2 * SPDX-License-Identifier: BSD-3-Clause
4 * Copyright (c) 1982, 1986, 1989, 1993
5 * The Regents of the University of California. All rights reserved.
6 * (c) UNIX System Laboratories, Inc.
7 * All or some portions of this file are derived from material licensed
8 * to the University of California by American Telephone and Telegraph
9 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
10 * the permission of UNIX System Laboratories, Inc.
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 * 3. Neither the name of the University nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
24 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * @(#)vfs_lookup.c 8.4 (Berkeley) 2/16/94
39 #include <sys/cdefs.h>
40 __FBSDID("$FreeBSD$");
42 #include "opt_capsicum.h"
43 #include "opt_ktrace.h"
45 #include <sys/param.h>
46 #include <sys/systm.h>
47 #include <sys/dirent.h>
48 #include <sys/kernel.h>
49 #include <sys/capsicum.h>
50 #include <sys/fcntl.h>
53 #include <sys/mutex.h>
54 #include <sys/namei.h>
55 #include <sys/vnode.h>
56 #include <sys/mount.h>
57 #include <sys/filedesc.h>
60 #include <sys/syscallsubr.h>
61 #include <sys/sysctl.h>
63 #include <sys/ktrace.h>
66 #include <machine/_inttypes.h>
69 #include <security/audit/audit.h>
70 #include <security/mac/mac_framework.h>
74 #define NAMEI_DIAGNOSTIC 1
75 #undef NAMEI_DIAGNOSTIC
77 SDT_PROVIDER_DEFINE(vfs);
78 SDT_PROBE_DEFINE4(vfs, namei, lookup, entry, "struct vnode *", "char *",
79 "unsigned long", "bool");
80 SDT_PROBE_DEFINE4(vfs, namei, lookup, return, "int", "struct vnode *", "bool",
83 /* Allocation zone for namei. */
84 uma_zone_t namei_zone;
86 /* Placeholder vnode for mp traversal. */
87 static struct vnode *vp_crossmp;
90 crossmp_vop_islocked(struct vop_islocked_args *ap)
97 crossmp_vop_lock1(struct vop_lock1_args *ap)
100 struct lock *lk __diagused;
101 const char *file __diagused;
102 int flags, line __diagused;
110 if ((flags & LK_SHARED) == 0)
111 panic("invalid lock request for crossmp");
113 WITNESS_CHECKORDER(&lk->lock_object, LOP_NEWORDER, file, line,
114 flags & LK_INTERLOCK ? &VI_MTX(vp)->lock_object : NULL);
115 WITNESS_LOCK(&lk->lock_object, 0, file, line);
116 if ((flags & LK_INTERLOCK) != 0)
118 LOCK_LOG_LOCK("SLOCK", &lk->lock_object, 0, 0, ap->a_file, line);
123 crossmp_vop_unlock(struct vop_unlock_args *ap)
126 struct lock *lk __diagused;
131 WITNESS_UNLOCK(&lk->lock_object, 0, LOCK_FILE, LOCK_LINE);
132 LOCK_LOG_LOCK("SUNLOCK", &lk->lock_object, 0, 0, LOCK_FILE,
137 static struct vop_vector crossmp_vnodeops = {
138 .vop_default = &default_vnodeops,
139 .vop_islocked = crossmp_vop_islocked,
140 .vop_lock1 = crossmp_vop_lock1,
141 .vop_unlock = crossmp_vop_unlock,
144 * VFS_VOP_VECTOR_REGISTER(crossmp_vnodeops) is not used here since the vnode
145 * gets allocated early. See nameiinit for the direct call below.
148 struct nameicap_tracker {
150 TAILQ_ENTRY(nameicap_tracker) nm_link;
153 /* Zone for cap mode tracker elements used for dotdot capability checks. */
154 MALLOC_DEFINE(M_NAMEITRACKER, "namei_tracker", "namei tracking for dotdot");
157 nameiinit(void *dummy __unused)
160 namei_zone = uma_zcreate("NAMEI", MAXPATHLEN, NULL, NULL, NULL, NULL,
162 vfs_vector_op_register(&crossmp_vnodeops);
163 getnewvnode("crossmp", NULL, &crossmp_vnodeops, &vp_crossmp);
165 SYSINIT(vfs, SI_SUB_VFS, SI_ORDER_SECOND, nameiinit, NULL);
167 static int lookup_cap_dotdot = 1;
168 SYSCTL_INT(_vfs, OID_AUTO, lookup_cap_dotdot, CTLFLAG_RWTUN,
169 &lookup_cap_dotdot, 0,
170 "enables \"..\" components in path lookup in capability mode");
171 static int lookup_cap_dotdot_nonlocal = 1;
172 SYSCTL_INT(_vfs, OID_AUTO, lookup_cap_dotdot_nonlocal, CTLFLAG_RWTUN,
173 &lookup_cap_dotdot_nonlocal, 0,
174 "enables \"..\" components in path lookup in capability mode "
175 "on non-local mount");
178 nameicap_tracker_add(struct nameidata *ndp, struct vnode *dp)
180 struct nameicap_tracker *nt;
182 if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0 || dp->v_type != VDIR)
184 nt = TAILQ_LAST(&ndp->ni_cap_tracker, nameicap_tracker_head);
185 if (nt != NULL && nt->dp == dp)
187 nt = malloc(sizeof(*nt), M_NAMEITRACKER, M_WAITOK);
190 TAILQ_INSERT_TAIL(&ndp->ni_cap_tracker, nt, nm_link);
194 nameicap_cleanup_from(struct nameidata *ndp, struct nameicap_tracker *first)
196 struct nameicap_tracker *nt, *nt1;
199 TAILQ_FOREACH_FROM_SAFE(nt, &ndp->ni_cap_tracker, nm_link, nt1) {
200 TAILQ_REMOVE(&ndp->ni_cap_tracker, nt, nm_link);
202 free(nt, M_NAMEITRACKER);
207 nameicap_cleanup(struct nameidata *ndp)
209 KASSERT(TAILQ_EMPTY(&ndp->ni_cap_tracker) ||
210 (ndp->ni_lcf & NI_LCF_CAP_DOTDOT) != 0, ("not strictrelative"));
211 nameicap_cleanup_from(ndp, NULL);
215 * For dotdot lookups in capability mode, only allow the component
216 * lookup to succeed if the resulting directory was already traversed
217 * during the operation. This catches situations where already
218 * traversed directory is moved to different parent, and then we walk
219 * over it with dotdots.
221 * Also allow to force failure of dotdot lookups for non-local
222 * filesystems, where external agents might assist local lookups to
223 * escape the compartment.
226 nameicap_check_dotdot(struct nameidata *ndp, struct vnode *dp)
228 struct nameicap_tracker *nt;
231 if (dp == NULL || dp->v_type != VDIR || (ndp->ni_lcf &
232 NI_LCF_STRICTRELATIVE) == 0)
234 if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0)
235 return (ENOTCAPABLE);
237 if (lookup_cap_dotdot_nonlocal == 0 && mp != NULL &&
238 (mp->mnt_flag & MNT_LOCAL) == 0)
239 return (ENOTCAPABLE);
240 TAILQ_FOREACH_REVERSE(nt, &ndp->ni_cap_tracker, nameicap_tracker_head,
243 nt = TAILQ_NEXT(nt, nm_link);
245 nameicap_cleanup_from(ndp, nt);
249 return (ENOTCAPABLE);
253 namei_cleanup_cnp(struct componentname *cnp)
256 uma_zfree(namei_zone, cnp->cn_pnbuf);
258 cnp->cn_pnbuf = NULL;
259 cnp->cn_nameptr = NULL;
264 namei_handle_root(struct nameidata *ndp, struct vnode **dpp)
266 struct componentname *cnp;
269 if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0) {
271 if (KTRPOINT(curthread, KTR_CAPFAIL))
272 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
274 return (ENOTCAPABLE);
276 while (*(cnp->cn_nameptr) == '/') {
280 *dpp = ndp->ni_rootdir;
286 namei_setup(struct nameidata *ndp, struct vnode **dpp, struct pwd **pwdp)
288 struct componentname *cnp;
297 startdir_used = false;
301 #ifdef CAPABILITY_MODE
303 * In capability mode, lookups must be restricted to happen in
304 * the subtree with the root specified by the file descriptor:
305 * - The root must be real file descriptor, not the pseudo-descriptor
307 * - The passed path must be relative and not absolute.
308 * - If lookup_cap_dotdot is disabled, path must not contain the
310 * - If lookup_cap_dotdot is enabled, we verify that all '..'
311 * components lookups result in the directories which were
312 * previously walked by us, which prevents an escape from
315 if (IN_CAPABILITY_MODE(td) && (cnp->cn_flags & NOCAPCHECK) == 0) {
316 ndp->ni_lcf |= NI_LCF_STRICTRELATIVE;
317 ndp->ni_resflags |= NIRES_STRICTREL;
318 if (ndp->ni_dirfd == AT_FDCWD) {
320 if (KTRPOINT(td, KTR_CAPFAIL))
321 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
330 * Get starting point for the translation.
334 * The reference on ni_rootdir is acquired in the block below to avoid
335 * back-to-back atomics for absolute lookups.
337 ndp->ni_rootdir = pwd->pwd_rdir;
338 ndp->ni_topdir = pwd->pwd_jdir;
340 if (cnp->cn_pnbuf[0] == '/') {
341 ndp->ni_resflags |= NIRES_ABS;
342 error = namei_handle_root(ndp, dpp);
344 if (ndp->ni_startdir != NULL) {
345 *dpp = ndp->ni_startdir;
346 startdir_used = true;
347 } else if (ndp->ni_dirfd == AT_FDCWD) {
348 *dpp = pwd->pwd_cdir;
351 if (cnp->cn_flags & AUDITVNODE1)
352 AUDIT_ARG_ATFD1(ndp->ni_dirfd);
353 if (cnp->cn_flags & AUDITVNODE2)
354 AUDIT_ARG_ATFD2(ndp->ni_dirfd);
356 error = fgetvp_lookup(ndp->ni_dirfd, ndp, dpp);
358 if (error == 0 && (*dpp)->v_type != VDIR &&
359 (cnp->cn_pnbuf[0] != '\0' ||
360 (cnp->cn_flags & EMPTYPATH) == 0))
363 if (error == 0 && (cnp->cn_flags & RBENEATH) != 0) {
364 if (cnp->cn_pnbuf[0] == '/') {
366 } else if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) == 0) {
367 ndp->ni_lcf |= NI_LCF_STRICTRELATIVE |
373 * If we are auditing the kernel pathname, save the user pathname.
375 if (cnp->cn_flags & AUDITVNODE1)
376 AUDIT_ARG_UPATH1_VP(td, ndp->ni_rootdir, *dpp, cnp->cn_pnbuf);
377 if (cnp->cn_flags & AUDITVNODE2)
378 AUDIT_ARG_UPATH2_VP(td, ndp->ni_rootdir, *dpp, cnp->cn_pnbuf);
379 if (ndp->ni_startdir != NULL && !startdir_used)
380 vrele(ndp->ni_startdir);
387 if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0 &&
388 lookup_cap_dotdot != 0)
389 ndp->ni_lcf |= NI_LCF_CAP_DOTDOT;
390 SDT_PROBE4(vfs, namei, lookup, entry, *dpp, cnp->cn_pnbuf,
391 cnp->cn_flags, false);
397 namei_getpath(struct nameidata *ndp)
399 struct componentname *cnp;
405 * Get a buffer for the name to be translated, and copy the
406 * name into the buffer.
408 cnp->cn_pnbuf = uma_zalloc(namei_zone, M_WAITOK);
409 if (ndp->ni_segflg == UIO_SYSSPACE) {
410 error = copystr(ndp->ni_dirp, cnp->cn_pnbuf, MAXPATHLEN,
413 error = copyinstr(ndp->ni_dirp, cnp->cn_pnbuf, MAXPATHLEN,
417 if (__predict_false(error != 0))
420 cnp->cn_nameptr = cnp->cn_pnbuf;
425 namei_emptypath(struct nameidata *ndp)
427 struct componentname *cnp;
433 MPASS(*cnp->cn_pnbuf == '\0');
434 MPASS((cnp->cn_flags & EMPTYPATH) != 0);
435 MPASS((cnp->cn_flags & (LOCKPARENT | WANTPARENT)) == 0);
437 ndp->ni_resflags |= NIRES_EMPTYPATH;
438 error = namei_setup(ndp, &dp, &pwd);
440 namei_cleanup_cnp(cnp);
445 * Usecount on dp already provided by namei_setup.
448 namei_cleanup_cnp(cnp);
451 if ((cnp->cn_flags & LOCKLEAF) != 0) {
452 VOP_LOCK(dp, (cnp->cn_flags & LOCKSHARED) != 0 ?
453 LK_SHARED : LK_EXCLUSIVE);
454 if (VN_IS_DOOMED(dp)) {
460 SDT_PROBE4(vfs, namei, lookup, return, 0, ndp->ni_vp, false, ndp);
464 SDT_PROBE4(vfs, namei, lookup, return, error, NULL, false, ndp);
468 static int __noinline
469 namei_follow_link(struct nameidata *ndp)
474 struct componentname *cnp;
482 if (ndp->ni_loopcnt++ >= MAXSYMLINKS) {
487 if ((cnp->cn_flags & NOMACCHECK) == 0) {
488 error = mac_vnode_check_readlink(td->td_ucred, ndp->ni_vp);
493 if (ndp->ni_pathlen > 1)
494 cp = uma_zalloc(namei_zone, M_WAITOK);
498 aiov.iov_len = MAXPATHLEN;
499 auio.uio_iov = &aiov;
502 auio.uio_rw = UIO_READ;
503 auio.uio_segflg = UIO_SYSSPACE;
505 auio.uio_resid = MAXPATHLEN;
506 error = VOP_READLINK(ndp->ni_vp, &auio, cnp->cn_cred);
508 if (ndp->ni_pathlen > 1)
509 uma_zfree(namei_zone, cp);
512 linklen = MAXPATHLEN - auio.uio_resid;
514 if (ndp->ni_pathlen > 1)
515 uma_zfree(namei_zone, cp);
519 if (linklen + ndp->ni_pathlen > MAXPATHLEN) {
520 if (ndp->ni_pathlen > 1)
521 uma_zfree(namei_zone, cp);
522 error = ENAMETOOLONG;
525 if (ndp->ni_pathlen > 1) {
526 bcopy(ndp->ni_next, cp + linklen, ndp->ni_pathlen);
527 uma_zfree(namei_zone, cnp->cn_pnbuf);
530 cnp->cn_pnbuf[linklen] = '\0';
531 ndp->ni_pathlen += linklen;
537 * Convert a pathname into a pointer to a locked vnode.
539 * The FOLLOW flag is set when symbolic links are to be followed
540 * when they occur at the end of the name translation process.
541 * Symbolic links are always followed for all other pathname
542 * components other than the last.
544 * The segflg defines whether the name is to be copied from user
545 * space or kernel space.
547 * Overall outline of namei:
550 * get starting directory
551 * while (!done && !error) {
552 * call lookup to search path.
553 * if symbolic link, massage name in buffer and continue
557 namei(struct nameidata *ndp)
559 struct vnode *dp; /* the directory we are searching */
560 struct componentname *cnp;
564 enum cache_fpl_status status;
569 KASSERT((ndp->ni_debugflags & NAMEI_DBG_CALLED) == 0,
570 ("%s: repeated call to namei without NDREINIT", __func__));
571 KASSERT(ndp->ni_debugflags == NAMEI_DBG_INITED,
572 ("%s: bad debugflags %d", __func__, ndp->ni_debugflags));
573 ndp->ni_debugflags |= NAMEI_DBG_CALLED;
574 if (ndp->ni_startdir != NULL)
575 ndp->ni_debugflags |= NAMEI_DBG_HADSTARTDIR;
576 if (cnp->cn_flags & FAILIFEXISTS) {
577 KASSERT(cnp->cn_nameiop == CREATE,
578 ("%s: FAILIFEXISTS passed for op %d", __func__, cnp->cn_nameiop));
580 * The limitation below is to restrict hairy corner cases.
582 KASSERT((cnp->cn_flags & (LOCKPARENT | LOCKLEAF)) == LOCKPARENT,
583 ("%s: FAILIFEXISTS must be passed with LOCKPARENT and without LOCKLEAF",
589 * While NDINIT may seem like a more natural place to do it, there are
590 * callers which directly modify flags past invoking init.
592 cnp->cn_origflags = cnp->cn_flags;
594 ndp->ni_cnd.cn_cred = td->td_ucred;
595 KASSERT(ndp->ni_resflags == 0, ("%s: garbage in ni_resflags: %x\n",
596 __func__, ndp->ni_resflags));
597 KASSERT(cnp->cn_cred && td->td_proc, ("namei: bad cred/proc"));
598 KASSERT((cnp->cn_flags & NAMEI_INTERNAL_FLAGS) == 0,
599 ("namei: unexpected flags: %" PRIx64 "\n",
600 cnp->cn_flags & NAMEI_INTERNAL_FLAGS));
601 if (cnp->cn_flags & NOCACHE)
602 KASSERT(cnp->cn_nameiop != LOOKUP,
603 ("%s: NOCACHE passed with LOOKUP", __func__));
604 MPASS(ndp->ni_startdir == NULL || ndp->ni_startdir->v_type == VDIR ||
605 ndp->ni_startdir->v_type == VBAD);
611 error = namei_getpath(ndp);
612 if (__predict_false(error != 0)) {
613 namei_cleanup_cnp(cnp);
614 SDT_PROBE4(vfs, namei, lookup, return, error, NULL,
620 if (KTRPOINT(td, KTR_NAMEI)) {
621 ktrnamei(cnp->cn_pnbuf);
624 TSNAMEI(curthread->td_proc->p_pid, cnp->cn_pnbuf);
627 * First try looking up the target without locking any vnodes.
629 * We may need to start from scratch or pick up where it left off.
631 error = cache_fplookup(ndp, &status, &pwd);
633 case CACHE_FPL_STATUS_UNSET:
634 __assert_unreachable();
636 case CACHE_FPL_STATUS_HANDLED:
640 case CACHE_FPL_STATUS_PARTIAL:
641 TAILQ_INIT(&ndp->ni_cap_tracker);
642 dp = ndp->ni_startdir;
644 case CACHE_FPL_STATUS_DESTROYED:
646 error = namei_getpath(ndp);
647 if (__predict_false(error != 0)) {
648 namei_cleanup_cnp(cnp);
652 case CACHE_FPL_STATUS_ABORTED:
653 TAILQ_INIT(&ndp->ni_cap_tracker);
654 MPASS(ndp->ni_lcf == 0);
655 if (*cnp->cn_pnbuf == '\0') {
656 if ((cnp->cn_flags & EMPTYPATH) != 0) {
657 return (namei_emptypath(ndp));
659 namei_cleanup_cnp(cnp);
660 SDT_PROBE4(vfs, namei, lookup, return, ENOENT, NULL,
664 error = namei_setup(ndp, &dp, &pwd);
666 namei_cleanup_cnp(cnp);
676 ndp->ni_startdir = dp;
677 error = vfs_lookup(ndp);
682 * If not a symbolic link, we're done.
684 if ((cnp->cn_flags & ISSYMLINK) == 0) {
685 SDT_PROBE4(vfs, namei, lookup, return, error,
686 (error == 0 ? ndp->ni_vp : NULL), false, ndp);
687 if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) {
688 namei_cleanup_cnp(cnp);
690 cnp->cn_flags |= HASBUF;
691 nameicap_cleanup(ndp);
697 error = namei_follow_link(ndp);
703 * Check if root directory should replace current directory.
705 cnp->cn_nameptr = cnp->cn_pnbuf;
706 if (*(cnp->cn_nameptr) == '/') {
708 error = namei_handle_root(ndp, &dp);
718 SDT_PROBE4(vfs, namei, lookup, return, error, NULL, false, ndp);
719 namei_cleanup_cnp(cnp);
720 nameicap_cleanup(ndp);
726 compute_cn_lkflags(struct mount *mp, int lkflags, int cnflags)
729 if (mp == NULL || ((lkflags & LK_SHARED) &&
730 !(mp->mnt_kern_flag & MNTK_LOOKUP_SHARED))) {
731 lkflags &= ~LK_SHARED;
732 lkflags |= LK_EXCLUSIVE;
734 lkflags |= LK_NODDLKTREAT;
739 needs_exclusive_leaf(struct mount *mp, int flags)
743 * Intermediate nodes can use shared locks, we only need to
744 * force an exclusive lock for leaf nodes.
746 if ((flags & (ISLASTCN | LOCKLEAF)) != (ISLASTCN | LOCKLEAF))
749 /* Always use exclusive locks if LOCKSHARED isn't set. */
750 if (!(flags & LOCKSHARED))
754 * For lookups during open(), if the mount point supports
755 * extended shared operations, then use a shared lock for the
756 * leaf node, otherwise use an exclusive lock.
758 if ((flags & ISOPEN) != 0)
759 return (!MNT_EXTENDED_SHARED(mp));
762 * Lookup requests outside of open() that specify LOCKSHARED
763 * only need a shared lock on the leaf vnode.
769 * Various filesystems expect to be able to copy a name component with length
770 * bounded by NAME_MAX into a directory entry buffer of size MAXNAMLEN. Make
771 * sure that these are the same size.
773 _Static_assert(MAXNAMLEN == NAME_MAX,
774 "MAXNAMLEN and NAME_MAX have different values");
776 static int __noinline
777 vfs_lookup_degenerate(struct nameidata *ndp, struct vnode *dp, int wantparent)
779 struct componentname *cnp;
785 cnp->cn_flags |= ISLASTCN;
787 mp = atomic_load_ptr(&dp->v_mount);
788 if (needs_exclusive_leaf(mp, cnp->cn_flags)) {
789 cnp->cn_lkflags &= ~LK_SHARED;
790 cnp->cn_lkflags |= LK_EXCLUSIVE;
794 compute_cn_lkflags(mp, cnp->cn_lkflags | LK_RETRY,
797 if (dp->v_type != VDIR) {
801 if (cnp->cn_nameiop != LOOKUP) {
812 if (cnp->cn_flags & AUDITVNODE1)
813 AUDIT_ARG_VNODE1(dp);
814 else if (cnp->cn_flags & AUDITVNODE2)
815 AUDIT_ARG_VNODE2(dp);
817 if (!(cnp->cn_flags & (LOCKPARENT | LOCKLEAF)))
819 /* XXX This should probably move to the top of function. */
820 if (cnp->cn_flags & SAVESTART)
821 panic("lookup: SAVESTART");
829 * FAILIFEXISTS handling.
831 * XXX namei called with LOCKPARENT but not LOCKLEAF has the strange
832 * behaviour of leaving the vnode unlocked if the target is the same
833 * vnode as the parent.
835 static int __noinline
836 vfs_lookup_failifexists(struct nameidata *ndp)
838 struct componentname *cnp __diagused;
842 MPASS((cnp->cn_flags & ISSYMLINK) == 0);
843 if (ndp->ni_vp == ndp->ni_dvp)
856 * This is a very central and rather complicated routine.
858 * The pathname is pointed to by ni_ptr and is of length ni_pathlen.
859 * The starting directory is taken from ni_startdir. The pathname is
860 * descended until done, or a symbolic link is encountered. The variable
861 * ni_more is clear if the path is completed; it is set to one if a
862 * symbolic link needing interpretation is encountered.
864 * The flag argument is LOOKUP, CREATE, RENAME, or DELETE depending on
865 * whether the name is to be looked up, created, renamed, or deleted.
866 * When CREATE, RENAME, or DELETE is specified, information usable in
867 * creating, renaming, or deleting a directory entry may be calculated.
868 * If flag has LOCKPARENT or'ed into it, the parent directory is returned
869 * locked. If flag has WANTPARENT or'ed into it, the parent directory is
870 * returned unlocked. Otherwise the parent directory is not returned. If
871 * the target of the pathname exists and LOCKLEAF is or'ed into the flag
872 * the target is returned locked, otherwise it is returned unlocked.
873 * When creating or renaming and LOCKPARENT is specified, the target may not
874 * be ".". When deleting and LOCKPARENT is specified, the target may be ".".
876 * Overall outline of lookup:
879 * identify next component of name at ndp->ni_ptr
880 * handle degenerate case where name is null string
881 * if .. and crossing mount points and on mounted filesys, find parent
882 * call VOP_LOOKUP routine for next component name
883 * directory vnode returned in ni_dvp, unlocked unless LOCKPARENT set
884 * component vnode returned in ni_vp (if it exists), locked.
885 * if result vnode is mounted on and crossing mount points,
886 * find mounted on vnode
887 * if more components of name, do next level at dirloop
888 * return the answer in ni_vp, locked if LOCKLEAF set
889 * if LOCKPARENT set, return locked parent in ni_dvp
890 * if WANTPARENT set, return unlocked parent in ni_dvp
893 vfs_lookup(struct nameidata *ndp)
895 char *cp; /* pointer into pathname argument */
896 char *prev_ni_next; /* saved ndp->ni_next */
897 char *nulchar; /* location of '\0' in cn_pnbuf */
898 char *lastchar; /* location of the last character */
899 struct vnode *dp = NULL; /* the directory we are searching */
900 struct vnode *tdp; /* saved dp */
901 struct mount *mp; /* mount table entry */
903 size_t prev_ni_pathlen; /* saved ndp->ni_pathlen */
904 int docache; /* == 0 do not cache last component */
905 int wantparent; /* 1 => wantparent or lockparent flag */
906 int rdonly; /* lookup read-only flag bit */
908 int dpunlocked = 0; /* dp has already been unlocked */
909 int relookup = 0; /* do not consume the path component */
910 struct componentname *cnp = &ndp->ni_cnd;
915 * Setup: break out flag bits into variables.
918 wantparent = cnp->cn_flags & (LOCKPARENT | WANTPARENT);
919 KASSERT(cnp->cn_nameiop == LOOKUP || wantparent,
920 ("CREATE, DELETE, RENAME require LOCKPARENT or WANTPARENT."));
922 * When set to zero, docache causes the last component of the
923 * pathname to be deleted from the cache and the full lookup
924 * of the name to be done (via VOP_CACHEDLOOKUP()). Often
925 * filesystems need some pre-computed values that are made
926 * during the full lookup, for instance UFS sets dp->i_offset.
928 * The docache variable is set to zero when requested by the
929 * NOCACHE flag and for all modifying operations except CREATE.
931 docache = (cnp->cn_flags & NOCACHE) ^ NOCACHE;
932 if (cnp->cn_nameiop == DELETE ||
933 (wantparent && cnp->cn_nameiop != CREATE &&
934 cnp->cn_nameiop != LOOKUP))
936 rdonly = cnp->cn_flags & RDONLY;
937 cnp->cn_flags &= ~ISSYMLINK;
940 cnp->cn_lkflags = LK_SHARED;
941 dp = ndp->ni_startdir;
942 ndp->ni_startdir = NULLVP;
945 * Leading slashes, if any, are supposed to be skipped by the caller.
947 MPASS(cnp->cn_nameptr[0] != '/');
950 * Check for degenerate name (e.g. / or "") which is a way of talking
951 * about a directory, e.g. like "/." or ".".
953 if (__predict_false(cnp->cn_nameptr[0] == '\0')) {
954 error = vfs_lookup_degenerate(ndp, dp, wantparent);
956 goto success_right_lock;
961 * Nul-out trailing slashes (e.g., "foo///" -> "foo").
963 * This must be done before VOP_LOOKUP() because some fs's don't know
964 * about trailing slashes. Remember if there were trailing slashes to
965 * handle symlinks, existing non-directories and non-existing files
966 * that won't be directories specially later.
968 MPASS(ndp->ni_pathlen >= 2);
969 lastchar = &cnp->cn_nameptr[ndp->ni_pathlen - 2];
970 if (*lastchar == '/') {
971 while (lastchar >= cnp->cn_pnbuf) {
975 if (*lastchar != '/') {
979 cnp->cn_flags |= TRAILINGSLASH;
983 * We use shared locks until we hit the parent of the last cn then
984 * we adjust based on the requesting flags.
987 compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags | LK_RETRY,
992 * Search a new directory.
994 * The last component of the filename is left accessible via
995 * cnp->cn_nameptr for callers that need the name. Callers needing
996 * the name set the SAVENAME flag. When done, they assume
997 * responsibility for freeing the pathname buffer.
999 * Store / as a temporary sentinel so that we only have one character
1000 * to test for. Pathnames tend to be short so this should not be
1001 * resulting in cache misses.
1003 nulchar = &cnp->cn_nameptr[ndp->ni_pathlen - 1];
1004 KASSERT(*nulchar == '\0',
1005 ("%s: expected nul at %p; string [%s]\n", __func__, nulchar,
1008 for (cp = cnp->cn_nameptr; *cp != '/'; cp++) {
1009 KASSERT(*cp != '\0',
1010 ("%s: encountered unexpected nul; string [%s]\n", __func__,
1015 cnp->cn_namelen = cp - cnp->cn_nameptr;
1016 if (__predict_false(cnp->cn_namelen > NAME_MAX)) {
1017 error = ENAMETOOLONG;
1020 #ifdef NAMEI_DIAGNOSTIC
1023 printf("{%s}: ", cnp->cn_nameptr);
1026 prev_ni_pathlen = ndp->ni_pathlen;
1027 ndp->ni_pathlen -= cnp->cn_namelen;
1028 KASSERT(ndp->ni_pathlen <= PATH_MAX,
1029 ("%s: ni_pathlen underflow to %zd\n", __func__, ndp->ni_pathlen));
1030 prev_ni_next = ndp->ni_next;
1034 * Something else should be clearing this.
1036 cnp->cn_flags &= ~(ISDOTDOT|ISLASTCN);
1038 cnp->cn_flags |= MAKEENTRY;
1039 if (*cp == '\0' && docache == 0)
1040 cnp->cn_flags &= ~MAKEENTRY;
1041 if (cnp->cn_namelen == 2 &&
1042 cnp->cn_nameptr[1] == '.' && cnp->cn_nameptr[0] == '.')
1043 cnp->cn_flags |= ISDOTDOT;
1044 if (*ndp->ni_next == 0) {
1045 cnp->cn_flags |= ISLASTCN;
1047 if (__predict_false(cnp->cn_namelen == 1 && cnp->cn_nameptr[0] == '.' &&
1048 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME))) {
1054 nameicap_tracker_add(ndp, dp);
1057 * Make sure degenerate names don't get here, their handling was
1058 * previously found in this spot.
1060 MPASS(cnp->cn_nameptr[0] != '\0');
1063 * Handle "..": five special cases.
1064 * 0. If doing a capability lookup and lookup_cap_dotdot is
1065 * disabled, return ENOTCAPABLE.
1066 * 1. Return an error if this is the last component of
1067 * the name and the operation is DELETE or RENAME.
1068 * 2. If at root directory (e.g. after chroot)
1069 * or at absolute root directory
1070 * then ignore it so can't get out.
1071 * 3. If this vnode is the root of a mounted
1072 * filesystem, then replace it with the
1073 * vnode which was mounted on so we take the
1074 * .. in the other filesystem.
1075 * 4. If the vnode is the top directory of
1076 * the jail or chroot, don't let them out.
1077 * 5. If doing a capability lookup and lookup_cap_dotdot is
1078 * enabled, return ENOTCAPABLE if the lookup would escape
1079 * from the initial file descriptor directory. Checks are
1080 * done by ensuring that namei() already traversed the
1081 * result of dotdot lookup.
1083 if (cnp->cn_flags & ISDOTDOT) {
1084 if ((ndp->ni_lcf & (NI_LCF_STRICTRELATIVE | NI_LCF_CAP_DOTDOT))
1085 == NI_LCF_STRICTRELATIVE) {
1087 if (KTRPOINT(curthread, KTR_CAPFAIL))
1088 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
1090 error = ENOTCAPABLE;
1093 if ((cnp->cn_flags & ISLASTCN) != 0 &&
1094 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
1099 for (pr = cnp->cn_cred->cr_prison; pr != NULL;
1101 if (dp == pr->pr_root)
1103 if (dp == ndp->ni_rootdir ||
1104 dp == ndp->ni_topdir ||
1107 ((dp->v_vflag & VV_ROOT) != 0 &&
1108 (cnp->cn_flags & NOCROSSMOUNT) != 0)) {
1114 if ((dp->v_vflag & VV_ROOT) == 0)
1116 if (VN_IS_DOOMED(dp)) { /* forced unmount */
1121 dp = dp->v_mount->mnt_vnodecovered;
1125 compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags |
1126 LK_RETRY, ISDOTDOT));
1127 error = nameicap_check_dotdot(ndp, dp);
1130 if (KTRPOINT(curthread, KTR_CAPFAIL))
1131 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
1139 * We now have a segment name to search for, and a directory to search.
1143 error = mac_vnode_check_lookup(cnp->cn_cred, dp, cnp);
1144 if (__predict_false(error))
1149 ASSERT_VOP_LOCKED(dp, "lookup");
1151 * If we have a shared lock we may need to upgrade the lock for the
1154 if ((cnp->cn_flags & LOCKPARENT) && (cnp->cn_flags & ISLASTCN) &&
1155 dp != vp_crossmp && VOP_ISLOCKED(dp) == LK_SHARED)
1156 vn_lock(dp, LK_UPGRADE|LK_RETRY);
1157 if (VN_IS_DOOMED(dp)) {
1162 * If we're looking up the last component and we need an exclusive
1163 * lock, adjust our lkflags.
1165 if (needs_exclusive_leaf(dp->v_mount, cnp->cn_flags))
1166 cnp->cn_lkflags = LK_EXCLUSIVE;
1167 #ifdef NAMEI_DIAGNOSTIC
1168 vn_printf(dp, "lookup in ");
1170 lkflags_save = cnp->cn_lkflags;
1171 cnp->cn_lkflags = compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags,
1173 error = VOP_LOOKUP(dp, &ndp->ni_vp, cnp);
1174 cnp->cn_lkflags = lkflags_save;
1176 KASSERT(ndp->ni_vp == NULL, ("leaf should be empty"));
1177 #ifdef NAMEI_DIAGNOSTIC
1178 printf("not found\n");
1180 if ((error == ENOENT) &&
1181 (dp->v_vflag & VV_ROOT) && (dp->v_mount != NULL) &&
1182 (dp->v_mount->mnt_flag & MNT_UNION)) {
1184 dp = dp->v_mount->mnt_vnodecovered;
1188 compute_cn_lkflags(dp->v_mount, cnp->cn_lkflags |
1189 LK_RETRY, cnp->cn_flags));
1190 nameicap_tracker_add(ndp, dp);
1194 if (error == ERELOOKUP) {
1202 if (error != EJUSTRETURN)
1205 * At this point, we know we're at the end of the
1206 * pathname. If creating / renaming, we can consider
1207 * allowing the file or directory to be created / renamed,
1208 * provided we're not on a read-only filesystem.
1214 /* trailing slash only allowed for directories */
1215 if ((cnp->cn_flags & TRAILINGSLASH) &&
1216 !(cnp->cn_flags & WILLBEDIR)) {
1220 if ((cnp->cn_flags & LOCKPARENT) == 0)
1223 * We return with ni_vp NULL to indicate that the entry
1224 * doesn't currently exist, leaving a pointer to the
1225 * (possibly locked) directory vnode in ndp->ni_dvp.
1227 if (cnp->cn_flags & SAVESTART) {
1228 ndp->ni_startdir = ndp->ni_dvp;
1229 VREF(ndp->ni_startdir);
1235 #ifdef NAMEI_DIAGNOSTIC
1241 * Check to see if the vnode has been mounted on;
1242 * if so find the root of the mounted filesystem.
1244 while (dp->v_type == VDIR && (mp = dp->v_mountedhere) &&
1245 (cnp->cn_flags & NOCROSSMOUNT) == 0) {
1246 if (vfs_busy(mp, 0))
1249 if (dp != ndp->ni_dvp)
1253 vrefact(vp_crossmp);
1254 ndp->ni_dvp = vp_crossmp;
1255 error = VFS_ROOT(mp, compute_cn_lkflags(mp, cnp->cn_lkflags,
1256 cnp->cn_flags), &tdp);
1258 if (vn_lock(vp_crossmp, LK_SHARED | LK_NOWAIT))
1259 panic("vp_crossmp exclusively locked or reclaimed");
1264 ndp->ni_vp = dp = tdp;
1268 * Check for symbolic link
1270 if ((dp->v_type == VLNK) &&
1271 ((cnp->cn_flags & FOLLOW) || (cnp->cn_flags & TRAILINGSLASH) ||
1272 *ndp->ni_next == '/')) {
1273 cnp->cn_flags |= ISSYMLINK;
1274 if (VN_IS_DOOMED(dp)) {
1276 * We can't know whether the directory was mounted with
1277 * NOSYMFOLLOW, so we can't follow safely.
1282 if (dp->v_mount->mnt_flag & MNT_NOSYMFOLLOW) {
1287 * Symlink code always expects an unlocked dvp.
1289 if (ndp->ni_dvp != ndp->ni_vp) {
1290 VOP_UNLOCK(ndp->ni_dvp);
1291 ni_dvp_unlocked = 1;
1298 * Not a symbolic link that we will follow. Continue with the
1299 * next component if there is any; otherwise, we're done.
1301 KASSERT((cnp->cn_flags & ISLASTCN) || *ndp->ni_next == '/',
1302 ("lookup: invalid path state."));
1305 ndp->ni_pathlen = prev_ni_pathlen;
1306 ndp->ni_next = prev_ni_next;
1307 if (ndp->ni_dvp != dp)
1313 if (cnp->cn_flags & ISDOTDOT) {
1314 error = nameicap_check_dotdot(ndp, ndp->ni_vp);
1317 if (KTRPOINT(curthread, KTR_CAPFAIL))
1318 ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
1323 if (*ndp->ni_next == '/') {
1324 cnp->cn_nameptr = ndp->ni_next;
1325 while (*cnp->cn_nameptr == '/') {
1329 if (ndp->ni_dvp != dp)
1336 * If we're processing a path with a trailing slash,
1337 * check that the end result is a directory.
1339 if ((cnp->cn_flags & TRAILINGSLASH) && dp->v_type != VDIR) {
1344 * Disallow directory write attempts on read-only filesystems.
1347 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
1351 if (cnp->cn_flags & SAVESTART) {
1352 ndp->ni_startdir = ndp->ni_dvp;
1353 VREF(ndp->ni_startdir);
1356 ni_dvp_unlocked = 2;
1357 if (ndp->ni_dvp != dp)
1361 } else if ((cnp->cn_flags & LOCKPARENT) == 0 && ndp->ni_dvp != dp) {
1362 VOP_UNLOCK(ndp->ni_dvp);
1363 ni_dvp_unlocked = 1;
1366 if (cnp->cn_flags & AUDITVNODE1)
1367 AUDIT_ARG_VNODE1(dp);
1368 else if (cnp->cn_flags & AUDITVNODE2)
1369 AUDIT_ARG_VNODE2(dp);
1371 if ((cnp->cn_flags & LOCKLEAF) == 0)
1375 * FIXME: for lookups which only cross a mount point to fetch the
1376 * root vnode, ni_dvp will be set to vp_crossmp. This can be a problem
1377 * if either WANTPARENT or LOCKPARENT is set.
1380 * Because of shared lookup we may have the vnode shared locked, but
1381 * the caller may want it to be exclusively locked.
1383 if (needs_exclusive_leaf(dp->v_mount, cnp->cn_flags) &&
1384 VOP_ISLOCKED(dp) != LK_EXCLUSIVE) {
1385 vn_lock(dp, LK_UPGRADE | LK_RETRY);
1386 if (VN_IS_DOOMED(dp)) {
1392 if (ndp->ni_vp != NULL) {
1393 if ((cnp->cn_flags & ISDOTDOT) == 0)
1394 nameicap_tracker_add(ndp, ndp->ni_vp);
1395 if ((cnp->cn_flags & (FAILIFEXISTS | ISSYMLINK)) == FAILIFEXISTS)
1396 return (vfs_lookup_failifexists(ndp));
1401 if (ni_dvp_unlocked != 2) {
1402 if (dp != ndp->ni_dvp && !ni_dvp_unlocked)
1416 * relookup - lookup a path name component
1417 * Used by lookup to re-acquire things.
1420 vfs_relookup(struct vnode *dvp, struct vnode **vpp, struct componentname *cnp)
1422 struct vnode *dp = NULL; /* the directory we are searching */
1423 int rdonly; /* lookup read-only flag bit */
1426 KASSERT(cnp->cn_flags & ISLASTCN,
1427 ("relookup: Not given last component."));
1429 * Setup: break out flag bits into variables.
1431 KASSERT((cnp->cn_flags & (LOCKPARENT | WANTPARENT)) != 0,
1432 ("relookup: parent not wanted"));
1433 rdonly = cnp->cn_flags & RDONLY;
1434 cnp->cn_flags &= ~ISSYMLINK;
1436 cnp->cn_lkflags = LK_EXCLUSIVE;
1437 vn_lock(dp, LK_EXCLUSIVE | LK_RETRY);
1440 * Search a new directory.
1442 * The last component of the filename is left accessible via
1443 * cnp->cn_nameptr for callers that need the name. Callers needing
1444 * the name set the SAVENAME flag. When done, they assume
1445 * responsibility for freeing the pathname buffer.
1447 #ifdef NAMEI_DIAGNOSTIC
1448 printf("{%s}: ", cnp->cn_nameptr);
1452 * Check for "" which represents the root directory after slash
1455 if (cnp->cn_nameptr[0] == '\0') {
1457 * Support only LOOKUP for "/" because lookup()
1458 * can't succeed for CREATE, DELETE and RENAME.
1460 KASSERT(cnp->cn_nameiop == LOOKUP, ("nameiop must be LOOKUP"));
1461 KASSERT(dp->v_type == VDIR, ("dp is not a directory"));
1463 if (!(cnp->cn_flags & LOCKLEAF))
1466 /* XXX This should probably move to the top of function. */
1467 if (cnp->cn_flags & SAVESTART)
1468 panic("lookup: SAVESTART");
1472 if (cnp->cn_flags & ISDOTDOT)
1473 panic ("relookup: lookup on dot-dot");
1476 * We now have a segment name to search for, and a directory to search.
1478 #ifdef NAMEI_DIAGNOSTIC
1479 vn_printf(dp, "search in ");
1481 if ((error = VOP_LOOKUP(dp, vpp, cnp)) != 0) {
1482 KASSERT(*vpp == NULL, ("leaf should be empty"));
1483 if (error != EJUSTRETURN)
1486 * If creating and at end of pathname, then can consider
1487 * allowing file to be created.
1493 /* ASSERT(dvp == ndp->ni_startdir) */
1494 if (cnp->cn_flags & SAVESTART)
1496 if ((cnp->cn_flags & LOCKPARENT) == 0)
1499 * We return with ni_vp NULL to indicate that the entry
1500 * doesn't currently exist, leaving a pointer to the
1501 * (possibly locked) directory vnode in ndp->ni_dvp.
1509 * Disallow directory write attempts on read-only filesystems.
1512 (cnp->cn_nameiop == DELETE || cnp->cn_nameiop == RENAME)) {
1521 * Set the parent lock/ref state to the requested state.
1523 if ((cnp->cn_flags & LOCKPARENT) == 0 && dvp != dp)
1526 * Check for symbolic link
1528 KASSERT(dp->v_type != VLNK || !(cnp->cn_flags & FOLLOW),
1529 ("relookup: symlink found.\n"));
1531 /* ASSERT(dvp == ndp->ni_startdir) */
1532 if (cnp->cn_flags & SAVESTART)
1535 if ((cnp->cn_flags & LOCKLEAF) == 0)
1545 * Free data allocated by namei(); see namei(9) for details.
1548 NDFREE_PNBUF(struct nameidata *ndp)
1551 if ((ndp->ni_cnd.cn_flags & HASBUF) != 0) {
1552 MPASS((ndp->ni_cnd.cn_flags & (SAVENAME | SAVESTART)) != 0);
1553 uma_zfree(namei_zone, ndp->ni_cnd.cn_pnbuf);
1554 ndp->ni_cnd.cn_flags &= ~HASBUF;
1559 * NDFREE_PNBUF replacement for callers that know there is no buffer.
1561 * This is a hack. Preferably the VFS layer would not produce anything more
1562 * than it was asked to do. Unfortunately several non-LOOKUP cases can add the
1563 * HASBUF flag to the result. Even then an interface could be implemented where
1564 * the caller specifies what they expected to see in the result and what they
1565 * are going to take care of.
1567 * In the meantime provide this kludge as a trivial replacement for NDFREE_PNBUF
1568 * calls scattered throughout the kernel where we know for a fact the flag must not
1573 NDFREE_NOTHING(struct nameidata *ndp)
1575 struct componentname *cnp;
1578 KASSERT(cnp->cn_nameiop == LOOKUP, ("%s: got non-LOOKUP op %d\n",
1579 __func__, cnp->cn_nameiop));
1580 KASSERT((cnp->cn_flags & (SAVENAME | HASBUF)) == 0,
1581 ("%s: bad flags \%" PRIx64 "\n", __func__, cnp->cn_flags));
1586 (NDFREE)(struct nameidata *ndp, const u_int flags)
1594 if (!(flags & NDF_NO_FREE_PNBUF)) {
1597 if (!(flags & NDF_NO_VP_UNLOCK) &&
1598 (ndp->ni_cnd.cn_flags & LOCKLEAF) && ndp->ni_vp)
1600 if (!(flags & NDF_NO_DVP_UNLOCK) &&
1601 (ndp->ni_cnd.cn_flags & LOCKPARENT) &&
1602 ndp->ni_dvp != ndp->ni_vp)
1604 if (!(flags & NDF_NO_VP_RELE) && ndp->ni_vp) {
1613 VOP_UNLOCK(ndp->ni_vp);
1614 if (!(flags & NDF_NO_DVP_RELE) &&
1615 (ndp->ni_cnd.cn_flags & (LOCKPARENT|WANTPARENT))) {
1624 VOP_UNLOCK(ndp->ni_dvp);
1625 if (!(flags & NDF_NO_STARTDIR_RELE) &&
1626 (ndp->ni_cnd.cn_flags & SAVESTART)) {
1627 vrele(ndp->ni_startdir);
1628 ndp->ni_startdir = NULL;
1634 * Validate the final state of ndp after the lookup.
1636 * Historically filesystems were allowed to modify cn_flags. Most notably they
1637 * can add SAVENAME to the request, resulting in HASBUF and pushing subsequent
1638 * clean up to the consumer. In practice this seems to only concern != LOOKUP
1641 * As a step towards stricter API contract this routine validates the state to
1642 * clean up. Note validation is a work in progress with the intent of becoming
1643 * stricter over time.
1645 #define NDMODIFYINGFLAGS (LOCKLEAF | LOCKPARENT | WANTPARENT | SAVENAME | SAVESTART | HASBUF)
1647 NDVALIDATE(struct nameidata *ndp)
1649 struct componentname *cnp;
1650 uint64_t used, orig;
1653 orig = cnp->cn_origflags;
1654 used = cnp->cn_flags;
1655 switch (cnp->cn_nameiop) {
1658 * For plain lookup we require strict conformance -- nothing
1659 * to clean up if it was not requested by the caller.
1661 orig &= NDMODIFYINGFLAGS;
1662 used &= NDMODIFYINGFLAGS;
1663 if ((orig & (SAVENAME | SAVESTART)) != 0)
1673 * Some filesystems set SAVENAME to provoke HASBUF, accommodate
1674 * for it until it gets fixed.
1676 orig &= NDMODIFYINGFLAGS;
1677 orig |= (SAVENAME | HASBUF);
1678 used &= NDMODIFYINGFLAGS;
1679 used |= (SAVENAME | HASBUF);
1687 panic("%s: mismatched flags for op %d: added %" PRIx64 ", "
1688 "removed %" PRIx64" (%" PRIx64" != %" PRIx64"; stored %" PRIx64" != %" PRIx64")",
1689 __func__, cnp->cn_nameiop, used & ~orig, orig &~ used,
1690 orig, used, cnp->cn_origflags, cnp->cn_flags);
1695 * Determine if there is a suitable alternate filename under the specified
1696 * prefix for the specified path. If the create flag is set, then the
1697 * alternate prefix will be used so long as the parent directory exists.
1698 * This is used by the various compatibility ABIs so that Linux binaries prefer
1699 * files under /compat/linux for example. The chosen path (whether under
1700 * the prefix or under /) is returned in a kernel malloc'd buffer pointed
1701 * to by pathbuf. The caller is responsible for free'ing the buffer from
1702 * the M_TEMP bucket if one is returned.
1705 kern_alternate_path(const char *prefix, const char *path, enum uio_seg pathseg,
1706 char **pathbuf, int create, int dirfd)
1708 struct nameidata nd, ndroot;
1709 char *ptr, *buf, *cp;
1713 buf = (char *) malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
1716 /* Copy the prefix into the new pathname as a starting point. */
1717 len = strlcpy(buf, prefix, MAXPATHLEN);
1718 if (len >= MAXPATHLEN) {
1723 sz = MAXPATHLEN - len;
1726 /* Append the filename to the prefix. */
1727 if (pathseg == UIO_SYSSPACE)
1728 error = copystr(path, ptr, sz, &len);
1730 error = copyinstr(path, ptr, sz, &len);
1738 /* Only use a prefix with absolute pathnames. */
1744 if (dirfd != AT_FDCWD) {
1746 * We want the original because the "prefix" is
1747 * included in the already opened dirfd.
1749 bcopy(ptr, buf, len);
1754 * We know that there is a / somewhere in this pathname.
1755 * Search backwards for it, to find the file's parent dir
1756 * to see if it exists in the alternate tree. If it does,
1757 * and we want to create a file (cflag is set). We don't
1758 * need to worry about the root comparison in this case.
1762 for (cp = &ptr[len] - 1; *cp != '/'; cp--);
1765 NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, buf);
1771 NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, buf);
1778 * We now compare the vnode of the prefix to the one
1779 * vnode asked. If they resolve to be the same, then we
1780 * ignore the match so that the real root gets used.
1781 * This avoids the problem of traversing "../.." to find the
1782 * root directory and never finding it, because "/" resolves
1783 * to the emulation root directory. This is expensive :-(
1785 NDINIT(&ndroot, LOOKUP, FOLLOW, UIO_SYSSPACE, prefix);
1787 /* We shouldn't ever get an error from this namei(). */
1788 error = namei(&ndroot);
1790 if (nd.ni_vp == ndroot.ni_vp)
1793 NDFREE_PNBUF(&ndroot);
1794 vrele(ndroot.ni_vp);
1802 /* If there was an error, use the original path name. */
1804 bcopy(ptr, buf, len);