ksmbd: fix racy issue from using ->d_parent and ->d_name

			return rc;

	}

	rc = ksmbd_vfs_kern_path(work, name, 0, path, 0);

	rc = ksmbd_vfs_kern_path_locked(work, name, 0, path, 0);

	if (rc) {

		pr_err("cannot get linux path (%s), err = %d\n",

		       name, rc);

		goto err_out1;

	}

	rc = ksmbd_vfs_kern_path(work, name, LOOKUP_NO_SYMLINKS, &path, 1);

	rc = ksmbd_vfs_kern_path_locked(work, name, LOOKUP_NO_SYMLINKS, &path, 1);

	if (!rc) {

		file_present = true;

		if (req->CreateOptions & FILE_DELETE_ON_CLOSE_LE) {

			/*

			 * If file exists with under flags, return access

			if (req->CreateDisposition == FILE_OVERWRITE_IF_LE ||

			    req->CreateDisposition == FILE_OPEN_IF_LE) {

				rc = -EACCES;

				path_put(&path);

				goto err_out;

			}

				ksmbd_debug(SMB,

					    "User does not have write permission\n");

				rc = -EACCES;

				path_put(&path);

				goto err_out;

			}

		} else if (d_is_symlink(path.dentry)) {

			rc = -EACCES;

			path_put(&path);

			goto err_out;

		}

	}

	if (rc) {

		file_present = true;

		idmap = mnt_idmap(path.mnt);

	} else {

		if (rc != -ENOENT)

			goto err_out;

		ksmbd_debug(SMB, "can not get linux path for %s, rc = %d\n",

			    name, rc);

		rc = 0;

	} else {

		file_present = true;

		idmap = mnt_idmap(path.mnt);

	}

	if (stream_name) {

		if (req->CreateOptions & FILE_DIRECTORY_FILE_LE) {

			if (s_type == DATA_STREAM) {

			if ((daccess & FILE_DELETE_LE) ||

			    (req->CreateOptions & FILE_DELETE_ON_CLOSE_LE)) {

				rc = ksmbd_vfs_may_delete(idmap,

							  path.dentry);

				rc = inode_permission(idmap,

						      d_inode(path.dentry->d_parent),

						      MAY_EXEC | MAY_WRITE);

				if (rc)

					goto err_out;

			}

	}

err_out:

	if (file_present || created)

		path_put(&path);

	if (file_present || created) {

		inode_unlock(d_inode(path.dentry->d_parent));

		dput(path.dentry);

	}

	ksmbd_revert_fsids(work);

err_out1:

	if (rc) {

		if (rc == -EINVAL)

			rsp->hdr.Status = STATUS_INVALID_PARAMETER;

static int smb2_rename(struct ksmbd_work *work,

		       struct ksmbd_file *fp,

		       struct mnt_idmap *idmap,

		       struct smb2_file_rename_info *file_info,

		       struct nls_table *local_nls)

{

	struct ksmbd_share_config *share = fp->tcon->share_conf;

	char *new_name = NULL, *abs_oldname = NULL, *old_name = NULL;

	char *pathname = NULL;

	struct path path;

	bool file_present = true;

	int rc;

	char *new_name = NULL;

	int rc, flags = 0;

	ksmbd_debug(SMB, "setting FILE_RENAME_INFO\n");

	pathname = kmalloc(PATH_MAX, GFP_KERNEL);

	if (!pathname)

		return -ENOMEM;

	abs_oldname = file_path(fp->filp, pathname, PATH_MAX);

	if (IS_ERR(abs_oldname)) {

		rc = -EINVAL;

		goto out;

	}

	old_name = strrchr(abs_oldname, '/');

	if (old_name && old_name[1] != '\0') {

		old_name++;

	} else {

		ksmbd_debug(SMB, "can't get last component in path %s\n",

			    abs_oldname);

		rc = -ENOENT;

		goto out;

	}

	new_name = smb2_get_name(file_info->FileName,

				 le32_to_cpu(file_info->FileNameLength),

				 local_nls);

	if (IS_ERR(new_name)) {

		rc = PTR_ERR(new_name);

		goto out;

	}

	if (IS_ERR(new_name))

		return PTR_ERR(new_name);

	if (strchr(new_name, ':')) {

		int s_type;

		if (rc)

			goto out;

		rc = ksmbd_vfs_setxattr(idmap,

		rc = ksmbd_vfs_setxattr(file_mnt_idmap(fp->filp),

					fp->filp->f_path.dentry,

					xattr_stream_name,

					NULL, 0, 0);

	}

	ksmbd_debug(SMB, "new name %s\n", new_name);

	rc = ksmbd_vfs_kern_path(work, new_name, LOOKUP_NO_SYMLINKS, &path, 1);

	if (rc) {

		if (rc != -ENOENT)

			goto out;

		file_present = false;

	} else {

		path_put(&path);

	}

	if (ksmbd_share_veto_filename(share, new_name)) {

		rc = -ENOENT;

		ksmbd_debug(SMB, "Can't rename vetoed file: %s\n", new_name);

		goto out;

	}

	if (file_info->ReplaceIfExists) {

		if (file_present) {

			rc = ksmbd_vfs_remove_file(work, new_name);

			if (rc) {

				if (rc != -ENOTEMPTY)

					rc = -EINVAL;

				ksmbd_debug(SMB, "cannot delete %s, rc %d\n",

					    new_name, rc);

				goto out;

			}

		}

	} else {

		if (file_present &&

		    strncmp(old_name, path.dentry->d_name.name, strlen(old_name))) {

			rc = -EEXIST;

			ksmbd_debug(SMB,

				    "cannot rename already existing file\n");

			goto out;

		}

	}

	if (!file_info->ReplaceIfExists)

		flags = RENAME_NOREPLACE;

	rc = ksmbd_vfs_fp_rename(work, fp, new_name);

	rc = ksmbd_vfs_rename(work, &fp->filp->f_path, new_name, flags);

out:

	kfree(pathname);

	if (!IS_ERR(new_name))

	kfree(new_name);

	return rc;

}

	}

	ksmbd_debug(SMB, "target name is %s\n", target_name);

	rc = ksmbd_vfs_kern_path(work, link_name, LOOKUP_NO_SYMLINKS, &path, 0);

	rc = ksmbd_vfs_kern_path_locked(work, link_name, LOOKUP_NO_SYMLINKS,

					&path, 0);

	if (rc) {

		if (rc != -ENOENT)

			goto out;

		file_present = false;

	} else {

		path_put(&path);

	}

	if (file_info->ReplaceIfExists) {

		if (file_present) {

			rc = ksmbd_vfs_remove_file(work, link_name);

			rc = ksmbd_vfs_remove_file(work, &path);

			if (rc) {

				rc = -EINVAL;

				ksmbd_debug(SMB, "cannot delete %s\n",

	if (rc)

		rc = -EINVAL;

out:

	if (file_present) {

		inode_unlock(d_inode(path.dentry->d_parent));

		path_put(&path);

	}

	if (!IS_ERR(link_name))

		kfree(link_name);

	kfree(pathname);

			   struct smb2_file_rename_info *rename_info,

			   unsigned int buf_len)

{

	struct mnt_idmap *idmap;

	struct ksmbd_file *parent_fp;

	struct dentry *parent;

	struct dentry *dentry = fp->filp->f_path.dentry;

	int ret;

	if (!(fp->daccess & FILE_DELETE_LE)) {

		pr_err("no right to delete : 0x%x\n", fp->daccess);

		return -EACCES;

			le32_to_cpu(rename_info->FileNameLength))

		return -EINVAL;

	idmap = file_mnt_idmap(fp->filp);

	if (ksmbd_stream_fd(fp))

		goto next;

	parent = dget_parent(dentry);

	ret = ksmbd_vfs_lock_parent(idmap, parent, dentry);

	if (ret) {

		dput(parent);

		return ret;

	}

	parent_fp = ksmbd_lookup_fd_inode(d_inode(parent));

	inode_unlock(d_inode(parent));

	dput(parent);

	if (!le32_to_cpu(rename_info->FileNameLength))

		return -EINVAL;

	if (parent_fp) {

		if (parent_fp->daccess & FILE_DELETE_LE) {

			pr_err("parent dir is opened with delete access\n");

			ksmbd_fd_put(work, parent_fp);

			return -ESHARE;

		}

		ksmbd_fd_put(work, parent_fp);

	}

next:

	return smb2_rename(work, fp, idmap, rename_info,

			   work->conn->local_nls);

	return smb2_rename(work, fp, rename_info, work->conn->local_nls);

}

static int set_file_disposition_info(struct ksmbd_file *fp,

#include <linux/vmalloc.h>

#include <linux/sched/xacct.h>

#include <linux/crc32c.h>

#include <linux/namei.h>

#include "glob.h"

#include "oplock.h"

#include "mgmt/user_session.h"

#include "mgmt/user_config.h"

static char *extract_last_component(char *path)

{

	char *p = strrchr(path, '/');

	if (p && p[1] != '\0') {

		*p = '\0';

		p++;

	} else {

		p = NULL;

	}

	return p;

}

static void ksmbd_vfs_inherit_owner(struct ksmbd_work *work,

				    struct inode *parent_inode,

				    struct inode *inode)

/**

 * ksmbd_vfs_lock_parent() - lock parent dentry if it is stable

 *

 * the parent dentry got by dget_parent or @parent could be

 * unstable, we try to lock a parent inode and lookup the

 * child dentry again.

 *

 * the reference count of @parent isn't incremented.

 */

int ksmbd_vfs_lock_parent(struct mnt_idmap *idmap, struct dentry *parent,

			  struct dentry *child)

int ksmbd_vfs_lock_parent(struct dentry *parent, struct dentry *child)

{

	struct dentry *dentry;

	int ret = 0;

	inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);

	dentry = lookup_one(idmap, child->d_name.name, parent,

			    child->d_name.len);

	if (IS_ERR(dentry)) {

		ret = PTR_ERR(dentry);

		goto out_err;

	}

	if (dentry != child) {

		ret = -ESTALE;

		dput(dentry);

		goto out_err;

	if (child->d_parent != parent) {

		inode_unlock(d_inode(parent));

		return -ENOENT;

	}

	dput(dentry);

	return 0;

out_err:

	inode_unlock(d_inode(parent));

	return ret;

}

int ksmbd_vfs_may_delete(struct mnt_idmap *idmap,

			 struct dentry *dentry)

static int ksmbd_vfs_path_lookup_locked(struct ksmbd_share_config *share_conf,

					char *pathname, unsigned int flags,

					struct path *path)

{

	struct dentry *parent;

	int ret;

	struct qstr last;

	struct filename *filename;

	struct path *root_share_path = &share_conf->vfs_path;

	int err, type;

	struct path parent_path;

	struct dentry *d;

	parent = dget_parent(dentry);

	ret = ksmbd_vfs_lock_parent(idmap, parent, dentry);

	if (ret) {

		dput(parent);

		return ret;

	if (pathname[0] == '\0') {

		pathname = share_conf->path;

		root_share_path = NULL;

	} else {

		flags |= LOOKUP_BENEATH;

	}

	ret = inode_permission(idmap, d_inode(parent),

			       MAY_EXEC | MAY_WRITE);

	filename = getname_kernel(pathname);

	if (IS_ERR(filename))

		return PTR_ERR(filename);

	inode_unlock(d_inode(parent));

	dput(parent);

	return ret;

	err = vfs_path_parent_lookup(filename, flags,

				     &parent_path, &last, &type,

				     root_share_path);

	putname(filename);

	if (err)

		return err;

	if (unlikely(type != LAST_NORM)) {

		path_put(&parent_path);

		return -ENOENT;

	}

	inode_lock_nested(parent_path.dentry->d_inode, I_MUTEX_PARENT);

	d = lookup_one_qstr_excl(&last, parent_path.dentry, 0);

	if (IS_ERR(d))

		goto err_out;

	if (d_is_negative(d)) {

		dput(d);

		goto err_out;

	}

	path->dentry = d;

	path->mnt = share_conf->vfs_path.mnt;

	path_put(&parent_path);

	return 0;

err_out:

	inode_unlock(parent_path.dentry->d_inode);

	path_put(&parent_path);

	return -ENOENT;

}

int ksmbd_vfs_query_maximal_access(struct mnt_idmap *idmap,

				   struct dentry *dentry, __le32 *daccess)

{

	struct dentry *parent;

	int ret = 0;

	*daccess = cpu_to_le32(FILE_READ_ATTRIBUTES | READ_CONTROL);

	if (!inode_permission(idmap, d_inode(dentry), MAY_OPEN | MAY_EXEC))

		*daccess |= FILE_EXECUTE_LE;

	parent = dget_parent(dentry);

	ret = ksmbd_vfs_lock_parent(idmap, parent, dentry);

	if (ret) {

		dput(parent);

		return ret;

	}

	if (!inode_permission(idmap, d_inode(parent), MAY_EXEC | MAY_WRITE))

	if (!inode_permission(idmap, d_inode(dentry->d_parent), MAY_EXEC | MAY_WRITE))

		*daccess |= FILE_DELETE_LE;

	inode_unlock(d_inode(parent));

	dput(parent);

	return ret;

}

 *

 * Return:	0 on success, otherwise error

 */

int ksmbd_vfs_remove_file(struct ksmbd_work *work, char *name)

int ksmbd_vfs_remove_file(struct ksmbd_work *work, const struct path *path)

{

	struct mnt_idmap *idmap;

	struct path path;

	struct dentry *parent;

	struct dentry *parent = path->dentry->d_parent;

	int err;

	if (ksmbd_override_fsids(work))

		return -ENOMEM;

	err = ksmbd_vfs_kern_path(work, name, LOOKUP_NO_SYMLINKS, &path, false);

	if (err) {

		ksmbd_debug(VFS, "can't get %s, err %d\n", name, err);

		ksmbd_revert_fsids(work);

		return err;

	}

	idmap = mnt_idmap(path.mnt);

	parent = dget_parent(path.dentry);

	err = ksmbd_vfs_lock_parent(idmap, parent, path.dentry);

	if (err) {

		dput(parent);

		path_put(&path);

		ksmbd_revert_fsids(work);

		return err;

	}

	if (!d_inode(path.dentry)->i_nlink) {

	if (!d_inode(path->dentry)->i_nlink) {

		err = -ENOENT;

		goto out_err;

	}

	if (S_ISDIR(d_inode(path.dentry)->i_mode)) {

		err = vfs_rmdir(idmap, d_inode(parent), path.dentry);

	idmap = mnt_idmap(path->mnt);

	if (S_ISDIR(d_inode(path->dentry)->i_mode)) {

		err = vfs_rmdir(idmap, d_inode(parent), path->dentry);

		if (err && err != -ENOTEMPTY)

			ksmbd_debug(VFS, "%s: rmdir failed, err %d\n", name,

				    err);

			ksmbd_debug(VFS, "rmdir failed, err %d\n", err);

	} else {

		err = vfs_unlink(idmap, d_inode(parent), path.dentry, NULL);

		err = vfs_unlink(idmap, d_inode(parent), path->dentry, NULL);

		if (err)

			ksmbd_debug(VFS, "%s: unlink failed, err %d\n", name,

				    err);

			ksmbd_debug(VFS, "unlink failed, err %d\n", err);

	}

out_err:

	inode_unlock(d_inode(parent));

	dput(parent);

	path_put(&path);

	ksmbd_revert_fsids(work);

	return err;

}

	return err;

}

static int ksmbd_validate_entry_in_use(struct dentry *src_dent)

int ksmbd_vfs_rename(struct ksmbd_work *work, const struct path *old_path,

		     char *newname, int flags)

{

	struct dentry *dst_dent;

	spin_lock(&src_dent->d_lock);

	list_for_each_entry(dst_dent, &src_dent->d_subdirs, d_child) {

		struct ksmbd_file *child_fp;

	struct dentry *old_parent, *new_dentry, *trap;

	struct dentry *old_child = old_path->dentry;

	struct path new_path;

	struct qstr new_last;

	struct renamedata rd;

	struct filename *to;

	struct ksmbd_share_config *share_conf = work->tcon->share_conf;

	struct ksmbd_file *parent_fp;

	int new_type;

	int err, lookup_flags = LOOKUP_NO_SYMLINKS;

		if (d_really_is_negative(dst_dent))

			continue;

	if (ksmbd_override_fsids(work))

		return -ENOMEM;

		child_fp = ksmbd_lookup_fd_inode(d_inode(dst_dent));

		if (child_fp) {

			spin_unlock(&src_dent->d_lock);

			ksmbd_debug(VFS, "Forbid rename, sub file/dir is in use\n");

			return -EACCES;

		}

	to = getname_kernel(newname);

	if (IS_ERR(to)) {

		err = PTR_ERR(to);

		goto revert_fsids;

	}

	spin_unlock(&src_dent->d_lock);

	return 0;

retry:

	err = vfs_path_parent_lookup(to, lookup_flags | LOOKUP_BENEATH,

				     &new_path, &new_last, &new_type,

				     &share_conf->vfs_path);

	if (err)

		goto out1;

	if (old_path->mnt != new_path.mnt) {

		err = -EXDEV;

		goto out2;

	}

static int __ksmbd_vfs_rename(struct ksmbd_work *work,

			      struct mnt_idmap *src_idmap,

			      struct dentry *src_dent_parent,

			      struct dentry *src_dent,

			      struct mnt_idmap *dst_idmap,

			      struct dentry *dst_dent_parent,

			      struct dentry *trap_dent,

			      char *dst_name)

{

	struct dentry *dst_dent;

	int err;

	trap = lock_rename_child(old_child, new_path.dentry);

	if (!work->tcon->posix_extensions) {

		err = ksmbd_validate_entry_in_use(src_dent);

		if (err)

			return err;

	old_parent = dget(old_child->d_parent);

	if (d_unhashed(old_child)) {

		err = -EINVAL;

		goto out3;

	}

	if (d_really_is_negative(src_dent_parent))

		return -ENOENT;

	if (d_really_is_negative(dst_dent_parent))

		return -ENOENT;

	if (d_really_is_negative(src_dent))

		return -ENOENT;

	if (src_dent == trap_dent)

		return -EINVAL;

	if (ksmbd_override_fsids(work))

		return -ENOMEM;

	parent_fp = ksmbd_lookup_fd_inode(d_inode(old_child->d_parent));

	if (parent_fp) {

		if (parent_fp->daccess & FILE_DELETE_LE) {

			pr_err("parent dir is opened with delete access\n");

			err = -ESHARE;

			ksmbd_fd_put(work, parent_fp);

			goto out3;

		}

		ksmbd_fd_put(work, parent_fp);

	}

	dst_dent = lookup_one(dst_idmap, dst_name,

			      dst_dent_parent, strlen(dst_name));

	err = PTR_ERR(dst_dent);

	if (IS_ERR(dst_dent)) {

		pr_err("lookup failed %s [%d]\n", dst_name, err);

		goto out;

	new_dentry = lookup_one_qstr_excl(&new_last, new_path.dentry,

					  lookup_flags | LOOKUP_RENAME_TARGET);

	if (IS_ERR(new_dentry)) {

		err = PTR_ERR(new_dentry);

		goto out3;

	}

	err = -ENOTEMPTY;

	if (dst_dent != trap_dent && !d_really_is_positive(dst_dent)) {

		struct renamedata rd = {