linux/fs/namei.c
<<
>>
Prefs
   1/*
   2 *  linux/fs/namei.c
   3 *
   4 *  Copyright (C) 1991, 1992  Linus Torvalds
   5 */
   6
   7/*
   8 * Some corrections by tytso.
   9 */
  10
  11/* [Feb 1997 T. Schoebel-Theuer] Complete rewrite of the pathname
  12 * lookup logic.
  13 */
  14/* [Feb-Apr 2000, AV] Rewrite to the new namespace architecture.
  15 */
  16
  17#include <linux/init.h>
  18#include <linux/export.h>
  19#include <linux/kernel.h>
  20#include <linux/slab.h>
  21#include <linux/fs.h>
  22#include <linux/namei.h>
  23#include <linux/pagemap.h>
  24#include <linux/fsnotify.h>
  25#include <linux/personality.h>
  26#include <linux/security.h>
  27#include <linux/ima.h>
  28#include <linux/syscalls.h>
  29#include <linux/mount.h>
  30#include <linux/audit.h>
  31#include <linux/capability.h>
  32#include <linux/file.h>
  33#include <linux/fcntl.h>
  34#include <linux/device_cgroup.h>
  35#include <linux/fs_struct.h>
  36#include <linux/posix_acl.h>
  37#include <linux/hash.h>
  38#include <asm/uaccess.h>
  39
  40#include "internal.h"
  41#include "mount.h"
  42
  43/* [Feb-1997 T. Schoebel-Theuer]
  44 * Fundamental changes in the pathname lookup mechanisms (namei)
  45 * were necessary because of omirr.  The reason is that omirr needs
  46 * to know the _real_ pathname, not the user-supplied one, in case
  47 * of symlinks (and also when transname replacements occur).
  48 *
  49 * The new code replaces the old recursive symlink resolution with
  50 * an iterative one (in case of non-nested symlink chains).  It does
  51 * this with calls to <fs>_follow_link().
  52 * As a side effect, dir_namei(), _namei() and follow_link() are now 
  53 * replaced with a single function lookup_dentry() that can handle all 
  54 * the special cases of the former code.
  55 *
  56 * With the new dcache, the pathname is stored at each inode, at least as
  57 * long as the refcount of the inode is positive.  As a side effect, the
  58 * size of the dcache depends on the inode cache and thus is dynamic.
  59 *
  60 * [29-Apr-1998 C. Scott Ananian] Updated above description of symlink
  61 * resolution to correspond with current state of the code.
  62 *
  63 * Note that the symlink resolution is not *completely* iterative.
  64 * There is still a significant amount of tail- and mid- recursion in
  65 * the algorithm.  Also, note that <fs>_readlink() is not used in
  66 * lookup_dentry(): lookup_dentry() on the result of <fs>_readlink()
  67 * may return different results than <fs>_follow_link().  Many virtual
  68 * filesystems (including /proc) exhibit this behavior.
  69 */
  70
  71/* [24-Feb-97 T. Schoebel-Theuer] Side effects caused by new implementation:
  72 * New symlink semantics: when open() is called with flags O_CREAT | O_EXCL
  73 * and the name already exists in form of a symlink, try to create the new
  74 * name indicated by the symlink. The old code always complained that the
  75 * name already exists, due to not following the symlink even if its target
  76 * is nonexistent.  The new semantics affects also mknod() and link() when
  77 * the name is a symlink pointing to a non-existent name.
  78 *
  79 * I don't know which semantics is the right one, since I have no access
  80 * to standards. But I found by trial that HP-UX 9.0 has the full "new"
  81 * semantics implemented, while SunOS 4.1.1 and Solaris (SunOS 5.4) have the
  82 * "old" one. Personally, I think the new semantics is much more logical.
  83 * Note that "ln old new" where "new" is a symlink pointing to a non-existing
  84 * file does succeed in both HP-UX and SunOs, but not in Solaris
  85 * and in the old Linux semantics.
  86 */
  87
  88/* [16-Dec-97 Kevin Buhr] For security reasons, we change some symlink
  89 * semantics.  See the comments in "open_namei" and "do_link" below.
  90 *
  91 * [10-Sep-98 Alan Modra] Another symlink change.
  92 */
  93
  94/* [Feb-Apr 2000 AV] Complete rewrite. Rules for symlinks:
  95 *      inside the path - always follow.
  96 *      in the last component in creation/removal/renaming - never follow.
  97 *      if LOOKUP_FOLLOW passed - follow.
  98 *      if the pathname has trailing slashes - follow.
  99 *      otherwise - don't follow.
 100 * (applied in that order).
 101 *
 102 * [Jun 2000 AV] Inconsistent behaviour of open() in case if flags==O_CREAT
 103 * restored for 2.4. This is the last surviving part of old 4.2BSD bug.
 104 * During the 2.4 we need to fix the userland stuff depending on it -
 105 * hopefully we will be able to get rid of that wart in 2.5. So far only
 106 * XEmacs seems to be relying on it...
 107 */
 108/*
 109 * [Sep 2001 AV] Single-semaphore locking scheme (kudos to David Holland)
 110 * implemented.  Let's see if raised priority of ->s_vfs_rename_mutex gives
 111 * any extra contention...
 112 */
 113
 114/* In order to reduce some races, while at the same time doing additional
 115 * checking and hopefully speeding things up, we copy filenames to the
 116 * kernel data space before using them..
 117 *
 118 * POSIX.1 2.4: an empty pathname is invalid (ENOENT).
 119 * PATH_MAX includes the nul terminator --RR.
 120 */
 121
 122#define EMBEDDED_NAME_MAX       (PATH_MAX - offsetof(struct filename, iname))
 123
 124struct filename *
 125getname_flags(const char __user *filename, int flags, int *empty)
 126{
 127        struct filename *result;
 128        char *kname;
 129        int len;
 130
 131        result = audit_reusename(filename);
 132        if (result)
 133                return result;
 134
 135        result = __getname();
 136        if (unlikely(!result))
 137                return ERR_PTR(-ENOMEM);
 138
 139        /*
 140         * First, try to embed the struct filename inside the names_cache
 141         * allocation
 142         */
 143        kname = (char *)result->iname;
 144        result->name = kname;
 145
 146        len = strncpy_from_user(kname, filename, EMBEDDED_NAME_MAX);
 147        if (unlikely(len < 0)) {
 148                __putname(result);
 149                return ERR_PTR(len);
 150        }
 151
 152        /*
 153         * Uh-oh. We have a name that's approaching PATH_MAX. Allocate a
 154         * separate struct filename so we can dedicate the entire
 155         * names_cache allocation for the pathname, and re-do the copy from
 156         * userland.
 157         */
 158        if (unlikely(len == EMBEDDED_NAME_MAX)) {
 159                const size_t size = offsetof(struct filename, iname[1]);
 160                kname = (char *)result;
 161
 162                /*
 163                 * size is chosen that way we to guarantee that
 164                 * result->iname[0] is within the same object and that
 165                 * kname can't be equal to result->iname, no matter what.
 166                 */
 167                result = kzalloc(size, GFP_KERNEL);
 168                if (unlikely(!result)) {
 169                        __putname(kname);
 170                        return ERR_PTR(-ENOMEM);
 171                }
 172                result->name = kname;
 173                len = strncpy_from_user(kname, filename, PATH_MAX);
 174                if (unlikely(len < 0)) {
 175                        __putname(kname);
 176                        kfree(result);
 177                        return ERR_PTR(len);
 178                }
 179                if (unlikely(len == PATH_MAX)) {
 180                        __putname(kname);
 181                        kfree(result);
 182                        return ERR_PTR(-ENAMETOOLONG);
 183                }
 184        }
 185
 186        result->refcnt = 1;
 187        /* The empty path is special. */
 188        if (unlikely(!len)) {
 189                if (empty)
 190                        *empty = 1;
 191                if (!(flags & LOOKUP_EMPTY)) {
 192                        putname(result);
 193                        return ERR_PTR(-ENOENT);
 194                }
 195        }
 196
 197        result->uptr = filename;
 198        result->aname = NULL;
 199        audit_getname(result);
 200        return result;
 201}
 202
 203struct filename *
 204getname(const char __user * filename)
 205{
 206        return getname_flags(filename, 0, NULL);
 207}
 208
 209struct filename *
 210getname_kernel(const char * filename)
 211{
 212        struct filename *result;
 213        int len = strlen(filename) + 1;
 214
 215        result = __getname();
 216        if (unlikely(!result))
 217                return ERR_PTR(-ENOMEM);
 218
 219        if (len <= EMBEDDED_NAME_MAX) {
 220                result->name = (char *)result->iname;
 221        } else if (len <= PATH_MAX) {
 222                struct filename *tmp;
 223
 224                tmp = kmalloc(sizeof(*tmp), GFP_KERNEL);
 225                if (unlikely(!tmp)) {
 226                        __putname(result);
 227                        return ERR_PTR(-ENOMEM);
 228                }
 229                tmp->name = (char *)result;
 230                result = tmp;
 231        } else {
 232                __putname(result);
 233                return ERR_PTR(-ENAMETOOLONG);
 234        }
 235        memcpy((char *)result->name, filename, len);
 236        result->uptr = NULL;
 237        result->aname = NULL;
 238        result->refcnt = 1;
 239        audit_getname(result);
 240
 241        return result;
 242}
 243
 244void putname(struct filename *name)
 245{
 246        BUG_ON(name->refcnt <= 0);
 247
 248        if (--name->refcnt > 0)
 249                return;
 250
 251        if (name->name != name->iname) {
 252                __putname(name->name);
 253                kfree(name);
 254        } else
 255                __putname(name);
 256}
 257
 258static int check_acl(struct inode *inode, int mask)
 259{
 260#ifdef CONFIG_FS_POSIX_ACL
 261        struct posix_acl *acl;
 262
 263        if (mask & MAY_NOT_BLOCK) {
 264                acl = get_cached_acl_rcu(inode, ACL_TYPE_ACCESS);
 265                if (!acl)
 266                        return -EAGAIN;
 267                /* no ->get_acl() calls in RCU mode... */
 268                if (acl == ACL_NOT_CACHED)
 269                        return -ECHILD;
 270                return posix_acl_permission(inode, acl, mask & ~MAY_NOT_BLOCK);
 271        }
 272
 273        acl = get_acl(inode, ACL_TYPE_ACCESS);
 274        if (IS_ERR(acl))
 275                return PTR_ERR(acl);
 276        if (acl) {
 277                int error = posix_acl_permission(inode, acl, mask);
 278                posix_acl_release(acl);
 279                return error;
 280        }
 281#endif
 282
 283        return -EAGAIN;
 284}
 285
 286/*
 287 * This does the basic permission checking
 288 */
 289static int acl_permission_check(struct inode *inode, int mask)
 290{
 291        unsigned int mode = inode->i_mode;
 292
 293        if (likely(uid_eq(current_fsuid(), inode->i_uid)))
 294                mode >>= 6;
 295        else {
 296                if (IS_POSIXACL(inode) && (mode & S_IRWXG)) {
 297                        int error = check_acl(inode, mask);
 298                        if (error != -EAGAIN)
 299                                return error;
 300                }
 301
 302                if (in_group_p(inode->i_gid))
 303                        mode >>= 3;
 304        }
 305
 306        /*
 307         * If the DACs are ok we don't need any capability check.
 308         */
 309        if ((mask & ~mode & (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0)
 310                return 0;
 311        return -EACCES;
 312}
 313
 314/**
 315 * generic_permission -  check for access rights on a Posix-like filesystem
 316 * @inode:      inode to check access rights for
 317 * @mask:       right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC, ...)
 318 *
 319 * Used to check for read/write/execute permissions on a file.
 320 * We use "fsuid" for this, letting us set arbitrary permissions
 321 * for filesystem access without changing the "normal" uids which
 322 * are used for other things.
 323 *
 324 * generic_permission is rcu-walk aware. It returns -ECHILD in case an rcu-walk
 325 * request cannot be satisfied (eg. requires blocking or too much complexity).
 326 * It would then be called again in ref-walk mode.
 327 */
 328int generic_permission(struct inode *inode, int mask)
 329{
 330        int ret;
 331
 332        /*
 333         * Do the basic permission checks.
 334         */
 335        ret = acl_permission_check(inode, mask);
 336        if (ret != -EACCES)
 337                return ret;
 338
 339        if (S_ISDIR(inode->i_mode)) {
 340                /* DACs are overridable for directories */
 341                if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
 342                        return 0;
 343                if (!(mask & MAY_WRITE))
 344                        if (capable_wrt_inode_uidgid(inode,
 345                                                     CAP_DAC_READ_SEARCH))
 346                                return 0;
 347                return -EACCES;
 348        }
 349        /*
 350         * Read/write DACs are always overridable.
 351         * Executable DACs are overridable when there is
 352         * at least one exec bit set.
 353         */
 354        if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
 355                if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
 356                        return 0;
 357
 358        /*
 359         * Searching includes executable on directories, else just read.
 360         */
 361        mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
 362        if (mask == MAY_READ)
 363                if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
 364                        return 0;
 365
 366        return -EACCES;
 367}
 368EXPORT_SYMBOL(generic_permission);
 369
 370/*
 371 * We _really_ want to just do "generic_permission()" without
 372 * even looking at the inode->i_op values. So we keep a cache
 373 * flag in inode->i_opflags, that says "this has not special
 374 * permission function, use the fast case".
 375 */
 376static inline int do_inode_permission(struct inode *inode, int mask)
 377{
 378        if (unlikely(!(inode->i_opflags & IOP_FASTPERM))) {
 379                if (likely(inode->i_op->permission))
 380                        return inode->i_op->permission(inode, mask);
 381
 382                /* This gets set once for the inode lifetime */
 383                spin_lock(&inode->i_lock);
 384                inode->i_opflags |= IOP_FASTPERM;
 385                spin_unlock(&inode->i_lock);
 386        }
 387        return generic_permission(inode, mask);
 388}
 389
 390/**
 391 * __inode_permission - Check for access rights to a given inode
 392 * @inode: Inode to check permission on
 393 * @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
 394 *
 395 * Check for read/write/execute permissions on an inode.
 396 *
 397 * When checking for MAY_APPEND, MAY_WRITE must also be set in @mask.
 398 *
 399 * This does not check for a read-only file system.  You probably want
 400 * inode_permission().
 401 */
 402int __inode_permission(struct inode *inode, int mask)
 403{
 404        int retval;
 405
 406        if (unlikely(mask & MAY_WRITE)) {
 407                /*
 408                 * Nobody gets write access to an immutable file.
 409                 */
 410                if (IS_IMMUTABLE(inode))
 411                        return -EACCES;
 412        }
 413
 414        retval = do_inode_permission(inode, mask);
 415        if (retval)
 416                return retval;
 417
 418        retval = devcgroup_inode_permission(inode, mask);
 419        if (retval)
 420                return retval;
 421
 422        return security_inode_permission(inode, mask);
 423}
 424EXPORT_SYMBOL(__inode_permission);
 425
 426/**
 427 * sb_permission - Check superblock-level permissions
 428 * @sb: Superblock of inode to check permission on
 429 * @inode: Inode to check permission on
 430 * @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
 431 *
 432 * Separate out file-system wide checks from inode-specific permission checks.
 433 */
 434static int sb_permission(struct super_block *sb, struct inode *inode, int mask)
 435{
 436        if (unlikely(mask & MAY_WRITE)) {
 437                umode_t mode = inode->i_mode;
 438
 439                /* Nobody gets write access to a read-only fs. */
 440                if ((sb->s_flags & MS_RDONLY) &&
 441                    (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode)))
 442                        return -EROFS;
 443        }
 444        return 0;
 445}
 446
 447/**
 448 * inode_permission - Check for access rights to a given inode
 449 * @inode: Inode to check permission on
 450 * @mask: Right to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC)
 451 *
 452 * Check for read/write/execute permissions on an inode.  We use fs[ug]id for
 453 * this, letting us set arbitrary permissions for filesystem access without
 454 * changing the "normal" UIDs which are used for other things.
 455 *
 456 * When checking for MAY_APPEND, MAY_WRITE must also be set in @mask.
 457 */
 458int inode_permission(struct inode *inode, int mask)
 459{
 460        int retval;
 461
 462        retval = sb_permission(inode->i_sb, inode, mask);
 463        if (retval)
 464                return retval;
 465        return __inode_permission(inode, mask);
 466}
 467EXPORT_SYMBOL(inode_permission);
 468
 469/**
 470 * path_get - get a reference to a path
 471 * @path: path to get the reference to
 472 *
 473 * Given a path increment the reference count to the dentry and the vfsmount.
 474 */
 475void path_get(const struct path *path)
 476{
 477        mntget(path->mnt);
 478        dget(path->dentry);
 479}
 480EXPORT_SYMBOL(path_get);
 481
 482/**
 483 * path_put - put a reference to a path
 484 * @path: path to put the reference to
 485 *
 486 * Given a path decrement the reference count to the dentry and the vfsmount.
 487 */
 488void path_put(const struct path *path)
 489{
 490        dput(path->dentry);
 491        mntput(path->mnt);
 492}
 493EXPORT_SYMBOL(path_put);
 494
 495struct nameidata {
 496        struct path     path;
 497        struct qstr     last;
 498        struct path     root;
 499        struct inode    *inode; /* path.dentry.d_inode */
 500        unsigned int    flags;
 501        unsigned        seq, m_seq;
 502        int             last_type;
 503        unsigned        depth;
 504        struct file     *base;
 505        char *saved_names[MAX_NESTED_LINKS + 1];
 506};
 507
 508/*
 509 * Path walking has 2 modes, rcu-walk and ref-walk (see
 510 * Documentation/filesystems/path-lookup.txt).  In situations when we can't
 511 * continue in RCU mode, we attempt to drop out of rcu-walk mode and grab
 512 * normal reference counts on dentries and vfsmounts to transition to rcu-walk
 513 * mode.  Refcounts are grabbed at the last known good point before rcu-walk
 514 * got stuck, so ref-walk may continue from there. If this is not successful
 515 * (eg. a seqcount has changed), then failure is returned and it's up to caller
 516 * to restart the path walk from the beginning in ref-walk mode.
 517 */
 518
 519/**
 520 * unlazy_walk - try to switch to ref-walk mode.
 521 * @nd: nameidata pathwalk data
 522 * @dentry: child of nd->path.dentry or NULL
 523 * Returns: 0 on success, -ECHILD on failure
 524 *
 525 * unlazy_walk attempts to legitimize the current nd->path, nd->root and dentry
 526 * for ref-walk mode.  @dentry must be a path found by a do_lookup call on
 527 * @nd or NULL.  Must be called from rcu-walk context.
 528 */
 529static int unlazy_walk(struct nameidata *nd, struct dentry *dentry)
 530{
 531        struct fs_struct *fs = current->fs;
 532        struct dentry *parent = nd->path.dentry;
 533
 534        BUG_ON(!(nd->flags & LOOKUP_RCU));
 535
 536        /*
 537         * After legitimizing the bastards, terminate_walk()
 538         * will do the right thing for non-RCU mode, and all our
 539         * subsequent exit cases should rcu_read_unlock()
 540         * before returning.  Do vfsmount first; if dentry
 541         * can't be legitimized, just set nd->path.dentry to NULL
 542         * and rely on dput(NULL) being a no-op.
 543         */
 544        if (!legitimize_mnt(nd->path.mnt, nd->m_seq))
 545                return -ECHILD;
 546        nd->flags &= ~LOOKUP_RCU;
 547
 548        if (!lockref_get_not_dead(&parent->d_lockref)) {
 549                nd->path.dentry = NULL; 
 550                goto out;
 551        }
 552
 553        /*
 554         * For a negative lookup, the lookup sequence point is the parents
 555         * sequence point, and it only needs to revalidate the parent dentry.
 556         *
 557         * For a positive lookup, we need to move both the parent and the
 558         * dentry from the RCU domain to be properly refcounted. And the
 559         * sequence number in the dentry validates *both* dentry counters,
 560         * since we checked the sequence number of the parent after we got
 561         * the child sequence number. So we know the parent must still
 562         * be valid if the child sequence number is still valid.
 563         */
 564        if (!dentry) {
 565                if (read_seqcount_retry(&parent->d_seq, nd->seq))
 566                        goto out;
 567                BUG_ON(nd->inode != parent->d_inode);
 568        } else {
 569                if (!lockref_get_not_dead(&dentry->d_lockref))
 570                        goto out;
 571                if (read_seqcount_retry(&dentry->d_seq, nd->seq))
 572                        goto drop_dentry;
 573        }
 574
 575        /*
 576         * Sequence counts matched. Now make sure that the root is
 577         * still valid and get it if required.
 578         */
 579        if (nd->root.mnt && !(nd->flags & LOOKUP_ROOT)) {
 580                spin_lock(&fs->lock);
 581                if (nd->root.mnt != fs->root.mnt || nd->root.dentry != fs->root.dentry)
 582                        goto unlock_and_drop_dentry;
 583                path_get(&nd->root);
 584                spin_unlock(&fs->lock);
 585        }
 586
 587        rcu_read_unlock();
 588        return 0;
 589
 590unlock_and_drop_dentry:
 591        spin_unlock(&fs->lock);
 592drop_dentry:
 593        rcu_read_unlock();
 594        dput(dentry);
 595        goto drop_root_mnt;
 596out:
 597        rcu_read_unlock();
 598drop_root_mnt:
 599        if (!(nd->flags & LOOKUP_ROOT))
 600                nd->root.mnt = NULL;
 601        return -ECHILD;
 602}
 603
 604static inline int d_revalidate(struct dentry *dentry, unsigned int flags)
 605{
 606        return dentry->d_op->d_revalidate(dentry, flags);
 607}
 608
 609/**
 610 * complete_walk - successful completion of path walk
 611 * @nd:  pointer nameidata
 612 *
 613 * If we had been in RCU mode, drop out of it and legitimize nd->path.
 614 * Revalidate the final result, unless we'd already done that during
 615 * the path walk or the filesystem doesn't ask for it.  Return 0 on
 616 * success, -error on failure.  In case of failure caller does not
 617 * need to drop nd->path.
 618 */
 619static int complete_walk(struct nameidata *nd)
 620{
 621        struct dentry *dentry = nd->path.dentry;
 622        int status;
 623
 624        if (nd->flags & LOOKUP_RCU) {
 625                nd->flags &= ~LOOKUP_RCU;
 626                if (!(nd->flags & LOOKUP_ROOT))
 627                        nd->root.mnt = NULL;
 628
 629                if (!legitimize_mnt(nd->path.mnt, nd->m_seq)) {
 630                        rcu_read_unlock();
 631                        return -ECHILD;
 632                }
 633                if (unlikely(!lockref_get_not_dead(&dentry->d_lockref))) {
 634                        rcu_read_unlock();
 635                        mntput(nd->path.mnt);
 636                        return -ECHILD;
 637                }
 638                if (read_seqcount_retry(&dentry->d_seq, nd->seq)) {
 639                        rcu_read_unlock();
 640                        dput(dentry);
 641                        mntput(nd->path.mnt);
 642                        return -ECHILD;
 643                }
 644                rcu_read_unlock();
 645        }
 646
 647        if (likely(!(nd->flags & LOOKUP_JUMPED)))
 648                return 0;
 649
 650        if (likely(!(dentry->d_flags & DCACHE_OP_WEAK_REVALIDATE)))
 651                return 0;
 652
 653        status = dentry->d_op->d_weak_revalidate(dentry, nd->flags);
 654        if (status > 0)
 655                return 0;
 656
 657        if (!status)
 658                status = -ESTALE;
 659
 660        path_put(&nd->path);
 661        return status;
 662}
 663
 664static __always_inline void set_root(struct nameidata *nd)
 665{
 666        get_fs_root(current->fs, &nd->root);
 667}
 668
 669static int link_path_walk(const char *, struct nameidata *);
 670
 671static __always_inline unsigned set_root_rcu(struct nameidata *nd)
 672{
 673        struct fs_struct *fs = current->fs;
 674        unsigned seq, res;
 675
 676        do {
 677                seq = read_seqcount_begin(&fs->seq);
 678                nd->root = fs->root;
 679                res = __read_seqcount_begin(&nd->root.dentry->d_seq);
 680        } while (read_seqcount_retry(&fs->seq, seq));
 681        return res;
 682}
 683
 684static void path_put_conditional(struct path *path, struct nameidata *nd)
 685{
 686        dput(path->dentry);
 687        if (path->mnt != nd->path.mnt)
 688                mntput(path->mnt);
 689}
 690
 691static inline void path_to_nameidata(const struct path *path,
 692                                        struct nameidata *nd)
 693{
 694        if (!(nd->flags & LOOKUP_RCU)) {
 695                dput(nd->path.dentry);
 696                if (nd->path.mnt != path->mnt)
 697                        mntput(nd->path.mnt);
 698        }
 699        nd->path.mnt = path->mnt;
 700        nd->path.dentry = path->dentry;
 701}
 702
 703/*
 704 * Helper to directly jump to a known parsed path from ->follow_link,
 705 * caller must have taken a reference to path beforehand.
 706 */
 707void nd_jump_link(struct nameidata *nd, struct path *path)
 708{
 709        path_put(&nd->path);
 710
 711        nd->path = *path;
 712        nd->inode = nd->path.dentry->d_inode;
 713        nd->flags |= LOOKUP_JUMPED;
 714}
 715
 716void nd_set_link(struct nameidata *nd, char *path)
 717{
 718        nd->saved_names[nd->depth] = path;
 719}
 720EXPORT_SYMBOL(nd_set_link);
 721
 722char *nd_get_link(struct nameidata *nd)
 723{
 724        return nd->saved_names[nd->depth];
 725}
 726EXPORT_SYMBOL(nd_get_link);
 727
 728static inline void put_link(struct nameidata *nd, struct path *link, void *cookie)
 729{
 730        struct inode *inode = link->dentry->d_inode;
 731        if (inode->i_op->put_link)
 732                inode->i_op->put_link(link->dentry, nd, cookie);
 733        path_put(link);
 734}
 735
 736int sysctl_protected_symlinks __read_mostly = 0;
 737int sysctl_protected_hardlinks __read_mostly = 0;
 738
 739/**
 740 * may_follow_link - Check symlink following for unsafe situations
 741 * @link: The path of the symlink
 742 * @nd: nameidata pathwalk data
 743 *
 744 * In the case of the sysctl_protected_symlinks sysctl being enabled,
 745 * CAP_DAC_OVERRIDE needs to be specifically ignored if the symlink is
 746 * in a sticky world-writable directory. This is to protect privileged
 747 * processes from failing races against path names that may change out
 748 * from under them by way of other users creating malicious symlinks.
 749 * It will permit symlinks to be followed only when outside a sticky
 750 * world-writable directory, or when the uid of the symlink and follower
 751 * match, or when the directory owner matches the symlink's owner.
 752 *
 753 * Returns 0 if following the symlink is allowed, -ve on error.
 754 */
 755static inline int may_follow_link(struct path *link, struct nameidata *nd)
 756{
 757        const struct inode *inode;
 758        const struct inode *parent;
 759
 760        if (!sysctl_protected_symlinks)
 761                return 0;
 762
 763        /* Allowed if owner and follower match. */
 764        inode = link->dentry->d_inode;
 765        if (uid_eq(current_cred()->fsuid, inode->i_uid))
 766                return 0;
 767
 768        /* Allowed if parent directory not sticky and world-writable. */
 769        parent = nd->path.dentry->d_inode;
 770        if ((parent->i_mode & (S_ISVTX|S_IWOTH)) != (S_ISVTX|S_IWOTH))
 771                return 0;
 772
 773        /* Allowed if parent directory and link owner match. */
 774        if (uid_eq(parent->i_uid, inode->i_uid))
 775                return 0;
 776
 777        audit_log_link_denied("follow_link", link);
 778        path_put_conditional(link, nd);
 779        path_put(&nd->path);
 780        return -EACCES;
 781}
 782
 783/**
 784 * safe_hardlink_source - Check for safe hardlink conditions
 785 * @inode: the source inode to hardlink from
 786 *
 787 * Return false if at least one of the following conditions:
 788 *    - inode is not a regular file
 789 *    - inode is setuid
 790 *    - inode is setgid and group-exec
 791 *    - access failure for read and write
 792 *
 793 * Otherwise returns true.
 794 */
 795static bool safe_hardlink_source(struct inode *inode)
 796{
 797        umode_t mode = inode->i_mode;
 798
 799        /* Special files should not get pinned to the filesystem. */
 800        if (!S_ISREG(mode))
 801                return false;
 802
 803        /* Setuid files should not get pinned to the filesystem. */
 804        if (mode & S_ISUID)
 805                return false;
 806
 807        /* Executable setgid files should not get pinned to the filesystem. */
 808        if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
 809                return false;
 810
 811        /* Hardlinking to unreadable or unwritable sources is dangerous. */
 812        if (inode_permission(inode, MAY_READ | MAY_WRITE))
 813                return false;
 814
 815        return true;
 816}
 817
 818/**
 819 * may_linkat - Check permissions for creating a hardlink
 820 * @link: the source to hardlink from
 821 *
 822 * Block hardlink when all of:
 823 *  - sysctl_protected_hardlinks enabled
 824 *  - fsuid does not match inode
 825 *  - hardlink source is unsafe (see safe_hardlink_source() above)
 826 *  - not CAP_FOWNER
 827 *
 828 * Returns 0 if successful, -ve on error.
 829 */
 830static int may_linkat(struct path *link)
 831{
 832        const struct cred *cred;
 833        struct inode *inode;
 834
 835        if (!sysctl_protected_hardlinks)
 836                return 0;
 837
 838        cred = current_cred();
 839        inode = link->dentry->d_inode;
 840
 841        /* Source inode owner (or CAP_FOWNER) can hardlink all they like,
 842         * otherwise, it must be a safe source.
 843         */
 844        if (uid_eq(cred->fsuid, inode->i_uid) || safe_hardlink_source(inode) ||
 845            capable(CAP_FOWNER))
 846                return 0;
 847
 848        audit_log_link_denied("linkat", link);
 849        return -EPERM;
 850}
 851
 852static __always_inline int
 853follow_link(struct path *link, struct nameidata *nd, void **p)
 854{
 855        struct dentry *dentry = link->dentry;
 856        int error;
 857        char *s;
 858
 859        BUG_ON(nd->flags & LOOKUP_RCU);
 860
 861        if (link->mnt == nd->path.mnt)
 862                mntget(link->mnt);
 863
 864        error = -ELOOP;
 865        if (unlikely(current->total_link_count >= 40))
 866                goto out_put_nd_path;
 867
 868        cond_resched();
 869        current->total_link_count++;
 870
 871        touch_atime(link);
 872        nd_set_link(nd, NULL);
 873
 874        error = security_inode_follow_link(link->dentry, nd);
 875        if (error)
 876                goto out_put_nd_path;
 877
 878        nd->last_type = LAST_BIND;
 879        *p = dentry->d_inode->i_op->follow_link(dentry, nd);
 880        error = PTR_ERR(*p);
 881        if (IS_ERR(*p))
 882                goto out_put_nd_path;
 883
 884        error = 0;
 885        s = nd_get_link(nd);
 886        if (s) {
 887                if (unlikely(IS_ERR(s))) {
 888                        path_put(&nd->path);
 889                        put_link(nd, link, *p);
 890                        return PTR_ERR(s);
 891                }
 892                if (*s == '/') {
 893                        if (!nd->root.mnt)
 894                                set_root(nd);
 895                        path_put(&nd->path);
 896                        nd->path = nd->root;
 897                        path_get(&nd->root);
 898                        nd->flags |= LOOKUP_JUMPED;
 899                }
 900                nd->inode = nd->path.dentry->d_inode;
 901                error = link_path_walk(s, nd);
 902                if (unlikely(error))
 903                        put_link(nd, link, *p);
 904        }
 905
 906        return error;
 907
 908out_put_nd_path:
 909        *p = NULL;
 910        path_put(&nd->path);
 911        path_put(link);
 912        return error;
 913}
 914
 915static int follow_up_rcu(struct path *path)
 916{
 917        struct mount *mnt = real_mount(path->mnt);
 918        struct mount *parent;
 919        struct dentry *mountpoint;
 920
 921        parent = mnt->mnt_parent;
 922        if (&parent->mnt == path->mnt)
 923                return 0;
 924        mountpoint = mnt->mnt_mountpoint;
 925        path->dentry = mountpoint;
 926        path->mnt = &parent->mnt;
 927        return 1;
 928}
 929
 930/*
 931 * follow_up - Find the mountpoint of path's vfsmount
 932 *
 933 * Given a path, find the mountpoint of its source file system.
 934 * Replace @path with the path of the mountpoint in the parent mount.
 935 * Up is towards /.
 936 *
 937 * Return 1 if we went up a level and 0 if we were already at the
 938 * root.
 939 */
 940int follow_up(struct path *path)
 941{
 942        struct mount *mnt = real_mount(path->mnt);
 943        struct mount *parent;
 944        struct dentry *mountpoint;
 945
 946        read_seqlock_excl(&mount_lock);
 947        parent = mnt->mnt_parent;
 948        if (parent == mnt) {
 949                read_sequnlock_excl(&mount_lock);
 950                return 0;
 951        }
 952        mntget(&parent->mnt);
 953        mountpoint = dget(mnt->mnt_mountpoint);
 954        read_sequnlock_excl(&mount_lock);
 955        dput(path->dentry);
 956        path->dentry = mountpoint;
 957        mntput(path->mnt);
 958        path->mnt = &parent->mnt;
 959        return 1;
 960}
 961EXPORT_SYMBOL(follow_up);
 962
 963/*
 964 * Perform an automount
 965 * - return -EISDIR to tell follow_managed() to stop and return the path we
 966 *   were called with.
 967 */
 968static int follow_automount(struct path *path, unsigned flags,
 969                            bool *need_mntput)
 970{
 971        struct vfsmount *mnt;
 972        int err;
 973
 974        if (!path->dentry->d_op || !path->dentry->d_op->d_automount)
 975                return -EREMOTE;
 976
 977        /* We don't want to mount if someone's just doing a stat -
 978         * unless they're stat'ing a directory and appended a '/' to
 979         * the name.
 980         *
 981         * We do, however, want to mount if someone wants to open or
 982         * create a file of any type under the mountpoint, wants to
 983         * traverse through the mountpoint or wants to open the
 984         * mounted directory.  Also, autofs may mark negative dentries
 985         * as being automount points.  These will need the attentions
 986         * of the daemon to instantiate them before they can be used.
 987         */
 988        if (!(flags & (LOOKUP_PARENT | LOOKUP_DIRECTORY |
 989                     LOOKUP_OPEN | LOOKUP_CREATE | LOOKUP_AUTOMOUNT)) &&
 990            path->dentry->d_inode)
 991                return -EISDIR;
 992
 993        current->total_link_count++;
 994        if (current->total_link_count >= 40)
 995                return -ELOOP;
 996
 997        mnt = path->dentry->d_op->d_automount(path);
 998        if (IS_ERR(mnt)) {
 999                /*
1000                 * The filesystem is allowed to return -EISDIR here to indicate
1001                 * it doesn't want to automount.  For instance, autofs would do
1002                 * this so that its userspace daemon can mount on this dentry.
1003                 *
1004                 * However, we can only permit this if it's a terminal point in
1005                 * the path being looked up; if it wasn't then the remainder of
1006                 * the path is inaccessible and we should say so.
1007                 */
1008                if (PTR_ERR(mnt) == -EISDIR && (flags & LOOKUP_PARENT))
1009                        return -EREMOTE;
1010                return PTR_ERR(mnt);
1011        }
1012
1013        if (!mnt) /* mount collision */
1014                return 0;
1015
1016        if (!*need_mntput) {
1017                /* lock_mount() may release path->mnt on error */
1018                mntget(path->mnt);
1019                *need_mntput = true;
1020        }
1021        err = finish_automount(mnt, path);
1022
1023        switch (err) {
1024        case -EBUSY:
1025                /* Someone else made a mount here whilst we were busy */
1026                return 0;
1027        case 0:
1028                path_put(path);
1029                path->mnt = mnt;
1030                path->dentry = dget(mnt->mnt_root);
1031                return 0;
1032        default:
1033                return err;
1034        }
1035
1036}
1037
1038/*
1039 * Handle a dentry that is managed in some way.
1040 * - Flagged for transit management (autofs)
1041 * - Flagged as mountpoint
1042 * - Flagged as automount point
1043 *
1044 * This may only be called in refwalk mode.
1045 *
1046 * Serialization is taken care of in namespace.c
1047 */
1048static int follow_managed(struct path *path, unsigned flags)
1049{
1050        struct vfsmount *mnt = path->mnt; /* held by caller, must be left alone */
1051        unsigned managed;
1052        bool need_mntput = false;
1053        int ret = 0;
1054
1055        /* Given that we're not holding a lock here, we retain the value in a
1056         * local variable for each dentry as we look at it so that we don't see
1057         * the components of that value change under us */
1058        while (managed = ACCESS_ONCE(path->dentry->d_flags),
1059               managed &= DCACHE_MANAGED_DENTRY,
1060               unlikely(managed != 0)) {
1061                /* Allow the filesystem to manage the transit without i_mutex
1062                 * being held. */
1063                if (managed & DCACHE_MANAGE_TRANSIT) {
1064                        BUG_ON(!path->dentry->d_op);
1065                        BUG_ON(!path->dentry->d_op->d_manage);
1066                        ret = path->dentry->d_op->d_manage(path->dentry, false);
1067                        if (ret < 0)
1068                                break;
1069                }
1070
1071                /* Transit to a mounted filesystem. */
1072                if (managed & DCACHE_MOUNTED) {
1073                        struct vfsmount *mounted = lookup_mnt(path);
1074                        if (mounted) {
1075                                dput(path->dentry);
1076                                if (need_mntput)
1077                                        mntput(path->mnt);
1078                                path->mnt = mounted;
1079                                path->dentry = dget(mounted->mnt_root);
1080                                need_mntput = true;
1081                                continue;
1082                        }
1083
1084                        /* Something is mounted on this dentry in another
1085                         * namespace and/or whatever was mounted there in this
1086                         * namespace got unmounted before lookup_mnt() could
1087                         * get it */
1088                }
1089
1090                /* Handle an automount point */
1091                if (managed & DCACHE_NEED_AUTOMOUNT) {
1092                        ret = follow_automount(path, flags, &need_mntput);
1093                        if (ret < 0)
1094                                break;
1095                        continue;
1096                }
1097
1098                /* We didn't change the current path point */
1099                break;
1100        }
1101
1102        if (need_mntput && path->mnt == mnt)
1103                mntput(path->mnt);
1104        if (ret == -EISDIR)
1105                ret = 0;
1106        return ret < 0 ? ret : need_mntput;
1107}
1108
1109int follow_down_one(struct path *path)
1110{
1111        struct vfsmount *mounted;
1112
1113        mounted = lookup_mnt(path);
1114        if (mounted) {
1115                dput(path->dentry);
1116                mntput(path->mnt);
1117                path->mnt = mounted;
1118                path->dentry = dget(mounted->mnt_root);
1119                return 1;
1120        }
1121        return 0;
1122}
1123EXPORT_SYMBOL(follow_down_one);
1124
1125static inline int managed_dentry_rcu(struct dentry *dentry)
1126{
1127        return (dentry->d_flags & DCACHE_MANAGE_TRANSIT) ?
1128                dentry->d_op->d_manage(dentry, true) : 0;
1129}
1130
1131/*
1132 * Try to skip to top of mountpoint pile in rcuwalk mode.  Fail if
1133 * we meet a managed dentry that would need blocking.
1134 */
1135static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
1136                               struct inode **inode)
1137{
1138        for (;;) {
1139                struct mount *mounted;
1140                /*
1141                 * Don't forget we might have a non-mountpoint managed dentry
1142                 * that wants to block transit.
1143                 */
1144                switch (managed_dentry_rcu(path->dentry)) {
1145                case -ECHILD:
1146                default:
1147                        return false;
1148                case -EISDIR:
1149                        return true;
1150                case 0:
1151                        break;
1152                }
1153
1154                if (!d_mountpoint(path->dentry))
1155                        return !(path->dentry->d_flags & DCACHE_NEED_AUTOMOUNT);
1156
1157                mounted = __lookup_mnt(path->mnt, path->dentry);
1158                if (!mounted)
1159                        break;
1160                path->mnt = &mounted->mnt;
1161                path->dentry = mounted->mnt.mnt_root;
1162                nd->flags |= LOOKUP_JUMPED;
1163                nd->seq = read_seqcount_begin(&path->dentry->d_seq);
1164                /*
1165                 * Update the inode too. We don't need to re-check the
1166                 * dentry sequence number here after this d_inode read,
1167                 * because a mount-point is always pinned.
1168                 */
1169                *inode = path->dentry->d_inode;
1170        }
1171        return !read_seqretry(&mount_lock, nd->m_seq) &&
1172                !(path->dentry->d_flags & DCACHE_NEED_AUTOMOUNT);
1173}
1174
1175static int follow_dotdot_rcu(struct nameidata *nd)
1176{
1177        struct inode *inode = nd->inode;
1178        if (!nd->root.mnt)
1179                set_root_rcu(nd);
1180
1181        while (1) {
1182                if (nd->path.dentry == nd->root.dentry &&
1183                    nd->path.mnt == nd->root.mnt) {
1184                        break;
1185                }
1186                if (nd->path.dentry != nd->path.mnt->mnt_root) {
1187                        struct dentry *old = nd->path.dentry;
1188                        struct dentry *parent = old->d_parent;
1189                        unsigned seq;
1190
1191                        inode = parent->d_inode;
1192                        seq = read_seqcount_begin(&parent->d_seq);
1193                        if (read_seqcount_retry(&old->d_seq, nd->seq))
1194                                goto failed;
1195                        nd->path.dentry = parent;
1196                        nd->seq = seq;
1197                        break;
1198                }
1199                if (!follow_up_rcu(&nd->path))
1200                        break;
1201                inode = nd->path.dentry->d_inode;
1202                nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq);
1203        }
1204        while (d_mountpoint(nd->path.dentry)) {
1205                struct mount *mounted;
1206                mounted = __lookup_mnt(nd->path.mnt, nd->path.dentry);
1207                if (!mounted)
1208                        break;
1209                nd->path.mnt = &mounted->mnt;
1210                nd->path.dentry = mounted->mnt.mnt_root;
1211                inode = nd->path.dentry->d_inode;
1212                nd->seq = read_seqcount_begin(&nd->path.dentry->d_seq);
1213                if (read_seqretry(&mount_lock, nd->m_seq))
1214                        goto failed;
1215        }
1216        nd->inode = inode;
1217        return 0;
1218
1219failed:
1220        nd->flags &= ~LOOKUP_RCU;
1221        if (!(nd->flags & LOOKUP_ROOT))
1222                nd->root.mnt = NULL;
1223        rcu_read_unlock();
1224        return -ECHILD;
1225}
1226
1227/*
1228 * Follow down to the covering mount currently visible to userspace.  At each
1229 * point, the filesystem owning that dentry may be queried as to whether the
1230 * caller is permitted to proceed or not.
1231 */
1232int follow_down(struct path *path)
1233{
1234        unsigned managed;
1235        int ret;
1236
1237        while (managed = ACCESS_ONCE(path->dentry->d_flags),
1238               unlikely(managed & DCACHE_MANAGED_DENTRY)) {
1239                /* Allow the filesystem to manage the transit without i_mutex
1240                 * being held.
1241                 *
1242                 * We indicate to the filesystem if someone is trying to mount
1243                 * something here.  This gives autofs the chance to deny anyone
1244                 * other than its daemon the right to mount on its
1245                 * superstructure.
1246                 *
1247                 * The filesystem may sleep at this point.
1248                 */
1249                if (managed & DCACHE_MANAGE_TRANSIT) {
1250                        BUG_ON(!path->dentry->d_op);
1251                        BUG_ON(!path->dentry->d_op->d_manage);
1252                        ret = path->dentry->d_op->d_manage(
1253                                path->dentry, false);
1254                        if (ret < 0)
1255                                return ret == -EISDIR ? 0 : ret;
1256                }
1257
1258                /* Transit to a mounted filesystem. */
1259                if (managed & DCACHE_MOUNTED) {
1260                        struct vfsmount *mounted = lookup_mnt(path);
1261                        if (!mounted)
1262                                break;
1263                        dput(path->dentry);
1264                        mntput(path->mnt);
1265                        path->mnt = mounted;
1266                        path->dentry = dget(mounted->mnt_root);
1267                        continue;
1268                }
1269
1270                /* Don't handle automount points here */
1271                break;
1272        }
1273        return 0;
1274}
1275EXPORT_SYMBOL(follow_down);
1276
1277/*
1278 * Skip to top of mountpoint pile in refwalk mode for follow_dotdot()
1279 */
1280static void follow_mount(struct path *path)
1281{
1282        while (d_mountpoint(path->dentry)) {
1283                struct vfsmount *mounted = lookup_mnt(path);
1284                if (!mounted)
1285                        break;
1286                dput(path->dentry);
1287                mntput(path->mnt);
1288                path->mnt = mounted;
1289                path->dentry = dget(mounted->mnt_root);
1290        }
1291}
1292
1293static void follow_dotdot(struct nameidata *nd)
1294{
1295        if (!nd->root.mnt)
1296                set_root(nd);
1297
1298        while(1) {
1299                struct dentry *old = nd->path.dentry;
1300
1301                if (nd->path.dentry == nd->root.dentry &&
1302                    nd->path.mnt == nd->root.mnt) {
1303                        break;
1304                }
1305                if (nd->path.dentry != nd->path.mnt->mnt_root) {
1306                        /* rare case of legitimate dget_parent()... */
1307                        nd->path.dentry = dget_parent(nd->path.dentry);
1308                        dput(old);
1309                        break;
1310                }
1311                if (!follow_up(&nd->path))
1312                        break;
1313        }
1314        follow_mount(&nd->path);
1315        nd->inode = nd->path.dentry->d_inode;
1316}
1317
1318/*
1319 * This looks up the name in dcache, possibly revalidates the old dentry and
1320 * allocates a new one if not found or not valid.  In the need_lookup argument
1321 * returns whether i_op->lookup is necessary.
1322 *
1323 * dir->d_inode->i_mutex must be held
1324 */
1325static struct dentry *lookup_dcache(struct qstr *name, struct dentry *dir,
1326                                    unsigned int flags, bool *need_lookup)
1327{
1328        struct dentry *dentry;
1329        int error;
1330
1331        *need_lookup = false;
1332        dentry = d_lookup(dir, name);
1333        if (dentry) {
1334                if (dentry->d_flags & DCACHE_OP_REVALIDATE) {
1335                        error = d_revalidate(dentry, flags);
1336                        if (unlikely(error <= 0)) {
1337                                if (error < 0) {
1338                                        dput(dentry);
1339                                        return ERR_PTR(error);
1340                                } else {
1341                                        d_invalidate(dentry);
1342                                        dput(dentry);
1343                                        dentry = NULL;
1344                                }
1345                        }
1346                }
1347        }
1348
1349        if (!dentry) {
1350                dentry = d_alloc(dir, name);
1351                if (unlikely(!dentry))
1352                        return ERR_PTR(-ENOMEM);
1353
1354                *need_lookup = true;
1355        }
1356        return dentry;
1357}
1358
1359/*
1360 * Call i_op->lookup on the dentry.  The dentry must be negative and
1361 * unhashed.
1362 *
1363 * dir->d_inode->i_mutex must be held
1364 */
1365static struct dentry *lookup_real(struct inode *dir, struct dentry *dentry,
1366                                  unsigned int flags)
1367{
1368        struct dentry *old;
1369
1370        /* Don't create child dentry for a dead directory. */
1371        if (unlikely(IS_DEADDIR(dir))) {
1372                dput(dentry);
1373                return ERR_PTR(-ENOENT);
1374        }
1375
1376        old = dir->i_op->lookup(dir, dentry, flags);
1377        if (unlikely(old)) {
1378                dput(dentry);
1379                dentry = old;
1380        }
1381        return dentry;
1382}
1383
1384static struct dentry *__lookup_hash(struct qstr *name,
1385                struct dentry *base, unsigned int flags)
1386{
1387        bool need_lookup;
1388        struct dentry *dentry;
1389
1390        dentry = lookup_dcache(name, base, flags, &need_lookup);
1391        if (!need_lookup)
1392                return dentry;
1393
1394        return lookup_real(base->d_inode, dentry, flags);
1395}
1396
1397/*
1398 *  It's more convoluted than I'd like it to be, but... it's still fairly
1399 *  small and for now I'd prefer to have fast path as straight as possible.
1400 *  It _is_ time-critical.
1401 */
1402static int lookup_fast(struct nameidata *nd,
1403                       struct path *path, struct inode **inode)
1404{
1405        struct vfsmount *mnt = nd->path.mnt;
1406        struct dentry *dentry, *parent = nd->path.dentry;
1407        int need_reval = 1;
1408        int status = 1;
1409        int err;
1410
1411        /*
1412         * Rename seqlock is not required here because in the off chance
1413         * of a false negative due to a concurrent rename, we're going to
1414         * do the non-racy lookup, below.
1415         */
1416        if (nd->flags & LOOKUP_RCU) {
1417                unsigned seq;
1418                bool negative;
1419                dentry = __d_lookup_rcu(parent, &nd->last, &seq);
1420                if (!dentry)
1421                        goto unlazy;
1422
1423                /*
1424                 * This sequence count validates that the inode matches
1425                 * the dentry name information from lookup.
1426                 */
1427                *inode = dentry->d_inode;
1428                negative = d_is_negative(dentry);
1429                if (read_seqcount_retry(&dentry->d_seq, seq))
1430                        return -ECHILD;
1431                if (negative)
1432                        return -ENOENT;
1433
1434                /*
1435                 * This sequence count validates that the parent had no
1436                 * changes while we did the lookup of the dentry above.
1437                 *
1438                 * The memory barrier in read_seqcount_begin of child is
1439                 *  enough, we can use __read_seqcount_retry here.
1440                 */
1441                if (__read_seqcount_retry(&parent->d_seq, nd->seq))
1442                        return -ECHILD;
1443                nd->seq = seq;
1444
1445                if (unlikely(dentry->d_flags & DCACHE_OP_REVALIDATE)) {
1446                        status = d_revalidate(dentry, nd->flags);
1447                        if (unlikely(status <= 0)) {
1448                                if (status != -ECHILD)
1449                                        need_reval = 0;
1450                                goto unlazy;
1451                        }
1452                }
1453                path->mnt = mnt;
1454                path->dentry = dentry;
1455                if (likely(__follow_mount_rcu(nd, path, inode)))
1456                        return 0;
1457unlazy:
1458                if (unlazy_walk(nd, dentry))
1459                        return -ECHILD;
1460        } else {
1461                dentry = __d_lookup(parent, &nd->last);
1462        }
1463
1464        if (unlikely(!dentry))
1465                goto need_lookup;
1466
1467        if (unlikely(dentry->d_flags & DCACHE_OP_REVALIDATE) && need_reval)
1468                status = d_revalidate(dentry, nd->flags);
1469        if (unlikely(status <= 0)) {
1470                if (status < 0) {
1471                        dput(dentry);
1472                        return status;
1473                }
1474                d_invalidate(dentry);
1475                dput(dentry);
1476                goto need_lookup;
1477        }
1478
1479        if (unlikely(d_is_negative(dentry))) {
1480                dput(dentry);
1481                return -ENOENT;
1482        }
1483        path->mnt = mnt;
1484        path->dentry = dentry;
1485        err = follow_managed(path, nd->flags);
1486        if (unlikely(err < 0)) {
1487                path_put_conditional(path, nd);
1488                return err;
1489        }
1490        if (err)
1491                nd->flags |= LOOKUP_JUMPED;
1492        *inode = path->dentry->d_inode;
1493        return 0;
1494
1495need_lookup:
1496        return 1;
1497}
1498
1499/* Fast lookup failed, do it the slow way */
1500static int lookup_slow(struct nameidata *nd, struct path *path)
1501{
1502        struct dentry *dentry, *parent;
1503        int err;
1504
1505        parent = nd->path.dentry;
1506        BUG_ON(nd->inode != parent->d_inode);
1507
1508        mutex_lock(&parent->d_inode->i_mutex);
1509        dentry = __lookup_hash(&nd->last, parent, nd->flags);
1510        mutex_unlock(&parent->d_inode->i_mutex);
1511        if (IS_ERR(dentry))
1512                return PTR_ERR(dentry);
1513        path->mnt = nd->path.mnt;
1514        path->dentry = dentry;
1515        err = follow_managed(path, nd->flags);
1516        if (unlikely(err < 0)) {
1517                path_put_conditional(path, nd);
1518                return err;
1519        }
1520        if (err)
1521                nd->flags |= LOOKUP_JUMPED;
1522        return 0;
1523}
1524
1525static inline int may_lookup(struct nameidata *nd)
1526{
1527        if (nd->flags & LOOKUP_RCU) {
1528                int err = inode_permission(nd->inode, MAY_EXEC|MAY_NOT_BLOCK);
1529                if (err != -ECHILD)
1530                        return err;
1531                if (unlazy_walk(nd, NULL))
1532                        return -ECHILD;
1533        }
1534        return inode_permission(nd->inode, MAY_EXEC);
1535}
1536
1537static inline int handle_dots(struct nameidata *nd, int type)
1538{
1539        if (type == LAST_DOTDOT) {
1540                if (nd->flags & LOOKUP_RCU) {
1541                        if (follow_dotdot_rcu(nd))
1542                                return -ECHILD;
1543                } else
1544                        follow_dotdot(nd);
1545        }
1546        return 0;
1547}
1548
1549static void terminate_walk(struct nameidata *nd)
1550{
1551        if (!(nd->flags & LOOKUP_RCU)) {
1552                path_put(&nd->path);
1553        } else {
1554                nd->flags &= ~LOOKUP_RCU;
1555                if (!(nd->flags & LOOKUP_ROOT))
1556                        nd->root.mnt = NULL;
1557                rcu_read_unlock();
1558        }
1559}
1560
1561/*
1562 * Do we need to follow links? We _really_ want to be able
1563 * to do this check without having to look at inode->i_op,
1564 * so we keep a cache of "no, this doesn't need follow_link"
1565 * for the common case.
1566 */
1567static inline int should_follow_link(struct dentry *dentry, int follow)
1568{
1569        return unlikely(d_is_symlink(dentry)) ? follow : 0;
1570}
1571
1572static inline int walk_component(struct nameidata *nd, struct path *path,
1573                int follow)
1574{
1575        struct inode *inode;
1576        int err;
1577        /*
1578         * "." and ".." are special - ".." especially so because it has
1579         * to be able to know about the current root directory and
1580         * parent relationships.
1581         */
1582        if (unlikely(nd->last_type != LAST_NORM))
1583                return handle_dots(nd, nd->last_type);
1584        err = lookup_fast(nd, path, &inode);
1585        if (unlikely(err)) {
1586                if (err < 0)
1587                        goto out_err;
1588
1589                err = lookup_slow(nd, path);
1590                if (err < 0)
1591                        goto out_err;
1592
1593                inode = path->dentry->d_inode;
1594                err = -ENOENT;
1595                if (d_is_negative(path->dentry))
1596                        goto out_path_put;
1597        }
1598
1599        if (should_follow_link(path->dentry, follow)) {
1600                if (nd->flags & LOOKUP_RCU) {
1601                        if (unlikely(nd->path.mnt != path->mnt ||
1602                                     unlazy_walk(nd, path->dentry))) {
1603                                err = -ECHILD;
1604                                goto out_err;
1605                        }
1606                }
1607                BUG_ON(inode != path->dentry->d_inode);
1608                return 1;
1609        }
1610        path_to_nameidata(path, nd);
1611        nd->inode = inode;
1612        return 0;
1613
1614out_path_put:
1615        path_to_nameidata(path, nd);
1616out_err:
1617        terminate_walk(nd);
1618        return err;
1619}
1620
1621/*
1622 * This limits recursive symlink follows to 8, while
1623 * limiting consecutive symlinks to 40.
1624 *
1625 * Without that kind of total limit, nasty chains of consecutive
1626 * symlinks can cause almost arbitrarily long lookups.
1627 */
1628static inline int nested_symlink(struct path *path, struct nameidata *nd)
1629{
1630        int res;
1631
1632        if (unlikely(current->link_count >= MAX_NESTED_LINKS)) {
1633                path_put_conditional(path, nd);
1634                path_put(&nd->path);
1635                return -ELOOP;
1636        }
1637        BUG_ON(nd->depth >= MAX_NESTED_LINKS);
1638
1639        nd->depth++;
1640        current->link_count++;
1641
1642        do {
1643                struct path link = *path;
1644                void *cookie;
1645
1646                res = follow_link(&link, nd, &cookie);
1647                if (res)
1648                        break;
1649                res = walk_component(nd, path, LOOKUP_FOLLOW);
1650                put_link(nd, &link, cookie);
1651        } while (res > 0);
1652
1653        current->link_count--;
1654        nd->depth--;
1655        return res;
1656}
1657
1658/*
1659 * We can do the critical dentry name comparison and hashing
1660 * operations one word at a time, but we are limited to:
1661 *
1662 * - Architectures with fast unaligned word accesses. We could
1663 *   do a "get_unaligned()" if this helps and is sufficiently
1664 *   fast.
1665 *
1666 * - non-CONFIG_DEBUG_PAGEALLOC configurations (so that we
1667 *   do not trap on the (extremely unlikely) case of a page
1668 *   crossing operation.
1669 *
1670 * - Furthermore, we need an efficient 64-bit compile for the
1671 *   64-bit case in order to generate the "number of bytes in
1672 *   the final mask". Again, that could be replaced with a
1673 *   efficient population count instruction or similar.
1674 */
1675#ifdef CONFIG_DCACHE_WORD_ACCESS
1676
1677#include <asm/word-at-a-time.h>
1678
1679#ifdef CONFIG_64BIT
1680
1681static inline unsigned int fold_hash(unsigned long hash)
1682{
1683        return hash_64(hash, 32);
1684}
1685
1686#else   /* 32-bit case */
1687
1688#define fold_hash(x) (x)
1689
1690#endif
1691
1692unsigned int full_name_hash(const unsigned char *name, unsigned int len)
1693{
1694        unsigned long a, mask;
1695        unsigned long hash = 0;
1696
1697        for (;;) {
1698                a = load_unaligned_zeropad(name);
1699                if (len < sizeof(unsigned long))
1700                        break;
1701                hash += a;
1702                hash *= 9;
1703                name += sizeof(unsigned long);
1704                len -= sizeof(unsigned long);
1705                if (!len)
1706                        goto done;
1707        }
1708        mask = bytemask_from_count(len);
1709        hash += mask & a;
1710done:
1711        return fold_hash(hash);
1712}
1713EXPORT_SYMBOL(full_name_hash);
1714
1715/*
1716 * Calculate the length and hash of the path component, and
1717 * return the "hash_len" as the result.
1718 */
1719static inline u64 hash_name(const char *name)
1720{
1721        unsigned long a, b, adata, bdata, mask, hash, len;
1722        const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
1723
1724        hash = a = 0;
1725        len = -sizeof(unsigned long);
1726        do {
1727                hash = (hash + a) * 9;
1728                len += sizeof(unsigned long);
1729                a = load_unaligned_zeropad(name+len);
1730                b = a ^ REPEAT_BYTE('/');
1731        } while (!(has_zero(a, &adata, &constants) | has_zero(b, &bdata, &constants)));
1732
1733        adata = prep_zero_mask(a, adata, &constants);
1734        bdata = prep_zero_mask(b, bdata, &constants);
1735
1736        mask = create_zero_mask(adata | bdata);
1737
1738        hash += a & zero_bytemask(mask);
1739        len += find_zero(mask);
1740        return hashlen_create(fold_hash(hash), len);
1741}
1742
1743#else
1744
1745unsigned int full_name_hash(const unsigned char *name, unsigned int len)
1746{
1747        unsigned long hash = init_name_hash();
1748        while (len--)
1749                hash = partial_name_hash(*name++, hash);
1750        return end_name_hash(hash);
1751}
1752EXPORT_SYMBOL(full_name_hash);
1753
1754/*
1755 * We know there's a real path component here of at least
1756 * one character.
1757 */
1758static inline u64 hash_name(const char *name)
1759{
1760        unsigned long hash = init_name_hash();
1761        unsigned long len = 0, c;
1762
1763        c = (unsigned char)*name;
1764        do {
1765                len++;
1766                hash = partial_name_hash(c, hash);
1767                c = (unsigned char)name[len];
1768        } while (c && c != '/');
1769        return hashlen_create(end_name_hash(hash), len);
1770}
1771
1772#endif
1773
1774/*
1775 * Name resolution.
1776 * This is the basic name resolution function, turning a pathname into
1777 * the final dentry. We expect 'base' to be positive and a directory.
1778 *
1779 * Returns 0 and nd will have valid dentry and mnt on success.
1780 * Returns error and drops reference to input namei data on failure.
1781 */
1782static int link_path_walk(const char *name, struct nameidata *nd)
1783{
1784        struct path next;
1785        int err;
1786        
1787        while (*name=='/')
1788                name++;
1789        if (!*name)
1790                return 0;
1791
1792        /* At this point we know we have a real path component. */
1793        for(;;) {
1794                u64 hash_len;
1795                int type;
1796
1797                err = may_lookup(nd);
1798                if (err)
1799                        break;
1800
1801                hash_len = hash_name(name);
1802
1803                type = LAST_NORM;
1804                if (name[0] == '.') switch (hashlen_len(hash_len)) {
1805                        case 2:
1806                                if (name[1] == '.') {
1807                                        type = LAST_DOTDOT;
1808                                        nd->flags |= LOOKUP_JUMPED;
1809                                }
1810                                break;
1811                        case 1:
1812                                type = LAST_DOT;
1813                }
1814                if (likely(type == LAST_NORM)) {
1815                        struct dentry *parent = nd->path.dentry;
1816                        nd->flags &= ~LOOKUP_JUMPED;
1817                        if (unlikely(parent->d_flags & DCACHE_OP_HASH)) {
1818                                struct qstr this = { { .hash_len = hash_len }, .name = name };
1819                                err = parent->d_op->d_hash(parent, &this);
1820                                if (err < 0)
1821                                        break;
1822                                hash_len = this.hash_len;
1823                                name = this.name;
1824                        }
1825                }
1826
1827                nd->last.hash_len = hash_len;
1828                nd->last.name = name;
1829                nd->last_type = type;
1830
1831                name += hashlen_len(hash_len);
1832                if (!*name)
1833                        return 0;
1834                /*
1835                 * If it wasn't NUL, we know it was '/'. Skip that
1836                 * slash, and continue until no more slashes.
1837                 */
1838                do {
1839                        name++;
1840                } while (unlikely(*name == '/'));
1841                if (!*name)
1842                        return 0;
1843
1844                err = walk_component(nd, &next, LOOKUP_FOLLOW);
1845                if (err < 0)
1846                        return err;
1847
1848                if (err) {
1849                        err = nested_symlink(&next, nd);
1850                        if (err)
1851                                return err;
1852                }
1853                if (!d_can_lookup(nd->path.dentry)) {
1854                        err = -ENOTDIR; 
1855                        break;
1856                }
1857        }
1858        terminate_walk(nd);
1859        return err;
1860}
1861
1862static int path_init(int dfd, const struct filename *name, unsigned int flags,
1863                     struct nameidata *nd)
1864{
1865        int retval = 0;
1866        const char *s = name->name;
1867
1868        nd->last_type = LAST_ROOT; /* if there are only slashes... */
1869        nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;
1870        nd->depth = 0;
1871        nd->base = NULL;
1872        if (flags & LOOKUP_ROOT) {
1873                struct dentry *root = nd->root.dentry;
1874                struct inode *inode = root->d_inode;
1875                if (*s) {
1876                        if (!d_can_lookup(root))
1877                                return -ENOTDIR;
1878                        retval = inode_permission(inode, MAY_EXEC);
1879                        if (retval)
1880                                return retval;
1881                }
1882                nd->path = nd->root;
1883                nd->inode = inode;
1884                if (flags & LOOKUP_RCU) {
1885                        rcu_read_lock();
1886                        nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
1887                        nd->m_seq = read_seqbegin(&mount_lock);
1888                } else {
1889                        path_get(&nd->path);
1890                }
1891                goto done;
1892        }
1893
1894        nd->root.mnt = NULL;
1895
1896        nd->m_seq = read_seqbegin(&mount_lock);
1897        if (*s == '/') {
1898                if (flags & LOOKUP_RCU) {
1899                        rcu_read_lock();
1900                        nd->seq = set_root_rcu(nd);
1901                } else {
1902                        set_root(nd);
1903                        path_get(&nd->root);
1904                }
1905                nd->path = nd->root;
1906        } else if (dfd == AT_FDCWD) {
1907                if (flags & LOOKUP_RCU) {
1908                        struct fs_struct *fs = current->fs;
1909                        unsigned seq;
1910
1911                        rcu_read_lock();
1912
1913                        do {
1914                                seq = read_seqcount_begin(&fs->seq);
1915                                nd->path = fs->pwd;
1916                                nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
1917                        } while (read_seqcount_retry(&fs->seq, seq));
1918                } else {
1919                        get_fs_pwd(current->fs, &nd->path);
1920                }
1921        } else {
1922                /* Caller must check execute permissions on the starting path component */
1923                struct fd f = fdget_raw(dfd);
1924                struct dentry *dentry;
1925
1926                if (!f.file)
1927                        return -EBADF;
1928
1929                dentry = f.file->f_path.dentry;
1930
1931                if (*s) {
1932                        if (!d_can_lookup(dentry)) {
1933                                fdput(f);
1934                                return -ENOTDIR;
1935                        }
1936                }
1937
1938                nd->path = f.file->f_path;
1939                if (flags & LOOKUP_RCU) {
1940                        if (f.flags & FDPUT_FPUT)
1941                                nd->base = f.file;
1942                        nd->seq = __read_seqcount_begin(&nd->path.dentry->d_seq);
1943                        rcu_read_lock();
1944                } else {
1945                        path_get(&nd->path);
1946                        fdput(f);
1947                }
1948        }
1949
1950        nd->inode = nd->path.dentry->d_inode;
1951        if (!(flags & LOOKUP_RCU))
1952                goto done;
1953        if (likely(!read_seqcount_retry(&nd->path.dentry->d_seq, nd->seq)))
1954                goto done;
1955        if (!(nd->flags & LOOKUP_ROOT))
1956                nd->root.mnt = NULL;
1957        rcu_read_unlock();
1958        return -ECHILD;
1959done:
1960        current->total_link_count = 0;
1961        return link_path_walk(s, nd);
1962}
1963
1964static void path_cleanup(struct nameidata *nd)
1965{
1966        if (nd->root.mnt && !(nd->flags & LOOKUP_ROOT)) {
1967                path_put(&nd->root);
1968                nd->root.mnt = NULL;
1969        }
1970        if (unlikely(nd->base))
1971                fput(nd->base);
1972}
1973
1974static inline int lookup_last(struct nameidata *nd, struct path *path)
1975{
1976        if (nd->last_type == LAST_NORM && nd->last.name[nd->last.len])
1977                nd->flags |= LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
1978
1979        nd->flags &= ~LOOKUP_PARENT;
1980        return walk_component(nd, path, nd->flags & LOOKUP_FOLLOW);
1981}
1982
1983/* Returns 0 and nd will be valid on success; Retuns error, otherwise. */
1984static int path_lookupat(int dfd, const struct filename *name,
1985                                unsigned int flags, struct nameidata *nd)
1986{
1987        struct path path;
1988        int err;
1989
1990        /*
1991         * Path walking is largely split up into 2 different synchronisation
1992         * schemes, rcu-walk and ref-walk (explained in
1993         * Documentation/filesystems/path-lookup.txt). These share much of the
1994         * path walk code, but some things particularly setup, cleanup, and
1995         * following mounts are sufficiently divergent that functions are
1996         * duplicated. Typically there is a function foo(), and its RCU
1997         * analogue, foo_rcu().
1998         *
1999         * -ECHILD is the error number of choice (just to avoid clashes) that
2000         * is returned if some aspect of an rcu-walk fails. Such an error must
2001         * be handled by restarting a traditional ref-walk (which will always
2002         * be able to complete).
2003         */
2004        err = path_init(dfd, name, flags, nd);
2005        if (!err && !(flags & LOOKUP_PARENT)) {
2006                err = lookup_last(nd, &path);
2007                while (err > 0) {
2008                        void *cookie;
2009                        struct path link = path;
2010                        err = may_follow_link(&link, nd);
2011                        if (unlikely(err))
2012                                break;
2013                        nd->flags |= LOOKUP_PARENT;
2014                        err = follow_link(&link, nd, &cookie);
2015                        if (err)
2016                                break;
2017                        err = lookup_last(nd, &path);
2018                        put_link(nd, &link, cookie);
2019                }
2020        }
2021
2022        if (!err)
2023                err = complete_walk(nd);
2024
2025        if (!err && nd->flags & LOOKUP_DIRECTORY) {
2026                if (!d_can_lookup(nd->path.dentry)) {
2027                        path_put(&nd->path);
2028                        err = -ENOTDIR;
2029                }
2030        }
2031
2032        path_cleanup(nd);
2033        return err;
2034}
2035
2036static int filename_lookup(int dfd, struct filename *name,
2037                                unsigned int flags, struct nameidata *nd)
2038{
2039        int retval = path_lookupat(dfd, name, flags | LOOKUP_RCU, nd);
2040        if (unlikely(retval == -ECHILD))
2041                retval = path_lookupat(dfd, name, flags, nd);
2042        if (unlikely(retval == -ESTALE))
2043                retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
2044
2045        if (likely(!retval))
2046                audit_inode(name, nd->path.dentry, flags & LOOKUP_PARENT);
2047        return retval;
2048}
2049
2050/* does lookup, returns the object with parent locked */
2051struct dentry *kern_path_locked(const char *name, struct path *path)
2052{
2053        struct filename *filename = getname_kernel(name);
2054        struct nameidata nd;
2055        struct dentry *d;
2056        int err;
2057
2058        if (IS_ERR(filename))
2059                return ERR_CAST(filename);
2060
2061        err = filename_lookup(AT_FDCWD, filename, LOOKUP_PARENT, &nd);
2062        if (err) {
2063                d = ERR_PTR(err);
2064                goto out;
2065        }
2066        if (nd.last_type != LAST_NORM) {
2067                path_put(&nd.path);
2068                d = ERR_PTR(-EINVAL);
2069                goto out;
2070        }
2071        mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
2072        d = __lookup_hash(&nd.last, nd.path.dentry, 0);
2073        if (IS_ERR(d)) {
2074                mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
2075                path_put(&nd.path);
2076                goto out;
2077        }
2078        *path = nd.path;
2079out:
2080        putname(filename);
2081        return d;
2082}
2083
2084int kern_path(const char *name, unsigned int flags, struct path *path)
2085{
2086        struct nameidata nd;
2087        struct filename *filename = getname_kernel(name);
2088        int res = PTR_ERR(filename);
2089
2090        if (!IS_ERR(filename)) {
2091                res = filename_lookup(AT_FDCWD, filename, flags, &nd);
2092                putname(filename);
2093                if (!res)
2094                        *path = nd.path;
2095        }
2096        return res;
2097}
2098EXPORT_SYMBOL(kern_path);
2099
2100/**
2101 * vfs_path_lookup - lookup a file path relative to a dentry-vfsmount pair
2102 * @dentry:  pointer to dentry of the base directory
2103 * @mnt: pointer to vfs mount of the base directory
2104 * @name: pointer to file name
2105 * @flags: lookup flags
2106 * @path: pointer to struct path to fill
2107 */
2108int vfs_path_lookup(struct dentry *dentry, struct vfsmount *mnt,
2109                    const char *name, unsigned int flags,
2110                    struct path *path)
2111{
2112        struct filename *filename = getname_kernel(name);
2113        int err = PTR_ERR(filename);
2114
2115        BUG_ON(flags & LOOKUP_PARENT);
2116
2117        /* the first argument of filename_lookup() is ignored with LOOKUP_ROOT */
2118        if (!IS_ERR(filename)) {
2119                struct nameidata nd;
2120                nd.root.dentry = dentry;
2121                nd.root.mnt = mnt;
2122                err = filename_lookup(AT_FDCWD, filename,
2123                                      flags | LOOKUP_ROOT, &nd);
2124                if (!err)
2125                        *path = nd.path;
2126                putname(filename);
2127        }
2128        return err;
2129}
2130EXPORT_SYMBOL(vfs_path_lookup);
2131
2132/*
2133 * Restricted form of lookup. Doesn't follow links, single-component only,
2134 * needs parent already locked. Doesn't follow mounts.
2135 * SMP-safe.
2136 */
2137static struct dentry *lookup_hash(struct nameidata *nd)
2138{
2139        return __lookup_hash(&nd->last, nd->path.dentry, nd->flags);
2140}
2141
2142/**
2143 * lookup_one_len - filesystem helper to lookup single pathname component
2144 * @name:       pathname component to lookup
2145 * @base:       base directory to lookup from
2146 * @len:        maximum length @len should be interpreted to
2147 *
2148 * Note that this routine is purely a helper for filesystem usage and should
2149 * not be called by generic code.
2150 */
2151struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
2152{
2153        struct qstr this;
2154        unsigned int c;
2155        int err;
2156
2157        WARN_ON_ONCE(!mutex_is_locked(&base->d_inode->i_mutex));
2158
2159        this.name = name;
2160        this.len = len;
2161        this.hash = full_name_hash(name, len);
2162        if (!len)
2163                return ERR_PTR(-EACCES);
2164
2165        if (unlikely(name[0] == '.')) {
2166                if (len < 2 || (len == 2 && name[1] == '.'))
2167                        return ERR_PTR(-EACCES);
2168        }
2169
2170        while (len--) {
2171                c = *(const unsigned char *)name++;
2172                if (c == '/' || c == '\0')
2173                        return ERR_PTR(-EACCES);
2174        }
2175        /*
2176         * See if the low-level filesystem might want
2177         * to use its own hash..
2178         */
2179        if (base->d_flags & DCACHE_OP_HASH) {
2180                int err = base->d_op->d_hash(base, &this);
2181                if (err < 0)
2182                        return ERR_PTR(err);
2183        }
2184
2185        err = inode_permission(base->d_inode, MAY_EXEC);
2186        if (err)
2187                return ERR_PTR(err);
2188
2189        return __lookup_hash(&this, base, 0);
2190}
2191EXPORT_SYMBOL(lookup_one_len);
2192
2193int user_path_at_empty(int dfd, const char __user *name, unsigned flags,
2194                 struct path *path, int *empty)
2195{
2196        struct nameidata nd;
2197        struct filename *tmp = getname_flags(name, flags, empty);
2198        int err = PTR_ERR(tmp);
2199        if (!IS_ERR(tmp)) {
2200
2201                BUG_ON(flags & LOOKUP_PARENT);
2202
2203                err = filename_lookup(dfd, tmp, flags, &nd);
2204                putname(tmp);
2205                if (!err)
2206                        *path = nd.path;
2207        }
2208        return err;
2209}
2210
2211int user_path_at(int dfd, const char __user *name, unsigned flags,
2212                 struct path *path)
2213{
2214        return user_path_at_empty(dfd, name, flags, path, NULL);
2215}
2216EXPORT_SYMBOL(user_path_at);
2217
2218/*
2219 * NB: most callers don't do anything directly with the reference to the
2220 *     to struct filename, but the nd->last pointer points into the name string
2221 *     allocated by getname. So we must hold the reference to it until all
2222 *     path-walking is complete.
2223 */
2224static struct filename *
2225user_path_parent(int dfd, const char __user *path, struct nameidata *nd,
2226                 unsigned int flags)
2227{
2228        struct filename *s = getname(path);
2229        int error;
2230
2231        /* only LOOKUP_REVAL is allowed in extra flags */
2232        flags &= LOOKUP_REVAL;
2233
2234        if (IS_ERR(s))
2235                return s;
2236
2237        error = filename_lookup(dfd, s, flags | LOOKUP_PARENT, nd);
2238        if (error) {
2239                putname(s);
2240                return ERR_PTR(error);
2241        }
2242
2243        return s;
2244}
2245
2246/**
2247 * mountpoint_last - look up last component for umount
2248 * @nd:   pathwalk nameidata - currently pointing at parent directory of "last"
2249 * @path: pointer to container for result
2250 *
2251 * This is a special lookup_last function just for umount. In this case, we
2252 * need to resolve the path without doing any revalidation.
2253 *
2254 * The nameidata should be the result of doing a LOOKUP_PARENT pathwalk. Since
2255 * mountpoints are always pinned in the dcache, their ancestors are too. Thus,
2256 * in almost all cases, this lookup will be served out of the dcache. The only
2257 * cases where it won't are if nd->last refers to a symlink or the path is
2258 * bogus and it doesn't exist.
2259 *
2260 * Returns:
2261 * -error: if there was an error during lookup. This includes -ENOENT if the
2262 *         lookup found a negative dentry. The nd->path reference will also be
2263 *         put in this case.
2264 *
2265 * 0:      if we successfully resolved nd->path and found it to not to be a
2266 *         symlink that needs to be followed. "path" will also be populated.
2267 *         The nd->path reference will also be put.
2268 *
2269 * 1:      if we successfully resolved nd->last and found it to be a symlink
2270 *         that needs to be followed. "path" will be populated with the path
2271 *         to the link, and nd->path will *not* be put.
2272 */
2273static int
2274mountpoint_last(struct nameidata *nd, struct path *path)
2275{
2276        int error = 0;
2277        struct dentry *dentry;
2278        struct dentry *dir = nd->path.dentry;
2279
2280        /* If we're in rcuwalk, drop out of it to handle last component */
2281        if (nd->flags & LOOKUP_RCU) {
2282                if (unlazy_walk(nd, NULL)) {
2283                        error = -ECHILD;
2284                        goto out;
2285                }
2286        }
2287
2288        nd->flags &= ~LOOKUP_PARENT;
2289
2290        if (unlikely(nd->last_type != LAST_NORM)) {
2291                error = handle_dots(nd, nd->last_type);
2292                if (error)
2293                        goto out;
2294                dentry = dget(nd->path.dentry);
2295                goto done;
2296        }
2297
2298        mutex_lock(&dir->d_inode->i_mutex);
2299        dentry = d_lookup(dir, &nd->last);
2300        if (!dentry) {
2301                /*
2302                 * No cached dentry. Mounted dentries are pinned in the cache,
2303                 * so that means that this dentry is probably a symlink or the
2304                 * path doesn't actually point to a mounted dentry.
2305                 */
2306                dentry = d_alloc(dir, &nd->last);
2307                if (!dentry) {
2308                        error = -ENOMEM;
2309                        mutex_unlock(&dir->d_inode->i_mutex);
2310                        goto out;
2311                }
2312                dentry = lookup_real(dir->d_inode, dentry, nd->flags);
2313                error = PTR_ERR(dentry);
2314                if (IS_ERR(dentry)) {
2315                        mutex_unlock(&dir->d_inode->i_mutex);
2316                        goto out;
2317                }
2318        }
2319        mutex_unlock(&dir->d_inode->i_mutex);
2320
2321done:
2322        if (d_is_negative(dentry)) {
2323                error = -ENOENT;
2324                dput(dentry);
2325                goto out;
2326        }
2327        path->dentry = dentry;
2328        path->mnt = nd->path.mnt;
2329        if (should_follow_link(dentry, nd->flags & LOOKUP_FOLLOW))
2330                return 1;
2331        mntget(path->mnt);
2332        follow_mount(path);
2333        error = 0;
2334out:
2335        terminate_walk(nd);
2336        return error;
2337}
2338
2339/**
2340 * path_mountpoint - look up a path to be umounted
2341 * @dfd:        directory file descriptor to start walk from
2342 * @name:       full pathname to walk
2343 * @path:       pointer to container for result
2344 * @flags:      lookup flags
2345 *
2346 * Look up the given name, but don't attempt to revalidate the last component.
2347 * Returns 0 and "path" will be valid on success; Returns error otherwise.
2348 */
2349static int
2350path_mountpoint(int dfd, const struct filename *name, struct path *path,
2351                unsigned int flags)
2352{
2353        struct nameidata nd;
2354        int err;
2355
2356        err = path_init(dfd, name, flags, &nd);
2357        if (unlikely(err))
2358                goto out;
2359
2360        err = mountpoint_last(&nd, path);
2361        while (err > 0) {
2362                void *cookie;
2363                struct path link = *path;
2364                err = may_follow_link(&link, &nd);
2365                if (unlikely(err))
2366                        break;
2367                nd.flags |= LOOKUP_PARENT;
2368                err = follow_link(&link, &nd, &cookie);
2369                if (err)
2370                        break;
2371                err = mountpoint_last(&nd, path);
2372                put_link(&nd, &link, cookie);
2373        }
2374out:
2375        path_cleanup(&nd);
2376        return err;
2377}
2378
2379static int
2380filename_mountpoint(int dfd, struct filename *name, struct path *path,
2381                        unsigned int flags)
2382{
2383        int error;
2384        if (IS_ERR(name))
2385                return PTR_ERR(name);
2386        error = path_mountpoint(dfd, name, path, flags | LOOKUP_RCU);
2387        if (unlikely(error == -ECHILD))
2388                error = path_mountpoint(dfd, name, path, flags);
2389        if (unlikely(error == -ESTALE))
2390                error = path_mountpoint(dfd, name, path, flags | LOOKUP_REVAL);
2391        if (likely(!error))
2392                audit_inode(name, path->dentry, 0);
2393        putname(name);
2394        return error;
2395}
2396
2397/**
2398 * user_path_mountpoint_at - lookup a path from userland in order to umount it
2399 * @dfd:        directory file descriptor
2400 * @name:       pathname from userland
2401 * @flags:      lookup flags
2402 * @path:       pointer to container to hold result
2403 *
2404 * A umount is a special case for path walking. We're not actually interested
2405 * in the inode in this situation, and ESTALE errors can be a problem. We
2406 * simply want track down the dentry and vfsmount attached at the mountpoint
2407 * and avoid revalidating the last component.
2408 *
2409 * Returns 0 and populates "path" on success.
2410 */
2411int
2412user_path_mountpoint_at(int dfd, const char __user *name, unsigned int flags,
2413                        struct path *path)
2414{
2415        return filename_mountpoint(dfd, getname(name), path, flags);
2416}
2417
2418int
2419kern_path_mountpoint(int dfd, const char *name, struct path *path,
2420                        unsigned int flags)
2421{
2422        return filename_mountpoint(dfd, getname_kernel(name), path, flags);
2423}
2424EXPORT_SYMBOL(kern_path_mountpoint);
2425
2426int __check_sticky(struct inode *dir, struct inode *inode)
2427{
2428        kuid_t fsuid = current_fsuid();
2429
2430        if (uid_eq(inode->i_uid, fsuid))
2431                return 0;
2432        if (uid_eq(dir->i_uid, fsuid))
2433                return 0;
2434        return !capable_wrt_inode_uidgid(inode, CAP_FOWNER);
2435}
2436EXPORT_SYMBOL(__check_sticky);
2437
2438/*
2439 *      Check whether we can remove a link victim from directory dir, check
2440 *  whether the type of victim is right.
2441 *  1. We can't do it if dir is read-only (done in permission())
2442 *  2. We should have write and exec permissions on dir
2443 *  3. We can't remove anything from append-only dir
2444 *  4. We can't do anything with immutable dir (done in permission())
2445 *  5. If the sticky bit on dir is set we should either
2446 *      a. be owner of dir, or
2447 *      b. be owner of victim, or
2448 *      c. have CAP_FOWNER capability
2449 *  6. If the victim is append-only or immutable we can't do antyhing with
2450 *     links pointing to it.
2451 *  7. If we were asked to remove a directory and victim isn't one - ENOTDIR.
2452 *  8. If we were asked to remove a non-directory and victim isn't one - EISDIR.
2453 *  9. We can't remove a root or mountpoint.
2454 * 10. We don't allow removal of NFS sillyrenamed files; it's handled by
2455 *     nfs_async_unlink().
2456 */
2457static int may_delete(struct inode *dir, struct dentry *victim, bool isdir)
2458{
2459        struct inode *inode = victim->d_inode;
2460        int error;
2461
2462        if (d_is_negative(victim))
2463                return -ENOENT;
2464        BUG_ON(!inode);
2465
2466        BUG_ON(victim->d_parent->d_inode != dir);
2467        audit_inode_child(dir, victim, AUDIT_TYPE_CHILD_DELETE);
2468
2469        error = inode_permission(dir, MAY_WRITE | MAY_EXEC);
2470        if (error)
2471                return error;
2472        if (IS_APPEND(dir))
2473                return -EPERM;
2474
2475        if (check_sticky(dir, inode) || IS_APPEND(inode) ||
2476            IS_IMMUTABLE(inode) || IS_SWAPFILE(inode))
2477                return -EPERM;
2478        if (isdir) {
2479                if (!d_is_dir(victim))
2480                        return -ENOTDIR;
2481                if (IS_ROOT(victim))
2482                        return -EBUSY;
2483        } else if (d_is_dir(victim))
2484                return -EISDIR;
2485        if (IS_DEADDIR(dir))
2486                return -ENOENT;
2487        if (victim->d_flags & DCACHE_NFSFS_RENAMED)
2488                return -EBUSY;
2489        return 0;
2490}
2491
2492/*      Check whether we can create an object with dentry child in directory
2493 *  dir.
2494 *  1. We can't do it if child already exists (open has special treatment for
2495 *     this case, but since we are inlined it's OK)
2496 *  2. We can't do it if dir is read-only (done in permission())
2497 *  3. We should have write and exec permissions on dir
2498 *  4. We can't do it if dir is immutable (done in permission())
2499 */
2500static inline int may_create(struct inode *dir, struct dentry *child)
2501{
2502        audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE);
2503        if (child->d_inode)
2504                return -EEXIST;
2505        if (IS_DEADDIR(dir))
2506                return -ENOENT;
2507        return inode_permission(dir, MAY_WRITE | MAY_EXEC);
2508}
2509
2510/*
2511 * p1 and p2 should be directories on the same fs.
2512 */
2513struct dentry *lock_rename(struct dentry *p1, struct dentry *p2)
2514{
2515        struct dentry *p;
2516
2517        if (p1 == p2) {
2518                mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_PARENT);
2519                return NULL;
2520        }
2521
2522        mutex_lock(&p1->d_inode->i_sb->s_vfs_rename_mutex);
2523
2524        p = d_ancestor(p2, p1);
2525        if (p) {
2526                mutex_lock_nested(&p2->d_inode->i_mutex, I_MUTEX_PARENT);
2527                mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_CHILD);
2528                return p;
2529        }
2530
2531        p = d_ancestor(p1, p2);
2532        if (p) {
2533                mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_PARENT);
2534                mutex_lock_nested(&p2->d_inode->i_mutex, I_MUTEX_CHILD);
2535                return p;
2536        }
2537
2538        mutex_lock_nested(&p1->d_inode->i_mutex, I_MUTEX_PARENT);
2539        mutex_lock_nested(&p2->d_inode->i_mutex, I_MUTEX_PARENT2);
2540        return NULL;
2541}
2542EXPORT_SYMBOL(lock_rename);
2543
2544void unlock_rename(struct dentry *p1, struct dentry *p2)
2545{
2546        mutex_unlock(&p1->d_inode->i_mutex);
2547        if (p1 != p2) {
2548                mutex_unlock(&p2->d_inode->i_mutex);
2549                mutex_unlock(&p1->d_inode->i_sb->s_vfs_rename_mutex);
2550        }
2551}
2552EXPORT_SYMBOL(unlock_rename);
2553
2554int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode,
2555                bool want_excl)
2556{
2557        int error = may_create(dir, dentry);
2558        if (error)
2559                return error;
2560
2561        if (!dir->i_op->create)
2562                return -EACCES; /* shouldn't it be ENOSYS? */
2563        mode &= S_IALLUGO;
2564        mode |= S_IFREG;
2565        error = security_inode_create(dir, dentry, mode);
2566        if (error)
2567                return error;
2568        error = dir->i_op->create(dir, dentry, mode, want_excl);
2569        if (!error)
2570                fsnotify_create(dir, dentry);
2571        return error;
2572}
2573EXPORT_SYMBOL(vfs_create);
2574
2575static int may_open(struct path *path, int acc_mode, int flag)
2576{
2577        struct dentry *dentry = path->dentry;
2578        struct inode *inode = dentry->d_inode;
2579        int error;
2580
2581        /* O_PATH? */
2582        if (!acc_mode)
2583                return 0;
2584
2585        if (!inode)
2586                return -ENOENT;
2587
2588        switch (inode->i_mode & S_IFMT) {
2589        case S_IFLNK:
2590                return -ELOOP;
2591        case S_IFDIR:
2592                if (acc_mode & MAY_WRITE)
2593                        return -EISDIR;
2594                break;
2595        case S_IFBLK:
2596        case S_IFCHR:
2597                if (path->mnt->mnt_flags & MNT_NODEV)
2598                        return -EACCES;
2599                /*FALLTHRU*/
2600        case S_IFIFO:
2601        case S_IFSOCK:
2602                flag &= ~O_TRUNC;
2603                break;
2604        }
2605
2606        error = inode_permission(inode, acc_mode);
2607        if (error)
2608                return error;
2609
2610        /*
2611         * An append-only file must be opened in append mode for writing.
2612         */
2613        if (IS_APPEND(inode)) {
2614                if  ((flag & O_ACCMODE) != O_RDONLY && !(flag & O_APPEND))
2615                        return -EPERM;
2616                if (flag & O_TRUNC)
2617                        return -EPERM;
2618        }
2619
2620        /* O_NOATIME can only be set by the owner or superuser */
2621        if (flag & O_NOATIME && !inode_owner_or_capable(inode))
2622                return -EPERM;
2623
2624        return 0;
2625}
2626
2627static int handle_truncate(struct file *filp)
2628{
2629        struct path *path = &filp->f_path;
2630        struct inode *inode = path->dentry->d_inode;
2631        int error = get_write_access(inode);
2632        if (error)
2633                return error;
2634        /*
2635         * Refuse to truncate files with mandatory locks held on them.
2636         */
2637        error = locks_verify_locked(filp);
2638        if (!error)
2639                error = security_path_truncate(path);
2640        if (!error) {
2641                error = do_truncate(path->dentry, 0,
2642                                    ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,
2643                                    filp);
2644        }
2645        put_write_access(inode);
2646        return error;
2647}
2648
2649static inline int open_to_namei_flags(int flag)
2650{
2651        if ((flag & O_ACCMODE) == 3)
2652                flag--;
2653        return flag;
2654}
2655
2656static int may_o_create(struct path *dir, struct dentry *dentry, umode_t mode)
2657{
2658        int error = security_path_mknod(dir, dentry, mode, 0);
2659        if (error)
2660                return error;
2661
2662        error = inode_permission(dir->dentry->d_inode, MAY_WRITE | MAY_EXEC);
2663        if (error)
2664                return error;
2665
2666        return security_inode_create(dir->dentry->d_inode, dentry, mode);
2667}
2668
2669/*
2670 * Attempt to atomically look up, create and open a file from a negative
2671 * dentry.
2672 *
2673 * Returns 0 if successful.  The file will have been created and attached to
2674 * @file by the filesystem calling finish_open().
2675 *
2676 * Returns 1 if the file was looked up only or didn't need creating.  The
2677 * caller will need to perform the open themselves.  @path will have been
2678 * updated to point to the new dentry.  This may be negative.
2679 *
2680 * Returns an error code otherwise.
2681 */
2682static int atomic_open(struct nameidata *nd, struct dentry *dentry,
2683                        struct path *path, struct file *file,
2684                        const struct open_flags *op,
2685                        bool got_write, bool need_lookup,
2686                        int *opened)
2687{
2688        struct inode *dir =  nd->path.dentry->d_inode;
2689        unsigned open_flag = open_to_namei_flags(op->open_flag);
2690        umode_t mode;
2691        int error;
2692        int acc_mode;
2693        int create_error = 0;
2694        struct dentry *const DENTRY_NOT_SET = (void *) -1UL;
2695        bool excl;
2696
2697        BUG_ON(dentry->d_inode);
2698
2699        /* Don't create child dentry for a dead directory. */
2700        if (unlikely(IS_DEADDIR(dir))) {
2701                error = -ENOENT;
2702                goto out;
2703        }
2704
2705        mode = op->mode;
2706        if ((open_flag & O_CREAT) && !IS_POSIXACL(dir))
2707                mode &= ~current_umask();
2708
2709        excl = (open_flag & (O_EXCL | O_CREAT)) == (O_EXCL | O_CREAT);
2710        if (excl)
2711                open_flag &= ~O_TRUNC;
2712
2713        /*
2714         * Checking write permission is tricky, bacuse we don't know if we are
2715         * going to actually need it: O_CREAT opens should work as long as the
2716         * file exists.  But checking existence breaks atomicity.  The trick is
2717         * to check access and if not granted clear O_CREAT from the flags.
2718         *
2719         * Another problem is returing the "right" error value (e.g. for an
2720         * O_EXCL open we want to return EEXIST not EROFS).
2721         */
2722        if (((open_flag & (O_CREAT | O_TRUNC)) ||
2723            (open_flag & O_ACCMODE) != O_RDONLY) && unlikely(!got_write)) {
2724                if (!(open_flag & O_CREAT)) {
2725                        /*
2726                         * No O_CREATE -> atomicity not a requirement -> fall
2727                         * back to lookup + open
2728                         */
2729                        goto no_open;
2730                } else if (open_flag & (O_EXCL | O_TRUNC)) {
2731                        /* Fall back and fail with the right error */
2732                        create_error = -EROFS;
2733                        goto no_open;
2734                } else {
2735                        /* No side effects, safe to clear O_CREAT */
2736                        create_error = -EROFS;
2737                        open_flag &= ~O_CREAT;
2738                }
2739        }
2740
2741        if (open_flag & O_CREAT) {
2742                error = may_o_create(&nd->path, dentry, mode);
2743                if (error) {
2744                        create_error = error;
2745                        if (open_flag & O_EXCL)
2746                                goto no_open;
2747                        open_flag &= ~O_CREAT;
2748                }
2749        }
2750
2751        if (nd->flags & LOOKUP_DIRECTORY)
2752                open_flag |= O_DIRECTORY;
2753
2754        file->f_path.dentry = DENTRY_NOT_SET;
2755        file->f_path.mnt = nd->path.mnt;
2756        error = dir->i_op->atomic_open(dir, dentry, file, open_flag, mode,
2757                                      opened);
2758        if (error < 0) {
2759                if (create_error && error == -ENOENT)
2760                        error = create_error;
2761                goto out;
2762        }
2763
2764        if (error) {    /* returned 1, that is */
2765                if (WARN_ON(file->f_path.dentry == DENTRY_NOT_SET)) {
2766                        error = -EIO;
2767                        goto out;
2768                }
2769                if (file->f_path.dentry) {
2770                        dput(dentry);
2771                        dentry = file->f_path.dentry;
2772                }
2773                if (*opened & FILE_CREATED)
2774                        fsnotify_create(dir, dentry);
2775                if (!dentry->d_inode) {
2776                        WARN_ON(*opened & FILE_CREATED);
2777                        if (create_error) {
2778                                error = create_error;
2779                                goto out;
2780                        }
2781                } else {
2782                        if (excl && !(*opened & FILE_CREATED)) {
2783                                error = -EEXIST;
2784                                goto out;
2785                        }
2786                }
2787                goto looked_up;
2788        }
2789
2790        /*
2791         * We didn't have the inode before the open, so check open permission
2792         * here.
2793         */
2794        acc_mode = op->acc_mode;
2795        if (*opened & FILE_CREATED) {
2796                WARN_ON(!(open_flag & O_CREAT));
2797                fsnotify_create(dir, dentry);
2798                acc_mode = MAY_OPEN;
2799        }
2800        error = may_open(&file->f_path, acc_mode, open_flag);
2801        if (error)
2802                fput(file);
2803
2804out:
2805        dput(dentry);
2806        return error;
2807
2808no_open:
2809        if (need_lookup) {
2810                dentry = lookup_real(dir, dentry, nd->flags);
2811                if (IS_ERR(dentry))
2812                        return PTR_ERR(dentry);
2813
2814                if (create_error) {
2815                        int open_flag = op->open_flag;
2816
2817                        error = create_error;
2818                        if ((open_flag & O_EXCL)) {
2819                                if (!dentry->d_inode)
2820                                        goto out;
2821                        } else if (!dentry->d_inode) {
2822                                goto out;
2823                        } else if ((open_flag & O_TRUNC) &&
2824                                   d_is_reg(dentry)) {
2825                                goto out;
2826                        }
2827                        /* will fail later, go on to get the right error */
2828                }
2829        }
2830looked_up:
2831        path->dentry = dentry;
2832        path->mnt = nd->path.mnt;
2833        return 1;
2834}
2835
2836/*
2837 * Look up and maybe create and open the last component.
2838 *
2839 * Must be called with i_mutex held on parent.
2840 *
2841 * Returns 0 if the file was successfully atomically created (if necessary) and
2842 * opened.  In this case the file will be returned attached to @file.
2843 *
2844 * Returns 1 if the file was not completely opened at this time, though lookups
2845 * and creations will have been performed and the dentry returned in @path will
2846 * be positive upon return if O_CREAT was specified.  If O_CREAT wasn't
2847 * specified then a negative dentry may be returned.
2848 *
2849 * An error code is returned otherwise.
2850 *
2851 * FILE_CREATE will be set in @*opened if the dentry was created and will be
2852 * cleared otherwise prior to returning.
2853 */
2854static int lookup_open(struct nameidata *nd, struct path *path,
2855                        struct file *file,
2856                        const struct open_flags *op,
2857                        bool got_write, int *opened)
2858{
2859        struct dentry *dir = nd->path.dentry;
2860        struct inode *dir_inode = dir->d_inode;
2861        struct dentry *dentry;
2862        int error;
2863        bool need_lookup;
2864
2865        *opened &= ~FILE_CREATED;
2866        dentry = lookup_dcache(&nd->last, dir, nd->flags, &need_lookup);
2867        if (IS_ERR(dentry))
2868                return PTR_ERR(dentry);
2869
2870        /* Cached positive dentry: will open in f_op->open */
2871        if (!need_lookup && dentry->d_inode)
2872                goto out_no_open;
2873
2874        if ((nd->flags & LOOKUP_OPEN) && dir_inode->i_op->atomic_open) {
2875                return atomic_open(nd, dentry, path, file, op, got_write,
2876                                   need_lookup, opened);
2877        }
2878
2879        if (need_lookup) {
2880                BUG_ON(dentry->d_inode);
2881
2882                dentry = lookup_real(dir_inode, dentry, nd->flags);
2883                if (IS_ERR(dentry))
2884                        return PTR_ERR(dentry);
2885        }
2886
2887        /* Negative dentry, just create the file */
2888        if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
2889                umode_t mode = op->mode;
2890                if (!IS_POSIXACL(dir->d_inode))
2891                        mode &= ~current_umask();
2892                /*
2893                 * This write is needed to ensure that a
2894                 * rw->ro transition does not occur between
2895                 * the time when the file is created and when
2896                 * a permanent write count is taken through
2897                 * the 'struct file' in finish_open().
2898                 */
2899                if (!got_write) {
2900                        error = -EROFS;
2901                        goto out_dput;
2902                }
2903                *opened |= FILE_CREATED;
2904                error = security_path_mknod(&nd->path, dentry, mode, 0);
2905                if (error)
2906                        goto out_dput;
2907                error = vfs_create(dir->d_inode, dentry, mode,
2908                                   nd->flags & LOOKUP_EXCL);
2909                if (error)
2910                        goto out_dput;
2911        }
2912out_no_open:
2913        path->dentry = dentry;
2914        path->mnt = nd->path.mnt;
2915        return 1;
2916
2917out_dput:
2918        dput(dentry);
2919        return error;
2920}
2921
2922/*
2923 * Handle the last step of open()
2924 */
2925static int do_last(struct nameidata *nd, struct path *path,
2926                   struct file *file, const struct open_flags *op,
2927                   int *opened, struct filename *name)
2928{
2929        struct dentry *dir = nd->path.dentry;
2930        int open_flag = op->open_flag;
2931        bool will_truncate = (open_flag & O_TRUNC) != 0;
2932        bool got_write = false;
2933        int acc_mode = op->acc_mode;
2934        struct inode *inode;
2935        bool symlink_ok = false;
2936        struct path save_parent = { .dentry = NULL, .mnt = NULL };
2937        bool retried = false;
2938        int error;
2939
2940        nd->flags &= ~LOOKUP_PARENT;
2941        nd->flags |= op->intent;
2942
2943        if (nd->last_type != LAST_NORM) {
2944                error = handle_dots(nd, nd->last_type);
2945                if (error)
2946                        return error;
2947                goto finish_open;
2948        }
2949
2950        if (!(open_flag & O_CREAT)) {
2951                if (nd->last.name[nd->last.len])
2952                        nd->flags |= LOOKUP_FOLLOW | LOOKUP_DIRECTORY;
2953                if (open_flag & O_PATH && !(nd->flags & LOOKUP_FOLLOW))
2954                        symlink_ok = true;
2955                /* we _can_ be in RCU mode here */
2956                error = lookup_fast(nd, path, &inode);
2957                if (likely(!error))
2958                        goto finish_lookup;
2959
2960                if (error < 0)
2961                        goto out;
2962
2963                BUG_ON(nd->inode != dir->d_inode);
2964        } else {
2965                /* create side of things */
2966                /*
2967                 * This will *only* deal with leaving RCU mode - LOOKUP_JUMPED
2968                 * has been cleared when we got to the last component we are
2969                 * about to look up
2970                 */
2971                error = complete_walk(nd);
2972                if (error)
2973                        return error;
2974
2975                audit_inode(name, dir, LOOKUP_PARENT);
2976                error = -EISDIR;
2977                /* trailing slashes? */
2978                if (nd->last.name[nd->last.len])
2979                        goto out;
2980        }
2981
2982retry_lookup:
2983        if (op->open_flag & (O_CREAT | O_TRUNC | O_WRONLY | O_RDWR)) {
2984                error = mnt_want_write(nd->path.mnt);
2985                if (!error)
2986                        got_write = true;
2987                /*
2988                 * do _not_ fail yet - we might not need that or fail with
2989                 * a different error; let lookup_open() decide; we'll be
2990                 * dropping this one anyway.
2991                 */
2992        }
2993        mutex_lock(&dir->d_inode->i_mutex);
2994        error = lookup_open(nd, path, file, op, got_write, opened);
2995        mutex_unlock(&dir->d_inode->i_mutex);
2996
2997        if (error <= 0) {
2998                if (error)
2999                        goto out;
3000
3001                if ((*opened & FILE_CREATED) ||
3002                    !S_ISREG(file_inode(file)->i_mode))
3003                        will_truncate = false;
3004
3005                audit_inode(name, file->f_path.dentry, 0);
3006                goto opened;
3007        }
3008
3009        if (*opened & FILE_CREATED) {
3010                /* Don't check for write permission, don't truncate */
3011                open_flag &= ~O_TRUNC;
3012                will_truncate = false;
3013                acc_mode = MAY_OPEN;
3014                path_to_nameidata(path, nd);
3015                goto finish_open_created;
3016        }
3017
3018        /*
3019         * create/update audit record if it already exists.
3020         */
3021        if (d_is_positive(path->dentry))
3022                audit_inode(name, path->dentry, 0);
3023
3024        /*
3025         * If atomic_open() acquired write access it is dropped now due to
3026         * possible mount and symlink following (this might be optimized away if
3027         * necessary...)
3028         */
3029        if (got_write) {
3030                mnt_drop_write(nd->path.mnt);
3031                got_write = false;
3032        }
3033
3034        error = -EEXIST;
3035        if ((open_flag & (O_EXCL | O_CREAT)) == (O_EXCL | O_CREAT))
3036                goto exit_dput;
3037
3038        error = follow_managed(path, nd->flags);
3039        if (error < 0)
3040                goto exit_dput;
3041
3042        if (error)
3043                nd->flags |= LOOKUP_JUMPED;
3044
3045        BUG_ON(nd->flags & LOOKUP_RCU);
3046        inode = path->dentry->d_inode;
3047        error = -ENOENT;
3048        if (d_is_negative(path->dentry)) {
3049                path_to_nameidata(path, nd);
3050                goto out;
3051        }
3052finish_lookup:
3053        /* we _can_ be in RCU mode here */
3054        if (should_follow_link(path->dentry, !symlink_ok)) {
3055                if (nd->flags & LOOKUP_RCU) {
3056                        if (unlikely(nd->path.mnt != path->mnt ||
3057                                     unlazy_walk(nd, path->dentry))) {
3058                                error = -ECHILD;
3059                                goto out;
3060                        }
3061                }
3062                BUG_ON(inode != path->dentry->d_inode);
3063                return 1;
3064        }
3065
3066        if ((nd->flags & LOOKUP_RCU) || nd->path.mnt != path->mnt) {
3067                path_to_nameidata(path, nd);
3068        } else {
3069                save_parent.dentry = nd->path.dentry;
3070                save_parent.mnt = mntget(path->mnt);
3071                nd->path.dentry = path->dentry;
3072
3073        }
3074        nd->inode = inode;
3075        /* Why this, you ask?  _Now_ we might have grown LOOKUP_JUMPED... */
3076finish_open:
3077        error = complete_walk(nd);
3078        if (error) {
3079                path_put(&save_parent);
3080                return error;
3081        }
3082        audit_inode(name, nd->path.dentry, 0);
3083        error = -EISDIR;
3084        if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
3085                goto out;
3086        error = -ENOTDIR;
3087        if ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry))
3088                goto out;
3089        if (!d_is_reg(nd->path.dentry))
3090                will_truncate = false;
3091
3092        if (will_truncate) {
3093                error = mnt_want_write(nd->path.mnt);
3094                if (error)
3095                        goto out;
3096                got_write = true;
3097        }
3098finish_open_created:
3099        error = may_open(&nd->path, acc_mode, open_flag);
3100        if (error)
3101                goto out;
3102
3103        BUG_ON(*opened & FILE_OPENED); /* once it's opened, it's opened */
3104        error = vfs_open(&nd->path, file, current_cred());
3105        if (!error) {
3106                *opened |= FILE_OPENED;
3107        } else {
3108                if (error == -EOPENSTALE)
3109                        goto stale_open;
3110                goto out;
3111        }
3112opened:
3113        error = open_check_o_direct(file);
3114        if (error)
3115                goto exit_fput;
3116        error = ima_file_check(file, op->acc_mode, *opened);
3117        if (error)
3118                goto exit_fput;
3119
3120        if (will_truncate) {
3121                error = handle_truncate(file);
3122                if (error)
3123                        goto exit_fput;
3124        }
3125out:
3126        if (got_write)
3127                mnt_drop_write(nd->path.mnt);
3128        path_put(&save_parent);
3129        terminate_walk(nd);
3130        return error;
3131
3132exit_dput:
3133        path_put_conditional(path, nd);
3134        goto out;
3135exit_fput:
3136        fput(file);
3137        goto out;
3138
3139stale_open:
3140        /* If no saved parent or already retried then can't retry */
3141        if (!save_parent.dentry || retried)
3142                goto out;
3143
3144        BUG_ON(save_parent.dentry != dir);
3145        path_put(&nd->path);
3146        nd->path = save_parent;
3147        nd->inode = dir->d_inode;
3148        save_parent.mnt = NULL;
3149        save_parent.dentry = NULL;
3150        if (got_write) {
3151                mnt_drop_write(nd->path.mnt);
3152                got_write = false;
3153        }
3154        retried = true;
3155        goto retry_lookup;
3156}
3157
3158static int do_tmpfile(int dfd, struct filename *pathname,
3159                struct nameidata *nd, int flags,
3160                const struct open_flags *op,
3161                struct file *file, int *opened)
3162{
3163        static const struct qstr name = QSTR_INIT("/", 1);
3164        struct dentry *dentry, *child;
3165        struct inode *dir;
3166        int error = path_lookupat(dfd, pathname,
3167                                  flags | LOOKUP_DIRECTORY, nd);
3168        if (unlikely(error))
3169                return error;
3170        error = mnt_want_write(nd->path.mnt);
3171        if (unlikely(error))
3172                goto out;
3173        /* we want directory to be writable */
3174        error = inode_permission(nd->inode, MAY_WRITE | MAY_EXEC);
3175        if (error)
3176                goto out2;
3177        dentry = nd->path.dentry;
3178        dir = dentry->d_inode;
3179        if (!dir->i_op->tmpfile) {
3180                error = -EOPNOTSUPP;
3181                goto out2;
3182        }
3183        child = d_alloc(dentry, &name);
3184        if (unlikely(!child)) {
3185                error = -ENOMEM;
3186                goto out2;
3187        }
3188        nd->flags &= ~LOOKUP_DIRECTORY;
3189        nd->flags |= op->intent;
3190        dput(nd->path.dentry);
3191        nd->path.dentry = child;
3192        error = dir->i_op->tmpfile(dir, nd->path.dentry, op->mode);
3193        if (error)
3194                goto out2;
3195        audit_inode(pathname, nd->path.dentry, 0);
3196        /* Don't check for other permissions, the inode was just created */
3197        error = may_open(&nd->path, MAY_OPEN, op->open_flag);
3198        if (error)
3199                goto out2;
3200        file->f_path.mnt = nd->path.mnt;
3201        error = finish_open(file, nd->path.dentry, NULL, opened);
3202        if (error)
3203                goto out2;
3204        error = open_check_o_direct(file);
3205        if (error) {
3206                fput(file);
3207        } else if (!(op->open_flag & O_EXCL)) {
3208                struct inode *inode = file_inode(file);
3209                spin_lock(&inode->i_lock);
3210                inode->i_state |= I_LINKABLE;
3211                spin_unlock(&inode->i_lock);
3212        }
3213out2:
3214        mnt_drop_write(nd->path.mnt);
3215out:
3216        path_put(&nd->path);
3217        return error;
3218}
3219
3220static struct file *path_openat(int dfd, struct filename *pathname,
3221                struct nameidata *nd, const struct open_flags *op, int flags)
3222{
3223        struct file *file;
3224        struct path path;
3225        int opened = 0;
3226        int error;
3227
3228        file = get_empty_filp();
3229        if (IS_ERR(file))
3230                return file;
3231
3232        file->f_flags = op->open_flag;
3233
3234        if (unlikely(file->f_flags & __O_TMPFILE)) {
3235                error = do_tmpfile(dfd, pathname, nd, flags, op, file, &opened);
3236                goto out2;
3237        }
3238
3239        error = path_init(dfd, pathname, flags, nd);
3240        if (unlikely(error))
3241                goto out;
3242
3243        error = do_last(nd, &path, file, op, &opened, pathname);
3244        while (unlikely(error > 0)) { /* trailing symlink */
3245                struct path link = path;
3246                void *cookie;
3247                if (!(nd->flags & LOOKUP_FOLLOW)) {
3248                        path_put_conditional(&path, nd);
3249                        path_put(&nd->path);
3250                        error = -ELOOP;
3251                        break;
3252                }
3253                error = may_follow_link(&link, nd);
3254                if (unlikely(error))
3255                        break;
3256                nd->flags |= LOOKUP_PARENT;
3257                nd->flags &= ~(LOOKUP_OPEN|LOOKUP_CREATE|LOOKUP_EXCL);
3258                error = follow_link(&link, nd, &cookie);
3259                if (unlikely(error))
3260                        break;
3261                error = do_last(nd, &path, file, op, &opened, pathname);
3262                put_link(nd, &link, cookie);
3263        }
3264out:
3265        path_cleanup(nd);
3266out2:
3267        if (!(opened & FILE_OPENED)) {
3268                BUG_ON(!error);
3269                put_filp(file);
3270        }
3271        if (unlikely(error)) {
3272                if (error == -EOPENSTALE) {
3273                        if (flags & LOOKUP_RCU)
3274                                error = -ECHILD;
3275                        else
3276                                error = -ESTALE;
3277                }
3278                file = ERR_PTR(error);
3279        }
3280        return file;
3281}
3282
3283struct file *do_filp_open(int dfd, struct filename *pathname,
3284                const struct open_flags *op)
3285{
3286        struct nameidata nd;
3287        int flags = op->lookup_flags;
3288        struct file *filp;
3289
3290        filp = path_openat(dfd, pathname, &nd, op, flags | LOOKUP_RCU);
3291        if (unlikely(filp == ERR_PTR(-ECHILD)))
3292                filp = path_openat(dfd, pathname, &nd, op, flags);
3293        if (unlikely(filp == ERR_PTR(-ESTALE)))
3294                filp = path_openat(dfd, pathname, &nd, op, flags | LOOKUP_REVAL);
3295        return filp;
3296}
3297
3298struct file *do_file_open_root(struct dentry *dentry, struct vfsmount *mnt,
3299                const char *name, const struct open_flags *op)
3300{
3301        struct nameidata nd;
3302        struct file *file;
3303        struct filename *filename;
3304        int flags = op->lookup_flags | LOOKUP_ROOT;
3305
3306        nd.root.mnt = mnt;
3307        nd.root.dentry = dentry;
3308
3309        if (d_is_symlink(dentry) && op->intent & LOOKUP_OPEN)
3310                return ERR_PTR(-ELOOP);
3311
3312        filename = getname_kernel(name);
3313        if (unlikely(IS_ERR(filename)))
3314                return ERR_CAST(filename);
3315
3316        file = path_openat(-1, filename, &nd, op, flags | LOOKUP_RCU);
3317        if (unlikely(file == ERR_PTR(-ECHILD)))
3318                file = path_openat(-1, filename, &nd, op, flags);
3319        if (unlikely(file == ERR_PTR(-ESTALE)))
3320                file = path_openat(-1, filename, &nd, op, flags | LOOKUP_REVAL);
3321        putname(filename);
3322        return file;
3323}
3324
3325static struct dentry *filename_create(int dfd, struct filename *name,
3326                                struct path *path, unsigned int lookup_flags)
3327{
3328        struct dentry *dentry = ERR_PTR(-EEXIST);
3329        struct nameidata nd;
3330        int err2;
3331        int error;
3332        bool is_dir = (lookup_flags & LOOKUP_DIRECTORY);
3333
3334        /*
3335         * Note that only LOOKUP_REVAL and LOOKUP_DIRECTORY matter here. Any
3336         * other flags passed in are ignored!
3337         */
3338        lookup_flags &= LOOKUP_REVAL;
3339
3340        error = filename_lookup(dfd, name, LOOKUP_PARENT|lookup_flags, &nd);
3341        if (error)
3342                return ERR_PTR(error);
3343
3344        /*
3345         * Yucky last component or no last component at all?
3346         * (foo/., foo/.., /////)
3347         */
3348        if (nd.last_type != LAST_NORM)
3349                goto out;
3350        nd.flags &= ~LOOKUP_PARENT;
3351        nd.flags |= LOOKUP_CREATE | LOOKUP_EXCL;
3352
3353        /* don't fail immediately if it's r/o, at least try to report other errors */
3354        err2 = mnt_want_write(nd.path.mnt);
3355        /*
3356         * Do the final lookup.
3357         */
3358        mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
3359        dentry = lookup_hash(&nd);
3360        if (IS_ERR(dentry))
3361                goto unlock;
3362
3363        error = -EEXIST;
3364        if (d_is_positive(dentry))
3365                goto fail;
3366
3367        /*
3368         * Special case - lookup gave negative, but... we had foo/bar/
3369         * From the vfs_mknod() POV we just have a negative dentry -
3370         * all is fine. Let's be bastards - you had / on the end, you've
3371         * been asking for (non-existent) directory. -ENOENT for you.
3372         */
3373        if (unlikely(!is_dir && nd.last.name[nd.last.len])) {
3374                error = -ENOENT;
3375                goto fail;
3376        }
3377        if (unlikely(err2)) {
3378                error = err2;
3379                goto fail;
3380        }
3381        *path = nd.path;
3382        return dentry;
3383fail:
3384        dput(dentry);
3385        dentry = ERR_PTR(error);
3386unlock:
3387        mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
3388        if (!err2)
3389                mnt_drop_write(nd.path.mnt);
3390out:
3391        path_put(&nd.path);
3392        return dentry;
3393}
3394
3395struct dentry *kern_path_create(int dfd, const char *pathname,
3396                                struct path *path, unsigned int lookup_flags)
3397{
3398        struct filename *filename = getname_kernel(pathname);
3399        struct dentry *res;
3400
3401        if (IS_ERR(filename))
3402                return ERR_CAST(filename);
3403        res = filename_create(dfd, filename, path, lookup_flags);
3404        putname(filename);
3405        return res;
3406}
3407EXPORT_SYMBOL(kern_path_create);
3408
3409void done_path_create(struct path *path, struct dentry *dentry)
3410{
3411        dput(dentry);
3412        mutex_unlock(&path->dentry->d_inode->i_mutex);
3413        mnt_drop_write(path->mnt);
3414        path_put(path);
3415}
3416EXPORT_SYMBOL(done_path_create);
3417
3418struct dentry *user_path_create(int dfd, const char __user *pathname,
3419                                struct path *path, unsigned int lookup_flags)
3420{
3421        struct filename *tmp = getname(pathname);
3422        struct dentry *res;
3423        if (IS_ERR(tmp))
3424                return ERR_CAST(tmp);
3425        res = filename_create(dfd, tmp, path, lookup_flags);
3426        putname(tmp);
3427        return res;
3428}
3429EXPORT_SYMBOL(user_path_create);
3430
3431int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3432{
3433        int error = may_create(dir, dentry);
3434
3435        if (error)
3436                return error;
3437
3438        if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
3439                return -EPERM;
3440
3441        if (!dir->i_op->mknod)
3442                return -EPERM;
3443
3444        error = devcgroup_inode_mknod(mode, dev);
3445        if (error)
3446                return error;
3447
3448        error = security_inode_mknod(dir, dentry, mode, dev);
3449        if (error)
3450                return error;
3451
3452        error = dir->i_op->mknod(dir, dentry, mode, dev);
3453        if (!error)
3454                fsnotify_create(dir, dentry);
3455        return error;
3456}
3457EXPORT_SYMBOL(vfs_mknod);
3458
3459static int may_mknod(umode_t mode)
3460{
3461        switch (mode & S_IFMT) {
3462        case S_IFREG:
3463        case S_IFCHR:
3464        case S_IFBLK:
3465        case S_IFIFO:
3466        case S_IFSOCK:
3467        case 0: /* zero mode translates to S_IFREG */
3468                return 0;
3469        case S_IFDIR:
3470                return -EPERM;
3471        default:
3472                return -EINVAL;
3473        }
3474}
3475
3476SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode,
3477                unsigned, dev)
3478{
3479        struct dentry *dentry;
3480        struct path path;
3481        int error;
3482        unsigned int lookup_flags = 0;
3483
3484        error = may_mknod(mode);
3485        if (error)
3486                return error;
3487retry:
3488        dentry = user_path_create(dfd, filename, &path, lookup_flags);
3489        if (IS_ERR(dentry))
3490                return PTR_ERR(dentry);
3491
3492        if (!IS_POSIXACL(path.dentry->d_inode))
3493                mode &= ~current_umask();
3494        error = security_path_mknod(&path, dentry, mode, dev);
3495        if (error)
3496                goto out;
3497        switch (mode & S_IFMT) {
3498                case 0: case S_IFREG:
3499                        error = vfs_create(path.dentry->d_inode,dentry,mode,true);
3500                        break;
3501                case S_IFCHR: case S_IFBLK:
3502                        error = vfs_mknod(path.dentry->d_inode,dentry,mode,
3503                                        new_decode_dev(dev));
3504                        break;
3505                case S_IFIFO: case S_IFSOCK:
3506                        error = vfs_mknod(path.dentry->d_inode,dentry,mode,0);
3507                        break;
3508        }
3509out:
3510        done_path_create(&path, dentry);
3511        if (retry_estale(error, lookup_flags)) {
3512                lookup_flags |= LOOKUP_REVAL;
3513                goto retry;
3514        }
3515        return error;
3516}
3517
3518SYSCALL_DEFINE3(mknod, const char __user *, filename, umode_t, mode, unsigned, dev)
3519{
3520        return sys_mknodat(AT_FDCWD, filename, mode, dev);
3521}
3522
3523int vfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
3524{
3525        int error = may_create(dir, dentry);
3526        unsigned max_links = dir->i_sb->s_max_links;
3527
3528        if (error)
3529                return error;
3530
3531        if (!dir->i_op->mkdir)
3532                return -EPERM;
3533
3534        mode &= (S_IRWXUGO|S_ISVTX);
3535        error = security_inode_mkdir(dir, dentry, mode);
3536        if (error)
3537                return error;
3538
3539        if (max_links && dir->i_nlink >= max_links)
3540                return -EMLINK;
3541
3542        error = dir->i_op->mkdir(dir, dentry, mode);
3543        if (!error)
3544                fsnotify_mkdir(dir, dentry);
3545        return error;
3546}
3547EXPORT_SYMBOL(vfs_mkdir);
3548
3549SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode)
3550{
3551        struct dentry *dentry;
3552        struct path path;
3553        int error;
3554        unsigned int lookup_flags = LOOKUP_DIRECTORY;
3555
3556retry:
3557        dentry = user_path_create(dfd, pathname, &path, lookup_flags);
3558        if (IS_ERR(dentry))
3559                return PTR_ERR(dentry);
3560
3561        if (!IS_POSIXACL(path.dentry->d_inode))
3562                mode &= ~current_umask();
3563        error = security_path_mkdir(&path, dentry, mode);
3564        if (!error)
3565                error = vfs_mkdir(path.dentry->d_inode, dentry, mode);
3566        done_path_create(&path, dentry);
3567        if (retry_estale(error, lookup_flags)) {
3568                lookup_flags |= LOOKUP_REVAL;
3569                goto retry;
3570        }
3571        return error;
3572}
3573
3574SYSCALL_DEFINE2(mkdir, const char __user *, pathname, umode_t, mode)
3575{
3576        return sys_mkdirat(AT_FDCWD, pathname, mode);
3577}
3578
3579/*
3580 * The dentry_unhash() helper will try to drop the dentry early: we
3581 * should have a usage count of 1 if we're the only user of this
3582 * dentry, and if that is true (possibly after pruning the dcache),
3583 * then we drop the dentry now.
3584 *
3585 * A low-level filesystem can, if it choses, legally
3586 * do a
3587 *
3588 *      if (!d_unhashed(dentry))
3589 *              return -EBUSY;
3590 *
3591 * if it cannot handle the case of removing a directory
3592 * that is still in use by something else..
3593 */
3594void dentry_unhash(struct dentry *dentry)
3595{
3596        shrink_dcache_parent(dentry);
3597        spin_lock(&dentry->d_lock);
3598        if (dentry->d_lockref.count == 1)
3599                __d_drop(dentry);
3600        spin_unlock(&dentry->d_lock);
3601}
3602EXPORT_SYMBOL(dentry_unhash);
3603
3604int vfs_rmdir(struct inode *dir, struct dentry *dentry)
3605{
3606        int error = may_delete(dir, dentry, 1);
3607
3608        if (error)
3609                return error;
3610
3611        if (!dir->i_op->rmdir)
3612                return -EPERM;
3613
3614        dget(dentry);
3615        mutex_lock(&dentry->d_inode->i_mutex);
3616
3617        error = -EBUSY;
3618        if (is_local_mountpoint(dentry))
3619                goto out;
3620
3621        error = security_inode_rmdir(dir, dentry);
3622        if (error)
3623                goto out;
3624
3625        shrink_dcache_parent(dentry);
3626        error = dir->i_op->rmdir(dir, dentry);
3627        if (error)
3628                goto out;
3629
3630        dentry->d_inode->i_flags |= S_DEAD;
3631        dont_mount(dentry);
3632        detach_mounts(dentry);
3633
3634out:
3635        mutex_unlock(&dentry->d_inode->i_mutex);
3636        dput(dentry);
3637        if (!error)
3638                d_delete(dentry);
3639        return error;
3640}
3641EXPORT_SYMBOL(vfs_rmdir);
3642
3643static long do_rmdir(int dfd, const char __user *pathname)
3644{
3645        int error = 0;
3646        struct filename *name;
3647        struct dentry *dentry;
3648        struct nameidata nd;
3649        unsigned int lookup_flags = 0;
3650retry:
3651        name = user_path_parent(dfd, pathname, &nd, lookup_flags);
3652        if (IS_ERR(name))
3653                return PTR_ERR(name);
3654
3655        switch(nd.last_type) {
3656        case LAST_DOTDOT:
3657                error = -ENOTEMPTY;
3658                goto exit1;
3659        case LAST_DOT:
3660                error = -EINVAL;
3661                goto exit1;
3662        case LAST_ROOT:
3663                error = -EBUSY;
3664                goto exit1;
3665        }
3666
3667        nd.flags &= ~LOOKUP_PARENT;
3668        error = mnt_want_write(nd.path.mnt);
3669        if (error)
3670                goto exit1;
3671
3672        mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
3673        dentry = lookup_hash(&nd);
3674        error = PTR_ERR(dentry);
3675        if (IS_ERR(dentry))
3676                goto exit2;
3677        if (!dentry->d_inode) {
3678                error = -ENOENT;
3679                goto exit3;
3680        }
3681        error = security_path_rmdir(&nd.path, dentry);
3682        if (error)
3683                goto exit3;
3684        error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
3685exit3:
3686        dput(dentry);
3687exit2:
3688        mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
3689        mnt_drop_write(nd.path.mnt);
3690exit1:
3691        path_put(&nd.path);
3692        putname(name);
3693        if (retry_estale(error, lookup_flags)) {
3694                lookup_flags |= LOOKUP_REVAL;
3695                goto retry;
3696        }
3697        return error;
3698}
3699
3700SYSCALL_DEFINE1(rmdir, const char __user *, pathname)
3701{
3702        return do_rmdir(AT_FDCWD, pathname);
3703}
3704
3705/**
3706 * vfs_unlink - unlink a filesystem object
3707 * @dir:        parent directory
3708 * @dentry:     victim
3709 * @delegated_inode: returns victim inode, if the inode is delegated.
3710 *
3711 * The caller must hold dir->i_mutex.
3712 *
3713 * If vfs_unlink discovers a delegation, it will return -EWOULDBLOCK and
3714 * return a reference to the inode in delegated_inode.  The caller
3715 * should then break the delegation on that inode and retry.  Because
3716 * breaking a delegation may take a long time, the caller should drop
3717 * dir->i_mutex before doing so.
3718 *
3719 * Alternatively, a caller may pass NULL for delegated_inode.  This may
3720 * be appropriate for callers that expect the underlying filesystem not
3721 * to be NFS exported.
3722 */
3723int vfs_unlink(struct inode *dir, struct dentry *dentry, struct inode **delegated_inode)
3724{
3725        struct inode *target = dentry->d_inode;
3726        int error = may_delete(dir, dentry, 0);
3727
3728        if (error)
3729                return error;
3730
3731        if (!dir->i_op->unlink)
3732                return -EPERM;
3733
3734        mutex_lock(&target->i_mutex);
3735        if (is_local_mountpoint(dentry))
3736                error = -EBUSY;
3737        else {
3738                error = security_inode_unlink(dir, dentry);
3739                if (!error) {
3740                        error = try_break_deleg(target, delegated_inode);
3741                        if (error)
3742                                goto out;
3743                        error = dir->i_op->unlink(dir, dentry);
3744                        if (!error) {
3745                                dont_mount(dentry);
3746                                detach_mounts(dentry);
3747                        }
3748                }
3749        }
3750out:
3751        mutex_unlock(&target->i_mutex);
3752
3753        /* We don't d_delete() NFS sillyrenamed files--they still exist. */
3754        if (!error && !(dentry->d_flags & DCACHE_NFSFS_RENAMED)) {
3755                fsnotify_link_count(target);
3756                d_delete(dentry);
3757        }
3758
3759        return error;
3760}
3761EXPORT_SYMBOL(vfs_unlink);
3762
3763/*
3764 * Make sure that the actual truncation of the file will occur outside its
3765 * directory's i_mutex.  Truncate can take a long time if there is a lot of
3766 * writeout happening, and we don't want to prevent access to the directory
3767 * while waiting on the I/O.
3768 */
3769static long do_unlinkat(int dfd, const char __user *pathname)
3770{
3771        int error;
3772        struct filename *name;
3773        struct dentry *dentry;
3774        struct nameidata nd;
3775        struct inode *inode = NULL;
3776        struct inode *delegated_inode = NULL;
3777        unsigned int lookup_flags = 0;
3778retry:
3779        name = user_path_parent(dfd, pathname, &nd, lookup_flags);
3780        if (IS_ERR(name))
3781                return PTR_ERR(name);
3782
3783        error = -EISDIR;
3784        if (nd.last_type != LAST_NORM)
3785                goto exit1;
3786
3787        nd.flags &= ~LOOKUP_PARENT;
3788        error = mnt_want_write(nd.path.mnt);
3789        if (error)
3790                goto exit1;
3791retry_deleg:
3792        mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
3793        dentry = lookup_hash(&nd);
3794        error = PTR_ERR(dentry);
3795        if (!IS_ERR(dentry)) {
3796                /* Why not before? Because we want correct error value */
3797                if (nd.last.name[nd.last.len])
3798                        goto slashes;
3799                inode = dentry->d_inode;
3800                if (d_is_negative(dentry))
3801                        goto slashes;
3802                ihold(inode);
3803                error = security_path_unlink(&nd.path, dentry);
3804                if (error)
3805                        goto exit2;
3806                error = vfs_unlink(nd.path.dentry->d_inode, dentry, &delegated_inode);
3807exit2:
3808                dput(dentry);
3809        }
3810        mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
3811        if (inode)
3812                iput(inode);    /* truncate the inode here */
3813        inode = NULL;
3814        if (delegated_inode) {
3815                error = break_deleg_wait(&delegated_inode);
3816                if (!error)
3817                        goto retry_deleg;
3818        }
3819        mnt_drop_write(nd.path.mnt);
3820exit1:
3821        path_put(&nd.path);
3822        putname(name);
3823        if (retry_estale(error, lookup_flags)) {
3824                lookup_flags |= LOOKUP_REVAL;
3825                inode = NULL;
3826                goto retry;
3827        }
3828        return error;
3829
3830slashes:
3831        if (d_is_negative(dentry))
3832                error = -ENOENT;
3833        else if (d_is_dir(dentry))
3834                error = -EISDIR;
3835        else
3836                error = -ENOTDIR;
3837        goto exit2;
3838}
3839
3840SYSCALL_DEFINE3(unlinkat, int, dfd, const char __user *, pathname, int, flag)
3841{
3842        if ((flag & ~AT_REMOVEDIR) != 0)
3843                return -EINVAL;
3844
3845        if (flag & AT_REMOVEDIR)
3846                return do_rmdir(dfd, pathname);
3847
3848        return do_unlinkat(dfd, pathname);
3849}
3850
3851SYSCALL_DEFINE1(unlink, const char __user *, pathname)
3852{
3853        return do_unlinkat(AT_FDCWD, pathname);
3854}
3855
3856int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname)
3857{
3858        int error = may_create(dir, dentry);
3859
3860        if (error)
3861                return error;
3862
3863        if (!dir->i_op->symlink)
3864                return -EPERM;
3865
3866        error = security_inode_symlink(dir, dentry, oldname);
3867        if (error)
3868                return error;
3869
3870        error = dir->i_op->symlink(dir, dentry, oldname);
3871        if (!error)
3872                fsnotify_create(dir, dentry);
3873        return error;
3874}
3875EXPORT_SYMBOL(vfs_symlink);
3876
3877SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
3878                int, newdfd, const char __user *, newname)
3879{
3880        int error;
3881        struct filename *from;
3882        struct dentry *dentry;
3883        struct path path;
3884        unsigned int lookup_flags = 0;
3885
3886        from = getname(oldname);
3887        if (IS_ERR(from))
3888                return PTR_ERR(from);
3889retry:
3890        dentry = user_path_create(newdfd, newname, &path, lookup_flags);
3891        error = PTR_ERR(dentry);
3892        if (IS_ERR(dentry))
3893                goto out_putname;
3894
3895        error = security_path_symlink(&path, dentry, from->name);
3896        if (!error)
3897                error = vfs_symlink(path.dentry->d_inode, dentry, from->name);
3898        done_path_create(&path, dentry);
3899        if (retry_estale(error, lookup_flags)) {
3900                lookup_flags |= LOOKUP_REVAL;
3901                goto retry;
3902        }
3903out_putname:
3904        putname(from);
3905        return error;
3906}
3907
3908SYSCALL_DEFINE2(symlink, const char __user *, oldname, const char __user *, newname)
3909{
3910        return sys_symlinkat(oldname, AT_FDCWD, newname);
3911}
3912
3913/**
3914 * vfs_link - create a new link
3915 * @old_dentry: object to be linked
3916 * @dir:        new parent
3917 * @new_dentry: where to create the new link
3918 * @delegated_inode: returns inode needing a delegation break
3919 *
3920 * The caller must hold dir->i_mutex
3921 *
3922 * If vfs_link discovers a delegation on the to-be-linked file in need
3923 * of breaking, it will return -EWOULDBLOCK and return a reference to the
3924 * inode in delegated_inode.  The caller should then break the delegation
3925 * and retry.  Because breaking a delegation may take a long time, the
3926 * caller should drop the i_mutex before doing so.
3927 *
3928 * Alternatively, a caller may pass NULL for delegated_inode.  This may
3929 * be appropriate for callers that expect the underlying filesystem not
3930 * to be NFS exported.
3931 */
3932int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry, struct inode **delegated_inode)
3933{
3934        struct inode *inode = old_dentry->d_inode;
3935        unsigned max_links = dir->i_sb->s_max_links;
3936        int error;
3937
3938        if (!inode)
3939                return -ENOENT;
3940
3941        error = may_create(dir, new_dentry);
3942        if (error)
3943                return error;
3944
3945        if (dir->i_sb != inode->i_sb)
3946                return -EXDEV;
3947
3948        /*
3949         * A link to an append-only or immutable file cannot be created.
3950         */
3951        if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
3952                return -EPERM;
3953        if (!dir->i_op->link)
3954                return -EPERM;
3955        if (S_ISDIR(inode->i_mode))
3956                return -EPERM;
3957
3958        error = security_inode_link(old_dentry, dir, new_dentry);
3959        if (error)
3960                return error;
3961
3962        mutex_lock(&inode->i_mutex);
3963        /* Make sure we don't allow creating hardlink to an unlinked file */
3964        if (inode->i_nlink == 0 && !(inode->i_state & I_LINKABLE))
3965                error =  -ENOENT;
3966        else if (max_links && inode->i_nlink >= max_links)
3967                error = -EMLINK;
3968        else {
3969                error = try_break_deleg(inode, delegated_inode);
3970                if (!error)
3971                        error = dir->i_op->link(old_dentry, dir, new_dentry);
3972        }
3973
3974        if (!error && (inode->i_state & I_LINKABLE)) {
3975                spin_lock(&inode->i_lock);
3976                inode->i_state &= ~I_LINKABLE;
3977                spin_unlock(&inode->i_lock);
3978        }
3979        mutex_unlock(&inode->i_mutex);
3980        if (!error)
3981                fsnotify_link(dir, inode, new_dentry);
3982        return error;
3983}
3984EXPORT_SYMBOL(vfs_link);
3985
3986/*
3987 * Hardlinks are often used in delicate situations.  We avoid
3988 * security-related surprises by not following symlinks on the
3989 * newname.  --KAB
3990 *
3991 * We don't follow them on the oldname either to be compatible
3992 * with linux 2.0, and to avoid hard-linking to directories
3993 * and other special files.  --ADM
3994 */
3995SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
3996                int, newdfd, const char __user *, newname, int, flags)
3997{
3998        struct dentry *new_dentry;
3999        struct path old_path, new_path;
4000        struct inode *delegated_inode = NULL;
4001        int how = 0;
4002        int error;
4003
4004        if ((flags & ~(AT_SYMLINK_FOLLOW | AT_EMPTY_PATH)) != 0)
4005                return -EINVAL;
4006        /*
4007         * To use null names we require CAP_DAC_READ_SEARCH
4008         * This ensures that not everyone will be able to create
4009         * handlink using the passed filedescriptor.
4010         */
4011        if (flags & AT_EMPTY_PATH) {
4012                if (!capable(CAP_DAC_READ_SEARCH))
4013                        return -ENOENT;
4014                how = LOOKUP_EMPTY;
4015        }
4016
4017        if (flags & AT_SYMLINK_FOLLOW)
4018                how |= LOOKUP_FOLLOW;
4019retry:
4020        error = user_path_at(olddfd, oldname, how, &old_path);
4021        if (error)
4022                return error;
4023
4024        new_dentry = user_path_create(newdfd, newname, &new_path,
4025                                        (how & LOOKUP_REVAL));
4026        error = PTR_ERR(new_dentry);
4027        if (IS_ERR(new_dentry))
4028                goto out;
4029
4030        error = -EXDEV;
4031        if (old_path.mnt != new_path.mnt)
4032                goto out_dput;
4033        error = may_linkat(&old_path);
4034        if (unlikely(error))
4035                goto out_dput;
4036        error = security_path_link(old_path.dentry, &new_path, new_dentry);
4037        if (error)
4038                goto out_dput;
4039        error = vfs_link(old_path.dentry, new_path.dentry->d_inode, new_dentry, &delegated_inode);
4040out_dput:
4041        done_path_create(&new_path, new_dentry);
4042        if (delegated_inode) {
4043                error = break_deleg_wait(&delegated_inode);
4044                if (!error) {
4045                        path_put(&old_path);
4046                        goto retry;
4047                }
4048        }
4049        if (retry_estale(error, how)) {
4050                path_put(&old_path);
4051                how |= LOOKUP_REVAL;
4052                goto retry;
4053        }
4054out:
4055        path_put(&old_path);
4056
4057        return error;
4058}
4059
4060SYSCALL_DEFINE2(link, const char __user *, oldname, const char __user *, newname)
4061{
4062        return sys_linkat(AT_FDCWD, oldname, AT_FDCWD, newname, 0);
4063}
4064
4065/**
4066 * vfs_rename - rename a filesystem object
4067 * @old_dir:    parent of source
4068 * @old_dentry: source
4069 * @new_dir:    parent of destination
4070 * @new_dentry: destination
4071 * @delegated_inode: returns an inode needing a delegation break
4072 * @flags:      rename flags
4073 *
4074 * The caller must hold multiple mutexes--see lock_rename()).
4075 *
4076 * If vfs_rename discovers a delegation in need of breaking at either
4077 * the source or destination, it will return -EWOULDBLOCK and return a
4078 * reference to the inode in delegated_inode.  The caller should then
4079 * break the delegation and retry.  Because breaking a delegation may
4080 * take a long time, the caller should drop all locks before doing
4081 * so.
4082 *
4083 * Alternatively, a caller may pass NULL for delegated_inode.  This may
4084 * be appropriate for callers that expect the underlying filesystem not
4085 * to be NFS exported.
4086 *
4087 * The worst of all namespace operations - renaming directory. "Perverted"
4088 * doesn't even start to describe it. Somebody in UCB had a heck of a trip...
4089 * Problems:
4090 *      a) we can get into loop creation.
4091 *      b) race potential - two innocent renames can create a loop together.
4092 *         That's where 4.4 screws up. Current fix: serialization on
4093 *         sb->s_vfs_rename_mutex. We might be more accurate, but that's another
4094 *         story.
4095 *      c) we have to lock _four_ objects - parents and victim (if it exists),
4096 *         and source (if it is not a directory).
4097 *         And that - after we got ->i_mutex on parents (until then we don't know
4098 *         whether the target exists).  Solution: try to be smart with locking
4099 *         order for inodes.  We rely on the fact that tree topology may change
4100 *         only under ->s_vfs_rename_mutex _and_ that parent of the object we
4101 *         move will be locked.  Thus we can rank directories by the tree
4102 *         (ancestors first) and rank all non-directories after them.
4103 *         That works since everybody except rename does "lock parent, lookup,
4104 *         lock child" and rename is under ->s_vfs_rename_mutex.
4105 *         HOWEVER, it relies on the assumption that any object with ->lookup()
4106 *         has no more than 1 dentry.  If "hybrid" objects will ever appear,
4107 *         we'd better make sure that there's no link(2) for them.
4108 *      d) conversion from fhandle to dentry may come in the wrong moment - when
4109 *         we are removing the target. Solution: we will have to grab ->i_mutex
4110 *         in the fhandle_to_dentry code. [FIXME - current nfsfh.c relies on
4111 *         ->i_mutex on parents, which works but leads to some truly excessive
4112 *         locking].
4113 */
4114int vfs_rename(struct inode *old_dir, struct dentry *old_dentry,
4115               struct inode *new_dir, struct dentry *new_dentry,
4116               struct inode **delegated_inode, unsigned int flags)
4117{
4118        int error;
4119        bool is_dir = d_is_dir(old_dentry);
4120        const unsigned char *old_name;
4121        struct inode *source = old_dentry->d_inode;
4122        struct inode *target = new_dentry->d_inode;
4123        bool new_is_dir = false;
4124        unsigned max_links = new_dir->i_sb->s_max_links;
4125
4126        if (source == target)
4127                return 0;
4128
4129        error = may_delete(old_dir, old_dentry, is_dir);
4130        if (error)
4131                return error;
4132
4133        if (!target) {
4134                error = may_create(new_dir, new_dentry);
4135        } else {
4136                new_is_dir = d_is_dir(new_dentry);
4137
4138                if (!(flags & RENAME_EXCHANGE))
4139                        error = may_delete(new_dir, new_dentry, is_dir);
4140                else
4141                        error = may_delete(new_dir, new_dentry, new_is_dir);
4142        }
4143        if (error)
4144                return error;
4145
4146        if (!old_dir->i_op->rename && !old_dir->i_op->rename2)
4147                return -EPERM;
4148
4149        if (flags && !old_dir->i_op->rename2)
4150                return -EINVAL;
4151
4152        /*
4153         * If we are going to change the parent - check write permissions,
4154         * we'll need to flip '..'.
4155         */
4156        if (new_dir != old_dir) {
4157                if (is_dir) {
4158                        error = inode_permission(source, MAY_WRITE);
4159                        if (error)
4160                                return error;
4161                }
4162                if ((flags & RENAME_EXCHANGE) && new_is_dir) {
4163                        error = inode_permission(target, MAY_WRITE);
4164                        if (error)
4165                                return error;
4166                }
4167        }
4168
4169        error = security_inode_rename(old_dir, old_dentry, new_dir, new_dentry,
4170                                      flags);
4171        if (error)
4172                return error;
4173
4174        old_name = fsnotify_oldname_init(old_dentry->d_name.name);
4175        dget(new_dentry);
4176        if (!is_dir || (flags & RENAME_EXCHANGE))
4177                lock_two_nondirectories(source, target);
4178        else if (target)
4179                mutex_lock(&target->i_mutex);
4180
4181        error = -EBUSY;
4182        if (is_local_mountpoint(old_dentry) || is_local_mountpoint(new_dentry))
4183                goto out;
4184
4185        if (max_links && new_dir != old_dir) {
4186                error = -EMLINK;
4187                if (is_dir && !new_is_dir && new_dir->i_nlink >= max_links)
4188                        goto out;
4189                if ((flags & RENAME_EXCHANGE) && !is_dir && new_is_dir &&
4190                    old_dir->i_nlink >= max_links)
4191                        goto out;
4192        }
4193        if (is_dir && !(flags & RENAME_EXCHANGE) && target)
4194                shrink_dcache_parent(new_dentry);
4195        if (!is_dir) {
4196                error = try_break_deleg(source, delegated_inode);
4197                if (error)
4198                        goto out;
4199        }
4200        if (target && !new_is_dir) {
4201                error = try_break_deleg(target, delegated_inode);
4202                if (error)
4203                        goto out;
4204        }
4205        if (!old_dir->i_op->rename2) {
4206                error = old_dir->i_op->rename(old_dir, old_dentry,
4207                                              new_dir, new_dentry);
4208        } else {
4209                WARN_ON(old_dir->i_op->rename != NULL);
4210                error = old_dir->i_op->rename2(old_dir, old_dentry,
4211                                               new_dir, new_dentry, flags);
4212        }
4213        if (error)
4214                goto out;
4215
4216        if (!(flags & RENAME_EXCHANGE) && target) {
4217                if (is_dir)
4218                        target->i_flags |= S_DEAD;
4219                dont_mount(new_dentry);
4220                detach_mounts(new_dentry);
4221        }
4222        if (!(old_dir->i_sb->s_type->fs_flags & FS_RENAME_DOES_D_MOVE)) {
4223                if (!(flags & RENAME_EXCHANGE))
4224                        d_move(old_dentry, new_dentry);
4225                else
4226                        d_exchange(old_dentry, new_dentry);
4227        }
4228out:
4229        if (!is_dir || (flags & RENAME_EXCHANGE))
4230                unlock_two_nondirectories(source, target);
4231        else if (target)
4232                mutex_unlock(&target->i_mutex);
4233        dput(new_dentry);
4234        if (!error) {
4235                fsnotify_move(old_dir, new_dir, old_name, is_dir,
4236                              !(flags & RENAME_EXCHANGE) ? target : NULL, old_dentry);
4237                if (flags & RENAME_EXCHANGE) {
4238                        fsnotify_move(new_dir, old_dir, old_dentry->d_name.name,
4239                                      new_is_dir, NULL, new_dentry);
4240                }
4241        }
4242        fsnotify_oldname_free(old_name);
4243
4244        return error;
4245}
4246EXPORT_SYMBOL(vfs_rename);
4247
4248SYSCALL_DEFINE5(renameat2, int, olddfd, const char __user *, oldname,
4249                int, newdfd, const char __user *, newname, unsigned int, flags)
4250{
4251        struct dentry *old_dir, *new_dir;
4252        struct dentry *old_dentry, *new_dentry;
4253        struct dentry *trap;
4254        struct nameidata oldnd, newnd;
4255        struct inode *delegated_inode = NULL;
4256        struct filename *from;
4257        struct filename *to;
4258        unsigned int lookup_flags = 0;
4259        bool should_retry = false;
4260        int error;
4261
4262        if (flags & ~(RENAME_NOREPLACE | RENAME_EXCHANGE | RENAME_WHITEOUT))
4263                return -EINVAL;
4264
4265        if ((flags & (RENAME_NOREPLACE | RENAME_WHITEOUT)) &&
4266            (flags & RENAME_EXCHANGE))
4267                return -EINVAL;
4268
4269        if ((flags & RENAME_WHITEOUT) && !capable(CAP_MKNOD))
4270                return -EPERM;
4271
4272retry:
4273        from = user_path_parent(olddfd, oldname, &oldnd, lookup_flags);
4274        if (IS_ERR(from)) {
4275                error = PTR_ERR(from);
4276                goto exit;
4277        }
4278
4279        to = user_path_parent(newdfd, newname, &newnd, lookup_flags);
4280        if (IS_ERR(to)) {
4281                error = PTR_ERR(to);
4282                goto exit1;
4283        }
4284
4285        error = -EXDEV;
4286        if (oldnd.path.mnt != newnd.path.mnt)
4287                goto exit2;
4288
4289        old_dir = oldnd.path.dentry;
4290        error = -EBUSY;
4291        if (oldnd.last_type != LAST_NORM)
4292                goto exit2;
4293
4294        new_dir = newnd.path.dentry;
4295        if (flags & RENAME_NOREPLACE)
4296                error = -EEXIST;
4297        if (newnd.last_type != LAST_NORM)
4298                goto exit2;
4299
4300        error = mnt_want_write(oldnd.path.mnt);
4301        if (error)
4302                goto exit2;
4303
4304        oldnd.flags &= ~LOOKUP_PARENT;
4305        newnd.flags &= ~LOOKUP_PARENT;
4306        if (!(flags & RENAME_EXCHANGE))
4307                newnd.flags |= LOOKUP_RENAME_TARGET;
4308
4309retry_deleg:
4310        trap = lock_rename(new_dir, old_dir);
4311
4312        old_dentry = lookup_hash(&oldnd);
4313        error = PTR_ERR(old_dentry);
4314        if (IS_ERR(old_dentry))
4315                goto exit3;
4316        /* source must exist */
4317        error = -ENOENT;
4318        if (d_is_negative(old_dentry))
4319                goto exit4;
4320        new_dentry = lookup_hash(&newnd);
4321        error = PTR_ERR(new_dentry);
4322        if (IS_ERR(new_dentry))
4323                goto exit4;
4324        error = -EEXIST;
4325        if ((flags & RENAME_NOREPLACE) && d_is_positive(new_dentry))
4326                goto exit5;
4327        if (flags & RENAME_EXCHANGE) {
4328                error = -ENOENT;
4329                if (d_is_negative(new_dentry))
4330                        goto exit5;
4331
4332                if (!d_is_dir(new_dentry)) {
4333                        error = -ENOTDIR;
4334                        if (newnd.last.name[newnd.last.len])
4335                                goto exit5;
4336                }
4337        }
4338        /* unless the source is a directory trailing slashes give -ENOTDIR */
4339        if (!d_is_dir(old_dentry)) {
4340                error = -ENOTDIR;
4341                if (oldnd.last.name[oldnd.last.len])
4342                        goto exit5;
4343                if (!(flags & RENAME_EXCHANGE) && newnd.last.name[newnd.last.len])
4344                        goto exit5;
4345        }
4346        /* source should not be ancestor of target */
4347        error = -EINVAL;
4348        if (old_dentry == trap)
4349                goto exit5;
4350        /* target should not be an ancestor of source */
4351        if (!(flags & RENAME_EXCHANGE))
4352                error = -ENOTEMPTY;
4353        if (new_dentry == trap)
4354                goto exit5;
4355
4356        error = security_path_rename(&oldnd.path, old_dentry,
4357                                     &newnd.path, new_dentry, flags);
4358        if (error)
4359                goto exit5;
4360        error = vfs_rename(old_dir->d_inode, old_dentry,
4361                           new_dir->d_inode, new_dentry,
4362                           &delegated_inode, flags);
4363exit5:
4364        dput(new_dentry);
4365exit4:
4366        dput(old_dentry);
4367exit3:
4368        unlock_rename(new_dir, old_dir);
4369        if (delegated_inode) {
4370                error = break_deleg_wait(&delegated_inode);
4371                if (!error)
4372                        goto retry_deleg;
4373        }
4374        mnt_drop_write(oldnd.path.mnt);
4375exit2:
4376        if (retry_estale(error, lookup_flags))
4377                should_retry = true;
4378        path_put(&newnd.path);
4379        putname(to);
4380exit1:
4381        path_put(&oldnd.path);
4382        putname(from);
4383        if (should_retry) {
4384                should_retry = false;
4385                lookup_flags |= LOOKUP_REVAL;
4386                goto retry;
4387        }
4388exit:
4389        return error;
4390}
4391
4392SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
4393                int, newdfd, const char __user *, newname)
4394{
4395        return sys_renameat2(olddfd, oldname, newdfd, newname, 0);
4396}
4397
4398SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newname)
4399{
4400        return sys_renameat2(AT_FDCWD, oldname, AT_FDCWD, newname, 0);
4401}
4402
4403int vfs_whiteout(struct inode *dir, struct dentry *dentry)
4404{
4405        int error = may_create(dir, dentry);
4406        if (error)
4407                return error;
4408
4409        if (!dir->i_op->mknod)
4410                return -EPERM;
4411
4412        return dir->i_op->mknod(dir, dentry,
4413                                S_IFCHR | WHITEOUT_MODE, WHITEOUT_DEV);
4414}
4415EXPORT_SYMBOL(vfs_whiteout);
4416
4417int readlink_copy(char __user *buffer, int buflen, const char *link)
4418{
4419        int len = PTR_ERR(link);
4420        if (IS_ERR(link))
4421                goto out;
4422
4423        len = strlen(link);
4424        if (len > (unsigned) buflen)
4425                len = buflen;
4426        if (copy_to_user(buffer, link, len))
4427                len = -EFAULT;
4428out:
4429        return len;
4430}
4431EXPORT_SYMBOL(readlink_copy);
4432
4433/*
4434 * A helper for ->readlink().  This should be used *ONLY* for symlinks that
4435 * have ->follow_link() touching nd only in nd_set_link().  Using (or not
4436 * using) it for any given inode is up to filesystem.
4437 */
4438int generic_readlink(struct dentry *dentry, char __user *buffer, int buflen)
4439{
4440        struct nameidata nd;
4441        void *cookie;
4442        int res;
4443
4444        nd.depth = 0;
4445        cookie = dentry->d_inode->i_op->follow_link(dentry, &nd);
4446        if (IS_ERR(cookie))
4447                return PTR_ERR(cookie);
4448
4449        res = readlink_copy(buffer, buflen, nd_get_link(&nd));
4450        if (dentry->d_inode->i_op->put_link)
4451                dentry->d_inode->i_op->put_link(dentry, &nd, cookie);
4452        return res;
4453}
4454EXPORT_SYMBOL(generic_readlink);
4455
4456/* get the link contents into pagecache */
4457static char *page_getlink(struct dentry * dentry, struct page **ppage)
4458{
4459        char *kaddr;
4460        struct page *page;
4461        struct address_space *mapping = dentry->d_inode->i_mapping;
4462        page = read_mapping_page(mapping, 0, NULL);
4463        if (IS_ERR(page))
4464                return (char*)page;
4465        *ppage = page;
4466        kaddr = kmap(page);
4467        nd_terminate_link(kaddr, dentry->d_inode->i_size, PAGE_SIZE - 1);
4468        return kaddr;
4469}
4470
4471int page_readlink(struct dentry *dentry, char __user *buffer, int buflen)
4472{
4473        struct page *page = NULL;
4474        int res = readlink_copy(buffer, buflen, page_getlink(dentry, &page));
4475        if (page) {
4476                kunmap(page);
4477                page_cache_release(page);
4478        }
4479        return res;
4480}
4481EXPORT_SYMBOL(page_readlink);
4482
4483void *page_follow_link_light(struct dentry *dentry, struct nameidata *nd)
4484{
4485        struct page *page = NULL;
4486        nd_set_link(nd, page_getlink(dentry, &page));
4487        return page;
4488}
4489EXPORT_SYMBOL(page_follow_link_light);
4490
4491void page_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
4492{
4493        struct page *page = cookie;
4494
4495        if (page) {
4496                kunmap(page);
4497                page_cache_release(page);
4498        }
4499}
4500EXPORT_SYMBOL(page_put_link);
4501
4502/*
4503 * The nofs argument instructs pagecache_write_begin to pass AOP_FLAG_NOFS
4504 */
4505int __page_symlink(struct inode *inode, const char *symname, int len, int nofs)
4506{
4507        struct address_space *mapping = inode->i_mapping;
4508        struct page *page;
4509        void *fsdata;
4510        int err;
4511        char *kaddr;
4512        unsigned int flags = AOP_FLAG_UNINTERRUPTIBLE;
4513        if (nofs)
4514                flags |= AOP_FLAG_NOFS;
4515
4516retry:
4517        err = pagecache_write_begin(NULL, mapping, 0, len-1,
4518                                flags, &page, &fsdata);
4519        if (err)
4520                goto fail;
4521
4522        kaddr = kmap_atomic(page);
4523        memcpy(kaddr, symname, len-1);
4524        kunmap_atomic(kaddr);
4525
4526        err = pagecache_write_end(NULL, mapping, 0, len-1, len-1,
4527                                                        page, fsdata);
4528        if (err < 0)
4529                goto fail;
4530        if (err < len-1)
4531                goto retry;
4532
4533        mark_inode_dirty(inode);
4534        return 0;
4535fail:
4536        return err;
4537}
4538EXPORT_SYMBOL(__page_symlink);
4539
4540int page_symlink(struct inode *inode, const char *symname, int len)
4541{
4542        return __page_symlink(inode, symname, len,
4543                        !(mapping_gfp_mask(inode->i_mapping) & __GFP_FS));
4544}
4545EXPORT_SYMBOL(page_symlink);
4546
4547const struct inode_operations page_symlink_inode_operations = {
4548        .readlink       = generic_readlink,
4549        .follow_link    = page_follow_link_light,
4550        .put_link       = page_put_link,
4551};
4552EXPORT_SYMBOL(page_symlink_inode_operations);
4553