]> git.saurik.com Git - apple/xnu.git/blobdiff - bsd/vfs/vfs_cache.c
xnu-4903.231.4.tar.gz
[apple/xnu.git] / bsd / vfs / vfs_cache.c
index a08ffe235607b3f6b9e37ecdc4f9e4f76bbea80d..56c69754c777d576f84a2cf98aee950068274545 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000-2012 Apple Inc. All rights reserved.
+ * Copyright (c) 2000-2015 Apple Inc. All rights reserved.
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  * 
@@ -82,6 +82,7 @@
 #include <sys/kauth.h>
 #include <sys/user.h>
 #include <sys/paths.h>
+#include <os/overflow.h>
 
 #if CONFIG_MACF
 #include <security/mac_framework.h>
@@ -178,15 +179,222 @@ static unsigned int crc32tab[256];
 #define NCHHASH(dvp, hash_val) \
        (&nchashtbl[(dvp->v_id ^ (hash_val)) & nchashmask])
 
+/*
+ * This function tries to check if a directory vp is a subdirectory of dvp
+ * only from valid v_parent pointers. It is called with the name cache lock
+ * held and does not drop the lock anytime inside the function.
+ *
+ * It returns a boolean that indicates whether or not it was able to
+ * successfully infer the parent/descendent relationship via the v_parent
+ * pointers, or if it could not infer such relationship and that the decision
+ * must be delegated to the owning filesystem.
+ *
+ * If it does not defer the decision, i.e. it was successfuly able to determine
+ * the parent/descendent relationship,  *is_subdir tells the caller if vp is a
+ * subdirectory of dvp.
+ *
+ * If the decision is deferred, *next_vp is where it stopped i.e. *next_vp
+ * is the vnode whose parent is to be determined from the filesystem.
+ * *is_subdir, in this case, is not indicative of anything and should be
+ * ignored.
+ *
+ * The return value and output args should be used as follows :
+ *
+ * defer = cache_check_vnode_issubdir(vp, dvp, is_subdir, next_vp);
+ * if (!defer) {
+ *     if (*is_subdir)
+ *             vp is subdirectory;
+ *     else
+ *             vp is not a subdirectory;
+ * } else {
+ *     if (*next_vp)
+ *             check this vnode's parent from the filesystem
+ *     else
+ *             error (likely because of forced unmount).
+ * }
+ *
+ */
+static boolean_t
+cache_check_vnode_issubdir(vnode_t vp, vnode_t dvp, boolean_t *is_subdir,
+    vnode_t *next_vp)
+{
+       vnode_t tvp = vp;
+       int defer = FALSE;
+
+       *is_subdir = FALSE;
+       *next_vp = NULLVP;
+       while (1) {
+               mount_t tmp;
+
+               if (tvp == dvp) {
+                       *is_subdir = TRUE;
+                       break;
+               } else if (tvp == rootvnode) {
+                       /* *is_subdir = FALSE */
+                       break;
+               }
+
+               tmp = tvp->v_mount;
+               while ((tvp->v_flag & VROOT) && tmp && tmp->mnt_vnodecovered &&
+                   tvp != dvp && tvp != rootvnode) {
+                       tvp = tmp->mnt_vnodecovered;
+                       tmp = tvp->v_mount;
+               }
+
+               /*
+                * If dvp is not at the top of a mount "stack" then
+                * vp is not a subdirectory of dvp either.
+                */
+               if (tvp == dvp || tvp == rootvnode) {
+                       /* *is_subdir = FALSE */
+                       break;
+               }
+
+               if (!tmp) {
+                       defer = TRUE;
+                       *next_vp = NULLVP;
+                       break;
+               }
+
+               if ((tvp->v_flag & VISHARDLINK) || !(tvp->v_parent)) {
+                       defer = TRUE;
+                       *next_vp = tvp;
+                       break;
+               }
+
+               tvp = tvp->v_parent;
+       }
+
+       return (defer);
+}
+
+/* maximum times retry from potentially transient errors in vnode_issubdir */
+#define MAX_ERROR_RETRY 3
+
+/*
+ * This function checks if a given directory (vp) is a subdirectory of dvp.
+ * It walks backwards from vp and if it hits dvp in its parent chain,
+ * it is a subdirectory. If it encounters the root directory, it is not
+ * a subdirectory.
+ *
+ * This function returns an error if it is unsuccessful and 0 on success.
+ *
+ * On entry (and exit) vp has an iocount and if this function has to take
+ * any iocounts on other vnodes in the parent chain traversal, it releases them.
+ */
+int
+vnode_issubdir(vnode_t vp, vnode_t dvp, int *is_subdir, vfs_context_t ctx)
+{
+       vnode_t start_vp, tvp;
+       vnode_t vp_with_iocount;
+       int error = 0;
+       char dotdotbuf[] = "..";
+       int error_retry_count = 0; /* retry count for potentially transient
+                                     errors */
+
+       *is_subdir = FALSE;
+       tvp = start_vp = vp;
+       /*
+        * Anytime we acquire an iocount in this function, we save the vnode
+        * in this variable and release it before exiting.
+        */
+       vp_with_iocount = NULLVP;
+
+       while (1) {
+               boolean_t defer;
+               vnode_t pvp;
+               uint32_t vid;
+               struct componentname cn;
+               boolean_t is_subdir_locked = FALSE;
 
+               if (tvp == dvp) {
+                       *is_subdir = TRUE;
+                       break;
+               } else if (tvp == rootvnode) {
+                       /* *is_subdir = FALSE */
+                       break;
+               }
+
+               NAME_CACHE_LOCK_SHARED();
+
+               defer = cache_check_vnode_issubdir(tvp, dvp, &is_subdir_locked,
+                   &tvp);
+
+               if (defer && tvp)
+                       vid = vnode_vid(tvp);
+
+               NAME_CACHE_UNLOCK();
+
+               if (!defer) {
+                       *is_subdir = is_subdir_locked;
+                       break;
+               }
+
+               if (!tvp) {
+                       if (error_retry_count++ < MAX_ERROR_RETRY) {
+                               tvp = vp;
+                               continue;
+                       }
+                       error = ENOENT;
+                       break;
+               }
+
+               if (tvp != start_vp) {
+                       if (vp_with_iocount) {
+                               vnode_put(vp_with_iocount);
+                               vp_with_iocount = NULLVP;
+                       }
+
+                       error = vnode_getwithvid(tvp, vid);
+                       if (error) {
+                               if (error_retry_count++ < MAX_ERROR_RETRY) {
+                                       tvp = vp;
+                                       error = 0;
+                                       continue;
+                               }
+                               break;
+                       }
+
+                       vp_with_iocount = tvp;
+               }
+
+               bzero(&cn, sizeof(cn));
+               cn.cn_nameiop = LOOKUP;
+               cn.cn_flags = ISLASTCN | ISDOTDOT;
+               cn.cn_context = ctx;
+               cn.cn_pnbuf = &dotdotbuf[0];
+               cn.cn_pnlen = sizeof(dotdotbuf);
+               cn.cn_nameptr = cn.cn_pnbuf;
+               cn.cn_namelen = 2;
+
+               pvp = NULLVP;
+               if ((error = VNOP_LOOKUP(tvp, &pvp, &cn, ctx)))
+                       break;
+
+               if (!(tvp->v_flag & VISHARDLINK) && tvp->v_parent != pvp) {
+                       (void)vnode_update_identity(tvp, pvp, NULL, 0, 0,
+                           VNODE_UPDATE_PARENT);
+               }
+
+               if (vp_with_iocount)
+                       vnode_put(vp_with_iocount);
+
+               vp_with_iocount = tvp = pvp;
+       }
+
+       if (vp_with_iocount)
+               vnode_put(vp_with_iocount);
+
+       return (error);
+}
 
 /*
- * This function builds the path to a filename in "buff".  The
- * length of the buffer *INCLUDING* the trailing zero byte is
- * returned in outlen.  NOTE: the length includes the trailing
- * zero byte and thus the length is one greater than what strlen
- * would return.  This is important and lots of code elsewhere
- * in the kernel assumes this behavior.
+ * This function builds the path in "buff" from the supplied vnode.
+ * The length of the buffer *INCLUDING* the trailing zero byte is
+ * returned in outlen.  NOTE: the length includes the trailing zero
+ * byte and thus the length is one greater than what strlen would
+ * return.  This is important and lots of code elsewhere in the kernel
+ * assumes this behavior.
  * 
  * This function can call vnop in file system if the parent vnode 
  * does not exist or when called for hardlinks via volfs path.  
@@ -203,9 +411,19 @@ static unsigned int crc32tab[256];
  * cross over mount points during building the path. 
  *
  * passed in vp must have a valid io_count reference
+ *
+ * If parent vnode is non-NULL it also must have an io count.  This
+ * allows build_path_with_parent to be safely called for operations
+ * unlink, rmdir and rename that already have io counts on the target
+ * and the directory. In this way build_path_with_parent does not have
+ * to try and obtain an additional io count on the parent.  Taking an
+ * io count ont the parent can lead to dead lock if a forced unmount
+ * occures at the right moment. For a fuller explaination on how this
+ * can occur see the comment for vn_getpath_with_parent.
+ *
  */
 int
-build_path(vnode_t first_vp, char *buff, int buflen, int *outlen, int flags, vfs_context_t ctx)
+build_path_with_parent(vnode_t first_vp, vnode_t parent_vp, char *buff, int buflen, int *outlen, int flags, vfs_context_t ctx)
 {
         vnode_t vp, tvp;
        vnode_t vp_with_iocount;
@@ -342,8 +560,12 @@ again:
                         * and disallow further path construction
                         */
                        if ((vp->v_parent == NULLVP) && (rootvnode != vp)) {
-                               /* Only '/' is allowed to have a NULL parent pointer */
-                               ret = EINVAL;
+                               /*
+                                * Only '/' is allowed to have a NULL parent
+                                * pointer. Upper level callers should ideally
+                                * re-drive name lookup on receiving a ENOENT.
+                                */
+                               ret = ENOENT;
 
                                /* The code below will exit early if 'tvp = vp' == NULL */
                        }
@@ -376,7 +598,7 @@ again:
 
                        NAME_CACHE_UNLOCK();
 
-                       if (vp != first_vp && vp != vp_with_iocount) {
+                       if (vp != first_vp && vp != parent_vp && vp != vp_with_iocount) {
                                if (vp_with_iocount) {
                                        vnode_put(vp_with_iocount);
                                        vp_with_iocount = NULLVP;
@@ -462,6 +684,26 @@ bad_news:
                                vp = vp->v_parent;
                }
 
+               if (vp && (flags & BUILDPATH_CHECKACCESS)) {
+                       vid = vp->v_id;
+
+                       NAME_CACHE_UNLOCK();
+
+                       if (vp != first_vp && vp != parent_vp && vp != vp_with_iocount) {
+                               if (vp_with_iocount) {
+                                       vnode_put(vp_with_iocount);
+                                       vp_with_iocount = NULLVP;
+                               }
+                               if (vnode_getwithvid(vp, vid))
+                                       goto again;
+                               vp_with_iocount = vp;
+                       }
+                       if ((ret = vnode_authorize(vp, NULL, KAUTH_VNODE_SEARCH, ctx)))
+                               goto out;       /* no peeking */
+
+                       NAME_CACHE_LOCK_SHARED();
+               }
+
                /*
                 * When a mount point is crossed switch the vp.
                 * Continue until we find the root or we find
@@ -487,26 +729,6 @@ bad_news:
                if (tvp == NULLVP)
                        goto out_unlock;
                vp = tvp;
-
-               if (vp && (flags & BUILDPATH_CHECKACCESS)) {
-                       vid = vp->v_id;
-
-                       NAME_CACHE_UNLOCK();
-
-                       if (vp != first_vp && vp != vp_with_iocount) {
-                               if (vp_with_iocount) {
-                                       vnode_put(vp_with_iocount);
-                                       vp_with_iocount = NULLVP;
-                               }
-                               if (vnode_getwithvid(vp, vid))
-                                       goto again;
-                               vp_with_iocount = vp;
-                       }
-                       if ((ret = vnode_authorize(vp, NULL, KAUTH_VNODE_SEARCH, ctx)))
-                               goto out;       /* no peeking */
-
-                       NAME_CACHE_LOCK_SHARED();
-               }
        }
 out_unlock:
        NAME_CACHE_UNLOCK();
@@ -534,6 +756,11 @@ out:
        return (ret);
 }
 
+int
+build_path(vnode_t first_vp, char *buff, int buflen, int *outlen, int flags, vfs_context_t ctx)
+{
+       return (build_path_with_parent(first_vp, NULL, buff, buflen, outlen, flags, ctx));
+}
 
 /*
  * return NULLVP if vp's parent doesn't
@@ -650,10 +877,8 @@ vnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int name_len, u
 {
        struct  namecache *ncp;
         vnode_t        old_parentvp = NULLVP;
-#if NAMEDSTREAMS
        int isstream = (vp->v_flag & VISNAMEDSTREAM);
        int kusecountbumped = 0;
-#endif
        kauth_cred_t tcred = NULL;
        const char *vname = NULL;
        const char *tname = NULL;
@@ -662,7 +887,6 @@ vnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int name_len, u
                if (dvp && vnode_ref(dvp) != 0) {
                        dvp = NULLVP;
                }
-#if NAMEDSTREAMS
                /* Don't count a stream's parent ref during unmounts */
                if (isstream && dvp && (dvp != vp) && (dvp != vp->v_parent) && (dvp->v_type == VREG)) {
                        vnode_lock_spin(dvp);
@@ -670,7 +894,6 @@ vnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int name_len, u
                        kusecountbumped = 1;
                        vnode_unlock(dvp);
                }
-#endif
        } else {
                dvp = NULLVP;
        }
@@ -696,7 +919,7 @@ vnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int name_len, u
                        while ( (ncp = LIST_FIRST(&vp->v_nclinks)) )
                                cache_delete(ncp, 1);
 
-                       while ( (ncp = LIST_FIRST(&vp->v_ncchildren)) )
+                       while ( (ncp = TAILQ_FIRST(&vp->v_ncchildren)) )
                                cache_delete(ncp, 1);
 
                        /*
@@ -705,6 +928,7 @@ vnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int name_len, u
                        tcred = vp->v_cred;
                        vp->v_cred = NOCRED;
                        vp->v_authorized_actions = 0;
+                       vp->v_cred_timestamp = 0;
                }
                if ( (flags & VNODE_UPDATE_NAME) ) {
                        vname = vp->v_name;
@@ -733,7 +957,6 @@ vnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int name_len, u
                        kauth_cred_unref(&tcred);
        }
        if (dvp != NULLVP) {
-#if NAMEDSTREAMS
                /* Back-out the ref we took if we lost a race for vp->v_parent. */
                if (kusecountbumped) {
                        vnode_lock_spin(dvp);
@@ -741,20 +964,17 @@ vnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int name_len, u
                                --dvp->v_kusecount;  
                        vnode_unlock(dvp);
                }
-#endif
                vnode_rele(dvp);
        }
        if (old_parentvp) {
                struct  uthread *ut;
 
-#if NAMEDSTREAMS
                if (isstream) {
                        vnode_lock_spin(old_parentvp);
                        if ((old_parentvp->v_type != VDIR) && (old_parentvp->v_kusecount > 0))
                                --old_parentvp->v_kusecount;
                        vnode_unlock(old_parentvp);
                }
-#endif
                ut = get_bsdthread_info(current_thread());
 
                /*
@@ -1056,6 +1276,7 @@ cache_lookup_path(struct nameidata *ndp, struct componentname *cnp, vnode_t dp,
         mount_t                mp;
        unsigned int    hash;
        int             error = 0;
+       boolean_t       dotdotchecked = FALSE;
 
 #if CONFIG_TRIGGERS
        vnode_t         trigger_vp;
@@ -1149,7 +1370,7 @@ skiprsrcfork:
 
 #if CONFIG_MACF
 
-               /* 
+               /*
                 * Name cache provides authorization caching (see below)
                 * that will short circuit MAC checks in lookup().
                 * We must perform MAC check here.  On denial
@@ -1164,15 +1385,30 @@ skiprsrcfork:
                        }
                }
 #endif /* MAC */
-               if (ttl_enabled && ((tv.tv_sec - dp->v_cred_timestamp) > dp->v_mount->mnt_authcache_ttl))
+               if (ttl_enabled &&
+                   (dp->v_mount->mnt_authcache_ttl == 0 ||
+                   ((tv.tv_sec - dp->v_cred_timestamp) > dp->v_mount->mnt_authcache_ttl))) {
                        break;
+               }
 
                /*
                 * NAME_CACHE_LOCK holds these fields stable
+                *
+                * We can't cache KAUTH_VNODE_SEARCHBYANYONE for root correctly
+                * so we make an ugly check for root here. root is always
+                * allowed and breaking out of here only to find out that is
+                * authorized by virtue of being root is very very expensive.
+                * However, the check for not root is valid only for filesystems
+                * which use local authorization.
+                *
+                * XXX: Remove the check for root when we can reliably set
+                * KAUTH_VNODE_SEARCHBYANYONE as root.
                 */
                if ((dp->v_cred != ucred || !(dp->v_authorized_actions & KAUTH_VNODE_SEARCH)) &&
-                   !(dp->v_authorized_actions & KAUTH_VNODE_SEARCHBYANYONE))
+                   !(dp->v_authorized_actions & KAUTH_VNODE_SEARCHBYANYONE) &&
+                   (ttl_enabled || !vfs_context_issuser(ctx)))  {
                        break;
+               }
 
                /*
                 * indicate that we're allowed to traverse this directory...
@@ -1194,7 +1430,7 @@ skiprsrcfork:
                                 * Force directory hardlinks to go to
                                 * file system for ".." requests.
                                 */
-                               if (dp && (dp->v_flag & VISHARDLINK)) {
+                               if ((dp->v_flag & VISHARDLINK)) {
                                        break;
                                }
                                /*
@@ -1224,9 +1460,53 @@ skiprsrcfork:
                 */
                if (cnp->cn_namelen == 1 && cnp->cn_nameptr[0] == '.')
                        vp = dp;
-               else if ( (cnp->cn_flags & ISDOTDOT) )
-                       vp = dp->v_parent;
-               else {
+               else if ( (cnp->cn_flags & ISDOTDOT) ) {
+                       /*
+                        * If this is a chrooted process, we need to check if
+                        * the process is trying to break out of its chrooted
+                        * jail. We do that by trying to determine if dp is
+                        * a subdirectory of ndp->ni_rootdir. If we aren't
+                        * able to determine that by the v_parent pointers, we
+                        * will leave the fast path.
+                        *
+                        * Since this function may see dotdot components
+                        * many times and it has the name cache lock held for
+                        * the entire duration, we optimise this by doing this
+                        * check only once per cache_lookup_path call.
+                        * If dotdotchecked is set, it means we've done this
+                        * check once already and don't need to do it again.
+                        */
+                       if (!dotdotchecked && (ndp->ni_rootdir != rootvnode)) {
+                               vnode_t tvp = dp;
+                               boolean_t defer = FALSE;
+                               boolean_t is_subdir = FALSE;
+
+                               defer = cache_check_vnode_issubdir(tvp,
+                                   ndp->ni_rootdir, &is_subdir, &tvp);
+
+                               if (defer) {
+                                       /* defer to Filesystem */
+                                       break;
+                               } else if (!is_subdir) {
+                                       /*
+                                        * This process is trying to break  out
+                                        * of its chrooted jail, so all its
+                                        * dotdot accesses will be translated to
+                                        * its root directory.
+                                        */
+                                       vp = ndp->ni_rootdir;
+                               } else {
+                                       /*
+                                        * All good, let this dotdot access
+                                        * proceed normally
+                                        */
+                                       vp = dp->v_parent;
+                               }
+                               dotdotchecked = TRUE;
+                       } else {
+                               vp = dp->v_parent;
+                       }
+               } else {
                        if ( (vp = cache_lookup_locked(dp, cnp)) == NULLVP)
                                break;
 
@@ -1248,11 +1528,11 @@ skiprsrcfork:
                }
 
                if ( (mp = vp->v_mountedhere) && ((cnp->cn_flags & NOCROSSMOUNT) == 0)) {
-
-                       if (mp->mnt_realrootvp == NULLVP || mp->mnt_generation != mount_generation ||
-                               mp->mnt_realrootvp_vid != mp->mnt_realrootvp->v_id)
-                               break;
-                       vp = mp->mnt_realrootvp;
+                       vnode_t tmp_vp = mp->mnt_realrootvp;
+                       if (tmp_vp == NULLVP || mp->mnt_generation != mount_generation ||
+                               mp->mnt_realrootvp_vid != tmp_vp->v_id)
+                               break;
+                       vp = tmp_vp;
                }
 
 #if CONFIG_TRIGGERS
@@ -1261,10 +1541,8 @@ skiprsrcfork:
                 * trigger in hand, resolve it.  Note that we don't need to 
                 * leave the fast path if the mount has already happened.
                 */
-               if ((vp->v_resolve != NULL) && 
-                               (vp->v_resolve->vr_resolve_func != NULL)) {
+               if (vp->v_resolve)
                        break;
-               } 
 #endif /* CONFIG_TRIGGERS */
 
 
@@ -1415,7 +1693,7 @@ cache_lookup_locked(vnode_t dvp, struct componentname *cnp)
        ncpp = NCHHASH(dvp, cnp->cn_hash);
        LIST_FOREACH(ncp, ncpp, nc_hash) {
                if ((ncp->nc_dvp == dvp) && (ncp->nc_hashval == hashval)) {
-                       if (memcmp(ncp->nc_name, cnp->cn_nameptr, namelen) == 0 && ncp->nc_name[namelen] == 0)
+                       if (strncmp(ncp->nc_name, cnp->cn_nameptr, namelen) == 0 && ncp->nc_name[namelen] == 0)
                                break;
                }
        }
@@ -1502,7 +1780,7 @@ relook:
        ncpp = NCHHASH(dvp, cnp->cn_hash);
        LIST_FOREACH(ncp, ncpp, nc_hash) {
                if ((ncp->nc_dvp == dvp) && (ncp->nc_hashval == hashval)) {
-                       if (memcmp(ncp->nc_name, cnp->cn_nameptr, namelen) == 0 && ncp->nc_name[namelen] == 0)
+                       if (strncmp(ncp->nc_name, cnp->cn_nameptr, namelen) == 0 && ncp->nc_name[namelen] == 0)
                                break;
                }
        }
@@ -1707,6 +1985,25 @@ cache_enter_locked(struct vnode *dvp, struct vnode *vp, struct componentname *cn
                ncp->nc_name = add_name_internal(cnp->cn_nameptr, cnp->cn_namelen, cnp->cn_hash, FALSE, 0);
        else
                ncp->nc_name = strname;
+
+       //
+       // If the bytes of the name associated with the vnode differ,
+       // use the name associated with the vnode since the file system
+       // may have set that explicitly in the case of a lookup on a
+       // case-insensitive file system where the case of the looked up
+       // name differs from what is on disk.  For more details, see:
+       //   <rdar://problem/8044697> FSEvents doesn't always decompose diacritical unicode chars in the paths of the changed directories
+       // 
+       const char *vn_name = vp ? vp->v_name : NULL;
+       unsigned int len = vn_name ? strlen(vn_name) : 0;
+       if (vn_name && ncp && ncp->nc_name && strncmp(ncp->nc_name, vn_name, len) != 0) {
+               unsigned int hash = hash_string(vn_name, len);
+               
+               vfs_removename(ncp->nc_name);
+               ncp->nc_name = add_name_internal(vn_name, len, hash, FALSE, 0);
+               ncp->nc_hashval = hash;
+       }
+
        /*
         * make us the newest entry in the cache
         * i.e. we'll be the last to be stolen
@@ -1757,7 +2054,10 @@ cache_enter_locked(struct vnode *dvp, struct vnode *vp, struct componentname *cn
         * add us to the list of name cache entries that
         * are children of dvp
         */
-       LIST_INSERT_HEAD(&dvp->v_ncchildren, ncp, nc_child);
+       if (vp)
+               TAILQ_INSERT_TAIL(&dvp->v_ncchildren, ncp, nc_child);
+       else
+               TAILQ_INSERT_HEAD(&dvp->v_ncchildren, ncp, nc_child);
 }
 
 
@@ -1860,28 +2160,35 @@ name_cache_unlock(void)
 
 
 int
-resize_namecache(u_int newsize)
+resize_namecache(int newsize)
 {
     struct nchashhead  *new_table;
     struct nchashhead  *old_table;
     struct nchashhead  *old_head, *head;
     struct namecache   *entry, *next;
     uint32_t           i, hashval;
-    int                        dNodes, dNegNodes;
+    int                        dNodes, dNegNodes, nelements;
     u_long             new_size, old_size;
 
+    if (newsize < 0)
+        return EINVAL;
+
     dNegNodes = (newsize / 10);
     dNodes = newsize + dNegNodes;
-
     // we don't support shrinking yet
     if (dNodes <= desiredNodes) {
-       return 0;
+        return 0;
+    }
+
+    if (os_mul_overflow(dNodes, 2, &nelements)) {
+        return EINVAL;
     }
-    new_table = hashinit(2 * dNodes, M_CACHE, &nchashmask);
+
+    new_table = hashinit(nelements, M_CACHE, &nchashmask);
     new_size  = nchashmask + 1;
 
     if (new_table == NULL) {
-       return ENOMEM;
+        return ENOMEM;
     }
 
     NAME_CACHE_LOCK();
@@ -1919,7 +2226,7 @@ resize_namecache(u_int newsize)
 }
 
 static void
-cache_delete(struct namecache *ncp, int age_entry)
+cache_delete(struct namecache *ncp, int free_entry)
 {
         NCHSTAT(ncs_deletes);
 
@@ -1929,7 +2236,7 @@ cache_delete(struct namecache *ncp, int age_entry)
                TAILQ_REMOVE(&neghead, ncp, nc_un.nc_negentry);
                ncs_negtotal--;
        }
-        LIST_REMOVE(ncp, nc_child);
+        TAILQ_REMOVE(&(ncp->nc_dvp->v_ncchildren), ncp, nc_child);
 
        LIST_REMOVE(ncp, nc_hash);
        /*
@@ -1940,16 +2247,13 @@ cache_delete(struct namecache *ncp, int age_entry)
         */
        ncp->nc_hash.le_prev = NULL;
 
-       if (age_entry) {
-               /*
-                * make it the next one available
-                * for cache_enter's use
-                */
-               TAILQ_REMOVE(&nchead, ncp, nc_entry);
-               TAILQ_INSERT_HEAD(&nchead, ncp, nc_entry);
-       }
        vfs_removename(ncp->nc_name);
        ncp->nc_name = NULL;
+       if (free_entry) {
+               TAILQ_REMOVE(&nchead, ncp, nc_entry);
+               FREE_ZONE(ncp, sizeof(*ncp), M_CACHE);
+               numcache--;
+       }
 }
 
 
@@ -1964,7 +2268,7 @@ cache_purge(vnode_t vp)
        kauth_cred_t tcred = NULL;
 
        if ((LIST_FIRST(&vp->v_nclinks) == NULL) && 
-                       (LIST_FIRST(&vp->v_ncchildren) == NULL) && 
+                       (TAILQ_FIRST(&vp->v_ncchildren) == NULL) &&
                        (vp->v_cred == NOCRED) &&
                        (vp->v_parent == NULLVP))
                return;
@@ -1977,7 +2281,7 @@ cache_purge(vnode_t vp)
        while ( (ncp = LIST_FIRST(&vp->v_nclinks)) )
                cache_delete(ncp, 1);
 
-       while ( (ncp = LIST_FIRST(&vp->v_ncchildren)) )
+       while ( (ncp = TAILQ_FIRST(&vp->v_ncchildren)) )
                cache_delete(ncp, 1);
 
        /*
@@ -2007,9 +2311,12 @@ cache_purge_negatives(vnode_t vp)
 
        NAME_CACHE_LOCK();
 
-       LIST_FOREACH_SAFE(ncp, &vp->v_ncchildren, nc_child, next_ncp)
-               if (ncp->nc_vp == NULL)
-                       cache_delete(ncp , 1);
+       TAILQ_FOREACH_SAFE(ncp, &vp->v_ncchildren, nc_child, next_ncp) {
+               if (ncp->nc_vp)
+                       break;
+
+               cache_delete(ncp, 1);
+       }
 
        NAME_CACHE_UNLOCK();
 }
@@ -2140,6 +2447,9 @@ add_name_internal(const char *name, uint32_t len, u_int hashval, boolean_t need_
         uint32_t         lock_index;
        char              *ptr;
     
+       if (len > MAXPATHLEN)
+               len = MAXPATHLEN;
+
        /*
         * if the length already accounts for the null-byte, then
         * subtract one so later on we don't index past the end
@@ -2177,7 +2487,7 @@ add_name_internal(const char *name, uint32_t len, u_int hashval, boolean_t need_
        lck_mtx_lock_spin(&strcache_mtx_locks[lock_index]);
 
        for (entry = head->lh_first; entry != NULL; chain_len++, entry = entry->hash_chain.le_next) {
-               if (memcmp(entry->str, name, len) == 0 && entry->str[len] == 0) {
+               if (strncmp(entry->str, name, len) == 0 && entry->str[len] == 0) {
                        entry->refcount++;
                        break;
                }