4 * Copyright (C) 1991, 1992 Linus Torvalds
8 * Some corrections by tytso.
11 /* [Feb 1997 T. Schoebel-Theuer] Complete rewrite of the pathname
14 /* [Feb-Apr 2000, AV] Rewrite to the new namespace architecture.
17 #include <linux/init.h>
18 #include <linux/export.h>
19 #include <linux/kernel.h>
20 #include <linux/slab.h>
22 #include <linux/namei.h>
23 #include <linux/pagemap.h>
24 #include <linux/fsnotify.h>
25 #include <linux/personality.h>
26 #include <linux/security.h>
27 #include <linux/ima.h>
28 #include <linux/syscalls.h>
29 #include <linux/mount.h>
30 #include <linux/audit.h>
31 #include <linux/capability.h>
32 #include <linux/file.h>
33 #include <linux/fcntl.h>
34 #include <linux/device_cgroup.h>
35 #include <linux/fs_struct.h>
36 #include <linux/posix_acl.h>
37 #include <linux/hash.h>
38 #include <asm/uaccess.h>
43 /* [Feb-1997 T. Schoebel-Theuer]
44 * Fundamental changes in the pathname lookup mechanisms (namei)
45 * were necessary because of omirr. The reason is that omirr needs
46 * to know the _real_ pathname, not the user-supplied one, in case
47 * of symlinks (and also when transname replacements occur).
49 * The new code replaces the old recursive symlink resolution with
50 * an iterative one (in case of non-nested symlink chains). It does
51 * this with calls to <fs>_follow_link().
52 * As a side effect, dir_namei(), _namei() and follow_link() are now
53 * replaced with a single function lookup_dentry() that can handle all
54 * the special cases of the former code.
56 * With the new dcache, the pathname is stored at each inode, at least as
57 * long as the refcount of the inode is positive. As a side effect, the
58 * size of the dcache depends on the inode cache and thus is dynamic.
60 * [29-Apr-1998 C. Scott Ananian] Updated above description of symlink
61 * resolution to correspond with current state of the code.
63 * Note that the symlink resolution is not *completely* iterative.
64 * There is still a significant amount of tail- and mid- recursion in
65 * the algorithm. Also, note that <fs>_readlink() is not used in
66 * lookup_dentry(): lookup_dentry() on the result of <fs>_readlink()
67 * may return different results than <fs>_follow_link(). Many virtual
68 * filesystems (including /proc) exhibit this behavior.
71 /* [24-Feb-97 T. Schoebel-Theuer] Side effects caused by new implementation:
72 * New symlink semantics: when open() is called with flags O_CREAT | O_EXCL
73 * and the name already exists in form of a symlink, try to create the new
74 * name indicated by the symlink. The old code always complained that the
75 * name already exists, due to not following the symlink even if its target
76 * is nonexistent. The new semantics affects also mknod() and link() when
77 * the name is a symlink pointing to a non-existent name.
79 * I don't know which semantics is the right one, since I have no access
80 * to standards. But I found by trial that HP-UX 9.0 has the full "new"
81 * semantics implemented, while SunOS 4.1.1 and Solaris (SunOS 5.4) have the
82 * "old" one. Personally, I think the new semantics is much more logical.
83 * Note that "ln old new" where "new" is a symlink pointing to a non-existing
84 * file does succeed in both HP-UX and SunOs, but not in Solaris
85 * and in the old Linux semantics.
88 /* [16-Dec-97 Kevin Buhr] For security reasons, we change some symlink
89 * semantics. See the comments in "open_namei" and "do_link" below.
91 * [10-Sep-98 Alan Modra] Another symlink change.
94 /* [Feb-Apr 2000 AV] Complete rewrite. Rules for symlinks:
95 * inside the path - always follow.
96 * in the last component in creation/removal/renaming - never follow.
97 * if LOOKUP_FOLLOW passed - follow.
98 * if the pathname has trailing slashes - follow.
99 * otherwise - don't follow.
100 * (applied in that order).
102 * [Jun 2000 AV] Inconsistent behaviour of open() in case if flags==O_CREAT
103 * restored for 2.4. This is the last surviving part of old 4.2BSD bug.
104 * During the 2.4 we need to fix the userland stuff depending on it -
105 * hopefully we will be able to get rid of that wart in 2.5. So far only
106 * XEmacs seems to be relying on it...
109 * [Sep 2001 AV] Single-semaphore locking scheme (kudos to David Holland)
110 * implemented. Let's see if raised priority of ->s_vfs_rename_mutex gives
111 * any extra contention...
114 /* In order to reduce some races, while at the same time doing additional
115 * checking and hopefully speeding things up, we copy filenames to the
116 * kernel data space before using them..
118 * POSIX.1 2.4: an empty pathname is invalid (ENOENT).
119 * PATH_MAX includes the nul terminator --RR.
122 #define EMBEDDED_NAME_MAX (PATH_MAX - offsetof(struct filename, iname))
125 getname_flags(const char __user *filename, int flags, int *empty)
127 struct filename *result;
131 result = audit_reusename(filename);
135 result = __getname();
136 if (unlikely(!result))
137 return ERR_PTR(-ENOMEM);
140 * First, try to embed the struct filename inside the names_cache
143 kname = (char *)result->iname;
144 result->name = kname;
146 len = strncpy_from_user(kname, filename, EMBEDDED_NAME_MAX);
147 if (unlikely(len < 0)) {
153 * Uh-oh. We have a name that's approaching PATH_MAX. Allocate a
154 * separate struct filename so we can dedicate the entire
155 * names_cache allocation for the pathname, and re-do the copy from
158 if (unlikely(len == EMBEDDED_NAME_MAX)) {
159 const size_t size = offsetof(struct filename, iname[1]);
160 kname = (char *)result;
163 * size is chosen that way we to guarantee that
164 * result->iname[0] is within the same object and that
165 * kname can't be equal to result->iname, no matter what.
167 result = kzalloc(size, GFP_KERNEL);
168 if (unlikely(!result)) {
170 return ERR_PTR(-ENOMEM);
172 result->name = kname;
173 len = strncpy_from_user(kname, filename, PATH_MAX);
174 if (unlikely(len < 0)) {
179 if (unlikely(len == PATH_MAX)) {
182 return ERR_PTR(-ENAMETOOLONG);
187 /* The empty path is special. */
188 if (unlikely(!len)) {
191 if (!(flags & LOOKUP_EMPTY)) {
193 return ERR_PTR(-ENOENT);
197 result->uptr = filename;
198 result->aname = NULL;
199 audit_getname(result);
204 getname(const char __user * filename)
206 return getname_flags(filename, 0, NULL);
210 getname_kernel(const char * filename)
212 struct filename *result;
213 int len = strlen(filename) + 1;
215 result = __getname();
216 if (unlikely(!result))
217 return ERR_PTR(-ENOMEM);
219 if (len <= EMBEDDED_NAME_MAX) {
220 result->name = (char *)result->iname;
221 } else if (len <= PATH_MAX) {
222 struct filename *tmp;
224 tmp = kmalloc(sizeof(*tmp), GFP_KERNEL);
225 if (unlikely(!tmp)) {
227 return ERR_PTR(-ENOMEM);
229 tmp->name = (char *)result;
233 return ERR_PTR(-ENAMETOOLONG);
235 memcpy((char *)result->name, filename, len);
237 result->aname = NULL;
239 audit_getname(result);
244 void putname(struct filename *name)
246 BUG_ON(name->refcnt <= 0);
248 if (--name->refcnt > 0)
251 if (name->name != name->iname) {
252 __putname(name->name);
258 static int check_acl(struct inode *inode, int mask)
260 #ifdef CONFIG_FS_POSIX_ACL
261 struct posix_acl *acl;
263 if (mask & MAY_NOT_BLOCK) {
264 acl = get_cached_acl_rcu(inode, ACL_TYPE_ACCESS);
267 /* no ->get_acl() calls in RCU mode... */
268 if (acl == ACL_NOT_CACHED)
270 return posix_acl_permission(inode, acl, mask & ~MAY_NOT_BLOCK);
273 acl = get_acl(inode, ACL_TYPE_ACCESS);
277 int error = posix_acl_permission(inode, acl, mask);
278 posix_acl_release(acl);
287 * This does the basic permission checking
289 static int acl_permission_check(struct inode *inode, int mask)
291 unsigned int mode = inode->i_mode;
293 if (likely(uid_eq(current_fsuid(), inode->i_uid)))
296 if (IS_POSIXACL(inode) && (mode & S_IRWXG)) {
297 int error = check_acl(inode, mask);
298 if (error != -EAGAIN)
302 if (in_group_p(inode->i_gid))
307 * If the DACs are ok we don't need any capability check.
309 if ((mask & ~mode & (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0)
315 * generic_permission - check for access rights on a Posix-like filesystem
316 * @inode: inode to check access rights for
317 * @mask: right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC, ...)
319 * Used to check for read/write/execute permissions on a file.
320 * We use "fsuid" for this, letting us set arbitrary permissions
321 * for filesystem access without changing the "normal" uids which
322 * are used for other things.
324 * generic_permission is rcu-walk aware. It returns -ECHILD in case an rcu-walk
325 * request cannot be satisfied (eg. requires blocking or too much complexity).
326 * It would then be called again in ref-walk mode.
328 int generic_permission(struct inode *inode, int mask)
333 * Do the basic permission checks.
335 ret = acl_permission_check(inode, mask);
339 if (S_ISDIR(inode->i_mode)) {
340 /* DACs are overridable for directories */
341 if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
343 if (!(mask & MAY_WRITE))
344 if (capable_wrt_inode_uidgid(inode,
345 CAP_DAC_READ_SEARCH))
350 * Read/write DACs are always overridable.
351 * Executable DACs are overridable when there is
352 * at least one exec bit set.
354 if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
355 if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
359 * Searching includes executable on directories, else just read.
361 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
362 if (mask == MAY_READ)
363 if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
368 EXPORT_SYMBOL(generic_permission);
371 * We _really_ want to just do "generic_permission()" without
372 * even looking at the inode->i_op values. So we keep a cache
373 * flag in inode->i_opflags, that says "this has not special
374 * permission function, use the fast case".
376 static inline int do_inode_permission(struct inode *inode, int mask)
378 if (unlikely(!(inode->i_opflags & IOP_FASTPERM))) {
379 if (likely(inode->i_op->permission))
380 return inode->i_op->permission(inode, mask);
382 /* This gets set once for the inode lifetime */
383 spin_lock(&inode->i_lock);
384 inode->i_opflags |= IOP_FASTPERM;
385 spin_unlock(&inode->i_lock);
387 return generic_permission(inode, mask);
391 * __inode_permission - Check for access rights to a given inode
392 * @inode: Inode to check permission on
393 * @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
395 * Check for read/write/execute permissions on an inode.
397 * When checking for MAY_APPEND, MAY_WRITE must also be set in @mask.
399 * This does not check for a read-only file system. You probably want
400 * inode_permission().
402 int __inode_permission(struct inode *inode, int mask)
406 if (unlikely(mask & MAY_WRITE)) {
408 * Nobody gets write access to an immutable file.
410 if (IS_IMMUTABLE(inode))
414 retval = do_inode_permission(inode, mask);
418 retval = devcgroup_inode_permission(inode, mask);
422 return security_inode_permission(inode, mask);
424 EXPORT_SYMBOL(__inode_permission);
427 * sb_permission - Check superblock-level permissions
428 * @sb: Superblock of inode to check permission on
429 * @inode: Inode to check permission on
430 * @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
432 * Separate out file-system wide checks from inode-specific permission checks.
434 static int sb_permission(struct super_block *sb, struct inode *inode, int mask)
436 if (unlikely(mask & MAY_WRITE)) {
437 umode_t mode = inode->i_mode;
439 /* Nobody gets write access to a read-only fs. */
440 if ((sb->s_flags & MS_RDONLY) &&
441 (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode)))
448 * inode_permission - Check for access rights to a given inode
449 * @inode: Inode to check permission on
450 * @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
452 * Check for read/write/execute permissions on an inode. We use fs[ug]id for
453 * this, letting us set arbitrary permissions for filesystem access without
454 * changing the "normal" UIDs which are used for other things.
456 * When checking for MAY_APPEND, MAY_WRITE must also be set in @mask.
458 int inode_permission(struct inode *inode, int mask)
462 retval = sb_permission(inode->i_sb, inode, mask);
465 return __inode_permission(inode, mask);
467 EXPORT_SYMBOL(inode_permission);
470 * path_get - get a reference to a path
471 * @path: path to get the reference to
473 * Given a path increment the reference count to the dentry and the vfsmount.
475 void path_get(const struct path *path)
480 EXPORT_SYMBOL(path_get);
483 * path_put - put a reference to a path
484 * @path: path to put the reference to
486 * Given a path decrement the reference count to the dentry and the vfsmount.
488 void path_put(const struct path *path)
493 EXPORT_SYMBOL(path_put);
495 #define EMBEDDED_LEVELS 2
503 struct inode *inode; /* path.dentry.d_inode */
508 int total_link_count;
514 } *stack, internal[EMBEDDED_LEVELS];
517 static struct nameidata *set_nameidata(struct nameidata *p)
519 struct nameidata *old = current->nameidata;
520 p->stack = p->internal;
521 p->total_link_count = old ? old->total_link_count : 0;
522 current->nameidata = p;
526 static void restore_nameidata(struct nameidata *old)
528 struct nameidata *now = current->nameidata;
530 current->nameidata = old;
532 old->total_link_count = now->total_link_count;
533 if (now->stack != now->internal) {
535 now->stack = now->internal;
539 static int __nd_alloc_stack(struct nameidata *nd)
541 struct saved *p = kmalloc(MAXSYMLINKS * sizeof(struct saved),
545 memcpy(p, nd->internal, sizeof(nd->internal));
550 static inline int nd_alloc_stack(struct nameidata *nd)
552 if (likely(nd->depth != EMBEDDED_LEVELS))
554 if (likely(nd->stack != nd->internal))
556 return __nd_alloc_stack(nd);
560 * Path walking has 2 modes, rcu-walk and ref-walk (see
561 * Documentation/filesystems/path-lookup.txt). In situations when we can't
562 * continue in RCU mode, we attempt to drop out of rcu-walk mode and grab
563 * normal reference counts on dentries and vfsmounts to transition to rcu-walk
564 * mode. Refcounts are grabbed at the last known good point before rcu-walk
565 * got stuck, so ref-walk may continue from there. If this is not successful
566 * (eg. a seqcount has changed), then failure is returned and it's up to caller
567 * to restart the path walk from the beginning in ref-walk mode.
571 * unlazy_walk - try to switch to ref-walk mode.
572 * @nd: nameidata pathwalk data
573 * @dentry: child of nd->path.dentry or NULL
574 * Returns: 0 on success, -ECHILD on failure
576 * unlazy_walk attempts to legitimize the current nd->path, nd->root and dentry
577 * for ref-walk mode. @dentry must be a path found by a do_lookup call on
578 * @nd or NULL. Must be called from rcu-walk context.
580 static int unlazy_walk(struct nameidata *nd, struct dentry *dentry)
582 struct fs_struct *fs = current->fs;
583 struct dentry *parent = nd->path.dentry;
585 BUG_ON(!(nd->flags & LOOKUP_RCU));
588 * After legitimizing the bastards, terminate_walk()
589 * will do the right thing for non-RCU mode, and all our
590 * subsequent exit cases should rcu_read_unlock()
591 * before returning. Do vfsmount first; if dentry
592 * can't be legitimized, just set nd->path.dentry to NULL
593 * and rely on dput(NULL) being a no-op.
595 if (!legitimize_mnt(nd->path.mnt, nd->m_seq))
597 nd->flags &= ~LOOKUP_RCU;
599 if (!lockref_get_not_dead(&parent->d_lockref)) {
600 nd->path.dentry = NULL;
605 * For a negative lookup, the lookup sequence point is the parents
606 * sequence point, and it only needs to revalidate the parent dentry.
608 * For a positive lookup, we need to move both the parent and the
609 * dentry from the RCU domain to be properly refcounted. And the
610 * sequence number in the dentry validates *both* dentry counters,
611 * since we checked the sequence number of the parent after we got
612 * the child sequence number. So we know the parent must still
613 * be valid if the child sequence number is still valid.
616 if (read_seqcount_retry(&parent->d_seq, nd->seq))
618 BUG_ON(nd->inode != parent->d_inode);
620 if (!lockref_get_not_dead(&dentry->d_lockref))
622 if (read_seqcount_retry(&dentry->d_seq, nd->seq))
627 * Sequence counts matched. Now make sure that the root is
628 * still valid and get it if required.
630 if (nd->root.mnt && !(nd->flags & LOOKUP_ROOT)) {
631 spin_lock(&fs->lock);
632 if (nd->root.mnt != fs->root.mnt || nd->root.dentry != fs->root.dentry)
633 goto unlock_and_drop_dentry;
635 spin_unlock(&fs->lock);
641 unlock_and_drop_dentry:
642 spin_unlock(&fs->lock);
650 if (!(nd->flags & LOOKUP_ROOT))
655 static inline int d_revalidate(struct dentry *dentry, unsigned int flags)
657 return dentry->d_op->d_revalidate(dentry, flags);
661 * complete_walk - successful completion of path walk
662 * @nd: pointer nameidata
664 * If we had been in RCU mode, drop out of it and legitimize nd->path.
665 * Revalidate the final result, unless we'd already done that during
666 * the path walk or the filesystem doesn't ask for it. Return 0 on
667 * success, -error on failure. In case of failure caller does not
668 * need to drop nd->path.
670 static int complete_walk(struct nameidata *nd)
672 struct dentry *dentry = nd->path.dentry;
675 if (nd->flags & LOOKUP_RCU) {
676 nd->flags &= ~LOOKUP_RCU;
677 if (!(nd->flags & LOOKUP_ROOT))
680 if (!legitimize_mnt(nd->path.mnt, nd->m_seq)) {
684 if (unlikely(!lockref_get_not_dead(&dentry->d_lockref))) {
686 mntput(nd->path.mnt);
689 if (read_seqcount_retry(&dentry->d_seq, nd->seq)) {
692 mntput(nd->path.mnt);
698 if (likely(!(nd->flags & LOOKUP_JUMPED)))
701 if (likely(!(dentry->d_flags & DCACHE_OP_WEAK_REVALIDATE)))
704 status = dentry->d_op->d_weak_revalidate(dentry, nd->flags);
715 static __always_inline void set_root(struct nameidata *nd)
717 get_fs_root(current->fs, &nd->root);
720 static __always_inline unsigned set_root_rcu(struct nameidata *nd)
722 struct fs_struct *fs = current->fs;
726 seq = read_seqcount_begin(&fs->seq);
728 res = __read_seqcount_begin(&nd->root.dentry->d_seq);
729 } while (read_seqcount_retry(&fs->seq, seq));
733 static void path_put_conditional(struct path *path, struct nameidata *nd)
736 if (path->mnt != nd->path.mnt)
740 static inline void path_to_nameidata(const struct path *path,
741 struct nameidata *nd)
743 if (!(nd->flags & LOOKUP_RCU)) {
744 dput(nd->path.dentry);
745 if (nd->path.mnt != path->mnt)
746 mntput(nd->path.mnt);
748 nd->path.mnt = path->mnt;
749 nd->path.dentry = path->dentry;
753 * Helper to directly jump to a known parsed path from ->follow_link,
754 * caller must have taken a reference to path beforehand.
756 void nd_jump_link(struct path *path)
758 struct nameidata *nd = current->nameidata;
762 nd->inode = nd->path.dentry->d_inode;
763 nd->flags |= LOOKUP_JUMPED;
766 static inline void put_link(struct nameidata *nd)
768 struct saved *last = nd->stack + --nd->depth;
769 struct inode *inode = last->link.dentry->d_inode;
770 if (last->cookie && inode->i_op->put_link)
771 inode->i_op->put_link(last->link.dentry, last->cookie);
772 path_put(&last->link);
775 int sysctl_protected_symlinks __read_mostly = 0;
776 int sysctl_protected_hardlinks __read_mostly = 0;
779 * may_follow_link - Check symlink following for unsafe situations
780 * @link: The path of the symlink
781 * @nd: nameidata pathwalk data
783 * In the case of the sysctl_protected_symlinks sysctl being enabled,
784 * CAP_DAC_OVERRIDE needs to be specifically ignored if the symlink is
785 * in a sticky world-writable directory. This is to protect privileged
786 * processes from failing races against path names that may change out
787 * from under them by way of other users creating malicious symlinks.
788 * It will permit symlinks to be followed only when outside a sticky
789 * world-writable directory, or when the uid of the symlink and follower
790 * match, or when the directory owner matches the symlink's owner.
792 * Returns 0 if following the symlink is allowed, -ve on error.
794 static inline int may_follow_link(struct path *link, struct nameidata *nd)
796 const struct inode *inode;
797 const struct inode *parent;
799 if (!sysctl_protected_symlinks)
802 /* Allowed if owner and follower match. */
803 inode = link->dentry->d_inode;
804 if (uid_eq(current_cred()->fsuid, inode->i_uid))
807 /* Allowed if parent directory not sticky and world-writable. */
808 parent = nd->path.dentry->d_inode;
809 if ((parent->i_mode & (S_ISVTX|S_IWOTH)) != (S_ISVTX|S_IWOTH))
812 /* Allowed if parent directory and link owner match. */
813 if (uid_eq(parent->i_uid, inode->i_uid))
816 audit_log_link_denied("follow_link", link);
817 path_put_conditional(link, nd);
823 * safe_hardlink_source - Check for safe hardlink conditions
824 * @inode: the source inode to hardlink from
826 * Return false if at least one of the following conditions:
827 * - inode is not a regular file
829 * - inode is setgid and group-exec
830 * - access failure for read and write
832 * Otherwise returns true.
834 static bool safe_hardlink_source(struct inode *inode)
836 umode_t mode = inode->i_mode;
838 /* Special files should not get pinned to the filesystem. */
842 /* Setuid files should not get pinned to the filesystem. */
846 /* Executable setgid files should not get pinned to the filesystem. */
847 if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
850 /* Hardlinking to unreadable or unwritable sources is dangerous. */
851 if (inode_permission(inode, MAY_READ | MAY_WRITE))
858 * may_linkat - Check permissions for creating a hardlink
859 * @link: the source to hardlink from
861 * Block hardlink when all of:
862 * - sysctl_protected_hardlinks enabled
863 * - fsuid does not match inode
864 * - hardlink source is unsafe (see safe_hardlink_source() above)
867 * Returns 0 if successful, -ve on error.
869 static int may_linkat(struct path *link)
871 const struct cred *cred;
874 if (!sysctl_protected_hardlinks)
877 cred = current_cred();
878 inode = link->dentry->d_inode;
880 /* Source inode owner (or CAP_FOWNER) can hardlink all they like,
881 * otherwise, it must be a safe source.
883 if (uid_eq(cred->fsuid, inode->i_uid) || safe_hardlink_source(inode) ||
887 audit_log_link_denied("linkat", link);
891 static __always_inline
892 const char *get_link(struct nameidata *nd)
894 struct saved *last = nd->stack + nd->depth;
895 struct dentry *dentry = nd->link.dentry;
896 struct inode *inode = dentry->d_inode;
900 BUG_ON(nd->flags & LOOKUP_RCU);
902 if (nd->link.mnt == nd->path.mnt)
903 mntget(nd->link.mnt);
905 last->link = nd->link;
910 touch_atime(&last->link);
912 error = security_inode_follow_link(dentry);
913 res = ERR_PTR(error);
917 nd->last_type = LAST_BIND;
920 res = inode->i_op->follow_link(dentry, &last->cookie);
923 path_put(&last->link);
931 static int follow_up_rcu(struct path *path)
933 struct mount *mnt = real_mount(path->mnt);
934 struct mount *parent;
935 struct dentry *mountpoint;
937 parent = mnt->mnt_parent;
938 if (&parent->mnt == path->mnt)
940 mountpoint = mnt->mnt_mountpoint;
941 path->dentry = mountpoint;
942 path->mnt = &parent->mnt;
947 * follow_up - Find the mountpoint of path's vfsmount
949 * Given a path, find the mountpoint of its source file system.
950 * Replace @path with the path of the mountpoint in the parent mount.
953 * Return 1 if we went up a level and 0 if we were already at the
956 int follow_up(struct path *path)
958 struct mount *mnt = real_mount(path->mnt);
959 struct mount *parent;
960 struct dentry *mountpoint;
962 read_seqlock_excl(&mount_lock);
963 parent = mnt->mnt_parent;
965 read_sequnlock_excl(&mount_lock);
968 mntget(&parent->mnt);
969 mountpoint = dget(mnt->mnt_mountpoint);
970 read_sequnlock_excl(&mount_lock);
972 path->dentry = mountpoint;
974 path->mnt = &parent->mnt;
977 EXPORT_SYMBOL(follow_up);
980 * Perform an automount
981 * - return -EISDIR to tell follow_managed() to stop and return the path we
984 static int follow_automount(struct path *path, struct nameidata *nd,
987 struct vfsmount *mnt;
990 if (!path->dentry->d_op || !path->dentry->d_op->d_automount)
993 /* We don't want to mount if someone's just doing a stat -
994 * unless they're stat'ing a directory and appended a '/' to
997 * We do, however, want to mount if someone wants to open or
998 * create a file of any type under the mountpoint, wants to
999 * traverse through the mountpoint or wants to open the
1000 * mounted directory. Also, autofs may mark negative dentries
1001 * as being automount points. These will need the attentions
1002 * of the daemon to instantiate them before they can be used.
1004 if (!(nd->flags & (LOOKUP_PARENT | LOOKUP_DIRECTORY |
1005 LOOKUP_OPEN | LOOKUP_CREATE | LOOKUP_AUTOMOUNT)) &&
1006 path->dentry->d_inode)
1009 nd->total_link_count++;
1010 if (nd->total_link_count >= 40)
1013 mnt = path->dentry->d_op->d_automount(path);
1016 * The filesystem is allowed to return -EISDIR here to indicate
1017 * it doesn't want to automount. For instance, autofs would do
1018 * this so that its userspace daemon can mount on this dentry.
1020 * However, we can only permit this if it's a terminal point in
1021 * the path being looked up; if it wasn't then the remainder of
1022 * the path is inaccessible and we should say so.
1024 if (PTR_ERR(mnt) == -EISDIR && (nd->flags & LOOKUP_PARENT))
1026 return PTR_ERR(mnt);
1029 if (!mnt) /* mount collision */
1032 if (!*need_mntput) {
1033 /* lock_mount() may release path->mnt on error */
1035 *need_mntput = true;
1037 err = finish_automount(mnt, path);
1041 /* Someone else made a mount here whilst we were busy */
1046 path->dentry = dget(mnt->mnt_root);
1055 * Handle a dentry that is managed in some way.
1056 * - Flagged for transit management (autofs)
1057 * - Flagged as mountpoint
1058 * - Flagged as automount point
1060 * This may only be called in refwalk mode.
1062 * Serialization is taken care of in namespace.c
1064 static int follow_managed(struct path *path, struct nameidata *nd)
1066 struct vfsmount *mnt = path->mnt; /* held by caller, must be left alone */
1068 bool need_mntput = false;
1071 /* Given that we're not holding a lock here, we retain the value in a
1072 * local variable for each dentry as we look at it so that we don't see
1073 * the components of that value change under us */
1074 while (managed = ACCESS_ONCE(path->dentry->d_flags),
1075 managed &= DCACHE_MANAGED_DENTRY,
1076 unlikely(managed != 0)) {
1077 /* Allow the filesystem to manage the transit without i_mutex
1079 if (managed & DCACHE_MANAGE_TRANSIT) {
1080 BUG_ON(!path->dentry->d_op);
1081 BUG_ON(!path->dentry->d_op->d_manage);
1082 ret = path->dentry->d_op->d_manage(path->dentry, false);
1087 /* Transit to a mounted filesystem. */
1088 if (managed & DCACHE_MOUNTED) {
1089 struct vfsmount *mounted = lookup_mnt(path);
1094 path->mnt = mounted;
1095 path->dentry = dget(mounted->mnt_root);
1100 /* Something is mounted on this dentry in another
1101 * namespace and/or whatever was mounted there in this
1102 * namespace got unmounted before lookup_mnt() could
1106 /* Handle an automount point */
1107 if (managed & DCACHE_NEED_AUTOMOUNT) {
1108 ret = follow_automount(path, nd, &need_mntput);
1114 /* We didn't change the current path point */
1118 if (need_mntput && path->mnt == mnt)
1123 nd->flags |= LOOKUP_JUMPED;
1124 if (unlikely(ret < 0))
1125 path_put_conditional(path, nd);
1129 int follow_down_one(struct path *path)
1131 struct vfsmount *mounted;
1133 mounted = lookup_mnt(path);
1137 path->mnt = mounted;
1138 path->dentry = dget(mounted->mnt_root);
1143 EXPORT_SYMBOL(follow_down_one);
1145 static inline int managed_dentry_rcu(struct dentry *dentry)
1147 return (dentry->d_flags & DCACHE_MANAGE_TRANSIT) ?
1148 dentry->d_op->d_manage(dentry, true) : 0;
1152 * Try to skip to top of mountpoint pile in rcuwalk mode. Fail if
1153 * we meet a managed dentry that would need blocking.
1155 static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
1156 struct inode **inode)
1159 struct mount *mounted;
1161 * Don't forget we might have a non-mountpoint managed dentry
1162 * that wants to block transit.
1164 switch (managed_dentry_rcu(path->dentry)) {
1174 if (!d_mountpoint(path->dentry))
1175 return !(path->dentry->d_flags & DCACHE_NEED_AUTOMOUNT);
1177 mounted = __lookup_mnt(path->mnt, path->dentry);
1180 path->mnt = &mounted->mnt;
1181 path->dentry = mounted->mnt.mnt_root;
1182 nd->flags |= LOOKUP_JUMPED;
1183 nd->seq = read_seqcount_begin(&path->dentry->d_seq);
1185 * Update the inode too. We don't need to re-check the
1186 * dentry sequence number here after this d_inode read,
1187 * because a mount-point is always pinned.
1189 *inode = path->dentry->d_inode;
1191 return !read_seqretry(&mount_lock, nd->m_seq) &&
1192 !(path->dentry->d_flags & DCACHE_NEED_AUTOMOUNT);
1195 static int follow_dotdot_rcu(struct nameidata *nd)
1197 struct inode *inode = nd->inode;
1202 if (nd->path.dentry == nd->root.dentry &&
1203 nd->path.mnt == nd->root.mnt) {
1206 if (nd->path.dentry != nd->path.mnt->mnt_root) {
1207 struct dentry *old = nd->path.dentry;
1208 struct dentry *parent = old->d_parent;
1211 inode = parent->d_inode;
1212 seq = read_seqcount_begin(&parent->d_seq);
1213 if (read_seqcount_retry(&old->d_seq, nd->seq))
1215 nd->path.dentry = parent;
1219 if (!follow_up_rcu(&nd->path))
1221 inode = nd->path.dentry->d_inode;
1222 nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq);
1224 while (d_mountpoint(nd->path.dentry)) {
1225 struct mount *mounted;
1226 mounted = __lookup_mnt(nd->path.mnt, nd->path.dentry);
1229 nd->path.mnt = &mounted->mnt;
1230 nd->path.dentry = mounted->mnt.mnt_root;
1231 inode = nd->path.dentry->d_inode;
1232 nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq);
1233 if (read_seqretry(&mount_lock, nd->m_seq))
1244 * Follow down to the covering mount currently visible to userspace. At each
1245 * point, the filesystem owning that dentry may be queried as to whether the
1246 * caller is permitted to proceed or not.
1248 int follow_down(struct path *path)
1253 while (managed = ACCESS_ONCE(path->dentry->d_flags),
1254 unlikely(managed & DCACHE_MANAGED_DENTRY)) {
1255 /* Allow the filesystem to manage the transit without i_mutex
1258 * We indicate to the filesystem if someone is trying to mount
1259 * something here. This gives autofs the chance to deny anyone
1260 * other than its daemon the right to mount on its
1263 * The filesystem may sleep at this point.
1265 if (managed & DCACHE_MANAGE_TRANSIT) {
1266 BUG_ON(!path->dentry->d_op);
1267 BUG_ON(!path->dentry->d_op->d_manage);
1268 ret = path->dentry->d_op->d_manage(
1269 path->dentry, false);
1271 return ret == -EISDIR ? 0 : ret;
1274 /* Transit to a mounted filesystem. */
1275 if (managed & DCACHE_MOUNTED) {
1276 struct vfsmount *mounted = lookup_mnt(path);
1281 path->mnt = mounted;
1282 path->dentry = dget(mounted->mnt_root);
1286 /* Don't handle automount points here */
1291 EXPORT_SYMBOL(follow_down);
1294 * Skip to top of mountpoint pile in refwalk mode for follow_dotdot()
1296 static void follow_mount(struct path *path)
1298 while (d_mountpoint(path->dentry)) {
1299 struct vfsmount *mounted = lookup_mnt(path);
1304 path->mnt = mounted;
1305 path->dentry = dget(mounted->mnt_root);
1309 static void follow_dotdot(struct nameidata *nd)
1315 struct dentry *old = nd->path.dentry;
1317 if (nd->path.dentry == nd->root.dentry &&
1318 nd->path.mnt == nd->root.mnt) {
1321 if (nd->path.dentry != nd->path.mnt->mnt_root) {
1322 /* rare case of legitimate dget_parent()... */
1323 nd->path.dentry = dget_parent(nd->path.dentry);
1327 if (!follow_up(&nd->path))
1330 follow_mount(&nd->path);
1331 nd->inode = nd->path.dentry->d_inode;
1335 * This looks up the name in dcache, possibly revalidates the old dentry and
1336 * allocates a new one if not found or not valid. In the need_lookup argument
1337 * returns whether i_op->lookup is necessary.
1339 * dir->d_inode->i_mutex must be held
1341 static struct dentry *lookup_dcache(struct qstr *name, struct dentry *dir,
1342 unsigned int flags, bool *need_lookup)
1344 struct dentry *dentry;
1347 *need_lookup = false;
1348 dentry = d_lookup(dir, name);
1350 if (dentry->d_flags & DCACHE_OP_REVALIDATE) {
1351 error = d_revalidate(dentry, flags);
1352 if (unlikely(error <= 0)) {
1355 return ERR_PTR(error);
1357 d_invalidate(dentry);
1366 dentry = d_alloc(dir, name);
1367 if (unlikely(!dentry))
1368 return ERR_PTR(-ENOMEM);
1370 *need_lookup = true;
1376 * Call i_op->lookup on the dentry. The dentry must be negative and
1379 * dir->d_inode->i_mutex must be held
1381 static struct dentry *lookup_real(struct inode *dir, struct dentry *dentry,
1386 /* Don't create child dentry for a dead directory. */
1387 if (unlikely(IS_DEADDIR(dir))) {
1389 return ERR_PTR(-ENOENT);
1392 old = dir->i_op->lookup(dir, dentry, flags);
1393 if (unlikely(old)) {
1400 static struct dentry *__lookup_hash(struct qstr *name,
1401 struct dentry *base, unsigned int flags)
1404 struct dentry *dentry;
1406 dentry = lookup_dcache(name, base, flags, &need_lookup);
1410 return lookup_real(base->d_inode, dentry, flags);
1414 * It's more convoluted than I'd like it to be, but... it's still fairly
1415 * small and for now I'd prefer to have fast path as straight as possible.
1416 * It _is_ time-critical.
1418 static int lookup_fast(struct nameidata *nd,
1419 struct path *path, struct inode **inode)
1421 struct vfsmount *mnt = nd->path.mnt;
1422 struct dentry *dentry, *parent = nd->path.dentry;
1428 * Rename seqlock is not required here because in the off chance
1429 * of a false negative due to a concurrent rename, we're going to
1430 * do the non-racy lookup, below.
1432 if (nd->flags & LOOKUP_RCU) {
1435 dentry = __d_lookup_rcu(parent, &nd->last, &seq);
1440 * This sequence count validates that the inode matches
1441 * the dentry name information from lookup.
1443 *inode = dentry->d_inode;
1444 negative = d_is_negative(dentry);
1445 if (read_seqcount_retry(&dentry->d_seq, seq))
1451 * This sequence count validates that the parent had no
1452 * changes while we did the lookup of the dentry above.
1454 * The memory barrier in read_seqcount_begin of child is
1455 * enough, we can use __read_seqcount_retry here.
1457 if (__read_seqcount_retry(&parent->d_seq, nd->seq))
1461 if (unlikely(dentry->d_flags & DCACHE_OP_REVALIDATE)) {
1462 status = d_revalidate(dentry, nd->flags);
1463 if (unlikely(status <= 0)) {
1464 if (status != -ECHILD)
1470 path->dentry = dentry;
1471 if (likely(__follow_mount_rcu(nd, path, inode)))
1474 if (unlazy_walk(nd, dentry))
1477 dentry = __d_lookup(parent, &nd->last);
1480 if (unlikely(!dentry))
1483 if (unlikely(dentry->d_flags & DCACHE_OP_REVALIDATE) && need_reval)
1484 status = d_revalidate(dentry, nd->flags);
1485 if (unlikely(status <= 0)) {
1490 d_invalidate(dentry);
1495 if (unlikely(d_is_negative(dentry))) {
1500 path->dentry = dentry;
1501 err = follow_managed(path, nd);
1503 *inode = path->dentry->d_inode;
1510 /* Fast lookup failed, do it the slow way */
1511 static int lookup_slow(struct nameidata *nd, struct path *path)
1513 struct dentry *dentry, *parent;
1515 parent = nd->path.dentry;
1516 BUG_ON(nd->inode != parent->d_inode);
1518 mutex_lock(&parent->d_inode->i_mutex);
1519 dentry = __lookup_hash(&nd->last, parent, nd->flags);
1520 mutex_unlock(&parent->d_inode->i_mutex);
1522 return PTR_ERR(dentry);
1523 path->mnt = nd->path.mnt;
1524 path->dentry = dentry;
1525 return follow_managed(path, nd);
1528 static inline int may_lookup(struct nameidata *nd)
1530 if (nd->flags & LOOKUP_RCU) {
1531 int err = inode_permission(nd->inode, MAY_EXEC|MAY_NOT_BLOCK);
1534 if (unlazy_walk(nd, NULL))
1537 return inode_permission(nd->inode, MAY_EXEC);
1540 static inline int handle_dots(struct nameidata *nd, int type)
1542 if (type == LAST_DOTDOT) {
1543 if (nd->flags & LOOKUP_RCU) {
1544 return follow_dotdot_rcu(nd);
1551 static void terminate_walk(struct nameidata *nd)
1553 if (!(nd->flags & LOOKUP_RCU)) {
1554 path_put(&nd->path);
1556 nd->flags &= ~LOOKUP_RCU;
1557 if (!(nd->flags & LOOKUP_ROOT))
1558 nd->root.mnt = NULL;
1561 while (unlikely(nd->depth))
1565 static int pick_link(struct nameidata *nd, struct path *link)
1568 if (unlikely(nd->total_link_count++ >= MAXSYMLINKS)) {
1569 path_to_nameidata(link, nd);
1572 if (nd->flags & LOOKUP_RCU) {
1573 if (unlikely(nd->path.mnt != link->mnt ||
1574 unlazy_walk(nd, link->dentry))) {
1578 error = nd_alloc_stack(nd);
1579 if (unlikely(error)) {
1580 path_to_nameidata(link, nd);
1589 * Do we need to follow links? We _really_ want to be able
1590 * to do this check without having to look at inode->i_op,
1591 * so we keep a cache of "no, this doesn't need follow_link"
1592 * for the common case.
1594 static inline int should_follow_link(struct nameidata *nd, struct path *link, int follow)
1596 if (likely(!d_is_symlink(link->dentry)))
1600 return pick_link(nd, link);
1603 enum {WALK_GET = 1, WALK_PUT = 2};
1605 static int walk_component(struct nameidata *nd, int flags)
1608 struct inode *inode;
1611 * "." and ".." are special - ".." especially so because it has
1612 * to be able to know about the current root directory and
1613 * parent relationships.
1615 if (unlikely(nd->last_type != LAST_NORM)) {
1616 err = handle_dots(nd, nd->last_type);
1617 if (flags & WALK_PUT)
1621 err = lookup_fast(nd, &path, &inode);
1622 if (unlikely(err)) {
1626 err = lookup_slow(nd, &path);
1630 inode = path.dentry->d_inode;
1632 if (d_is_negative(path.dentry))
1636 if (flags & WALK_PUT)
1638 err = should_follow_link(nd, &path, flags & WALK_GET);
1641 path_to_nameidata(&path, nd);
1646 path_to_nameidata(&path, nd);
1651 * We can do the critical dentry name comparison and hashing
1652 * operations one word at a time, but we are limited to:
1654 * - Architectures with fast unaligned word accesses. We could
1655 * do a "get_unaligned()" if this helps and is sufficiently
1658 * - non-CONFIG_DEBUG_PAGEALLOC configurations (so that we
1659 * do not trap on the (extremely unlikely) case of a page
1660 * crossing operation.
1662 * - Furthermore, we need an efficient 64-bit compile for the
1663 * 64-bit case in order to generate the "number of bytes in
1664 * the final mask". Again, that could be replaced with a
1665 * efficient population count instruction or similar.
1667 #ifdef CONFIG_DCACHE_WORD_ACCESS
1669 #include <asm/word-at-a-time.h>
1673 static inline unsigned int fold_hash(unsigned long hash)
1675 return hash_64(hash, 32);
1678 #else /* 32-bit case */
1680 #define fold_hash(x) (x)
1684 unsigned int full_name_hash(const unsigned char *name, unsigned int len)
1686 unsigned long a, mask;
1687 unsigned long hash = 0;
1690 a = load_unaligned_zeropad(name);
1691 if (len < sizeof(unsigned long))
1695 name += sizeof(unsigned long);
1696 len -= sizeof(unsigned long);
1700 mask = bytemask_from_count(len);
1703 return fold_hash(hash);
1705 EXPORT_SYMBOL(full_name_hash);
1708 * Calculate the length and hash of the path component, and
1709 * return the "hash_len" as the result.
1711 static inline u64 hash_name(const char *name)
1713 unsigned long a, b, adata, bdata, mask, hash, len;
1714 const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
1717 len = -sizeof(unsigned long);
1719 hash = (hash + a) * 9;
1720 len += sizeof(unsigned long);
1721 a = load_unaligned_zeropad(name+len);
1722 b = a ^ REPEAT_BYTE('/');
1723 } while (!(has_zero(a, &adata, &constants) | has_zero(b, &bdata, &constants)));
1725 adata = prep_zero_mask(a, adata, &constants);
1726 bdata = prep_zero_mask(b, bdata, &constants);
1728 mask = create_zero_mask(adata | bdata);
1730 hash += a & zero_bytemask(mask);
1731 len += find_zero(mask);
1732 return hashlen_create(fold_hash(hash), len);
1737 unsigned int full_name_hash(const unsigned char *name, unsigned int len)
1739 unsigned long hash = init_name_hash();
1741 hash = partial_name_hash(*name++, hash);
1742 return end_name_hash(hash);
1744 EXPORT_SYMBOL(full_name_hash);
1747 * We know there's a real path component here of at least
1750 static inline u64 hash_name(const char *name)
1752 unsigned long hash = init_name_hash();
1753 unsigned long len = 0, c;
1755 c = (unsigned char)*name;
1758 hash = partial_name_hash(c, hash);
1759 c = (unsigned char)name[len];
1760 } while (c && c != '/');
1761 return hashlen_create(end_name_hash(hash), len);
1768 * This is the basic name resolution function, turning a pathname into
1769 * the final dentry. We expect 'base' to be positive and a directory.
1771 * Returns 0 and nd will have valid dentry and mnt on success.
1772 * Returns error and drops reference to input namei data on failure.
1774 static int link_path_walk(const char *name, struct nameidata *nd)
1783 /* At this point we know we have a real path component. */
1788 err = may_lookup(nd);
1792 hash_len = hash_name(name);
1795 if (name[0] == '.') switch (hashlen_len(hash_len)) {
1797 if (name[1] == '.') {
1799 nd->flags |= LOOKUP_JUMPED;
1805 if (likely(type == LAST_NORM)) {
1806 struct dentry *parent = nd->path.dentry;
1807 nd->flags &= ~LOOKUP_JUMPED;
1808 if (unlikely(parent->d_flags & DCACHE_OP_HASH)) {
1809 struct qstr this = { { .hash_len = hash_len }, .name = name };
1810 err = parent->d_op->d_hash(parent, &this);
1813 hash_len = this.hash_len;
1818 nd->last.hash_len = hash_len;
1819 nd->last.name = name;
1820 nd->last_type = type;
1822 name += hashlen_len(hash_len);
1826 * If it wasn't NUL, we know it was '/'. Skip that
1827 * slash, and continue until no more slashes.
1831 } while (unlikely(*name == '/'));
1832 if (unlikely(!*name)) {
1834 /* called from path_init(), done */
1837 name = nd->stack[nd->depth - 1].name;
1838 /* called from trailing_symlink(), done */
1841 /* last component of nested symlink */
1842 err = walk_component(nd, WALK_GET | WALK_PUT);
1844 err = walk_component(nd, WALK_GET);
1850 const char *s = get_link(nd);
1852 if (unlikely(IS_ERR(s))) {
1864 path_put(&nd->path);
1865 nd->path = nd->root;
1866 path_get(&nd->root);
1867 nd->flags |= LOOKUP_JUMPED;
1868 while (unlikely(*++s == '/'))
1871 nd->inode = nd->path.dentry->d_inode;
1872 nd->stack[nd->depth - 1].name = name;
1879 if (!d_can_lookup(nd->path.dentry)) {
1888 static int path_init(int dfd, const struct filename *name, unsigned int flags,
1889 struct nameidata *nd)
1892 const char *s = name->name;
1894 nd->last_type = LAST_ROOT; /* if there are only slashes... */
1895 nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;
1898 if (flags & LOOKUP_ROOT) {
1899 struct dentry *root = nd->root.dentry;
1900 struct inode *inode = root->d_inode;
1902 if (!d_can_lookup(root))
1904 retval = inode_permission(inode, MAY_EXEC);
1908 nd->path = nd->root;
1910 if (flags & LOOKUP_RCU) {
1912 nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
1913 nd->m_seq = read_seqbegin(&mount_lock);
1915 path_get(&nd->path);
1920 nd->root.mnt = NULL;
1922 nd->m_seq = read_seqbegin(&mount_lock);
1924 if (flags & LOOKUP_RCU) {
1926 nd->seq = set_root_rcu(nd);
1929 path_get(&nd->root);
1931 nd->path = nd->root;
1932 } else if (dfd == AT_FDCWD) {
1933 if (flags & LOOKUP_RCU) {
1934 struct fs_struct *fs = current->fs;
1940 seq = read_seqcount_begin(&fs->seq);
1942 nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
1943 } while (read_seqcount_retry(&fs->seq, seq));
1945 get_fs_pwd(current->fs, &nd->path);
1948 /* Caller must check execute permissions on the starting path component */
1949 struct fd f = fdget_raw(dfd);
1950 struct dentry *dentry;
1955 dentry = f.file->f_path.dentry;
1958 if (!d_can_lookup(dentry)) {
1964 nd->path = f.file->f_path;
1965 if (flags & LOOKUP_RCU) {
1966 if (f.flags & FDPUT_FPUT)
1968 nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
1971 path_get(&nd->path);
1976 nd->inode = nd->path.dentry->d_inode;
1977 if (!(flags & LOOKUP_RCU))
1979 if (likely(!read_seqcount_retry(&nd->path.dentry->d_seq, nd->seq)))
1981 if (!(nd->flags & LOOKUP_ROOT))
1982 nd->root.mnt = NULL;
1986 nd->total_link_count = 0;
1987 return link_path_walk(s, nd);
1990 static void path_cleanup(struct nameidata *nd)
1992 if (nd->root.mnt && !(nd->flags & LOOKUP_ROOT)) {
1993 path_put(&nd->root);
1994 nd->root.mnt = NULL;
1996 if (unlikely(nd->base))
2000 static int trailing_symlink(struct nameidata *nd)
2003 int error = may_follow_link(&nd->link, nd);
2004 if (unlikely(error))
2006 nd->flags |= LOOKUP_PARENT;
2008 if (unlikely(IS_ERR(s))) {
2017 path_put(&nd->path);
2018 nd->path = nd->root;
2019 path_get(&nd->root);
2020 nd->flags |= LOOKUP_JUMPED;
2022 nd->inode = nd->path.dentry->d_inode;
2023 nd->stack[0].name = NULL;
2024 return link_path_walk(s, nd);
2027 static inline int lookup_last(struct nameidata *nd)
2030 if (nd->last_type == LAST_NORM && nd->last.name[nd->last.len])
2031 nd->flags |= LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
2033 nd->flags &= ~LOOKUP_PARENT;
2034 err = walk_component(nd,
2035 nd->flags & LOOKUP_FOLLOW
2037 ? WALK_PUT | WALK_GET
2045 /* Returns 0 and nd will be valid on success; Retuns error, otherwise. */
2046 static int path_lookupat(int dfd, const struct filename *name,
2047 unsigned int flags, struct nameidata *nd)
2052 * Path walking is largely split up into 2 different synchronisation
2053 * schemes, rcu-walk and ref-walk (explained in
2054 * Documentation/filesystems/path-lookup.txt). These share much of the
2055 * path walk code, but some things particularly setup, cleanup, and
2056 * following mounts are sufficiently divergent that functions are
2057 * duplicated. Typically there is a function foo(), and its RCU
2058 * analogue, foo_rcu().
2060 * -ECHILD is the error number of choice (just to avoid clashes) that
2061 * is returned if some aspect of an rcu-walk fails. Such an error must
2062 * be handled by restarting a traditional ref-walk (which will always
2063 * be able to complete).
2065 err = path_init(dfd, name, flags, nd);
2066 if (!err && !(flags & LOOKUP_PARENT)) {
2067 while ((err = lookup_last(nd)) > 0) {
2068 err = trailing_symlink(nd);
2075 err = complete_walk(nd);
2077 if (!err && nd->flags & LOOKUP_DIRECTORY) {
2078 if (!d_can_lookup(nd->path.dentry)) {
2079 path_put(&nd->path);
2088 static int filename_lookup(int dfd, struct filename *name,
2089 unsigned int flags, struct nameidata *nd)
2092 struct nameidata *saved_nd = set_nameidata(nd);
2094 retval = path_lookupat(dfd, name, flags | LOOKUP_RCU, nd);
2095 if (unlikely(retval == -ECHILD))
2096 retval = path_lookupat(dfd, name, flags, nd);
2097 if (unlikely(retval == -ESTALE))
2098 retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
2100 if (likely(!retval))
2101 audit_inode(name, nd->path.dentry, flags & LOOKUP_PARENT);
2102 restore_nameidata(saved_nd);
2106 /* does lookup, returns the object with parent locked */
2107 struct dentry *kern_path_locked(const char *name, struct path *path)
2109 struct filename *filename = getname_kernel(name);
2110 struct nameidata nd;
2114 if (IS_ERR(filename))
2115 return ERR_CAST(filename);
2117 err = filename_lookup(AT_FDCWD, filename, LOOKUP_PARENT, &nd);
2122 if (nd.last_type != LAST_NORM) {
2124 d = ERR_PTR(-EINVAL);
2127 mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
2128 d = __lookup_hash(&nd.last, nd.path.dentry, 0);
2130 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
2140 int kern_path(const char *name, unsigned int flags, struct path *path)
2142 struct nameidata nd;
2143 struct filename *filename = getname_kernel(name);
2144 int res = PTR_ERR(filename);
2146 if (!IS_ERR(filename)) {
2147 res = filename_lookup(AT_FDCWD, filename, flags, &nd);
2154 EXPORT_SYMBOL(kern_path);
2157 * vfs_path_lookup - lookup a file path relative to a dentry-vfsmount pair
2158 * @dentry: pointer to dentry of the base directory
2159 * @mnt: pointer to vfs mount of the base directory
2160 * @name: pointer to file name
2161 * @flags: lookup flags
2162 * @path: pointer to struct path to fill
2164 int vfs_path_lookup(struct dentry *dentry, struct vfsmount *mnt,
2165 const char *name, unsigned int flags,
2168 struct filename *filename = getname_kernel(name);
2169 int err = PTR_ERR(filename);
2171 BUG_ON(flags & LOOKUP_PARENT);
2173 /* the first argument of filename_lookup() is ignored with LOOKUP_ROOT */
2174 if (!IS_ERR(filename)) {
2175 struct nameidata nd;
2176 nd.root.dentry = dentry;
2178 err = filename_lookup(AT_FDCWD, filename,
2179 flags | LOOKUP_ROOT, &nd);
2186 EXPORT_SYMBOL(vfs_path_lookup);
2189 * lookup_one_len - filesystem helper to lookup single pathname component
2190 * @name: pathname component to lookup
2191 * @base: base directory to lookup from
2192 * @len: maximum length @len should be interpreted to
2194 * Note that this routine is purely a helper for filesystem usage and should
2195 * not be called by generic code.
2197 struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
2203 WARN_ON_ONCE(!mutex_is_locked(&base->d_inode->i_mutex));
2207 this.hash = full_name_hash(name, len);
2209 return ERR_PTR(-EACCES);
2211 if (unlikely(name[0] == '.')) {
2212 if (len < 2 || (len == 2 && name[1] == '.'))
2213 return ERR_PTR(-EACCES);
2217 c = *(const unsigned char *)name++;
2218 if (c == '/' || c == '\0')
2219 return ERR_PTR(-EACCES);
2222 * See if the low-level filesystem might want
2223 * to use its own hash..
2225 if (base->d_flags & DCACHE_OP_HASH) {
2226 int err = base->d_op->d_hash(base, &this);
2228 return ERR_PTR(err);
2231 err = inode_permission(base->d_inode, MAY_EXEC);
2233 return ERR_PTR(err);
2235 return __lookup_hash(&this, base, 0);
2237 EXPORT_SYMBOL(lookup_one_len);
2239 int user_path_at_empty(int dfd, const char __user *name, unsigned flags,
2240 struct path *path, int *empty)
2242 struct nameidata nd;
2243 struct filename *tmp = getname_flags(name, flags, empty);
2244 int err = PTR_ERR(tmp);
2247 BUG_ON(flags & LOOKUP_PARENT);
2249 err = filename_lookup(dfd, tmp, flags, &nd);
2257 int user_path_at(int dfd, const char __user *name, unsigned flags,
2260 return user_path_at_empty(dfd, name, flags, path, NULL);
2262 EXPORT_SYMBOL(user_path_at);
2265 * NB: most callers don't do anything directly with the reference to the
2266 * to struct filename, but the nd->last pointer points into the name string
2267 * allocated by getname. So we must hold the reference to it until all
2268 * path-walking is complete.
2270 static struct filename *
2271 user_path_parent(int dfd, const char __user *path,
2272 struct path *parent,
2277 struct nameidata nd;
2278 struct filename *s = getname(path);
2281 /* only LOOKUP_REVAL is allowed in extra flags */
2282 flags &= LOOKUP_REVAL;
2287 error = filename_lookup(dfd, s, flags | LOOKUP_PARENT, &nd);
2290 return ERR_PTR(error);
2294 *type = nd.last_type;
2300 * mountpoint_last - look up last component for umount
2301 * @nd: pathwalk nameidata - currently pointing at parent directory of "last"
2302 * @path: pointer to container for result
2304 * This is a special lookup_last function just for umount. In this case, we
2305 * need to resolve the path without doing any revalidation.
2307 * The nameidata should be the result of doing a LOOKUP_PARENT pathwalk. Since
2308 * mountpoints are always pinned in the dcache, their ancestors are too. Thus,
2309 * in almost all cases, this lookup will be served out of the dcache. The only
2310 * cases where it won't are if nd->last refers to a symlink or the path is
2311 * bogus and it doesn't exist.
2314 * -error: if there was an error during lookup. This includes -ENOENT if the
2315 * lookup found a negative dentry. The nd->path reference will also be
2318 * 0: if we successfully resolved nd->path and found it to not to be a
2319 * symlink that needs to be followed. "path" will also be populated.
2320 * The nd->path reference will also be put.
2322 * 1: if we successfully resolved nd->last and found it to be a symlink
2323 * that needs to be followed. "path" will be populated with the path
2324 * to the link, and nd->path will *not* be put.
2327 mountpoint_last(struct nameidata *nd, struct path *path)
2330 struct dentry *dentry;
2331 struct dentry *dir = nd->path.dentry;
2333 /* If we're in rcuwalk, drop out of it to handle last component */
2334 if (nd->flags & LOOKUP_RCU) {
2335 if (unlazy_walk(nd, NULL)) {
2341 nd->flags &= ~LOOKUP_PARENT;
2343 if (unlikely(nd->last_type != LAST_NORM)) {
2344 error = handle_dots(nd, nd->last_type);
2347 dentry = dget(nd->path.dentry);
2351 mutex_lock(&dir->d_inode->i_mutex);
2352 dentry = d_lookup(dir, &nd->last);
2355 * No cached dentry. Mounted dentries are pinned in the cache,
2356 * so that means that this dentry is probably a symlink or the
2357 * path doesn't actually point to a mounted dentry.
2359 dentry = d_alloc(dir, &nd->last);
2362 mutex_unlock(&dir->d_inode->i_mutex);
2365 dentry = lookup_real(dir->d_inode, dentry, nd->flags);
2366 error = PTR_ERR(dentry);
2367 if (IS_ERR(dentry)) {
2368 mutex_unlock(&dir->d_inode->i_mutex);
2372 mutex_unlock(&dir->d_inode->i_mutex);
2375 if (d_is_negative(dentry)) {
2382 path->dentry = dentry;
2383 path->mnt = nd->path.mnt;
2384 error = should_follow_link(nd, path, nd->flags & LOOKUP_FOLLOW);
2385 if (unlikely(error)) {
2399 * path_mountpoint - look up a path to be umounted
2400 * @dfd: directory file descriptor to start walk from
2401 * @name: full pathname to walk
2402 * @path: pointer to container for result
2403 * @flags: lookup flags
2405 * Look up the given name, but don't attempt to revalidate the last component.
2406 * Returns 0 and "path" will be valid on success; Returns error otherwise.
2409 path_mountpoint(int dfd, const struct filename *name, struct path *path,
2410 struct nameidata *nd, unsigned int flags)
2412 int err = path_init(dfd, name, flags, nd);
2416 while ((err = mountpoint_last(nd, path)) > 0) {
2417 err = trailing_symlink(nd);
2427 filename_mountpoint(int dfd, struct filename *name, struct path *path,
2430 struct nameidata nd, *saved;
2433 return PTR_ERR(name);
2434 saved = set_nameidata(&nd);
2435 error = path_mountpoint(dfd, name, path, &nd, flags | LOOKUP_RCU);
2436 if (unlikely(error == -ECHILD))
2437 error = path_mountpoint(dfd, name, path, &nd, flags);
2438 if (unlikely(error == -ESTALE))
2439 error = path_mountpoint(dfd, name, path, &nd, flags | LOOKUP_REVAL);
2441 audit_inode(name, path->dentry, 0);
2442 restore_nameidata(saved);
2448 * user_path_mountpoint_at - lookup a path from userland in order to umount it
2449 * @dfd: directory file descriptor
2450 * @name: pathname from userland
2451 * @flags: lookup flags
2452 * @path: pointer to container to hold result
2454 * A umount is a special case for path walking. We're not actually interested
2455 * in the inode in this situation, and ESTALE errors can be a problem. We
2456 * simply want track down the dentry and vfsmount attached at the mountpoint
2457 * and avoid revalidating the last component.
2459 * Returns 0 and populates "path" on success.
2462 user_path_mountpoint_at(int dfd, const char __user *name, unsigned int flags,
2465 return filename_mountpoint(dfd, getname(name), path, flags);
2469 kern_path_mountpoint(int dfd, const char *name, struct path *path,
2472 return filename_mountpoint(dfd, getname_kernel(name), path, flags);
2474 EXPORT_SYMBOL(kern_path_mountpoint);
2476 int __check_sticky(struct inode *dir, struct inode *inode)
2478 kuid_t fsuid = current_fsuid();
2480 if (uid_eq(inode->i_uid, fsuid))
2482 if (uid_eq(dir->i_uid, fsuid))
2484 return !capable_wrt_inode_uidgid(inode, CAP_FOWNER);
2486 EXPORT_SYMBOL(__check_sticky);
2489 * Check whether we can remove a link victim from directory dir, check
2490 * whether the type of victim is right.
2491 * 1. We can't do it if dir is read-only (done in permission())
2492 * 2. We should have write and exec permissions on dir
2493 * 3. We can't remove anything from append-only dir
2494 * 4. We can't do anything with immutable dir (done in permission())
2495 * 5. If the sticky bit on dir is set we should either
2496 * a. be owner of dir, or
2497 * b. be owner of victim, or
2498 * c. have CAP_FOWNER capability
2499 * 6. If the victim is append-only or immutable we can't do antyhing with
2500 * links pointing to it.
2501 * 7. If we were asked to remove a directory and victim isn't one - ENOTDIR.
2502 * 8. If we were asked to remove a non-directory and victim isn't one - EISDIR.
2503 * 9. We can't remove a root or mountpoint.
2504 * 10. We don't allow removal of NFS sillyrenamed files; it's handled by
2505 * nfs_async_unlink().
2507 static int may_delete(struct inode *dir, struct dentry *victim, bool isdir)
2509 struct inode *inode = victim->d_inode;
2512 if (d_is_negative(victim))
2516 BUG_ON(victim->d_parent->d_inode != dir);
2517 audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE);
2519 error = inode_permission(dir, MAY_WRITE | MAY_EXEC);
2525 if (check_sticky(dir, inode) || IS_APPEND(inode) ||
2526 IS_IMMUTABLE(inode) || IS_SWAPFILE(inode))
2529 if (!d_is_dir(victim))
2531 if (IS_ROOT(victim))
2533 } else if (d_is_dir(victim))
2535 if (IS_DEADDIR(dir))
2537 if (victim->d_flags & DCACHE_NFSFS_RENAMED)
2542 /* Check whether we can create an object with dentry child in directory
2544 * 1. We can't do it if child already exists (open has special treatment for
2545 * this case, but since we are inlined it's OK)
2546 * 2. We can't do it if dir is read-only (done in permission())
2547 * 3. We should have write and exec permissions on dir
2548 * 4. We can't do it if dir is immutable (done in permission())
2550 static inline int may_create(struct inode *dir, struct dentry *child)
2552 audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE);
2555 if (IS_DEADDIR(dir))
2557 return inode_permission(dir, MAY_WRITE | MAY_EXEC);
2561 * p1 and p2 should be directories on the same fs.
2563 struct dentry *lock_rename(struct dentry *p1, struct dentry *p2)
2568 mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_PARENT);
2572 mutex_lock(&p1->d_inode->i_sb->s_vfs_rename_mutex);
2574 p = d_ancestor(p2, p1);
2576 mutex_lock_nested(&p2->d_inode->i_mutex, I_MUTEX_PARENT);
2577 mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_CHILD);
2581 p = d_ancestor(p1, p2);
2583 mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_PARENT);
2584 mutex_lock_nested(&p2->d_inode->i_mutex, I_MUTEX_CHILD);
2588 mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_PARENT);
2589 mutex_lock_nested(&p2->d_inode->i_mutex, I_MUTEX_PARENT2);
2592 EXPORT_SYMBOL(lock_rename);
2594 void unlock_rename(struct dentry *p1, struct dentry *p2)
2596 mutex_unlock(&p1->d_inode->i_mutex);
2598 mutex_unlock(&p2->d_inode->i_mutex);
2599 mutex_unlock(&p1->d_inode->i_sb->s_vfs_rename_mutex);
2602 EXPORT_SYMBOL(unlock_rename);
2604 int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode,
2607 int error = may_create(dir, dentry);
2611 if (!dir->i_op->create)
2612 return -EACCES; /* shouldn't it be ENOSYS? */
2615 error = security_inode_create(dir, dentry, mode);
2618 error = dir->i_op->create(dir, dentry, mode, want_excl);
2620 fsnotify_create(dir, dentry);
2623 EXPORT_SYMBOL(vfs_create);
2625 static int may_open(struct path *path, int acc_mode, int flag)
2627 struct dentry *dentry = path->dentry;
2628 struct inode *inode = dentry->d_inode;
2638 switch (inode->i_mode & S_IFMT) {
2642 if (acc_mode & MAY_WRITE)
2647 if (path->mnt->mnt_flags & MNT_NODEV)
2656 error = inode_permission(inode, acc_mode);
2661 * An append-only file must be opened in append mode for writing.
2663 if (IS_APPEND(inode)) {
2664 if ((flag & O_ACCMODE) != O_RDONLY && !(flag & O_APPEND))
2670 /* O_NOATIME can only be set by the owner or superuser */
2671 if (flag & O_NOATIME && !inode_owner_or_capable(inode))
2677 static int handle_truncate(struct file *filp)
2679 struct path *path = &filp->f_path;
2680 struct inode *inode = path->dentry->d_inode;
2681 int error = get_write_access(inode);
2685 * Refuse to truncate files with mandatory locks held on them.
2687 error = locks_verify_locked(filp);
2689 error = security_path_truncate(path);
2691 error = do_truncate(path->dentry, 0,
2692 ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,
2695 put_write_access(inode);
2699 static inline int open_to_namei_flags(int flag)
2701 if ((flag & O_ACCMODE) == 3)
2706 static int may_o_create(struct path *dir, struct dentry *dentry, umode_t mode)
2708 int error = security_path_mknod(dir, dentry, mode, 0);
2712 error = inode_permission(dir->dentry->d_inode, MAY_WRITE | MAY_EXEC);
2716 return security_inode_create(dir->dentry->d_inode, dentry, mode);
2720 * Attempt to atomically look up, create and open a file from a negative
2723 * Returns 0 if successful. The file will have been created and attached to
2724 * @file by the filesystem calling finish_open().
2726 * Returns 1 if the file was looked up only or didn't need creating. The
2727 * caller will need to perform the open themselves. @path will have been
2728 * updated to point to the new dentry. This may be negative.
2730 * Returns an error code otherwise.
2732 static int atomic_open(struct nameidata *nd, struct dentry *dentry,
2733 struct path *path, struct file *file,
2734 const struct open_flags *op,
2735 bool got_write, bool need_lookup,
2738 struct inode *dir = nd->path.dentry->d_inode;
2739 unsigned open_flag = open_to_namei_flags(op->open_flag);
2743 int create_error = 0;
2744 struct dentry *const DENTRY_NOT_SET = (void *) -1UL;
2747 BUG_ON(dentry->d_inode);
2749 /* Don't create child dentry for a dead directory. */
2750 if (unlikely(IS_DEADDIR(dir))) {
2756 if ((open_flag & O_CREAT) && !IS_POSIXACL(dir))
2757 mode &= ~current_umask();
2759 excl = (open_flag & (O_EXCL | O_CREAT)) == (O_EXCL | O_CREAT);
2761 open_flag &= ~O_TRUNC;
2764 * Checking write permission is tricky, bacuse we don't know if we are
2765 * going to actually need it: O_CREAT opens should work as long as the
2766 * file exists. But checking existence breaks atomicity. The trick is
2767 * to check access and if not granted clear O_CREAT from the flags.
2769 * Another problem is returing the "right" error value (e.g. for an
2770 * O_EXCL open we want to return EEXIST not EROFS).
2772 if (((open_flag & (O_CREAT | O_TRUNC)) ||
2773 (open_flag & O_ACCMODE) != O_RDONLY) && unlikely(!got_write)) {
2774 if (!(open_flag & O_CREAT)) {
2776 * No O_CREATE -> atomicity not a requirement -> fall
2777 * back to lookup + open
2780 } else if (open_flag & (O_EXCL | O_TRUNC)) {
2781 /* Fall back and fail with the right error */
2782 create_error = -EROFS;
2785 /* No side effects, safe to clear O_CREAT */
2786 create_error = -EROFS;
2787 open_flag &= ~O_CREAT;
2791 if (open_flag & O_CREAT) {
2792 error = may_o_create(&nd->path, dentry, mode);
2794 create_error = error;
2795 if (open_flag & O_EXCL)
2797 open_flag &= ~O_CREAT;
2801 if (nd->flags & LOOKUP_DIRECTORY)
2802 open_flag |= O_DIRECTORY;
2804 file->f_path.dentry = DENTRY_NOT_SET;
2805 file->f_path.mnt = nd->path.mnt;
2806 error = dir->i_op->atomic_open(dir, dentry, file, open_flag, mode,
2809 if (create_error && error == -ENOENT)
2810 error = create_error;
2814 if (error) { /* returned 1, that is */
2815 if (WARN_ON(file->f_path.dentry == DENTRY_NOT_SET)) {
2819 if (file->f_path.dentry) {
2821 dentry = file->f_path.dentry;
2823 if (*opened & FILE_CREATED)
2824 fsnotify_create(dir, dentry);
2825 if (!dentry->d_inode) {
2826 WARN_ON(*opened & FILE_CREATED);
2828 error = create_error;
2832 if (excl && !(*opened & FILE_CREATED)) {
2841 * We didn't have the inode before the open, so check open permission
2844 acc_mode = op->acc_mode;
2845 if (*opened & FILE_CREATED) {
2846 WARN_ON(!(open_flag & O_CREAT));
2847 fsnotify_create(dir, dentry);
2848 acc_mode = MAY_OPEN;
2850 error = may_open(&file->f_path, acc_mode, open_flag);
2860 dentry = lookup_real(dir, dentry, nd->flags);
2862 return PTR_ERR(dentry);
2865 int open_flag = op->open_flag;
2867 error = create_error;
2868 if ((open_flag & O_EXCL)) {
2869 if (!dentry->d_inode)
2871 } else if (!dentry->d_inode) {
2873 } else if ((open_flag & O_TRUNC) &&
2877 /* will fail later, go on to get the right error */
2881 path->dentry = dentry;
2882 path->mnt = nd->path.mnt;
2887 * Look up and maybe create and open the last component.
2889 * Must be called with i_mutex held on parent.
2891 * Returns 0 if the file was successfully atomically created (if necessary) and
2892 * opened. In this case the file will be returned attached to @file.
2894 * Returns 1 if the file was not completely opened at this time, though lookups
2895 * and creations will have been performed and the dentry returned in @path will
2896 * be positive upon return if O_CREAT was specified. If O_CREAT wasn't
2897 * specified then a negative dentry may be returned.
2899 * An error code is returned otherwise.
2901 * FILE_CREATE will be set in @*opened if the dentry was created and will be
2902 * cleared otherwise prior to returning.
2904 static int lookup_open(struct nameidata *nd, struct path *path,
2906 const struct open_flags *op,
2907 bool got_write, int *opened)
2909 struct dentry *dir = nd->path.dentry;
2910 struct inode *dir_inode = dir->d_inode;
2911 struct dentry *dentry;
2915 *opened &= ~FILE_CREATED;
2916 dentry = lookup_dcache(&nd->last, dir, nd->flags, &need_lookup);
2918 return PTR_ERR(dentry);
2920 /* Cached positive dentry: will open in f_op->open */
2921 if (!need_lookup && dentry->d_inode)
2924 if ((nd->flags & LOOKUP_OPEN) && dir_inode->i_op->atomic_open) {
2925 return atomic_open(nd, dentry, path, file, op, got_write,
2926 need_lookup, opened);
2930 BUG_ON(dentry->d_inode);
2932 dentry = lookup_real(dir_inode, dentry, nd->flags);
2934 return PTR_ERR(dentry);
2937 /* Negative dentry, just create the file */
2938 if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
2939 umode_t mode = op->mode;
2940 if (!IS_POSIXACL(dir->d_inode))
2941 mode &= ~current_umask();
2943 * This write is needed to ensure that a
2944 * rw->ro transition does not occur between
2945 * the time when the file is created and when
2946 * a permanent write count is taken through
2947 * the 'struct file' in finish_open().
2953 *opened |= FILE_CREATED;
2954 error = security_path_mknod(&nd->path, dentry, mode, 0);
2957 error = vfs_create(dir->d_inode, dentry, mode,
2958 nd->flags & LOOKUP_EXCL);
2963 path->dentry = dentry;
2964 path->mnt = nd->path.mnt;
2973 * Handle the last step of open()
2975 static int do_last(struct nameidata *nd,
2976 struct file *file, const struct open_flags *op,
2977 int *opened, struct filename *name)
2979 struct dentry *dir = nd->path.dentry;
2980 int open_flag = op->open_flag;
2981 bool will_truncate = (open_flag & O_TRUNC) != 0;
2982 bool got_write = false;
2983 int acc_mode = op->acc_mode;
2984 struct inode *inode;
2985 struct path save_parent = { .dentry = NULL, .mnt = NULL };
2987 bool retried = false;
2990 nd->flags &= ~LOOKUP_PARENT;
2991 nd->flags |= op->intent;
2993 if (nd->last_type != LAST_NORM) {
2994 error = handle_dots(nd, nd->last_type);
2995 if (unlikely(error)) {
3002 if (!(open_flag & O_CREAT)) {
3003 if (nd->last.name[nd->last.len])
3004 nd->flags |= LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
3005 /* we _can_ be in RCU mode here */
3006 error = lookup_fast(nd, &path, &inode);
3013 BUG_ON(nd->inode != dir->d_inode);
3015 /* create side of things */
3017 * This will *only* deal with leaving RCU mode - LOOKUP_JUMPED
3018 * has been cleared when we got to the last component we are
3021 error = complete_walk(nd);
3028 audit_inode(name, dir, LOOKUP_PARENT);
3030 /* trailing slashes? */
3031 if (nd->last.name[nd->last.len])
3036 if (op->open_flag & (O_CREAT | O_TRUNC | O_WRONLY | O_RDWR)) {
3037 error = mnt_want_write(nd->path.mnt);
3041 * do _not_ fail yet - we might not need that or fail with
3042 * a different error; let lookup_open() decide; we'll be
3043 * dropping this one anyway.
3046 mutex_lock(&dir->d_inode->i_mutex);
3047 error = lookup_open(nd, &path, file, op, got_write, opened);
3048 mutex_unlock(&dir->d_inode->i_mutex);
3054 if ((*opened & FILE_CREATED) ||
3055 !S_ISREG(file_inode(file)->i_mode))
3056 will_truncate = false;
3058 audit_inode(name, file->f_path.dentry, 0);
3062 if (*opened & FILE_CREATED) {
3063 /* Don't check for write permission, don't truncate */
3064 open_flag &= ~O_TRUNC;
3065 will_truncate = false;
3066 acc_mode = MAY_OPEN;
3067 path_to_nameidata(&path, nd);
3068 goto finish_open_created;
3072 * create/update audit record if it already exists.
3074 if (d_is_positive(path.dentry))
3075 audit_inode(name, path.dentry, 0);
3078 * If atomic_open() acquired write access it is dropped now due to
3079 * possible mount and symlink following (this might be optimized away if
3083 mnt_drop_write(nd->path.mnt);
3088 if ((open_flag & (O_EXCL | O_CREAT)) == (O_EXCL | O_CREAT))
3091 error = follow_managed(&path, nd);
3095 BUG_ON(nd->flags & LOOKUP_RCU);
3096 inode = path.dentry->d_inode;
3098 if (d_is_negative(path.dentry)) {
3099 path_to_nameidata(&path, nd);
3105 error = should_follow_link(nd, &path, nd->flags & LOOKUP_FOLLOW);
3106 if (unlikely(error)) {
3112 if (unlikely(d_is_symlink(path.dentry)) && !(open_flag & O_PATH)) {
3113 path_to_nameidata(&path, nd);
3118 if ((nd->flags & LOOKUP_RCU) || nd->path.mnt != path.mnt) {
3119 path_to_nameidata(&path, nd);
3121 save_parent.dentry = nd->path.dentry;
3122 save_parent.mnt = mntget(path.mnt);
3123 nd->path.dentry = path.dentry;
3127 /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
3129 error = complete_walk(nd);
3133 path_put(&save_parent);
3136 audit_inode(name, nd->path.dentry, 0);
3138 if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
3141 if ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry))
3143 if (!d_is_reg(nd->path.dentry))
3144 will_truncate = false;
3146 if (will_truncate) {
3147 error = mnt_want_write(nd->path.mnt);
3152 finish_open_created:
3153 error = may_open(&nd->path, acc_mode, open_flag);
3157 BUG_ON(*opened & FILE_OPENED); /* once it's opened, it's opened */
3158 error = vfs_open(&nd->path, file, current_cred());
3160 *opened |= FILE_OPENED;
3162 if (error == -EOPENSTALE)
3167 error = open_check_o_direct(file);
3170 error = ima_file_check(file, op->acc_mode, *opened);
3174 if (will_truncate) {
3175 error = handle_truncate(file);
3181 mnt_drop_write(nd->path.mnt);
3182 path_put(&save_parent);
3187 path_put_conditional(&path, nd);
3194 /* If no saved parent or already retried then can't retry */
3195 if (!save_parent.dentry || retried)
3198 BUG_ON(save_parent.dentry != dir);
3199 path_put(&nd->path);
3200 nd->path = save_parent;
3201 nd->inode = dir->d_inode;
3202 save_parent.mnt = NULL;
3203 save_parent.dentry = NULL;
3205 mnt_drop_write(nd->path.mnt);
3212 static int do_tmpfile(int dfd, struct filename *pathname,
3213 struct nameidata *nd, int flags,
3214 const struct open_flags *op,
3215 struct file *file, int *opened)
3217 static const struct qstr name = QSTR_INIT("/", 1);
3218 struct dentry *dentry, *child;
3220 int error = path_lookupat(dfd, pathname,
3221 flags | LOOKUP_DIRECTORY, nd);
3222 if (unlikely(error))
3224 error = mnt_want_write(nd->path.mnt);
3225 if (unlikely(error))
3227 /* we want directory to be writable */
3228 error = inode_permission(nd->inode, MAY_WRITE | MAY_EXEC);
3231 dentry = nd->path.dentry;
3232 dir = dentry->d_inode;
3233 if (!dir->i_op->tmpfile) {
3234 error = -EOPNOTSUPP;
3237 child = d_alloc(dentry, &name);
3238 if (unlikely(!child)) {
3242 nd->flags &= ~LOOKUP_DIRECTORY;
3243 nd->flags |= op->intent;
3244 dput(nd->path.dentry);
3245 nd->path.dentry = child;
3246 error = dir->i_op->tmpfile(dir, nd->path.dentry, op->mode);
3249 audit_inode(pathname, nd->path.dentry, 0);
3250 /* Don't check for other permissions, the inode was just created */
3251 error = may_open(&nd->path, MAY_OPEN, op->open_flag);
3254 file->f_path.mnt = nd->path.mnt;
3255 error = finish_open(file, nd->path.dentry, NULL, opened);
3258 error = open_check_o_direct(file);
3261 } else if (!(op->open_flag & O_EXCL)) {
3262 struct inode *inode = file_inode(file);
3263 spin_lock(&inode->i_lock);
3264 inode->i_state |= I_LINKABLE;
3265 spin_unlock(&inode->i_lock);
3268 mnt_drop_write(nd->path.mnt);
3270 path_put(&nd->path);
3274 static struct file *path_openat(int dfd, struct filename *pathname,
3275 struct nameidata *nd, const struct open_flags *op, int flags)
3281 file = get_empty_filp();
3285 file->f_flags = op->open_flag;
3287 if (unlikely(file->f_flags & __O_TMPFILE)) {
3288 error = do_tmpfile(dfd, pathname, nd, flags, op, file, &opened);
3292 error = path_init(dfd, pathname, flags, nd);
3293 if (unlikely(error))
3296 while ((error = do_last(nd, file, op, &opened, pathname)) > 0) {
3297 nd->flags &= ~(LOOKUP_OPEN|LOOKUP_CREATE|LOOKUP_EXCL);
3298 error = trailing_symlink(nd);
3299 if (unlikely(error))
3305 if (!(opened & FILE_OPENED)) {
3309 if (unlikely(error)) {
3310 if (error == -EOPENSTALE) {
3311 if (flags & LOOKUP_RCU)
3316 file = ERR_PTR(error);
3321 struct file *do_filp_open(int dfd, struct filename *pathname,
3322 const struct open_flags *op)
3324 struct nameidata nd, *saved_nd = set_nameidata(&nd);
3325 int flags = op->lookup_flags;
3328 filp = path_openat(dfd, pathname, &nd, op, flags | LOOKUP_RCU);
3329 if (unlikely(filp == ERR_PTR(-ECHILD)))
3330 filp = path_openat(dfd, pathname, &nd, op, flags);
3331 if (unlikely(filp == ERR_PTR(-ESTALE)))
3332 filp = path_openat(dfd, pathname, &nd, op, flags | LOOKUP_REVAL);
3333 restore_nameidata(saved_nd);
3337 struct file *do_file_open_root(struct dentry *dentry, struct vfsmount *mnt,
3338 const char *name, const struct open_flags *op)
3340 struct nameidata nd, *saved_nd;
3342 struct filename *filename;
3343 int flags = op->lookup_flags | LOOKUP_ROOT;
3346 nd.root.dentry = dentry;
3348 if (d_is_symlink(dentry) && op->intent & LOOKUP_OPEN)
3349 return ERR_PTR(-ELOOP);
3351 filename = getname_kernel(name);
3352 if (unlikely(IS_ERR(filename)))
3353 return ERR_CAST(filename);
3355 saved_nd = set_nameidata(&nd);
3356 file = path_openat(-1, filename, &nd, op, flags | LOOKUP_RCU);
3357 if (unlikely(file == ERR_PTR(-ECHILD)))
3358 file = path_openat(-1, filename, &nd, op, flags);
3359 if (unlikely(file == ERR_PTR(-ESTALE)))
3360 file = path_openat(-1, filename, &nd, op, flags | LOOKUP_REVAL);
3361 restore_nameidata(saved_nd);
3366 static struct dentry *filename_create(int dfd, struct filename *name,
3367 struct path *path, unsigned int lookup_flags)
3369 struct dentry *dentry = ERR_PTR(-EEXIST);
3370 struct nameidata nd;
3373 bool is_dir = (lookup_flags & LOOKUP_DIRECTORY);
3376 * Note that only LOOKUP_REVAL and LOOKUP_DIRECTORY matter here. Any
3377 * other flags passed in are ignored!
3379 lookup_flags &= LOOKUP_REVAL;
3381 error = filename_lookup(dfd, name, LOOKUP_PARENT|lookup_flags, &nd);
3383 return ERR_PTR(error);
3386 * Yucky last component or no last component at all?
3387 * (foo/., foo/.., /////)
3389 if (nd.last_type != LAST_NORM)
3391 nd.flags &= ~LOOKUP_PARENT;
3392 nd.flags |= LOOKUP_CREATE | LOOKUP_EXCL;
3394 /* don't fail immediately if it's r/o, at least try to report other errors */
3395 err2 = mnt_want_write(nd.path.mnt);
3397 * Do the final lookup.
3399 mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
3400 dentry = __lookup_hash(&nd.last, nd.path.dentry, nd.flags);
3405 if (d_is_positive(dentry))
3409 * Special case - lookup gave negative, but... we had foo/bar/
3410 * From the vfs_mknod() POV we just have a negative dentry -
3411 * all is fine. Let's be bastards - you had / on the end, you've
3412 * been asking for (non-existent) directory. -ENOENT for you.
3414 if (unlikely(!is_dir && nd.last.name[nd.last.len])) {
3418 if (unlikely(err2)) {
3426 dentry = ERR_PTR(error);
3428 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
3430 mnt_drop_write(nd.path.mnt);
3436 struct dentry *kern_path_create(int dfd, const char *pathname,
3437 struct path *path, unsigned int lookup_flags)
3439 struct filename *filename = getname_kernel(pathname);
3442 if (IS_ERR(filename))
3443 return ERR_CAST(filename);
3444 res = filename_create(dfd, filename, path, lookup_flags);
3448 EXPORT_SYMBOL(kern_path_create);
3450 void done_path_create(struct path *path, struct dentry *dentry)
3453 mutex_unlock(&path->dentry->d_inode->i_mutex);
3454 mnt_drop_write(path->mnt);
3457 EXPORT_SYMBOL(done_path_create);
3459 struct dentry *user_path_create(int dfd, const char __user *pathname,
3460 struct path *path, unsigned int lookup_flags)
3462 struct filename *tmp = getname(pathname);
3465 return ERR_CAST(tmp);
3466 res = filename_create(dfd, tmp, path, lookup_flags);
3470 EXPORT_SYMBOL(user_path_create);
3472 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3474 int error = may_create(dir, dentry);
3479 if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
3482 if (!dir->i_op->mknod)
3485 error = devcgroup_inode_mknod(mode, dev);
3489 error = security_inode_mknod(dir, dentry, mode, dev);
3493 error = dir->i_op->mknod(dir, dentry, mode, dev);
3495 fsnotify_create(dir, dentry);
3498 EXPORT_SYMBOL(vfs_mknod);
3500 static int may_mknod(umode_t mode)
3502 switch (mode & S_IFMT) {
3508 case 0: /* zero mode translates to S_IFREG */
3517 SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode,
3520 struct dentry *dentry;
3523 unsigned int lookup_flags = 0;
3525 error = may_mknod(mode);
3529 dentry = user_path_create(dfd, filename, &path, lookup_flags);
3531 return PTR_ERR(dentry);
3533 if (!IS_POSIXACL(path.dentry->d_inode))
3534 mode &= ~current_umask();
3535 error = security_path_mknod(&path, dentry, mode, dev);
3538 switch (mode & S_IFMT) {
3539 case 0: case S_IFREG:
3540 error = vfs_create(path.dentry->d_inode,dentry,mode,true);
3542 case S_IFCHR: case S_IFBLK:
3543 error = vfs_mknod(path.dentry->d_inode,dentry,mode,
3544 new_decode_dev(dev));
3546 case S_IFIFO: case S_IFSOCK:
3547 error = vfs_mknod(path.dentry->d_inode,dentry,mode,0);
3551 done_path_create(&path, dentry);
3552 if (retry_estale(error, lookup_flags)) {
3553 lookup_flags |= LOOKUP_REVAL;
3559 SYSCALL_DEFINE3(mknod, const char __user *, filename, umode_t, mode, unsigned, dev)
3561 return sys_mknodat(AT_FDCWD, filename, mode, dev);
3564 int vfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
3566 int error = may_create(dir, dentry);
3567 unsigned max_links = dir->i_sb->s_max_links;
3572 if (!dir->i_op->mkdir)
3575 mode &= (S_IRWXUGO|S_ISVTX);
3576 error = security_inode_mkdir(dir, dentry, mode);
3580 if (max_links && dir->i_nlink >= max_links)
3583 error = dir->i_op->mkdir(dir, dentry, mode);
3585 fsnotify_mkdir(dir, dentry);
3588 EXPORT_SYMBOL(vfs_mkdir);
3590 SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode)
3592 struct dentry *dentry;
3595 unsigned int lookup_flags = LOOKUP_DIRECTORY;
3598 dentry = user_path_create(dfd, pathname, &path, lookup_flags);
3600 return PTR_ERR(dentry);
3602 if (!IS_POSIXACL(path.dentry->d_inode))
3603 mode &= ~current_umask();
3604 error = security_path_mkdir(&path, dentry, mode);
3606 error = vfs_mkdir(path.dentry->d_inode, dentry, mode);
3607 done_path_create(&path, dentry);
3608 if (retry_estale(error, lookup_flags)) {
3609 lookup_flags |= LOOKUP_REVAL;
3615 SYSCALL_DEFINE2(mkdir, const char __user *, pathname, umode_t, mode)
3617 return sys_mkdirat(AT_FDCWD, pathname, mode);
3621 * The dentry_unhash() helper will try to drop the dentry early: we
3622 * should have a usage count of 1 if we're the only user of this
3623 * dentry, and if that is true (possibly after pruning the dcache),
3624 * then we drop the dentry now.
3626 * A low-level filesystem can, if it choses, legally
3629 * if (!d_unhashed(dentry))
3632 * if it cannot handle the case of removing a directory
3633 * that is still in use by something else..
3635 void dentry_unhash(struct dentry *dentry)
3637 shrink_dcache_parent(dentry);
3638 spin_lock(&dentry->d_lock);
3639 if (dentry->d_lockref.count == 1)
3641 spin_unlock(&dentry->d_lock);
3643 EXPORT_SYMBOL(dentry_unhash);
3645 int vfs_rmdir(struct inode *dir, struct dentry *dentry)
3647 int error = may_delete(dir, dentry, 1);
3652 if (!dir->i_op->rmdir)
3656 mutex_lock(&dentry->d_inode->i_mutex);
3659 if (is_local_mountpoint(dentry))
3662 error = security_inode_rmdir(dir, dentry);
3666 shrink_dcache_parent(dentry);
3667 error = dir->i_op->rmdir(dir, dentry);
3671 dentry->d_inode->i_flags |= S_DEAD;
3673 detach_mounts(dentry);
3676 mutex_unlock(&dentry->d_inode->i_mutex);
3682 EXPORT_SYMBOL(vfs_rmdir);
3684 static long do_rmdir(int dfd, const char __user *pathname)
3687 struct filename *name;
3688 struct dentry *dentry;
3692 unsigned int lookup_flags = 0;
3694 name = user_path_parent(dfd, pathname,
3695 &path, &last, &type, lookup_flags);
3697 return PTR_ERR(name);
3711 error = mnt_want_write(path.mnt);
3715 mutex_lock_nested(&path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
3716 dentry = __lookup_hash(&last, path.dentry, lookup_flags);
3717 error = PTR_ERR(dentry);
3720 if (!dentry->d_inode) {
3724 error = security_path_rmdir(&path, dentry);
3727 error = vfs_rmdir(path.dentry->d_inode, dentry);
3731 mutex_unlock(&path.dentry->d_inode->i_mutex);
3732 mnt_drop_write(path.mnt);
3736 if (retry_estale(error, lookup_flags)) {
3737 lookup_flags |= LOOKUP_REVAL;
3743 SYSCALL_DEFINE1(rmdir, const char __user *, pathname)
3745 return do_rmdir(AT_FDCWD, pathname);
3749 * vfs_unlink - unlink a filesystem object
3750 * @dir: parent directory
3752 * @delegated_inode: returns victim inode, if the inode is delegated.
3754 * The caller must hold dir->i_mutex.
3756 * If vfs_unlink discovers a delegation, it will return -EWOULDBLOCK and
3757 * return a reference to the inode in delegated_inode. The caller
3758 * should then break the delegation on that inode and retry. Because
3759 * breaking a delegation may take a long time, the caller should drop
3760 * dir->i_mutex before doing so.
3762 * Alternatively, a caller may pass NULL for delegated_inode. This may
3763 * be appropriate for callers that expect the underlying filesystem not
3764 * to be NFS exported.
3766 int vfs_unlink(struct inode *dir, struct dentry *dentry, struct inode **delegated_inode)
3768 struct inode *target = dentry->d_inode;
3769 int error = may_delete(dir, dentry, 0);
3774 if (!dir->i_op->unlink)
3777 mutex_lock(&target->i_mutex);
3778 if (is_local_mountpoint(dentry))
3781 error = security_inode_unlink(dir, dentry);
3783 error = try_break_deleg(target, delegated_inode);
3786 error = dir->i_op->unlink(dir, dentry);
3789 detach_mounts(dentry);
3794 mutex_unlock(&target->i_mutex);
3796 /* We don't d_delete() NFS sillyrenamed files--they still exist. */
3797 if (!error && !(dentry->d_flags & DCACHE_NFSFS_RENAMED)) {
3798 fsnotify_link_count(target);
3804 EXPORT_SYMBOL(vfs_unlink);
3807 * Make sure that the actual truncation of the file will occur outside its
3808 * directory's i_mutex. Truncate can take a long time if there is a lot of
3809 * writeout happening, and we don't want to prevent access to the directory
3810 * while waiting on the I/O.
3812 static long do_unlinkat(int dfd, const char __user *pathname)
3815 struct filename *name;
3816 struct dentry *dentry;
3820 struct inode *inode = NULL;
3821 struct inode *delegated_inode = NULL;
3822 unsigned int lookup_flags = 0;
3824 name = user_path_parent(dfd, pathname,
3825 &path, &last, &type, lookup_flags);
3827 return PTR_ERR(name);
3830 if (type != LAST_NORM)
3833 error = mnt_want_write(path.mnt);
3837 mutex_lock_nested(&path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
3838 dentry = __lookup_hash(&last, path.dentry, lookup_flags);
3839 error = PTR_ERR(dentry);
3840 if (!IS_ERR(dentry)) {
3841 /* Why not before? Because we want correct error value */
3842 if (last.name[last.len])
3844 inode = dentry->d_inode;
3845 if (d_is_negative(dentry))
3848 error = security_path_unlink(&path, dentry);
3851 error = vfs_unlink(path.dentry->d_inode, dentry, &delegated_inode);
3855 mutex_unlock(&path.dentry->d_inode->i_mutex);
3857 iput(inode); /* truncate the inode here */
3859 if (delegated_inode) {
3860 error = break_deleg_wait(&delegated_inode);
3864 mnt_drop_write(path.mnt);
3868 if (retry_estale(error, lookup_flags)) {
3869 lookup_flags |= LOOKUP_REVAL;
3876 if (d_is_negative(dentry))
3878 else if (d_is_dir(dentry))
3885 SYSCALL_DEFINE3(unlinkat, int, dfd, const char __user *, pathname, int, flag)
3887 if ((flag & ~AT_REMOVEDIR) != 0)
3890 if (flag & AT_REMOVEDIR)
3891 return do_rmdir(dfd, pathname);
3893 return do_unlinkat(dfd, pathname);
3896 SYSCALL_DEFINE1(unlink, const char __user *, pathname)
3898 return do_unlinkat(AT_FDCWD, pathname);
3901 int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname)
3903 int error = may_create(dir, dentry);
3908 if (!dir->i_op->symlink)
3911 error = security_inode_symlink(dir, dentry, oldname);
3915 error = dir->i_op->symlink(dir, dentry, oldname);
3917 fsnotify_create(dir, dentry);
3920 EXPORT_SYMBOL(vfs_symlink);
3922 SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
3923 int, newdfd, const char __user *, newname)
3926 struct filename *from;
3927 struct dentry *dentry;
3929 unsigned int lookup_flags = 0;
3931 from = getname(oldname);
3933 return PTR_ERR(from);
3935 dentry = user_path_create(newdfd, newname, &path, lookup_flags);
3936 error = PTR_ERR(dentry);
3940 error = security_path_symlink(&path, dentry, from->name);
3942 error = vfs_symlink(path.dentry->d_inode, dentry, from->name);
3943 done_path_create(&path, dentry);
3944 if (retry_estale(error, lookup_flags)) {
3945 lookup_flags |= LOOKUP_REVAL;
3953 SYSCALL_DEFINE2(symlink, const char __user *, oldname, const char __user *, newname)
3955 return sys_symlinkat(oldname, AT_FDCWD, newname);
3959 * vfs_link - create a new link
3960 * @old_dentry: object to be linked
3962 * @new_dentry: where to create the new link
3963 * @delegated_inode: returns inode needing a delegation break
3965 * The caller must hold dir->i_mutex
3967 * If vfs_link discovers a delegation on the to-be-linked file in need
3968 * of breaking, it will return -EWOULDBLOCK and return a reference to the
3969 * inode in delegated_inode. The caller should then break the delegation
3970 * and retry. Because breaking a delegation may take a long time, the
3971 * caller should drop the i_mutex before doing so.
3973 * Alternatively, a caller may pass NULL for delegated_inode. This may
3974 * be appropriate for callers that expect the underlying filesystem not
3975 * to be NFS exported.
3977 int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry, struct inode **delegated_inode)
3979 struct inode *inode = old_dentry->d_inode;
3980 unsigned max_links = dir->i_sb->s_max_links;
3986 error = may_create(dir, new_dentry);
3990 if (dir->i_sb != inode->i_sb)
3994 * A link to an append-only or immutable file cannot be created.
3996 if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
3998 if (!dir->i_op->link)
4000 if (S_ISDIR(inode->i_mode))
4003 error = security_inode_link(old_dentry, dir, new_dentry);
4007 mutex_lock(&inode->i_mutex);
4008 /* Make sure we don't allow creating hardlink to an unlinked file */
4009 if (inode->i_nlink == 0 && !(inode->i_state & I_LINKABLE))
4011 else if (max_links && inode->i_nlink >= max_links)
4014 error = try_break_deleg(inode, delegated_inode);
4016 error = dir->i_op->link(old_dentry, dir, new_dentry);
4019 if (!error && (inode->i_state & I_LINKABLE)) {
4020 spin_lock(&inode->i_lock);
4021 inode->i_state &= ~I_LINKABLE;
4022 spin_unlock(&inode->i_lock);
4024 mutex_unlock(&inode->i_mutex);
4026 fsnotify_link(dir, inode, new_dentry);
4029 EXPORT_SYMBOL(vfs_link);
4032 * Hardlinks are often used in delicate situations. We avoid
4033 * security-related surprises by not following symlinks on the
4036 * We don't follow them on the oldname either to be compatible
4037 * with linux 2.0, and to avoid hard-linking to directories
4038 * and other special files. --ADM
4040 SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
4041 int, newdfd, const char __user *, newname, int, flags)
4043 struct dentry *new_dentry;
4044 struct path old_path, new_path;
4045 struct inode *delegated_inode = NULL;
4049 if ((flags & ~(AT_SYMLINK_FOLLOW | AT_EMPTY_PATH)) != 0)
4052 * To use null names we require CAP_DAC_READ_SEARCH
4053 * This ensures that not everyone will be able to create
4054 * handlink using the passed filedescriptor.
4056 if (flags & AT_EMPTY_PATH) {
4057 if (!capable(CAP_DAC_READ_SEARCH))
4062 if (flags & AT_SYMLINK_FOLLOW)
4063 how |= LOOKUP_FOLLOW;
4065 error = user_path_at(olddfd, oldname, how, &old_path);
4069 new_dentry = user_path_create(newdfd, newname, &new_path,
4070 (how & LOOKUP_REVAL));
4071 error = PTR_ERR(new_dentry);
4072 if (IS_ERR(new_dentry))
4076 if (old_path.mnt != new_path.mnt)
4078 error = may_linkat(&old_path);
4079 if (unlikely(error))
4081 error = security_path_link(old_path.dentry, &new_path, new_dentry);
4084 error = vfs_link(old_path.dentry, new_path.dentry->d_inode, new_dentry, &delegated_inode);
4086 done_path_create(&new_path, new_dentry);
4087 if (delegated_inode) {
4088 error = break_deleg_wait(&delegated_inode);
4090 path_put(&old_path);
4094 if (retry_estale(error, how)) {
4095 path_put(&old_path);
4096 how |= LOOKUP_REVAL;
4100 path_put(&old_path);
4105 SYSCALL_DEFINE2(link, const char __user *, oldname, const char __user *, newname)
4107 return sys_linkat(AT_FDCWD, oldname, AT_FDCWD, newname, 0);
4111 * vfs_rename - rename a filesystem object
4112 * @old_dir: parent of source
4113 * @old_dentry: source
4114 * @new_dir: parent of destination
4115 * @new_dentry: destination
4116 * @delegated_inode: returns an inode needing a delegation break
4117 * @flags: rename flags
4119 * The caller must hold multiple mutexes--see lock_rename()).
4121 * If vfs_rename discovers a delegation in need of breaking at either
4122 * the source or destination, it will return -EWOULDBLOCK and return a
4123 * reference to the inode in delegated_inode. The caller should then
4124 * break the delegation and retry. Because breaking a delegation may
4125 * take a long time, the caller should drop all locks before doing
4128 * Alternatively, a caller may pass NULL for delegated_inode. This may
4129 * be appropriate for callers that expect the underlying filesystem not
4130 * to be NFS exported.
4132 * The worst of all namespace operations - renaming directory. "Perverted"
4133 * doesn't even start to describe it. Somebody in UCB had a heck of a trip...
4135 * a) we can get into loop creation.
4136 * b) race potential - two innocent renames can create a loop together.
4137 * That's where 4.4 screws up. Current fix: serialization on
4138 * sb->s_vfs_rename_mutex. We might be more accurate, but that's another
4140 * c) we have to lock _four_ objects - parents and victim (if it exists),
4141 * and source (if it is not a directory).
4142 * And that - after we got ->i_mutex on parents (until then we don't know
4143 * whether the target exists). Solution: try to be smart with locking
4144 * order for inodes. We rely on the fact that tree topology may change
4145 * only under ->s_vfs_rename_mutex _and_ that parent of the object we
4146 * move will be locked. Thus we can rank directories by the tree
4147 * (ancestors first) and rank all non-directories after them.
4148 * That works since everybody except rename does "lock parent, lookup,
4149 * lock child" and rename is under ->s_vfs_rename_mutex.
4150 * HOWEVER, it relies on the assumption that any object with ->lookup()
4151 * has no more than 1 dentry. If "hybrid" objects will ever appear,
4152 * we'd better make sure that there's no link(2) for them.
4153 * d) conversion from fhandle to dentry may come in the wrong moment - when
4154 * we are removing the target. Solution: we will have to grab ->i_mutex
4155 * in the fhandle_to_dentry code. [FIXME - current nfsfh.c relies on
4156 * ->i_mutex on parents, which works but leads to some truly excessive
4159 int vfs_rename(struct inode *old_dir, struct dentry *old_dentry,
4160 struct inode *new_dir, struct dentry *new_dentry,
4161 struct inode **delegated_inode, unsigned int flags)
4164 bool is_dir = d_is_dir(old_dentry);
4165 const unsigned char *old_name;
4166 struct inode *source = old_dentry->d_inode;
4167 struct inode *target = new_dentry->d_inode;
4168 bool new_is_dir = false;
4169 unsigned max_links = new_dir->i_sb->s_max_links;
4171 if (source == target)
4174 error = may_delete(old_dir, old_dentry, is_dir);
4179 error = may_create(new_dir, new_dentry);
4181 new_is_dir = d_is_dir(new_dentry);
4183 if (!(flags & RENAME_EXCHANGE))
4184 error = may_delete(new_dir, new_dentry, is_dir);
4186 error = may_delete(new_dir, new_dentry, new_is_dir);
4191 if (!old_dir->i_op->rename && !old_dir->i_op->rename2)
4194 if (flags && !old_dir->i_op->rename2)
4198 * If we are going to change the parent - check write permissions,
4199 * we'll need to flip '..'.
4201 if (new_dir != old_dir) {
4203 error = inode_permission(source, MAY_WRITE);
4207 if ((flags & RENAME_EXCHANGE) && new_is_dir) {
4208 error = inode_permission(target, MAY_WRITE);
4214 error = security_inode_rename(old_dir, old_dentry, new_dir, new_dentry,
4219 old_name = fsnotify_oldname_init(old_dentry->d_name.name);
4221 if (!is_dir || (flags & RENAME_EXCHANGE))
4222 lock_two_nondirectories(source, target);
4224 mutex_lock(&target->i_mutex);
4227 if (is_local_mountpoint(old_dentry) || is_local_mountpoint(new_dentry))
4230 if (max_links && new_dir != old_dir) {
4232 if (is_dir && !new_is_dir && new_dir->i_nlink >= max_links)
4234 if ((flags & RENAME_EXCHANGE) && !is_dir && new_is_dir &&
4235 old_dir->i_nlink >= max_links)
4238 if (is_dir && !(flags & RENAME_EXCHANGE) && target)
4239 shrink_dcache_parent(new_dentry);
4241 error = try_break_deleg(source, delegated_inode);
4245 if (target && !new_is_dir) {
4246 error = try_break_deleg(target, delegated_inode);
4250 if (!old_dir->i_op->rename2) {
4251 error = old_dir->i_op->rename(old_dir, old_dentry,
4252 new_dir, new_dentry);
4254 WARN_ON(old_dir->i_op->rename != NULL);
4255 error = old_dir->i_op->rename2(old_dir, old_dentry,
4256 new_dir, new_dentry, flags);
4261 if (!(flags & RENAME_EXCHANGE) && target) {
4263 target->i_flags |= S_DEAD;
4264 dont_mount(new_dentry);
4265 detach_mounts(new_dentry);
4267 if (!(old_dir->i_sb->s_type->fs_flags & FS_RENAME_DOES_D_MOVE)) {
4268 if (!(flags & RENAME_EXCHANGE))
4269 d_move(old_dentry, new_dentry);
4271 d_exchange(old_dentry, new_dentry);
4274 if (!is_dir || (flags & RENAME_EXCHANGE))
4275 unlock_two_nondirectories(source, target);
4277 mutex_unlock(&target->i_mutex);
4280 fsnotify_move(old_dir, new_dir, old_name, is_dir,
4281 !(flags & RENAME_EXCHANGE) ? target : NULL, old_dentry);
4282 if (flags & RENAME_EXCHANGE) {
4283 fsnotify_move(new_dir, old_dir, old_dentry->d_name.name,
4284 new_is_dir, NULL, new_dentry);
4287 fsnotify_oldname_free(old_name);
4291 EXPORT_SYMBOL(vfs_rename);
4293 SYSCALL_DEFINE5(renameat2, int, olddfd, const char __user *, oldname,
4294 int, newdfd, const char __user *, newname, unsigned int, flags)
4296 struct dentry *old_dentry, *new_dentry;
4297 struct dentry *trap;
4298 struct path old_path, new_path;
4299 struct qstr old_last, new_last;
4300 int old_type, new_type;
4301 struct inode *delegated_inode = NULL;
4302 struct filename *from;
4303 struct filename *to;
4304 unsigned int lookup_flags = 0, target_flags = LOOKUP_RENAME_TARGET;
4305 bool should_retry = false;
4308 if (flags & ~(RENAME_NOREPLACE | RENAME_EXCHANGE | RENAME_WHITEOUT))
4311 if ((flags & (RENAME_NOREPLACE | RENAME_WHITEOUT)) &&
4312 (flags & RENAME_EXCHANGE))
4315 if ((flags & RENAME_WHITEOUT) && !capable(CAP_MKNOD))
4318 if (flags & RENAME_EXCHANGE)
4322 from = user_path_parent(olddfd, oldname,
4323 &old_path, &old_last, &old_type, lookup_flags);
4325 error = PTR_ERR(from);
4329 to = user_path_parent(newdfd, newname,
4330 &new_path, &new_last, &new_type, lookup_flags);
4332 error = PTR_ERR(to);
4337 if (old_path.mnt != new_path.mnt)
4341 if (old_type != LAST_NORM)
4344 if (flags & RENAME_NOREPLACE)
4346 if (new_type != LAST_NORM)
4349 error = mnt_want_write(old_path.mnt);
4354 trap = lock_rename(new_path.dentry, old_path.dentry);
4356 old_dentry = __lookup_hash(&old_last, old_path.dentry, lookup_flags);
4357 error = PTR_ERR(old_dentry);
4358 if (IS_ERR(old_dentry))
4360 /* source must exist */
4362 if (d_is_negative(old_dentry))
4364 new_dentry = __lookup_hash(&new_last, new_path.dentry, lookup_flags | target_flags);
4365 error = PTR_ERR(new_dentry);
4366 if (IS_ERR(new_dentry))
4369 if ((flags & RENAME_NOREPLACE) && d_is_positive(new_dentry))
4371 if (flags & RENAME_EXCHANGE) {
4373 if (d_is_negative(new_dentry))
4376 if (!d_is_dir(new_dentry)) {
4378 if (new_last.name[new_last.len])
4382 /* unless the source is a directory trailing slashes give -ENOTDIR */
4383 if (!d_is_dir(old_dentry)) {
4385 if (old_last.name[old_last.len])
4387 if (!(flags & RENAME_EXCHANGE) && new_last.name[new_last.len])
4390 /* source should not be ancestor of target */
4392 if (old_dentry == trap)
4394 /* target should not be an ancestor of source */
4395 if (!(flags & RENAME_EXCHANGE))
4397 if (new_dentry == trap)
4400 error = security_path_rename(&old_path, old_dentry,
4401 &new_path, new_dentry, flags);
4404 error = vfs_rename(old_path.dentry->d_inode, old_dentry,
4405 new_path.dentry->d_inode, new_dentry,
4406 &delegated_inode, flags);
4412 unlock_rename(new_path.dentry, old_path.dentry);
4413 if (delegated_inode) {
4414 error = break_deleg_wait(&delegated_inode);
4418 mnt_drop_write(old_path.mnt);
4420 if (retry_estale(error, lookup_flags))
4421 should_retry = true;
4422 path_put(&new_path);
4425 path_put(&old_path);
4428 should_retry = false;
4429 lookup_flags |= LOOKUP_REVAL;
4436 SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
4437 int, newdfd, const char __user *, newname)
4439 return sys_renameat2(olddfd, oldname, newdfd, newname, 0);
4442 SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newname)
4444 return sys_renameat2(AT_FDCWD, oldname, AT_FDCWD, newname, 0);
4447 int vfs_whiteout(struct inode *dir, struct dentry *dentry)
4449 int error = may_create(dir, dentry);
4453 if (!dir->i_op->mknod)
4456 return dir->i_op->mknod(dir, dentry,
4457 S_IFCHR | WHITEOUT_MODE, WHITEOUT_DEV);
4459 EXPORT_SYMBOL(vfs_whiteout);
4461 int readlink_copy(char __user *buffer, int buflen, const char *link)
4463 int len = PTR_ERR(link);
4468 if (len > (unsigned) buflen)
4470 if (copy_to_user(buffer, link, len))
4475 EXPORT_SYMBOL(readlink_copy);
4478 * A helper for ->readlink(). This should be used *ONLY* for symlinks that
4479 * have ->follow_link() touching nd only in nd_set_link(). Using (or not
4480 * using) it for any given inode is up to filesystem.
4482 int generic_readlink(struct dentry *dentry, char __user *buffer, int buflen)
4485 const char *link = dentry->d_inode->i_link;
4489 link = dentry->d_inode->i_op->follow_link(dentry, &cookie);
4491 return PTR_ERR(link);
4493 res = readlink_copy(buffer, buflen, link);
4494 if (dentry->d_inode->i_op->put_link)
4495 dentry->d_inode->i_op->put_link(dentry, cookie);
4498 EXPORT_SYMBOL(generic_readlink);
4500 /* get the link contents into pagecache */
4501 static char *page_getlink(struct dentry * dentry, struct page **ppage)
4505 struct address_space *mapping = dentry->d_inode->i_mapping;
4506 page = read_mapping_page(mapping, 0, NULL);
4511 nd_terminate_link(kaddr, dentry->d_inode->i_size, PAGE_SIZE - 1);
4515 int page_readlink(struct dentry *dentry, char __user *buffer, int buflen)
4517 struct page *page = NULL;
4518 int res = readlink_copy(buffer, buflen, page_getlink(dentry, &page));
4521 page_cache_release(page);
4525 EXPORT_SYMBOL(page_readlink);
4527 const char *page_follow_link_light(struct dentry *dentry, void **cookie)
4529 struct page *page = NULL;
4530 char *res = page_getlink(dentry, &page);
4535 EXPORT_SYMBOL(page_follow_link_light);
4537 void page_put_link(struct dentry *dentry, void *cookie)
4539 struct page *page = cookie;
4541 page_cache_release(page);
4543 EXPORT_SYMBOL(page_put_link);
4546 * The nofs argument instructs pagecache_write_begin to pass AOP_FLAG_NOFS
4548 int __page_symlink(struct inode *inode, const char *symname, int len, int nofs)
4550 struct address_space *mapping = inode->i_mapping;
4555 unsigned int flags = AOP_FLAG_UNINTERRUPTIBLE;
4557 flags |= AOP_FLAG_NOFS;
4560 err = pagecache_write_begin(NULL, mapping, 0, len-1,
4561 flags, &page, &fsdata);
4565 kaddr = kmap_atomic(page);
4566 memcpy(kaddr, symname, len-1);
4567 kunmap_atomic(kaddr);
4569 err = pagecache_write_end(NULL, mapping, 0, len-1, len-1,
4576 mark_inode_dirty(inode);
4581 EXPORT_SYMBOL(__page_symlink);
4583 int page_symlink(struct inode *inode, const char *symname, int len)
4585 return __page_symlink(inode, symname, len,
4586 !(mapping_gfp_mask(inode->i_mapping) & __GFP_FS));
4588 EXPORT_SYMBOL(page_symlink);
4590 const struct inode_operations page_symlink_inode_operations = {
4591 .readlink = generic_readlink,
4592 .follow_link = page_follow_link_light,
4593 .put_link = page_put_link,
4595 EXPORT_SYMBOL(page_symlink_inode_operations);
projects / karo-tx-linux.git / blob