2 * SPDX-License-Identifier: BSD-3-Clause
4 * Copyright (c) 1982, 1986, 1989, 1993
5 * The Regents of the University of California. All rights reserved.
6 * (c) UNIX System Laboratories, Inc.
7 * All or some portions of this file are derived from material licensed
8 * to the University of California by American Telephone and Telegraph
9 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
10 * the permission of UNIX System Laboratories, Inc.
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 * 3. Neither the name of the University nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
24 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * @(#)vfs_lookup.c 8.4 (Berkeley) 2/16/94
39 #include <sys/cdefs.h>
40 __FBSDID("$FreeBSD$");
42 #include "opt_capsicum.h"
43 #include "opt_ktrace.h"
45 #include <sys/param.h>
46 #include <sys/systm.h>
47 #include <sys/kernel.h>
48 #include <sys/capsicum.h>
49 #include <sys/fcntl.h>
52 #include <sys/mutex.h>
53 #include <sys/namei.h>
54 #include <sys/vnode.h>
55 #include <sys/mount.h>
56 #include <sys/filedesc.h>
59 #include <sys/syscallsubr.h>
60 #include <sys/sysctl.h>
62 #include <sys/ktrace.h>
65 #include <machine/_inttypes.h>
68 #include <security/audit/audit.h>
69 #include <security/mac/mac_framework.h>
73 #define NAMEI_DIAGNOSTIC 1
74 #undef NAMEI_DIAGNOSTIC
76 SDT_PROVIDER_DEFINE(vfs);
77 SDT_PROBE_DEFINE4(vfs, namei, lookup, entry, "struct vnode *", "char *",
78 "unsigned long", "bool");
79 SDT_PROBE_DEFINE4(vfs, namei, lookup, return, "int", "struct vnode *", "bool",
82 /* Allocation zone for namei. */
83 uma_zone_t namei_zone;
85 /* Placeholder vnode for mp traversal. */
86 static struct vnode *vp_crossmp;
89 crossmp_vop_islocked(struct vop_islocked_args *ap)
96 crossmp_vop_lock1(struct vop_lock1_args *ap)
99 struct lock *lk __unused;
100 const char *file __unused;
101 int flags, line __unused;
109 if ((flags & LK_SHARED) == 0)
110 panic("invalid lock request for crossmp");
112 WITNESS_CHECKORDER(&lk->lock_object, LOP_NEWORDER, file, line,
113 flags & LK_INTERLOCK ? &VI_MTX(vp)->lock_object : NULL);
114 WITNESS_LOCK(&lk->lock_object, 0, file, line);
115 if ((flags & LK_INTERLOCK) != 0)
117 LOCK_LOG_LOCK("SLOCK", &lk->lock_object, 0, 0, ap->a_file, line);
122 crossmp_vop_unlock(struct vop_unlock_args *ap)
125 struct lock *lk __unused;
130 WITNESS_UNLOCK(&lk->lock_object, 0, LOCK_FILE, LOCK_LINE);
131 LOCK_LOG_LOCK("SUNLOCK", &lk->lock_object, 0, 0, LOCK_FILE,
136 static struct vop_vector crossmp_vnodeops = {
137 .vop_default = &default_vnodeops,
138 .vop_islocked = crossmp_vop_islocked,
139 .vop_lock1 = crossmp_vop_lock1,
140 .vop_unlock = crossmp_vop_unlock,
143 * VFS_VOP_VECTOR_REGISTER(crossmp_vnodeops) is not used here since the vnode
144 * gets allocated early. See nameiinit for the direct call below.
147 struct nameicap_tracker {
149 TAILQ_ENTRY(nameicap_tracker) nm_link;
152 /* Zone for cap mode tracker elements used for dotdot capability checks. */
153 MALLOC_DEFINE(M_NAMEITRACKER, "namei_tracker", "namei tracking for dotdot");
156 nameiinit(void *dummy __unused)
159 namei_zone = uma_zcreate("NAMEI", MAXPATHLEN, NULL, NULL, NULL, NULL,
161 vfs_vector_op_register(&crossmp_vnodeops);
162 getnewvnode("crossmp", NULL, &crossmp_vnodeops, &vp_crossmp);
164 SYSINIT(vfs, SI_SUB_VFS, SI_ORDER_SECOND, nameiinit, NULL);
166 static int lookup_cap_dotdot = 1;
167 SYSCTL_INT(_vfs, OID_AUTO, lookup_cap_dotdot, CTLFLAG_RWTUN,
168 &lookup_cap_dotdot, 0,
169 "enables \"..\" components in path lookup in capability mode");
170 static int lookup_cap_dotdot_nonlocal = 1;
171 SYSCTL_INT(_vfs, OID_AUTO, lookup_cap_dotdot_nonlocal, CTLFLAG_RWTUN,
172 &lookup_cap_dotdot_nonlocal, 0,
173 "enables \"..\" components in path lookup in capability mode "
174 "on non-local mount");
177 nameicap_tracker_add(struct nameidata *ndp, struct vnode *dp)
179 struct nameicap_tracker *nt;
180 struct componentname *cnp;
182 if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0 || dp->v_type != VDIR)
185 nt = TAILQ_LAST(&ndp->ni_cap_tracker, nameicap_tracker_head);
186 if (nt != NULL && nt->dp == dp)
188 nt = malloc(sizeof(*nt), M_NAMEITRACKER, M_WAITOK);
191 TAILQ_INSERT_TAIL(&ndp->ni_cap_tracker, nt, nm_link);
195 nameicap_cleanup_from(struct nameidata *ndp, struct nameicap_tracker *first)
197 struct nameicap_tracker *nt, *nt1;
200 TAILQ_FOREACH_FROM_SAFE(nt, &ndp->ni_cap_tracker, nm_link, nt1) {
201 TAILQ_REMOVE(&ndp->ni_cap_tracker, nt, nm_link);
203 free(nt, M_NAMEITRACKER);
208 nameicap_cleanup(struct nameidata *ndp)
210 KASSERT(TAILQ_EMPTY(&ndp->ni_cap_tracker) ||
211 (ndp->ni_lcf & NI_LCF_CAP_DOTDOT) != 0, ("not strictrelative"));
212 nameicap_cleanup_from(ndp, NULL);
216 * For dotdot lookups in capability mode, only allow the component
217 * lookup to succeed if the resulting directory was already traversed
218 * during the operation. This catches situations where already
219 * traversed directory is moved to different parent, and then we walk
220 * over it with dotdots.
222 * Also allow to force failure of dotdot lookups for non-local
223 * filesystems, where external agents might assist local lookups to
224 * escape the compartment.
227 nameicap_check_dotdot(struct nameidata *ndp, struct vnode *dp)
229 struct nameicap_tracker *nt;
232 if (dp == NULL || dp->v_type != VDIR || (ndp->ni_lcf &
233 NI_LCF_STRICTRELATIVE) == 0)
235 if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0)
236 return (ENOTCAPABLE);
238 if (lookup_cap_dotdot_nonlocal == 0 && mp != NULL &&
239 (mp->mnt_flag & MNT_LOCAL) == 0)
240 return (ENOTCAPABLE);
241 TAILQ_FOREACH_REVERSE(nt, &ndp->ni_cap_tracker, nameicap_tracker_head,
246 return (ENOTCAPABLE);
250 namei_cleanup_cnp(struct componentname *cnp)
253 uma_zfree(namei_zone, cnp->cn_pnbuf);
255 cnp->cn_pnbuf = NULL;
256 cnp->cn_nameptr = NULL;
261 namei_handle_root(struct nameidata *ndp, struct vnode **dpp)
263 struct componentname *cnp;
266 if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0) {
268 if (KTRPOINT(curthread, KTR_CAPFAIL))
269 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
271 return (ENOTCAPABLE);
273 while (*(cnp->cn_nameptr) == '/') {
277 *dpp = ndp->ni_rootdir;
283 namei_setup(struct nameidata *ndp, struct vnode **dpp, struct pwd **pwdp)
285 struct componentname *cnp;
296 startdir_used = false;
300 #ifdef CAPABILITY_MODE
302 * In capability mode, lookups must be restricted to happen in
303 * the subtree with the root specified by the file descriptor:
304 * - The root must be real file descriptor, not the pseudo-descriptor
306 * - The passed path must be relative and not absolute.
307 * - If lookup_cap_dotdot is disabled, path must not contain the
309 * - If lookup_cap_dotdot is enabled, we verify that all '..'
310 * components lookups result in the directories which were
311 * previously walked by us, which prevents an escape from
314 if (IN_CAPABILITY_MODE(td) && (cnp->cn_flags & NOCAPCHECK) == 0) {
315 ndp->ni_lcf |= NI_LCF_STRICTRELATIVE;
316 ndp->ni_resflags |= NIRES_STRICTREL;
317 if (ndp->ni_dirfd == AT_FDCWD) {
319 if (KTRPOINT(td, KTR_CAPFAIL))
320 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
329 * Get starting point for the translation.
333 * The reference on ni_rootdir is acquired in the block below to avoid
334 * back-to-back atomics for absolute lookups.
336 ndp->ni_rootdir = pwd->pwd_rdir;
337 ndp->ni_topdir = pwd->pwd_jdir;
339 if (cnp->cn_pnbuf[0] == '/') {
340 ndp->ni_resflags |= NIRES_ABS;
341 error = namei_handle_root(ndp, dpp);
343 if (ndp->ni_startdir != NULL) {
344 *dpp = ndp->ni_startdir;
345 startdir_used = true;
346 } else if (ndp->ni_dirfd == AT_FDCWD) {
347 *dpp = pwd->pwd_cdir;
350 rights = *ndp->ni_rightsneeded;
351 cap_rights_set_one(&rights, CAP_LOOKUP);
353 if (cnp->cn_flags & AUDITVNODE1)
354 AUDIT_ARG_ATFD1(ndp->ni_dirfd);
355 if (cnp->cn_flags & AUDITVNODE2)
356 AUDIT_ARG_ATFD2(ndp->ni_dirfd);
358 * Effectively inlined fgetvp_rights, because we need to
359 * inspect the file as well as grabbing the vnode.
361 error = fget_cap(td, ndp->ni_dirfd, &rights,
362 &dfp, &ndp->ni_filecaps);
365 * Preserve the error; it should either be EBADF
366 * or capability-related, both of which can be
367 * safely returned to the caller.
370 if (dfp->f_ops == &badfileops) {
372 } else if (dfp->f_vnode == NULL) {
378 if ((dfp->f_flag & FSEARCH) != 0)
379 cnp->cn_flags |= NOEXECCHECK;
385 * If file descriptor doesn't have all rights,
386 * all lookups relative to it must also be
390 if (!cap_rights_contains(&ndp->ni_filecaps.fc_rights,
392 ndp->ni_filecaps.fc_fcntls != CAP_FCNTL_ALL ||
393 ndp->ni_filecaps.fc_nioctls != -1) {
394 ndp->ni_lcf |= NI_LCF_STRICTRELATIVE;
395 ndp->ni_resflags |= NIRES_STRICTREL;
399 if (error == 0 && (*dpp)->v_type != VDIR)
402 if (error == 0 && (cnp->cn_flags & RBENEATH) != 0) {
403 if (cnp->cn_pnbuf[0] == '/') {
405 } else if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) == 0) {
406 ndp->ni_lcf |= NI_LCF_STRICTRELATIVE |
412 * If we are auditing the kernel pathname, save the user pathname.
414 if (cnp->cn_flags & AUDITVNODE1)
415 AUDIT_ARG_UPATH1_VP(td, ndp->ni_rootdir, *dpp, cnp->cn_pnbuf);
416 if (cnp->cn_flags & AUDITVNODE2)
417 AUDIT_ARG_UPATH2_VP(td, ndp->ni_rootdir, *dpp, cnp->cn_pnbuf);
418 if (ndp->ni_startdir != NULL && !startdir_used)
419 vrele(ndp->ni_startdir);
426 if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0 &&
427 lookup_cap_dotdot != 0)
428 ndp->ni_lcf |= NI_LCF_CAP_DOTDOT;
429 SDT_PROBE4(vfs, namei, lookup, entry, *dpp, cnp->cn_pnbuf,
430 cnp->cn_flags, false);
436 namei_getpath(struct nameidata *ndp)
438 struct componentname *cnp;
444 * Get a buffer for the name to be translated, and copy the
445 * name into the buffer.
447 cnp->cn_pnbuf = uma_zalloc(namei_zone, M_WAITOK);
448 if (ndp->ni_segflg == UIO_SYSSPACE) {
449 error = copystr(ndp->ni_dirp, cnp->cn_pnbuf, MAXPATHLEN,
452 error = copyinstr(ndp->ni_dirp, cnp->cn_pnbuf, MAXPATHLEN,
456 if (__predict_false(error != 0)) {
457 namei_cleanup_cnp(cnp);
462 * Don't allow empty pathnames.
464 if (__predict_false(*cnp->cn_pnbuf == '\0')) {
465 namei_cleanup_cnp(cnp);
469 cnp->cn_nameptr = cnp->cn_pnbuf;
474 * Convert a pathname into a pointer to a locked vnode.
476 * The FOLLOW flag is set when symbolic links are to be followed
477 * when they occur at the end of the name translation process.
478 * Symbolic links are always followed for all other pathname
479 * components other than the last.
481 * The segflg defines whether the name is to be copied from user
482 * space or kernel space.
484 * Overall outline of namei:
487 * get starting directory
488 * while (!done && !error) {
489 * call lookup to search path.
490 * if symbolic link, massage name in buffer and continue
494 namei(struct nameidata *ndp)
496 char *cp; /* pointer into pathname argument */
497 struct vnode *dp; /* the directory we are searching */
498 struct iovec aiov; /* uio for reading symbolic links */
499 struct componentname *cnp;
504 enum cache_fpl_status status;
509 KASSERT((ndp->ni_debugflags & NAMEI_DBG_CALLED) == 0,
510 ("%s: repeated call to namei without NDREINIT", __func__));
511 KASSERT(ndp->ni_debugflags == NAMEI_DBG_INITED,
512 ("%s: bad debugflags %d", __func__, ndp->ni_debugflags));
513 ndp->ni_debugflags |= NAMEI_DBG_CALLED;
514 if (ndp->ni_startdir != NULL)
515 ndp->ni_debugflags |= NAMEI_DBG_HADSTARTDIR;
516 if (cnp->cn_flags & FAILIFEXISTS) {
517 KASSERT(cnp->cn_nameiop == CREATE,
518 ("%s: FAILIFEXISTS passed for op %d", __func__, cnp->cn_nameiop));
520 * The limitation below is to restrict hairy corner cases.
522 KASSERT((cnp->cn_flags & (LOCKPARENT | LOCKLEAF)) == LOCKPARENT,
523 ("%s: FAILIFEXISTS must be passed with LOCKPARENT and without LOCKLEAF",
529 * While NDINIT may seem like a more natural place to do it, there are
530 * callers which directly modify flags past invoking init.
532 cnp->cn_origflags = cnp->cn_flags;
534 ndp->ni_cnd.cn_cred = ndp->ni_cnd.cn_thread->td_ucred;
535 KASSERT(ndp->ni_resflags == 0, ("%s: garbage in ni_resflags: %x\n",
536 __func__, ndp->ni_resflags));
537 KASSERT(cnp->cn_cred && td->td_proc, ("namei: bad cred/proc"));
538 KASSERT((cnp->cn_flags & NAMEI_INTERNAL_FLAGS) == 0,
539 ("namei: unexpected flags: %" PRIx64 "\n",
540 cnp->cn_flags & NAMEI_INTERNAL_FLAGS));
541 if (cnp->cn_flags & NOCACHE)
542 KASSERT(cnp->cn_nameiop != LOOKUP,
543 ("%s: NOCACHE passed with LOOKUP", __func__));
544 MPASS(ndp->ni_startdir == NULL || ndp->ni_startdir->v_type == VDIR ||
545 ndp->ni_startdir->v_type == VBAD);
551 error = namei_getpath(ndp);
552 if (__predict_false(error != 0)) {
557 if (KTRPOINT(td, KTR_NAMEI)) {
558 KASSERT(cnp->cn_thread == curthread,
559 ("namei not using curthread"));
560 ktrnamei(cnp->cn_pnbuf);
565 * First try looking up the target without locking any vnodes.
567 * We may need to start from scratch or pick up where it left off.
569 error = cache_fplookup(ndp, &status, &pwd);
571 case CACHE_FPL_STATUS_UNSET:
572 __assert_unreachable();
574 case CACHE_FPL_STATUS_HANDLED:
578 case CACHE_FPL_STATUS_PARTIAL:
579 TAILQ_INIT(&ndp->ni_cap_tracker);
580 dp = ndp->ni_startdir;
582 case CACHE_FPL_STATUS_DESTROYED:
584 error = namei_getpath(ndp);
585 if (__predict_false(error != 0)) {
589 case CACHE_FPL_STATUS_ABORTED:
590 TAILQ_INIT(&ndp->ni_cap_tracker);
591 MPASS(ndp->ni_lcf == 0);
592 error = namei_setup(ndp, &dp, &pwd);
594 namei_cleanup_cnp(cnp);
604 ndp->ni_startdir = dp;
610 * If not a symbolic link, we're done.
612 if ((cnp->cn_flags & ISSYMLINK) == 0) {
613 SDT_PROBE4(vfs, namei, lookup, return, error,
614 (error == 0 ? ndp->ni_vp : NULL), false, ndp);
615 if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) {
616 namei_cleanup_cnp(cnp);
618 cnp->cn_flags |= HASBUF;
619 nameicap_cleanup(ndp);
625 if (ndp->ni_loopcnt++ >= MAXSYMLINKS) {
630 if ((cnp->cn_flags & NOMACCHECK) == 0) {
631 error = mac_vnode_check_readlink(td->td_ucred,
637 if (ndp->ni_pathlen > 1)
638 cp = uma_zalloc(namei_zone, M_WAITOK);
642 aiov.iov_len = MAXPATHLEN;
643 auio.uio_iov = &aiov;
646 auio.uio_rw = UIO_READ;
647 auio.uio_segflg = UIO_SYSSPACE;
649 auio.uio_resid = MAXPATHLEN;
650 error = VOP_READLINK(ndp->ni_vp, &auio, cnp->cn_cred);
652 if (ndp->ni_pathlen > 1)
653 uma_zfree(namei_zone, cp);
656 linklen = MAXPATHLEN - auio.uio_resid;
658 if (ndp->ni_pathlen > 1)
659 uma_zfree(namei_zone, cp);
663 if (linklen + ndp->ni_pathlen > MAXPATHLEN) {
664 if (ndp->ni_pathlen > 1)
665 uma_zfree(namei_zone, cp);
666 error = ENAMETOOLONG;
669 if (ndp->ni_pathlen > 1) {
670 bcopy(ndp->ni_next, cp + linklen, ndp->ni_pathlen);
671 uma_zfree(namei_zone, cnp->cn_pnbuf);
674 cnp->cn_pnbuf[linklen] = '\0';
675 ndp->ni_pathlen += linklen;
679 * Check if root directory should replace current directory.
681 cnp->cn_nameptr = cnp->cn_pnbuf;
682 if (*(cnp->cn_nameptr) == '/') {
684 error = namei_handle_root(ndp, &dp);
694 SDT_PROBE4(vfs, namei, lookup, return, error, NULL, false, ndp);
695 namei_cleanup_cnp(cnp);
696 nameicap_cleanup(ndp);
702 compute_cn_lkflags(struct mount *mp, int lkflags, int cnflags)
705 if (mp == NULL || ((lkflags & LK_SHARED) &&
706 (!(mp->mnt_kern_flag & MNTK_LOOKUP_SHARED) ||
707 ((cnflags & ISDOTDOT) &&
708 (mp->mnt_kern_flag & MNTK_LOOKUP_EXCL_DOTDOT))))) {
709 lkflags &= ~LK_SHARED;
710 lkflags |= LK_EXCLUSIVE;
712 lkflags |= LK_NODDLKTREAT;
717 needs_exclusive_leaf(struct mount *mp, int flags)
721 * Intermediate nodes can use shared locks, we only need to
722 * force an exclusive lock for leaf nodes.
724 if ((flags & (ISLASTCN | LOCKLEAF)) != (ISLASTCN | LOCKLEAF))
727 /* Always use exclusive locks if LOCKSHARED isn't set. */
728 if (!(flags & LOCKSHARED))
732 * For lookups during open(), if the mount point supports
733 * extended shared operations, then use a shared lock for the
734 * leaf node, otherwise use an exclusive lock.
736 if ((flags & ISOPEN) != 0)
737 return (!MNT_EXTENDED_SHARED(mp));
740 * Lookup requests outside of open() that specify LOCKSHARED
741 * only need a shared lock on the leaf vnode.
748 * This is a very central and rather complicated routine.
750 * The pathname is pointed to by ni_ptr and is of length ni_pathlen.
751 * The starting directory is taken from ni_startdir. The pathname is
752 * descended until done, or a symbolic link is encountered. The variable
753 * ni_more is clear if the path is completed; it is set to one if a
754 * symbolic link needing interpretation is encountered.
756 * The flag argument is LOOKUP, CREATE, RENAME, or DELETE depending on
757 * whether the name is to be looked up, created, renamed, or deleted.
758 * When CREATE, RENAME, or DELETE is specified, information usable in
759 * creating, renaming, or deleting a directory entry may be calculated.
760 * If flag has LOCKPARENT or'ed into it, the parent directory is returned
761 * locked. If flag has WANTPARENT or'ed into it, the parent directory is
762 * returned unlocked. Otherwise the parent directory is not returned. If
763 * the target of the pathname exists and LOCKLEAF is or'ed into the flag
764 * the target is returned locked, otherwise it is returned unlocked.
765 * When creating or renaming and LOCKPARENT is specified, the target may not
766 * be ".". When deleting and LOCKPARENT is specified, the target may be ".".
768 * Overall outline of lookup:
771 * identify next component of name at ndp->ni_ptr
772 * handle degenerate case where name is null string
773 * if .. and crossing mount points and on mounted filesys, find parent
774 * call VOP_LOOKUP routine for next component name
775 * directory vnode returned in ni_dvp, unlocked unless LOCKPARENT set
776 * component vnode returned in ni_vp (if it exists), locked.
777 * if result vnode is mounted on and crossing mount points,
778 * find mounted on vnode
779 * if more components of name, do next level at dirloop
780 * return the answer in ni_vp, locked if LOCKLEAF set
781 * if LOCKPARENT set, return locked parent in ni_dvp
782 * if WANTPARENT set, return unlocked parent in ni_dvp
785 lookup(struct nameidata *ndp)
787 char *cp; /* pointer into pathname argument */
788 char *prev_ni_next; /* saved ndp->ni_next */
789 struct vnode *dp = NULL; /* the directory we are searching */
790 struct vnode *tdp; /* saved dp */
791 struct mount *mp; /* mount table entry */
793 size_t prev_ni_pathlen; /* saved ndp->ni_pathlen */
794 int docache; /* == 0 do not cache last component */
795 int wantparent; /* 1 => wantparent or lockparent flag */
796 int rdonly; /* lookup read-only flag bit */
798 int dpunlocked = 0; /* dp has already been unlocked */
799 int relookup = 0; /* do not consume the path component */
800 struct componentname *cnp = &ndp->ni_cnd;
805 * Setup: break out flag bits into variables.
808 wantparent = cnp->cn_flags & (LOCKPARENT | WANTPARENT);
809 KASSERT(cnp->cn_nameiop == LOOKUP || wantparent,
810 ("CREATE, DELETE, RENAME require LOCKPARENT or WANTPARENT."));
812 * When set to zero, docache causes the last component of the
813 * pathname to be deleted from the cache and the full lookup
814 * of the name to be done (via VOP_CACHEDLOOKUP()). Often
815 * filesystems need some pre-computed values that are made
816 * during the full lookup, for instance UFS sets dp->i_offset.
818 * The docache variable is set to zero when requested by the
819 * NOCACHE flag and for all modifying operations except CREATE.
821 docache = (cnp->cn_flags & NOCACHE) ^ NOCACHE;
822 if (cnp->cn_nameiop == DELETE ||
823 (wantparent && cnp->cn_nameiop != CREATE &&
824 cnp->cn_nameiop != LOOKUP))
826 rdonly = cnp->cn_flags & RDONLY;
827 cnp->cn_flags &= ~ISSYMLINK;
830 * We use shared locks until we hit the parent of the last cn then
831 * we adjust based on the requesting flags.
833 cnp->cn_lkflags = LK_SHARED;
834 dp = ndp->ni_startdir;
835 ndp->ni_startdir = NULLVP;
837 compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags | LK_RETRY,
842 * Search a new directory.
844 * The last component of the filename is left accessible via
845 * cnp->cn_nameptr for callers that need the name. Callers needing
846 * the name set the SAVENAME flag. When done, they assume
847 * responsibility for freeing the pathname buffer.
849 for (cp = cnp->cn_nameptr; *cp != 0 && *cp != '/'; cp++)
851 cnp->cn_namelen = cp - cnp->cn_nameptr;
852 if (cnp->cn_namelen > NAME_MAX) {
853 error = ENAMETOOLONG;
856 #ifdef NAMEI_DIAGNOSTIC
859 printf("{%s}: ", cnp->cn_nameptr);
862 prev_ni_pathlen = ndp->ni_pathlen;
863 ndp->ni_pathlen -= cnp->cn_namelen;
864 KASSERT(ndp->ni_pathlen <= PATH_MAX,
865 ("%s: ni_pathlen underflow to %zd\n", __func__, ndp->ni_pathlen));
866 prev_ni_next = ndp->ni_next;
870 * Replace multiple slashes by a single slash and trailing slashes
871 * by a null. This must be done before VOP_LOOKUP() because some
872 * fs's don't know about trailing slashes. Remember if there were
873 * trailing slashes to handle symlinks, existing non-directories
874 * and non-existing files that won't be directories specially later.
876 while (*cp == '/' && (cp[1] == '/' || cp[1] == '\0')) {
880 *ndp->ni_next = '\0';
881 cnp->cn_flags |= TRAILINGSLASH;
886 cnp->cn_flags |= MAKEENTRY;
887 if (*cp == '\0' && docache == 0)
888 cnp->cn_flags &= ~MAKEENTRY;
889 if (cnp->cn_namelen == 2 &&
890 cnp->cn_nameptr[1] == '.' && cnp->cn_nameptr[0] == '.')
891 cnp->cn_flags |= ISDOTDOT;
893 cnp->cn_flags &= ~ISDOTDOT;
894 if (*ndp->ni_next == 0)
895 cnp->cn_flags |= ISLASTCN;
897 cnp->cn_flags &= ~ISLASTCN;
899 if ((cnp->cn_flags & ISLASTCN) != 0 &&
900 cnp->cn_namelen == 1 && cnp->cn_nameptr[0] == '.' &&
901 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
906 nameicap_tracker_add(ndp, dp);
909 * Check for degenerate name (e.g. / or "")
910 * which is a way of talking about a directory,
911 * e.g. like "/." or ".".
913 if (cnp->cn_nameptr[0] == '\0') {
914 if (dp->v_type != VDIR) {
918 if (cnp->cn_nameiop != LOOKUP) {
928 if (cnp->cn_flags & AUDITVNODE1)
929 AUDIT_ARG_VNODE1(dp);
930 else if (cnp->cn_flags & AUDITVNODE2)
931 AUDIT_ARG_VNODE2(dp);
933 if (!(cnp->cn_flags & (LOCKPARENT | LOCKLEAF)))
935 /* XXX This should probably move to the top of function. */
936 if (cnp->cn_flags & SAVESTART)
937 panic("lookup: SAVESTART");
942 * Handle "..": five special cases.
943 * 0. If doing a capability lookup and lookup_cap_dotdot is
944 * disabled, return ENOTCAPABLE.
945 * 1. Return an error if this is the last component of
946 * the name and the operation is DELETE or RENAME.
947 * 2. If at root directory (e.g. after chroot)
948 * or at absolute root directory
949 * then ignore it so can't get out.
950 * 3. If this vnode is the root of a mounted
951 * filesystem, then replace it with the
952 * vnode which was mounted on so we take the
953 * .. in the other filesystem.
954 * 4. If the vnode is the top directory of
955 * the jail or chroot, don't let them out.
956 * 5. If doing a capability lookup and lookup_cap_dotdot is
957 * enabled, return ENOTCAPABLE if the lookup would escape
958 * from the initial file descriptor directory. Checks are
959 * done by ensuring that namei() already traversed the
960 * result of dotdot lookup.
962 if (cnp->cn_flags & ISDOTDOT) {
963 if ((ndp->ni_lcf & (NI_LCF_STRICTRELATIVE | NI_LCF_CAP_DOTDOT))
964 == NI_LCF_STRICTRELATIVE) {
966 if (KTRPOINT(curthread, KTR_CAPFAIL))
967 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
972 if ((cnp->cn_flags & ISLASTCN) != 0 &&
973 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
978 for (pr = cnp->cn_cred->cr_prison; pr != NULL;
980 if (dp == pr->pr_root)
982 if (dp == ndp->ni_rootdir ||
983 dp == ndp->ni_topdir ||
986 ((dp->v_vflag & VV_ROOT) != 0 &&
987 (cnp->cn_flags & NOCROSSMOUNT) != 0)) {
993 if ((dp->v_vflag & VV_ROOT) == 0)
995 if (VN_IS_DOOMED(dp)) { /* forced unmount */
1000 dp = dp->v_mount->mnt_vnodecovered;
1004 compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags |
1005 LK_RETRY, ISDOTDOT));
1006 error = nameicap_check_dotdot(ndp, dp);
1009 if (KTRPOINT(curthread, KTR_CAPFAIL))
1010 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
1018 * We now have a segment name to search for, and a directory to search.
1022 error = mac_vnode_check_lookup(cnp->cn_thread->td_ucred, dp, cnp);
1028 ASSERT_VOP_LOCKED(dp, "lookup");
1030 * If we have a shared lock we may need to upgrade the lock for the
1033 if ((cnp->cn_flags & LOCKPARENT) && (cnp->cn_flags & ISLASTCN) &&
1034 dp != vp_crossmp && VOP_ISLOCKED(dp) == LK_SHARED)
1035 vn_lock(dp, LK_UPGRADE|LK_RETRY);
1036 if (VN_IS_DOOMED(dp)) {
1041 * If we're looking up the last component and we need an exclusive
1042 * lock, adjust our lkflags.
1044 if (needs_exclusive_leaf(dp->v_mount, cnp->cn_flags))
1045 cnp->cn_lkflags = LK_EXCLUSIVE;
1046 #ifdef NAMEI_DIAGNOSTIC
1047 vn_printf(dp, "lookup in ");
1049 lkflags_save = cnp->cn_lkflags;
1050 cnp->cn_lkflags = compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags,
1052 error = VOP_LOOKUP(dp, &ndp->ni_vp, cnp);
1053 cnp->cn_lkflags = lkflags_save;
1055 KASSERT(ndp->ni_vp == NULL, ("leaf should be empty"));
1056 #ifdef NAMEI_DIAGNOSTIC
1057 printf("not found\n");
1059 if ((error == ENOENT) &&
1060 (dp->v_vflag & VV_ROOT) && (dp->v_mount != NULL) &&
1061 (dp->v_mount->mnt_flag & MNT_UNION)) {
1063 dp = dp->v_mount->mnt_vnodecovered;
1067 compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags |
1068 LK_RETRY, cnp->cn_flags));
1069 nameicap_tracker_add(ndp, dp);
1073 if (error == ERELOOKUP) {
1081 if (error != EJUSTRETURN)
1084 * At this point, we know we're at the end of the
1085 * pathname. If creating / renaming, we can consider
1086 * allowing the file or directory to be created / renamed,
1087 * provided we're not on a read-only filesystem.
1093 /* trailing slash only allowed for directories */
1094 if ((cnp->cn_flags & TRAILINGSLASH) &&
1095 !(cnp->cn_flags & WILLBEDIR)) {
1099 if ((cnp->cn_flags & LOCKPARENT) == 0)
1102 * We return with ni_vp NULL to indicate that the entry
1103 * doesn't currently exist, leaving a pointer to the
1104 * (possibly locked) directory vnode in ndp->ni_dvp.
1106 if (cnp->cn_flags & SAVESTART) {
1107 ndp->ni_startdir = ndp->ni_dvp;
1108 VREF(ndp->ni_startdir);
1114 #ifdef NAMEI_DIAGNOSTIC
1120 * Check to see if the vnode has been mounted on;
1121 * if so find the root of the mounted filesystem.
1123 while (dp->v_type == VDIR && (mp = dp->v_mountedhere) &&
1124 (cnp->cn_flags & NOCROSSMOUNT) == 0) {
1125 if (vfs_busy(mp, 0))
1128 if (dp != ndp->ni_dvp)
1132 vrefact(vp_crossmp);
1133 ndp->ni_dvp = vp_crossmp;
1134 error = VFS_ROOT(mp, compute_cn_lkflags(mp, cnp->cn_lkflags,
1135 cnp->cn_flags), &tdp);
1137 if (vn_lock(vp_crossmp, LK_SHARED | LK_NOWAIT))
1138 panic("vp_crossmp exclusively locked or reclaimed");
1143 ndp->ni_vp = dp = tdp;
1147 * Check for symbolic link
1149 if ((dp->v_type == VLNK) &&
1150 ((cnp->cn_flags & FOLLOW) || (cnp->cn_flags & TRAILINGSLASH) ||
1151 *ndp->ni_next == '/')) {
1152 cnp->cn_flags |= ISSYMLINK;
1153 if (VN_IS_DOOMED(dp)) {
1155 * We can't know whether the directory was mounted with
1156 * NOSYMFOLLOW, so we can't follow safely.
1161 if (dp->v_mount->mnt_flag & MNT_NOSYMFOLLOW) {
1166 * Symlink code always expects an unlocked dvp.
1168 if (ndp->ni_dvp != ndp->ni_vp) {
1169 VOP_UNLOCK(ndp->ni_dvp);
1170 ni_dvp_unlocked = 1;
1177 * Not a symbolic link that we will follow. Continue with the
1178 * next component if there is any; otherwise, we're done.
1180 KASSERT((cnp->cn_flags & ISLASTCN) || *ndp->ni_next == '/',
1181 ("lookup: invalid path state."));
1184 ndp->ni_pathlen = prev_ni_pathlen;
1185 ndp->ni_next = prev_ni_next;
1186 if (ndp->ni_dvp != dp)
1192 if (cnp->cn_flags & ISDOTDOT) {
1193 error = nameicap_check_dotdot(ndp, ndp->ni_vp);
1196 if (KTRPOINT(curthread, KTR_CAPFAIL))
1197 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
1202 if (*ndp->ni_next == '/') {
1203 cnp->cn_nameptr = ndp->ni_next;
1204 while (*cnp->cn_nameptr == '/') {
1208 if (ndp->ni_dvp != dp)
1215 * If we're processing a path with a trailing slash,
1216 * check that the end result is a directory.
1218 if ((cnp->cn_flags & TRAILINGSLASH) && dp->v_type != VDIR) {
1223 * Disallow directory write attempts on read-only filesystems.
1226 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
1230 if (cnp->cn_flags & SAVESTART) {
1231 ndp->ni_startdir = ndp->ni_dvp;
1232 VREF(ndp->ni_startdir);
1235 ni_dvp_unlocked = 2;
1236 if (ndp->ni_dvp != dp)
1240 } else if ((cnp->cn_flags & LOCKPARENT) == 0 && ndp->ni_dvp != dp) {
1241 VOP_UNLOCK(ndp->ni_dvp);
1242 ni_dvp_unlocked = 1;
1245 if (cnp->cn_flags & AUDITVNODE1)
1246 AUDIT_ARG_VNODE1(dp);
1247 else if (cnp->cn_flags & AUDITVNODE2)
1248 AUDIT_ARG_VNODE2(dp);
1250 if ((cnp->cn_flags & LOCKLEAF) == 0)
1254 * FIXME: for lookups which only cross a mount point to fetch the
1255 * root vnode, ni_dvp will be set to vp_crossmp. This can be a problem
1256 * if either WANTPARENT or LOCKPARENT is set.
1259 * Because of shared lookup we may have the vnode shared locked, but
1260 * the caller may want it to be exclusively locked.
1262 if (needs_exclusive_leaf(dp->v_mount, cnp->cn_flags) &&
1263 VOP_ISLOCKED(dp) != LK_EXCLUSIVE) {
1264 vn_lock(dp, LK_UPGRADE | LK_RETRY);
1265 if (VN_IS_DOOMED(dp)) {
1270 if (ndp->ni_vp != NULL) {
1271 if ((cnp->cn_flags & ISDOTDOT) == 0)
1272 nameicap_tracker_add(ndp, ndp->ni_vp);
1273 if ((cnp->cn_flags & (FAILIFEXISTS | ISSYMLINK)) == FAILIFEXISTS)
1279 if (ni_dvp_unlocked != 2) {
1280 if (dp != ndp->ni_dvp && !ni_dvp_unlocked)
1292 * FAILIFEXISTS handling.
1294 * XXX namei called with LOCKPARENT but not LOCKLEAF has the strange
1295 * behaviour of leaving the vnode unlocked if the target is the same
1296 * vnode as the parent.
1298 MPASS((cnp->cn_flags & ISSYMLINK) == 0);
1299 if (ndp->ni_vp == ndp->ni_dvp)
1306 NDFREE(ndp, NDF_ONLY_PNBUF);
1311 * relookup - lookup a path name component
1312 * Used by lookup to re-acquire things.
1315 relookup(struct vnode *dvp, struct vnode **vpp, struct componentname *cnp)
1317 struct vnode *dp = NULL; /* the directory we are searching */
1318 int rdonly; /* lookup read-only flag bit */
1321 KASSERT(cnp->cn_flags & ISLASTCN,
1322 ("relookup: Not given last component."));
1324 * Setup: break out flag bits into variables.
1326 KASSERT((cnp->cn_flags & (LOCKPARENT | WANTPARENT)) != 0,
1327 ("relookup: parent not wanted"));
1328 rdonly = cnp->cn_flags & RDONLY;
1329 cnp->cn_flags &= ~ISSYMLINK;
1331 cnp->cn_lkflags = LK_EXCLUSIVE;
1332 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY);
1335 * Search a new directory.
1337 * The last component of the filename is left accessible via
1338 * cnp->cn_nameptr for callers that need the name. Callers needing
1339 * the name set the SAVENAME flag. When done, they assume
1340 * responsibility for freeing the pathname buffer.
1342 #ifdef NAMEI_DIAGNOSTIC
1343 printf("{%s}: ", cnp->cn_nameptr);
1347 * Check for "" which represents the root directory after slash
1350 if (cnp->cn_nameptr[0] == '\0') {
1352 * Support only LOOKUP for "/" because lookup()
1353 * can't succeed for CREATE, DELETE and RENAME.
1355 KASSERT(cnp->cn_nameiop == LOOKUP, ("nameiop must be LOOKUP"));
1356 KASSERT(dp->v_type == VDIR, ("dp is not a directory"));
1358 if (!(cnp->cn_flags & LOCKLEAF))
1361 /* XXX This should probably move to the top of function. */
1362 if (cnp->cn_flags & SAVESTART)
1363 panic("lookup: SAVESTART");
1367 if (cnp->cn_flags & ISDOTDOT)
1368 panic ("relookup: lookup on dot-dot");
1371 * We now have a segment name to search for, and a directory to search.
1373 #ifdef NAMEI_DIAGNOSTIC
1374 vn_printf(dp, "search in ");
1376 if ((error = VOP_LOOKUP(dp, vpp, cnp)) != 0) {
1377 KASSERT(*vpp == NULL, ("leaf should be empty"));
1378 if (error != EJUSTRETURN)
1381 * If creating and at end of pathname, then can consider
1382 * allowing file to be created.
1388 /* ASSERT(dvp == ndp->ni_startdir) */
1389 if (cnp->cn_flags & SAVESTART)
1391 if ((cnp->cn_flags & LOCKPARENT) == 0)
1394 * We return with ni_vp NULL to indicate that the entry
1395 * doesn't currently exist, leaving a pointer to the
1396 * (possibly locked) directory vnode in ndp->ni_dvp.
1404 * Disallow directory write attempts on read-only filesystems.
1407 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
1416 * Set the parent lock/ref state to the requested state.
1418 if ((cnp->cn_flags & LOCKPARENT) == 0 && dvp != dp)
1421 * Check for symbolic link
1423 KASSERT(dp->v_type != VLNK || !(cnp->cn_flags & FOLLOW),
1424 ("relookup: symlink found.\n"));
1426 /* ASSERT(dvp == ndp->ni_startdir) */
1427 if (cnp->cn_flags & SAVESTART)
1430 if ((cnp->cn_flags & LOCKLEAF) == 0)
1440 * Free data allocated by namei(); see namei(9) for details.
1443 NDFREE_PNBUF(struct nameidata *ndp)
1446 if ((ndp->ni_cnd.cn_flags & HASBUF) != 0) {
1447 MPASS((ndp->ni_cnd.cn_flags & (SAVENAME | SAVESTART)) != 0);
1448 uma_zfree(namei_zone, ndp->ni_cnd.cn_pnbuf);
1449 ndp->ni_cnd.cn_flags &= ~HASBUF;
1454 * NDFREE_PNBUF replacement for callers that know there is no buffer.
1456 * This is a hack. Preferably the VFS layer would not produce anything more
1457 * than it was asked to do. Unfortunately several non-LOOKUP cases can add the
1458 * HASBUF flag to the result. Even then an interface could be implemented where
1459 * the caller specifies what they expected to see in the result and what they
1460 * are going to take care of.
1462 * In the meantime provide this kludge as a trivial replacement for NDFREE_PNBUF
1463 * calls scattered throughout the kernel where we know for a fact the flag must not
1468 NDFREE_NOTHING(struct nameidata *ndp)
1470 struct componentname *cnp;
1473 KASSERT(cnp->cn_nameiop == LOOKUP, ("%s: got non-LOOKUP op %d\n",
1474 __func__, cnp->cn_nameiop));
1475 KASSERT((cnp->cn_flags & (SAVENAME | HASBUF)) == 0,
1476 ("%s: bad flags \%" PRIx64 "\n", __func__, cnp->cn_flags));
1481 (NDFREE)(struct nameidata *ndp, const u_int flags)
1489 if (!(flags & NDF_NO_FREE_PNBUF)) {
1492 if (!(flags & NDF_NO_VP_UNLOCK) &&
1493 (ndp->ni_cnd.cn_flags & LOCKLEAF) && ndp->ni_vp)
1495 if (!(flags & NDF_NO_DVP_UNLOCK) &&
1496 (ndp->ni_cnd.cn_flags & LOCKPARENT) &&
1497 ndp->ni_dvp != ndp->ni_vp)
1499 if (!(flags & NDF_NO_VP_RELE) && ndp->ni_vp) {
1508 VOP_UNLOCK(ndp->ni_vp);
1509 if (!(flags & NDF_NO_DVP_RELE) &&
1510 (ndp->ni_cnd.cn_flags & (LOCKPARENT|WANTPARENT))) {
1519 VOP_UNLOCK(ndp->ni_dvp);
1520 if (!(flags & NDF_NO_STARTDIR_RELE) &&
1521 (ndp->ni_cnd.cn_flags & SAVESTART)) {
1522 vrele(ndp->ni_startdir);
1523 ndp->ni_startdir = NULL;
1529 * Validate the final state of ndp after the lookup.
1531 * Historically filesystems were allowed to modify cn_flags. Most notably they
1532 * can add SAVENAME to the request, resulting in HASBUF and pushing subsequent
1533 * clean up to the consumer. In practice this seems to only concern != LOOKUP
1536 * As a step towards stricter API contract this routine validates the state to
1537 * clean up. Note validation is a work in progress with the intent of becoming
1538 * stricter over time.
1540 #define NDMODIFYINGFLAGS (LOCKLEAF | LOCKPARENT | WANTPARENT | SAVENAME | SAVESTART | HASBUF)
1542 NDVALIDATE(struct nameidata *ndp)
1544 struct componentname *cnp;
1545 u_int64_t used, orig;
1548 orig = cnp->cn_origflags;
1549 used = cnp->cn_flags;
1550 switch (cnp->cn_nameiop) {
1553 * For plain lookup we require strict conformance -- nothing
1554 * to clean up if it was not requested by the caller.
1556 orig &= NDMODIFYINGFLAGS;
1557 used &= NDMODIFYINGFLAGS;
1558 if ((orig & (SAVENAME | SAVESTART)) != 0)
1568 * Some filesystems set SAVENAME to provoke HASBUF, accomodate
1569 * for it until it gets fixed.
1571 orig &= NDMODIFYINGFLAGS;
1572 orig |= (SAVENAME | HASBUF);
1573 used &= NDMODIFYINGFLAGS;
1574 used |= (SAVENAME | HASBUF);
1582 panic("%s: mismatched flags for op %d: added %" PRIx64 ", "
1583 "removed %" PRIx64" (%" PRIx64" != %" PRIx64"; stored %" PRIx64" != %" PRIx64")",
1584 __func__, cnp->cn_nameiop, used & ~orig, orig &~ used,
1585 orig, used, cnp->cn_origflags, cnp->cn_flags);
1590 * Determine if there is a suitable alternate filename under the specified
1591 * prefix for the specified path. If the create flag is set, then the
1592 * alternate prefix will be used so long as the parent directory exists.
1593 * This is used by the various compatibility ABIs so that Linux binaries prefer
1594 * files under /compat/linux for example. The chosen path (whether under
1595 * the prefix or under /) is returned in a kernel malloc'd buffer pointed
1596 * to by pathbuf. The caller is responsible for free'ing the buffer from
1597 * the M_TEMP bucket if one is returned.
1600 kern_alternate_path(struct thread *td, const char *prefix, const char *path,
1601 enum uio_seg pathseg, char **pathbuf, int create, int dirfd)
1603 struct nameidata nd, ndroot;
1604 char *ptr, *buf, *cp;
1608 buf = (char *) malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
1611 /* Copy the prefix into the new pathname as a starting point. */
1612 len = strlcpy(buf, prefix, MAXPATHLEN);
1613 if (len >= MAXPATHLEN) {
1618 sz = MAXPATHLEN - len;
1621 /* Append the filename to the prefix. */
1622 if (pathseg == UIO_SYSSPACE)
1623 error = copystr(path, ptr, sz, &len);
1625 error = copyinstr(path, ptr, sz, &len);
1633 /* Only use a prefix with absolute pathnames. */
1639 if (dirfd != AT_FDCWD) {
1641 * We want the original because the "prefix" is
1642 * included in the already opened dirfd.
1644 bcopy(ptr, buf, len);
1649 * We know that there is a / somewhere in this pathname.
1650 * Search backwards for it, to find the file's parent dir
1651 * to see if it exists in the alternate tree. If it does,
1652 * and we want to create a file (cflag is set). We don't
1653 * need to worry about the root comparison in this case.
1657 for (cp = &ptr[len] - 1; *cp != '/'; cp--);
1660 NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, buf, td);
1666 NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, buf, td);
1673 * We now compare the vnode of the prefix to the one
1674 * vnode asked. If they resolve to be the same, then we
1675 * ignore the match so that the real root gets used.
1676 * This avoids the problem of traversing "../.." to find the
1677 * root directory and never finding it, because "/" resolves
1678 * to the emulation root directory. This is expensive :-(
1680 NDINIT(&ndroot, LOOKUP, FOLLOW, UIO_SYSSPACE, prefix,
1683 /* We shouldn't ever get an error from this namei(). */
1684 error = namei(&ndroot);
1686 if (nd.ni_vp == ndroot.ni_vp)
1689 NDFREE(&ndroot, NDF_ONLY_PNBUF);
1690 vrele(ndroot.ni_vp);
1694 NDFREE(&nd, NDF_ONLY_PNBUF);
1698 /* If there was an error, use the original path name. */
1700 bcopy(ptr, buf, len);