linux/fs/exec.c
<<
>>
Prefs
   1/*
   2 *  linux/fs/exec.c
   3 *
   4 *  Copyright (C) 1991, 1992  Linus Torvalds
   5 */
   6
   7/*
   8 * #!-checking implemented by tytso.
   9 */
  10/*
  11 * Demand-loading implemented 01.12.91 - no need to read anything but
  12 * the header into memory. The inode of the executable is put into
  13 * "current->executable", and page faults do the actual loading. Clean.
  14 *
  15 * Once more I can proudly say that linux stood up to being changed: it
  16 * was less than 2 hours work to get demand-loading completely implemented.
  17 *
  18 * Demand loading changed July 1993 by Eric Youngdale.   Use mmap instead,
  19 * current->executable is only used by the procfs.  This allows a dispatch
  20 * table to check for several different types  of binary formats.  We keep
  21 * trying until we recognize the file or we run out of supported binary
  22 * formats. 
  23 */
  24
  25#include <linux/slab.h>
  26#include <linux/file.h>
  27#include <linux/fdtable.h>
  28#include <linux/mm.h>
  29#include <linux/stat.h>
  30#include <linux/fcntl.h>
  31#include <linux/swap.h>
  32#include <linux/string.h>
  33#include <linux/init.h>
  34#include <linux/pagemap.h>
  35#include <linux/perf_event.h>
  36#include <linux/highmem.h>
  37#include <linux/spinlock.h>
  38#include <linux/key.h>
  39#include <linux/personality.h>
  40#include <linux/binfmts.h>
  41#include <linux/utsname.h>
  42#include <linux/pid_namespace.h>
  43#include <linux/module.h>
  44#include <linux/namei.h>
  45#include <linux/mount.h>
  46#include <linux/security.h>
  47#include <linux/syscalls.h>
  48#include <linux/tsacct_kern.h>
  49#include <linux/cn_proc.h>
  50#include <linux/audit.h>
  51#include <linux/tracehook.h>
  52#include <linux/kmod.h>
  53#include <linux/fsnotify.h>
  54#include <linux/fs_struct.h>
  55#include <linux/pipe_fs_i.h>
  56#include <linux/oom.h>
  57#include <linux/compat.h>
  58
  59#include <asm/uaccess.h>
  60#include <asm/mmu_context.h>
  61#include <asm/tlb.h>
  62
  63#include <trace/events/task.h>
  64#include "internal.h"
  65
  66int core_uses_pid;
  67char core_pattern[CORENAME_MAX_SIZE] = "core";
  68unsigned int core_pipe_limit;
  69int suid_dumpable = 0;
  70
  71struct core_name {
  72        char *corename;
  73        int used, size;
  74};
  75static atomic_t call_count = ATOMIC_INIT(1);
  76
  77/* The maximal length of core_pattern is also specified in sysctl.c */
  78
  79static LIST_HEAD(formats);
  80static DEFINE_RWLOCK(binfmt_lock);
  81
  82int __register_binfmt(struct linux_binfmt * fmt, int insert)
  83{
  84        if (!fmt)
  85                return -EINVAL;
  86        write_lock(&binfmt_lock);
  87        insert ? list_add(&fmt->lh, &formats) :
  88                 list_add_tail(&fmt->lh, &formats);
  89        write_unlock(&binfmt_lock);
  90        return 0;       
  91}
  92
  93EXPORT_SYMBOL(__register_binfmt);
  94
  95void unregister_binfmt(struct linux_binfmt * fmt)
  96{
  97        write_lock(&binfmt_lock);
  98        list_del(&fmt->lh);
  99        write_unlock(&binfmt_lock);
 100}
 101
 102EXPORT_SYMBOL(unregister_binfmt);
 103
 104static inline void put_binfmt(struct linux_binfmt * fmt)
 105{
 106        module_put(fmt->module);
 107}
 108
 109/*
 110 * Note that a shared library must be both readable and executable due to
 111 * security reasons.
 112 *
 113 * Also note that we take the address to load from from the file itself.
 114 */
 115SYSCALL_DEFINE1(uselib, const char __user *, library)
 116{
 117        struct file *file;
 118        char *tmp = getname(library);
 119        int error = PTR_ERR(tmp);
 120        static const struct open_flags uselib_flags = {
 121                .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
 122                .acc_mode = MAY_READ | MAY_EXEC | MAY_OPEN,
 123                .intent = LOOKUP_OPEN
 124        };
 125
 126        if (IS_ERR(tmp))
 127                goto out;
 128
 129        file = do_filp_open(AT_FDCWD, tmp, &uselib_flags, LOOKUP_FOLLOW);
 130        putname(tmp);
 131        error = PTR_ERR(file);
 132        if (IS_ERR(file))
 133                goto out;
 134
 135        error = -EINVAL;
 136        if (!S_ISREG(file->f_path.dentry->d_inode->i_mode))
 137                goto exit;
 138
 139        error = -EACCES;
 140        if (file->f_path.mnt->mnt_flags & MNT_NOEXEC)
 141                goto exit;
 142
 143        fsnotify_open(file);
 144
 145        error = -ENOEXEC;
 146        if(file->f_op) {
 147                struct linux_binfmt * fmt;
 148
 149                read_lock(&binfmt_lock);
 150                list_for_each_entry(fmt, &formats, lh) {
 151                        if (!fmt->load_shlib)
 152                                continue;
 153                        if (!try_module_get(fmt->module))
 154                                continue;
 155                        read_unlock(&binfmt_lock);
 156                        error = fmt->load_shlib(file);
 157                        read_lock(&binfmt_lock);
 158                        put_binfmt(fmt);
 159                        if (error != -ENOEXEC)
 160                                break;
 161                }
 162                read_unlock(&binfmt_lock);
 163        }
 164exit:
 165        fput(file);
 166out:
 167        return error;
 168}
 169
 170#ifdef CONFIG_MMU
 171/*
 172 * The nascent bprm->mm is not visible until exec_mmap() but it can
 173 * use a lot of memory, account these pages in current->mm temporary
 174 * for oom_badness()->get_mm_rss(). Once exec succeeds or fails, we
 175 * change the counter back via acct_arg_size(0).
 176 */
 177static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
 178{
 179        struct mm_struct *mm = current->mm;
 180        long diff = (long)(pages - bprm->vma_pages);
 181
 182        if (!mm || !diff)
 183                return;
 184
 185        bprm->vma_pages = pages;
 186        add_mm_counter(mm, MM_ANONPAGES, diff);
 187}
 188
 189static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
 190                int write)
 191{
 192        struct page *page;
 193        int ret;
 194
 195#ifdef CONFIG_STACK_GROWSUP
 196        if (write) {
 197                ret = expand_downwards(bprm->vma, pos);
 198                if (ret < 0)
 199                        return NULL;
 200        }
 201#endif
 202        ret = get_user_pages(current, bprm->mm, pos,
 203                        1, write, 1, &page, NULL);
 204        if (ret <= 0)
 205                return NULL;
 206
 207        if (write) {
 208                unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
 209                struct rlimit *rlim;
 210
 211                acct_arg_size(bprm, size / PAGE_SIZE);
 212
 213                /*
 214                 * We've historically supported up to 32 pages (ARG_MAX)
 215                 * of argument strings even with small stacks
 216                 */
 217                if (size <= ARG_MAX)
 218                        return page;
 219
 220                /*
 221                 * Limit to 1/4-th the stack size for the argv+env strings.
 222                 * This ensures that:
 223                 *  - the remaining binfmt code will not run out of stack space,
 224                 *  - the program will have a reasonable amount of stack left
 225                 *    to work from.
 226                 */
 227                rlim = current->signal->rlim;
 228                if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) {
 229                        put_page(page);
 230                        return NULL;
 231                }
 232        }
 233
 234        return page;
 235}
 236
 237static void put_arg_page(struct page *page)
 238{
 239        put_page(page);
 240}
 241
 242static void free_arg_page(struct linux_binprm *bprm, int i)
 243{
 244}
 245
 246static void free_arg_pages(struct linux_binprm *bprm)
 247{
 248}
 249
 250static void flush_arg_page(struct linux_binprm *bprm, unsigned long pos,
 251                struct page *page)
 252{
 253        flush_cache_page(bprm->vma, pos, page_to_pfn(page));
 254}
 255
 256static int __bprm_mm_init(struct linux_binprm *bprm)
 257{
 258        int err;
 259        struct vm_area_struct *vma = NULL;
 260        struct mm_struct *mm = bprm->mm;
 261
 262        bprm->vma = vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
 263        if (!vma)
 264                return -ENOMEM;
 265
 266        down_write(&mm->mmap_sem);
 267        vma->vm_mm = mm;
 268
 269        /*
 270         * Place the stack at the largest stack address the architecture
 271         * supports. Later, we'll move this to an appropriate place. We don't
 272         * use STACK_TOP because that can depend on attributes which aren't
 273         * configured yet.
 274         */
 275        BUILD_BUG_ON(VM_STACK_FLAGS & VM_STACK_INCOMPLETE_SETUP);
 276        vma->vm_end = STACK_TOP_MAX;
 277        vma->vm_start = vma->vm_end - PAGE_SIZE;
 278        vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
 279        vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
 280        INIT_LIST_HEAD(&vma->anon_vma_chain);
 281
 282        err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
 283        if (err)
 284                goto err;
 285
 286        err = insert_vm_struct(mm, vma);
 287        if (err)
 288                goto err;
 289
 290        mm->stack_vm = mm->total_vm = 1;
 291        up_write(&mm->mmap_sem);
 292        bprm->p = vma->vm_end - sizeof(void *);
 293        return 0;
 294err:
 295        up_write(&mm->mmap_sem);
 296        bprm->vma = NULL;
 297        kmem_cache_free(vm_area_cachep, vma);
 298        return err;
 299}
 300
 301static bool valid_arg_len(struct linux_binprm *bprm, long len)
 302{
 303        return len <= MAX_ARG_STRLEN;
 304}
 305
 306#else
 307
 308static inline void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
 309{
 310}
 311
 312static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
 313                int write)
 314{
 315        struct page *page;
 316
 317        page = bprm->page[pos / PAGE_SIZE];
 318        if (!page && write) {
 319                page = alloc_page(GFP_HIGHUSER|__GFP_ZERO);
 320                if (!page)
 321                        return NULL;
 322                bprm->page[pos / PAGE_SIZE] = page;
 323        }
 324
 325        return page;
 326}
 327
 328static void put_arg_page(struct page *page)
 329{
 330}
 331
 332static void free_arg_page(struct linux_binprm *bprm, int i)
 333{
 334        if (bprm->page[i]) {
 335                __free_page(bprm->page[i]);
 336                bprm->page[i] = NULL;
 337        }
 338}
 339
 340static void free_arg_pages(struct linux_binprm *bprm)
 341{
 342        int i;
 343
 344        for (i = 0; i < MAX_ARG_PAGES; i++)
 345                free_arg_page(bprm, i);
 346}
 347
 348static void flush_arg_page(struct linux_binprm *bprm, unsigned long pos,
 349                struct page *page)
 350{
 351}
 352
 353static int __bprm_mm_init(struct linux_binprm *bprm)
 354{
 355        bprm->p = PAGE_SIZE * MAX_ARG_PAGES - sizeof(void *);
 356        return 0;
 357}
 358
 359static bool valid_arg_len(struct linux_binprm *bprm, long len)
 360{
 361        return len <= bprm->p;
 362}
 363
 364#endif /* CONFIG_MMU */
 365
 366/*
 367 * Create a new mm_struct and populate it with a temporary stack
 368 * vm_area_struct.  We don't have enough context at this point to set the stack
 369 * flags, permissions, and offset, so we use temporary values.  We'll update
 370 * them later in setup_arg_pages().
 371 */
 372int bprm_mm_init(struct linux_binprm *bprm)
 373{
 374        int err;
 375        struct mm_struct *mm = NULL;
 376
 377        bprm->mm = mm = mm_alloc();
 378        err = -ENOMEM;
 379        if (!mm)
 380                goto err;
 381
 382        err = init_new_context(current, mm);
 383        if (err)
 384                goto err;
 385
 386        err = __bprm_mm_init(bprm);
 387        if (err)
 388                goto err;
 389
 390        return 0;
 391
 392err:
 393        if (mm) {
 394                bprm->mm = NULL;
 395                mmdrop(mm);
 396        }
 397
 398        return err;
 399}
 400
 401struct user_arg_ptr {
 402#ifdef CONFIG_COMPAT
 403        bool is_compat;
 404#endif
 405        union {
 406                const char __user *const __user *native;
 407#ifdef CONFIG_COMPAT
 408                compat_uptr_t __user *compat;
 409#endif
 410        } ptr;
 411};
 412
 413static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
 414{
 415        const char __user *native;
 416
 417#ifdef CONFIG_COMPAT
 418        if (unlikely(argv.is_compat)) {
 419                compat_uptr_t compat;
 420
 421                if (get_user(compat, argv.ptr.compat + nr))
 422                        return ERR_PTR(-EFAULT);
 423
 424                return compat_ptr(compat);
 425        }
 426#endif
 427
 428        if (get_user(native, argv.ptr.native + nr))
 429                return ERR_PTR(-EFAULT);
 430
 431        return native;
 432}
 433
 434/*
 435 * count() counts the number of strings in array ARGV.
 436 */
 437static int count(struct user_arg_ptr argv, int max)
 438{
 439        int i = 0;
 440
 441        if (argv.ptr.native != NULL) {
 442                for (;;) {
 443                        const char __user *p = get_user_arg_ptr(argv, i);
 444
 445                        if (!p)
 446                                break;
 447
 448                        if (IS_ERR(p))
 449                                return -EFAULT;
 450
 451                        if (i++ >= max)
 452                                return -E2BIG;
 453
 454                        if (fatal_signal_pending(current))
 455                                return -ERESTARTNOHAND;
 456                        cond_resched();
 457                }
 458        }
 459        return i;
 460}
 461
 462/*
 463 * 'copy_strings()' copies argument/environment strings from the old
 464 * processes's memory to the new process's stack.  The call to get_user_pages()
 465 * ensures the destination page is created and not swapped out.
 466 */
 467static int copy_strings(int argc, struct user_arg_ptr argv,
 468                        struct linux_binprm *bprm)
 469{
 470        struct page *kmapped_page = NULL;
 471        char *kaddr = NULL;
 472        unsigned long kpos = 0;
 473        int ret;
 474
 475        while (argc-- > 0) {
 476                const char __user *str;
 477                int len;
 478                unsigned long pos;
 479
 480                ret = -EFAULT;
 481                str = get_user_arg_ptr(argv, argc);
 482                if (IS_ERR(str))
 483                        goto out;
 484
 485                len = strnlen_user(str, MAX_ARG_STRLEN);
 486                if (!len)
 487                        goto out;
 488
 489                ret = -E2BIG;
 490                if (!valid_arg_len(bprm, len))
 491                        goto out;
 492
 493                /* We're going to work our way backwords. */
 494                pos = bprm->p;
 495                str += len;
 496                bprm->p -= len;
 497
 498                while (len > 0) {
 499                        int offset, bytes_to_copy;
 500
 501                        if (fatal_signal_pending(current)) {
 502                                ret = -ERESTARTNOHAND;
 503                                goto out;
 504                        }
 505                        cond_resched();
 506
 507                        offset = pos % PAGE_SIZE;
 508                        if (offset == 0)
 509                                offset = PAGE_SIZE;
 510
 511                        bytes_to_copy = offset;
 512                        if (bytes_to_copy > len)
 513                                bytes_to_copy = len;
 514
 515                        offset -= bytes_to_copy;
 516                        pos -= bytes_to_copy;
 517                        str -= bytes_to_copy;
 518                        len -= bytes_to_copy;
 519
 520                        if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
 521                                struct page *page;
 522
 523                                page = get_arg_page(bprm, pos, 1);
 524                                if (!page) {
 525                                        ret = -E2BIG;
 526                                        goto out;
 527                                }
 528
 529                                if (kmapped_page) {
 530                                        flush_kernel_dcache_page(kmapped_page);
 531                                        kunmap(kmapped_page);
 532                                        put_arg_page(kmapped_page);
 533                                }
 534                                kmapped_page = page;
 535                                kaddr = kmap(kmapped_page);
 536                                kpos = pos & PAGE_MASK;
 537                                flush_arg_page(bprm, kpos, kmapped_page);
 538                        }
 539                        if (copy_from_user(kaddr+offset, str, bytes_to_copy)) {
 540                                ret = -EFAULT;
 541                                goto out;
 542                        }
 543                }
 544        }
 545        ret = 0;
 546out:
 547        if (kmapped_page) {
 548                flush_kernel_dcache_page(kmapped_page);
 549                kunmap(kmapped_page);
 550                put_arg_page(kmapped_page);
 551        }
 552        return ret;
 553}
 554
 555/*
 556 * Like copy_strings, but get argv and its values from kernel memory.
 557 */
 558int copy_strings_kernel(int argc, const char *const *__argv,
 559                        struct linux_binprm *bprm)
 560{
 561        int r;
 562        mm_segment_t oldfs = get_fs();
 563        struct user_arg_ptr argv = {
 564                .ptr.native = (const char __user *const  __user *)__argv,
 565        };
 566
 567        set_fs(KERNEL_DS);
 568        r = copy_strings(argc, argv, bprm);
 569        set_fs(oldfs);
 570
 571        return r;
 572}
 573EXPORT_SYMBOL(copy_strings_kernel);
 574
 575#ifdef CONFIG_MMU
 576
 577/*
 578 * During bprm_mm_init(), we create a temporary stack at STACK_TOP_MAX.  Once
 579 * the binfmt code determines where the new stack should reside, we shift it to
 580 * its final location.  The process proceeds as follows:
 581 *
 582 * 1) Use shift to calculate the new vma endpoints.
 583 * 2) Extend vma to cover both the old and new ranges.  This ensures the
 584 *    arguments passed to subsequent functions are consistent.
 585 * 3) Move vma's page tables to the new range.
 586 * 4) Free up any cleared pgd range.
 587 * 5) Shrink the vma to cover only the new range.
 588 */
 589static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
 590{
 591        struct mm_struct *mm = vma->vm_mm;
 592        unsigned long old_start = vma->vm_start;
 593        unsigned long old_end = vma->vm_end;
 594        unsigned long length = old_end - old_start;
 595        unsigned long new_start = old_start - shift;
 596        unsigned long new_end = old_end - shift;
 597        struct mmu_gather tlb;
 598
 599        BUG_ON(new_start > new_end);
 600
 601        /*
 602         * ensure there are no vmas between where we want to go
 603         * and where we are
 604         */
 605        if (vma != find_vma(mm, new_start))
 606                return -EFAULT;
 607
 608        /*
 609         * cover the whole range: [new_start, old_end)
 610         */
 611        if (vma_adjust(vma, new_start, old_end, vma->vm_pgoff, NULL))
 612                return -ENOMEM;
 613
 614        /*
 615         * move the page tables downwards, on failure we rely on
 616         * process cleanup to remove whatever mess we made.
 617         */
 618        if (length != move_page_tables(vma, old_start,
 619                                       vma, new_start, length))
 620                return -ENOMEM;
 621
 622        lru_add_drain();
 623        tlb_gather_mmu(&tlb, mm, 0);
 624        if (new_end > old_start) {
 625                /*
 626                 * when the old and new regions overlap clear from new_end.
 627                 */
 628                free_pgd_range(&tlb, new_end, old_end, new_end,
 629                        vma->vm_next ? vma->vm_next->vm_start : 0);
 630        } else {
 631                /*
 632                 * otherwise, clean from old_start; this is done to not touch
 633                 * the address space in [new_end, old_start) some architectures
 634                 * have constraints on va-space that make this illegal (IA64) -
 635                 * for the others its just a little faster.
 636                 */
 637                free_pgd_range(&tlb, old_start, old_end, new_end,
 638                        vma->vm_next ? vma->vm_next->vm_start : 0);
 639        }
 640        tlb_finish_mmu(&tlb, new_end, old_end);
 641
 642        /*
 643         * Shrink the vma to just the new range.  Always succeeds.
 644         */
 645        vma_adjust(vma, new_start, new_end, vma->vm_pgoff, NULL);
 646
 647        return 0;
 648}
 649
 650/*
 651 * Finalizes the stack vm_area_struct. The flags and permissions are updated,
 652 * the stack is optionally relocated, and some extra space is added.
 653 */
 654int setup_arg_pages(struct linux_binprm *bprm,
 655                    unsigned long stack_top,
 656                    int executable_stack)
 657{
 658        unsigned long ret;
 659        unsigned long stack_shift;
 660        struct mm_struct *mm = current->mm;
 661        struct vm_area_struct *vma = bprm->vma;
 662        struct vm_area_struct *prev = NULL;
 663        unsigned long vm_flags;
 664        unsigned long stack_base;
 665        unsigned long stack_size;
 666        unsigned long stack_expand;
 667        unsigned long rlim_stack;
 668
 669#ifdef CONFIG_STACK_GROWSUP
 670        /* Limit stack size to 1GB */
 671        stack_base = rlimit_max(RLIMIT_STACK);
 672        if (stack_base > (1 << 30))
 673                stack_base = 1 << 30;
 674
 675        /* Make sure we didn't let the argument array grow too large. */
 676        if (vma->vm_end - vma->vm_start > stack_base)
 677                return -ENOMEM;
 678
 679        stack_base = PAGE_ALIGN(stack_top - stack_base);
 680
 681        stack_shift = vma->vm_start - stack_base;
 682        mm->arg_start = bprm->p - stack_shift;
 683        bprm->p = vma->vm_end - stack_shift;
 684#else
 685        stack_top = arch_align_stack(stack_top);
 686        stack_top = PAGE_ALIGN(stack_top);
 687
 688        if (unlikely(stack_top < mmap_min_addr) ||
 689            unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
 690                return -ENOMEM;
 691
 692        stack_shift = vma->vm_end - stack_top;
 693
 694        bprm->p -= stack_shift;
 695        mm->arg_start = bprm->p;
 696#endif
 697
 698        if (bprm->loader)
 699                bprm->loader -= stack_shift;
 700        bprm->exec -= stack_shift;
 701
 702        down_write(&mm->mmap_sem);
 703        vm_flags = VM_STACK_FLAGS;
 704
 705        /*
 706         * Adjust stack execute permissions; explicitly enable for
 707         * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
 708         * (arch default) otherwise.
 709         */
 710        if (unlikely(executable_stack == EXSTACK_ENABLE_X))
 711                vm_flags |= VM_EXEC;
 712        else if (executable_stack == EXSTACK_DISABLE_X)
 713                vm_flags &= ~VM_EXEC;
 714        vm_flags |= mm->def_flags;
 715        vm_flags |= VM_STACK_INCOMPLETE_SETUP;
 716
 717        ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
 718                        vm_flags);
 719        if (ret)
 720                goto out_unlock;
 721        BUG_ON(prev != vma);
 722
 723        /* Move stack pages down in memory. */
 724        if (stack_shift) {
 725                ret = shift_arg_pages(vma, stack_shift);
 726                if (ret)
 727                        goto out_unlock;
 728        }
 729
 730        /* mprotect_fixup is overkill to remove the temporary stack flags */
 731        vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
 732
 733        stack_expand = 131072UL; /* randomly 32*4k (or 2*64k) pages */
 734        stack_size = vma->vm_end - vma->vm_start;
 735        /*
 736         * Align this down to a page boundary as expand_stack
 737         * will align it up.
 738         */
 739        rlim_stack = rlimit(RLIMIT_STACK) & PAGE_MASK;
 740#ifdef CONFIG_STACK_GROWSUP
 741        if (stack_size + stack_expand > rlim_stack)
 742                stack_base = vma->vm_start + rlim_stack;
 743        else
 744                stack_base = vma->vm_end + stack_expand;
 745#else
 746        if (stack_size + stack_expand > rlim_stack)
 747                stack_base = vma->vm_end - rlim_stack;
 748        else
 749                stack_base = vma->vm_start - stack_expand;
 750#endif
 751        current->mm->start_stack = bprm->p;
 752        ret = expand_stack(vma, stack_base);
 753        if (ret)
 754                ret = -EFAULT;
 755
 756out_unlock:
 757        up_write(&mm->mmap_sem);
 758        return ret;
 759}
 760EXPORT_SYMBOL(setup_arg_pages);
 761
 762#endif /* CONFIG_MMU */
 763
 764struct file *open_exec(const char *name)
 765{
 766        struct file *file;
 767        int err;
 768        static const struct open_flags open_exec_flags = {
 769                .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
 770                .acc_mode = MAY_EXEC | MAY_OPEN,
 771                .intent = LOOKUP_OPEN
 772        };
 773
 774        file = do_filp_open(AT_FDCWD, name, &open_exec_flags, LOOKUP_FOLLOW);
 775        if (IS_ERR(file))
 776                goto out;
 777
 778        err = -EACCES;
 779        if (!S_ISREG(file->f_path.dentry->d_inode->i_mode))
 780                goto exit;
 781
 782        if (file->f_path.mnt->mnt_flags & MNT_NOEXEC)
 783                goto exit;
 784
 785        fsnotify_open(file);
 786
 787        err = deny_write_access(file);
 788        if (err)
 789                goto exit;
 790
 791out:
 792        return file;
 793
 794exit:
 795        fput(file);
 796        return ERR_PTR(err);
 797}
 798EXPORT_SYMBOL(open_exec);
 799
 800int kernel_read(struct file *file, loff_t offset,
 801                char *addr, unsigned long count)
 802{
 803        mm_segment_t old_fs;
 804        loff_t pos = offset;
 805        int result;
 806
 807        old_fs = get_fs();
 808        set_fs(get_ds());
 809        /* The cast to a user pointer is valid due to the set_fs() */
 810        result = vfs_read(file, (void __user *)addr, count, &pos);
 811        set_fs(old_fs);
 812        return result;
 813}
 814
 815EXPORT_SYMBOL(kernel_read);
 816
 817static int exec_mmap(struct mm_struct *mm)
 818{
 819        struct task_struct *tsk;
 820        struct mm_struct * old_mm, *active_mm;
 821
 822        /* Notify parent that we're no longer interested in the old VM */
 823        tsk = current;
 824        old_mm = current->mm;
 825        sync_mm_rss(tsk, old_mm);
 826        mm_release(tsk, old_mm);
 827
 828        if (old_mm) {
 829                /*
 830                 * Make sure that if there is a core dump in progress
 831                 * for the old mm, we get out and die instead of going
 832                 * through with the exec.  We must hold mmap_sem around
 833                 * checking core_state and changing tsk->mm.
 834                 */
 835                down_read(&old_mm->mmap_sem);
 836                if (unlikely(old_mm->core_state)) {
 837                        up_read(&old_mm->mmap_sem);
 838                        return -EINTR;
 839                }
 840        }
 841        task_lock(tsk);
 842        active_mm = tsk->active_mm;
 843        tsk->mm = mm;
 844        tsk->active_mm = mm;
 845        activate_mm(active_mm, mm);
 846        task_unlock(tsk);
 847        arch_pick_mmap_layout(mm);
 848        if (old_mm) {
 849                up_read(&old_mm->mmap_sem);
 850                BUG_ON(active_mm != old_mm);
 851                mm_update_next_owner(old_mm);
 852                mmput(old_mm);
 853                return 0;
 854        }
 855        mmdrop(active_mm);
 856        return 0;
 857}
 858
 859/*
 860 * This function makes sure the current process has its own signal table,
 861 * so that flush_signal_handlers can later reset the handlers without
 862 * disturbing other processes.  (Other processes might share the signal
 863 * table via the CLONE_SIGHAND option to clone().)
 864 */
 865static int de_thread(struct task_struct *tsk)
 866{
 867        struct signal_struct *sig = tsk->signal;
 868        struct sighand_struct *oldsighand = tsk->sighand;
 869        spinlock_t *lock = &oldsighand->siglock;
 870
 871        if (thread_group_empty(tsk))
 872                goto no_thread_group;
 873
 874        /*
 875         * Kill all other threads in the thread group.
 876         */
 877        spin_lock_irq(lock);
 878        if (signal_group_exit(sig)) {
 879                /*
 880                 * Another group action in progress, just
 881                 * return so that the signal is processed.
 882                 */
 883                spin_unlock_irq(lock);
 884                return -EAGAIN;
 885        }
 886
 887        sig->group_exit_task = tsk;
 888        sig->notify_count = zap_other_threads(tsk);
 889        if (!thread_group_leader(tsk))
 890                sig->notify_count--;
 891
 892        while (sig->notify_count) {
 893                __set_current_state(TASK_UNINTERRUPTIBLE);
 894                spin_unlock_irq(lock);
 895                schedule();
 896                spin_lock_irq(lock);
 897        }
 898        spin_unlock_irq(lock);
 899
 900        /*
 901         * At this point all other threads have exited, all we have to
 902         * do is to wait for the thread group leader to become inactive,
 903         * and to assume its PID:
 904         */
 905        if (!thread_group_leader(tsk)) {
 906                struct task_struct *leader = tsk->group_leader;
 907
 908                sig->notify_count = -1; /* for exit_notify() */
 909                for (;;) {
 910                        write_lock_irq(&tasklist_lock);
 911                        if (likely(leader->exit_state))
 912                                break;
 913                        __set_current_state(TASK_UNINTERRUPTIBLE);
 914                        write_unlock_irq(&tasklist_lock);
 915                        schedule();
 916                }
 917
 918                /*
 919                 * The only record we have of the real-time age of a
 920                 * process, regardless of execs it's done, is start_time.
 921                 * All the past CPU time is accumulated in signal_struct
 922                 * from sister threads now dead.  But in this non-leader
 923                 * exec, nothing survives from the original leader thread,
 924                 * whose birth marks the true age of this process now.
 925                 * When we take on its identity by switching to its PID, we
 926                 * also take its birthdate (always earlier than our own).
 927                 */
 928                tsk->start_time = leader->start_time;
 929
 930                BUG_ON(!same_thread_group(leader, tsk));
 931                BUG_ON(has_group_leader_pid(tsk));
 932                /*
 933                 * An exec() starts a new thread group with the
 934                 * TGID of the previous thread group. Rehash the
 935                 * two threads with a switched PID, and release
 936                 * the former thread group leader:
 937                 */
 938
 939                /* Become a process group leader with the old leader's pid.
 940                 * The old leader becomes a thread of the this thread group.
 941                 * Note: The old leader also uses this pid until release_task
 942                 *       is called.  Odd but simple and correct.
 943                 */
 944                detach_pid(tsk, PIDTYPE_PID);
 945                tsk->pid = leader->pid;
 946                attach_pid(tsk, PIDTYPE_PID,  task_pid(leader));
 947                transfer_pid(leader, tsk, PIDTYPE_PGID);
 948                transfer_pid(leader, tsk, PIDTYPE_SID);
 949
 950                list_replace_rcu(&leader->tasks, &tsk->tasks);
 951                list_replace_init(&leader->sibling, &tsk->sibling);
 952
 953                tsk->group_leader = tsk;
 954                leader->group_leader = tsk;
 955
 956                tsk->exit_signal = SIGCHLD;
 957                leader->exit_signal = -1;
 958
 959                BUG_ON(leader->exit_state != EXIT_ZOMBIE);
 960                leader->exit_state = EXIT_DEAD;
 961
 962                /*
 963                 * We are going to release_task()->ptrace_unlink() silently,
 964                 * the tracer can sleep in do_wait(). EXIT_DEAD guarantees
 965                 * the tracer wont't block again waiting for this thread.
 966                 */
 967                if (unlikely(leader->ptrace))
 968                        __wake_up_parent(leader, leader->parent);
 969                write_unlock_irq(&tasklist_lock);
 970
 971                release_task(leader);
 972        }
 973
 974        sig->group_exit_task = NULL;
 975        sig->notify_count = 0;
 976
 977no_thread_group:
 978        if (current->mm)
 979                setmax_mm_hiwater_rss(&sig->maxrss, current->mm);
 980
 981        exit_itimers(sig);
 982        flush_itimer_signals();
 983
 984        if (atomic_read(&oldsighand->count) != 1) {
 985                struct sighand_struct *newsighand;
 986                /*
 987                 * This ->sighand is shared with the CLONE_SIGHAND
 988                 * but not CLONE_THREAD task, switch to the new one.
 989                 */
 990                newsighand = kmem_cache_alloc(sighand_cachep, GFP_KERNEL);
 991                if (!newsighand)
 992                        return -ENOMEM;
 993
 994                atomic_set(&newsighand->count, 1);
 995                memcpy(newsighand->action, oldsighand->action,
 996                       sizeof(newsighand->action));
 997
 998                write_lock_irq(&tasklist_lock);
 999                spin_lock(&oldsighand->siglock);
1000                rcu_assign_pointer(tsk->sighand, newsighand);
1001                spin_unlock(&oldsighand->siglock);
1002                write_unlock_irq(&tasklist_lock);
1003
1004                __cleanup_sighand(oldsighand);
1005        }
1006
1007        BUG_ON(!thread_group_leader(tsk));
1008        return 0;
1009}
1010
1011/*
1012 * These functions flushes out all traces of the currently running executable
1013 * so that a new one can be started
1014 */
1015static void flush_old_files(struct files_struct * files)
1016{
1017        long j = -1;
1018        struct fdtable *fdt;
1019
1020        spin_lock(&files->file_lock);
1021        for (;;) {
1022                unsigned long set, i;
1023
1024                j++;
1025                i = j * __NFDBITS;
1026                fdt = files_fdtable(files);
1027                if (i >= fdt->max_fds)
1028                        break;
1029                set = fdt->close_on_exec->fds_bits[j];
1030                if (!set)
1031                        continue;
1032                fdt->close_on_exec->fds_bits[j] = 0;
1033                spin_unlock(&files->file_lock);
1034                for ( ; set ; i++,set >>= 1) {
1035                        if (set & 1) {
1036                                sys_close(i);
1037                        }
1038                }
1039                spin_lock(&files->file_lock);
1040
1041        }
1042        spin_unlock(&files->file_lock);
1043}
1044
1045char *get_task_comm(char *buf, struct task_struct *tsk)
1046{
1047        /* buf must be at least sizeof(tsk->comm) in size */
1048        task_lock(tsk);
1049        strncpy(buf, tsk->comm, sizeof(tsk->comm));
1050        task_unlock(tsk);
1051        return buf;
1052}
1053EXPORT_SYMBOL_GPL(get_task_comm);
1054
1055void set_task_comm(struct task_struct *tsk, char *buf)
1056{
1057        task_lock(tsk);
1058
1059        trace_task_rename(tsk, buf);
1060
1061        /*
1062         * Threads may access current->comm without holding
1063         * the task lock, so write the string carefully.
1064         * Readers without a lock may see incomplete new
1065         * names but are safe from non-terminating string reads.
1066         */
1067        memset(tsk->comm, 0, TASK_COMM_LEN);
1068        wmb();
1069        strlcpy(tsk->comm, buf, sizeof(tsk->comm));
1070        task_unlock(tsk);
1071        perf_event_comm(tsk);
1072}
1073
1074static void filename_to_taskname(char *tcomm, const char *fn, unsigned int len)
1075{
1076        int i, ch;
1077
1078        /* Copies the binary name from after last slash */
1079        for (i = 0; (ch = *(fn++)) != '\0';) {
1080                if (ch == '/')
1081                        i = 0; /* overwrite what we wrote */
1082                else
1083                        if (i < len - 1)
1084                                tcomm[i++] = ch;
1085        }
1086        tcomm[i] = '\0';
1087}
1088
1089int flush_old_exec(struct linux_binprm * bprm)
1090{
1091        int retval;
1092
1093        /*
1094         * Make sure we have a private signal table and that
1095         * we are unassociated from the previous thread group.
1096         */
1097        retval = de_thread(current);
1098        if (retval)
1099                goto out;
1100
1101        set_mm_exe_file(bprm->mm, bprm->file);
1102
1103        filename_to_taskname(bprm->tcomm, bprm->filename, sizeof(bprm->tcomm));
1104        /*
1105         * Release all of the old mmap stuff
1106         */
1107        acct_arg_size(bprm, 0);
1108        retval = exec_mmap(bprm->mm);
1109        if (retval)
1110                goto out;
1111
1112        bprm->mm = NULL;                /* We're using it now */
1113
1114        set_fs(USER_DS);
1115        current->flags &= ~(PF_RANDOMIZE | PF_KTHREAD);
1116        flush_thread();
1117        current->personality &= ~bprm->per_clear;
1118
1119        return 0;
1120
1121out:
1122        return retval;
1123}
1124EXPORT_SYMBOL(flush_old_exec);
1125
1126void would_dump(struct linux_binprm *bprm, struct file *file)
1127{
1128        if (inode_permission(file->f_path.dentry->d_inode, MAY_READ) < 0)
1129                bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
1130}
1131EXPORT_SYMBOL(would_dump);
1132
1133void setup_new_exec(struct linux_binprm * bprm)
1134{
1135        arch_pick_mmap_layout(current->mm);
1136
1137        /* This is the point of no return */
1138        current->sas_ss_sp = current->sas_ss_size = 0;
1139
1140        if (current_euid() == current_uid() && current_egid() == current_gid())
1141                set_dumpable(current->mm, 1);
1142        else
1143                set_dumpable(current->mm, suid_dumpable);
1144
1145        set_task_comm(current, bprm->tcomm);
1146
1147        /* Set the new mm task size. We have to do that late because it may
1148         * depend on TIF_32BIT which is only updated in flush_thread() on
1149         * some architectures like powerpc
1150         */
1151        current->mm->task_size = TASK_SIZE;
1152
1153        /* install the new credentials */
1154        if (bprm->cred->uid != current_euid() ||
1155            bprm->cred->gid != current_egid()) {
1156                current->pdeath_signal = 0;
1157        } else {
1158                would_dump(bprm, bprm->file);
1159                if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)
1160                        set_dumpable(current->mm, suid_dumpable);
1161        }
1162
1163        /*
1164         * Flush performance counters when crossing a
1165         * security domain:
1166         */
1167        if (!get_dumpable(current->mm))
1168                perf_event_exit_task(current);
1169
1170        /* An exec changes our domain. We are no longer part of the thread
1171           group */
1172
1173        current->self_exec_id++;
1174                        
1175        flush_signal_handlers(current, 0);
1176        flush_old_files(current->files);
1177}
1178EXPORT_SYMBOL(setup_new_exec);
1179
1180/*
1181 * Prepare credentials and lock ->cred_guard_mutex.
1182 * install_exec_creds() commits the new creds and drops the lock.
1183 * Or, if exec fails before, free_bprm() should release ->cred and
1184 * and unlock.
1185 */
1186int prepare_bprm_creds(struct linux_binprm *bprm)
1187{
1188        if (mutex_lock_interruptible(&current->signal->cred_guard_mutex))
1189                return -ERESTARTNOINTR;
1190
1191        bprm->cred = prepare_exec_creds();
1192        if (likely(bprm->cred))
1193                return 0;
1194
1195        mutex_unlock(&current->signal->cred_guard_mutex);
1196        return -ENOMEM;
1197}
1198
1199void free_bprm(struct linux_binprm *bprm)
1200{
1201        free_arg_pages(bprm);
1202        if (bprm->cred) {
1203                mutex_unlock(&current->signal->cred_guard_mutex);
1204                abort_creds(bprm->cred);
1205        }
1206        kfree(bprm);
1207}
1208
1209/*
1210 * install the new credentials for this executable
1211 */
1212void install_exec_creds(struct linux_binprm *bprm)
1213{
1214        security_bprm_committing_creds(bprm);
1215
1216        commit_creds(bprm->cred);
1217        bprm->cred = NULL;
1218        /*
1219         * cred_guard_mutex must be held at least to this point to prevent
1220         * ptrace_attach() from altering our determination of the task's
1221         * credentials; any time after this it may be unlocked.
1222         */
1223        security_bprm_committed_creds(bprm);
1224        mutex_unlock(&current->signal->cred_guard_mutex);
1225}
1226EXPORT_SYMBOL(install_exec_creds);
1227
1228/*
1229 * determine how safe it is to execute the proposed program
1230 * - the caller must hold ->cred_guard_mutex to protect against
1231 *   PTRACE_ATTACH
1232 */
1233static int check_unsafe_exec(struct linux_binprm *bprm)
1234{
1235        struct task_struct *p = current, *t;
1236        unsigned n_fs;
1237        int res = 0;
1238
1239        if (p->ptrace) {
1240                if (p->ptrace & PT_PTRACE_CAP)
1241                        bprm->unsafe |= LSM_UNSAFE_PTRACE_CAP;
1242                else
1243                        bprm->unsafe |= LSM_UNSAFE_PTRACE;
1244        }
1245
1246        n_fs = 1;
1247        spin_lock(&p->fs->lock);
1248        rcu_read_lock();
1249        for (t = next_thread(p); t != p; t = next_thread(t)) {
1250                if (t->fs == p->fs)
1251                        n_fs++;
1252        }
1253        rcu_read_unlock();
1254
1255        if (p->fs->users > n_fs) {
1256                bprm->unsafe |= LSM_UNSAFE_SHARE;
1257        } else {
1258                res = -EAGAIN;
1259                if (!p->fs->in_exec) {
1260                        p->fs->in_exec = 1;
1261                        res = 1;
1262                }
1263        }
1264        spin_unlock(&p->fs->lock);
1265
1266        return res;
1267}
1268
1269/* 
1270 * Fill the binprm structure from the inode. 
1271 * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
1272 *
1273 * This may be called multiple times for binary chains (scripts for example).
1274 */
1275int prepare_binprm(struct linux_binprm *bprm)
1276{
1277        umode_t mode;
1278        struct inode * inode = bprm->file->f_path.dentry->d_inode;
1279        int retval;
1280
1281        mode = inode->i_mode;
1282        if (bprm->file->f_op == NULL)
1283                return -EACCES;
1284
1285        /* clear any previous set[ug]id data from a previous binary */
1286        bprm->cred->euid = current_euid();
1287        bprm->cred->egid = current_egid();
1288
1289        if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
1290                /* Set-uid? */
1291                if (mode & S_ISUID) {
1292                        bprm->per_clear |= PER_CLEAR_ON_SETID;
1293                        bprm->cred->euid = inode->i_uid;
1294                }
1295
1296                /* Set-gid? */
1297                /*
1298                 * If setgid is set but no group execute bit then this
1299                 * is a candidate for mandatory locking, not a setgid
1300                 * executable.
1301                 */
1302                if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
1303                        bprm->per_clear |= PER_CLEAR_ON_SETID;
1304                        bprm->cred->egid = inode->i_gid;
1305                }
1306        }
1307
1308        /* fill in binprm security blob */
1309        retval = security_bprm_set_creds(bprm);
1310        if (retval)
1311                return retval;
1312        bprm->cred_prepared = 1;
1313
1314        memset(bprm->buf, 0, BINPRM_BUF_SIZE);
1315        return kernel_read(bprm->file, 0, bprm->buf, BINPRM_BUF_SIZE);
1316}
1317
1318EXPORT_SYMBOL(prepare_binprm);
1319
1320/*
1321 * Arguments are '\0' separated strings found at the location bprm->p
1322 * points to; chop off the first by relocating brpm->p to right after
1323 * the first '\0' encountered.
1324 */
1325int remove_arg_zero(struct linux_binprm *bprm)
1326{
1327        int ret = 0;
1328        unsigned long offset;
1329        char *kaddr;
1330        struct page *page;
1331
1332        if (!bprm->argc)
1333                return 0;
1334
1335        do {
1336                offset = bprm->p & ~PAGE_MASK;
1337                page = get_arg_page(bprm, bprm->p, 0);
1338                if (!page) {
1339                        ret = -EFAULT;
1340                        goto out;
1341                }
1342                kaddr = kmap_atomic(page, KM_USER0);
1343
1344                for (; offset < PAGE_SIZE && kaddr[offset];
1345                                offset++, bprm->p++)
1346                        ;
1347
1348                kunmap_atomic(kaddr, KM_USER0);
1349                put_arg_page(page);
1350
1351                if (offset == PAGE_SIZE)
1352                        free_arg_page(bprm, (bprm->p >> PAGE_SHIFT) - 1);
1353        } while (offset == PAGE_SIZE);
1354
1355        bprm->p++;
1356        bprm->argc--;
1357        ret = 0;
1358
1359out:
1360        return ret;
1361}
1362EXPORT_SYMBOL(remove_arg_zero);
1363
1364/*
1365 * cycle the list of binary formats handler, until one recognizes the image
1366 */
1367int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
1368{
1369        unsigned int depth = bprm->recursion_depth;
1370        int try,retval;
1371        struct linux_binfmt *fmt;
1372        pid_t old_pid;
1373
1374        retval = security_bprm_check(bprm);
1375        if (retval)
1376                return retval;
1377
1378        retval = audit_bprm(bprm);
1379        if (retval)
1380                return retval;
1381
1382        /* Need to fetch pid before load_binary changes it */
1383        rcu_read_lock();
1384        old_pid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
1385        rcu_read_unlock();
1386
1387        retval = -ENOENT;
1388        for (try=0; try<2; try++) {
1389                read_lock(&binfmt_lock);
1390                list_for_each_entry(fmt, &formats, lh) {
1391                        int (*fn)(struct linux_binprm *, struct pt_regs *) = fmt->load_binary;
1392                        if (!fn)
1393                                continue;
1394                        if (!try_module_get(fmt->module))
1395                                continue;
1396                        read_unlock(&binfmt_lock);
1397                        retval = fn(bprm, regs);
1398                        /*
1399                         * Restore the depth counter to its starting value
1400                         * in this call, so we don't have to rely on every
1401                         * load_binary function to restore it on return.
1402                         */
1403                        bprm->recursion_depth = depth;
1404                        if (retval >= 0) {
1405                                if (depth == 0)
1406                                        ptrace_event(PTRACE_EVENT_EXEC,
1407                                                        old_pid);
1408                                put_binfmt(fmt);
1409                                allow_write_access(bprm->file);
1410                                if (bprm->file)
1411                                        fput(bprm->file);
1412                                bprm->file = NULL;
1413                                current->did_exec = 1;
1414                                proc_exec_connector(current);
1415                                return retval;
1416                        }
1417                        read_lock(&binfmt_lock);
1418                        put_binfmt(fmt);
1419                        if (retval != -ENOEXEC || bprm->mm == NULL)
1420                                break;
1421                        if (!bprm->file) {
1422                                read_unlock(&binfmt_lock);
1423                                return retval;
1424                        }
1425                }
1426                read_unlock(&binfmt_lock);
1427#ifdef CONFIG_MODULES
1428                if (retval != -ENOEXEC || bprm->mm == NULL) {
1429                        break;
1430                } else {
1431#define printable(c) (((c)=='\t') || ((c)=='\n') || (0x20<=(c) && (c)<=0x7e))
1432                        if (printable(bprm->buf[0]) &&
1433                            printable(bprm->buf[1]) &&
1434                            printable(bprm->buf[2]) &&
1435                            printable(bprm->buf[3]))
1436                                break; /* -ENOEXEC */
1437                        if (try)
1438                                break; /* -ENOEXEC */
1439                        request_module("binfmt-%04x", *(unsigned short *)(&bprm->buf[2]));
1440                }
1441#else
1442                break;
1443#endif
1444        }
1445        return retval;
1446}
1447
1448EXPORT_SYMBOL(search_binary_handler);
1449
1450/*
1451 * sys_execve() executes a new program.
1452 */
1453static int do_execve_common(const char *filename,
1454                                struct user_arg_ptr argv,
1455                                struct user_arg_ptr envp,
1456                                struct pt_regs *regs)
1457{
1458        struct linux_binprm *bprm;
1459        struct file *file;
1460        struct files_struct *displaced;
1461        bool clear_in_exec;
1462        int retval;
1463        const struct cred *cred = current_cred();
1464
1465        /*
1466         * We move the actual failure in case of RLIMIT_NPROC excess from
1467         * set*uid() to execve() because too many poorly written programs
1468         * don't check setuid() return code.  Here we additionally recheck
1469         * whether NPROC limit is still exceeded.
1470         */
1471        if ((current->flags & PF_NPROC_EXCEEDED) &&
1472            atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) {
1473                retval = -EAGAIN;
1474                goto out_ret;
1475        }
1476
1477        /* We're below the limit (still or again), so we don't want to make
1478         * further execve() calls fail. */
1479        current->flags &= ~PF_NPROC_EXCEEDED;
1480
1481        retval = unshare_files(&displaced);
1482        if (retval)
1483                goto out_ret;
1484
1485        retval = -ENOMEM;
1486        bprm = kzalloc(sizeof(*bprm), GFP_KERNEL);
1487        if (!bprm)
1488                goto out_files;
1489
1490        retval = prepare_bprm_creds(bprm);
1491        if (retval)
1492                goto out_free;
1493
1494        retval = check_unsafe_exec(bprm);
1495        if (retval < 0)
1496                goto out_free;
1497        clear_in_exec = retval;
1498        current->in_execve = 1;
1499
1500        file = open_exec(filename);
1501        retval = PTR_ERR(file);
1502        if (IS_ERR(file))
1503                goto out_unmark;
1504
1505        sched_exec();
1506
1507        bprm->file = file;
1508        bprm->filename = filename;
1509        bprm->interp = filename;
1510
1511        retval = bprm_mm_init(bprm);
1512        if (retval)
1513                goto out_file;
1514
1515        bprm->argc = count(argv, MAX_ARG_STRINGS);
1516        if ((retval = bprm->argc) < 0)
1517                goto out;
1518
1519        bprm->envc = count(envp, MAX_ARG_STRINGS);
1520        if ((retval = bprm->envc) < 0)
1521                goto out;
1522
1523        retval = prepare_binprm(bprm);
1524        if (retval < 0)
1525                goto out;
1526
1527        retval = copy_strings_kernel(1, &bprm->filename, bprm);
1528        if (retval < 0)
1529                goto out;
1530
1531        bprm->exec = bprm->p;
1532        retval = copy_strings(bprm->envc, envp, bprm);
1533        if (retval < 0)
1534                goto out;
1535
1536        retval = copy_strings(bprm->argc, argv, bprm);
1537        if (retval < 0)
1538                goto out;
1539
1540        retval = search_binary_handler(bprm,regs);
1541        if (retval < 0)
1542                goto out;
1543
1544        /* execve succeeded */
1545        current->fs->in_exec = 0;
1546        current->in_execve = 0;
1547        acct_update_integrals(current);
1548        free_bprm(bprm);
1549        if (displaced)
1550                put_files_struct(displaced);
1551        return retval;
1552
1553out:
1554        if (bprm->mm) {
1555                acct_arg_size(bprm, 0);
1556                mmput(bprm->mm);
1557        }
1558
1559out_file:
1560        if (bprm->file) {
1561                allow_write_access(bprm->file);
1562                fput(bprm->file);
1563        }
1564
1565out_unmark:
1566        if (clear_in_exec)
1567                current->fs->in_exec = 0;
1568        current->in_execve = 0;
1569
1570out_free:
1571        free_bprm(bprm);
1572
1573out_files:
1574        if (displaced)
1575                reset_files_struct(displaced);
1576out_ret:
1577        return retval;
1578}
1579
1580int do_execve(const char *filename,
1581        const char __user *const __user *__argv,
1582        const char __user *const __user *__envp,
1583        struct pt_regs *regs)
1584{
1585        struct user_arg_ptr argv = { .ptr.native = __argv };
1586        struct user_arg_ptr envp = { .ptr.native = __envp };
1587        return do_execve_common(filename, argv, envp, regs);
1588}
1589
1590#ifdef CONFIG_COMPAT
1591int compat_do_execve(char *filename,
1592        compat_uptr_t __user *__argv,
1593        compat_uptr_t __user *__envp,
1594        struct pt_regs *regs)
1595{
1596        struct user_arg_ptr argv = {
1597                .is_compat = true,
1598                .ptr.compat = __argv,
1599        };
1600        struct user_arg_ptr envp = {
1601                .is_compat = true,
1602                .ptr.compat = __envp,
1603        };
1604        return do_execve_common(filename, argv, envp, regs);
1605}
1606#endif
1607
1608void set_binfmt(struct linux_binfmt *new)
1609{
1610        struct mm_struct *mm = current->mm;
1611
1612        if (mm->binfmt)
1613                module_put(mm->binfmt->module);
1614
1615        mm->binfmt = new;
1616        if (new)
1617                __module_get(new->module);
1618}
1619
1620EXPORT_SYMBOL(set_binfmt);
1621
1622static int expand_corename(struct core_name *cn)
1623{
1624        char *old_corename = cn->corename;
1625
1626        cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
1627        cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
1628
1629        if (!cn->corename) {
1630                kfree(old_corename);
1631                return -ENOMEM;
1632        }
1633
1634        return 0;
1635}
1636
1637static int cn_printf(struct core_name *cn, const char *fmt, ...)
1638{
1639        char *cur;
1640        int need;
1641        int ret;
1642        va_list arg;
1643
1644        va_start(arg, fmt);
1645        need = vsnprintf(NULL, 0, fmt, arg);
1646        va_end(arg);
1647
1648        if (likely(need < cn->size - cn->used - 1))
1649                goto out_printf;
1650
1651        ret = expand_corename(cn);
1652        if (ret)
1653                goto expand_fail;
1654
1655out_printf:
1656        cur = cn->corename + cn->used;
1657        va_start(arg, fmt);
1658        vsnprintf(cur, need + 1, fmt, arg);
1659        va_end(arg);
1660        cn->used += need;
1661        return 0;
1662
1663expand_fail:
1664        return ret;
1665}
1666
1667static void cn_escape(char *str)
1668{
1669        for (; *str; str++)
1670                if (*str == '/')
1671                        *str = '!';
1672}
1673
1674static int cn_print_exe_file(struct core_name *cn)
1675{
1676        struct file *exe_file;
1677        char *pathbuf, *path;
1678        int ret;
1679
1680        exe_file = get_mm_exe_file(current->mm);
1681        if (!exe_file) {
1682                char *commstart = cn->corename + cn->used;
1683                ret = cn_printf(cn, "%s (path unknown)", current->comm);
1684                cn_escape(commstart);
1685                return ret;
1686        }
1687
1688        pathbuf = kmalloc(PATH_MAX, GFP_TEMPORARY);
1689        if (!pathbuf) {
1690                ret = -ENOMEM;
1691                goto put_exe_file;
1692        }
1693
1694        path = d_path(&exe_file->f_path, pathbuf, PATH_MAX);
1695        if (IS_ERR(path)) {
1696                ret = PTR_ERR(path);
1697                goto free_buf;
1698        }
1699
1700        cn_escape(path);
1701
1702        ret = cn_printf(cn, "%s", path);
1703
1704free_buf:
1705        kfree(pathbuf);
1706put_exe_file:
1707        fput(exe_file);
1708        return ret;
1709}
1710
1711/* format_corename will inspect the pattern parameter, and output a
1712 * name into corename, which must have space for at least
1713 * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator.
1714 */
1715static int format_corename(struct core_name *cn, long signr)
1716{
1717        const struct cred *cred = current_cred();
1718        const char *pat_ptr = core_pattern;
1719        int ispipe = (*pat_ptr == '|');
1720        int pid_in_pattern = 0;
1721        int err = 0;
1722
1723        cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
1724        cn->corename = kmalloc(cn->size, GFP_KERNEL);
1725        cn->used = 0;
1726
1727        if (!cn->corename)
1728                return -ENOMEM;
1729
1730        /* Repeat as long as we have more pattern to process and more output
1731           space */
1732        while (*pat_ptr) {
1733                if (*pat_ptr != '%') {
1734                        if (*pat_ptr == 0)
1735                                goto out;
1736                        err = cn_printf(cn, "%c", *pat_ptr++);
1737                } else {
1738                        switch (*++pat_ptr) {
1739                        /* single % at the end, drop that */
1740                        case 0:
1741                                goto out;
1742                        /* Double percent, output one percent */
1743                        case '%':
1744                                err = cn_printf(cn, "%c", '%');
1745                                break;
1746                        /* pid */
1747                        case 'p':
1748                                pid_in_pattern = 1;
1749                                err = cn_printf(cn, "%d",
1750                                              task_tgid_vnr(current));
1751                                break;
1752                        /* uid */
1753                        case 'u':
1754                                err = cn_printf(cn, "%d", cred->uid);
1755                                break;
1756                        /* gid */
1757                        case 'g':
1758                                err = cn_printf(cn, "%d", cred->gid);
1759                                break;
1760                        /* signal that caused the coredump */
1761                        case 's':
1762                                err = cn_printf(cn, "%ld", signr);
1763                                break;
1764                        /* UNIX time of coredump */
1765                        case 't': {
1766                                struct timeval tv;
1767                                do_gettimeofday(&tv);
1768                                err = cn_printf(cn, "%lu", tv.tv_sec);
1769                                break;
1770                        }
1771                        /* hostname */
1772                        case 'h': {
1773                                char *namestart = cn->corename + cn->used;
1774                                down_read(&uts_sem);
1775                                err = cn_printf(cn, "%s",
1776                                              utsname()->nodename);
1777                                up_read(&uts_sem);
1778                                cn_escape(namestart);
1779                                break;
1780                        }
1781                        /* executable */
1782                        case 'e': {
1783                                char *commstart = cn->corename + cn->used;
1784                                err = cn_printf(cn, "%s", current->comm);
1785                                cn_escape(commstart);
1786                                break;
1787                        }
1788                        case 'E':
1789                                err = cn_print_exe_file(cn);
1790                                break;
1791                        /* core limit size */
1792                        case 'c':
1793                                err = cn_printf(cn, "%lu",
1794                                              rlimit(RLIMIT_CORE));
1795                                break;
1796                        default:
1797                                break;
1798                        }
1799                        ++pat_ptr;
1800                }
1801
1802                if (err)
1803                        return err;
1804        }
1805
1806        /* Backward compatibility with core_uses_pid:
1807         *
1808         * If core_pattern does not include a %p (as is the default)
1809         * and core_uses_pid is set, then .%pid will be appended to
1810         * the filename. Do not do this for piped commands. */
1811        if (!ispipe && !pid_in_pattern && core_uses_pid) {
1812                err = cn_printf(cn, ".%d", task_tgid_vnr(current));
1813                if (err)
1814                        return err;
1815        }
1816out:
1817        return ispipe;
1818}
1819
1820static int zap_process(struct task_struct *start, int exit_code)
1821{
1822        struct task_struct *t;
1823        int nr = 0;
1824
1825        start->signal->flags = SIGNAL_GROUP_EXIT;
1826        start->signal->group_exit_code = exit_code;
1827        start->signal->group_stop_count = 0;
1828
1829        t = start;
1830        do {
1831                task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
1832                if (t != current && t->mm) {
1833                        sigaddset(&t->pending.signal, SIGKILL);
1834                        signal_wake_up(t, 1);
1835                        nr++;
1836                }
1837        } while_each_thread(start, t);
1838
1839        return nr;
1840}
1841
1842static inline int zap_threads(struct task_struct *tsk, struct mm_struct *mm,
1843                                struct core_state *core_state, int exit_code)
1844{
1845        struct task_struct *g, *p;
1846        unsigned long flags;
1847        int nr = -EAGAIN;
1848
1849        spin_lock_irq(&tsk->sighand->siglock);
1850        if (!signal_group_exit(tsk->signal)) {
1851                mm->core_state = core_state;
1852                nr = zap_process(tsk, exit_code);
1853        }
1854        spin_unlock_irq(&tsk->sighand->siglock);
1855        if (unlikely(nr < 0))
1856                return nr;
1857
1858        if (atomic_read(&mm->mm_users) == nr + 1)
1859                goto done;
1860        /*
1861         * We should find and kill all tasks which use this mm, and we should
1862         * count them correctly into ->nr_threads. We don't take tasklist
1863         * lock, but this is safe wrt:
1864         *
1865         * fork:
1866         *      None of sub-threads can fork after zap_process(leader). All
1867         *      processes which were created before this point should be
1868         *      visible to zap_threads() because copy_process() adds the new
1869         *      process to the tail of init_task.tasks list, and lock/unlock
1870         *      of ->siglock provides a memory barrier.
1871         *
1872         * do_exit:
1873         *      The caller holds mm->mmap_sem. This means that the task which
1874         *      uses this mm can't pass exit_mm(), so it can't exit or clear
1875         *      its ->mm.
1876         *
1877         * de_thread:
1878         *      It does list_replace_rcu(&leader->tasks, &current->tasks),
1879         *      we must see either old or new leader, this does not matter.
1880         *      However, it can change p->sighand, so lock_task_sighand(p)
1881         *      must be used. Since p->mm != NULL and we hold ->mmap_sem
1882         *      it can't fail.
1883         *
1884         *      Note also that "g" can be the old leader with ->mm == NULL
1885         *      and already unhashed and thus removed from ->thread_group.
1886         *      This is OK, __unhash_process()->list_del_rcu() does not
1887         *      clear the ->next pointer, we will find the new leader via
1888         *      next_thread().
1889         */
1890        rcu_read_lock();
1891        for_each_process(g) {
1892                if (g == tsk->group_leader)
1893                        continue;
1894                if (g->flags & PF_KTHREAD)
1895                        continue;
1896                p = g;
1897                do {
1898                        if (p->mm) {
1899                                if (unlikely(p->mm == mm)) {
1900                                        lock_task_sighand(p, &flags);
1901                                        nr += zap_process(p, exit_code);
1902                                        unlock_task_sighand(p, &flags);
1903                                }
1904                                break;
1905                        }
1906                } while_each_thread(g, p);
1907        }
1908        rcu_read_unlock();
1909done:
1910        atomic_set(&core_state->nr_threads, nr);
1911        return nr;
1912}
1913
1914static int coredump_wait(int exit_code, struct core_state *core_state)
1915{
1916        struct task_struct *tsk = current;
1917        struct mm_struct *mm = tsk->mm;
1918        int core_waiters = -EBUSY;
1919
1920        init_completion(&core_state->startup);
1921        core_state->dumper.task = tsk;
1922        core_state->dumper.next = NULL;
1923
1924        down_write(&mm->mmap_sem);
1925        if (!mm->core_state)
1926                core_waiters = zap_threads(tsk, mm, core_state, exit_code);
1927        up_write(&mm->mmap_sem);
1928
1929        if (core_waiters > 0)
1930                wait_for_completion(&core_state->startup);
1931
1932        return core_waiters;
1933}
1934
1935static void coredump_finish(struct mm_struct *mm)
1936{
1937        struct core_thread *curr, *next;
1938        struct task_struct *task;
1939
1940        next = mm->core_state->dumper.next;
1941        while ((curr = next) != NULL) {
1942                next = curr->next;
1943                task = curr->task;
1944                /*
1945                 * see exit_mm(), curr->task must not see
1946                 * ->task == NULL before we read ->next.
1947                 */
1948                smp_mb();
1949                curr->task = NULL;
1950                wake_up_process(task);
1951        }
1952
1953        mm->core_state = NULL;
1954}
1955
1956/*
1957 * set_dumpable converts traditional three-value dumpable to two flags and
1958 * stores them into mm->flags.  It modifies lower two bits of mm->flags, but
1959 * these bits are not changed atomically.  So get_dumpable can observe the
1960 * intermediate state.  To avoid doing unexpected behavior, get get_dumpable
1961 * return either old dumpable or new one by paying attention to the order of
1962 * modifying the bits.
1963 *
1964 * dumpable |   mm->flags (binary)
1965 * old  new | initial interim  final
1966 * ---------+-----------------------
1967 *  0    1  |   00      01      01
1968 *  0    2  |   00      10(*)   11
1969 *  1    0  |   01      00      00
1970 *  1    2  |   01      11      11
1971 *  2    0  |   11      10(*)   00
1972 *  2    1  |   11      11      01
1973 *
1974 * (*) get_dumpable regards interim value of 10 as 11.
1975 */
1976void set_dumpable(struct mm_struct *mm, int value)
1977{
1978        switch (value) {
1979        case 0:
1980                clear_bit(MMF_DUMPABLE, &mm->flags);
1981                smp_wmb();
1982                clear_bit(MMF_DUMP_SECURELY, &mm->flags);
1983                break;
1984        case 1:
1985                set_bit(MMF_DUMPABLE, &mm->flags);
1986                smp_wmb();
1987                clear_bit(MMF_DUMP_SECURELY, &mm->flags);
1988                break;
1989        case 2:
1990                set_bit(MMF_DUMP_SECURELY, &mm->flags);
1991                smp_wmb();
1992                set_bit(MMF_DUMPABLE, &mm->flags);
1993                break;
1994        }
1995}
1996
1997static int __get_dumpable(unsigned long mm_flags)
1998{
1999        int ret;
2000
2001        ret = mm_flags & MMF_DUMPABLE_MASK;
2002        return (ret >= 2) ? 2 : ret;
2003}
2004
2005int get_dumpable(struct mm_struct *mm)
2006{
2007        return __get_dumpable(mm->flags);
2008}
2009
2010static void wait_for_dump_helpers(struct file *file)
2011{
2012        struct pipe_inode_info *pipe;
2013
2014        pipe = file->f_path.dentry->d_inode->i_pipe;
2015
2016        pipe_lock(pipe);
2017        pipe->readers++;
2018        pipe->writers--;
2019
2020        while ((pipe->readers > 1) && (!signal_pending(current))) {
2021                wake_up_interruptible_sync(&pipe->wait);
2022                kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
2023                pipe_wait(pipe);
2024        }
2025
2026        pipe->readers--;
2027        pipe->writers++;
2028        pipe_unlock(pipe);
2029
2030}
2031
2032
2033/*
2034 * umh_pipe_setup
2035 * helper function to customize the process used
2036 * to collect the core in userspace.  Specifically
2037 * it sets up a pipe and installs it as fd 0 (stdin)
2038 * for the process.  Returns 0 on success, or
2039 * PTR_ERR on failure.
2040 * Note that it also sets the core limit to 1.  This
2041 * is a special value that we use to trap recursive
2042 * core dumps
2043 */
2044static int umh_pipe_setup(struct subprocess_info *info, struct cred *new)
2045{
2046        struct file *rp, *wp;
2047        struct fdtable *fdt;
2048        struct coredump_params *cp = (struct coredump_params *)info->data;
2049        struct files_struct *cf = current->files;
2050
2051        wp = create_write_pipe(0);
2052        if (IS_ERR(wp))
2053                return PTR_ERR(wp);
2054
2055        rp = create_read_pipe(wp, 0);
2056        if (IS_ERR(rp)) {
2057                free_write_pipe(wp);
2058                return PTR_ERR(rp);
2059        }
2060
2061        cp->file = wp;
2062
2063        sys_close(0);
2064        fd_install(0, rp);
2065        spin_lock(&cf->file_lock);
2066        fdt = files_fdtable(cf);
2067        FD_SET(0, fdt->open_fds);
2068        FD_CLR(0, fdt->close_on_exec);
2069        spin_unlock(&cf->file_lock);
2070
2071        /* and disallow core files too */
2072        current->signal->rlim[RLIMIT_CORE] = (struct rlimit){1, 1};
2073
2074        return 0;
2075}
2076
2077void do_coredump(long signr, int exit_code, struct pt_regs *regs)
2078{
2079        struct core_state core_state;
2080        struct core_name cn;
2081        struct mm_struct *mm = current->mm;
2082        struct linux_binfmt * binfmt;
2083        const struct cred *old_cred;
2084        struct cred *cred;
2085        int retval = 0;
2086        int flag = 0;
2087        int ispipe;
2088        static atomic_t core_dump_count = ATOMIC_INIT(0);
2089        struct coredump_params cprm = {
2090                .signr = signr,
2091                .regs = regs,
2092                .limit = rlimit(RLIMIT_CORE),
2093                /*
2094                 * We must use the same mm->flags while dumping core to avoid
2095                 * inconsistency of bit flags, since this flag is not protected
2096                 * by any locks.
2097                 */
2098                .mm_flags = mm->flags,
2099        };
2100
2101        audit_core_dumps(signr);
2102
2103        binfmt = mm->binfmt;
2104        if (!binfmt || !binfmt->core_dump)
2105                goto fail;
2106        if (!__get_dumpable(cprm.mm_flags))
2107                goto fail;
2108
2109        cred = prepare_creds();
2110        if (!cred)
2111                goto fail;
2112        /*
2113         *      We cannot trust fsuid as being the "true" uid of the
2114         *      process nor do we know its entire history. We only know it
2115         *      was tainted so we dump it as root in mode 2.
2116         */
2117        if (__get_dumpable(cprm.mm_flags) == 2) {
2118                /* Setuid core dump mode */
2119                flag = O_EXCL;          /* Stop rewrite attacks */
2120                cred->fsuid = 0;        /* Dump root private */
2121        }
2122
2123        retval = coredump_wait(exit_code, &core_state);
2124        if (retval < 0)
2125                goto fail_creds;
2126
2127        old_cred = override_creds(cred);
2128
2129        /*
2130         * Clear any false indication of pending signals that might
2131         * be seen by the filesystem code called to write the core file.
2132         */
2133        clear_thread_flag(TIF_SIGPENDING);
2134
2135        ispipe = format_corename(&cn, signr);
2136
2137        if (ispipe) {
2138                int dump_count;
2139                char **helper_argv;
2140
2141                if (ispipe < 0) {
2142                        printk(KERN_WARNING "format_corename failed\n");
2143                        printk(KERN_WARNING "Aborting core\n");
2144                        goto fail_corename;
2145                }
2146
2147                if (cprm.limit == 1) {
2148                        /*
2149                         * Normally core limits are irrelevant to pipes, since
2150                         * we're not writing to the file system, but we use
2151                         * cprm.limit of 1 here as a speacial value. Any
2152                         * non-1 limit gets set to RLIM_INFINITY below, but
2153                         * a limit of 0 skips the dump.  This is a consistent
2154                         * way to catch recursive crashes.  We can still crash
2155                         * if the core_pattern binary sets RLIM_CORE =  !1
2156                         * but it runs as root, and can do lots of stupid things
2157                         * Note that we use task_tgid_vnr here to grab the pid
2158                         * of the process group leader.  That way we get the
2159                         * right pid if a thread in a multi-threaded
2160                         * core_pattern process dies.
2161                         */
2162                        printk(KERN_WARNING
2163                                "Process %d(%s) has RLIMIT_CORE set to 1\n",
2164                                task_tgid_vnr(current), current->comm);
2165                        printk(KERN_WARNING "Aborting core\n");
2166                        goto fail_unlock;
2167                }
2168                cprm.limit = RLIM_INFINITY;
2169
2170                dump_count = atomic_inc_return(&core_dump_count);
2171                if (core_pipe_limit && (core_pipe_limit < dump_count)) {
2172                        printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
2173                               task_tgid_vnr(current), current->comm);
2174                        printk(KERN_WARNING "Skipping core dump\n");
2175                        goto fail_dropcount;
2176                }
2177
2178                helper_argv = argv_split(GFP_KERNEL, cn.corename+1, NULL);
2179                if (!helper_argv) {
2180                        printk(KERN_WARNING "%s failed to allocate memory\n",
2181                               __func__);
2182                        goto fail_dropcount;
2183                }
2184
2185                retval = call_usermodehelper_fns(helper_argv[0], helper_argv,
2186                                        NULL, UMH_WAIT_EXEC, umh_pipe_setup,
2187                                        NULL, &cprm);
2188                argv_free(helper_argv);
2189                if (retval) {
2190                        printk(KERN_INFO "Core dump to %s pipe failed\n",
2191                               cn.corename);
2192                        goto close_fail;
2193                }
2194        } else {
2195                struct inode *inode;
2196
2197                if (cprm.limit < binfmt->min_coredump)
2198                        goto fail_unlock;
2199
2200                cprm.file = filp_open(cn.corename,
2201                                 O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
2202                                 0600);
2203                if (IS_ERR(cprm.file))
2204                        goto fail_unlock;
2205
2206                inode = cprm.file->f_path.dentry->d_inode;
2207                if (inode->i_nlink > 1)
2208                        goto close_fail;
2209                if (d_unhashed(cprm.file->f_path.dentry))
2210                        goto close_fail;
2211                /*
2212                 * AK: actually i see no reason to not allow this for named
2213                 * pipes etc, but keep the previous behaviour for now.
2214                 */
2215                if (!S_ISREG(inode->i_mode))
2216                        goto close_fail;
2217                /*
2218                 * Dont allow local users get cute and trick others to coredump
2219                 * into their pre-created files.
2220                 */
2221                if (inode->i_uid != current_fsuid())
2222                        goto close_fail;
2223                if (!cprm.file->f_op || !cprm.file->f_op->write)
2224                        goto close_fail;
2225                if (do_truncate(cprm.file->f_path.dentry, 0, 0, cprm.file))
2226                        goto close_fail;
2227        }
2228
2229        retval = binfmt->core_dump(&cprm);
2230        if (retval)
2231                current->signal->group_exit_code |= 0x80;
2232
2233        if (ispipe && core_pipe_limit)
2234                wait_for_dump_helpers(cprm.file);
2235close_fail:
2236        if (cprm.file)
2237                filp_close(cprm.file, NULL);
2238fail_dropcount:
2239        if (ispipe)
2240                atomic_dec(&core_dump_count);
2241fail_unlock:
2242        kfree(cn.corename);
2243fail_corename:
2244        coredump_finish(mm);
2245        revert_creds(old_cred);
2246fail_creds:
2247        put_cred(cred);
2248fail:
2249        return;
2250}
2251
2252/*
2253 * Core dumping helper functions.  These are the only things you should
2254 * do on a core-file: use only these functions to write out all the
2255 * necessary info.
2256 */
2257int dump_write(struct file *file, const void *addr, int nr)
2258{
2259        return access_ok(VERIFY_READ, addr, nr) && file->f_op->write(file, addr, nr, &file->f_pos) == nr;
2260}
2261EXPORT_SYMBOL(dump_write);
2262
2263int dump_seek(struct file *file, loff_t off)
2264{
2265        int ret = 1;
2266
2267        if (file->f_op->llseek && file->f_op->llseek != no_llseek) {
2268                if (file->f_op->llseek(file, off, SEEK_CUR) < 0)
2269                        return 0;
2270        } else {
2271                char *buf = (char *)get_zeroed_page(GFP_KERNEL);
2272
2273                if (!buf)
2274                        return 0;
2275                while (off > 0) {
2276                        unsigned long n = off;
2277
2278                        if (n > PAGE_SIZE)
2279                                n = PAGE_SIZE;
2280                        if (!dump_write(file, buf, n)) {
2281                                ret = 0;
2282                                break;
2283                        }
2284                        off -= n;
2285                }
2286                free_page((unsigned long)buf);
2287        }
2288        return ret;
2289}
2290EXPORT_SYMBOL(dump_seek);
2291