open.c source code [linux/fs/open.c]

1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	* linux/fs/open.c
4	*
5	* Copyright (C) 1991, 1992 Linus Torvalds
6	*/
7
8	#include <linux/string.h>
9	#include <linux/mm.h>
10	#include <linux/file.h>
11	#include <linux/fdtable.h>
12	#include <linux/fsnotify.h>
13	#include <linux/module.h>
14	#include <linux/tty.h>
15	#include <linux/namei.h>
16	#include <linux/backing-dev.h>
17	#include <linux/capability.h>
18	#include <linux/securebits.h>
19	#include <linux/security.h>
20	#include <linux/mount.h>
21	#include <linux/fcntl.h>
22	#include <linux/slab.h>
23	#include <linux/uaccess.h>
24	#include <linux/fs.h>
25	#include <linux/personality.h>
26	#include <linux/pagemap.h>
27	#include <linux/syscalls.h>
28	#include <linux/rcupdate.h>
29	#include <linux/audit.h>
30	#include <linux/falloc.h>
31	#include <linux/fs_struct.h>
32	#include <linux/ima.h>
33	#include <linux/dnotify.h>
34	#include <linux/compat.h>
35	#include <linux/mnt_idmapping.h>
36	#include <linux/filelock.h>
37
38	#include "internal.h"
39
40	int do_truncate(struct mnt_idmap idmap, struct* dentry *dentry,
41	loff_t length, unsigned int time_attrs, struct file *filp)
42	{
43	int ret;
44	struct iattr newattrs;
45
46	/ Not pretty: "inode->i_size" shouldn't really be signed. But it is. /
47	if (length < `0`)
48	return -EINVAL;
49
50	newattrs.ia_size = length;
51	newattrs.ia_valid = ATTR_SIZE \| time_attrs;
52	if (filp) {
53	newattrs.ia_file = filp;
54	newattrs.ia_valid \|= ATTR_FILE;
55	}
56
57	/ Remove suid, sgid, and file capabilities on truncate too /
58	ret = dentry_needs_remove_privs(idmap, dentry);
59	if (ret < `0`)
60	return ret;
61	if (ret)
62	newattrs.ia_valid \|= ret \| ATTR_FORCE;
63
64	inode_lock(inode: dentry->d_inode);
65	/ Note any delegations or leases have already been broken: /
66	ret = notify_change(idmap, dentry, &newattrs, NULL);
67	inode_unlock(inode: dentry->d_inode);
68	return ret;
69	}
70
71	long vfs_truncate(const struct path *path, loff_t length)
72	{
73	struct mnt_idmap *idmap;
74	struct inode *inode;
75	long error;
76
77	inode = path->dentry->d_inode;
78
79	/ For directories it's -EISDIR, for other non-regulars - -EINVAL /
80	if (S_ISDIR(inode->i_mode))
81	return -EISDIR;
82	if (!S_ISREG(inode->i_mode))
83	return -EINVAL;
84
85	error = mnt_want_write(mnt: path->mnt);
86	if (error)
87	goto out;
88
89	idmap = mnt_idmap(mnt: path->mnt);
90	error = inode_permission(idmap, inode, MAY_WRITE);
91	if (error)
92	goto mnt_drop_write_and_out;
93
94	error = -EPERM;
95	if (IS_APPEND(inode))
96	goto mnt_drop_write_and_out;
97
98	error = get_write_access(inode);
99	if (error)
100	goto mnt_drop_write_and_out;
101
102	/*
103	* Make sure that there are no leases. get_write_access() protects
104	* against the truncate racing with a lease-granting setlease().
105	*/
106	error = break_lease(inode, O_WRONLY);
107	if (error)
108	goto put_write_and_out;
109
110	error = security_path_truncate(path);
111	if (!error)
112	error = do_truncate(idmap, dentry: path->dentry, length, time_attrs: `0`, NULL);
113
114	put_write_and_out:
115	put_write_access(inode);
116	mnt_drop_write_and_out:
117	mnt_drop_write(mnt: path->mnt);
118	out:
119	return error;
120	}
121	EXPORT_SYMBOL_GPL(vfs_truncate);
122
123	long do_sys_truncate(const char __user *pathname, loff_t length)
124	{
125	unsigned int lookup_flags = LOOKUP_FOLLOW;
126	struct path path;
127	int error;
128
129	if (length < `0`) / sorry, but loff_t says... /
130	return -EINVAL;
131
132	retry:
133	error = user_path_at(AT_FDCWD, name: pathname, flags: lookup_flags, path: &path);
134	if (!error) {
135	error = vfs_truncate(&path, length);
136	path_put(&path);
137	}
138	if (retry_estale(error, flags: lookup_flags)) {
139	lookup_flags \|= LOOKUP_REVAL;
140	goto retry;
141	}
142	return error;
143	}
144
145	SYSCALL_DEFINE2(truncate, const char __user , path, long*, length)
146	{
147	return do_sys_truncate(pathname: path, length);
148	}
149
150	#ifdef CONFIG_COMPAT
151	COMPAT_SYSCALL_DEFINE2(truncate, const char __user *, path, compat_off_t, length)
152	{
153	return do_sys_truncate(pathname: path, length);
154	}
155	#endif
156
157	long do_sys_ftruncate(unsigned int fd, loff_t length, int small)
158	{
159	struct inode *inode;
160	struct dentry *dentry;
161	struct fd f;
162	int error;
163
164	error = -EINVAL;
165	if (length < `0`)
166	goto out;
167	error = -EBADF;
168	f = fdget(fd);
169	if (!f.file)
170	goto out;
171
172	/ explicitly opened as large or we are on 64-bit box /
173	if (f.file->f_flags & O_LARGEFILE)
174	small = `0`;
175
176	dentry = f.file->f_path.dentry;
177	inode = dentry->d_inode;
178	error = -EINVAL;
179	if (!S_ISREG(inode->i_mode) \|\| !(f.file->f_mode & FMODE_WRITE))
180	goto out_putf;
181
182	error = -EINVAL;
183	/ Cannot ftruncate over 2^31 bytes without large file support /
184	if (small && length > MAX_NON_LFS)
185	goto out_putf;
186
187	error = -EPERM;
188	/ Check IS_APPEND on real upper inode /
189	if (IS_APPEND(file_inode(f.file)))
190	goto out_putf;
191	sb_start_write(sb: inode->i_sb);
192	error = security_file_truncate(file: f.file);
193	if (!error)
194	error = do_truncate(idmap: file_mnt_idmap(file: f.file), dentry, length,
195	ATTR_MTIME \| ATTR_CTIME, filp: f.file);
196	sb_end_write(sb: inode->i_sb);
197	out_putf:
198	fdput(fd: f);
199	out:
200	return error;
201	}
202
203	SYSCALL_DEFINE2(ftruncate, unsigned int, fd, unsigned long, length)
204	{
205	return do_sys_ftruncate(fd, length, small: `1`);
206	}
207
208	#ifdef CONFIG_COMPAT
209	COMPAT_SYSCALL_DEFINE2(ftruncate, unsigned int, fd, compat_ulong_t, length)
210	{
211	return do_sys_ftruncate(fd, length, small: `1`);
212	}
213	#endif
214
215	/ LFS versions of truncate are only needed on 32 bit machines /
216	#if BITS_PER_LONG == 32
217	SYSCALL_DEFINE2(truncate64, const char __user *, path, loff_t, length)
218	{
219	return do_sys_truncate(path, length);
220	}
221
222	SYSCALL_DEFINE2(ftruncate64, unsigned int, fd, loff_t, length)
223	{
224	return do_sys_ftruncate(fd, length, `0`);
225	}
226	#endif /* BITS_PER_LONG == 32 */
227
228	#if defined(CONFIG_COMPAT) && defined(__ARCH_WANT_COMPAT_TRUNCATE64)
229	COMPAT_SYSCALL_DEFINE3(truncate64, const char __user *, pathname,
230	compat_arg_u64_dual(length))
231	{
232	return ksys_truncate(pathname, compat_arg_u64_glue(length));
233	}
234	#endif
235
236	#if defined(CONFIG_COMPAT) && defined(__ARCH_WANT_COMPAT_FTRUNCATE64)
237	COMPAT_SYSCALL_DEFINE3(ftruncate64, unsigned int, fd,
238	compat_arg_u64_dual(length))
239	{
240	return ksys_ftruncate(fd, compat_arg_u64_glue(length));
241	}
242	#endif
243
244	int vfs_fallocate(struct file file, int* mode, loff_t offset, loff_t len)
245	{
246	struct inode *inode = file_inode(f: file);
247	long ret;
248
249	if (offset < `0` \|\| len <= `0`)
250	return -EINVAL;
251
252	/ Return error if mode is not supported /
253	if (mode & ~FALLOC_FL_SUPPORTED_MASK)
254	return -EOPNOTSUPP;
255
256	/ Punch hole and zero range are mutually exclusive /
257	if ((mode & (FALLOC_FL_PUNCH_HOLE \| FALLOC_FL_ZERO_RANGE)) ==
258	(FALLOC_FL_PUNCH_HOLE \| FALLOC_FL_ZERO_RANGE))
259	return -EOPNOTSUPP;
260
261	/ Punch hole must have keep size set /
262	if ((mode & FALLOC_FL_PUNCH_HOLE) &&
263	!(mode & FALLOC_FL_KEEP_SIZE))
264	return -EOPNOTSUPP;
265
266	/ Collapse range should only be used exclusively. /
267	if ((mode & FALLOC_FL_COLLAPSE_RANGE) &&
268	(mode & ~FALLOC_FL_COLLAPSE_RANGE))
269	return -EINVAL;
270
271	/ Insert range should only be used exclusively. /
272	if ((mode & FALLOC_FL_INSERT_RANGE) &&
273	(mode & ~FALLOC_FL_INSERT_RANGE))
274	return -EINVAL;
275
276	/ Unshare range should only be used with allocate mode. /
277	if ((mode & FALLOC_FL_UNSHARE_RANGE) &&
278	(mode & ~(FALLOC_FL_UNSHARE_RANGE \| FALLOC_FL_KEEP_SIZE)))
279	return -EINVAL;
280
281	if (!(file->f_mode & FMODE_WRITE))
282	return -EBADF;
283
284	/*
285	* We can only allow pure fallocate on append only files
286	*/
287	if ((mode & ~FALLOC_FL_KEEP_SIZE) && IS_APPEND(inode))
288	return -EPERM;
289
290	if (IS_IMMUTABLE(inode))
291	return -EPERM;
292
293	/*
294	* We cannot allow any fallocate operation on an active swapfile
295	*/
296	if (IS_SWAPFILE(inode))
297	return -ETXTBSY;
298
299	/*
300	* Revalidate the write permissions, in case security policy has
301	* changed since the files were opened.
302	*/
303	ret = security_file_permission(file, MAY_WRITE);
304	if (ret)
305	return ret;
306
307	if (S_ISFIFO(inode->i_mode))
308	return -ESPIPE;
309
310	if (S_ISDIR(inode->i_mode))
311	return -EISDIR;
312
313	if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode))
314	return -ENODEV;
315
316	/ Check for wrap through zero too /
317	if (((offset + len) > inode->i_sb->s_maxbytes) \|\| ((offset + len) < `0`))
318	return -EFBIG;
319
320	if (!file->f_op->fallocate)
321	return -EOPNOTSUPP;
322
323	file_start_write(file);
324	ret = file->f_op->fallocate(file, mode, offset, len);
325
326	/*
327	* Create inotify and fanotify events.
328	*
329	* To keep the logic simple always create events if fallocate succeeds.
330	* This implies that events are even created if the file size remains
331	* unchanged, e.g. when using flag FALLOC_FL_KEEP_SIZE.
332	*/
333	if (ret == `0`)
334	fsnotify_modify(file);
335
336	file_end_write(file);
337	return ret;
338	}
339	EXPORT_SYMBOL_GPL(vfs_fallocate);
340
341	int ksys_fallocate(int fd, int mode, loff_t offset, loff_t len)
342	{
343	struct fd f = fdget(fd);
344	int error = -EBADF;
345
346	if (f.file) {
347	error = vfs_fallocate(f.file, mode, offset, len);
348	fdput(fd: f);
349	}
350	return error;
351	}
352
353	SYSCALL_DEFINE4(fallocate, int, fd, int, mode, loff_t, offset, loff_t, len)
354	{
355	return ksys_fallocate(fd, mode, offset, len);
356	}
357
358	#if defined(CONFIG_COMPAT) && defined(__ARCH_WANT_COMPAT_FALLOCATE)
359	COMPAT_SYSCALL_DEFINE6(fallocate, int, fd, int, mode, compat_arg_u64_dual(offset),
360	compat_arg_u64_dual(len))
361	{
362	return ksys_fallocate(fd, mode, compat_arg_u64_glue(offset),
363	compat_arg_u64_glue(len));
364	}
365	#endif
366
367	/*
368	* access() needs to use the real uid/gid, not the effective uid/gid.
369	* We do this by temporarily clearing all FS-related capabilities and
370	* switching the fsuid/fsgid around to the real ones.
371	*
372	* Creating new credentials is expensive, so we try to skip doing it,
373	* which we can if the result would match what we already got.
374	*/
375	static bool access_need_override_creds(int flags)
376	{
377	const struct cred *cred;
378
379	if (flags & AT_EACCESS)
380	return false;
381
382	cred = current_cred();
383	if (!uid_eq(left: cred->fsuid, right: cred->uid) \|\|
384	!gid_eq(left: cred->fsgid, right: cred->gid))
385	return true;
386
387	if (!issecure(SECURE_NO_SETUID_FIXUP)) {
388	kuid_t root_uid = make_kuid(from: cred->user_ns, uid: `0`);
389	if (!uid_eq(left: cred->uid, right: root_uid)) {
390	if (!cap_isclear(a: cred->cap_effective))
391	return true;
392	} else {
393	if (!cap_isidentical(a: cred->cap_effective,
394	b: cred->cap_permitted))
395	return true;
396	}
397	}
398
399	return false;
400	}
401
402	static const struct cred access_override_creds(void*)
403	{
404	const struct cred *old_cred;
405	struct cred *override_cred;
406
407	override_cred = prepare_creds();
408	if (!override_cred)
409	return NULL;
410
411	/*
412	* XXX access_need_override_creds performs checks in hopes of skipping
413	* this work. Make sure it stays in sync if making any changes in this
414	* routine.
415	*/
416
417	override_cred->fsuid = override_cred->uid;
418	override_cred->fsgid = override_cred->gid;
419
420	if (!issecure(SECURE_NO_SETUID_FIXUP)) {
421	/ Clear the capabilities if we switch to a non-root user /
422	kuid_t root_uid = make_kuid(from: override_cred->user_ns, uid: `0`);
423	if (!uid_eq(left: override_cred->uid, right: root_uid))
424	cap_clear(override_cred->cap_effective);
425	else
426	override_cred->cap_effective =
427	override_cred->cap_permitted;
428	}
429
430	/*
431	* The new set of credentials can only be used in
432	* task-synchronous circumstances, and does not need
433	* RCU freeing, unless somebody then takes a separate
434	* reference to it.
435	*
436	* NOTE! This is _only_ true because this credential
437	* is used purely for override_creds() that installs
438	* it as the subjective cred. Other threads will be
439	* accessing ->real_cred, not the subjective cred.
440	*
441	* If somebody _does_ make a copy of this (using the
442	* 'get_current_cred()' function), that will clear the
443	* non_rcu field, because now that other user may be
444	* expecting RCU freeing. But normal thread-synchronous
445	* cred accesses will keep things non-RCY.
446	*/
447	override_cred->non_rcu = `1`;
448
449	old_cred = override_creds(override_cred);
450
451	/ override_cred() gets its own ref /
452	put_cred(cred: override_cred);
453
454	return old_cred;
455	}
456
457	static long do_faccessat(int dfd, const char __user filename, int* mode, int flags)
458	{
459	struct path path;
460	struct inode *inode;
461	int res;
462	unsigned int lookup_flags = LOOKUP_FOLLOW;
463	const struct cred *old_cred = NULL;
464
465	if (mode & ~S_IRWXO) / where's F_OK, X_OK, W_OK, R_OK? /
466	return -EINVAL;
467
468	if (flags & ~(AT_EACCESS \| AT_SYMLINK_NOFOLLOW \| AT_EMPTY_PATH))
469	return -EINVAL;
470
471	if (flags & AT_SYMLINK_NOFOLLOW)
472	lookup_flags &= ~LOOKUP_FOLLOW;
473	if (flags & AT_EMPTY_PATH)
474	lookup_flags \|= LOOKUP_EMPTY;
475
476	if (access_need_override_creds(flags)) {
477	old_cred = access_override_creds();
478	if (!old_cred)
479	return -ENOMEM;
480	}
481
482	retry:
483	res = user_path_at(dfd, name: filename, flags: lookup_flags, path: &path);
484	if (res)
485	goto out;
486
487	inode = d_backing_inode(upper: path.dentry);
488
489	if ((mode & MAY_EXEC) && S_ISREG(inode->i_mode)) {
490	/*
491	* MAY_EXEC on regular files is denied if the fs is mounted
492	* with the "noexec" flag.
493	*/
494	res = -EACCES;
495	if (path_noexec(path: &path))
496	goto out_path_release;
497	}
498
499	res = inode_permission(mnt_idmap(mnt: path.mnt), inode, mode \| MAY_ACCESS);
500	/ SuS v2 requires we report a read only fs too /
501	if (res \|\| !(mode & S_IWOTH) \|\| special_file(inode->i_mode))
502	goto out_path_release;
503	/*
504	* This is a rare case where using __mnt_is_readonly()
505	* is OK without a mnt_want/drop_write() pair. Since
506	* no actual write to the fs is performed here, we do
507	* not need to telegraph to that to anyone.
508	*
509	* By doing this, we accept that this access is
510	* inherently racy and know that the fs may change
511	* state before we even see this result.
512	*/
513	if (__mnt_is_readonly(mnt: path.mnt))
514	res = -EROFS;
515
516	out_path_release:
517	path_put(&path);
518	if (retry_estale(error: res, flags: lookup_flags)) {
519	lookup_flags \|= LOOKUP_REVAL;
520	goto retry;
521	}
522	out:
523	if (old_cred)
524	revert_creds(old_cred);
525
526	return res;
527	}
528
529	SYSCALL_DEFINE3(faccessat, int, dfd, const char __user , filename, int*, mode)
530	{
531	return do_faccessat(dfd, filename, mode, flags: `0`);
532	}
533
534	SYSCALL_DEFINE4(faccessat2, int, dfd, const char __user , filename, int*, mode,
535	int, flags)
536	{
537	return do_faccessat(dfd, filename, mode, flags);
538	}
539
540	SYSCALL_DEFINE2(access, const char __user , filename, int*, mode)
541	{
542	return do_faccessat(AT_FDCWD, filename, mode, flags: `0`);
543	}
544
545	SYSCALL_DEFINE1(chdir, const char __user *, filename)
546	{
547	struct path path;
548	int error;
549	unsigned int lookup_flags = LOOKUP_FOLLOW \| LOOKUP_DIRECTORY;
550	retry:
551	error = user_path_at(AT_FDCWD, name: filename, flags: lookup_flags, path: &path);
552	if (error)
553	goto out;
554
555	error = path_permission(path: &path, MAY_EXEC \| MAY_CHDIR);
556	if (error)
557	goto dput_and_out;
558
559	set_fs_pwd(current->fs, &path);
560
561	dput_and_out:
562	path_put(&path);
563	if (retry_estale(error, flags: lookup_flags)) {
564	lookup_flags \|= LOOKUP_REVAL;
565	goto retry;
566	}
567	out:
568	return error;
569	}
570
571	SYSCALL_DEFINE1(fchdir, unsigned int, fd)
572	{
573	struct fd f = fdget_raw(fd);
574	int error;
575
576	error = -EBADF;
577	if (!f.file)
578	goto out;
579
580	error = -ENOTDIR;
581	if (!d_can_lookup(dentry: f.file->f_path.dentry))
582	goto out_putf;
583
584	error = file_permission(file: f.file, MAY_EXEC \| MAY_CHDIR);
585	if (!error)
586	set_fs_pwd(current->fs, &f.file->f_path);
587	out_putf:
588	fdput(fd: f);
589	out:
590	return error;
591	}
592
593	SYSCALL_DEFINE1(chroot, const char __user *, filename)
594	{
595	struct path path;
596	int error;
597	unsigned int lookup_flags = LOOKUP_FOLLOW \| LOOKUP_DIRECTORY;
598	retry:
599	error = user_path_at(AT_FDCWD, name: filename, flags: lookup_flags, path: &path);
600	if (error)
601	goto out;
602
603	error = path_permission(path: &path, MAY_EXEC \| MAY_CHDIR);
604	if (error)
605	goto dput_and_out;
606
607	error = -EPERM;
608	if (!ns_capable(current_user_ns(), CAP_SYS_CHROOT))
609	goto dput_and_out;
610	error = security_path_chroot(path: &path);
611	if (error)
612	goto dput_and_out;
613
614	set_fs_root(current->fs, &path);
615	error = `0`;
616	dput_and_out:
617	path_put(&path);
618	if (retry_estale(error, flags: lookup_flags)) {
619	lookup_flags \|= LOOKUP_REVAL;
620	goto retry;
621	}
622	out:
623	return error;
624	}
625
626	int chmod_common(const struct path *path, umode_t mode)
627	{
628	struct inode *inode = path->dentry->d_inode;
629	struct inode *delegated_inode = NULL;
630	struct iattr newattrs;
631	int error;
632
633	error = mnt_want_write(mnt: path->mnt);
634	if (error)
635	return error;
636	retry_deleg:
637	inode_lock(inode);
638	error = security_path_chmod(path, mode);
639	if (error)
640	goto out_unlock;
641	newattrs.ia_mode = (mode & S_IALLUGO) \| (inode->i_mode & ~S_IALLUGO);
642	newattrs.ia_valid = ATTR_MODE \| ATTR_CTIME;
643	error = notify_change(mnt_idmap(mnt: path->mnt), path->dentry,
644	&newattrs, &delegated_inode);
645	out_unlock:
646	inode_unlock(inode);
647	if (delegated_inode) {
648	error = break_deleg_wait(delegated_inode: &delegated_inode);
649	if (!error)
650	goto retry_deleg;
651	}
652	mnt_drop_write(mnt: path->mnt);
653	return error;
654	}
655
656	int vfs_fchmod(struct file *file, umode_t mode)
657	{
658	audit_file(file);
659	return chmod_common(path: &file->f_path, mode);
660	}
661
662	SYSCALL_DEFINE2(fchmod, unsigned int, fd, umode_t, mode)
663	{
664	struct fd f = fdget(fd);
665	int err = -EBADF;
666
667	if (f.file) {
668	err = vfs_fchmod(file: f.file, mode);
669	fdput(fd: f);
670	}
671	return err;
672	}
673
674	static int do_fchmodat(int dfd, const char __user *filename, umode_t mode,
675	unsigned int flags)
676	{
677	struct path path;
678	int error;
679	unsigned int lookup_flags;
680
681	if (unlikely(flags & ~(AT_SYMLINK_NOFOLLOW \| AT_EMPTY_PATH)))
682	return -EINVAL;
683
684	lookup_flags = (flags & AT_SYMLINK_NOFOLLOW) ? `0` : LOOKUP_FOLLOW;
685	if (flags & AT_EMPTY_PATH)
686	lookup_flags \|= LOOKUP_EMPTY;
687
688	retry:
689	error = user_path_at(dfd, name: filename, flags: lookup_flags, path: &path);
690	if (!error) {
691	error = chmod_common(path: &path, mode);
692	path_put(&path);
693	if (retry_estale(error, flags: lookup_flags)) {
694	lookup_flags \|= LOOKUP_REVAL;
695	goto retry;
696	}
697	}
698	return error;
699	}
700
701	SYSCALL_DEFINE4(fchmodat2, int, dfd, const char __user *, filename,
702	umode_t, mode, unsigned int, flags)
703	{
704	return do_fchmodat(dfd, filename, mode, flags);
705	}
706
707	SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename,
708	umode_t, mode)
709	{
710	return do_fchmodat(dfd, filename, mode, flags: `0`);
711	}
712
713	SYSCALL_DEFINE2(chmod, const char __user *, filename, umode_t, mode)
714	{
715	return do_fchmodat(AT_FDCWD, filename, mode, flags: `0`);
716	}
717
718	/*
719	* Check whether @kuid is valid and if so generate and set vfsuid_t in
720	* ia_vfsuid.
721	*
722	* Return: true if @kuid is valid, false if not.
723	*/
724	static inline bool setattr_vfsuid(struct iattr *attr, kuid_t kuid)
725	{
726	if (!uid_valid(uid: kuid))
727	return false;
728	attr->ia_valid \|= ATTR_UID;
729	attr->ia_vfsuid = VFSUIDT_INIT(kuid);
730	return true;
731	}
732
733	/*
734	* Check whether @kgid is valid and if so generate and set vfsgid_t in
735	* ia_vfsgid.
736	*
737	* Return: true if @kgid is valid, false if not.
738	*/
739	static inline bool setattr_vfsgid(struct iattr *attr, kgid_t kgid)
740	{
741	if (!gid_valid(gid: kgid))
742	return false;
743	attr->ia_valid \|= ATTR_GID;
744	attr->ia_vfsgid = VFSGIDT_INIT(kgid);
745	return true;
746	}
747
748	int chown_common(const struct path *path, uid_t user, gid_t group)
749	{
750	struct mnt_idmap *idmap;
751	struct user_namespace *fs_userns;
752	struct inode *inode = path->dentry->d_inode;
753	struct inode *delegated_inode = NULL;
754	int error;
755	struct iattr newattrs;
756	kuid_t uid;
757	kgid_t gid;
758
759	uid = make_kuid(current_user_ns(), uid: user);
760	gid = make_kgid(current_user_ns(), gid: group);
761
762	idmap = mnt_idmap(mnt: path->mnt);
763	fs_userns = i_user_ns(inode);
764
765	retry_deleg:
766	newattrs.ia_vfsuid = INVALID_VFSUID;
767	newattrs.ia_vfsgid = INVALID_VFSGID;
768	newattrs.ia_valid = ATTR_CTIME;
769	if ((user != (uid_t)-`1`) && !setattr_vfsuid(attr: &newattrs, kuid: uid))
770	return -EINVAL;
771	if ((group != (gid_t)-`1`) && !setattr_vfsgid(attr: &newattrs, kgid: gid))
772	return -EINVAL;
773	inode_lock(inode);
774	if (!S_ISDIR(inode->i_mode))
775	newattrs.ia_valid \|= ATTR_KILL_SUID \| ATTR_KILL_PRIV \|
776	setattr_should_drop_sgid(idmap, inode);
777	/ Continue to send actual fs values, not the mount values. /
778	error = security_path_chown(
779	path,
780	uid: from_vfsuid(idmap, fs_userns, vfsuid: newattrs.ia_vfsuid),
781	gid: from_vfsgid(idmap, fs_userns, vfsgid: newattrs.ia_vfsgid));
782	if (!error)
783	error = notify_change(idmap, path->dentry, &newattrs,
784	&delegated_inode);
785	inode_unlock(inode);
786	if (delegated_inode) {
787	error = break_deleg_wait(delegated_inode: &delegated_inode);
788	if (!error)
789	goto retry_deleg;
790	}
791	return error;
792	}
793
794	int do_fchownat(int dfd, const char __user *filename, uid_t user, gid_t group,
795	int flag)
796	{
797	struct path path;
798	int error = -EINVAL;
799	int lookup_flags;
800
801	if ((flag & ~(AT_SYMLINK_NOFOLLOW \| AT_EMPTY_PATH)) != `0`)
802	goto out;
803
804	lookup_flags = (flag & AT_SYMLINK_NOFOLLOW) ? `0` : LOOKUP_FOLLOW;
805	if (flag & AT_EMPTY_PATH)
806	lookup_flags \|= LOOKUP_EMPTY;
807	retry:
808	error = user_path_at(dfd, name: filename, flags: lookup_flags, path: &path);
809	if (error)
810	goto out;
811	error = mnt_want_write(mnt: path.mnt);
812	if (error)
813	goto out_release;
814	error = chown_common(path: &path, user, group);
815	mnt_drop_write(mnt: path.mnt);
816	out_release:
817	path_put(&path);
818	if (retry_estale(error, flags: lookup_flags)) {
819	lookup_flags \|= LOOKUP_REVAL;
820	goto retry;
821	}
822	out:
823	return error;
824	}
825
826	SYSCALL_DEFINE5(fchownat, int, dfd, const char __user *, filename, uid_t, user,
827	gid_t, group, int, flag)
828	{
829	return do_fchownat(dfd, filename, user, group, flag);
830	}
831
832	SYSCALL_DEFINE3(chown, const char __user *, filename, uid_t, user, gid_t, group)
833	{
834	return do_fchownat(AT_FDCWD, filename, user, group, flag: `0`);
835	}
836
837	SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group)
838	{
839	return do_fchownat(AT_FDCWD, filename, user, group,
840	AT_SYMLINK_NOFOLLOW);
841	}
842
843	int vfs_fchown(struct file *file, uid_t user, gid_t group)
844	{
845	int error;
846
847	error = mnt_want_write_file(file);
848	if (error)
849	return error;
850	audit_file(file);
851	error = chown_common(path: &file->f_path, user, group);
852	mnt_drop_write_file(file);
853	return error;
854	}
855
856	int ksys_fchown(unsigned int fd, uid_t user, gid_t group)
857	{
858	struct fd f = fdget(fd);
859	int error = -EBADF;
860
861	if (f.file) {
862	error = vfs_fchown(file: f.file, user, group);
863	fdput(fd: f);
864	}
865	return error;
866	}
867
868	SYSCALL_DEFINE3(fchown, unsigned int, fd, uid_t, user, gid_t, group)
869	{
870	return ksys_fchown(fd, user, group);
871	}
872
873	static inline int file_get_write_access(struct file *f)
874	{
875	int error;
876
877	error = get_write_access(inode: f->f_inode);
878	if (unlikely(error))
879	return error;
880	error = mnt_get_write_access(mnt: f->f_path.mnt);
881	if (unlikely(error))
882	goto cleanup_inode;
883	if (unlikely(f->f_mode & FMODE_BACKING)) {
884	error = mnt_get_write_access(mnt: backing_file_user_path(f)->mnt);
885	if (unlikely(error))
886	goto cleanup_mnt;
887	}
888	return `0`;
889
890	cleanup_mnt:
891	mnt_put_write_access(mnt: f->f_path.mnt);
892	cleanup_inode:
893	put_write_access(inode: f->f_inode);
894	return error;
895	}
896
897	static int do_dentry_open(struct file *f,
898	struct inode *inode,
899	int (open)(struct* inode , struct* file *))
900	{
901	static const struct file_operations empty_fops = {};
902	int error;
903
904	path_get(&f->f_path);
905	f->f_inode = inode;
906	f->f_mapping = inode->i_mapping;
907	f->f_wb_err = filemap_sample_wb_err(mapping: f->f_mapping);
908	f->f_sb_err = file_sample_sb_err(file: f);
909
910	if (unlikely(f->f_flags & O_PATH)) {
911	f->f_mode = FMODE_PATH \| FMODE_OPENED;
912	f->f_op = &empty_fops;
913	return `0`;
914	}
915
916	if ((f->f_mode & (FMODE_READ \| FMODE_WRITE)) == FMODE_READ) {
917	i_readcount_inc(inode);
918	} else if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) {
919	error = file_get_write_access(f);
920	if (unlikely(error))
921	goto cleanup_file;
922	f->f_mode \|= FMODE_WRITER;
923	}
924
925	/ POSIX.1-2008/SUSv4 Section XSI 2.9.7 /
926	if (S_ISREG(inode->i_mode) \|\| S_ISDIR(inode->i_mode))
927	f->f_mode \|= FMODE_ATOMIC_POS;
928
929	f->f_op = fops_get(inode->i_fop);
930	if (WARN_ON(!f->f_op)) {
931	error = -ENODEV;
932	goto cleanup_all;
933	}
934
935	error = security_file_open(file: f);
936	if (error)
937	goto cleanup_all;
938
939	error = break_lease(inode: file_inode(f), mode: f->f_flags);
940	if (error)
941	goto cleanup_all;
942
943	/ normally all 3 are set; ->open() can clear them if needed /
944	f->f_mode \|= FMODE_LSEEK \| FMODE_PREAD \| FMODE_PWRITE;
945	if (!open)
946	open = f->f_op->open;
947	if (open) {
948	error = open(inode, f);
949	if (error)
950	goto cleanup_all;
951	}
952	f->f_mode \|= FMODE_OPENED;
953	if ((f->f_mode & FMODE_READ) &&
954	likely(f->f_op->read \|\| f->f_op->read_iter))
955	f->f_mode \|= FMODE_CAN_READ;
956	if ((f->f_mode & FMODE_WRITE) &&
957	likely(f->f_op->write \|\| f->f_op->write_iter))
958	f->f_mode \|= FMODE_CAN_WRITE;
959	if ((f->f_mode & FMODE_LSEEK) && !f->f_op->llseek)
960	f->f_mode &= ~FMODE_LSEEK;
961	if (f->f_mapping->a_ops && f->f_mapping->a_ops->direct_IO)
962	f->f_mode \|= FMODE_CAN_ODIRECT;
963
964	f->f_flags &= ~(O_CREAT \| O_EXCL \| O_NOCTTY \| O_TRUNC);
965	f->f_iocb_flags = iocb_flags(file: f);
966
967	file_ra_state_init(ra: &f->f_ra, mapping: f->f_mapping->host->i_mapping);
968
969	if ((f->f_flags & O_DIRECT) && !(f->f_mode & FMODE_CAN_ODIRECT))
970	return -EINVAL;
971
972	/*
973	* XXX: Huge page cache doesn't support writing yet. Drop all page
974	* cache for this file before processing writes.
975	*/
976	if (f->f_mode & FMODE_WRITE) {
977	/*
978	* Paired with smp_mb() in collapse_file() to ensure nr_thps
979	* is up to date and the update to i_writecount by
980	* get_write_access() is visible. Ensures subsequent insertion
981	* of THPs into the page cache will fail.
982	*/
983	smp_mb();
984	if (filemap_nr_thps(mapping: inode->i_mapping)) {
985	struct address_space *mapping = inode->i_mapping;
986
987	filemap_invalidate_lock(mapping: inode->i_mapping);
988	/*
989	* unmap_mapping_range just need to be called once
990	* here, because the private pages is not need to be
991	* unmapped mapping (e.g. data segment of dynamic
992	* shared libraries here).
993	*/
994	unmap_mapping_range(mapping, holebegin: `0`, holelen: `0`, even_cows: `0`);
995	truncate_inode_pages(mapping, `0`);
996	filemap_invalidate_unlock(mapping: inode->i_mapping);
997	}
998	}
999
1000	/*
1001	* Once we return a file with FMODE_OPENED, __fput() will call
1002	* fsnotify_close(), so we need fsnotify_open() here for symmetry.
1003	*/
1004	fsnotify_open(file: f);
1005	return `0`;
1006
1007	cleanup_all:
1008	if (WARN_ON_ONCE(error > `0`))
1009	error = -EINVAL;
1010	fops_put(f->f_op);
1011	put_file_access(file: f);
1012	cleanup_file:
1013	path_put(&f->f_path);
1014	f->f_path.mnt = NULL;
1015	f->f_path.dentry = NULL;
1016	f->f_inode = NULL;
1017	return error;
1018	}
1019
1020	/**
1021	* finish_open - finish opening a file
1022	* @file: file pointer
1023	* @dentry: pointer to dentry
1024	* @open: open callback
1025	*
1026	* This can be used to finish opening a file passed to i_op->atomic_open().
1027	*
1028	* If the open callback is set to NULL, then the standard f_op->open()
1029	* filesystem callback is substituted.
1030	*
1031	* NB: the dentry reference is _not_ consumed. If, for example, the dentry is
1032	* the return value of d_splice_alias(), then the caller needs to perform dput()
1033	* on it after finish_open().
1034	*
1035	* Returns zero on success or -errno if the open failed.
1036	*/
1037	int finish_open(struct file file, struct* dentry *dentry,
1038	int (open)(struct* inode , struct* file *))
1039	{
1040	BUG_ON(file->f_mode & FMODE_OPENED); / once it's opened, it's opened /
1041
1042	file->f_path.dentry = dentry;
1043	return do_dentry_open(f: file, inode: d_backing_inode(upper: dentry), open);
1044	}
1045	EXPORT_SYMBOL(finish_open);
1046
1047	/**
1048	* finish_no_open - finish ->atomic_open() without opening the file
1049	*
1050	* @file: file pointer
1051	* @dentry: dentry or NULL (as returned from ->lookup())
1052	*
1053	* This can be used to set the result of a successful lookup in ->atomic_open().
1054	*
1055	* NB: unlike finish_open() this function does consume the dentry reference and
1056	* the caller need not dput() it.
1057	*
1058	* Returns "0" which must be the return value of ->atomic_open() after having
1059	* called this function.
1060	*/
1061	int finish_no_open(struct file file, struct* dentry *dentry)
1062	{
1063	file->f_path.dentry = dentry;
1064	return `0`;
1065	}
1066	EXPORT_SYMBOL(finish_no_open);
1067
1068	char file_path(struct* file filp, char* buf, int* buflen)
1069	{
1070	return d_path(&filp->f_path, buf, buflen);
1071	}
1072	EXPORT_SYMBOL(file_path);
1073
1074	/**
1075	* vfs_open - open the file at the given path
1076	* @path: path to open
1077	* @file: newly allocated file with f_flag initialized
1078	*/
1079	int vfs_open(const struct path path, struct* file *file)
1080	{
1081	file->f_path = *path;
1082	return do_dentry_open(f: file, inode: d_backing_inode(upper: path->dentry), NULL);
1083	}
1084
1085	struct file dentry_open(const* struct path path, int* flags,
1086	const struct cred *cred)
1087	{
1088	int error;
1089	struct file *f;
1090
1091	validate_creds(cred);
1092
1093	/ We must always pass in a valid mount pointer. /
1094	BUG_ON(!path->mnt);
1095
1096	f = alloc_empty_file(flags, cred);
1097	if (!IS_ERR(ptr: f)) {
1098	error = vfs_open(path, file: f);
1099	if (error) {
1100	fput(f);
1101	f = ERR_PTR(error);
1102	}
1103	}
1104	return f;
1105	}
1106	EXPORT_SYMBOL(dentry_open);
1107
1108	/**
1109	* dentry_create - Create and open a file
1110	* @path: path to create
1111	* @flags: O_ flags
1112	* @mode: mode bits for new file
1113	* @cred: credentials to use
1114	*
1115	* Caller must hold the parent directory's lock, and have prepared
1116	* a negative dentry, placed in @path->dentry, for the new file.
1117	*
1118	* Caller sets @path->mnt to the vfsmount of the filesystem where
1119	* the new file is to be created. The parent directory and the
1120	* negative dentry must reside on the same filesystem instance.
1121	*
1122	* On success, returns a "struct file *". Otherwise a ERR_PTR
1123	* is returned.
1124	*/
1125	struct file dentry_create(const* struct path path, int* flags, umode_t mode,
1126	const struct cred *cred)
1127	{
1128	struct file *f;
1129	int error;
1130
1131	validate_creds(cred);
1132	f = alloc_empty_file(flags, cred);
1133	if (IS_ERR(ptr: f))
1134	return f;
1135
1136	error = vfs_create(mnt_idmap(mnt: path->mnt),
1137	d_inode(dentry: path->dentry->d_parent),
1138	path->dentry, mode, true);
1139	if (!error)
1140	error = vfs_open(path, file: f);
1141
1142	if (unlikely(error)) {
1143	fput(f);
1144	return ERR_PTR(error);
1145	}
1146	return f;
1147	}
1148	EXPORT_SYMBOL(dentry_create);
1149
1150	/**
1151	* kernel_file_open - open a file for kernel internal use
1152	* @path: path of the file to open
1153	* @flags: open flags
1154	* @inode: the inode
1155	* @cred: credentials for open
1156	*
1157	* Open a file for use by in-kernel consumers. The file is not accounted
1158	* against nr_files and must not be installed into the file descriptor
1159	* table.
1160	*
1161	* Return: Opened file on success, an error pointer on failure.
1162	*/
1163	struct file kernel_file_open(const* struct path path, int* flags,
1164	struct inode inode, const* struct cred *cred)
1165	{
1166	struct file *f;
1167	int error;
1168
1169	f = alloc_empty_file_noaccount(flags, cred);
1170	if (IS_ERR(ptr: f))
1171	return f;
1172
1173	f->f_path = *path;
1174	error = do_dentry_open(f, inode, NULL);
1175	if (error) {
1176	fput(f);
1177	f = ERR_PTR(error);
1178	}
1179	return f;
1180	}
1181	EXPORT_SYMBOL_GPL(kernel_file_open);
1182
1183	/**
1184	* backing_file_open - open a backing file for kernel internal use
1185	* @user_path: path that the user reuqested to open
1186	* @flags: open flags
1187	* @real_path: path of the backing file
1188	* @cred: credentials for open
1189	*
1190	* Open a backing file for a stackable filesystem (e.g., overlayfs).
1191	* @user_path may be on the stackable filesystem and @real_path on the
1192	* underlying filesystem. In this case, we want to be able to return the
1193	* @user_path of the stackable filesystem. This is done by embedding the
1194	* returned file into a container structure that also stores the stacked
1195	* file's path, which can be retrieved using backing_file_user_path().
1196	*/
1197	struct file backing_file_open(const* struct path user_path, int* flags,
1198	const struct path *real_path,
1199	const struct cred *cred)
1200	{
1201	struct file *f;
1202	int error;
1203
1204	f = alloc_empty_backing_file(flags, cred);
1205	if (IS_ERR(ptr: f))
1206	return f;
1207
1208	path_get(user_path);
1209	backing_file_user_path(f) = user_path;
1210	f->f_path = *real_path;
1211	error = do_dentry_open(f, inode: d_inode(dentry: real_path->dentry), NULL);
1212	if (error) {
1213	fput(f);
1214	f = ERR_PTR(error);
1215	}
1216
1217	return f;
1218	}
1219	EXPORT_SYMBOL_GPL(backing_file_open);
1220
1221	#define WILL_CREATE(flags) (flags & (O_CREAT \| __O_TMPFILE))
1222	#define O_PATH_FLAGS (O_DIRECTORY \| O_NOFOLLOW \| O_PATH \| O_CLOEXEC)
1223
1224	inline struct open_how build_open_how(int flags, umode_t mode)
1225	{
1226	struct open_how how = {
1227	.flags = flags & VALID_OPEN_FLAGS,
1228	.mode = mode & S_IALLUGO,
1229	};
1230
1231	/ O_PATH beats everything else. /
1232	if (how.flags & O_PATH)
1233	how.flags &= O_PATH_FLAGS;
1234	/ Modes should only be set for create-like flags. /
1235	if (!WILL_CREATE(how.flags))
1236	how.mode = `0`;
1237	return how;
1238	}
1239
1240	inline int build_open_flags(const struct open_how how, struct* open_flags *op)
1241	{
1242	u64 flags = how->flags;
1243	u64 strip = __FMODE_NONOTIFY \| O_CLOEXEC;
1244	int lookup_flags = `0`;
1245	int acc_mode = ACC_MODE(flags);
1246
1247	BUILD_BUG_ON_MSG(upper_32_bits(VALID_OPEN_FLAGS),
1248	"struct open_flags doesn't yet handle flags > 32 bits");
1249
1250	/*
1251	* Strip flags that either shouldn't be set by userspace like
1252	* FMODE_NONOTIFY or that aren't relevant in determining struct
1253	* open_flags like O_CLOEXEC.
1254	*/
1255	flags &= ~strip;
1256
1257	/*
1258	* Older syscalls implicitly clear all of the invalid flags or argument
1259	* values before calling build_open_flags(), but openat2(2) checks all
1260	* of its arguments.
1261	*/
1262	if (flags & ~VALID_OPEN_FLAGS)
1263	return -EINVAL;
1264	if (how->resolve & ~VALID_RESOLVE_FLAGS)
1265	return -EINVAL;
1266
1267	/ Scoping flags are mutually exclusive. /
1268	if ((how->resolve & RESOLVE_BENEATH) && (how->resolve & RESOLVE_IN_ROOT))
1269	return -EINVAL;
1270
1271	/ Deal with the mode. /
1272	if (WILL_CREATE(flags)) {
1273	if (how->mode & ~S_IALLUGO)
1274	return -EINVAL;
1275	op->mode = how->mode \| S_IFREG;
1276	} else {
1277	if (how->mode != `0`)
1278	return -EINVAL;
1279	op->mode = `0`;
1280	}
1281
1282	/*
1283	* Block bugs where O_DIRECTORY \| O_CREAT created regular files.
1284	* Note, that blocking O_DIRECTORY \| O_CREAT here also protects
1285	* O_TMPFILE below which requires O_DIRECTORY being raised.
1286	*/
1287	if ((flags & (O_DIRECTORY \| O_CREAT)) == (O_DIRECTORY \| O_CREAT))
1288	return -EINVAL;
1289
1290	/ Now handle the creative implementation of O_TMPFILE. /
1291	if (flags & __O_TMPFILE) {
1292	/*
1293	* In order to ensure programs get explicit errors when trying
1294	* to use O_TMPFILE on old kernels we enforce that O_DIRECTORY
1295	* is raised alongside __O_TMPFILE.
1296	*/
1297	if (!(flags & O_DIRECTORY))
1298	return -EINVAL;
1299	if (!(acc_mode & MAY_WRITE))
1300	return -EINVAL;
1301	}
1302	if (flags & O_PATH) {
1303	/ O_PATH only permits certain other flags to be set. /
1304	if (flags & ~O_PATH_FLAGS)
1305	return -EINVAL;
1306	acc_mode = `0`;
1307	}
1308
1309	/*
1310	* O_SYNC is implemented as __O_SYNC\|O_DSYNC. As many places only
1311	* check for O_DSYNC if the need any syncing at all we enforce it's
1312	* always set instead of having to deal with possibly weird behaviour
1313	* for malicious applications setting only __O_SYNC.
1314	*/
1315	if (flags & __O_SYNC)
1316	flags \|= O_DSYNC;
1317
1318	op->open_flag = flags;
1319
1320	/ O_TRUNC implies we need access checks for write permissions /
1321	if (flags & O_TRUNC)
1322	acc_mode \|= MAY_WRITE;
1323
1324	/ Allow the LSM permission hook to distinguish append*
1325	access from general write access. /*
1326	if (flags & O_APPEND)
1327	acc_mode \|= MAY_APPEND;
1328
1329	op->acc_mode = acc_mode;
1330
1331	op->intent = flags & O_PATH ? `0` : LOOKUP_OPEN;
1332
1333	if (flags & O_CREAT) {
1334	op->intent \|= LOOKUP_CREATE;
1335	if (flags & O_EXCL) {
1336	op->intent \|= LOOKUP_EXCL;
1337	flags \|= O_NOFOLLOW;
1338	}
1339	}
1340
1341	if (flags & O_DIRECTORY)
1342	lookup_flags \|= LOOKUP_DIRECTORY;
1343	if (!(flags & O_NOFOLLOW))
1344	lookup_flags \|= LOOKUP_FOLLOW;
1345
1346	if (how->resolve & RESOLVE_NO_XDEV)
1347	lookup_flags \|= LOOKUP_NO_XDEV;
1348	if (how->resolve & RESOLVE_NO_MAGICLINKS)
1349	lookup_flags \|= LOOKUP_NO_MAGICLINKS;
1350	if (how->resolve & RESOLVE_NO_SYMLINKS)
1351	lookup_flags \|= LOOKUP_NO_SYMLINKS;
1352	if (how->resolve & RESOLVE_BENEATH)
1353	lookup_flags \|= LOOKUP_BENEATH;
1354	if (how->resolve & RESOLVE_IN_ROOT)
1355	lookup_flags \|= LOOKUP_IN_ROOT;
1356	if (how->resolve & RESOLVE_CACHED) {
1357	/ Don't bother even trying for create/truncate/tmpfile open /
1358	if (flags & (O_TRUNC \| O_CREAT \| __O_TMPFILE))
1359	return -EAGAIN;
1360	lookup_flags \|= LOOKUP_CACHED;
1361	}
1362
1363	op->lookup_flags = lookup_flags;
1364	return `0`;
1365	}
1366
1367	/**
1368	* file_open_name - open file and return file pointer
1369	*
1370	* @name: struct filename containing path to open
1371	* @flags: open flags as per the open(2) second argument
1372	* @mode: mode for the new file if O_CREAT is set, else ignored
1373	*
1374	* This is the helper to open a file from kernelspace if you really
1375	* have to. But in generally you should not do this, so please move
1376	* along, nothing to see here..
1377	*/
1378	struct file file_open_name(struct* filename name, int* flags, umode_t mode)
1379	{
1380	struct open_flags op;
1381	struct open_how how = build_open_how(flags, mode);
1382	int err = build_open_flags(how: &how, op: &op);
1383	if (err)
1384	return ERR_PTR(error: err);
1385	return do_filp_open(AT_FDCWD, pathname: name, op: &op);
1386	}
1387
1388	/**
1389	* filp_open - open file and return file pointer
1390	*
1391	* @filename: path to open
1392	* @flags: open flags as per the open(2) second argument
1393	* @mode: mode for the new file if O_CREAT is set, else ignored
1394	*
1395	* This is the helper to open a file from kernelspace if you really
1396	* have to. But in generally you should not do this, so please move
1397	* along, nothing to see here..
1398	*/
1399	struct file filp_open(const* char filename, int* flags, umode_t mode)
1400	{
1401	struct filename *name = getname_kernel(filename);
1402	struct file *file = ERR_CAST(ptr: name);
1403
1404	if (!IS_ERR(ptr: name)) {
1405	file = file_open_name(name, flags, mode);
1406	putname(name);
1407	}
1408	return file;
1409	}
1410	EXPORT_SYMBOL(filp_open);
1411
1412	struct file file_open_root(const* struct path *root,
1413	const char filename, int* flags, umode_t mode)
1414	{
1415	struct open_flags op;
1416	struct open_how how = build_open_how(flags, mode);
1417	int err = build_open_flags(how: &how, op: &op);
1418	if (err)
1419	return ERR_PTR(error: err);
1420	return do_file_open_root(root, filename, &op);
1421	}
1422	EXPORT_SYMBOL(file_open_root);
1423
1424	static long do_sys_openat2(int dfd, const char __user *filename,
1425	struct open_how *how)
1426	{
1427	struct open_flags op;
1428	int fd = build_open_flags(how, op: &op);
1429	struct filename *tmp;
1430
1431	if (fd)
1432	return fd;
1433
1434	tmp = getname(filename);
1435	if (IS_ERR(ptr: tmp))
1436	return PTR_ERR(ptr: tmp);
1437
1438	fd = get_unused_fd_flags(flags: how->flags);
1439	if (fd >= `0`) {
1440	struct file *f = do_filp_open(dfd, pathname: tmp, op: &op);
1441	if (IS_ERR(ptr: f)) {
1442	put_unused_fd(fd);
1443	fd = PTR_ERR(ptr: f);
1444	} else {
1445	fd_install(fd, file: f);
1446	}
1447	}
1448	putname(name: tmp);
1449	return fd;
1450	}
1451
1452	long do_sys_open(int dfd, const char __user filename, int* flags, umode_t mode)
1453	{
1454	struct open_how how = build_open_how(flags, mode);
1455	return do_sys_openat2(dfd, filename, how: &how);
1456	}
1457
1458
1459	SYSCALL_DEFINE3(open, const char __user , filename, int*, flags, umode_t, mode)
1460	{
1461	if (force_o_largefile())
1462	flags \|= O_LARGEFILE;
1463	return do_sys_open(AT_FDCWD, filename, flags, mode);
1464	}
1465
1466	SYSCALL_DEFINE4(openat, int, dfd, const char __user , filename, int*, flags,
1467	umode_t, mode)
1468	{
1469	if (force_o_largefile())
1470	flags \|= O_LARGEFILE;
1471	return do_sys_open(dfd, filename, flags, mode);
1472	}
1473
1474	SYSCALL_DEFINE4(openat2, int, dfd, const char __user *, filename,
1475	struct open_how __user *, how, size_t, usize)
1476	{
1477	int err;
1478	struct open_how tmp;
1479
1480	BUILD_BUG_ON(sizeof(struct open_how) < OPEN_HOW_SIZE_VER0);
1481	BUILD_BUG_ON(sizeof(struct open_how) != OPEN_HOW_SIZE_LATEST);
1482
1483	if (unlikely(usize < OPEN_HOW_SIZE_VER0))
1484	return -EINVAL;
1485
1486	err = copy_struct_from_user(dst: &tmp, ksize: sizeof(tmp), src: how, usize);
1487	if (err)
1488	return err;
1489
1490	audit_openat2_how(how: &tmp);
1491
1492	/ O_LARGEFILE is only allowed for non-O_PATH. /
1493	if (!(tmp.flags & O_PATH) && force_o_largefile())
1494	tmp.flags \|= O_LARGEFILE;
1495
1496	return do_sys_openat2(dfd, filename, how: &tmp);
1497	}
1498
1499	#ifdef CONFIG_COMPAT
1500	/*
1501	* Exactly like sys_open(), except that it doesn't set the
1502	* O_LARGEFILE flag.
1503	*/
1504	COMPAT_SYSCALL_DEFINE3(open, const char __user , filename, int*, flags, umode_t, mode)
1505	{
1506	return do_sys_open(AT_FDCWD, filename, flags, mode);
1507	}
1508
1509	/*
1510	* Exactly like sys_openat(), except that it doesn't set the
1511	* O_LARGEFILE flag.
1512	*/
1513	COMPAT_SYSCALL_DEFINE4(openat, int, dfd, const char __user , filename, int*, flags, umode_t, mode)
1514	{
1515	return do_sys_open(dfd, filename, flags, mode);
1516	}
1517	#endif
1518
1519	#ifndef __alpha__
1520
1521	/*
1522	* For backward compatibility? Maybe this should be moved
1523	* into arch/i386 instead?
1524	*/
1525	SYSCALL_DEFINE2(creat, const char __user *, pathname, umode_t, mode)
1526	{
1527	int flags = O_CREAT \| O_WRONLY \| O_TRUNC;
1528
1529	if (force_o_largefile())
1530	flags \|= O_LARGEFILE;
1531	return do_sys_open(AT_FDCWD, filename: pathname, flags, mode);
1532	}
1533	#endif
1534
1535	/*
1536	* "id" is the POSIX thread ID. We use the
1537	* files pointer for this..
1538	*/
1539	static int filp_flush(struct file *filp, fl_owner_t id)
1540	{
1541	int retval = `0`;
1542
1543	if (CHECK_DATA_CORRUPTION(file_count(filp) == `0`,
1544	"VFS: Close: file count is 0 (f_op=%ps)",
1545	filp->f_op)) {
1546	return `0`;
1547	}
1548
1549	if (filp->f_op->flush)
1550	retval = filp->f_op->flush(filp, id);
1551
1552	if (likely(!(filp->f_mode & FMODE_PATH))) {
1553	dnotify_flush(filp, id);
1554	locks_remove_posix(filp, id);
1555	}
1556	return retval;
1557	}
1558
1559	int filp_close(struct file *filp, fl_owner_t id)
1560	{
1561	int retval;
1562
1563	retval = filp_flush(filp, id);
1564	fput(filp);
1565
1566	return retval;
1567	}
1568	EXPORT_SYMBOL(filp_close);
1569
1570	/*
1571	* Careful here! We test whether the file pointer is NULL before
1572	* releasing the fd. This ensures that one clone task can't release
1573	* an fd while another clone is opening it.
1574	*/
1575	SYSCALL_DEFINE1(close, unsigned int, fd)
1576	{
1577	int retval;
1578	struct file *file;
1579
1580	file = close_fd_get_file(fd);
1581	if (!file)
1582	return -EBADF;
1583
1584	retval = filp_flush(filp: file, current->files);
1585
1586	/*
1587	* We're returning to user space. Don't bother
1588	* with any delayed fput() cases.
1589	*/
1590	__fput_sync(file);
1591
1592	/ can't restart close syscall because file table entry was cleared /
1593	if (unlikely(retval == -ERESTARTSYS \|\|
1594	retval == -ERESTARTNOINTR \|\|
1595	retval == -ERESTARTNOHAND \|\|
1596	retval == -ERESTART_RESTARTBLOCK))
1597	retval = -EINTR;
1598
1599	return retval;
1600	}
1601
1602	/**
1603	* sys_close_range() - Close all file descriptors in a given range.
1604	*
1605	* @fd: starting file descriptor to close
1606	* @max_fd: last file descriptor to close
1607	* @flags: reserved for future extensions
1608	*
1609	* This closes a range of file descriptors. All file descriptors
1610	* from @fd up to and including @max_fd are closed.
1611	* Currently, errors to close a given file descriptor are ignored.
1612	*/
1613	SYSCALL_DEFINE3(close_range, unsigned int, fd, unsigned int, max_fd,
1614	unsigned int, flags)
1615	{
1616	return __close_range(fd, max_fd, flags);
1617	}
1618
1619	/*
1620	* This routine simulates a hangup on the tty, to arrange that users
1621	* are given clean terminals at login time.
1622	*/
1623	SYSCALL_DEFINE0(vhangup)
1624	{
1625	if (capable(CAP_SYS_TTY_CONFIG)) {
1626	tty_vhangup_self();
1627	return `0`;
1628	}
1629	return -EPERM;
1630	}
1631
1632	/*
1633	* Called when an inode is about to be open.
1634	* We use this to disallow opening large files on 32bit systems if
1635	* the caller didn't specify O_LARGEFILE. On 64bit systems we force
1636	* on this flag in sys_open.
1637	*/
1638	int generic_file_open(struct inode * inode, struct file * filp)
1639	{
1640	if (!(filp->f_flags & O_LARGEFILE) && i_size_read(inode) > MAX_NON_LFS)
1641	return -EOVERFLOW;
1642	return `0`;
1643	}
1644
1645	EXPORT_SYMBOL(generic_file_open);
1646
1647	/*
1648	* This is used by subsystems that don't want seekable
1649	* file descriptors. The function is not supposed to ever fail, the only
1650	* reason it returns an 'int' and not 'void' is so that it can be plugged
1651	* directly into file_operations structure.
1652	*/
1653	int nonseekable_open(struct inode inode, struct* file *filp)
1654	{
1655	filp->f_mode &= ~(FMODE_LSEEK \| FMODE_PREAD \| FMODE_PWRITE);
1656	return `0`;
1657	}
1658
1659	EXPORT_SYMBOL(nonseekable_open);
1660
1661	/*
1662	* stream_open is used by subsystems that want stream-like file descriptors.
1663	* Such file descriptors are not seekable and don't have notion of position
1664	* (file.f_pos is always 0 and ppos passed to .read()/.write() is always NULL).
1665	* Contrary to file descriptors of other regular files, .read() and .write()
1666	* can run simultaneously.
1667	*
1668	* stream_open never fails and is marked to return int so that it could be
1669	* directly used as file_operations.open .
1670	*/
1671	int stream_open(struct inode inode, struct* file *filp)
1672	{
1673	filp->f_mode &= ~(FMODE_LSEEK \| FMODE_PREAD \| FMODE_PWRITE \| FMODE_ATOMIC_POS);
1674	filp->f_mode \|= FMODE_STREAM;
1675	return `0`;
1676	}
1677
1678	EXPORT_SYMBOL(stream_open);
1679

source code of linux/fs/open.c