!15613 CVE-2024-57952

};

EXPORT_SYMBOL(simple_dir_inode_operations);

/* 0 is '.', 1 is '..', so always start with offset 2 or more */

/* simple_offset_add() never assigns these to a dentry */

enum {

	DIR_OFFSET_MIN	= 2,

	DIR_OFFSET_FIRST	= 2,		/* Find first real entry */

	DIR_OFFSET_EOD		= S32_MAX,

};

/* simple_offset_add() allocation range */

enum {

	DIR_OFFSET_MIN		= DIR_OFFSET_FIRST + 1,

	DIR_OFFSET_MAX		= DIR_OFFSET_EOD - 1,

};

static void offset_set(struct dentry *dentry, long offset)

		return -EBUSY;

	ret = mtree_alloc_cyclic(&octx->mt, &offset, dentry, DIR_OFFSET_MIN,

				 LONG_MAX, &octx->next_offset, GFP_KERNEL);

	if (ret < 0)

		return ret;

				 DIR_OFFSET_MAX, &octx->next_offset,

				 GFP_KERNEL);

	if (unlikely(ret < 0))

		return ret == -EBUSY ? -ENOSPC : ret;

	offset_set(dentry, offset);

	return 0;

	offset_set(dentry, 0);

}

/**

 * simple_offset_empty - Check if a dentry can be unlinked

 * @dentry: dentry to be tested

 *

 * Returns 0 if @dentry is a non-empty directory; otherwise returns 1.

 */

int simple_offset_empty(struct dentry *dentry)

{

	struct inode *inode = d_inode(dentry);

	struct offset_ctx *octx;

	struct dentry *child;

	unsigned long index;

	int ret = 1;

	if (!inode || !S_ISDIR(inode->i_mode))

		return ret;

	index = DIR_OFFSET_MIN;

	octx = inode->i_op->get_offset_ctx(inode);

	mt_for_each(&octx->mt, child, index, LONG_MAX) {

		spin_lock(&child->d_lock);

		if (simple_positive(child)) {

			spin_unlock(&child->d_lock);

			ret = 0;

			break;

		}

		spin_unlock(&child->d_lock);

	}

	return ret;

}

/**

 * simple_offset_rename - handle directory offsets for rename

 * @old_dir: parent directory of source entry

	mtree_destroy(&octx->mt);

}

static int offset_dir_open(struct inode *inode, struct file *file)

{

	struct offset_ctx *ctx = inode->i_op->get_offset_ctx(inode);

	file->private_data = (void *)ctx->next_offset;

	return 0;

}

/**

 * offset_dir_llseek - Advance the read position of a directory descriptor

 * @file: an open directory whose position is to be updated

 */

static loff_t offset_dir_llseek(struct file *file, loff_t offset, int whence)

{

	struct inode *inode = file->f_inode;

	struct offset_ctx *ctx = inode->i_op->get_offset_ctx(inode);

	switch (whence) {

	case SEEK_CUR:

		offset += file->f_pos;

		return -EINVAL;

	}

	/* In this case, ->private_data is protected by f_pos_lock */

	if (!offset)

		file->private_data = (void *)ctx->next_offset;

	return vfs_setpos(file, offset, LONG_MAX);

}

static struct dentry *offset_find_next(struct offset_ctx *octx, loff_t offset)

static struct dentry *find_positive_dentry(struct dentry *parent,

					   struct dentry *dentry,

					   bool next)

{

	MA_STATE(mas, &octx->mt, offset, offset);

	struct dentry *found = NULL;

	spin_lock(&parent->d_lock);

	if (next)

		dentry = list_next_entry(dentry, d_child);

	else if (!dentry)

		dentry = list_first_entry_or_null(&parent->d_subdirs,

						  struct dentry, d_child);

	for (; dentry && !list_entry_is_head(dentry, &parent->d_subdirs, d_child);

	     dentry = list_next_entry(dentry, d_child)) {

		if (!simple_positive(dentry))

			continue;

		spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);

		if (simple_positive(dentry))

			found = dget_dlock(dentry);

		spin_unlock(&dentry->d_lock);

		if (likely(found))

			break;

	}

	spin_unlock(&parent->d_lock);

	return found;

}

static noinline_for_stack struct dentry *

offset_dir_lookup(struct dentry *parent, loff_t offset)

{

	struct inode *inode = d_inode(parent);

	struct offset_ctx *octx = inode->i_op->get_offset_ctx(inode);

	struct dentry *child, *found = NULL;

	MA_STATE(mas, &octx->mt, offset, offset);

	if (offset == DIR_OFFSET_FIRST)

		found = find_positive_dentry(parent, NULL, false);

	else {

		rcu_read_lock();

	child = mas_find(&mas, LONG_MAX);

	if (!child)

		goto out;

	spin_lock(&child->d_lock);

	if (simple_positive(child))

		found = dget_dlock(child);

	spin_unlock(&child->d_lock);

out:

		child = mas_find_rev(&mas, DIR_OFFSET_MIN);

		found = find_positive_dentry(parent, child, false);

		rcu_read_unlock();

	}

	return found;

}

static bool offset_dir_emit(struct dir_context *ctx, struct dentry *dentry)

{

	struct inode *inode = d_inode(dentry);

	long offset = dentry2offset(dentry);

	return ctx->actor(ctx, dentry->d_name.name, dentry->d_name.len, offset,

	return dir_emit(ctx, dentry->d_name.name, dentry->d_name.len,

			inode->i_ino, fs_umode_to_dtype(inode->i_mode));

}

static void offset_iterate_dir(struct inode *inode, struct dir_context *ctx, long last_index)

static void offset_iterate_dir(struct file *file, struct dir_context *ctx)

{

	struct offset_ctx *octx = inode->i_op->get_offset_ctx(inode);

	struct dentry *dir = file->f_path.dentry;

	struct dentry *dentry;

	while (true) {

		dentry = offset_find_next(octx, ctx->pos);

	dentry = offset_dir_lookup(dir, ctx->pos);

	if (!dentry)

			return;

		goto out_eod;

	while (true) {

		struct dentry *next;

		ctx->pos = dentry2offset(dentry);

		if (!offset_dir_emit(ctx, dentry))

			break;

		if (dentry2offset(dentry) >= last_index) {

		next = find_positive_dentry(dir, dentry, true);

		dput(dentry);

			return;

		}

		if (!offset_dir_emit(ctx, dentry)) {

		if (!next)

			goto out_eod;

		dentry = next;

	}

	dput(dentry);

	return;

		}

		ctx->pos = dentry2offset(dentry) + 1;

		dput(dentry);

	}

out_eod:

	ctx->pos = DIR_OFFSET_EOD;

}

/**

 *

 * On return, @ctx->pos contains an offset that will read the next entry

 * in this directory when offset_readdir() is called again with @ctx.

 * Caller places this value in the d_off field of the last entry in the

 * user's buffer.

 *

 * Return values:

 *   %0 - Complete

static int offset_readdir(struct file *file, struct dir_context *ctx)

{

	struct dentry *dir = file->f_path.dentry;

	long last_index = (long)file->private_data;

	lockdep_assert_held(&d_inode(dir)->i_rwsem);

	if (!dir_emit_dots(file, ctx))

		return 0;

	offset_iterate_dir(d_inode(dir), ctx, last_index);

	if (ctx->pos != DIR_OFFSET_EOD)

		offset_iterate_dir(file, ctx);

	return 0;

}

const struct file_operations simple_offset_dir_operations = {

	.open		= offset_dir_open,

	.llseek		= offset_dir_llseek,

	.iterate_shared	= offset_readdir,

	.read		= generic_read_dir,

void simple_offset_init(struct offset_ctx *octx);

int simple_offset_add(struct offset_ctx *octx, struct dentry *dentry);

void simple_offset_remove(struct offset_ctx *octx, struct dentry *dentry);

int simple_offset_empty(struct dentry *dentry);

int simple_offset_rename(struct inode *old_dir, struct dentry *old_dentry,

			 struct inode *new_dir, struct dentry *new_dentry);

int simple_offset_rename_exchange(struct inode *old_dir,

static int shmem_rmdir(struct inode *dir, struct dentry *dentry)

{

	if (!simple_offset_empty(dentry))

	if (!simple_empty(dentry))

		return -ENOTEMPTY;

	drop_nlink(d_inode(dentry));

		return simple_offset_rename_exchange(old_dir, old_dentry,

						     new_dir, new_dentry);

	if (!simple_offset_empty(new_dentry))

	if (!simple_empty(new_dentry))

		return -ENOTEMPTY;

	if (flags & RENAME_WHITEOUT) {