FreeBSD/Linux Kernel Cross Reference
sys/kern/vfs_lookup.c
1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1982, 1986, 1989, 1993
5 * The Regents of the University of California. All rights reserved.
6 * (c) UNIX System Laboratories, Inc.
7 * All or some portions of this file are derived from material licensed
8 * to the University of California by American Telephone and Telegraph
9 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
10 * the permission of UNIX System Laboratories, Inc.
11 *
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
14 * are met:
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 * 3. Neither the name of the University nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 *
36 * @(#)vfs_lookup.c 8.4 (Berkeley) 2/16/94
37 */
38
39 #include <sys/cdefs.h>
40 __FBSDID("$FreeBSD$");
41
42 #include "opt_capsicum.h"
43 #include "opt_ktrace.h"
44
45 #include <sys/param.h>
46 #include <sys/systm.h>
47 #include <sys/dirent.h>
48 #include <sys/kernel.h>
49 #include <sys/capsicum.h>
50 #include <sys/fcntl.h>
51 #include <sys/jail.h>
52 #include <sys/lock.h>
53 #include <sys/mutex.h>
54 #include <sys/namei.h>
55 #include <sys/vnode.h>
56 #include <sys/mount.h>
57 #include <sys/filedesc.h>
58 #include <sys/proc.h>
59 #include <sys/sdt.h>
60 #include <sys/syscallsubr.h>
61 #include <sys/sysctl.h>
62 #ifdef KTRACE
63 #include <sys/ktrace.h>
64 #endif
65 #ifdef INVARIANTS
66 #include <machine/_inttypes.h>
67 #endif
68
69 #include <security/audit/audit.h>
70 #include <security/mac/mac_framework.h>
71
72 #include <vm/uma.h>
73
74 #define NAMEI_DIAGNOSTIC 1
75 #undef NAMEI_DIAGNOSTIC
76
77 #ifdef INVARIANTS
78 static void NDVALIDATE_impl(struct nameidata *, int);
79 #define NDVALIDATE(ndp) NDVALIDATE_impl(ndp, __LINE__)
80 #else
81 #define NDVALIDATE(ndp)
82 #endif
83
84 SDT_PROVIDER_DEFINE(vfs);
85 SDT_PROBE_DEFINE4(vfs, namei, lookup, entry, "struct vnode *", "char *",
86 "unsigned long", "bool");
87 SDT_PROBE_DEFINE4(vfs, namei, lookup, return, "int", "struct vnode *", "bool",
88 "struct nameidata");
89
90 /* Allocation zone for namei. */
91 uma_zone_t namei_zone;
92
93 /* Placeholder vnode for mp traversal. */
94 static struct vnode *vp_crossmp;
95
96 static int
97 crossmp_vop_islocked(struct vop_islocked_args *ap)
98 {
99
100 return (LK_SHARED);
101 }
102
103 static int
104 crossmp_vop_lock1(struct vop_lock1_args *ap)
105 {
106 struct vnode *vp;
107 struct lock *lk __diagused;
108 int flags;
109
110 vp = ap->a_vp;
111 lk = vp->v_vnlock;
112 flags = ap->a_flags;
113
114 KASSERT((flags & (LK_SHARED | LK_NOWAIT)) == (LK_SHARED | LK_NOWAIT),
115 ("%s: invalid lock request 0x%x for crossmp", __func__, flags));
116
117 if ((flags & LK_INTERLOCK) != 0)
118 VI_UNLOCK(vp);
119 LOCK_LOG_LOCK("SLOCK", &lk->lock_object, 0, 0, ap->a_file, ap->a_line);
120 return (0);
121 }
122
123 static int
124 crossmp_vop_unlock(struct vop_unlock_args *ap)
125 {
126 struct vnode *vp;
127 struct lock *lk __diagused;
128
129 vp = ap->a_vp;
130 lk = vp->v_vnlock;
131
132 LOCK_LOG_LOCK("SUNLOCK", &lk->lock_object, 0, 0, LOCK_FILE,
133 LOCK_LINE);
134 return (0);
135 }
136
137 static struct vop_vector crossmp_vnodeops = {
138 .vop_default = &default_vnodeops,
139 .vop_islocked = crossmp_vop_islocked,
140 .vop_lock1 = crossmp_vop_lock1,
141 .vop_unlock = crossmp_vop_unlock,
142 };
143 /*
144 * VFS_VOP_VECTOR_REGISTER(crossmp_vnodeops) is not used here since the vnode
145 * gets allocated early. See nameiinit for the direct call below.
146 */
147
148 struct nameicap_tracker {
149 struct vnode *dp;
150 TAILQ_ENTRY(nameicap_tracker) nm_link;
151 };
152
153 /* Zone for cap mode tracker elements used for dotdot capability checks. */
154 MALLOC_DEFINE(M_NAMEITRACKER, "namei_tracker", "namei tracking for dotdot");
155
156 static void
157 nameiinit(void *dummy __unused)
158 {
159
160 namei_zone = uma_zcreate("NAMEI", MAXPATHLEN, NULL, NULL, NULL, NULL,
161 UMA_ALIGN_PTR, 0);
162 vfs_vector_op_register(&crossmp_vnodeops);
163 getnewvnode("crossmp", NULL, &crossmp_vnodeops, &vp_crossmp);
164 vp_crossmp->v_state = VSTATE_CONSTRUCTED;
165 }
166 SYSINIT(vfs, SI_SUB_VFS, SI_ORDER_SECOND, nameiinit, NULL);
167
168 static int lookup_cap_dotdot = 1;
169 SYSCTL_INT(_vfs, OID_AUTO, lookup_cap_dotdot, CTLFLAG_RWTUN,
170 &lookup_cap_dotdot, 0,
171 "enables \"..\" components in path lookup in capability mode");
172 static int lookup_cap_dotdot_nonlocal = 1;
173 SYSCTL_INT(_vfs, OID_AUTO, lookup_cap_dotdot_nonlocal, CTLFLAG_RWTUN,
174 &lookup_cap_dotdot_nonlocal, 0,
175 "enables \"..\" components in path lookup in capability mode "
176 "on non-local mount");
177
178 static void
179 nameicap_tracker_add(struct nameidata *ndp, struct vnode *dp)
180 {
181 struct nameicap_tracker *nt;
182
183 if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0 || dp->v_type != VDIR)
184 return;
185 nt = TAILQ_LAST(&ndp->ni_cap_tracker, nameicap_tracker_head);
186 if (nt != NULL && nt->dp == dp)
187 return;
188 nt = malloc(sizeof(*nt), M_NAMEITRACKER, M_WAITOK);
189 vhold(dp);
190 nt->dp = dp;
191 TAILQ_INSERT_TAIL(&ndp->ni_cap_tracker, nt, nm_link);
192 }
193
194 static void
195 nameicap_cleanup_from(struct nameidata *ndp, struct nameicap_tracker *first)
196 {
197 struct nameicap_tracker *nt, *nt1;
198
199 nt = first;
200 TAILQ_FOREACH_FROM_SAFE(nt, &ndp->ni_cap_tracker, nm_link, nt1) {
201 TAILQ_REMOVE(&ndp->ni_cap_tracker, nt, nm_link);
202 vdrop(nt->dp);
203 free(nt, M_NAMEITRACKER);
204 }
205 }
206
207 static void
208 nameicap_cleanup(struct nameidata *ndp)
209 {
210 KASSERT(TAILQ_EMPTY(&ndp->ni_cap_tracker) ||
211 (ndp->ni_lcf & NI_LCF_CAP_DOTDOT) != 0, ("not strictrelative"));
212 nameicap_cleanup_from(ndp, NULL);
213 }
214
215 /*
216 * For dotdot lookups in capability mode, only allow the component
217 * lookup to succeed if the resulting directory was already traversed
218 * during the operation. This catches situations where already
219 * traversed directory is moved to different parent, and then we walk
220 * over it with dotdots.
221 *
222 * Also allow to force failure of dotdot lookups for non-local
223 * filesystems, where external agents might assist local lookups to
224 * escape the compartment.
225 */
226 static int
227 nameicap_check_dotdot(struct nameidata *ndp, struct vnode *dp)
228 {
229 struct nameicap_tracker *nt;
230 struct mount *mp;
231
232 if (dp == NULL || dp->v_type != VDIR || (ndp->ni_lcf &
233 NI_LCF_STRICTRELATIVE) == 0)
234 return (0);
235 if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0)
236 return (ENOTCAPABLE);
237 mp = dp->v_mount;
238 if (lookup_cap_dotdot_nonlocal == 0 && mp != NULL &&
239 (mp->mnt_flag & MNT_LOCAL) == 0)
240 return (ENOTCAPABLE);
241 TAILQ_FOREACH_REVERSE(nt, &ndp->ni_cap_tracker, nameicap_tracker_head,
242 nm_link) {
243 if (dp == nt->dp) {
244 nt = TAILQ_NEXT(nt, nm_link);
245 if (nt != NULL)
246 nameicap_cleanup_from(ndp, nt);
247 return (0);
248 }
249 }
250 return (ENOTCAPABLE);
251 }
252
253 static void
254 namei_cleanup_cnp(struct componentname *cnp)
255 {
256
257 uma_zfree(namei_zone, cnp->cn_pnbuf);
258 cnp->cn_pnbuf = NULL;
259 cnp->cn_nameptr = NULL;
260 }
261
262 static int
263 namei_handle_root(struct nameidata *ndp, struct vnode **dpp)
264 {
265 struct componentname *cnp;
266
267 cnp = &ndp->ni_cnd;
268 if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0) {
269 #ifdef KTRACE
270 if (KTRPOINT(curthread, KTR_CAPFAIL))
271 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
272 #endif
273 return (ENOTCAPABLE);
274 }
275 while (*(cnp->cn_nameptr) == '/') {
276 cnp->cn_nameptr++;
277 ndp->ni_pathlen--;
278 }
279 *dpp = ndp->ni_rootdir;
280 vrefact(*dpp);
281 return (0);
282 }
283
284 static int
285 namei_setup(struct nameidata *ndp, struct vnode **dpp, struct pwd **pwdp)
286 {
287 struct componentname *cnp;
288 struct thread *td;
289 struct pwd *pwd;
290 int error;
291 bool startdir_used;
292
293 cnp = &ndp->ni_cnd;
294 td = curthread;
295
296 startdir_used = false;
297 *pwdp = NULL;
298 *dpp = NULL;
299
300 #ifdef CAPABILITY_MODE
301 /*
302 * In capability mode, lookups must be restricted to happen in
303 * the subtree with the root specified by the file descriptor:
304 * - The root must be real file descriptor, not the pseudo-descriptor
305 * AT_FDCWD.
306 * - The passed path must be relative and not absolute.
307 * - If lookup_cap_dotdot is disabled, path must not contain the
308 * '..' components.
309 * - If lookup_cap_dotdot is enabled, we verify that all '..'
310 * components lookups result in the directories which were
311 * previously walked by us, which prevents an escape from
312 * the relative root.
313 */
314 if (IN_CAPABILITY_MODE(td) && (cnp->cn_flags & NOCAPCHECK) == 0) {
315 ndp->ni_lcf |= NI_LCF_STRICTRELATIVE;
316 ndp->ni_resflags |= NIRES_STRICTREL;
317 if (ndp->ni_dirfd == AT_FDCWD) {
318 #ifdef KTRACE
319 if (KTRPOINT(td, KTR_CAPFAIL))
320 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
321 #endif
322 return (ECAPMODE);
323 }
324 }
325 #endif
326 error = 0;
327
328 /*
329 * Get starting point for the translation.
330 */
331 pwd = pwd_hold(td);
332 /*
333 * The reference on ni_rootdir is acquired in the block below to avoid
334 * back-to-back atomics for absolute lookups.
335 */
336 ndp->ni_rootdir = pwd->pwd_rdir;
337 ndp->ni_topdir = pwd->pwd_jdir;
338
339 if (cnp->cn_pnbuf[0] == '/') {
340 ndp->ni_resflags |= NIRES_ABS;
341 error = namei_handle_root(ndp, dpp);
342 } else {
343 if (ndp->ni_startdir != NULL) {
344 *dpp = ndp->ni_startdir;
345 startdir_used = true;
346 } else if (ndp->ni_dirfd == AT_FDCWD) {
347 *dpp = pwd->pwd_cdir;
348 vrefact(*dpp);
349 } else {
350 if (cnp->cn_flags & AUDITVNODE1)
351 AUDIT_ARG_ATFD1(ndp->ni_dirfd);
352 if (cnp->cn_flags & AUDITVNODE2)
353 AUDIT_ARG_ATFD2(ndp->ni_dirfd);
354
355 error = fgetvp_lookup(ndp->ni_dirfd, ndp, dpp);
356 }
357 if (error == 0 && (*dpp)->v_type != VDIR &&
358 (cnp->cn_pnbuf[0] != '\0' ||
359 (cnp->cn_flags & EMPTYPATH) == 0))
360 error = ENOTDIR;
361 }
362 if (error == 0 && (cnp->cn_flags & RBENEATH) != 0) {
363 if (cnp->cn_pnbuf[0] == '/') {
364 error = ENOTCAPABLE;
365 } else if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) == 0) {
366 ndp->ni_lcf |= NI_LCF_STRICTRELATIVE |
367 NI_LCF_CAP_DOTDOT;
368 }
369 }
370
371 /*
372 * If we are auditing the kernel pathname, save the user pathname.
373 */
374 if (cnp->cn_flags & AUDITVNODE1)
375 AUDIT_ARG_UPATH1_VP(td, ndp->ni_rootdir, *dpp, cnp->cn_pnbuf);
376 if (cnp->cn_flags & AUDITVNODE2)
377 AUDIT_ARG_UPATH2_VP(td, ndp->ni_rootdir, *dpp, cnp->cn_pnbuf);
378 if (ndp->ni_startdir != NULL && !startdir_used)
379 vrele(ndp->ni_startdir);
380 if (error != 0) {
381 if (*dpp != NULL)
382 vrele(*dpp);
383 pwd_drop(pwd);
384 return (error);
385 }
386 if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0 &&
387 lookup_cap_dotdot != 0)
388 ndp->ni_lcf |= NI_LCF_CAP_DOTDOT;
389 SDT_PROBE4(vfs, namei, lookup, entry, *dpp, cnp->cn_pnbuf,
390 cnp->cn_flags, false);
391 *pwdp = pwd;
392 return (0);
393 }
394
395 static int
396 namei_getpath(struct nameidata *ndp)
397 {
398 struct componentname *cnp;
399 int error;
400
401 cnp = &ndp->ni_cnd;
402
403 /*
404 * Get a buffer for the name to be translated, and copy the
405 * name into the buffer.
406 */
407 cnp->cn_pnbuf = uma_zalloc(namei_zone, M_WAITOK);
408 if (ndp->ni_segflg == UIO_SYSSPACE) {
409 error = copystr(ndp->ni_dirp, cnp->cn_pnbuf, MAXPATHLEN,
410 &ndp->ni_pathlen);
411 } else {
412 error = copyinstr(ndp->ni_dirp, cnp->cn_pnbuf, MAXPATHLEN,
413 &ndp->ni_pathlen);
414 }
415
416 return (error);
417 }
418
419 static int
420 namei_emptypath(struct nameidata *ndp)
421 {
422 struct componentname *cnp;
423 struct pwd *pwd;
424 struct vnode *dp;
425 int error;
426
427 cnp = &ndp->ni_cnd;
428 MPASS(*cnp->cn_pnbuf == '\0');
429 MPASS((cnp->cn_flags & EMPTYPATH) != 0);
430 MPASS((cnp->cn_flags & (LOCKPARENT | WANTPARENT)) == 0);
431
432 ndp->ni_resflags |= NIRES_EMPTYPATH;
433 error = namei_setup(ndp, &dp, &pwd);
434 if (error != 0) {
435 goto errout;
436 }
437
438 /*
439 * Usecount on dp already provided by namei_setup.
440 */
441 ndp->ni_vp = dp;
442 pwd_drop(pwd);
443 NDVALIDATE(ndp);
444 if ((cnp->cn_flags & LOCKLEAF) != 0) {
445 VOP_LOCK(dp, (cnp->cn_flags & LOCKSHARED) != 0 ?
446 LK_SHARED : LK_EXCLUSIVE);
447 if (VN_IS_DOOMED(dp)) {
448 vput(dp);
449 error = ENOENT;
450 goto errout;
451 }
452 }
453 SDT_PROBE4(vfs, namei, lookup, return, 0, ndp->ni_vp, false, ndp);
454 return (0);
455
456 errout:
457 SDT_PROBE4(vfs, namei, lookup, return, error, NULL, false, ndp);
458 namei_cleanup_cnp(cnp);
459 return (error);
460 }
461
462 static int __noinline
463 namei_follow_link(struct nameidata *ndp)
464 {
465 char *cp;
466 struct iovec aiov;
467 struct uio auio;
468 struct componentname *cnp;
469 struct thread *td;
470 int error, linklen;
471
472 error = 0;
473 cnp = &ndp->ni_cnd;
474 td = curthread;
475
476 if (ndp->ni_loopcnt++ >= MAXSYMLINKS) {
477 error = ELOOP;
478 goto out;
479 }
480 #ifdef MAC
481 if ((cnp->cn_flags & NOMACCHECK) == 0) {
482 error = mac_vnode_check_readlink(td->td_ucred, ndp->ni_vp);
483 if (error != 0)
484 goto out;
485 }
486 #endif
487 if (ndp->ni_pathlen > 1)
488 cp = uma_zalloc(namei_zone, M_WAITOK);
489 else
490 cp = cnp->cn_pnbuf;
491 aiov.iov_base = cp;
492 aiov.iov_len = MAXPATHLEN;
493 auio.uio_iov = &aiov;
494 auio.uio_iovcnt = 1;
495 auio.uio_offset = 0;
496 auio.uio_rw = UIO_READ;
497 auio.uio_segflg = UIO_SYSSPACE;
498 auio.uio_td = td;
499 auio.uio_resid = MAXPATHLEN;
500 error = VOP_READLINK(ndp->ni_vp, &auio, cnp->cn_cred);
501 if (error != 0) {
502 if (ndp->ni_pathlen > 1)
503 uma_zfree(namei_zone, cp);
504 goto out;
505 }
506 linklen = MAXPATHLEN - auio.uio_resid;
507 if (linklen == 0) {
508 if (ndp->ni_pathlen > 1)
509 uma_zfree(namei_zone, cp);
510 error = ENOENT;
511 goto out;
512 }
513 if (linklen + ndp->ni_pathlen > MAXPATHLEN) {
514 if (ndp->ni_pathlen > 1)
515 uma_zfree(namei_zone, cp);
516 error = ENAMETOOLONG;
517 goto out;
518 }
519 if (ndp->ni_pathlen > 1) {
520 bcopy(ndp->ni_next, cp + linklen, ndp->ni_pathlen);
521 uma_zfree(namei_zone, cnp->cn_pnbuf);
522 cnp->cn_pnbuf = cp;
523 } else
524 cnp->cn_pnbuf[linklen] = '\0';
525 ndp->ni_pathlen += linklen;
526 out:
527 return (error);
528 }
529
530 /*
531 * Convert a pathname into a pointer to a locked vnode.
532 *
533 * The FOLLOW flag is set when symbolic links are to be followed
534 * when they occur at the end of the name translation process.
535 * Symbolic links are always followed for all other pathname
536 * components other than the last.
537 *
538 * The segflg defines whether the name is to be copied from user
539 * space or kernel space.
540 *
541 * Overall outline of namei:
542 *
543 * copy in name
544 * get starting directory
545 * while (!done && !error) {
546 * call lookup to search path.
547 * if symbolic link, massage name in buffer and continue
548 * }
549 */
550 int
551 namei(struct nameidata *ndp)
552 {
553 struct vnode *dp; /* the directory we are searching */
554 struct componentname *cnp;
555 struct thread *td;
556 struct pwd *pwd;
557 int error;
558 enum cache_fpl_status status;
559
560 cnp = &ndp->ni_cnd;
561 td = curthread;
562 #ifdef INVARIANTS
563 KASSERT((ndp->ni_debugflags & NAMEI_DBG_CALLED) == 0,
564 ("%s: repeated call to namei without NDREINIT", __func__));
565 KASSERT(ndp->ni_debugflags == NAMEI_DBG_INITED,
566 ("%s: bad debugflags %d", __func__, ndp->ni_debugflags));
567 ndp->ni_debugflags |= NAMEI_DBG_CALLED;
568 if (ndp->ni_startdir != NULL)
569 ndp->ni_debugflags |= NAMEI_DBG_HADSTARTDIR;
570 if (cnp->cn_flags & FAILIFEXISTS) {
571 KASSERT(cnp->cn_nameiop == CREATE,
572 ("%s: FAILIFEXISTS passed for op %d", __func__, cnp->cn_nameiop));
573 /*
574 * The limitation below is to restrict hairy corner cases.
575 */
576 KASSERT((cnp->cn_flags & (LOCKPARENT | LOCKLEAF)) == LOCKPARENT,
577 ("%s: FAILIFEXISTS must be passed with LOCKPARENT and without LOCKLEAF",
578 __func__));
579 }
580 #endif
581 ndp->ni_cnd.cn_cred = td->td_ucred;
582 KASSERT(ndp->ni_resflags == 0, ("%s: garbage in ni_resflags: %x\n",
583 __func__, ndp->ni_resflags));
584 KASSERT(cnp->cn_cred && td->td_proc, ("namei: bad cred/proc"));
585 KASSERT((cnp->cn_flags & NAMEI_INTERNAL_FLAGS) == 0,
586 ("namei: unexpected flags: %" PRIx64 "\n",
587 cnp->cn_flags & NAMEI_INTERNAL_FLAGS));
588 if (cnp->cn_flags & NOCACHE)
589 KASSERT(cnp->cn_nameiop != LOOKUP,
590 ("%s: NOCACHE passed with LOOKUP", __func__));
591 MPASS(ndp->ni_startdir == NULL || ndp->ni_startdir->v_type == VDIR ||
592 ndp->ni_startdir->v_type == VBAD);
593
594 ndp->ni_lcf = 0;
595 ndp->ni_loopcnt = 0;
596 ndp->ni_vp = NULL;
597
598 error = namei_getpath(ndp);
599 if (__predict_false(error != 0)) {
600 namei_cleanup_cnp(cnp);
601 SDT_PROBE4(vfs, namei, lookup, return, error, NULL,
602 false, ndp);
603 return (error);
604 }
605
606 cnp->cn_nameptr = cnp->cn_pnbuf;
607
608 #ifdef KTRACE
609 if (KTRPOINT(td, KTR_NAMEI)) {
610 ktrnamei(cnp->cn_pnbuf);
611 }
612 #endif
613 TSNAMEI(curthread->td_proc->p_pid, cnp->cn_pnbuf);
614
615 /*
616 * First try looking up the target without locking any vnodes.
617 *
618 * We may need to start from scratch or pick up where it left off.
619 */
620 error = cache_fplookup(ndp, &status, &pwd);
621 switch (status) {
622 case CACHE_FPL_STATUS_UNSET:
623 __assert_unreachable();
624 break;
625 case CACHE_FPL_STATUS_HANDLED:
626 if (error == 0)
627 NDVALIDATE(ndp);
628 return (error);
629 case CACHE_FPL_STATUS_PARTIAL:
630 TAILQ_INIT(&ndp->ni_cap_tracker);
631 dp = ndp->ni_startdir;
632 break;
633 case CACHE_FPL_STATUS_DESTROYED:
634 ndp->ni_loopcnt = 0;
635 error = namei_getpath(ndp);
636 if (__predict_false(error != 0)) {
637 namei_cleanup_cnp(cnp);
638 return (error);
639 }
640 cnp->cn_nameptr = cnp->cn_pnbuf;
641 /* FALLTHROUGH */
642 case CACHE_FPL_STATUS_ABORTED:
643 TAILQ_INIT(&ndp->ni_cap_tracker);
644 MPASS(ndp->ni_lcf == 0);
645 if (*cnp->cn_pnbuf == '\0') {
646 if ((cnp->cn_flags & EMPTYPATH) != 0) {
647 return (namei_emptypath(ndp));
648 }
649 namei_cleanup_cnp(cnp);
650 SDT_PROBE4(vfs, namei, lookup, return, ENOENT, NULL,
651 false, ndp);
652 return (ENOENT);
653 }
654 error = namei_setup(ndp, &dp, &pwd);
655 if (error != 0) {
656 namei_cleanup_cnp(cnp);
657 return (error);
658 }
659 break;
660 }
661
662 /*
663 * Locked lookup.
664 */
665 for (;;) {
666 ndp->ni_startdir = dp;
667 error = vfs_lookup(ndp);
668 if (error != 0)
669 goto out;
670
671 /*
672 * If not a symbolic link, we're done.
673 */
674 if ((cnp->cn_flags & ISSYMLINK) == 0) {
675 SDT_PROBE4(vfs, namei, lookup, return, error,
676 ndp->ni_vp, false, ndp);
677 nameicap_cleanup(ndp);
678 pwd_drop(pwd);
679 NDVALIDATE(ndp);
680 return (0);
681 }
682 error = namei_follow_link(ndp);
683 if (error != 0)
684 break;
685 vput(ndp->ni_vp);
686 dp = ndp->ni_dvp;
687 /*
688 * Check if root directory should replace current directory.
689 */
690 cnp->cn_nameptr = cnp->cn_pnbuf;
691 if (*(cnp->cn_nameptr) == '/') {
692 vrele(dp);
693 error = namei_handle_root(ndp, &dp);
694 if (error != 0)
695 goto out;
696 }
697 }
698 vput(ndp->ni_vp);
699 ndp->ni_vp = NULL;
700 vrele(ndp->ni_dvp);
701 out:
702 MPASS(error != 0);
703 SDT_PROBE4(vfs, namei, lookup, return, error, NULL, false, ndp);
704 namei_cleanup_cnp(cnp);
705 nameicap_cleanup(ndp);
706 pwd_drop(pwd);
707 return (error);
708 }
709
710 static int
711 compute_cn_lkflags(struct mount *mp, int lkflags, int cnflags)
712 {
713
714 if (mp == NULL || ((lkflags & LK_SHARED) &&
715 !(mp->mnt_kern_flag & MNTK_LOOKUP_SHARED))) {
716 lkflags &= ~LK_SHARED;
717 lkflags |= LK_EXCLUSIVE;
718 }
719 lkflags |= LK_NODDLKTREAT;
720 return (lkflags);
721 }
722
723 static __inline int
724 needs_exclusive_leaf(struct mount *mp, int flags)
725 {
726
727 /*
728 * Intermediate nodes can use shared locks, we only need to
729 * force an exclusive lock for leaf nodes.
730 */
731 if ((flags & (ISLASTCN | LOCKLEAF)) != (ISLASTCN | LOCKLEAF))
732 return (0);
733
734 /* Always use exclusive locks if LOCKSHARED isn't set. */
735 if (!(flags & LOCKSHARED))
736 return (1);
737
738 /*
739 * For lookups during open(), if the mount point supports
740 * extended shared operations, then use a shared lock for the
741 * leaf node, otherwise use an exclusive lock.
742 */
743 if ((flags & ISOPEN) != 0)
744 return (!MNT_EXTENDED_SHARED(mp));
745
746 /*
747 * Lookup requests outside of open() that specify LOCKSHARED
748 * only need a shared lock on the leaf vnode.
749 */
750 return (0);
751 }
752
753 /*
754 * Various filesystems expect to be able to copy a name component with length
755 * bounded by NAME_MAX into a directory entry buffer of size MAXNAMLEN. Make
756 * sure that these are the same size.
757 */
758 _Static_assert(MAXNAMLEN == NAME_MAX,
759 "MAXNAMLEN and NAME_MAX have different values");
760
761 static int __noinline
762 vfs_lookup_degenerate(struct nameidata *ndp, struct vnode *dp, int wantparent)
763 {
764 struct componentname *cnp;
765 struct mount *mp;
766 int error;
767
768 cnp = &ndp->ni_cnd;
769
770 cnp->cn_flags |= ISLASTCN;
771
772 mp = atomic_load_ptr(&dp->v_mount);
773 if (needs_exclusive_leaf(mp, cnp->cn_flags)) {
774 cnp->cn_lkflags &= ~LK_SHARED;
775 cnp->cn_lkflags |= LK_EXCLUSIVE;
776 }
777
778 vn_lock(dp,
779 compute_cn_lkflags(mp, cnp->cn_lkflags | LK_RETRY,
780 cnp->cn_flags));
781
782 if (dp->v_type != VDIR) {
783 error = ENOTDIR;
784 goto bad;
785 }
786 if (cnp->cn_nameiop != LOOKUP) {
787 error = EISDIR;
788 goto bad;
789 }
790 if (wantparent) {
791 ndp->ni_dvp = dp;
792 VREF(dp);
793 }
794 ndp->ni_vp = dp;
795 cnp->cn_namelen = 0;
796
797 if (cnp->cn_flags & AUDITVNODE1)
798 AUDIT_ARG_VNODE1(dp);
799 else if (cnp->cn_flags & AUDITVNODE2)
800 AUDIT_ARG_VNODE2(dp);
801
802 if (!(cnp->cn_flags & (LOCKPARENT | LOCKLEAF)))
803 VOP_UNLOCK(dp);
804 return (0);
805 bad:
806 VOP_UNLOCK(dp);
807 return (error);
808 }
809
810 /*
811 * FAILIFEXISTS handling.
812 *
813 * XXX namei called with LOCKPARENT but not LOCKLEAF has the strange
814 * behaviour of leaving the vnode unlocked if the target is the same
815 * vnode as the parent.
816 */
817 static int __noinline
818 vfs_lookup_failifexists(struct nameidata *ndp)
819 {
820 struct componentname *cnp __diagused;
821
822 cnp = &ndp->ni_cnd;
823
824 MPASS((cnp->cn_flags & ISSYMLINK) == 0);
825 if (ndp->ni_vp == ndp->ni_dvp)
826 vrele(ndp->ni_dvp);
827 else
828 vput(ndp->ni_dvp);
829 vrele(ndp->ni_vp);
830 ndp->ni_dvp = NULL;
831 ndp->ni_vp = NULL;
832 NDFREE_PNBUF(ndp);
833 return (EEXIST);
834 }
835
836 /*
837 * Search a pathname.
838 * This is a very central and rather complicated routine.
839 *
840 * The pathname is pointed to by ni_ptr and is of length ni_pathlen.
841 * The starting directory is taken from ni_startdir. The pathname is
842 * descended until done, or a symbolic link is encountered. The variable
843 * ni_more is clear if the path is completed; it is set to one if a
844 * symbolic link needing interpretation is encountered.
845 *
846 * The flag argument is LOOKUP, CREATE, RENAME, or DELETE depending on
847 * whether the name is to be looked up, created, renamed, or deleted.
848 * When CREATE, RENAME, or DELETE is specified, information usable in
849 * creating, renaming, or deleting a directory entry may be calculated.
850 * If flag has LOCKPARENT or'ed into it, the parent directory is returned
851 * locked. If flag has WANTPARENT or'ed into it, the parent directory is
852 * returned unlocked. Otherwise the parent directory is not returned. If
853 * the target of the pathname exists and LOCKLEAF is or'ed into the flag
854 * the target is returned locked, otherwise it is returned unlocked.
855 * When creating or renaming and LOCKPARENT is specified, the target may not
856 * be ".". When deleting and LOCKPARENT is specified, the target may be ".".
857 *
858 * Overall outline of lookup:
859 *
860 * dirloop:
861 * identify next component of name at ndp->ni_ptr
862 * handle degenerate case where name is null string
863 * if .. and crossing mount points and on mounted filesys, find parent
864 * call VOP_LOOKUP routine for next component name
865 * directory vnode returned in ni_dvp, unlocked unless LOCKPARENT set
866 * component vnode returned in ni_vp (if it exists), locked.
867 * if result vnode is mounted on and crossing mount points,
868 * find mounted on vnode
869 * if more components of name, do next level at dirloop
870 * return the answer in ni_vp, locked if LOCKLEAF set
871 * if LOCKPARENT set, return locked parent in ni_dvp
872 * if WANTPARENT set, return unlocked parent in ni_dvp
873 */
874 int
875 vfs_lookup(struct nameidata *ndp)
876 {
877 char *cp; /* pointer into pathname argument */
878 char *prev_ni_next; /* saved ndp->ni_next */
879 char *nulchar; /* location of '\0' in cn_pnbuf */
880 char *lastchar; /* location of the last character */
881 struct vnode *dp = NULL; /* the directory we are searching */
882 struct vnode *tdp; /* saved dp */
883 struct mount *mp; /* mount table entry */
884 struct prison *pr;
885 size_t prev_ni_pathlen; /* saved ndp->ni_pathlen */
886 int docache; /* == 0 do not cache last component */
887 int wantparent; /* 1 => wantparent or lockparent flag */
888 int rdonly; /* lookup read-only flag bit */
889 int error = 0;
890 int dpunlocked = 0; /* dp has already been unlocked */
891 int relookup = 0; /* do not consume the path component */
892 struct componentname *cnp = &ndp->ni_cnd;
893 int lkflags_save;
894 int ni_dvp_unlocked;
895 int crosslkflags;
896 bool crosslock;
897
898 /*
899 * Setup: break out flag bits into variables.
900 */
901 ni_dvp_unlocked = 0;
902 wantparent = cnp->cn_flags & (LOCKPARENT | WANTPARENT);
903 KASSERT(cnp->cn_nameiop == LOOKUP || wantparent,
904 ("CREATE, DELETE, RENAME require LOCKPARENT or WANTPARENT."));
905 /*
906 * When set to zero, docache causes the last component of the
907 * pathname to be deleted from the cache and the full lookup
908 * of the name to be done (via VOP_CACHEDLOOKUP()). Often
909 * filesystems need some pre-computed values that are made
910 * during the full lookup, for instance UFS sets dp->i_offset.
911 *
912 * The docache variable is set to zero when requested by the
913 * NOCACHE flag and for all modifying operations except CREATE.
914 */
915 docache = (cnp->cn_flags & NOCACHE) ^ NOCACHE;
916 if (cnp->cn_nameiop == DELETE ||
917 (wantparent && cnp->cn_nameiop != CREATE &&
918 cnp->cn_nameiop != LOOKUP))
919 docache = 0;
920 rdonly = cnp->cn_flags & RDONLY;
921 cnp->cn_flags &= ~ISSYMLINK;
922 ndp->ni_dvp = NULL;
923
924 cnp->cn_lkflags = LK_SHARED;
925 dp = ndp->ni_startdir;
926 ndp->ni_startdir = NULLVP;
927
928 /*
929 * Leading slashes, if any, are supposed to be skipped by the caller.
930 */
931 MPASS(cnp->cn_nameptr[0] != '/');
932
933 /*
934 * Check for degenerate name (e.g. / or "") which is a way of talking
935 * about a directory, e.g. like "/." or ".".
936 */
937 if (__predict_false(cnp->cn_nameptr[0] == '\0')) {
938 error = vfs_lookup_degenerate(ndp, dp, wantparent);
939 if (error == 0)
940 goto success_right_lock;
941 goto bad_unlocked;
942 }
943
944 /*
945 * Nul-out trailing slashes (e.g., "foo///" -> "foo").
946 *
947 * This must be done before VOP_LOOKUP() because some fs's don't know
948 * about trailing slashes. Remember if there were trailing slashes to
949 * handle symlinks, existing non-directories and non-existing files
950 * that won't be directories specially later.
951 */
952 MPASS(ndp->ni_pathlen >= 2);
953 lastchar = &cnp->cn_nameptr[ndp->ni_pathlen - 2];
954 if (*lastchar == '/') {
955 while (lastchar >= cnp->cn_pnbuf) {
956 *lastchar = '\0';
957 lastchar--;
958 ndp->ni_pathlen--;
959 if (*lastchar != '/') {
960 break;
961 }
962 }
963 cnp->cn_flags |= TRAILINGSLASH;
964 }
965
966 /*
967 * We use shared locks until we hit the parent of the last cn then
968 * we adjust based on the requesting flags.
969 */
970 vn_lock(dp,
971 compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags | LK_RETRY,
972 cnp->cn_flags));
973
974 dirloop:
975 /*
976 * Search a new directory.
977 *
978 * The last component of the filename is left accessible via
979 * cnp->cn_nameptr. It has to be freed with a call to NDFREE*.
980 *
981 * Store / as a temporary sentinel so that we only have one character
982 * to test for. Pathnames tend to be short so this should not be
983 * resulting in cache misses.
984 */
985 nulchar = &cnp->cn_nameptr[ndp->ni_pathlen - 1];
986 KASSERT(*nulchar == '\0',
987 ("%s: expected nul at %p; string [%s]\n", __func__, nulchar,
988 cnp->cn_pnbuf));
989 *nulchar = '/';
990 for (cp = cnp->cn_nameptr; *cp != '/'; cp++) {
991 KASSERT(*cp != '\0',
992 ("%s: encountered unexpected nul; string [%s]\n", __func__,
993 cnp->cn_nameptr));
994 continue;
995 }
996 *nulchar = '\0';
997 cnp->cn_namelen = cp - cnp->cn_nameptr;
998 if (__predict_false(cnp->cn_namelen > NAME_MAX)) {
999 error = ENAMETOOLONG;
1000 goto bad;
1001 }
1002 #ifdef NAMEI_DIAGNOSTIC
1003 { char c = *cp;
1004 *cp = '\0';
1005 printf("{%s}: ", cnp->cn_nameptr);
1006 *cp = c; }
1007 #endif
1008 prev_ni_pathlen = ndp->ni_pathlen;
1009 ndp->ni_pathlen -= cnp->cn_namelen;
1010 KASSERT(ndp->ni_pathlen <= PATH_MAX,
1011 ("%s: ni_pathlen underflow to %zd\n", __func__, ndp->ni_pathlen));
1012 prev_ni_next = ndp->ni_next;
1013 ndp->ni_next = cp;
1014
1015 /*
1016 * Something else should be clearing this.
1017 */
1018 cnp->cn_flags &= ~(ISDOTDOT|ISLASTCN);
1019
1020 cnp->cn_flags |= MAKEENTRY;
1021 if (*cp == '\0' && docache == 0)
1022 cnp->cn_flags &= ~MAKEENTRY;
1023 if (cnp->cn_namelen == 2 &&
1024 cnp->cn_nameptr[1] == '.' && cnp->cn_nameptr[0] == '.')
1025 cnp->cn_flags |= ISDOTDOT;
1026 if (*ndp->ni_next == 0) {
1027 cnp->cn_flags |= ISLASTCN;
1028
1029 if (__predict_false(cnp->cn_namelen == 1 && cnp->cn_nameptr[0] == '.' &&
1030 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME))) {
1031 error = EINVAL;
1032 goto bad;
1033 }
1034 }
1035
1036 nameicap_tracker_add(ndp, dp);
1037
1038 /*
1039 * Make sure degenerate names don't get here, their handling was
1040 * previously found in this spot.
1041 */
1042 MPASS(cnp->cn_nameptr[0] != '\0');
1043
1044 /*
1045 * Handle "..": five special cases.
1046 * 0. If doing a capability lookup and lookup_cap_dotdot is
1047 * disabled, return ENOTCAPABLE.
1048 * 1. Return an error if this is the last component of
1049 * the name and the operation is DELETE or RENAME.
1050 * 2. If at root directory (e.g. after chroot)
1051 * or at absolute root directory
1052 * then ignore it so can't get out.
1053 * 3. If this vnode is the root of a mounted
1054 * filesystem, then replace it with the
1055 * vnode which was mounted on so we take the
1056 * .. in the other filesystem.
1057 * 4. If the vnode is the top directory of
1058 * the jail or chroot, don't let them out.
1059 * 5. If doing a capability lookup and lookup_cap_dotdot is
1060 * enabled, return ENOTCAPABLE if the lookup would escape
1061 * from the initial file descriptor directory. Checks are
1062 * done by ensuring that namei() already traversed the
1063 * result of dotdot lookup.
1064 */
1065 if (cnp->cn_flags & ISDOTDOT) {
1066 if ((ndp->ni_lcf & (NI_LCF_STRICTRELATIVE | NI_LCF_CAP_DOTDOT))
1067 == NI_LCF_STRICTRELATIVE) {
1068 #ifdef KTRACE
1069 if (KTRPOINT(curthread, KTR_CAPFAIL))
1070 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
1071 #endif
1072 error = ENOTCAPABLE;
1073 goto bad;
1074 }
1075 if ((cnp->cn_flags & ISLASTCN) != 0 &&
1076 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
1077 error = EINVAL;
1078 goto bad;
1079 }
1080 for (;;) {
1081 for (pr = cnp->cn_cred->cr_prison; pr != NULL;
1082 pr = pr->pr_parent)
1083 if (dp == pr->pr_root)
1084 break;
1085 if (dp == ndp->ni_rootdir ||
1086 dp == ndp->ni_topdir ||
1087 dp == rootvnode ||
1088 pr != NULL ||
1089 ((dp->v_vflag & VV_ROOT) != 0 &&
1090 (cnp->cn_flags & NOCROSSMOUNT) != 0)) {
1091 ndp->ni_dvp = dp;
1092 ndp->ni_vp = dp;
1093 VREF(dp);
1094 goto nextname;
1095 }
1096 if ((dp->v_vflag & VV_ROOT) == 0)
1097 break;
1098 if (VN_IS_DOOMED(dp)) { /* forced unmount */
1099 error = ENOENT;
1100 goto bad;
1101 }
1102 tdp = dp;
1103 dp = dp->v_mount->mnt_vnodecovered;
1104 VREF(dp);
1105 vput(tdp);
1106 vn_lock(dp,
1107 compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags |
1108 LK_RETRY, ISDOTDOT));
1109 error = nameicap_check_dotdot(ndp, dp);
1110 if (error != 0) {
1111 #ifdef KTRACE
1112 if (KTRPOINT(curthread, KTR_CAPFAIL))
1113 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
1114 #endif
1115 goto bad;
1116 }
1117 }
1118 }
1119
1120 /*
1121 * We now have a segment name to search for, and a directory to search.
1122 */
1123 unionlookup:
1124 #ifdef MAC
1125 error = mac_vnode_check_lookup(cnp->cn_cred, dp, cnp);
1126 if (__predict_false(error))
1127 goto bad;
1128 #endif
1129 ndp->ni_dvp = dp;
1130 ndp->ni_vp = NULL;
1131 ASSERT_VOP_LOCKED(dp, "lookup");
1132 /*
1133 * If we have a shared lock we may need to upgrade the lock for the
1134 * last operation.
1135 */
1136 if ((cnp->cn_flags & LOCKPARENT) && (cnp->cn_flags & ISLASTCN) &&
1137 dp != vp_crossmp && VOP_ISLOCKED(dp) == LK_SHARED)
1138 vn_lock(dp, LK_UPGRADE|LK_RETRY);
1139 if (VN_IS_DOOMED(dp)) {
1140 error = ENOENT;
1141 goto bad;
1142 }
1143 /*
1144 * If we're looking up the last component and we need an exclusive
1145 * lock, adjust our lkflags.
1146 */
1147 if (needs_exclusive_leaf(dp->v_mount, cnp->cn_flags))
1148 cnp->cn_lkflags = LK_EXCLUSIVE;
1149 #ifdef NAMEI_DIAGNOSTIC
1150 vn_printf(dp, "lookup in ");
1151 #endif
1152 lkflags_save = cnp->cn_lkflags;
1153 cnp->cn_lkflags = compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags,
1154 cnp->cn_flags);
1155 error = VOP_LOOKUP(dp, &ndp->ni_vp, cnp);
1156 cnp->cn_lkflags = lkflags_save;
1157 if (error != 0) {
1158 KASSERT(ndp->ni_vp == NULL, ("leaf should be empty"));
1159 #ifdef NAMEI_DIAGNOSTIC
1160 printf("not found\n");
1161 #endif
1162 if ((error == ENOENT) &&
1163 (dp->v_vflag & VV_ROOT) && (dp->v_mount != NULL) &&
1164 (dp->v_mount->mnt_flag & MNT_UNION)) {
1165 tdp = dp;
1166 dp = dp->v_mount->mnt_vnodecovered;
1167 VREF(dp);
1168 vput(tdp);
1169 vn_lock(dp,
1170 compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags |
1171 LK_RETRY, cnp->cn_flags));
1172 nameicap_tracker_add(ndp, dp);
1173 goto unionlookup;
1174 }
1175
1176 if (error == ERELOOKUP) {
1177 vref(dp);
1178 ndp->ni_vp = dp;
1179 error = 0;
1180 relookup = 1;
1181 goto good;
1182 }
1183
1184 if (error != EJUSTRETURN)
1185 goto bad;
1186 /*
1187 * At this point, we know we're at the end of the
1188 * pathname. If creating / renaming, we can consider
1189 * allowing the file or directory to be created / renamed,
1190 * provided we're not on a read-only filesystem.
1191 */
1192 if (rdonly) {
1193 error = EROFS;
1194 goto bad;
1195 }
1196 /* trailing slash only allowed for directories */
1197 if ((cnp->cn_flags & TRAILINGSLASH) &&
1198 !(cnp->cn_flags & WILLBEDIR)) {
1199 error = ENOENT;
1200 goto bad;
1201 }
1202 if ((cnp->cn_flags & LOCKPARENT) == 0)
1203 VOP_UNLOCK(dp);
1204 /*
1205 * We return with ni_vp NULL to indicate that the entry
1206 * doesn't currently exist, leaving a pointer to the
1207 * (possibly locked) directory vnode in ndp->ni_dvp.
1208 */
1209 goto success;
1210 }
1211
1212 good:
1213 #ifdef NAMEI_DIAGNOSTIC
1214 printf("found\n");
1215 #endif
1216 dp = ndp->ni_vp;
1217
1218 /*
1219 * Check for symbolic link
1220 */
1221 if ((dp->v_type == VLNK) &&
1222 ((cnp->cn_flags & FOLLOW) || (cnp->cn_flags & TRAILINGSLASH) ||
1223 *ndp->ni_next == '/')) {
1224 cnp->cn_flags |= ISSYMLINK;
1225 if (VN_IS_DOOMED(dp)) {
1226 /*
1227 * We can't know whether the directory was mounted with
1228 * NOSYMFOLLOW, so we can't follow safely.
1229 */
1230 error = ENOENT;
1231 goto bad2;
1232 }
1233 if (dp->v_mount->mnt_flag & MNT_NOSYMFOLLOW) {
1234 error = EACCES;
1235 goto bad2;
1236 }
1237 /*
1238 * Symlink code always expects an unlocked dvp.
1239 */
1240 if (ndp->ni_dvp != ndp->ni_vp) {
1241 VOP_UNLOCK(ndp->ni_dvp);
1242 ni_dvp_unlocked = 1;
1243 }
1244 goto success;
1245 } else if ((vn_irflag_read(dp) & VIRF_MOUNTPOINT) != 0) {
1246 if ((cnp->cn_flags & NOCROSSMOUNT) != 0)
1247 goto nextname;
1248 } else
1249 goto nextname;
1250
1251 /*
1252 * Check to see if the vnode has been mounted on;
1253 * if so find the root of the mounted filesystem.
1254 */
1255 do {
1256 mp = dp->v_mountedhere;
1257 KASSERT(mp != NULL,
1258 ("%s: NULL mountpoint for VIRF_MOUNTPOINT vnode", __func__));
1259 crosslock = (dp->v_vflag & VV_CROSSLOCK) != 0;
1260 crosslkflags = compute_cn_lkflags(mp, cnp->cn_lkflags,
1261 cnp->cn_flags);
1262 if (__predict_false(crosslock)) {
1263 /*
1264 * We are going to be holding the vnode lock, which
1265 * in this case is shared by the root vnode of the
1266 * filesystem mounted at mp, across the call to
1267 * VFS_ROOT(). Make the situation clear to the
1268 * filesystem by passing LK_CANRECURSE if the
1269 * lock is held exclusive, or by clearinng
1270 * LK_NODDLKTREAT to allow recursion on the shared
1271 * lock in the presence of an exclusive waiter.
1272 */
1273 if (VOP_ISLOCKED(dp) == LK_EXCLUSIVE) {
1274 crosslkflags &= ~LK_SHARED;
1275 crosslkflags |= LK_EXCLUSIVE | LK_CANRECURSE;
1276 } else if ((crosslkflags & LK_EXCLUSIVE) != 0) {
1277 vn_lock(dp, LK_UPGRADE | LK_RETRY);
1278 if (VN_IS_DOOMED(dp)) {
1279 error = ENOENT;
1280 goto bad2;
1281 }
1282 } else
1283 crosslkflags &= ~LK_NODDLKTREAT;
1284 }
1285 if (vfs_busy(mp, 0) != 0)
1286 continue;
1287 if (__predict_true(!crosslock))
1288 vput(dp);
1289 if (dp != ndp->ni_dvp)
1290 vput(ndp->ni_dvp);
1291 else
1292 vrele(ndp->ni_dvp);
1293 vrefact(vp_crossmp);
1294 ndp->ni_dvp = vp_crossmp;
1295 error = VFS_ROOT(mp, crosslkflags, &tdp);
1296 vfs_unbusy(mp);
1297 if (__predict_false(crosslock))
1298 vput(dp);
1299 if (vn_lock(vp_crossmp, LK_SHARED | LK_NOWAIT))
1300 panic("vp_crossmp exclusively locked or reclaimed");
1301 if (error != 0) {
1302 dpunlocked = 1;
1303 goto bad2;
1304 }
1305 ndp->ni_vp = dp = tdp;
1306 } while ((vn_irflag_read(dp) & VIRF_MOUNTPOINT) != 0);
1307
1308 nextname:
1309 /*
1310 * Not a symbolic link that we will follow. Continue with the
1311 * next component if there is any; otherwise, we're done.
1312 */
1313 KASSERT((cnp->cn_flags & ISLASTCN) || *ndp->ni_next == '/',
1314 ("lookup: invalid path state."));
1315 if (relookup) {
1316 relookup = 0;
1317 ndp->ni_pathlen = prev_ni_pathlen;
1318 ndp->ni_next = prev_ni_next;
1319 if (ndp->ni_dvp != dp)
1320 vput(ndp->ni_dvp);
1321 else
1322 vrele(ndp->ni_dvp);
1323 goto dirloop;
1324 }
1325 if (cnp->cn_flags & ISDOTDOT) {
1326 error = nameicap_check_dotdot(ndp, ndp->ni_vp);
1327 if (error != 0) {
1328 #ifdef KTRACE
1329 if (KTRPOINT(curthread, KTR_CAPFAIL))
1330 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
1331 #endif
1332 goto bad2;
1333 }
1334 }
1335 if (*ndp->ni_next == '/') {
1336 cnp->cn_nameptr = ndp->ni_next;
1337 while (*cnp->cn_nameptr == '/') {
1338 cnp->cn_nameptr++;
1339 ndp->ni_pathlen--;
1340 }
1341 if (ndp->ni_dvp != dp)
1342 vput(ndp->ni_dvp);
1343 else
1344 vrele(ndp->ni_dvp);
1345 goto dirloop;
1346 }
1347 /*
1348 * If we're processing a path with a trailing slash,
1349 * check that the end result is a directory.
1350 */
1351 if ((cnp->cn_flags & TRAILINGSLASH) && dp->v_type != VDIR) {
1352 error = ENOTDIR;
1353 goto bad2;
1354 }
1355 /*
1356 * Disallow directory write attempts on read-only filesystems.
1357 */
1358 if (rdonly &&
1359 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
1360 error = EROFS;
1361 goto bad2;
1362 }
1363 if (!wantparent) {
1364 ni_dvp_unlocked = 2;
1365 if (ndp->ni_dvp != dp)
1366 vput(ndp->ni_dvp);
1367 else
1368 vrele(ndp->ni_dvp);
1369 } else if ((cnp->cn_flags & LOCKPARENT) == 0 && ndp->ni_dvp != dp) {
1370 VOP_UNLOCK(ndp->ni_dvp);
1371 ni_dvp_unlocked = 1;
1372 }
1373
1374 if (cnp->cn_flags & AUDITVNODE1)
1375 AUDIT_ARG_VNODE1(dp);
1376 else if (cnp->cn_flags & AUDITVNODE2)
1377 AUDIT_ARG_VNODE2(dp);
1378
1379 if ((cnp->cn_flags & LOCKLEAF) == 0)
1380 VOP_UNLOCK(dp);
1381 success:
1382 /*
1383 * FIXME: for lookups which only cross a mount point to fetch the
1384 * root vnode, ni_dvp will be set to vp_crossmp. This can be a problem
1385 * if either WANTPARENT or LOCKPARENT is set.
1386 */
1387 /*
1388 * Because of shared lookup we may have the vnode shared locked, but
1389 * the caller may want it to be exclusively locked.
1390 */
1391 if (needs_exclusive_leaf(dp->v_mount, cnp->cn_flags) &&
1392 VOP_ISLOCKED(dp) != LK_EXCLUSIVE) {
1393 vn_lock(dp, LK_UPGRADE | LK_RETRY);
1394 if (VN_IS_DOOMED(dp)) {
1395 error = ENOENT;
1396 goto bad2;
1397 }
1398 }
1399 success_right_lock:
1400 if (ndp->ni_vp != NULL) {
1401 if ((cnp->cn_flags & ISDOTDOT) == 0)
1402 nameicap_tracker_add(ndp, ndp->ni_vp);
1403 if ((cnp->cn_flags & (FAILIFEXISTS | ISSYMLINK)) == FAILIFEXISTS)
1404 return (vfs_lookup_failifexists(ndp));
1405 }
1406 return (0);
1407
1408 bad2:
1409 if (ni_dvp_unlocked != 2) {
1410 if (dp != ndp->ni_dvp && !ni_dvp_unlocked)
1411 vput(ndp->ni_dvp);
1412 else
1413 vrele(ndp->ni_dvp);
1414 }
1415 bad:
1416 if (!dpunlocked)
1417 vput(dp);
1418 bad_unlocked:
1419 ndp->ni_vp = NULL;
1420 return (error);
1421 }
1422
1423 /*
1424 * relookup - lookup a path name component
1425 * Used by lookup to re-acquire things.
1426 */
1427 int
1428 vfs_relookup(struct vnode *dvp, struct vnode **vpp, struct componentname *cnp,
1429 bool refstart)
1430 {
1431 struct vnode *dp = NULL; /* the directory we are searching */
1432 int rdonly; /* lookup read-only flag bit */
1433 int error = 0;
1434
1435 KASSERT(cnp->cn_flags & ISLASTCN,
1436 ("relookup: Not given last component."));
1437 /*
1438 * Setup: break out flag bits into variables.
1439 */
1440 KASSERT((cnp->cn_flags & (LOCKPARENT | WANTPARENT)) != 0,
1441 ("relookup: parent not wanted"));
1442 rdonly = cnp->cn_flags & RDONLY;
1443 cnp->cn_flags &= ~ISSYMLINK;
1444 dp = dvp;
1445 cnp->cn_lkflags = LK_EXCLUSIVE;
1446 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY);
1447
1448 /*
1449 * Search a new directory.
1450 *
1451 * See a comment in vfs_lookup for cnp->cn_nameptr.
1452 */
1453 #ifdef NAMEI_DIAGNOSTIC
1454 printf("{%s}: ", cnp->cn_nameptr);
1455 #endif
1456
1457 /*
1458 * Check for "" which represents the root directory after slash
1459 * removal.
1460 */
1461 if (cnp->cn_nameptr[0] == '\0') {
1462 /*
1463 * Support only LOOKUP for "/" because lookup()
1464 * can't succeed for CREATE, DELETE and RENAME.
1465 */
1466 KASSERT(cnp->cn_nameiop == LOOKUP, ("nameiop must be LOOKUP"));
1467 KASSERT(dp->v_type == VDIR, ("dp is not a directory"));
1468
1469 if (!(cnp->cn_flags & LOCKLEAF))
1470 VOP_UNLOCK(dp);
1471 *vpp = dp;
1472 /* XXX This should probably move to the top of function. */
1473 if (refstart)
1474 panic("lookup: SAVESTART");
1475 return (0);
1476 }
1477
1478 if (cnp->cn_flags & ISDOTDOT)
1479 panic ("relookup: lookup on dot-dot");
1480
1481 /*
1482 * We now have a segment name to search for, and a directory to search.
1483 */
1484 #ifdef NAMEI_DIAGNOSTIC
1485 vn_printf(dp, "search in ");
1486 #endif
1487 if ((error = VOP_LOOKUP(dp, vpp, cnp)) != 0) {
1488 KASSERT(*vpp == NULL, ("leaf should be empty"));
1489 if (error != EJUSTRETURN)
1490 goto bad;
1491 /*
1492 * If creating and at end of pathname, then can consider
1493 * allowing file to be created.
1494 */
1495 if (rdonly) {
1496 error = EROFS;
1497 goto bad;
1498 }
1499 /* ASSERT(dvp == ndp->ni_startdir) */
1500 if (refstart)
1501 VREF(dvp);
1502 if ((cnp->cn_flags & LOCKPARENT) == 0)
1503 VOP_UNLOCK(dp);
1504 /*
1505 * We return with ni_vp NULL to indicate that the entry
1506 * doesn't currently exist, leaving a pointer to the
1507 * (possibly locked) directory vnode in ndp->ni_dvp.
1508 */
1509 return (0);
1510 }
1511
1512 dp = *vpp;
1513
1514 /*
1515 * Disallow directory write attempts on read-only filesystems.
1516 */
1517 if (rdonly &&
1518 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
1519 if (dvp == dp)
1520 vrele(dvp);
1521 else
1522 vput(dvp);
1523 error = EROFS;
1524 goto bad;
1525 }
1526 /*
1527 * Set the parent lock/ref state to the requested state.
1528 */
1529 if ((cnp->cn_flags & LOCKPARENT) == 0 && dvp != dp)
1530 VOP_UNLOCK(dvp);
1531 /*
1532 * Check for symbolic link
1533 */
1534 KASSERT(dp->v_type != VLNK || !(cnp->cn_flags & FOLLOW),
1535 ("relookup: symlink found.\n"));
1536
1537 /* ASSERT(dvp == ndp->ni_startdir) */
1538 if (refstart)
1539 VREF(dvp);
1540
1541 if ((cnp->cn_flags & LOCKLEAF) == 0)
1542 VOP_UNLOCK(dp);
1543 return (0);
1544 bad:
1545 vput(dp);
1546 *vpp = NULL;
1547 return (error);
1548 }
1549
1550 #ifdef INVARIANTS
1551 /*
1552 * Validate the final state of ndp after the lookup.
1553 */
1554 static void
1555 NDVALIDATE_impl(struct nameidata *ndp, int line)
1556 {
1557 struct componentname *cnp;
1558
1559 cnp = &ndp->ni_cnd;
1560 if (cnp->cn_pnbuf == NULL)
1561 panic("%s: got no buf! called from %d", __func__, line);
1562 }
1563
1564 #endif
1565
1566 /*
1567 * Determine if there is a suitable alternate filename under the specified
1568 * prefix for the specified path. If the create flag is set, then the
1569 * alternate prefix will be used so long as the parent directory exists.
1570 * This is used by the various compatibility ABIs so that Linux binaries prefer
1571 * files under /compat/linux for example. The chosen path (whether under
1572 * the prefix or under /) is returned in a kernel malloc'd buffer pointed
1573 * to by pathbuf. The caller is responsible for free'ing the buffer from
1574 * the M_TEMP bucket if one is returned.
1575 */
1576 int
1577 kern_alternate_path(const char *prefix, const char *path, enum uio_seg pathseg,
1578 char **pathbuf, int create, int dirfd)
1579 {
1580 struct nameidata nd, ndroot;
1581 char *ptr, *buf, *cp;
1582 size_t len, sz;
1583 int error;
1584
1585 buf = (char *) malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
1586 *pathbuf = buf;
1587
1588 /* Copy the prefix into the new pathname as a starting point. */
1589 len = strlcpy(buf, prefix, MAXPATHLEN);
1590 if (len >= MAXPATHLEN) {
1591 *pathbuf = NULL;
1592 free(buf, M_TEMP);
1593 return (EINVAL);
1594 }
1595 sz = MAXPATHLEN - len;
1596 ptr = buf + len;
1597
1598 /* Append the filename to the prefix. */
1599 if (pathseg == UIO_SYSSPACE)
1600 error = copystr(path, ptr, sz, &len);
1601 else
1602 error = copyinstr(path, ptr, sz, &len);
1603
1604 if (error) {
1605 *pathbuf = NULL;
1606 free(buf, M_TEMP);
1607 return (error);
1608 }
1609
1610 /* Only use a prefix with absolute pathnames. */
1611 if (*ptr != '/') {
1612 error = EINVAL;
1613 goto keeporig;
1614 }
1615
1616 if (dirfd != AT_FDCWD) {
1617 /*
1618 * We want the original because the "prefix" is
1619 * included in the already opened dirfd.
1620 */
1621 bcopy(ptr, buf, len);
1622 return (0);
1623 }
1624
1625 /*
1626 * We know that there is a / somewhere in this pathname.
1627 * Search backwards for it, to find the file's parent dir
1628 * to see if it exists in the alternate tree. If it does,
1629 * and we want to create a file (cflag is set). We don't
1630 * need to worry about the root comparison in this case.
1631 */
1632
1633 if (create) {
1634 for (cp = &ptr[len] - 1; *cp != '/'; cp--);
1635 *cp = '\0';
1636
1637 NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, buf);
1638 error = namei(&nd);
1639 *cp = '/';
1640 if (error != 0)
1641 goto keeporig;
1642 } else {
1643 NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, buf);
1644
1645 error = namei(&nd);
1646 if (error != 0)
1647 goto keeporig;
1648
1649 /*
1650 * We now compare the vnode of the prefix to the one
1651 * vnode asked. If they resolve to be the same, then we
1652 * ignore the match so that the real root gets used.
1653 * This avoids the problem of traversing "../.." to find the
1654 * root directory and never finding it, because "/" resolves
1655 * to the emulation root directory. This is expensive :-(
1656 */
1657 NDINIT(&ndroot, LOOKUP, FOLLOW, UIO_SYSSPACE, prefix);
1658
1659 /* We shouldn't ever get an error from this namei(). */
1660 error = namei(&ndroot);
1661 if (error == 0) {
1662 if (nd.ni_vp == ndroot.ni_vp)
1663 error = ENOENT;
1664
1665 NDFREE_PNBUF(&ndroot);
1666 vrele(ndroot.ni_vp);
1667 }
1668 }
1669
1670 NDFREE_PNBUF(&nd);
1671 vrele(nd.ni_vp);
1672
1673 keeporig:
1674 /* If there was an error, use the original path name. */
1675 if (error)
1676 bcopy(ptr, buf, len);
1677 return (error);
1678 }
Cache object: 887621b47f9dca7e0b7bb6666a014d2c
|