1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 *
4 * Copyright (C) 2019-2021 Paragon Software GmbH, All rights reserved.
5 *
6 * Directory handling functions for NTFS-based filesystems.
7 *
8 */
9
10 #include <linux/fs.h>
11 #include <linux/filelock.h>
12 #include <linux/nls.h>
13
14 #include "debug.h"
15 #include "ntfs.h"
16 #include "ntfs_fs.h"
17
18 /* Convert little endian UTF-16 to NLS string. */
ntfs_utf16_to_nls(struct ntfs_sb_info * sbi,const __le16 * name,u32 len,u8 * buf,int buf_len)19 int ntfs_utf16_to_nls(struct ntfs_sb_info *sbi, const __le16 *name, u32 len,
20 u8 *buf, int buf_len)
21 {
22 int ret, warn;
23 u8 *op;
24 struct nls_table *nls = sbi->options->nls;
25
26 static_assert(sizeof(wchar_t) == sizeof(__le16));
27
28 if (!nls) {
29 /* UTF-16 -> UTF-8 */
30 ret = utf16s_to_utf8s((wchar_t *)name, len, UTF16_LITTLE_ENDIAN,
31 buf, buf_len);
32 buf[ret] = '\0';
33 return ret;
34 }
35
36 op = buf;
37 warn = 0;
38
39 while (len--) {
40 u16 ec;
41 int charlen;
42 char dump[5];
43
44 if (buf_len < NLS_MAX_CHARSET_SIZE) {
45 ntfs_warn(sbi->sb,
46 "filename was truncated while converting.");
47 break;
48 }
49
50 ec = le16_to_cpu(*name++);
51 charlen = nls->uni2char(ec, op, buf_len);
52
53 if (charlen > 0) {
54 op += charlen;
55 buf_len -= charlen;
56 continue;
57 }
58
59 *op++ = '_';
60 buf_len -= 1;
61 if (warn)
62 continue;
63
64 warn = 1;
65 hex_byte_pack(&dump[0], ec >> 8);
66 hex_byte_pack(&dump[2], ec);
67 dump[4] = 0;
68
69 ntfs_err(sbi->sb, "failed to convert \"%s\" to %s", dump,
70 nls->charset);
71 }
72
73 *op = '\0';
74 return op - buf;
75 }
76
77 // clang-format off
78 #define PLANE_SIZE 0x00010000
79
80 #define SURROGATE_PAIR 0x0000d800
81 #define SURROGATE_LOW 0x00000400
82 #define SURROGATE_BITS 0x000003ff
83 // clang-format on
84
85 /*
86 * put_utf16 - Modified version of put_utf16 from fs/nls/nls_base.c
87 *
88 * Function is sparse warnings free.
89 */
put_utf16(wchar_t * s,unsigned int c,enum utf16_endian endian)90 static inline void put_utf16(wchar_t *s, unsigned int c,
91 enum utf16_endian endian)
92 {
93 static_assert(sizeof(wchar_t) == sizeof(__le16));
94 static_assert(sizeof(wchar_t) == sizeof(__be16));
95
96 switch (endian) {
97 default:
98 *s = (wchar_t)c;
99 break;
100 case UTF16_LITTLE_ENDIAN:
101 *(__le16 *)s = __cpu_to_le16(c);
102 break;
103 case UTF16_BIG_ENDIAN:
104 *(__be16 *)s = __cpu_to_be16(c);
105 break;
106 }
107 }
108
109 /*
110 * _utf8s_to_utf16s
111 *
112 * Modified version of 'utf8s_to_utf16s' allows to
113 * detect -ENAMETOOLONG without writing out of expected maximum.
114 */
_utf8s_to_utf16s(const u8 * s,int inlen,enum utf16_endian endian,wchar_t * pwcs,int maxout)115 static int _utf8s_to_utf16s(const u8 *s, int inlen, enum utf16_endian endian,
116 wchar_t *pwcs, int maxout)
117 {
118 u16 *op;
119 int size;
120 unicode_t u;
121
122 op = pwcs;
123 while (inlen > 0 && *s) {
124 if (*s & 0x80) {
125 size = utf8_to_utf32(s, inlen, &u);
126 if (size < 0)
127 return -EINVAL;
128 s += size;
129 inlen -= size;
130
131 if (u >= PLANE_SIZE) {
132 if (maxout < 2)
133 return -ENAMETOOLONG;
134
135 u -= PLANE_SIZE;
136 put_utf16(op++,
137 SURROGATE_PAIR |
138 ((u >> 10) & SURROGATE_BITS),
139 endian);
140 put_utf16(op++,
141 SURROGATE_PAIR | SURROGATE_LOW |
142 (u & SURROGATE_BITS),
143 endian);
144 maxout -= 2;
145 } else {
146 if (maxout < 1)
147 return -ENAMETOOLONG;
148
149 put_utf16(op++, u, endian);
150 maxout--;
151 }
152 } else {
153 if (maxout < 1)
154 return -ENAMETOOLONG;
155
156 put_utf16(op++, *s++, endian);
157 inlen--;
158 maxout--;
159 }
160 }
161 return op - pwcs;
162 }
163
164 /*
165 * ntfs_nls_to_utf16 - Convert input string to UTF-16.
166 * @name: Input name.
167 * @name_len: Input name length.
168 * @uni: Destination memory.
169 * @max_ulen: Destination memory.
170 * @endian: Endian of target UTF-16 string.
171 *
172 * This function is called:
173 * - to create NTFS name
174 * - to create symlink
175 *
176 * Return: UTF-16 string length or error (if negative).
177 */
ntfs_nls_to_utf16(struct ntfs_sb_info * sbi,const u8 * name,u32 name_len,struct cpu_str * uni,u32 max_ulen,enum utf16_endian endian)178 int ntfs_nls_to_utf16(struct ntfs_sb_info *sbi, const u8 *name, u32 name_len,
179 struct cpu_str *uni, u32 max_ulen,
180 enum utf16_endian endian)
181 {
182 int ret, slen;
183 const u8 *end;
184 struct nls_table *nls = sbi->options->nls;
185 u16 *uname = uni->name;
186
187 static_assert(sizeof(wchar_t) == sizeof(u16));
188
189 if (!nls) {
190 /* utf8 -> utf16 */
191 ret = _utf8s_to_utf16s(name, name_len, endian, uname, max_ulen);
192 uni->len = ret;
193 return ret;
194 }
195
196 for (ret = 0, end = name + name_len; name < end; ret++, name += slen) {
197 if (ret >= max_ulen)
198 return -ENAMETOOLONG;
199
200 slen = nls->char2uni(name, end - name, uname + ret);
201 if (!slen)
202 return -EINVAL;
203 if (slen < 0)
204 return slen;
205 }
206
207 #ifdef __BIG_ENDIAN
208 if (endian == UTF16_LITTLE_ENDIAN) {
209 int i = ret;
210
211 while (i--) {
212 __cpu_to_le16s(uname);
213 uname++;
214 }
215 }
216 #else
217 if (endian == UTF16_BIG_ENDIAN) {
218 int i = ret;
219
220 while (i--) {
221 __cpu_to_be16s(uname);
222 uname++;
223 }
224 }
225 #endif
226
227 uni->len = ret;
228 return ret;
229 }
230
231 /*
232 * dir_search_u - Helper function.
233 */
dir_search_u(struct inode * dir,const struct cpu_str * uni,struct ntfs_fnd * fnd)234 struct inode *dir_search_u(struct inode *dir, const struct cpu_str *uni,
235 struct ntfs_fnd *fnd)
236 {
237 int err = 0;
238 struct super_block *sb = dir->i_sb;
239 struct ntfs_sb_info *sbi = sb->s_fs_info;
240 struct ntfs_inode *ni = ntfs_i(dir);
241 struct NTFS_DE *e;
242 int diff;
243 struct inode *inode = NULL;
244 struct ntfs_fnd *fnd_a = NULL;
245
246 if (!fnd) {
247 fnd_a = fnd_get();
248 if (!fnd_a) {
249 err = -ENOMEM;
250 goto out;
251 }
252 fnd = fnd_a;
253 }
254
255 err = indx_find(&ni->dir, ni, NULL, uni, 0, sbi, &diff, &e, fnd);
256
257 if (err)
258 goto out;
259
260 if (diff) {
261 err = -ENOENT;
262 goto out;
263 }
264
265 inode = ntfs_iget5(sb, &e->ref, uni);
266 if (!IS_ERR(inode) && is_bad_inode(inode)) {
267 iput(inode);
268 err = -EINVAL;
269 }
270 out:
271 fnd_put(fnd_a);
272
273 return err == -ENOENT ? NULL : err ? ERR_PTR(err) : inode;
274 }
275
276 /*
277 * returns false if 'ctx' if full
278 */
ntfs_dir_emit(struct ntfs_sb_info * sbi,struct ntfs_inode * ni,const struct NTFS_DE * e,u8 * name,struct dir_context * ctx)279 static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi,
280 struct ntfs_inode *ni, const struct NTFS_DE *e,
281 u8 *name, struct dir_context *ctx)
282 {
283 const struct ATTR_FILE_NAME *fname;
284 unsigned long ino;
285 int name_len;
286 u32 dt_type;
287
288 fname = Add2Ptr(e, sizeof(struct NTFS_DE));
289
290 if (fname->type == FILE_NAME_DOS)
291 return true;
292
293 if (!mi_is_ref(&ni->mi, &fname->home))
294 return true;
295
296 ino = ino_get(&e->ref);
297
298 if (ino == MFT_REC_ROOT)
299 return true;
300
301 /* Skip meta files. Unless option to show metafiles is set. */
302 if (!sbi->options->showmeta && ntfs_is_meta_file(sbi, ino))
303 return true;
304
305 if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN))
306 return true;
307
308 if (fname->name_len + sizeof(struct NTFS_DE) > le16_to_cpu(e->size))
309 return true;
310
311 name_len = ntfs_utf16_to_nls(sbi, fname->name, fname->name_len, name,
312 PATH_MAX);
313 if (name_len <= 0) {
314 ntfs_warn(sbi->sb, "failed to convert name for inode %lx.",
315 ino);
316 return true;
317 }
318
319 /*
320 * NTFS: symlinks are "dir + reparse" or "file + reparse"
321 * Unfortunately reparse attribute is used for many purposes (several dozens).
322 * It is not possible here to know is this name symlink or not.
323 * To get exactly the type of name we should to open inode (read mft).
324 * getattr for opened file (fstat) correctly returns symlink.
325 */
326 dt_type = (fname->dup.fa & FILE_ATTRIBUTE_DIRECTORY) ? DT_DIR : DT_REG;
327
328 /*
329 * It is not reliable to detect the type of name using duplicated information
330 * stored in parent directory.
331 * The only correct way to get the type of name - read MFT record and find ATTR_STD.
332 * The code below is not good idea.
333 * It does additional locks/reads just to get the type of name.
334 * Should we use additional mount option to enable branch below?
335 */
336 if (fname->dup.extend_data && ino != ni->mi.rno) {
337 struct inode *inode = ntfs_iget5(sbi->sb, &e->ref, NULL);
338 if (!IS_ERR_OR_NULL(inode)) {
339 dt_type = fs_umode_to_dtype(inode->i_mode);
340 iput(inode);
341 }
342 }
343
344 return dir_emit(ctx, (s8 *)name, name_len, ino, dt_type);
345 }
346
347 /*
348 * ntfs_read_hdr - Helper function for ntfs_readdir().
349 *
350 * returns 0 if ok.
351 * returns -EINVAL if directory is corrupted.
352 * returns +1 if 'ctx' is full.
353 */
ntfs_read_hdr(struct ntfs_sb_info * sbi,struct ntfs_inode * ni,const struct INDEX_HDR * hdr,u64 vbo,u64 pos,u8 * name,struct dir_context * ctx)354 static int ntfs_read_hdr(struct ntfs_sb_info *sbi, struct ntfs_inode *ni,
355 const struct INDEX_HDR *hdr, u64 vbo, u64 pos,
356 u8 *name, struct dir_context *ctx)
357 {
358 const struct NTFS_DE *e;
359 u32 e_size;
360 u32 end = le32_to_cpu(hdr->used);
361 u32 off = le32_to_cpu(hdr->de_off);
362
363 for (;; off += e_size) {
364 if (off + sizeof(struct NTFS_DE) > end)
365 return -EINVAL;
366
367 e = Add2Ptr(hdr, off);
368 e_size = le16_to_cpu(e->size);
369 if (e_size < sizeof(struct NTFS_DE) || off + e_size > end)
370 return -EINVAL;
371
372 if (de_is_last(e))
373 return 0;
374
375 /* Skip already enumerated. */
376 if (vbo + off < pos)
377 continue;
378
379 if (le16_to_cpu(e->key_size) < SIZEOF_ATTRIBUTE_FILENAME)
380 return -EINVAL;
381
382 ctx->pos = vbo + off;
383
384 /* Submit the name to the filldir callback. */
385 if (!ntfs_dir_emit(sbi, ni, e, name, ctx)) {
386 /* ctx is full. */
387 return +1;
388 }
389 }
390 }
391
392 /*
393 * ntfs_readdir - file_operations::iterate_shared
394 *
395 * Use non sorted enumeration.
396 * Sorted enumeration may result infinite loop if names tree contains loop.
397 */
ntfs_readdir(struct file * file,struct dir_context * ctx)398 static int ntfs_readdir(struct file *file, struct dir_context *ctx)
399 {
400 const struct INDEX_ROOT *root;
401 size_t bit;
402 int err = 0;
403 struct inode *dir = file_inode(file);
404 struct ntfs_inode *ni = ntfs_i(dir);
405 struct super_block *sb = dir->i_sb;
406 struct ntfs_sb_info *sbi = sb->s_fs_info;
407 loff_t i_size = i_size_read(dir);
408 u64 pos = ctx->pos;
409 u8 *name = NULL;
410 struct indx_node *node = NULL;
411 u8 index_bits = ni->dir.index_bits;
412 size_t max_bit = i_size >> ni->dir.index_bits;
413 loff_t eod = i_size + sbi->record_size;
414
415 /* Name is a buffer of PATH_MAX length. */
416 static_assert(NTFS_NAME_LEN * 4 < PATH_MAX);
417
418 if (!pos) {
419 /*
420 * ni->dir.version increments each directory change.
421 * Save the initial value of ni->dir.version.
422 */
423 file->private_data = (void *)ni->dir.version;
424 }
425
426 if (pos >= eod) {
427 if (file->private_data == (void *)ni->dir.version) {
428 /* No changes since first readdir. */
429 return 0;
430 }
431
432 /*
433 * Handle directories that changed after the initial readdir().
434 *
435 * Some user space code implements recursive removal like this instead
436 * of calling rmdir(2) directly:
437 *
438 * fd = opendir(path);
439 * while ((dent = readdir(fd)))
440 * unlinkat(dirfd(fd), dent->d_name, 0);
441 * closedir(fd);
442 *
443 * POSIX leaves unspecified what readdir() should return once the
444 * directory has been modified after opendir()/rewinddir(), so this
445 * pattern is not guaranteed to work on all filesystems or platforms.
446 *
447 * In ntfs3 the internal name tree may be reshaped while entries are
448 * being removed, so there is no stable anchor for continuing a
449 * single-pass walk based on the original readdir() order.
450 *
451 * In practice some widely used tools (for example certain rm(1)
452 * implementations) have used this readdir()/unlink() loop, and some
453 * filesystems behave in a way that effectively makes it work in the
454 * common case.
455 *
456 * The code below follows that practice and tries to provide
457 * "rmdir-like" behaviour for such callers on ntfs3, even though the
458 * situation is not strictly defined by the APIs.
459 *
460 * Apple documents the same readdir()/unlink() issue and a workaround
461 * for HFS file systems in:
462 * https://web.archive.org/web/20220122122948/https:/support.apple.com/kb/TA21420?locale=en_US
463 */
464 ctx->pos = pos = 3;
465 file->private_data = (void *)ni->dir.version;
466 }
467
468 if (!dir_emit_dots(file, ctx))
469 return 0;
470
471 name = kmalloc(PATH_MAX, GFP_KERNEL);
472 if (!name)
473 return -ENOMEM;
474
475 if (!ni->mi_loaded && ni->attr_list.size) {
476 /*
477 * Directory inode is locked for read.
478 * Load all subrecords to avoid 'write' access to 'ni' during
479 * directory reading.
480 */
481 ni_lock(ni);
482 if (!ni->mi_loaded && ni->attr_list.size) {
483 err = ni_load_all_mi(ni);
484 if (!err)
485 ni->mi_loaded = true;
486 }
487 ni_unlock(ni);
488 if (err)
489 goto out;
490 }
491
492 root = indx_get_root(&ni->dir, ni, NULL, NULL);
493 if (!root) {
494 err = -EINVAL;
495 goto out;
496 }
497
498 if (pos >= sbi->record_size) {
499 bit = (pos - sbi->record_size) >> index_bits;
500 } else {
501 /*
502 * Add each name from root in 'ctx'.
503 */
504 err = ntfs_read_hdr(sbi, ni, &root->ihdr, 0, pos, name, ctx);
505 if (err)
506 goto out;
507 bit = 0;
508 }
509
510 /*
511 * Enumerate indexes until the end of dir.
512 */
513 for (; bit < max_bit; bit += 1) {
514 /* Get the next used index. */
515 err = indx_used_bit(&ni->dir, ni, &bit);
516 if (err)
517 goto out;
518
519 if (bit == MINUS_ONE_T) {
520 /* no more used indexes. end of dir. */
521 break;
522 }
523
524 if (bit >= max_bit) {
525 /* Corrupted directory. */
526 err = -EINVAL;
527 goto out;
528 }
529
530 err = indx_read_ra(&ni->dir, ni, bit << ni->dir.idx2vbn_bits,
531 &node, &file->f_ra);
532 if (err)
533 goto out;
534
535 /*
536 * Add each name from index in 'ctx'.
537 */
538 err = ntfs_read_hdr(sbi, ni, &node->index->ihdr,
539 ((u64)bit << index_bits) + sbi->record_size,
540 pos, name, ctx);
541 if (err)
542 goto out;
543 }
544
545 out:
546 kfree(name);
547 put_indx_node(node);
548
549 if (!err) {
550 /* End of directory. */
551 ctx->pos = eod;
552 } else if (err == 1) {
553 /* 'ctx' is full. */
554 err = 0;
555 } else if (err == -ENOENT) {
556 err = 0;
557 ctx->pos = pos;
558 } else if (err < 0) {
559 if (err == -EINVAL)
560 _ntfs_bad_inode(dir);
561 ctx->pos = eod;
562 }
563
564 return err;
565 }
566
ntfs_dir_count(struct inode * dir,bool * is_empty,size_t * dirs,size_t * files)567 static int ntfs_dir_count(struct inode *dir, bool *is_empty, size_t *dirs,
568 size_t *files)
569 {
570 int err = 0;
571 struct ntfs_inode *ni = ntfs_i(dir);
572 struct NTFS_DE *e = NULL;
573 struct INDEX_ROOT *root;
574 struct INDEX_HDR *hdr;
575 const struct ATTR_FILE_NAME *fname;
576 u32 e_size, off, end;
577 size_t drs = 0, fles = 0, bit = 0;
578 struct indx_node *node = NULL;
579 size_t max_indx = i_size_read(&ni->vfs_inode) >> ni->dir.index_bits;
580
581 if (is_empty)
582 *is_empty = true;
583
584 root = indx_get_root(&ni->dir, ni, NULL, NULL);
585 if (!root)
586 return -EINVAL;
587
588 hdr = &root->ihdr;
589
590 for (;;) {
591 end = le32_to_cpu(hdr->used);
592 off = le32_to_cpu(hdr->de_off);
593
594 for (; off + sizeof(struct NTFS_DE) <= end; off += e_size) {
595 e = Add2Ptr(hdr, off);
596 e_size = le16_to_cpu(e->size);
597 if (e_size < sizeof(struct NTFS_DE) ||
598 off + e_size > end) {
599 /* Looks like corruption. */
600 break;
601 }
602
603 if (de_is_last(e))
604 break;
605
606 fname = de_get_fname(e);
607 if (!fname)
608 continue;
609
610 if (fname->type == FILE_NAME_DOS)
611 continue;
612
613 if (is_empty) {
614 *is_empty = false;
615 if (!dirs && !files)
616 goto out;
617 }
618
619 if (fname->dup.fa & FILE_ATTRIBUTE_DIRECTORY)
620 drs += 1;
621 else
622 fles += 1;
623 }
624
625 if (bit >= max_indx)
626 goto out;
627
628 err = indx_used_bit(&ni->dir, ni, &bit);
629 if (err)
630 goto out;
631
632 if (bit == MINUS_ONE_T)
633 goto out;
634
635 if (bit >= max_indx)
636 goto out;
637
638 err = indx_read(&ni->dir, ni, bit << ni->dir.idx2vbn_bits,
639 &node);
640 if (err)
641 goto out;
642
643 hdr = &node->index->ihdr;
644 bit += 1;
645 }
646
647 out:
648 put_indx_node(node);
649 if (dirs)
650 *dirs = drs;
651 if (files)
652 *files = fles;
653
654 return err;
655 }
656
dir_is_empty(struct inode * dir)657 bool dir_is_empty(struct inode *dir)
658 {
659 bool is_empty = false;
660
661 ntfs_dir_count(dir, &is_empty, NULL, NULL);
662
663 return is_empty;
664 }
665
666 // clang-format off
667 const struct file_operations ntfs_dir_operations = {
668 .llseek = generic_file_llseek,
669 .read = generic_read_dir,
670 .iterate_shared = ntfs_readdir,
671 .fsync = ntfs_file_fsync,
672 .open = ntfs_file_open,
673 .unlocked_ioctl = ntfs_ioctl,
674 #ifdef CONFIG_COMPAT
675 .compat_ioctl = ntfs_compat_ioctl,
676 #endif
677 .setlease = generic_setlease,
678 };
679
680 #if IS_ENABLED(CONFIG_NTFS_FS)
681 const struct file_operations ntfs_legacy_dir_operations = {
682 .llseek = generic_file_llseek,
683 .read = generic_read_dir,
684 .iterate_shared = ntfs_readdir,
685 .open = ntfs_file_open,
686 .setlease = generic_setlease,
687 };
688 #endif
689 // clang-format on
690