry = child;
3177 error = dir->i_op->tmpfile(dir, nd->path.dentry, op->mode);
3180 audit_inode(pathname, nd->path.dentry, 0);
3181 /* Don't check for other permissions, the inode was just created */
3182 error = may_open(&nd->path, MAY_OPEN, op->open_flag);
3185 file->f_path.mnt = nd->path.mnt;
3186 error = finish_open(file, nd->path.dentry, NULL, opened);
3189 error = open_check_o_direct(file);
3192 } else if (!(op->open_flag & O_EXCL)) {
3193 struct inode *inode = file_inode(file);
3194 spin_lock(&inode->i_lock);
3195 inode->i_state |= I_LINKABLE;
3196 spin_unlock(&inode->i_lock);
3199 mnt_drop_write(nd->path.mnt);
3201 path_put(&nd->path);
3205 static struct file *path_openat(int dfd, struct filename *pathname,
3206 struct nameidata *nd, const struct open_flags *op, int flags)
3213 file = get_empty_filp();
3217 file->f_flags = op->open_flag;
3219 if (unlikely(file->f_flags & __O_TMPFILE)) {
3220 error = do_tmpfile(dfd, pathname, nd, flags, op, file, &opened);
3224 error = path_init(dfd, pathname, flags, nd);
3225 if (unlikely(error))
3228 error = do_last(nd, &path, file, op, &opened, pathname);
3229 while (unlikely(error > 0)) { /* trailing symlink */
3230 struct path link = path;
3232 if (!(nd->flags & LOOKUP_FOLLOW)) {
3233 path_put_conditional(&path, nd);
3234 path_put(&nd->path);
3238 error = may_follow_link(&link, nd);
3239 if (unlikely(error))
3241 nd->flags |= LOOKUP_PARENT;
3242 nd->flags &= ~(LOOKUP_OPEN|LOOKUP_CREATE|LOOKUP_EXCL);
3243 error = follow_link(&link, nd, &cookie);
3244 if (unlikely(error))
3246 error = do_last(nd, &path, file, op, &opened, pathname);
3247 put_link(nd, &link, cookie);
3251 if (!(opened & FILE_OPENED)) {
3255 if (unlikely(error)) {
3256 if (error == -EOPENSTALE) {
3257 if (flags & LOOKUP_RCU)
3262 file = ERR_PTR(error);
3267 struct file *do_filp_open(int dfd, struct filename *pathname,
3268 const struct open_flags *op)
3270 struct nameidata nd;
3271 int flags = op->lookup_flags;
3274 filp = path_openat(dfd, pathname, &nd, op, flags | LOOKUP_RCU);
3275 if (unlikely(filp == ERR_PTR(-ECHILD)))
3276 filp = path_openat(dfd, pathname, &nd, op, flags);
3277 if (unlikely(filp == ERR_PTR(-ESTALE)))
3278 filp = path_openat(dfd, pathname, &nd, op, flags | LOOKUP_REVAL);
3282 struct file *do_file_open_root(struct dentry *dentry, struct vfsmount *mnt,
3283 const char *name, const struct open_flags *op)
3285 struct nameidata nd;
3287 struct filename *filename;
3288 int flags = op->lookup_flags | LOOKUP_ROOT;
3291 nd.root.dentry = dentry;
3293 if (d_is_symlink(dentry) && op->intent & LOOKUP_OPEN)
3294 return ERR_PTR(-ELOOP);
3296 filename = getname_kernel(name);
3297 if (unlikely(IS_ERR(filename)))
3298 return ERR_CAST(filename);
3300 file = path_openat(-1, filename, &nd, op, flags | LOOKUP_RCU);
3301 if (unlikely(file == ERR_PTR(-ECHILD)))
3302 file = path_openat(-1, filename, &nd, op, flags);
3303 if (unlikely(file == ERR_PTR(-ESTALE)))
3304 file = path_openat(-1, filename, &nd, op, flags | LOOKUP_REVAL);
3309 static struct dentry *filename_create(int dfd, struct filename *name,
3310 struct path *path, unsigned int lookup_flags)
3312 struct dentry *dentry = ERR_PTR(-EEXIST);
3313 struct nameidata nd;
3316 bool is_dir = (lookup_flags & LOOKUP_DIRECTORY);
3319 * Note that only LOOKUP_REVAL and LOOKUP_DIRECTORY matter here. Any
3320 * other flags passed in are ignored!
3322 lookup_flags &= LOOKUP_REVAL;
3324 error = filename_lookup(dfd, name, LOOKUP_PARENT|lookup_flags, &nd);
3326 return ERR_PTR(error);
3329 * Yucky last component or no last component at all?
3330 * (foo/., foo/.., /////)
3332 if (nd.last_type != LAST_NORM)
3334 nd.flags &= ~LOOKUP_PARENT;
3335 nd.flags |= LOOKUP_CREATE | LOOKUP_EXCL;
3337 /* don't fail immediately if it's r/o, at least try to report other errors */
3338 err2 = mnt_want_write(nd.path.mnt);
3340 * Do the final lookup.
3342 mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
3343 dentry = lookup_hash(&nd);
3348 if (d_is_positive(dentry))
3352 * Special case - lookup gave negative, but... we had foo/bar/
3353 * From the vfs_mknod() POV we just have a negative dentry -
3354 * all is fine. Let's be bastards - you had / on the end, you've
3355 * been asking for (non-existent) directory. -ENOENT for you.
3357 if (unlikely(!is_dir && nd.last.name[nd.last.len])) {
3361 if (unlikely(err2)) {
3369 dentry = ERR_PTR(error);
3371 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
3373 mnt_drop_write(nd.path.mnt);
3379 struct dentry *kern_path_create(int dfd, const char *pathname,
3380 struct path *path, unsigned int lookup_flags)
3382 struct filename *filename = getname_kernel(pathname);
3385 if (IS_ERR(filename))
3386 return ERR_CAST(filename);
3387 res = filename_create(dfd, filename, path, lookup_flags);
3391 EXPORT_SYMBOL(kern_path_create);
3393 void done_path_create(struct path *path, struct dentry *dentry)
3396 mutex_unlock(&path->dentry->d_inode->i_mutex);
3397 mnt_drop_write(path->mnt);
3400 EXPORT_SYMBOL(done_path_create);
3402 struct dentry *user_path_create(int dfd, const char __user *pathname,
3403 struct path *path, unsigned int lookup_flags)
3405 struct filename *tmp = getname(pathname);
3408 return ERR_CAST(tmp);
3409 res = filename_create(dfd, tmp, path, lookup_flags);
3413 EXPORT_SYMBOL(user_path_create);
3415 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3417 int error = may_create(dir, dentry);
3422 if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
3425 if (!dir->i_op->mknod)
3428 error = devcgroup_inode_mknod(mode, dev);
3432 error = security_inode_mknod(dir, dentry, mode, dev);
3436 error = dir->i_op->mknod(dir, dentry, mode, dev);
3438 fsnotify_create(dir, dentry);
3441 EXPORT_SYMBOL(vfs_mknod);
3443 static int may_mknod(umode_t mode)
3445 switch (mode & S_IFMT) {
3451 case 0: /* zero mode translates to S_IFREG */
3460 SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode,
3463 struct dentry *dentry;
3466 unsigned int lookup_flags = 0;
3468 error = may_mknod(mode);
3472 dentry = user_path_create(dfd, filename, &path, lookup_flags);
3474 return PTR_ERR(dentry);
3476 if (!IS_POSIXACL(path.dentry->d_inode))
3477 mode &= ~current_umask();
3478 error = security_path_mknod(&path, dentry, mode, dev);
3481 switch (mode & S_IFMT) {
3482 case 0: case S_IFREG:
3483 error = vfs_create(path.dentry->d_inode,dentry,mode,true);
3485 case S_IFCHR: case S_IFBLK:
3486 error = vfs_mknod(path.dentry->d_inode,dentry,mode,
3487 new_decode_dev(dev));
3489 case S_IFIFO: case S_IFSOCK:
3490 error = vfs_mknod(path.dentry->d_inode,dentry,mode,0);
3494 done_path_create(&path, dentry);
3495 if (retry_estale(error, lookup_flags)) {
3496 lookup_flags |= LOOKUP_REVAL;
3502 SYSCALL_DEFINE3(mknod, const char __user *, filename, umode_t, mode, unsigned, dev)
3504 return sys_mknodat(AT_FDCWD, filename, mode, dev);
3507 int vfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
3509 int error = may_create(dir, dentry);
3510 unsigned max_links = dir->i_sb->s_max_links;
3515 if (!dir->i_op->mkdir)
3518 mode &= (S_IRWXUGO|S_ISVTX);
3519 error = security_inode_mkdir(dir, dentry, mode);
3523 if (max_links && dir->i_nlink >= max_links)
3526 error = dir->i_op->mkdir(dir, dentry, mode);
3528 fsnotify_mkdir(dir, dentry);
3531 EXPORT_SYMBOL(vfs_mkdir);
3533 SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode)
3535 struct dentry *dentry;
3538 unsigned int lookup_flags = LOOKUP_DIRECTORY;
3541 dentry = user_path_create(dfd, pathname, &path, lookup_flags);
3543 return PTR_ERR(dentry);
3545 if (!IS_POSIXACL(path.dentry->d_inode))
3546 mode &= ~current_umask();
3547 error = security_path_mkdir(&path, dentry, mode);
3549 error = vfs_mkdir(path.dentry->d_inode, dentry, mode);
3550 done_path_create(&path, dentry);
3551 if (retry_estale(error, lookup_flags)) {
3552 lookup_flags |= LOOKUP_REVAL;
3558 SYSCALL_DEFINE2(mkdir, const char __user *, pathname, umode_t, mode)
3560 return sys_mkdirat(AT_FDCWD, pathname, mode);
3564 * The dentry_unhash() helper will try to drop the dentry early: we
3565 * should have a usage count of 1 if we're the only user of this
3566 * dentry, and if that is true (possibly after pruning the dcache),
3567 * then we drop the dentry now.
3569 * A low-level filesystem can, if it choses, legally
3572 * if (!d_unhashed(dentry))
3575 * if it cannot handle the case of removing a directory
3576 * that is still in use by something else..
3578 void dentry_unhash(struct dentry *dentry)
3580 shrink_dcache_parent(dentry);
3581 spin_lock(&dentry->d_lock);
3582 if (dentry->d_lockref.count == 1)
3584 spin_unlock(&dentry->d_lock);
3586 EXPORT_SYMBOL(dentry_unhash);
3588 int vfs_rmdir(struct inode *dir, struct dentry *dentry)
3590 int error = may_delete(dir, dentry, 1);
3595 if (!dir->i_op->rmdir)
3599 mutex_lock(&dentry->d_inode->i_mutex);
3602 if (is_local_mountpoint(dentry))
3605 error = security_inode_rmdir(dir, dentry);
3609 shrink_dcache_parent(dentry);
3610 error = dir->i_op->rmdir(dir, dentry);
3614 dentry->d_inode->i_flags |= S_DEAD;
3616 detach_mounts(dentry);
3619 mutex_unlock(&dentry->d_inode->i_mutex);
3625 EXPORT_SYMBOL(vfs_rmdir);
3627 static long do_rmdir(int dfd, const char __user *pathname)
3630 struct filename *name;
3631 struct dentry *dentry;
3632 struct nameidata nd;
3633 unsigned int lookup_flags = 0;
3635 name = user_path_parent(dfd, pathname, &nd, lookup_flags);
3637 return PTR_ERR(name);
3639 switch(nd.last_type) {
3651 nd.flags &= ~LOOKUP_PARENT;
3652 error = mnt_want_write(nd.path.mnt);
3656 mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
3657 dentry = lookup_hash(&nd);
3658 error = PTR_ERR(dentry);
3661 if (!dentry->d_inode) {
3665 error = security_path_rmdir(&nd.path, dentry);
3668 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
3672 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
3673 mnt_drop_write(nd.path.mnt);
3677 if (retry_estale(error, lookup_flags)) {
3678 lookup_flags |= LOOKUP_REVAL;
3684 SYSCALL_DEFINE1(rmdir, const char __user *, pathname)
3686 return do_rmdir(AT_FDCWD, pathname);
3690 * vfs_unlink - unlink a filesystem object
3691 * @dir: parent directory
3693 * @delegated_inode: returns victim inode, if the inode is delegated.
3695 * The caller must hold dir->i_mutex.
3697 * If vfs_unlink discovers a delegation, it will return -EWOULDBLOCK and
3698 * return a reference to the inode in delegated_inode. The caller
3699 * should then break the delegation on that inode and retry. Because
3700 * breaking a delegation may take a long time, the caller should drop
3701 * dir->i_mutex before doing so.
3703 * Alternatively, a caller may pass NULL for delegated_inode. This may
3704 * be appropriate for callers that expect the underlying filesystem not
3705 * to be NFS exported.
3707 int vfs_unlink(struct inode *dir, struct dentry *dentry, struct inode **delegated_inode)
3709 struct inode *target = dentry->d_inode;
3710 int error = may_delete(dir, dentry, 0);
3715 if (!dir->i_op->unlink)
3718 mutex_lock(&target->i_mutex);
3719 if (is_local_mountpoint(dentry))
3722 error = security_inode_unlink(dir, dentry);
3724 error = try_break_deleg(target, delegated_inode);
3727 error = dir->i_op->unlink(dir, dentry);
3730 detach_mounts(dentry);
3735 mutex_unlock(&target->i_mutex);
3737 /* We don't d_delete() NFS sillyrenamed files--they still exist. */
3738 if (!error && !(dentry->d_flags & DCACHE_NFSFS_RENAMED)) {
3739 fsnotify_link_count(target);
3745 EXPORT_SYMBOL(vfs_unlink);
3748 * Make sure that the actual truncation of the file will occur outside its
3749 * directory's i_mutex. Truncate can take a long time if there is a lot of
3750 * writeout happening, and we don't want to prevent access to the directory
3751 * while waiting on the I/O.
3753 static long do_unlinkat(int dfd, const char __user *pathname)
3756 struct filename *name;
3757 struct dentry *dentry;
3758 struct nameidata nd;
3759 struct inode *inode = NULL;
3760 struct inode *delegated_inode = NULL;
3761 unsigned int lookup_flags = 0;
3763 name = user_path_parent(dfd, pathname, &nd, lookup_flags);
3765 return PTR_ERR(name);
3768 if (nd.last_type != LAST_NORM)
3771 nd.flags &= ~LOOKUP_PARENT;
3772 error = mnt_want_write(nd.path.mnt);
3776 mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
3777 dentry = lookup_hash(&nd);
3778 error = PTR_ERR(dentry);
3779 if (!IS_ERR(dentry)) {
3780 /* Why not before? Because we want correct error value */
3781 if (nd.last.name[nd.last.len])
3783 inode = dentry->d_inode;
3784 if (d_is_negative(dentry))
3787 error = security_path_unlink(&nd.path, dentry);
3790 error = vfs_unlink(nd.path.dentry->d_inode, dentry, &delegated_inode);
3794 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
3796 iput(inode); /* truncate the inode here */
3798 if (delegated_inode) {
3799 error = break_deleg_wait(&delegated_inode);
3803 mnt_drop_write(nd.path.mnt);
3807 if (retry_estale(error, lookup_flags)) {
3808 lookup_flags |= LOOKUP_REVAL;
3815 if (d_is_negative(dentry))
3817 else if (d_is_dir(dentry))
3824 SYSCALL_DEFINE3(unlinkat, int, dfd, const char __user *, pathname, int, flag)
3826 if ((flag & ~AT_REMOVEDIR) != 0)
3829 if (flag & AT_REMOVEDIR)
3830 return do_rmdir(dfd, pathname);
3832 return do_unlinkat(dfd, pathname);
3835 SYSCALL_DEFINE1(unlink, const char __user *, pathname)
3837 return do_unlinkat(AT_FDCWD, pathname);
3840 int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname)
3842 int error = may_create(dir, dentry);
3847 if (!dir->i_op->symlink)
3850 error = security_inode_symlink(dir, dentry, oldname);
3854 error = dir->i_op->symlink(dir, dentry, oldname);
3856 fsnotify_create(dir, dentry);
3859 EXPORT_SYMBOL(vfs_symlink);
3861 SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
3862 int, newdfd, const char __user *, newname)
3865 struct filename *from;
3866 struct dentry *dentry;
3868 unsigned int lookup_flags = 0;
3870 from = getname(oldname);
3872 return PTR_ERR(from);
3874 dentry = user_path_create(newdfd, newname, &path, lookup_flags);
3875 error = PTR_ERR(dentry);
3879 error = security_path_symlink(&path, dentry, from->name);
3881 error = vfs_symlink(path.dentry->d_inode, dentry, from->name);
3882 done_path_create(&path, dentry);
3883 if (retry_estale(error, lookup_flags)) {
3884 lookup_flags |= LOOKUP_REVAL;
3892 SYSCALL_DEFINE2(symlink, const char __user *, oldname, const char __user *, newname)
3894 return sys_symlinkat(oldname, AT_FDCWD, newname);
3898 * vfs_link - create a new link
3899 * @old_dentry: object to be linked
3901 * @new_dentry: where to create the new link
3902 * @delegated_inode: returns inode needing a delegation break
3904 * The caller must hold dir->i_mutex
3906 * If vfs_link discovers a delegation on the to-be-linked file in need
3907 * of breaking, it will return -EWOULDBLOCK and return a reference to the
3908 * inode in delegated_inode. The caller should then break the delegation
3909 * and retry. Because breaking a delegation may take a long time, the
3910 * caller should drop the i_mutex before doing so.
3912 * Alternatively, a caller may pass NULL for delegated_inode. This may
3913 * be appropriate for callers that expect the underlying filesystem not
3914 * to be NFS exported.
3916 int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry, struct inode **delegated_inode)
3918 struct inode *inode = old_dentry->d_inode;
3919 unsigned max_links = dir->i_sb->s_max_links;
3925 error = may_create(dir, new_dentry);
3929 if (dir->i_sb != inode->i_sb)
3933 * A link to an append-only or immutable file cannot be created.
3935 if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
3937 if (!dir->i_op->link)
3939 if (S_ISDIR(inode->i_mode))
3942 error = security_inode_link(old_dentry, dir, new_dentry);
3946 mutex_lock(&inode->i_mutex);
3947 /* Make sure we don't allow creating hardlink to an unlinked file */
3948 if (inode->i_nlink == 0 && !(inode->i_state & I_LINKABLE))
3950 else if (max_links && inode->i_nlink >= max_links)
3953 error = try_break_deleg(inode, delegated_inode);
3955 error = dir->i_op->link(old_dentry, dir, new_dentry);
3958 if (!error && (inode->i_state & I_LINKABLE)) {
3959 spin_lock(&inode->i_lock);
3960 inode->i_state &= ~I_LINKABLE;
3961 spin_unlock(&inode->i_lock);
3963 mutex_unlock(&inode->i_mutex);
3965 fsnotify_link(dir, inode, new_dentry);
3968 EXPORT_SYMBOL(vfs_link);
3971 * Hardlinks are often used in delicate situations. We avoid
3972 * security-related surprises by not following symlinks on the
3975 * We don't follow them on the oldname either to be compatible
3976 * with linux 2.0, and to avoid hard-linking to directories
3977 * and other special files. --ADM
3979 SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
3980 int, newdfd, const char __user *, newname, int, flags)
3982 struct dentry *new_dentry;
3983 struct path old_path, new_path;
3984 struct inode *delegated_inode = NULL;
3988 if ((flags & ~(AT_SYMLINK_FOLLOW | AT_EMPTY_PATH)) != 0)
3991 * To use null names we require CAP_DAC_READ_SEARCH
3992 * This ensures that not everyone will be able to create
3993 * handlink using the passed filedescriptor.
3995 if (flags & AT_EMPTY_PATH) {
3996 if (!capable(CAP_DAC_READ_SEARCH))
4001 if (flags & AT_SYMLINK_FOLLOW)
4002 how |= LOOKUP_FOLLOW;
4004 error = user_path_at(olddfd, oldname, how, &old_path);
4008 new_dentry = user_path_create(newdfd, newname, &new_path,
4009 (how & LOOKUP_REVAL));
4010 error = PTR_ERR(new_dentry);
4011 if (IS_ERR(new_dentry))
4015 if (old_path.mnt != new_path.mnt)
4017 error = may_linkat(&old_path);
4018 if (unlikely(error))
4020 error = security_path_link(old_path.dentry, &new_path, new_dentry);
4023 error = vfs_link(old_path.dentry, new_path.dentry->d_inode, new_dentry, &delegated_inode);
4025 done_path_create(&new_path, new_dentry);
4026 if (delegated_inode) {
4027 error = break_deleg_wait(&delegated_inode);
4029 path_put(&old_path);
4033 if (retry_estale(error, how)) {
4034 path_put(&old_path);
4035 how |= LOOKUP_REVAL;
4039 path_put(&old_path);
4044 SYSCALL_DEFINE2(link, const char __user *, oldname, const char __user *, newname)
4046 return sys_linkat(AT_FDCWD, oldname, AT_FDCWD, newname, 0);
4050 * vfs_rename - rename a filesystem object
4051 * @old_dir: parent of source
4052 * @old_dentry: source
4053 * @new_dir: parent of destination
4054 * @new_dentry: destination
4055 * @delegated_inode: returns an inode needing a delegation break
4056 * @flags: rename flags
4058 * The caller must hold multiple mutexes--see lock_rename()).
4060 * If vfs_rename discovers a delegation in need of breaking at either
4061 * the source or destination, it will return -EWOULDBLOCK and return a
4062 * reference to the inode in delegated_inode. The caller should then
4063 * break the delegation and retry. Because breaking a delegation may
4064 * take a long time, the caller should drop all locks before doing
4067 * Alternatively, a caller may pass NULL for delegated_inode. This may
4068 * be appropriate for callers that expect the underlying filesystem not
4069 * to be NFS exported.
4071 * The worst of all namespace operations - renaming directory. "Perverted"
4072 * doesn't even start to describe it. Somebody in UCB had a heck of a trip...
4074 * a) we can get into loop creation.
4075 * b) race potential - two innocent renames can create a loop together.
4076 * That's where 4.4 screws up. Current fix: serialization on
4077 * sb->s_vfs_rename_mutex. We might be more accurate, but that's another
4079 * c) we have to lock _four_ objects - parents and victim (if it exists),
4080 * and source (if it is not a directory).
4081 * And that - after we got ->i_mutex on parents (until then we don't know
4082 * whether the target exists). Solution: try to be smart with locking
4083 * order for inodes. We rely on the fact that tree topology may change
4084 * only under ->s_vfs_rename_mutex _and_ that parent of the object we
4085 * move will be locked. Thus we can rank directories by the tree
4086 * (ancestors first) and rank all non-directories after them.
4087 * That works since everybody except rename does "lock parent, lookup,
4088 * lock child" and rename is under ->s_vfs_rename_mutex.
4089 * HOWEVER, it relies on the assumption that any object with ->lookup()
4090 * has no more than 1 dentry. If "hybrid" objects will ever appear,
4091 * we'd better make sure that there's no link(2) for them.
4092 * d) conversion from fhandle to dentry may come in the wrong moment - when
4093 * we are removing the target. Solution: we will have to grab ->i_mutex
4094 * in the fhandle_to_dentry code. [FIXME - current nfsfh.c relies on
4095 * ->i_mutex on parents, which works but leads to some truly excessive
4098 int vfs_rename(struct inode *old_dir, struct dentry *old_dentry,
4099 struct inode *new_dir, struct dentry *new_dentry,
4100 struct inode **delegated_inode, unsigned int flags)
4103 bool is_dir = d_is_dir(old_dentry);
4104 const unsigned char *old_name;
4105 struct inode *source = old_dentry->d_inode;
4106 struct inode *target = new_dentry->d_inode;
4107 bool new_is_dir = false;
4108 unsigned max_links = new_dir->i_sb->s_max_links;
4110 if (source == target)
4113 error = may_delete(old_dir, old_dentry, is_dir);
4118 error = may_create(new_dir, new_dentry);
4120 new_is_dir = d_is_dir(new_dentry);
4122 if (!(flags & RENAME_EXCHANGE))
4123 error = may_delete(new_dir, new_dentry, is_dir);
4125 error = may_delete(new_dir, new_dentry, new_is_dir);
4130 if (!old_dir->i_op->rename && !old_dir->i_op->rename2)
4133 if (flags && !old_dir->i_op->rename2)
4137 * If we are going to change the parent - check write permissions,
4138 * we'll need to flip '..'.
4140 if (new_dir != old_dir) {
4142 error = inode_permission(source, MAY_WRITE);
4146 if ((flags & RENAME_EXCHANGE) && new_is_dir) {
4147 error = inode_permission(target, MAY_WRITE);
4153 error = security_inode_rename(old_dir, old_dentry, new_dir, new_dentry,
4158 old_name = fsnotify_oldname_init(old_dentry->d_name.name);
4160 if (!is_dir || (flags & RENAME_EXCHANGE))
4161 lock_two_nondirectories(source, target);
4163 mutex_lock(&target->i_mutex);
4166 if (is_local_mountpoint(old_dentry) || is_local_mountpoint(new_dentry))
4169 if (max_links && new_dir != old_dir) {
4171 if (is_dir && !new_is_dir && new_dir->i_nlink >= max_links)
4173 if ((flags & RENAME_EXCHANGE) && !is_dir && new_is_dir &&
4174 old_dir->i_nlink >= max_links)
4177 if (is_dir && !(flags & RENAME_EXCHANGE) && target)
4178 shrink_dcache_parent(new_dentry);
4180 error = try_break_deleg(source, delegated_inode);
4184 if (target && !new_is_dir) {
4185 error = try_break_deleg(target, delegated_inode);
4189 if (!old_dir->i_op->rename2) {
4190 error = old_dir->i_op->rename(old_dir, old_dentry,
4191 new_dir, new_dentry);
4193 WARN_ON(old_dir->i_op->rename != NULL);
4194 error = old_dir->i_op->rename2(old_dir, old_dentry,
4195 new_dir, new_dentry, flags);
4200 if (!(flags & RENAME_EXCHANGE) && target) {
4202 target->i_flags |= S_DEAD;
4203 dont_mount(new_dentry);
4204 detach_mounts(new_dentry);
4206 if (!(old_dir->i_sb->s_type->fs_flags & FS_RENAME_DOES_D_MOVE)) {
4207 if (!(flags & RENAME_EXCHANGE))
4208 d_move(old_dentry, new_dentry);
4210 d_exchange(old_dentry, new_dentry);
4213 if (!is_dir || (flags & RENAME_EXCHANGE))
4214 unlock_two_nondirectories(source, target);
4216 mutex_unlock(&target->i_mutex);
4219 fsnotify_move(old_dir, new_dir, old_name, is_dir,
4220 !(flags & RENAME_EXCHANGE) ? target : NULL, old_dentry);
4221 if (flags & RENAME_EXCHANGE) {
4222 fsnotify_move(new_dir, old_dir, old_dentry->d_name.name,
4223 new_is_dir, NULL, new_dentry);
4226 fsnotify_oldname_free(old_name);
4230 EXPORT_SYMBOL(vfs_rename);
4232 SYSCALL_DEFINE5(renameat2, int, olddfd, const char __user *, oldname,
4233 int, newdfd, const char __user *, newname, unsigned int, flags)
4235 struct dentry *old_dir, *new_dir;
4236 struct dentry *old_dentry, *new_dentry;
4237 struct dentry *trap;
4238 struct nameidata oldnd, newnd;
4239 struct inode *delegated_inode = NULL;
4240 struct filename *from;
4241 struct filename *to;
4242 unsigned int lookup_flags = 0;
4243 bool should_retry = false;
4246 if (flags & ~(RENAME_NOREPLACE | RENAME_EXCHANGE | RENAME_WHITEOUT))
4249 if ((flags & (RENAME_NOREPLACE | RENAME_WHITEOUT)) &&
4250 (flags & RENAME_EXCHANGE))
4253 if ((flags & RENAME_WHITEOUT) && !capable(CAP_MKNOD))
4257 from = user_path_parent(olddfd, oldname, &oldnd, lookup_flags);
4259 error = PTR_ERR(from);
4263 to = user_path_parent(newdfd, newname, &newnd, lookup_flags);
4265 error = PTR_ERR(to);
4270 if (oldnd.path.mnt != newnd.path.mnt)
4273 old_dir = oldnd.path.dentry;
4275 if (oldnd.last_type != LAST_NORM)
4278 new_dir = newnd.path.dentry;
4279 if (flags & RENAME_NOREPLACE)
4281 if (newnd.last_type != LAST_NORM)
4284 error = mnt_want_write(oldnd.path.mnt);
4288 oldnd.flags &= ~LOOKUP_PARENT;
4289 newnd.flags &= ~LOOKUP_PARENT;
4290 if (!(flags & RENAME_EXCHANGE))
4291 newnd.flags |= LOOKUP_RENAME_TARGET;
4294 trap = lock_rename(new_dir, old_dir);
4296 old_dentry = lookup_hash(&oldnd);
4297 error = PTR_ERR(old_dentry);
4298 if (IS_ERR(old_dentry))
4300 /* source must exist */
4302 if (d_is_negative(old_dentry))
4304 new_dentry = lookup_hash(&newnd);
4305 error = PTR_ERR(new_dentry);
4306 if (IS_ERR(new_dentry))
4309 if ((flags & RENAME_NOREPLACE) && d_is_positive(new_dentry))
4311 if (flags & RENAME_EXCHANGE) {
4313 if (d_is_negative(new_dentry))
4316 if (!d_is_dir(new_dentry)) {
4318 if (newnd.last.name[newnd.last.len])
4322 /* unless the source is a directory trailing slashes give -ENOTDIR */
4323 if (!d_is_dir(old_dentry)) {
4325 if (oldnd.last.name[oldnd.last.len])
4327 if (!(flags & RENAME_EXCHANGE) && newnd.last.name[newnd.last.len])
4330 /* source should not be ancestor of target */
4332 if (old_dentry == trap)
4334 /* target should not be an ancestor of source */
4335 if (!(flags & RENAME_EXCHANGE))
4337 if (new_dentry == trap)
4340 error = security_path_rename(&oldnd.path, old_dentry,
4341 &newnd.path, new_dentry, flags);
4344 error = vfs_rename(old_dir->d_inode, old_dentry,
4345 new_dir->d_inode, new_dentry,
4346 &delegated_inode, flags);
4352 unlock_rename(new_dir, old_dir);
4353 if (delegated_inode) {
4354 error = break_deleg_wait(&delegated_inode);
4358 mnt_drop_write(oldnd.path.mnt);
4360 if (retry_estale(error, lookup_flags))
4361 should_retry = true;
4362 path_put(&newnd.path);
4365 path_put(&oldnd.path);
4368 should_retry = false;
4369 lookup_flags |= LOOKUP_REVAL;
4376 SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
4377 int, newdfd, const char __user *, newname)
4379 return sys_renameat2(olddfd, oldname, newdfd, newname, 0);
4382 SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newname)
4384 return sys_renameat2(AT_FDCWD, oldname, AT_FDCWD, newname, 0);
4387 int vfs_whiteout(struct inode *dir, struct dentry *dentry)
4389 int error = may_create(dir, dentry);
4393 if (!dir->i_op->mknod)
4396 return dir->i_op->mknod(dir, dentry,
4397 S_IFCHR | WHITEOUT_MODE, WHITEOUT_DEV);
4399 EXPORT_SYMBOL(vfs_whiteout);
4401 int readlink_copy(char __user *buffer, int buflen, const char *link)
4403 int len = PTR_ERR(link);
4408 if (len > (unsigned) buflen)
4410 if (copy_to_user(buffer, link, len))
4415 EXPORT_SYMBOL(readlink_copy);
4418 * A helper for ->readlink(). This should be used *ONLY* for symlinks that
4419 * have ->follow_link() touching nd only in nd_set_link(). Using (or not
4420 * using) it for any given inode is up to filesystem.
4422 int generic_readlink(struct dentry *dentry, char __user *buffer, int buflen)
4424 struct nameidata nd;
4429 cookie = dentry->d_inode->i_op->follow_link(dentry, &nd);
4431 return PTR_ERR(cookie);
4433 res = readlink_copy(buffer, buflen, nd_get_link(&nd));
4434 if (dentry->d_inode->i_op->put_link)
4435 dentry->d_inode->i_op->put_link(dentry, &nd, cookie);
4438 EXPORT_SYMBOL(generic_readlink);
4440 /* get the link contents into pagecache */
4441 static char *page_getlink(struct dentry * dentry, struct page **ppage)
4445 struct address_space *mapping = dentry->d_inode->i_mapping;
4446 page = read_mapping_page(mapping, 0, NULL);
4451 nd_terminate_link(kaddr, dentry->d_inode->i_size, PAGE_SIZE - 1);
4455 int page_readlink(struct dentry *dentry, char __user *buffer, int buflen)
4457 struct page *page = NULL;
4458 int res = readlink_copy(buffer, buflen, page_getlink(dentry, &page));
4461 page_cache_release(page);
4465 EXPORT_SYMBOL(page_readlink);
4467 void *page_follow_link_light(struct dentry *dentry, struct nameidata *nd)
4469 struct page *page = NULL;
4470 nd_set_link(nd, page_getlink(dentry, &page));
4473 EXPORT_SYMBOL(page_follow_link_light);
4475 void page_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
4477 struct page *page = cookie;
4481 page_cache_release(page);
4484 EXPORT_SYMBOL(page_put_link);
4487 * The nofs argument instructs pagecache_write_begin to pass AOP_FLAG_NOFS
4489 int __page_symlink(struct inode *inode, const char *symname, int len, int nofs)
4491 struct address_space *mapping = inode->i_mapping;
4496 unsigned int flags = AOP_FLAG_UNINTERRUPTIBLE;
4498 flags |= AOP_FLAG_NOFS;
4501 err = pagecache_write_begin(NULL, mapping, 0, len-1,
4502 flags, &page, &fsdata);
4506 kaddr = kmap_atomic(page);
4507 memcpy(kaddr, symname, len-1);
4508 kunmap_atomic(kaddr);
4510 err = pagecache_write_end(NULL, mapping, 0, len-1, len-1,
4517 mark_inode_dirty(inode);
4522 EXPORT_SYMBOL(__page_symlink);
4524 int page_symlink(struct inode *inode, const char *symname, int len)
4526 return __page_symlink(inode, symname, len,
4527 !(mapping_gfp_mask(inode->i_mapping) & __GFP_FS));
4529 EXPORT_SYMBOL(page_symlink);
4531 const struct inode_operations page_symlink_inode_operations = {
4532 .readlink = generic_readlink,
4533 .follow_link = page_follow_link_light,
4534 .put_link = page_put_link,
4536 EXPORT_SYMBOL(page_symlink_inode_operations);
projects / karo-tx-linux.git / blob