[PATCH v6 0/3] Fix opendir regression on some FS

[PATCH v6 0/3] Fix opendir regression on some FS

[Adhemerval Zanella]

Some filesystem might return a non-representable d_off on getdents
call, even if there are few entries in the directories (for instance
ext4, which returns an internal FS hash).  This trigger issues with
non-LFS readdir when it finds the first non representable entry, and
also for LFS interface when used along with telldir (which return a
'long int', while d_off is potentially off64_t).

For instance, arm32 dirent and io tests running on qemu-user show the
following failures:

  FAIL: dirent/list
  FAIL: dirent/tst-scandir
  FAIL: io/tst-fts
  FAIL: io/tst-fts-lfs
  FAIL: io/tst-fts-time64

This patch changes non-LFS readdir so it clamps the d_off value if
it overflows.  It now uses getdents64 and maintains an internal map
between d_off that can not be represented by 'long int' (telldir
returned value).  seekdir will then set the correct offset by
using the input argument as a key to the internal list.

I have checked on x86_64-linux-gnu, i686-linux-gnu, and
arm-linux-gnueabihf.

Changes from v5:
  * Use non-LFS getdents logic on non-LFS readdir.
  * Clamp overflow d_off values.
  * Removed unrequired readdir64 refactor.

Changes from v4:
  * Allocate the telldir map an readdir, thus avoid telldir failure.
  * The translation buffer now uses a fixed size struct.
  * Fixed the condition to use the long to off64_t map.

Changes from v3:
  * Rebase against master.
  * Fixed a missing lock unlock on telldir.
  * Renamed tst-seekdir2 to tst-opendir-nolfs and check the opendir
    result against getdents64.


Adhemerval Zanella (3):
  linux: Use getdents64 on non-LFS readdir
  support: Add xreallocarray
  linux: Set internal DIR filepos as off64_t (BZ #23960, BZ #24050)

 include/dirent.h                            |   2 +-
 support/Makefile                            |   1 +
 support/support.h                           |   2 +
 support/xreallocarray.c                     |  29 ++++
 sysdeps/unix/sysv/linux/Makefile            |   2 +
 sysdeps/unix/sysv/linux/alpha/bits/dirent.h |   3 +
 sysdeps/unix/sysv/linux/bits/dirent.h       |   4 +
 sysdeps/unix/sysv/linux/closedir.c          |   4 +
 sysdeps/unix/sysv/linux/dirstream.h         |   9 +-
 sysdeps/unix/sysv/linux/opendir.c           |   3 +
 sysdeps/unix/sysv/linux/readdir.c           | 107 +++++++++++----
 sysdeps/unix/sysv/linux/readdir64.c         |  11 ++
 sysdeps/unix/sysv/linux/rewinddir.c         |   5 +
 sysdeps/unix/sysv/linux/seekdir.c           |  30 +++-
 sysdeps/unix/sysv/linux/telldir.c           |  36 +++++
 sysdeps/unix/sysv/linux/telldir.h           |  67 +++++++++
 sysdeps/unix/sysv/linux/tst-opendir-lfs.c   |   2 +
 sysdeps/unix/sysv/linux/tst-opendir.c       | 145 ++++++++++++++++++++
 18 files changed, 432 insertions(+), 30 deletions(-)
 create mode 100644 support/xreallocarray.c
 create mode 100644 sysdeps/unix/sysv/linux/telldir.h
 create mode 100644 sysdeps/unix/sysv/linux/tst-opendir-lfs.c
 create mode 100644 sysdeps/unix/sysv/linux/tst-opendir.c

-- 
2.34.1

[PATCH v6 1/3] linux: Use getdents64 on non-LFS readdir

[Adhemerval Zanella]

It is similar to what non-LFS getdents do (including overflow check).

Checked on x86_64-linux-gnu and i686-linux-gnu.
---
 sysdeps/unix/sysv/linux/readdir.c | 97 +++++++++++++++++++++++--------
 1 file changed, 73 insertions(+), 24 deletions(-)

diff --git a/sysdeps/unix/sysv/linux/readdir.c b/sysdeps/unix/sysv/linux/readdir.c
index 4a4c00ea07..72ba895afe 100644
--- a/sysdeps/unix/sysv/linux/readdir.c
+++ b/sysdeps/unix/sysv/linux/readdir.c
@@ -20,43 +20,92 @@
 
 #if !_DIRENT_MATCHES_DIRENT64
 #include <dirstream.h>
+#include <unistd.h>
+
+# ifndef DIRENT_SET_DP_INO
+#  define DIRENT_SET_DP_INO(dp, value) (dp)->d_ino = (value)
+# endif
 
 /* Read a directory entry from DIRP.  */
 struct dirent *
 __readdir_unlocked (DIR *dirp)
 {
-  struct dirent *dp;
   int saved_errno = errno;
 
-  if (dirp->offset >= dirp->size)
+  while (1)
     {
-      /* We've emptied out our buffer.  Refill it.  */
-
-      size_t maxread = dirp->allocation;
-      ssize_t bytes;
-
-      bytes = __getdents (dirp->fd, dirp->data, maxread);
-      if (bytes <= 0)
+      if (dirp->offset >= dirp->size)
 	{
-	  /* Linux may fail with ENOENT on some file systems if the
-	     directory inode is marked as dead (deleted).  POSIX
-	     treats this as a regular end-of-directory condition, so
-	     do not set errno in that case, to indicate success.  */
-	  if (bytes == 0 || errno == ENOENT)
-	    __set_errno (saved_errno);
+	  ssize_t bytes = __getdents64 (dirp->fd, dirp->data,
+					dirp->allocation);
+	  if (bytes <= 0)
+	    {
+	      /* Linux may fail with ENOENT on some file systems if the
+		 directory inode is marked as dead (deleted).  POSIX
+		 treats this as a regular end-of-directory condition, so
+		 do not set errno in that case, to indicate success.  */
+	      if (bytes < 0 && errno == ENOENT)
+		__set_errno (saved_errno);
+	      return NULL;
+	    }
+	  dirp->size = bytes;
+
+ 	  /* Reset the offset into the buffer.  */
+	  dirp->offset = 0;
+ 	}
+
+    /* These two pointers might alias the same memory buffer.  Standard C
+       requires that we always use the same type for them, so we must use the
+       union type.  */
+      union
+      {
+	struct dirent64 dp64;
+	struct dirent dp;
+	char *b;
+      } *inp, *outp;
+      inp = (void*) &dirp->data[dirp->offset];
+      outp = (void*) &dirp->data[dirp->offset];
+
+      const size_t size_diff = offsetof (struct dirent64, d_name)
+	- offsetof (struct dirent, d_name);
+
+      /* Since inp->dp64.d_reclen is already aligned for the kernel structure
+	 this may compute a value that is bigger than necessary.  */
+      size_t old_reclen = inp->dp64.d_reclen;
+      size_t new_reclen = ALIGN_UP (old_reclen - size_diff,
+				    _Alignof (struct dirent));
+
+      if (!in_ino_t_range (inp->dp64.d_ino)
+	  || !in_off_t_range (inp->dp64.d_off))
+	{
+	  /* Overflow.  If there was at least one entry before this one,
+	     return them without error, otherwise signal overflow.  */
+	  if (dirp->offset != 0)
+	    {
+	      __lseek64 (dirp->fd, dirp->offset, SEEK_SET);
+	      outp = (void*)(outp->b - dirp->data);
+	      return &outp->dp;
+	    }
+	  __set_errno (EOVERFLOW);
 	  return NULL;
 	}
-      dirp->size = (size_t) bytes;
 
-      /* Reset the offset into the buffer.  */
-      dirp->offset = 0;
+      /* Copy the data from INP and access only OUTP.  */
+      const uint64_t d_ino = inp->dp64.d_ino;
+      const int64_t d_off = inp->dp64.d_off;
+      const uint8_t d_type = inp->dp64.d_type;
+      outp->dp.d_ino = d_ino;
+      outp->dp.d_off = d_off;
+      outp->dp.d_reclen = new_reclen;
+      outp->dp.d_type = d_type;
+      memmove (outp->dp.d_name, inp->dp64.d_name,
+	       old_reclen - offsetof (struct dirent64, d_name));
+
+      dirp->filepos = d_off;
+      dirp->offset += old_reclen;
+
+      return &outp->dp;
     }
-
-  dp = (struct dirent *) &dirp->data[dirp->offset];
-  dirp->offset += dp->d_reclen;
-  dirp->filepos = dp->d_off;
-
-  return dp;
 }
 
 struct dirent *
-- 
2.34.1

[PATCH v6 2/3] support: Add xreallocarray

[Adhemerval Zanella]

As a wrapper over reallocarray.
---
 support/Makefile        |  1 +
 support/support.h       |  2 ++
 support/xreallocarray.c | 29 +++++++++++++++++++++++++++++
 3 files changed, 32 insertions(+)
 create mode 100644 support/xreallocarray.c

diff --git a/support/Makefile b/support/Makefile
index a304c5cdc0..1ca4a9567e 100644
--- a/support/Makefile
+++ b/support/Makefile
@@ -191,6 +191,7 @@ libsupport-routines = \
   xraise \
   xreadlink \
   xrealloc \
+  xreallocarray \
   xrecvfrom \
   xsendto \
   xsetlocale \
diff --git a/support/support.h b/support/support.h
index 525ff1ebce..741e4c5c2a 100644
--- a/support/support.h
+++ b/support/support.h
@@ -107,6 +107,8 @@ extern void *xcalloc (size_t n, size_t s)
   __returns_nonnull;
 extern void *xrealloc (void *o, size_t n)
   __attribute_malloc__ __attribute_alloc_size__ ((2)) __attr_dealloc_free;
+extern void *xreallocarray (void *p, size_t n, size_t s)
+  __attribute_alloc_size__ ((2, 3)) __attr_dealloc_free;
 extern char *xstrdup (const char *) __attribute_malloc__ __attr_dealloc_free
   __returns_nonnull;
 void *xposix_memalign (size_t alignment, size_t n)
diff --git a/support/xreallocarray.c b/support/xreallocarray.c
new file mode 100644
index 0000000000..6478725c9c
--- /dev/null
+++ b/support/xreallocarray.c
@@ -0,0 +1,29 @@
+/* Error-checking wrapper for reallocarray
+   Copyright (C) 2016-2023 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <stdlib.h>
+#include <support/support.h>
+
+void *
+xreallocarray (void *p, size_t n, size_t s)
+{
+  void *r = reallocarray (p, n, s);
+  if (r == NULL)
+    oom_error ("reallocarray", n);
+  return r;
+}
-- 
2.34.1

[PATCH v6 3/3] linux: Set internal DIR filepos as off64_t (BZ #23960, BZ #24050)

[Adhemerval Zanella]

It allows to obtain the expected entry offset on telldir and set
it correctly on seekdir on platforms where long int is smaller
than off64_t.

On such cases opendir creates a map entry between the DIR d_off
offset and the returned long int (the telldir return value).
seekdir will then set the correct offset from the internal list
using the telldir as the list key.

It also removes the overflow check on readdir and the returned value
will be truncated by the non-LFS off_t size.  As Joseph has noted
in BZ #23960 comment #22, d_off is an opaque value and since
telldir/seekdir works regardless of the returned dirent d_off value.

Finally it removes the requirement to check for overflow values on
telldir (BZ #24050).

Checked on x86_64-linux-gnu, i686-linux-gnu, powerpc-linux-gnu,
and arm-linux-gnueabihf.
---
 include/dirent.h                            |   2 +-
 sysdeps/unix/sysv/linux/Makefile            |   2 +
 sysdeps/unix/sysv/linux/alpha/bits/dirent.h |   3 +
 sysdeps/unix/sysv/linux/bits/dirent.h       |   4 +
 sysdeps/unix/sysv/linux/closedir.c          |   4 +
 sysdeps/unix/sysv/linux/dirstream.h         |   9 +-
 sysdeps/unix/sysv/linux/opendir.c           |   3 +
 sysdeps/unix/sysv/linux/readdir.c           |  14 +-
 sysdeps/unix/sysv/linux/readdir64.c         |  11 ++
 sysdeps/unix/sysv/linux/rewinddir.c         |   5 +
 sysdeps/unix/sysv/linux/seekdir.c           |  30 +++-
 sysdeps/unix/sysv/linux/telldir.c           |  36 +++++
 sysdeps/unix/sysv/linux/telldir.h           |  67 +++++++++
 sysdeps/unix/sysv/linux/tst-opendir-lfs.c   |   2 +
 sysdeps/unix/sysv/linux/tst-opendir.c       | 145 ++++++++++++++++++++
 15 files changed, 329 insertions(+), 8 deletions(-)
 create mode 100644 sysdeps/unix/sysv/linux/telldir.h
 create mode 100644 sysdeps/unix/sysv/linux/tst-opendir-lfs.c
 create mode 100644 sysdeps/unix/sysv/linux/tst-opendir.c

diff --git a/include/dirent.h b/include/dirent.h
index d7567f5e86..17827176ba 100644
--- a/include/dirent.h
+++ b/include/dirent.h
@@ -1,8 +1,8 @@
 #ifndef _DIRENT_H
+# include <dirent/dirent.h>
 # ifndef _ISOMAC
 #  include <dirstream.h>
 # endif
-# include <dirent/dirent.h>
 # ifndef _ISOMAC
 # include <sys/stat.h>
 # include <stdbool.h>
diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
index f8bd12d991..116ecf6fff 100644
--- a/sysdeps/unix/sysv/linux/Makefile
+++ b/sysdeps/unix/sysv/linux/Makefile
@@ -464,6 +464,8 @@ ifeq ($(subdir),dirent)
 sysdep_routines += getdirentries getdirentries64
 tests += \
   tst-getdents64 \
+  tst-opendir \
+  tst-opendir-lfs \
   tst-readdir64-compat \
   # tests
 endif # $(subdir) == dirent
diff --git a/sysdeps/unix/sysv/linux/alpha/bits/dirent.h b/sysdeps/unix/sysv/linux/alpha/bits/dirent.h
index c8a0cfe93f..586d75586a 100644
--- a/sysdeps/unix/sysv/linux/alpha/bits/dirent.h
+++ b/sysdeps/unix/sysv/linux/alpha/bits/dirent.h
@@ -54,4 +54,7 @@ struct dirent64
 /* Inform libc code that these two types are effectively identical.  */
 #define _DIRENT_MATCHES_DIRENT64	1
 
+/* alpha 'long int' is enough to handle off64_t.  */
+#define _DIRENT_OFFSET_TRANSLATION	0
+
 #endif /* bits/dirent.h */
diff --git a/sysdeps/unix/sysv/linux/bits/dirent.h b/sysdeps/unix/sysv/linux/bits/dirent.h
index ab34d986ff..bb02dcb70a 100644
--- a/sysdeps/unix/sysv/linux/bits/dirent.h
+++ b/sysdeps/unix/sysv/linux/bits/dirent.h
@@ -57,3 +57,7 @@ struct dirent64
 #else
 # define _DIRENT_MATCHES_DIRENT64	0
 #endif
+
+/* The telldir function returns long int, which may not be large enough to
+   store off64_t values.  In this case, translation is required.  */
+#define _DIRENT_OFFSET_TRANSLATION (LONG_WIDTH < 64)
diff --git a/sysdeps/unix/sysv/linux/closedir.c b/sysdeps/unix/sysv/linux/closedir.c
index f1c2608642..9585a6ca3a 100644
--- a/sysdeps/unix/sysv/linux/closedir.c
+++ b/sysdeps/unix/sysv/linux/closedir.c
@@ -47,6 +47,10 @@ __closedir (DIR *dirp)
   __libc_lock_fini (dirp->lock);
 #endif
 
+#if _DIRENT_OFFSET_TRANSLATION
+  dirstream_loc_clear (&dirp->locs);
+#endif
+
   free ((void *) dirp);
 
   return __close_nocancel (fd);
diff --git a/sysdeps/unix/sysv/linux/dirstream.h b/sysdeps/unix/sysv/linux/dirstream.h
index 3cb313b410..27193b54dc 100644
--- a/sysdeps/unix/sysv/linux/dirstream.h
+++ b/sysdeps/unix/sysv/linux/dirstream.h
@@ -21,6 +21,7 @@
 #include <sys/types.h>
 
 #include <libc-lock.h>
+#include <telldir.h>
 
 /* Directory stream type.
 
@@ -37,10 +38,16 @@ struct __dirstream
     size_t size;		/* Total valid data in the block.  */
     size_t offset;		/* Current offset into the block.  */
 
-    off_t filepos;		/* Position of next entry to read.  */
+    off64_t filepos;		/* Position of next entry to read.  */
 
     int errcode;		/* Delayed error code.  */
 
+#if _DIRENT_OFFSET_TRANSLATION
+    /* The array is used to map long to off_64 for telldir/seekdir for ABIs
+       where long can not fully represend a LFS off_t value.  */
+    struct dirstream_loc_t locs;
+#endif
+
     /* Directory block.  We must make sure that this block starts
        at an address that is aligned adequately enough to store
        dirent entries.  Using the alignment of "void *" is not
diff --git a/sysdeps/unix/sysv/linux/opendir.c b/sysdeps/unix/sysv/linux/opendir.c
index 4336196a4d..3e2caabb9d 100644
--- a/sysdeps/unix/sysv/linux/opendir.c
+++ b/sysdeps/unix/sysv/linux/opendir.c
@@ -129,6 +129,9 @@ __alloc_dir (int fd, bool close_fd, int flags,
   dirp->offset = 0;
   dirp->filepos = 0;
   dirp->errcode = 0;
+#if _DIRENT_OFFSET_TRANSLATION
+  dirstream_loc_init (&dirp->locs);
+#endif
 
   return dirp;
 }
diff --git a/sysdeps/unix/sysv/linux/readdir.c b/sysdeps/unix/sysv/linux/readdir.c
index 72ba895afe..d57bb9ff2a 100644
--- a/sysdeps/unix/sysv/linux/readdir.c
+++ b/sysdeps/unix/sysv/linux/readdir.c
@@ -75,8 +75,7 @@ __readdir_unlocked (DIR *dirp)
       size_t new_reclen = ALIGN_UP (old_reclen - size_diff,
 				    _Alignof (struct dirent));
 
-      if (!in_ino_t_range (inp->dp64.d_ino)
-	  || !in_off_t_range (inp->dp64.d_off))
+      if (!in_ino_t_range (inp->dp64.d_ino))
 	{
 	  /* Overflow.  If there was at least one entry before this one,
 	     return them without error, otherwise signal overflow.  */
@@ -90,11 +89,22 @@ __readdir_unlocked (DIR *dirp)
 	  return NULL;
 	}
 
+      /* telldir can not return an error, so preallocate a map entry if
+	 d_off can not be used directly.  */
+      if (telldir_need_dirstream (inp->dp64.d_off))
+	{
+	  dirstream_loc_add (&dirp->locs, inp->dp64.d_off);
+	  if (dirstream_loc_has_failed (&dirp->locs))
+	    return NULL;
+	}
+
       /* Copy the data from INP and access only OUTP.  */
       const uint64_t d_ino = inp->dp64.d_ino;
       const int64_t d_off = inp->dp64.d_off;
       const uint8_t d_type = inp->dp64.d_type;
       outp->dp.d_ino = d_ino;
+      /* This will clamp the inp off64_t d_off value, however telldir/seekdir
+	 will use the 'locs' value if the value overflows.  */
       outp->dp.d_off = d_off;
       outp->dp.d_reclen = new_reclen;
       outp->dp.d_type = d_type;
diff --git a/sysdeps/unix/sysv/linux/readdir64.c b/sysdeps/unix/sysv/linux/readdir64.c
index db1c6214d8..306728b27b 100644
--- a/sysdeps/unix/sysv/linux/readdir64.c
+++ b/sysdeps/unix/sysv/linux/readdir64.c
@@ -68,6 +68,17 @@ __readdir64 (DIR *dirp)
   dirp->offset += dp->d_reclen;
   dirp->filepos = dp->d_off;
 
+#if _DIRENT_OFFSET_TRANSLATION
+  /* telldir can not return an error, so preallocate a map entry if
+     d_off can not be used directly.  */
+  if (telldir_need_dirstream (dp->d_off))
+    {
+      dirstream_loc_add (&dirp->locs, dp->d_off);
+      if (dirstream_loc_has_failed (&dirp->locs))
+	dp = NULL;
+    }
+#endif
+
 #if IS_IN (libc)
   __libc_lock_unlock (dirp->lock);
 #endif
diff --git a/sysdeps/unix/sysv/linux/rewinddir.c b/sysdeps/unix/sysv/linux/rewinddir.c
index c0fb7aa765..1b158a584f 100644
--- a/sysdeps/unix/sysv/linux/rewinddir.c
+++ b/sysdeps/unix/sysv/linux/rewinddir.c
@@ -33,6 +33,11 @@ __rewinddir (DIR *dirp)
   dirp->offset = 0;
   dirp->size = 0;
   dirp->errcode = 0;
+
+#ifndef __LP64__
+  dirstream_loc_clear (&dirp->locs);
+#endif
+
 #if IS_IN (libc)
   __libc_lock_unlock (dirp->lock);
 #endif
diff --git a/sysdeps/unix/sysv/linux/seekdir.c b/sysdeps/unix/sysv/linux/seekdir.c
index 939ccc4447..38b632964a 100644
--- a/sysdeps/unix/sysv/linux/seekdir.c
+++ b/sysdeps/unix/sysv/linux/seekdir.c
@@ -22,14 +22,36 @@
 #include <dirstream.h>
 
 /* Seek to position POS in DIRP.  */
-/* XXX should be __seekdir ? */
 void
 seekdir (DIR *dirp, long int pos)
 {
+  off64_t filepos;
+
   __libc_lock_lock (dirp->lock);
-  (void) __lseek (dirp->fd, pos, SEEK_SET);
-  dirp->size = 0;
+
+#if _DIRENT_OFFSET_TRANSLATION
+  union dirstream_packed dsp = { .l = pos };
+  if (dsp.p.is_packed == 1)
+    filepos = dsp.p.info;
+  else
+    {
+      size_t index = dsp.p.info;
+
+      if (index >= dirstream_loc_size (&dirp->locs))
+	{
+	  __libc_lock_unlock (dirp->lock);
+	  return;
+	}
+      filepos = *dirstream_loc_at (&dirp->locs, index);
+    }
+#else
+  filepos = pos;
+#endif
+
+  __lseek64 (dirp->fd, filepos, SEEK_SET);
+  dirp->filepos = filepos;
   dirp->offset = 0;
-  dirp->filepos = pos;
+  dirp->size = 0;
+
   __libc_lock_unlock (dirp->lock);
 }
diff --git a/sysdeps/unix/sysv/linux/telldir.c b/sysdeps/unix/sysv/linux/telldir.c
index 1e5c129e9f..04b2e76775 100644
--- a/sysdeps/unix/sysv/linux/telldir.c
+++ b/sysdeps/unix/sysv/linux/telldir.c
@@ -15,9 +15,12 @@
    License along with the GNU C Library; if not, see
    <https://www.gnu.org/licenses/>.  */
 
+#include <stdio.h>
+#include <assert.h>
 #include <dirent.h>
 
 #include <dirstream.h>
+#include <telldir.h>
 
 /* Return the current position of DIRP.  */
 long int
@@ -26,7 +29,40 @@ telldir (DIR *dirp)
   long int ret;
 
   __libc_lock_lock (dirp->lock);
+
+#if _DIRENT_OFFSET_TRANSLATION
+  /* If the directory position fits in the packet structure, returns it.
+     Otherwise, check if the position is already been recorded in the
+     dynamic array.  If not, add the new record.  */
+
+  union dirstream_packed dsp;
+
+  if (!telldir_need_dirstream (dirp->filepos))
+    {
+      dsp.p.is_packed = 1;
+      dsp.p.info = dirp->filepos;
+    }
+  else
+    {
+      dsp.l = -1;
+
+      size_t i;
+      for (i = 0; i < dirstream_loc_size (&dirp->locs); i++)
+	if (*dirstream_loc_at (&dirp->locs, i) == dirp->filepos)
+	  break;
+      /* It should be pre-allocated on readdir.  */
+      assert (i != dirstream_loc_size (&dirp->locs));
+
+      dsp.p.is_packed = 0;
+      /* This assignment might overflow, however most likely ENOME would
+	 happen long before.  */
+      dsp.p.info = i;
+    }
+
+  ret = dsp.l;
+#else
   ret = dirp->filepos;
+#endif
   __libc_lock_unlock (dirp->lock);
 
   return ret;
diff --git a/sysdeps/unix/sysv/linux/telldir.h b/sysdeps/unix/sysv/linux/telldir.h
new file mode 100644
index 0000000000..033bf97040
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/telldir.h
@@ -0,0 +1,67 @@
+/* Linux internal telldir definitions.
+   Copyright (C) 2023 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#ifndef _TELLDIR_H
+#define _TELLDIR_H 1
+
+#include <dirent.h>
+
+#if _DIRENT_OFFSET_TRANSLATION
+/* On platforms where 'long int' is smaller than 'off64_t' this is how the
+   returned value is encoded and returned by 'telldir'.  If the directory
+   offset can be enconded in 31 bits it is returned in the 'info' member
+   with 'is_packed' set to 1.
+
+   Otherwise, the 'info' member describes an index in a dynamic array at
+   'DIR' structure.  */
+
+union dirstream_packed
+{
+  long int l;
+  struct
+  {
+    unsigned long int is_packed:1;
+    unsigned long int info:31;
+  } p;
+};
+
+_Static_assert (sizeof (long int) == sizeof (union dirstream_packed),
+		"sizeof (long int) != sizeof (union dirstream_packed)");
+
+/* telldir maintains a list of offsets that describe the obtained diretory
+   position if it can fit this information in the returned 'dirstream_packed'
+   struct.  */
+
+# define DYNARRAY_STRUCT  dirstream_loc_t
+# define DYNARRAY_ELEMENT off64_t
+# define DYNARRAY_PREFIX  dirstream_loc_
+# include <malloc/dynarray-skeleton.c>
+
+static __always_inline bool
+telldir_need_dirstream (__off64_t d_off)
+{
+  return d_off >= 1UL << 31;
+}
+#else
+
+_Static_assert (sizeof (long int) == sizeof (off64_t),
+		"sizeof (long int) != sizeof (off64_t)");
+
+#endif /* __LP64__  */
+
+#endif /* _TELLDIR_H  */
diff --git a/sysdeps/unix/sysv/linux/tst-opendir-lfs.c b/sysdeps/unix/sysv/linux/tst-opendir-lfs.c
new file mode 100644
index 0000000000..1de1891fb4
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/tst-opendir-lfs.c
@@ -0,0 +1,2 @@
+#define _FILE_OFFSET_BITS 64
+#include "tst-opendir.c"
diff --git a/sysdeps/unix/sysv/linux/tst-opendir.c b/sysdeps/unix/sysv/linux/tst-opendir.c
new file mode 100644
index 0000000000..216ecf123f
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/tst-opendir.c
@@ -0,0 +1,145 @@
+/* Check multiple telldir and seekdir.
+   Copyright (C) 2023 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <dirent.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <support/check.h>
+#include <support/support.h>
+#include <support/temp_file.h>
+#include <support/xunistd.h>
+
+/* Some filesystems returns an arbitrary value for d_off direnty entry (ext4
+   for instance, where the value is an internal hash key).  The idea of create
+   a large number of file is to try trigger a overflow d_off value in a entry
+   to check if telldir/seekdir does work corretly in such case.  */
+static const char *dirname;
+/* The 2 extra files are '.' and '..'.  */
+static const size_t nfiles = (1<<14) + 2;
+
+static inline bool
+in_ino_t_range (ino64_t v)
+{
+  ino_t s = v;
+  return s == v;
+}
+
+static inline bool
+in_off_t_range (off64_t v)
+{
+  off_t s = v;
+  return s == v;
+}
+
+static void
+do_prepare (int argc, char *argv[])
+{
+  dirname = support_create_temp_directory ("tst-opendir-nolfs-");
+
+  for (size_t i = 0; i < nfiles - 2; i++)
+    {
+      int fd = create_temp_file_in_dir ("tempfile.", dirname, NULL);
+      TEST_VERIFY_EXIT (fd > 0);
+      close (fd);
+    }
+}
+#define PREPARE do_prepare
+
+static int
+do_test (void)
+{
+  DIR *dirp = opendir (dirname);
+  TEST_VERIFY_EXIT (dirp != NULL);
+
+  long int *tdirp = xreallocarray (NULL, nfiles, sizeof (long int));
+  struct dirent **ddirp = xreallocarray (NULL, nfiles,
+					 sizeof (struct dirent *));
+
+  /* For non-LFS, the entry is skipped if it can not be converted.  */
+  int count = 0;
+  for (; count < nfiles; count++)
+    {
+      struct dirent *dp = readdir (dirp);
+      if (dp == NULL)
+	break;
+      tdirp[count] = telldir (dirp);
+      ddirp[count] = xmalloc (dp->d_reclen);
+      memcpy (ddirp[count], dp, dp->d_reclen);
+    }
+
+  closedir (dirp);
+
+  /* Check against the getdents64 syscall.  */
+  int fd = xopen (dirname, O_RDONLY | O_DIRECTORY, 0);
+  int i = 0;
+  while (true)
+    {
+      struct
+      {
+	char buffer[1024];
+	struct dirent64 pad;
+      } data;
+
+      ssize_t ret = getdents64 (fd, &data.buffer, sizeof (data.buffer));
+      if (ret < 0)
+	FAIL_EXIT1 ("getdents64: %m");
+      if (ret == 0)
+	break;
+
+      char *current = data.buffer;
+      char *end = data.buffer + ret;
+      while (current != end)
+	{
+	  struct dirent64 entry;
+          memcpy (&entry, current, sizeof (entry));
+          /* Truncate overlong strings.  */
+          entry.d_name[sizeof (entry.d_name) - 1] = '\0';
+          TEST_VERIFY (strlen (entry.d_name) < sizeof (entry.d_name) - 1);
+
+	  if (in_ino_t_range (entry.d_ino))
+	    {
+	      TEST_COMPARE_STRING (entry.d_name, ddirp[i]->d_name);
+	      TEST_COMPARE (entry.d_ino, ddirp[i]->d_ino);
+	      TEST_COMPARE (entry.d_type, ddirp[i]->d_type);
+
+	      /* Offset zero is reserved for the first entry.  */
+	      TEST_VERIFY (entry.d_off != 0);
+
+	      TEST_VERIFY_EXIT (entry.d_reclen <= end - current);
+	      i++;
+	    }
+
+	  current += entry.d_reclen;
+	}
+    }
+
+  TEST_COMPARE (count, i);
+
+  free (tdirp);
+  for (int i = 0; i < count; i++)
+    free (ddirp[i]);
+  free (ddirp);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
-- 
2.34.1

Re: [PATCH v6 2/3] support: Add xreallocarray

[Florian Weimer]

* Adhemerval Zanella:

> +void *
> +xreallocarray (void *p, size_t n, size_t s)
> +{
> +  void *r = reallocarray (p, n, s);
> +  if (r == NULL)
> +    oom_error ("reallocarray", n);
> +  return r;
> +}

Isn't the failure condition more complicated?  See xrealloc.

Thanks,
Florian

Re: [PATCH v6 2/3] support: Add xreallocarray

[Adhemerval Zanella Netto]

On 10/03/23 13:49, Florian Weimer wrote:
> * Adhemerval Zanella:
> 
>> +void *
>> +xreallocarray (void *p, size_t n, size_t s)
>> +{
>> +  void *r = reallocarray (p, n, s);
>> +  if (r == NULL)
>> +    oom_error ("reallocarray", n);
>> +  return r;
>> +}
> 
> Isn't the failure condition more complicated?  See xrealloc.

Indeed, I will update the patch.

Re: [PATCH v6 2/3] support: Add xreallocarray

[Paul Eggert]

On 2023-03-10 10:44, Adhemerval Zanella Netto wrote:
> 
> 
> On 10/03/23 13:49, Florian Weimer wrote:
>> * Adhemerval Zanella:
>>
>>> +void *
>>> +xreallocarray (void *p, size_t n, size_t s)
>>> +{
>>> +  void *r = reallocarray (p, n, s);
>>> +  if (r == NULL)
>>> +    oom_error ("reallocarray", n);
>>> +  return r;
>>> +}
>>
>> Isn't the failure condition more complicated?  See xrealloc.
> 
> Indeed, I will update the patch.

You can steal the source code from Gnulib, which already has 
xreallocarray in lib/xmalloc.c.

(Gnulib also has an xireallocarray which is better if you're worried 
about integer overflow, but one step at a time.)

Re: [PATCH v6 3/3] linux: Set internal DIR filepos as off64_t (BZ #23960, BZ #24050)

[Paul Eggert]

On 2023-03-02 06:57, Adhemerval Zanella wrote:
> +      for (i = 0; i < dirstream_loc_size (&dirp->locs); i++)
> +	if (*dirstream_loc_at (&dirp->locs, i) == dirp->filepos)
> +	  break;
> +      /* It should be pre-allocated on readdir.  */
> +      assert (i != dirstream_loc_size (&dirp->locs));

This should be something like the following, to avoid unnecessary work 
when assertions are disabled:

   for (long int i = 0; ; i++)
     {
       assert (i < dirstream_loc_size (&dirp->locs));
       if (*dirstream_loc_at (&dirp->locs, i) == dirp->filepos)
	break;
     }

> +      /* This assignment might overflow, however most likely ENOME would
> +	 happen long before.  */
> +      dsp.p.info = i;

This doesn't sound right. The allocator should never create a table with 
more than LONG_MAX entries because the upper part of any such table 
would be useless. If that is done right, the assignment cannot overflow.

> +_Static_assert (sizeof (long int) == sizeof (off64_t),
> +		"sizeof (long int) != sizeof (off64_t)");

This is confusing. First, we need require only that long int be at least 
as wide as off64_t; it doesn't have to be exactly the same width. 
Second, why both "==" and "!="? Third, why not use plain "static_assert" 
with one arg instead of the old-fashioned "_Static_assert" with two? We 
can support this form of static_assert on older compilers - see how 
Gnulib does it.


> +static __always_inline bool
> +telldir_need_dirstream (__off64_t d_off)
> +{
> +  return d_off >= 1UL << 31;
> +}

Safer would be '! (TYPE_MINIMUM (off_t) <= d_off && d_off <= 
TYPE_MAXIMUM (off_t))', in case d_off is negative (or off_t isn't 32-bit 
:-).

Re: [PATCH v6 3/3] linux: Set internal DIR filepos as off64_t (BZ #23960, BZ #24050)

[Adhemerval Zanella Netto]

On 10/03/23 18:41, Paul Eggert wrote:
> On 2023-03-02 06:57, Adhemerval Zanella wrote:
>> +      for (i = 0; i < dirstream_loc_size (&dirp->locs); i++)
>> +    if (*dirstream_loc_at (&dirp->locs, i) == dirp->filepos)
>> +      break;
>> +      /* It should be pre-allocated on readdir.  */
>> +      assert (i != dirstream_loc_size (&dirp->locs));
> 
> This should be something like the following, to avoid unnecessary work when assertions are disabled:
> 
>   for (long int i = 0; ; i++)
>     {
>       assert (i < dirstream_loc_size (&dirp->locs));
>       if (*dirstream_loc_at (&dirp->locs, i) == dirp->filepos)
>     break;
>     }
> 

Ack, it works for me.


>> +      /* This assignment might overflow, however most likely ENOME would
>> +     happen long before.  */
>> +      dsp.p.info = i;
> 
> This doesn't sound right. The allocator should never create a table with more than LONG_MAX entries because the upper part of any such table would be useless. If that is done right, the assignment cannot overflow.

Indeed it does not make sense since it is based on malloc anyway. I will remove
the comment.

> 
>> +_Static_assert (sizeof (long int) == sizeof (off64_t),
>> +        "sizeof (long int) != sizeof (off64_t)");
> 
> This is confusing. First, we need require only that long int be at least as wide as off64_t; it doesn't have to be exactly the same width. Second, why both "==" and "!="? Third, why not use plain "static_assert" with one arg instead of the old-fashioned "_Static_assert" with two? We can support this form of static_assert on older compilers - see how Gnulib does it.

Indeed, we already set _DIRENT_OFFSET_TRANSLATION for (LONG_WIDTH < 64)
so maybe I think we should replace with 64 with sizeof (off_64) and
remove the static assert. 

> 
> 
>> +static __always_inline bool
>> +telldir_need_dirstream (__off64_t d_off)
>> +{
>> +  return d_off >= 1UL << 31;
>> +}
> 
> Safer would be '! (TYPE_MINIMUM (off_t) <= d_off && d_off <= TYPE_MAXIMUM (off_t))', in case d_off is negative (or off_t isn't 32-bit :-).

Ack.

Re: [PATCH v6 3/3] linux: Set internal DIR filepos as off64_t (BZ #23960, BZ #24050)

[Adhemerval Zanella Netto]

On 13/03/23 09:40, Adhemerval Zanella Netto wrote:
>>
>>> +_Static_assert (sizeof (long int) == sizeof (off64_t),
>>> +        "sizeof (long int) != sizeof (off64_t)");
>>
>> This is confusing. First, we need require only that long int be at least as wide as off64_t; it doesn't have to be exactly the same width. Second, why both "==" and "!="? Third, why not use plain "static_assert" with one arg instead of the old-fashioned "_Static_assert" with two? We can support this form of static_assert on older compilers - see how Gnulib does it.
> 
> Indeed, we already set _DIRENT_OFFSET_TRANSLATION for (LONG_WIDTH < 64)
> so maybe I think we should replace with 64 with sizeof (off_64) and
> remove the static assert. 

And I just realized that sizeof is not usable on preprocessor context,
so I will fix the static assert.  And I don't really want to pull another
huge gnulib header that we might eventually phase out once we start to use
a std that provides static_assert (we might revise it later).