1 | /* SPDX-License-Identifier: GPL-2.0 */ |
2 | #include <linux/syscalls.h> |
3 | #include <linux/export.h> |
4 | #include <linux/uaccess.h> |
5 | #include <linux/fs_struct.h> |
6 | #include <linux/fs.h> |
7 | #include <linux/slab.h> |
8 | #include <linux/prefetch.h> |
9 | #include "mount.h" |
10 | #include "internal.h" |
11 | |
12 | struct prepend_buffer { |
13 | char *buf; |
14 | int len; |
15 | }; |
16 | #define DECLARE_BUFFER(__name, __buf, __len) \ |
17 | struct prepend_buffer __name = {.buf = __buf + __len, .len = __len} |
18 | |
19 | static char *(struct prepend_buffer *p) |
20 | { |
21 | if (likely(p->len >= 0)) |
22 | return p->buf; |
23 | return ERR_PTR(error: -ENAMETOOLONG); |
24 | } |
25 | |
26 | static bool prepend_char(struct prepend_buffer *p, unsigned char c) |
27 | { |
28 | if (likely(p->len > 0)) { |
29 | p->len--; |
30 | *--p->buf = c; |
31 | return true; |
32 | } |
33 | p->len = -1; |
34 | return false; |
35 | } |
36 | |
37 | /* |
38 | * The source of the prepend data can be an optimistic load |
39 | * of a dentry name and length. And because we don't hold any |
40 | * locks, the length and the pointer to the name may not be |
41 | * in sync if a concurrent rename happens, and the kernel |
42 | * copy might fault as a result. |
43 | * |
44 | * The end result will correct itself when we check the |
45 | * rename sequence count, but we need to be able to handle |
46 | * the fault gracefully. |
47 | */ |
48 | static bool prepend_copy(void *dst, const void *src, int len) |
49 | { |
50 | if (unlikely(copy_from_kernel_nofault(dst, src, len))) { |
51 | memset(dst, 'x', len); |
52 | return false; |
53 | } |
54 | return true; |
55 | } |
56 | |
57 | static bool prepend(struct prepend_buffer *p, const char *str, int namelen) |
58 | { |
59 | // Already overflowed? |
60 | if (p->len < 0) |
61 | return false; |
62 | |
63 | // Will overflow? |
64 | if (p->len < namelen) { |
65 | // Fill as much as possible from the end of the name |
66 | str += namelen - p->len; |
67 | p->buf -= p->len; |
68 | prepend_copy(dst: p->buf, src: str, len: p->len); |
69 | p->len = -1; |
70 | return false; |
71 | } |
72 | |
73 | // Fits fully |
74 | p->len -= namelen; |
75 | p->buf -= namelen; |
76 | return prepend_copy(dst: p->buf, src: str, len: namelen); |
77 | } |
78 | |
79 | /** |
80 | * prepend_name - prepend a pathname in front of current buffer pointer |
81 | * @p: prepend buffer which contains buffer pointer and allocated length |
82 | * @name: name string and length qstr structure |
83 | * |
84 | * With RCU path tracing, it may race with d_move(). Use READ_ONCE() to |
85 | * make sure that either the old or the new name pointer and length are |
86 | * fetched. However, there may be mismatch between length and pointer. |
87 | * But since the length cannot be trusted, we need to copy the name very |
88 | * carefully when doing the prepend_copy(). It also prepends "/" at |
89 | * the beginning of the name. The sequence number check at the caller will |
90 | * retry it again when a d_move() does happen. So any garbage in the buffer |
91 | * due to mismatched pointer and length will be discarded. |
92 | * |
93 | * Load acquire is needed to make sure that we see the new name data even |
94 | * if we might get the length wrong. |
95 | */ |
96 | static bool prepend_name(struct prepend_buffer *p, const struct qstr *name) |
97 | { |
98 | const char *dname = smp_load_acquire(&name->name); /* ^^^ */ |
99 | u32 dlen = READ_ONCE(name->len); |
100 | |
101 | return prepend(p, str: dname, namelen: dlen) && prepend_char(p, c: '/'); |
102 | } |
103 | |
104 | static int __prepend_path(const struct dentry *dentry, const struct mount *mnt, |
105 | const struct path *root, struct prepend_buffer *p) |
106 | { |
107 | while (dentry != root->dentry || &mnt->mnt != root->mnt) { |
108 | const struct dentry *parent = READ_ONCE(dentry->d_parent); |
109 | |
110 | if (dentry == mnt->mnt.mnt_root) { |
111 | struct mount *m = READ_ONCE(mnt->mnt_parent); |
112 | struct mnt_namespace *mnt_ns; |
113 | |
114 | if (likely(mnt != m)) { |
115 | dentry = READ_ONCE(mnt->mnt_mountpoint); |
116 | mnt = m; |
117 | continue; |
118 | } |
119 | /* Global root */ |
120 | mnt_ns = READ_ONCE(mnt->mnt_ns); |
121 | /* open-coded is_mounted() to use local mnt_ns */ |
122 | if (!IS_ERR_OR_NULL(ptr: mnt_ns) && !is_anon_ns(ns: mnt_ns)) |
123 | return 1; // absolute root |
124 | else |
125 | return 2; // detached or not attached yet |
126 | } |
127 | |
128 | if (unlikely(dentry == parent)) |
129 | /* Escaped? */ |
130 | return 3; |
131 | |
132 | prefetch(parent); |
133 | if (!prepend_name(p, name: &dentry->d_name)) |
134 | break; |
135 | dentry = parent; |
136 | } |
137 | return 0; |
138 | } |
139 | |
140 | /** |
141 | * prepend_path - Prepend path string to a buffer |
142 | * @path: the dentry/vfsmount to report |
143 | * @root: root vfsmnt/dentry |
144 | * @p: prepend buffer which contains buffer pointer and allocated length |
145 | * |
146 | * The function will first try to write out the pathname without taking any |
147 | * lock other than the RCU read lock to make sure that dentries won't go away. |
148 | * It only checks the sequence number of the global rename_lock as any change |
149 | * in the dentry's d_seq will be preceded by changes in the rename_lock |
150 | * sequence number. If the sequence number had been changed, it will restart |
151 | * the whole pathname back-tracing sequence again by taking the rename_lock. |
152 | * In this case, there is no need to take the RCU read lock as the recursive |
153 | * parent pointer references will keep the dentry chain alive as long as no |
154 | * rename operation is performed. |
155 | */ |
156 | static int prepend_path(const struct path *path, |
157 | const struct path *root, |
158 | struct prepend_buffer *p) |
159 | { |
160 | unsigned seq, m_seq = 0; |
161 | struct prepend_buffer b; |
162 | int error; |
163 | |
164 | rcu_read_lock(); |
165 | restart_mnt: |
166 | read_seqbegin_or_lock(lock: &mount_lock, seq: &m_seq); |
167 | seq = 0; |
168 | rcu_read_lock(); |
169 | restart: |
170 | b = *p; |
171 | read_seqbegin_or_lock(lock: &rename_lock, seq: &seq); |
172 | error = __prepend_path(dentry: path->dentry, mnt: real_mount(mnt: path->mnt), root, p: &b); |
173 | if (!(seq & 1)) |
174 | rcu_read_unlock(); |
175 | if (need_seqretry(lock: &rename_lock, seq)) { |
176 | seq = 1; |
177 | goto restart; |
178 | } |
179 | done_seqretry(lock: &rename_lock, seq); |
180 | |
181 | if (!(m_seq & 1)) |
182 | rcu_read_unlock(); |
183 | if (need_seqretry(lock: &mount_lock, seq: m_seq)) { |
184 | m_seq = 1; |
185 | goto restart_mnt; |
186 | } |
187 | done_seqretry(lock: &mount_lock, seq: m_seq); |
188 | |
189 | if (unlikely(error == 3)) |
190 | b = *p; |
191 | |
192 | if (b.len == p->len) |
193 | prepend_char(p: &b, c: '/'); |
194 | |
195 | *p = b; |
196 | return error; |
197 | } |
198 | |
199 | /** |
200 | * __d_path - return the path of a dentry |
201 | * @path: the dentry/vfsmount to report |
202 | * @root: root vfsmnt/dentry |
203 | * @buf: buffer to return value in |
204 | * @buflen: buffer length |
205 | * |
206 | * Convert a dentry into an ASCII path name. |
207 | * |
208 | * Returns a pointer into the buffer or an error code if the |
209 | * path was too long. |
210 | * |
211 | * "buflen" should be positive. |
212 | * |
213 | * If the path is not reachable from the supplied root, return %NULL. |
214 | */ |
215 | char *__d_path(const struct path *path, |
216 | const struct path *root, |
217 | char *buf, int buflen) |
218 | { |
219 | DECLARE_BUFFER(b, buf, buflen); |
220 | |
221 | prepend_char(p: &b, c: 0); |
222 | if (unlikely(prepend_path(path, root, &b) > 0)) |
223 | return NULL; |
224 | return extract_string(p: &b); |
225 | } |
226 | |
227 | char *d_absolute_path(const struct path *path, |
228 | char *buf, int buflen) |
229 | { |
230 | struct path root = {}; |
231 | DECLARE_BUFFER(b, buf, buflen); |
232 | |
233 | prepend_char(p: &b, c: 0); |
234 | if (unlikely(prepend_path(path, &root, &b) > 1)) |
235 | return ERR_PTR(error: -EINVAL); |
236 | return extract_string(p: &b); |
237 | } |
238 | |
239 | static void get_fs_root_rcu(struct fs_struct *fs, struct path *root) |
240 | { |
241 | unsigned seq; |
242 | |
243 | do { |
244 | seq = read_seqcount_begin(&fs->seq); |
245 | *root = fs->root; |
246 | } while (read_seqcount_retry(&fs->seq, seq)); |
247 | } |
248 | |
249 | /** |
250 | * d_path - return the path of a dentry |
251 | * @path: path to report |
252 | * @buf: buffer to return value in |
253 | * @buflen: buffer length |
254 | * |
255 | * Convert a dentry into an ASCII path name. If the entry has been deleted |
256 | * the string " (deleted)" is appended. Note that this is ambiguous. |
257 | * |
258 | * Returns a pointer into the buffer or an error code if the path was |
259 | * too long. Note: Callers should use the returned pointer, not the passed |
260 | * in buffer, to use the name! The implementation often starts at an offset |
261 | * into the buffer, and may leave 0 bytes at the start. |
262 | * |
263 | * "buflen" should be positive. |
264 | */ |
265 | char *d_path(const struct path *path, char *buf, int buflen) |
266 | { |
267 | DECLARE_BUFFER(b, buf, buflen); |
268 | struct path root; |
269 | |
270 | /* |
271 | * We have various synthetic filesystems that never get mounted. On |
272 | * these filesystems dentries are never used for lookup purposes, and |
273 | * thus don't need to be hashed. They also don't need a name until a |
274 | * user wants to identify the object in /proc/pid/fd/. The little hack |
275 | * below allows us to generate a name for these objects on demand: |
276 | * |
277 | * Some pseudo inodes are mountable. When they are mounted |
278 | * path->dentry == path->mnt->mnt_root. In that case don't call d_dname |
279 | * and instead have d_path return the mounted path. |
280 | */ |
281 | if (path->dentry->d_op && path->dentry->d_op->d_dname && |
282 | (!IS_ROOT(path->dentry) || path->dentry != path->mnt->mnt_root)) |
283 | return path->dentry->d_op->d_dname(path->dentry, buf, buflen); |
284 | |
285 | rcu_read_lock(); |
286 | get_fs_root_rcu(current->fs, root: &root); |
287 | if (unlikely(d_unlinked(path->dentry))) |
288 | prepend(p: &b, str: " (deleted)" , namelen: 11); |
289 | else |
290 | prepend_char(p: &b, c: 0); |
291 | prepend_path(path, root: &root, p: &b); |
292 | rcu_read_unlock(); |
293 | |
294 | return extract_string(p: &b); |
295 | } |
296 | EXPORT_SYMBOL(d_path); |
297 | |
298 | /* |
299 | * Helper function for dentry_operations.d_dname() members |
300 | */ |
301 | char *dynamic_dname(char *buffer, int buflen, const char *fmt, ...) |
302 | { |
303 | va_list args; |
304 | char temp[64]; |
305 | int sz; |
306 | |
307 | va_start(args, fmt); |
308 | sz = vsnprintf(buf: temp, size: sizeof(temp), fmt, args) + 1; |
309 | va_end(args); |
310 | |
311 | if (sz > sizeof(temp) || sz > buflen) |
312 | return ERR_PTR(error: -ENAMETOOLONG); |
313 | |
314 | buffer += buflen - sz; |
315 | return memcpy(buffer, temp, sz); |
316 | } |
317 | |
318 | char *simple_dname(struct dentry *dentry, char *buffer, int buflen) |
319 | { |
320 | DECLARE_BUFFER(b, buffer, buflen); |
321 | /* these dentries are never renamed, so d_lock is not needed */ |
322 | prepend(p: &b, str: " (deleted)" , namelen: 11); |
323 | prepend(p: &b, str: dentry->d_name.name, namelen: dentry->d_name.len); |
324 | prepend_char(p: &b, c: '/'); |
325 | return extract_string(p: &b); |
326 | } |
327 | |
328 | /* |
329 | * Write full pathname from the root of the filesystem into the buffer. |
330 | */ |
331 | static char *__dentry_path(const struct dentry *d, struct prepend_buffer *p) |
332 | { |
333 | const struct dentry *dentry; |
334 | struct prepend_buffer b; |
335 | int seq = 0; |
336 | |
337 | rcu_read_lock(); |
338 | restart: |
339 | dentry = d; |
340 | b = *p; |
341 | read_seqbegin_or_lock(lock: &rename_lock, seq: &seq); |
342 | while (!IS_ROOT(dentry)) { |
343 | const struct dentry *parent = dentry->d_parent; |
344 | |
345 | prefetch(parent); |
346 | if (!prepend_name(p: &b, name: &dentry->d_name)) |
347 | break; |
348 | dentry = parent; |
349 | } |
350 | if (!(seq & 1)) |
351 | rcu_read_unlock(); |
352 | if (need_seqretry(lock: &rename_lock, seq)) { |
353 | seq = 1; |
354 | goto restart; |
355 | } |
356 | done_seqretry(lock: &rename_lock, seq); |
357 | if (b.len == p->len) |
358 | prepend_char(p: &b, c: '/'); |
359 | return extract_string(p: &b); |
360 | } |
361 | |
362 | char *dentry_path_raw(const struct dentry *dentry, char *buf, int buflen) |
363 | { |
364 | DECLARE_BUFFER(b, buf, buflen); |
365 | |
366 | prepend_char(p: &b, c: 0); |
367 | return __dentry_path(d: dentry, p: &b); |
368 | } |
369 | EXPORT_SYMBOL(dentry_path_raw); |
370 | |
371 | char *dentry_path(const struct dentry *dentry, char *buf, int buflen) |
372 | { |
373 | DECLARE_BUFFER(b, buf, buflen); |
374 | |
375 | if (unlikely(d_unlinked(dentry))) |
376 | prepend(p: &b, str: "//deleted" , namelen: 10); |
377 | else |
378 | prepend_char(p: &b, c: 0); |
379 | return __dentry_path(d: dentry, p: &b); |
380 | } |
381 | |
382 | static void get_fs_root_and_pwd_rcu(struct fs_struct *fs, struct path *root, |
383 | struct path *pwd) |
384 | { |
385 | unsigned seq; |
386 | |
387 | do { |
388 | seq = read_seqcount_begin(&fs->seq); |
389 | *root = fs->root; |
390 | *pwd = fs->pwd; |
391 | } while (read_seqcount_retry(&fs->seq, seq)); |
392 | } |
393 | |
394 | /* |
395 | * NOTE! The user-level library version returns a |
396 | * character pointer. The kernel system call just |
397 | * returns the length of the buffer filled (which |
398 | * includes the ending '\0' character), or a negative |
399 | * error value. So libc would do something like |
400 | * |
401 | * char *getcwd(char * buf, size_t size) |
402 | * { |
403 | * int retval; |
404 | * |
405 | * retval = sys_getcwd(buf, size); |
406 | * if (retval >= 0) |
407 | * return buf; |
408 | * errno = -retval; |
409 | * return NULL; |
410 | * } |
411 | */ |
412 | SYSCALL_DEFINE2(getcwd, char __user *, buf, unsigned long, size) |
413 | { |
414 | int error; |
415 | struct path pwd, root; |
416 | char *page = __getname(); |
417 | |
418 | if (!page) |
419 | return -ENOMEM; |
420 | |
421 | rcu_read_lock(); |
422 | get_fs_root_and_pwd_rcu(current->fs, root: &root, pwd: &pwd); |
423 | |
424 | if (unlikely(d_unlinked(pwd.dentry))) { |
425 | rcu_read_unlock(); |
426 | error = -ENOENT; |
427 | } else { |
428 | unsigned len; |
429 | DECLARE_BUFFER(b, page, PATH_MAX); |
430 | |
431 | prepend_char(p: &b, c: 0); |
432 | if (unlikely(prepend_path(&pwd, &root, &b) > 0)) |
433 | prepend(p: &b, str: "(unreachable)" , namelen: 13); |
434 | rcu_read_unlock(); |
435 | |
436 | len = PATH_MAX - b.len; |
437 | if (unlikely(len > PATH_MAX)) |
438 | error = -ENAMETOOLONG; |
439 | else if (unlikely(len > size)) |
440 | error = -ERANGE; |
441 | else if (copy_to_user(to: buf, from: b.buf, n: len)) |
442 | error = -EFAULT; |
443 | else |
444 | error = len; |
445 | } |
446 | __putname(page); |
447 | return error; |
448 | } |
449 | |