linux/fs/exec.c
<<
>>
Prefs
   1/*
   2 *  linux/fs/exec.c
   3 *
   4 *  Copyright (C) 1991, 1992  Linus Torvalds
   5 */
   6
   7/*
   8 * #!-checking implemented by tytso.
   9 */
  10/*
  11 * Demand-loading implemented 01.12.91 - no need to read anything but
  12 * the header into memory. The inode of the executable is put into
  13 * "current->executable", and page faults do the actual loading. Clean.
  14 *
  15 * Once more I can proudly say that linux stood up to being changed: it
  16 * was less than 2 hours work to get demand-loading completely implemented.
  17 *
  18 * Demand loading changed July 1993 by Eric Youngdale.   Use mmap instead,
  19 * current->executable is only used by the procfs.  This allows a dispatch
  20 * table to check for several different types  of binary formats.  We keep
  21 * trying until we recognize the file or we run out of supported binary
  22 * formats. 
  23 */
  24
  25#include <linux/slab.h>
  26#include <linux/file.h>
  27#include <linux/fdtable.h>
  28#include <linux/mm.h>
  29#include <linux/stat.h>
  30#include <linux/fcntl.h>
  31#include <linux/smp_lock.h>
  32#include <linux/swap.h>
  33#include <linux/string.h>
  34#include <linux/init.h>
  35#include <linux/pagemap.h>
  36#include <linux/highmem.h>
  37#include <linux/spinlock.h>
  38#include <linux/key.h>
  39#include <linux/personality.h>
  40#include <linux/binfmts.h>
  41#include <linux/utsname.h>
  42#include <linux/pid_namespace.h>
  43#include <linux/module.h>
  44#include <linux/namei.h>
  45#include <linux/proc_fs.h>
  46#include <linux/mount.h>
  47#include <linux/security.h>
  48#include <linux/ima.h>
  49#include <linux/syscalls.h>
  50#include <linux/tsacct_kern.h>
  51#include <linux/cn_proc.h>
  52#include <linux/audit.h>
  53#include <linux/tracehook.h>
  54#include <linux/kmod.h>
  55#include <linux/fsnotify.h>
  56#include <linux/fs_struct.h>
  57
  58#include <asm/uaccess.h>
  59#include <asm/mmu_context.h>
  60#include <asm/tlb.h>
  61#include "internal.h"
  62
  63int core_uses_pid;
  64char core_pattern[CORENAME_MAX_SIZE] = "core";
  65int suid_dumpable = 0;
  66
  67/* The maximal length of core_pattern is also specified in sysctl.c */
  68
  69static LIST_HEAD(formats);
  70static DEFINE_RWLOCK(binfmt_lock);
  71
  72int __register_binfmt(struct linux_binfmt * fmt, int insert)
  73{
  74        if (!fmt)
  75                return -EINVAL;
  76        write_lock(&binfmt_lock);
  77        insert ? list_add(&fmt->lh, &formats) :
  78                 list_add_tail(&fmt->lh, &formats);
  79        write_unlock(&binfmt_lock);
  80        return 0;       
  81}
  82
  83EXPORT_SYMBOL(__register_binfmt);
  84
  85void unregister_binfmt(struct linux_binfmt * fmt)
  86{
  87        write_lock(&binfmt_lock);
  88        list_del(&fmt->lh);
  89        write_unlock(&binfmt_lock);
  90}
  91
  92EXPORT_SYMBOL(unregister_binfmt);
  93
  94static inline void put_binfmt(struct linux_binfmt * fmt)
  95{
  96        module_put(fmt->module);
  97}
  98
  99/*
 100 * Note that a shared library must be both readable and executable due to
 101 * security reasons.
 102 *
 103 * Also note that we take the address to load from from the file itself.
 104 */
 105SYSCALL_DEFINE1(uselib, const char __user *, library)
 106{
 107        struct file *file;
 108        char *tmp = getname(library);
 109        int error = PTR_ERR(tmp);
 110
 111        if (IS_ERR(tmp))
 112                goto out;
 113
 114        file = do_filp_open(AT_FDCWD, tmp,
 115                                O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
 116                                MAY_READ | MAY_EXEC | MAY_OPEN);
 117        putname(tmp);
 118        error = PTR_ERR(file);
 119        if (IS_ERR(file))
 120                goto out;
 121
 122        error = -EINVAL;
 123        if (!S_ISREG(file->f_path.dentry->d_inode->i_mode))
 124                goto exit;
 125
 126        error = -EACCES;
 127        if (file->f_path.mnt->mnt_flags & MNT_NOEXEC)
 128                goto exit;
 129
 130        fsnotify_open(file->f_path.dentry);
 131
 132        error = -ENOEXEC;
 133        if(file->f_op) {
 134                struct linux_binfmt * fmt;
 135
 136                read_lock(&binfmt_lock);
 137                list_for_each_entry(fmt, &formats, lh) {
 138                        if (!fmt->load_shlib)
 139                                continue;
 140                        if (!try_module_get(fmt->module))
 141                                continue;
 142                        read_unlock(&binfmt_lock);
 143                        error = fmt->load_shlib(file);
 144                        read_lock(&binfmt_lock);
 145                        put_binfmt(fmt);
 146                        if (error != -ENOEXEC)
 147                                break;
 148                }
 149                read_unlock(&binfmt_lock);
 150        }
 151exit:
 152        fput(file);
 153out:
 154        return error;
 155}
 156
 157#ifdef CONFIG_MMU
 158
 159static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
 160                int write)
 161{
 162        struct page *page;
 163        int ret;
 164
 165#ifdef CONFIG_STACK_GROWSUP
 166        if (write) {
 167                ret = expand_stack_downwards(bprm->vma, pos);
 168                if (ret < 0)
 169                        return NULL;
 170        }
 171#endif
 172        ret = get_user_pages(current, bprm->mm, pos,
 173                        1, write, 1, &page, NULL);
 174        if (ret <= 0)
 175                return NULL;
 176
 177        if (write) {
 178                unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
 179                struct rlimit *rlim;
 180
 181                /*
 182                 * We've historically supported up to 32 pages (ARG_MAX)
 183                 * of argument strings even with small stacks
 184                 */
 185                if (size <= ARG_MAX)
 186                        return page;
 187
 188                /*
 189                 * Limit to 1/4-th the stack size for the argv+env strings.
 190                 * This ensures that:
 191                 *  - the remaining binfmt code will not run out of stack space,
 192                 *  - the program will have a reasonable amount of stack left
 193                 *    to work from.
 194                 */
 195                rlim = current->signal->rlim;
 196                if (size > rlim[RLIMIT_STACK].rlim_cur / 4) {
 197                        put_page(page);
 198                        return NULL;
 199                }
 200        }
 201
 202        return page;
 203}
 204
 205static void put_arg_page(struct page *page)
 206{
 207        put_page(page);
 208}
 209
 210static void free_arg_page(struct linux_binprm *bprm, int i)
 211{
 212}
 213
 214static void free_arg_pages(struct linux_binprm *bprm)
 215{
 216}
 217
 218static void flush_arg_page(struct linux_binprm *bprm, unsigned long pos,
 219                struct page *page)
 220{
 221        flush_cache_page(bprm->vma, pos, page_to_pfn(page));
 222}
 223
 224static int __bprm_mm_init(struct linux_binprm *bprm)
 225{
 226        int err;
 227        struct vm_area_struct *vma = NULL;
 228        struct mm_struct *mm = bprm->mm;
 229
 230        bprm->vma = vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
 231        if (!vma)
 232                return -ENOMEM;
 233
 234        down_write(&mm->mmap_sem);
 235        vma->vm_mm = mm;
 236
 237        /*
 238         * Place the stack at the largest stack address the architecture
 239         * supports. Later, we'll move this to an appropriate place. We don't
 240         * use STACK_TOP because that can depend on attributes which aren't
 241         * configured yet.
 242         */
 243        vma->vm_end = STACK_TOP_MAX;
 244        vma->vm_start = vma->vm_end - PAGE_SIZE;
 245        vma->vm_flags = VM_STACK_FLAGS;
 246        vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
 247        err = insert_vm_struct(mm, vma);
 248        if (err)
 249                goto err;
 250
 251        mm->stack_vm = mm->total_vm = 1;
 252        up_write(&mm->mmap_sem);
 253        bprm->p = vma->vm_end - sizeof(void *);
 254        return 0;
 255err:
 256        up_write(&mm->mmap_sem);
 257        bprm->vma = NULL;
 258        kmem_cache_free(vm_area_cachep, vma);
 259        return err;
 260}
 261
 262static bool valid_arg_len(struct linux_binprm *bprm, long len)
 263{
 264        return len <= MAX_ARG_STRLEN;
 265}
 266
 267#else
 268
 269static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
 270                int write)
 271{
 272        struct page *page;
 273
 274        page = bprm->page[pos / PAGE_SIZE];
 275        if (!page && write) {
 276                page = alloc_page(GFP_HIGHUSER|__GFP_ZERO);
 277                if (!page)
 278                        return NULL;
 279                bprm->page[pos / PAGE_SIZE] = page;
 280        }
 281
 282        return page;
 283}
 284
 285static void put_arg_page(struct page *page)
 286{
 287}
 288
 289static void free_arg_page(struct linux_binprm *bprm, int i)
 290{
 291        if (bprm->page[i]) {
 292                __free_page(bprm->page[i]);
 293                bprm->page[i] = NULL;
 294        }
 295}
 296
 297static void free_arg_pages(struct linux_binprm *bprm)
 298{
 299        int i;
 300
 301        for (i = 0; i < MAX_ARG_PAGES; i++)
 302                free_arg_page(bprm, i);
 303}
 304
 305static void flush_arg_page(struct linux_binprm *bprm, unsigned long pos,
 306                struct page *page)
 307{
 308}
 309
 310static int __bprm_mm_init(struct linux_binprm *bprm)
 311{
 312        bprm->p = PAGE_SIZE * MAX_ARG_PAGES - sizeof(void *);
 313        return 0;
 314}
 315
 316static bool valid_arg_len(struct linux_binprm *bprm, long len)
 317{
 318        return len <= bprm->p;
 319}
 320
 321#endif /* CONFIG_MMU */
 322
 323/*
 324 * Create a new mm_struct and populate it with a temporary stack
 325 * vm_area_struct.  We don't have enough context at this point to set the stack
 326 * flags, permissions, and offset, so we use temporary values.  We'll update
 327 * them later in setup_arg_pages().
 328 */
 329int bprm_mm_init(struct linux_binprm *bprm)
 330{
 331        int err;
 332        struct mm_struct *mm = NULL;
 333
 334        bprm->mm = mm = mm_alloc();
 335        err = -ENOMEM;
 336        if (!mm)
 337                goto err;
 338
 339        err = init_new_context(current, mm);
 340        if (err)
 341                goto err;
 342
 343        err = __bprm_mm_init(bprm);
 344        if (err)
 345                goto err;
 346
 347        return 0;
 348
 349err:
 350        if (mm) {
 351                bprm->mm = NULL;
 352                mmdrop(mm);
 353        }
 354
 355        return err;
 356}
 357
 358/*
 359 * count() counts the number of strings in array ARGV.
 360 */
 361static int count(char __user * __user * argv, int max)
 362{
 363        int i = 0;
 364
 365        if (argv != NULL) {
 366                for (;;) {
 367                        char __user * p;
 368
 369                        if (get_user(p, argv))
 370                                return -EFAULT;
 371                        if (!p)
 372                                break;
 373                        argv++;
 374                        if (i++ >= max)
 375                                return -E2BIG;
 376                        cond_resched();
 377                }
 378        }
 379        return i;
 380}
 381
 382/*
 383 * 'copy_strings()' copies argument/environment strings from the old
 384 * processes's memory to the new process's stack.  The call to get_user_pages()
 385 * ensures the destination page is created and not swapped out.
 386 */
 387static int copy_strings(int argc, char __user * __user * argv,
 388                        struct linux_binprm *bprm)
 389{
 390        struct page *kmapped_page = NULL;
 391        char *kaddr = NULL;
 392        unsigned long kpos = 0;
 393        int ret;
 394
 395        while (argc-- > 0) {
 396                char __user *str;
 397                int len;
 398                unsigned long pos;
 399
 400                if (get_user(str, argv+argc) ||
 401                                !(len = strnlen_user(str, MAX_ARG_STRLEN))) {
 402                        ret = -EFAULT;
 403                        goto out;
 404                }
 405
 406                if (!valid_arg_len(bprm, len)) {
 407                        ret = -E2BIG;
 408                        goto out;
 409                }
 410
 411                /* We're going to work our way backwords. */
 412                pos = bprm->p;
 413                str += len;
 414                bprm->p -= len;
 415
 416                while (len > 0) {
 417                        int offset, bytes_to_copy;
 418
 419                        offset = pos % PAGE_SIZE;
 420                        if (offset == 0)
 421                                offset = PAGE_SIZE;
 422
 423                        bytes_to_copy = offset;
 424                        if (bytes_to_copy > len)
 425                                bytes_to_copy = len;
 426
 427                        offset -= bytes_to_copy;
 428                        pos -= bytes_to_copy;
 429                        str -= bytes_to_copy;
 430                        len -= bytes_to_copy;
 431
 432                        if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
 433                                struct page *page;
 434
 435                                page = get_arg_page(bprm, pos, 1);
 436                                if (!page) {
 437                                        ret = -E2BIG;
 438                                        goto out;
 439                                }
 440
 441                                if (kmapped_page) {
 442                                        flush_kernel_dcache_page(kmapped_page);
 443                                        kunmap(kmapped_page);
 444                                        put_arg_page(kmapped_page);
 445                                }
 446                                kmapped_page = page;
 447                                kaddr = kmap(kmapped_page);
 448                                kpos = pos & PAGE_MASK;
 449                                flush_arg_page(bprm, kpos, kmapped_page);
 450                        }
 451                        if (copy_from_user(kaddr+offset, str, bytes_to_copy)) {
 452                                ret = -EFAULT;
 453                                goto out;
 454                        }
 455                }
 456        }
 457        ret = 0;
 458out:
 459        if (kmapped_page) {
 460                flush_kernel_dcache_page(kmapped_page);
 461                kunmap(kmapped_page);
 462                put_arg_page(kmapped_page);
 463        }
 464        return ret;
 465}
 466
 467/*
 468 * Like copy_strings, but get argv and its values from kernel memory.
 469 */
 470int copy_strings_kernel(int argc,char ** argv, struct linux_binprm *bprm)
 471{
 472        int r;
 473        mm_segment_t oldfs = get_fs();
 474        set_fs(KERNEL_DS);
 475        r = copy_strings(argc, (char __user * __user *)argv, bprm);
 476        set_fs(oldfs);
 477        return r;
 478}
 479EXPORT_SYMBOL(copy_strings_kernel);
 480
 481#ifdef CONFIG_MMU
 482
 483/*
 484 * During bprm_mm_init(), we create a temporary stack at STACK_TOP_MAX.  Once
 485 * the binfmt code determines where the new stack should reside, we shift it to
 486 * its final location.  The process proceeds as follows:
 487 *
 488 * 1) Use shift to calculate the new vma endpoints.
 489 * 2) Extend vma to cover both the old and new ranges.  This ensures the
 490 *    arguments passed to subsequent functions are consistent.
 491 * 3) Move vma's page tables to the new range.
 492 * 4) Free up any cleared pgd range.
 493 * 5) Shrink the vma to cover only the new range.
 494 */
 495static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
 496{
 497        struct mm_struct *mm = vma->vm_mm;
 498        unsigned long old_start = vma->vm_start;
 499        unsigned long old_end = vma->vm_end;
 500        unsigned long length = old_end - old_start;
 501        unsigned long new_start = old_start - shift;
 502        unsigned long new_end = old_end - shift;
 503        struct mmu_gather *tlb;
 504
 505        BUG_ON(new_start > new_end);
 506
 507        /*
 508         * ensure there are no vmas between where we want to go
 509         * and where we are
 510         */
 511        if (vma != find_vma(mm, new_start))
 512                return -EFAULT;
 513
 514        /*
 515         * cover the whole range: [new_start, old_end)
 516         */
 517        vma_adjust(vma, new_start, old_end, vma->vm_pgoff, NULL);
 518
 519        /*
 520         * move the page tables downwards, on failure we rely on
 521         * process cleanup to remove whatever mess we made.
 522         */
 523        if (length != move_page_tables(vma, old_start,
 524                                       vma, new_start, length))
 525                return -ENOMEM;
 526
 527        lru_add_drain();
 528        tlb = tlb_gather_mmu(mm, 0);
 529        if (new_end > old_start) {
 530                /*
 531                 * when the old and new regions overlap clear from new_end.
 532                 */
 533                free_pgd_range(tlb, new_end, old_end, new_end,
 534                        vma->vm_next ? vma->vm_next->vm_start : 0);
 535        } else {
 536                /*
 537                 * otherwise, clean from old_start; this is done to not touch
 538                 * the address space in [new_end, old_start) some architectures
 539                 * have constraints on va-space that make this illegal (IA64) -
 540                 * for the others its just a little faster.
 541                 */
 542                free_pgd_range(tlb, old_start, old_end, new_end,
 543                        vma->vm_next ? vma->vm_next->vm_start : 0);
 544        }
 545        tlb_finish_mmu(tlb, new_end, old_end);
 546
 547        /*
 548         * shrink the vma to just the new range.
 549         */
 550        vma_adjust(vma, new_start, new_end, vma->vm_pgoff, NULL);
 551
 552        return 0;
 553}
 554
 555#define EXTRA_STACK_VM_PAGES    20      /* random */
 556
 557/*
 558 * Finalizes the stack vm_area_struct. The flags and permissions are updated,
 559 * the stack is optionally relocated, and some extra space is added.
 560 */
 561int setup_arg_pages(struct linux_binprm *bprm,
 562                    unsigned long stack_top,
 563                    int executable_stack)
 564{
 565        unsigned long ret;
 566        unsigned long stack_shift;
 567        struct mm_struct *mm = current->mm;
 568        struct vm_area_struct *vma = bprm->vma;
 569        struct vm_area_struct *prev = NULL;
 570        unsigned long vm_flags;
 571        unsigned long stack_base;
 572
 573#ifdef CONFIG_STACK_GROWSUP
 574        /* Limit stack size to 1GB */
 575        stack_base = current->signal->rlim[RLIMIT_STACK].rlim_max;
 576        if (stack_base > (1 << 30))
 577                stack_base = 1 << 30;
 578
 579        /* Make sure we didn't let the argument array grow too large. */
 580        if (vma->vm_end - vma->vm_start > stack_base)
 581                return -ENOMEM;
 582
 583        stack_base = PAGE_ALIGN(stack_top - stack_base);
 584
 585        stack_shift = vma->vm_start - stack_base;
 586        mm->arg_start = bprm->p - stack_shift;
 587        bprm->p = vma->vm_end - stack_shift;
 588#else
 589        stack_top = arch_align_stack(stack_top);
 590        stack_top = PAGE_ALIGN(stack_top);
 591        stack_shift = vma->vm_end - stack_top;
 592
 593        bprm->p -= stack_shift;
 594        mm->arg_start = bprm->p;
 595#endif
 596
 597        if (bprm->loader)
 598                bprm->loader -= stack_shift;
 599        bprm->exec -= stack_shift;
 600
 601        down_write(&mm->mmap_sem);
 602        vm_flags = VM_STACK_FLAGS;
 603
 604        /*
 605         * Adjust stack execute permissions; explicitly enable for
 606         * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
 607         * (arch default) otherwise.
 608         */
 609        if (unlikely(executable_stack == EXSTACK_ENABLE_X))
 610                vm_flags |= VM_EXEC;
 611        else if (executable_stack == EXSTACK_DISABLE_X)
 612                vm_flags &= ~VM_EXEC;
 613        vm_flags |= mm->def_flags;
 614
 615        ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
 616                        vm_flags);
 617        if (ret)
 618                goto out_unlock;
 619        BUG_ON(prev != vma);
 620
 621        /* Move stack pages down in memory. */
 622        if (stack_shift) {
 623                ret = shift_arg_pages(vma, stack_shift);
 624                if (ret) {
 625                        up_write(&mm->mmap_sem);
 626                        return ret;
 627                }
 628        }
 629
 630#ifdef CONFIG_STACK_GROWSUP
 631        stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE;
 632#else
 633        stack_base = vma->vm_start - EXTRA_STACK_VM_PAGES * PAGE_SIZE;
 634#endif
 635        ret = expand_stack(vma, stack_base);
 636        if (ret)
 637                ret = -EFAULT;
 638
 639out_unlock:
 640        up_write(&mm->mmap_sem);
 641        return 0;
 642}
 643EXPORT_SYMBOL(setup_arg_pages);
 644
 645#endif /* CONFIG_MMU */
 646
 647struct file *open_exec(const char *name)
 648{
 649        struct file *file;
 650        int err;
 651
 652        file = do_filp_open(AT_FDCWD, name,
 653                                O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
 654                                MAY_EXEC | MAY_OPEN);
 655        if (IS_ERR(file))
 656                goto out;
 657
 658        err = -EACCES;
 659        if (!S_ISREG(file->f_path.dentry->d_inode->i_mode))
 660                goto exit;
 661
 662        if (file->f_path.mnt->mnt_flags & MNT_NOEXEC)
 663                goto exit;
 664
 665        fsnotify_open(file->f_path.dentry);
 666
 667        err = deny_write_access(file);
 668        if (err)
 669                goto exit;
 670
 671out:
 672        return file;
 673
 674exit:
 675        fput(file);
 676        return ERR_PTR(err);
 677}
 678EXPORT_SYMBOL(open_exec);
 679
 680int kernel_read(struct file *file, loff_t offset,
 681                char *addr, unsigned long count)
 682{
 683        mm_segment_t old_fs;
 684        loff_t pos = offset;
 685        int result;
 686
 687        old_fs = get_fs();
 688        set_fs(get_ds());
 689        /* The cast to a user pointer is valid due to the set_fs() */
 690        result = vfs_read(file, (void __user *)addr, count, &pos);
 691        set_fs(old_fs);
 692        return result;
 693}
 694
 695EXPORT_SYMBOL(kernel_read);
 696
 697static int exec_mmap(struct mm_struct *mm)
 698{
 699        struct task_struct *tsk;
 700        struct mm_struct * old_mm, *active_mm;
 701
 702        /* Notify parent that we're no longer interested in the old VM */
 703        tsk = current;
 704        old_mm = current->mm;
 705        mm_release(tsk, old_mm);
 706
 707        if (old_mm) {
 708                /*
 709                 * Make sure that if there is a core dump in progress
 710                 * for the old mm, we get out and die instead of going
 711                 * through with the exec.  We must hold mmap_sem around
 712                 * checking core_state and changing tsk->mm.
 713                 */
 714                down_read(&old_mm->mmap_sem);
 715                if (unlikely(old_mm->core_state)) {
 716                        up_read(&old_mm->mmap_sem);
 717                        return -EINTR;
 718                }
 719        }
 720        task_lock(tsk);
 721        active_mm = tsk->active_mm;
 722        tsk->mm = mm;
 723        tsk->active_mm = mm;
 724        activate_mm(active_mm, mm);
 725        task_unlock(tsk);
 726        arch_pick_mmap_layout(mm);
 727        if (old_mm) {
 728                up_read(&old_mm->mmap_sem);
 729                BUG_ON(active_mm != old_mm);
 730                mm_update_next_owner(old_mm);
 731                mmput(old_mm);
 732                return 0;
 733        }
 734        mmdrop(active_mm);
 735        return 0;
 736}
 737
 738/*
 739 * This function makes sure the current process has its own signal table,
 740 * so that flush_signal_handlers can later reset the handlers without
 741 * disturbing other processes.  (Other processes might share the signal
 742 * table via the CLONE_SIGHAND option to clone().)
 743 */
 744static int de_thread(struct task_struct *tsk)
 745{
 746        struct signal_struct *sig = tsk->signal;
 747        struct sighand_struct *oldsighand = tsk->sighand;
 748        spinlock_t *lock = &oldsighand->siglock;
 749        int count;
 750
 751        if (thread_group_empty(tsk))
 752                goto no_thread_group;
 753
 754        /*
 755         * Kill all other threads in the thread group.
 756         */
 757        spin_lock_irq(lock);
 758        if (signal_group_exit(sig)) {
 759                /*
 760                 * Another group action in progress, just
 761                 * return so that the signal is processed.
 762                 */
 763                spin_unlock_irq(lock);
 764                return -EAGAIN;
 765        }
 766        sig->group_exit_task = tsk;
 767        zap_other_threads(tsk);
 768
 769        /* Account for the thread group leader hanging around: */
 770        count = thread_group_leader(tsk) ? 1 : 2;
 771        sig->notify_count = count;
 772        while (atomic_read(&sig->count) > count) {
 773                __set_current_state(TASK_UNINTERRUPTIBLE);
 774                spin_unlock_irq(lock);
 775                schedule();
 776                spin_lock_irq(lock);
 777        }
 778        spin_unlock_irq(lock);
 779
 780        /*
 781         * At this point all other threads have exited, all we have to
 782         * do is to wait for the thread group leader to become inactive,
 783         * and to assume its PID:
 784         */
 785        if (!thread_group_leader(tsk)) {
 786                struct task_struct *leader = tsk->group_leader;
 787
 788                sig->notify_count = -1; /* for exit_notify() */
 789                for (;;) {
 790                        write_lock_irq(&tasklist_lock);
 791                        if (likely(leader->exit_state))
 792                                break;
 793                        __set_current_state(TASK_UNINTERRUPTIBLE);
 794                        write_unlock_irq(&tasklist_lock);
 795                        schedule();
 796                }
 797
 798                /*
 799                 * The only record we have of the real-time age of a
 800                 * process, regardless of execs it's done, is start_time.
 801                 * All the past CPU time is accumulated in signal_struct
 802                 * from sister threads now dead.  But in this non-leader
 803                 * exec, nothing survives from the original leader thread,
 804                 * whose birth marks the true age of this process now.
 805                 * When we take on its identity by switching to its PID, we
 806                 * also take its birthdate (always earlier than our own).
 807                 */
 808                tsk->start_time = leader->start_time;
 809
 810                BUG_ON(!same_thread_group(leader, tsk));
 811                BUG_ON(has_group_leader_pid(tsk));
 812                /*
 813                 * An exec() starts a new thread group with the
 814                 * TGID of the previous thread group. Rehash the
 815                 * two threads with a switched PID, and release
 816                 * the former thread group leader:
 817                 */
 818
 819                /* Become a process group leader with the old leader's pid.
 820                 * The old leader becomes a thread of the this thread group.
 821                 * Note: The old leader also uses this pid until release_task
 822                 *       is called.  Odd but simple and correct.
 823                 */
 824                detach_pid(tsk, PIDTYPE_PID);
 825                tsk->pid = leader->pid;
 826                attach_pid(tsk, PIDTYPE_PID,  task_pid(leader));
 827                transfer_pid(leader, tsk, PIDTYPE_PGID);
 828                transfer_pid(leader, tsk, PIDTYPE_SID);
 829                list_replace_rcu(&leader->tasks, &tsk->tasks);
 830
 831                tsk->group_leader = tsk;
 832                leader->group_leader = tsk;
 833
 834                tsk->exit_signal = SIGCHLD;
 835
 836                BUG_ON(leader->exit_state != EXIT_ZOMBIE);
 837                leader->exit_state = EXIT_DEAD;
 838                write_unlock_irq(&tasklist_lock);
 839
 840                release_task(leader);
 841        }
 842
 843        sig->group_exit_task = NULL;
 844        sig->notify_count = 0;
 845
 846no_thread_group:
 847        exit_itimers(sig);
 848        flush_itimer_signals();
 849
 850        if (atomic_read(&oldsighand->count) != 1) {
 851                struct sighand_struct *newsighand;
 852                /*
 853                 * This ->sighand is shared with the CLONE_SIGHAND
 854                 * but not CLONE_THREAD task, switch to the new one.
 855                 */
 856                newsighand = kmem_cache_alloc(sighand_cachep, GFP_KERNEL);
 857                if (!newsighand)
 858                        return -ENOMEM;
 859
 860                atomic_set(&newsighand->count, 1);
 861                memcpy(newsighand->action, oldsighand->action,
 862                       sizeof(newsighand->action));
 863
 864                write_lock_irq(&tasklist_lock);
 865                spin_lock(&oldsighand->siglock);
 866                rcu_assign_pointer(tsk->sighand, newsighand);
 867                spin_unlock(&oldsighand->siglock);
 868                write_unlock_irq(&tasklist_lock);
 869
 870                __cleanup_sighand(oldsighand);
 871        }
 872
 873        BUG_ON(!thread_group_leader(tsk));
 874        return 0;
 875}
 876
 877/*
 878 * These functions flushes out all traces of the currently running executable
 879 * so that a new one can be started
 880 */
 881static void flush_old_files(struct files_struct * files)
 882{
 883        long j = -1;
 884        struct fdtable *fdt;
 885
 886        spin_lock(&files->file_lock);
 887        for (;;) {
 888                unsigned long set, i;
 889
 890                j++;
 891                i = j * __NFDBITS;
 892                fdt = files_fdtable(files);
 893                if (i >= fdt->max_fds)
 894                        break;
 895                set = fdt->close_on_exec->fds_bits[j];
 896                if (!set)
 897                        continue;
 898                fdt->close_on_exec->fds_bits[j] = 0;
 899                spin_unlock(&files->file_lock);
 900                for ( ; set ; i++,set >>= 1) {
 901                        if (set & 1) {
 902                                sys_close(i);
 903                        }
 904                }
 905                spin_lock(&files->file_lock);
 906
 907        }
 908        spin_unlock(&files->file_lock);
 909}
 910
 911char *get_task_comm(char *buf, struct task_struct *tsk)
 912{
 913        /* buf must be at least sizeof(tsk->comm) in size */
 914        task_lock(tsk);
 915        strncpy(buf, tsk->comm, sizeof(tsk->comm));
 916        task_unlock(tsk);
 917        return buf;
 918}
 919
 920void set_task_comm(struct task_struct *tsk, char *buf)
 921{
 922        task_lock(tsk);
 923        strlcpy(tsk->comm, buf, sizeof(tsk->comm));
 924        task_unlock(tsk);
 925}
 926
 927int flush_old_exec(struct linux_binprm * bprm)
 928{
 929        char * name;
 930        int i, ch, retval;
 931        char tcomm[sizeof(current->comm)];
 932
 933        /*
 934         * Make sure we have a private signal table and that
 935         * we are unassociated from the previous thread group.
 936         */
 937        retval = de_thread(current);
 938        if (retval)
 939                goto out;
 940
 941        set_mm_exe_file(bprm->mm, bprm->file);
 942
 943        /*
 944         * Release all of the old mmap stuff
 945         */
 946        retval = exec_mmap(bprm->mm);
 947        if (retval)
 948                goto out;
 949
 950        bprm->mm = NULL;                /* We're using it now */
 951
 952        /* This is the point of no return */
 953        current->sas_ss_sp = current->sas_ss_size = 0;
 954
 955        if (current_euid() == current_uid() && current_egid() == current_gid())
 956                set_dumpable(current->mm, 1);
 957        else
 958                set_dumpable(current->mm, suid_dumpable);
 959
 960        name = bprm->filename;
 961
 962        /* Copies the binary name from after last slash */
 963        for (i=0; (ch = *(name++)) != '\0';) {
 964                if (ch == '/')
 965                        i = 0; /* overwrite what we wrote */
 966                else
 967                        if (i < (sizeof(tcomm) - 1))
 968                                tcomm[i++] = ch;
 969        }
 970        tcomm[i] = '\0';
 971        set_task_comm(current, tcomm);
 972
 973        current->flags &= ~PF_RANDOMIZE;
 974        flush_thread();
 975
 976        /* Set the new mm task size. We have to do that late because it may
 977         * depend on TIF_32BIT which is only updated in flush_thread() on
 978         * some architectures like powerpc
 979         */
 980        current->mm->task_size = TASK_SIZE;
 981
 982        /* install the new credentials */
 983        if (bprm->cred->uid != current_euid() ||
 984            bprm->cred->gid != current_egid()) {
 985                current->pdeath_signal = 0;
 986        } else if (file_permission(bprm->file, MAY_READ) ||
 987                   bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP) {
 988                set_dumpable(current->mm, suid_dumpable);
 989        }
 990
 991        current->personality &= ~bprm->per_clear;
 992
 993        /* An exec changes our domain. We are no longer part of the thread
 994           group */
 995
 996        current->self_exec_id++;
 997                        
 998        flush_signal_handlers(current, 0);
 999        flush_old_files(current->files);
1000
1001        return 0;
1002
1003out:
1004        return retval;
1005}
1006
1007EXPORT_SYMBOL(flush_old_exec);
1008
1009/*
1010 * install the new credentials for this executable
1011 */
1012void install_exec_creds(struct linux_binprm *bprm)
1013{
1014        security_bprm_committing_creds(bprm);
1015
1016        commit_creds(bprm->cred);
1017        bprm->cred = NULL;
1018
1019        /* cred_exec_mutex must be held at least to this point to prevent
1020         * ptrace_attach() from altering our determination of the task's
1021         * credentials; any time after this it may be unlocked */
1022
1023        security_bprm_committed_creds(bprm);
1024}
1025EXPORT_SYMBOL(install_exec_creds);
1026
1027/*
1028 * determine how safe it is to execute the proposed program
1029 * - the caller must hold current->cred_exec_mutex to protect against
1030 *   PTRACE_ATTACH
1031 */
1032int check_unsafe_exec(struct linux_binprm *bprm)
1033{
1034        struct task_struct *p = current, *t;
1035        unsigned n_fs;
1036        int res = 0;
1037
1038        bprm->unsafe = tracehook_unsafe_exec(p);
1039
1040        n_fs = 1;
1041        write_lock(&p->fs->lock);
1042        rcu_read_lock();
1043        for (t = next_thread(p); t != p; t = next_thread(t)) {
1044                if (t->fs == p->fs)
1045                        n_fs++;
1046        }
1047        rcu_read_unlock();
1048
1049        if (p->fs->users > n_fs) {
1050                bprm->unsafe |= LSM_UNSAFE_SHARE;
1051        } else {
1052                res = -EAGAIN;
1053                if (!p->fs->in_exec) {
1054                        p->fs->in_exec = 1;
1055                        res = 1;
1056                }
1057        }
1058        write_unlock(&p->fs->lock);
1059
1060        return res;
1061}
1062
1063/* 
1064 * Fill the binprm structure from the inode. 
1065 * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
1066 *
1067 * This may be called multiple times for binary chains (scripts for example).
1068 */
1069int prepare_binprm(struct linux_binprm *bprm)
1070{
1071        umode_t mode;
1072        struct inode * inode = bprm->file->f_path.dentry->d_inode;
1073        int retval;
1074
1075        mode = inode->i_mode;
1076        if (bprm->file->f_op == NULL)
1077                return -EACCES;
1078
1079        /* clear any previous set[ug]id data from a previous binary */
1080        bprm->cred->euid = current_euid();
1081        bprm->cred->egid = current_egid();
1082
1083        if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
1084                /* Set-uid? */
1085                if (mode & S_ISUID) {
1086                        bprm->per_clear |= PER_CLEAR_ON_SETID;
1087                        bprm->cred->euid = inode->i_uid;
1088                }
1089
1090                /* Set-gid? */
1091                /*
1092                 * If setgid is set but no group execute bit then this
1093                 * is a candidate for mandatory locking, not a setgid
1094                 * executable.
1095                 */
1096                if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
1097                        bprm->per_clear |= PER_CLEAR_ON_SETID;
1098                        bprm->cred->egid = inode->i_gid;
1099                }
1100        }
1101
1102        /* fill in binprm security blob */
1103        retval = security_bprm_set_creds(bprm);
1104        if (retval)
1105                return retval;
1106        bprm->cred_prepared = 1;
1107
1108        memset(bprm->buf, 0, BINPRM_BUF_SIZE);
1109        return kernel_read(bprm->file, 0, bprm->buf, BINPRM_BUF_SIZE);
1110}
1111
1112EXPORT_SYMBOL(prepare_binprm);
1113
1114/*
1115 * Arguments are '\0' separated strings found at the location bprm->p
1116 * points to; chop off the first by relocating brpm->p to right after
1117 * the first '\0' encountered.
1118 */
1119int remove_arg_zero(struct linux_binprm *bprm)
1120{
1121        int ret = 0;
1122        unsigned long offset;
1123        char *kaddr;
1124        struct page *page;
1125
1126        if (!bprm->argc)
1127                return 0;
1128
1129        do {
1130                offset = bprm->p & ~PAGE_MASK;
1131                page = get_arg_page(bprm, bprm->p, 0);
1132                if (!page) {
1133                        ret = -EFAULT;
1134                        goto out;
1135                }
1136                kaddr = kmap_atomic(page, KM_USER0);
1137
1138                for (; offset < PAGE_SIZE && kaddr[offset];
1139                                offset++, bprm->p++)
1140                        ;
1141
1142                kunmap_atomic(kaddr, KM_USER0);
1143                put_arg_page(page);
1144
1145                if (offset == PAGE_SIZE)
1146                        free_arg_page(bprm, (bprm->p >> PAGE_SHIFT) - 1);
1147        } while (offset == PAGE_SIZE);
1148
1149        bprm->p++;
1150        bprm->argc--;
1151        ret = 0;
1152
1153out:
1154        return ret;
1155}
1156EXPORT_SYMBOL(remove_arg_zero);
1157
1158/*
1159 * cycle the list of binary formats handler, until one recognizes the image
1160 */
1161int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
1162{
1163        unsigned int depth = bprm->recursion_depth;
1164        int try,retval;
1165        struct linux_binfmt *fmt;
1166
1167        retval = security_bprm_check(bprm);
1168        if (retval)
1169                return retval;
1170        retval = ima_bprm_check(bprm);
1171        if (retval)
1172                return retval;
1173
1174        /* kernel module loader fixup */
1175        /* so we don't try to load run modprobe in kernel space. */
1176        set_fs(USER_DS);
1177
1178        retval = audit_bprm(bprm);
1179        if (retval)
1180                return retval;
1181
1182        retval = -ENOENT;
1183        for (try=0; try<2; try++) {
1184                read_lock(&binfmt_lock);
1185                list_for_each_entry(fmt, &formats, lh) {
1186                        int (*fn)(struct linux_binprm *, struct pt_regs *) = fmt->load_binary;
1187                        if (!fn)
1188                                continue;
1189                        if (!try_module_get(fmt->module))
1190                                continue;
1191                        read_unlock(&binfmt_lock);
1192                        retval = fn(bprm, regs);
1193                        /*
1194                         * Restore the depth counter to its starting value
1195                         * in this call, so we don't have to rely on every
1196                         * load_binary function to restore it on return.
1197                         */
1198                        bprm->recursion_depth = depth;
1199                        if (retval >= 0) {
1200                                if (depth == 0)
1201                                        tracehook_report_exec(fmt, bprm, regs);
1202                                put_binfmt(fmt);
1203                                allow_write_access(bprm->file);
1204                                if (bprm->file)
1205                                        fput(bprm->file);
1206                                bprm->file = NULL;
1207                                current->did_exec = 1;
1208                                proc_exec_connector(current);
1209                                return retval;
1210                        }
1211                        read_lock(&binfmt_lock);
1212                        put_binfmt(fmt);
1213                        if (retval != -ENOEXEC || bprm->mm == NULL)
1214                                break;
1215                        if (!bprm->file) {
1216                                read_unlock(&binfmt_lock);
1217                                return retval;
1218                        }
1219                }
1220                read_unlock(&binfmt_lock);
1221                if (retval != -ENOEXEC || bprm->mm == NULL) {
1222                        break;
1223#ifdef CONFIG_MODULES
1224                } else {
1225#define printable(c) (((c)=='\t') || ((c)=='\n') || (0x20<=(c) && (c)<=0x7e))
1226                        if (printable(bprm->buf[0]) &&
1227                            printable(bprm->buf[1]) &&
1228                            printable(bprm->buf[2]) &&
1229                            printable(bprm->buf[3]))
1230                                break; /* -ENOEXEC */
1231                        request_module("binfmt-%04x", *(unsigned short *)(&bprm->buf[2]));
1232#endif
1233                }
1234        }
1235        return retval;
1236}
1237
1238EXPORT_SYMBOL(search_binary_handler);
1239
1240void free_bprm(struct linux_binprm *bprm)
1241{
1242        free_arg_pages(bprm);
1243        if (bprm->cred)
1244                abort_creds(bprm->cred);
1245        kfree(bprm);
1246}
1247
1248/*
1249 * sys_execve() executes a new program.
1250 */
1251int do_execve(char * filename,
1252        char __user *__user *argv,
1253        char __user *__user *envp,
1254        struct pt_regs * regs)
1255{
1256        struct linux_binprm *bprm;
1257        struct file *file;
1258        struct files_struct *displaced;
1259        bool clear_in_exec;
1260        int retval;
1261
1262        retval = unshare_files(&displaced);
1263        if (retval)
1264                goto out_ret;
1265
1266        retval = -ENOMEM;
1267        bprm = kzalloc(sizeof(*bprm), GFP_KERNEL);
1268        if (!bprm)
1269                goto out_files;
1270
1271        retval = mutex_lock_interruptible(&current->cred_exec_mutex);
1272        if (retval < 0)
1273                goto out_free;
1274        current->in_execve = 1;
1275
1276        retval = -ENOMEM;
1277        bprm->cred = prepare_exec_creds();
1278        if (!bprm->cred)
1279                goto out_unlock;
1280
1281        retval = check_unsafe_exec(bprm);
1282        if (retval < 0)
1283                goto out_unlock;
1284        clear_in_exec = retval;
1285
1286        file = open_exec(filename);
1287        retval = PTR_ERR(file);
1288        if (IS_ERR(file))
1289                goto out_unmark;
1290
1291        sched_exec();
1292
1293        bprm->file = file;
1294        bprm->filename = filename;
1295        bprm->interp = filename;
1296
1297        retval = bprm_mm_init(bprm);
1298        if (retval)
1299                goto out_file;
1300
1301        bprm->argc = count(argv, MAX_ARG_STRINGS);
1302        if ((retval = bprm->argc) < 0)
1303                goto out;
1304
1305        bprm->envc = count(envp, MAX_ARG_STRINGS);
1306        if ((retval = bprm->envc) < 0)
1307                goto out;
1308
1309        retval = prepare_binprm(bprm);
1310        if (retval < 0)
1311                goto out;
1312
1313        retval = copy_strings_kernel(1, &bprm->filename, bprm);
1314        if (retval < 0)
1315                goto out;
1316
1317        bprm->exec = bprm->p;
1318        retval = copy_strings(bprm->envc, envp, bprm);
1319        if (retval < 0)
1320                goto out;
1321
1322        retval = copy_strings(bprm->argc, argv, bprm);
1323        if (retval < 0)
1324                goto out;
1325
1326        current->flags &= ~PF_KTHREAD;
1327        retval = search_binary_handler(bprm,regs);
1328        if (retval < 0)
1329                goto out;
1330
1331        /* execve succeeded */
1332        current->fs->in_exec = 0;
1333        current->in_execve = 0;
1334        mutex_unlock(&current->cred_exec_mutex);
1335        acct_update_integrals(current);
1336        free_bprm(bprm);
1337        if (displaced)
1338                put_files_struct(displaced);
1339        return retval;
1340
1341out:
1342        if (bprm->mm)
1343                mmput (bprm->mm);
1344
1345out_file:
1346        if (bprm->file) {
1347                allow_write_access(bprm->file);
1348                fput(bprm->file);
1349        }
1350
1351out_unmark:
1352        if (clear_in_exec)
1353                current->fs->in_exec = 0;
1354
1355out_unlock:
1356        current->in_execve = 0;
1357        mutex_unlock(&current->cred_exec_mutex);
1358
1359out_free:
1360        free_bprm(bprm);
1361
1362out_files:
1363        if (displaced)
1364                reset_files_struct(displaced);
1365out_ret:
1366        return retval;
1367}
1368
1369int set_binfmt(struct linux_binfmt *new)
1370{
1371        struct linux_binfmt *old = current->binfmt;
1372
1373        if (new) {
1374                if (!try_module_get(new->module))
1375                        return -1;
1376        }
1377        current->binfmt = new;
1378        if (old)
1379                module_put(old->module);
1380        return 0;
1381}
1382
1383EXPORT_SYMBOL(set_binfmt);
1384
1385/* format_corename will inspect the pattern parameter, and output a
1386 * name into corename, which must have space for at least
1387 * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator.
1388 */
1389static int format_corename(char *corename, long signr)
1390{
1391        const struct cred *cred = current_cred();
1392        const char *pat_ptr = core_pattern;
1393        int ispipe = (*pat_ptr == '|');
1394        char *out_ptr = corename;
1395        char *const out_end = corename + CORENAME_MAX_SIZE;
1396        int rc;
1397        int pid_in_pattern = 0;
1398
1399        /* Repeat as long as we have more pattern to process and more output
1400           space */
1401        while (*pat_ptr) {
1402                if (*pat_ptr != '%') {
1403                        if (out_ptr == out_end)
1404                                goto out;
1405                        *out_ptr++ = *pat_ptr++;
1406                } else {
1407                        switch (*++pat_ptr) {
1408                        case 0:
1409                                goto out;
1410                        /* Double percent, output one percent */
1411                        case '%':
1412                                if (out_ptr == out_end)
1413                                        goto out;
1414                                *out_ptr++ = '%';
1415                                break;
1416                        /* pid */
1417                        case 'p':
1418                                pid_in_pattern = 1;
1419                                rc = snprintf(out_ptr, out_end - out_ptr,
1420                                              "%d", task_tgid_vnr(current));
1421                                if (rc > out_end - out_ptr)
1422                                        goto out;
1423                                out_ptr += rc;
1424                                break;
1425                        /* uid */
1426                        case 'u':
1427                                rc = snprintf(out_ptr, out_end - out_ptr,
1428                                              "%d", cred->uid);
1429                                if (rc > out_end - out_ptr)
1430                                        goto out;
1431                                out_ptr += rc;
1432                                break;
1433                        /* gid */
1434                        case 'g':
1435                                rc = snprintf(out_ptr, out_end - out_ptr,
1436                                              "%d", cred->gid);
1437                                if (rc > out_end - out_ptr)
1438                                        goto out;
1439                                out_ptr += rc;
1440                                break;
1441                        /* signal that caused the coredump */
1442                        case 's':
1443                                rc = snprintf(out_ptr, out_end - out_ptr,
1444                                              "%ld", signr);
1445                                if (rc > out_end - out_ptr)
1446                                        goto out;
1447                                out_ptr += rc;
1448                                break;
1449                        /* UNIX time of coredump */
1450                        case 't': {
1451                                struct timeval tv;
1452                                do_gettimeofday(&tv);
1453                                rc = snprintf(out_ptr, out_end - out_ptr,
1454                                              "%lu", tv.tv_sec);
1455                                if (rc > out_end - out_ptr)
1456                                        goto out;
1457                                out_ptr += rc;
1458                                break;
1459                        }
1460                        /* hostname */
1461                        case 'h':
1462                                down_read(&uts_sem);
1463                                rc = snprintf(out_ptr, out_end - out_ptr,
1464                                              "%s", utsname()->nodename);
1465                                up_read(&uts_sem);
1466                                if (rc > out_end - out_ptr)
1467                                        goto out;
1468                                out_ptr += rc;
1469                                break;
1470                        /* executable */
1471                        case 'e':
1472                                rc = snprintf(out_ptr, out_end - out_ptr,
1473                                              "%s", current->comm);
1474                                if (rc > out_end - out_ptr)
1475                                        goto out;
1476                                out_ptr += rc;
1477                                break;
1478                        /* core limit size */
1479                        case 'c':
1480                                rc = snprintf(out_ptr, out_end - out_ptr,
1481                                              "%lu", current->signal->rlim[RLIMIT_CORE].rlim_cur);
1482                                if (rc > out_end - out_ptr)
1483                                        goto out;
1484                                out_ptr += rc;
1485                                break;
1486                        default:
1487                                break;
1488                        }
1489                        ++pat_ptr;
1490                }
1491        }
1492        /* Backward compatibility with core_uses_pid:
1493         *
1494         * If core_pattern does not include a %p (as is the default)
1495         * and core_uses_pid is set, then .%pid will be appended to
1496         * the filename. Do not do this for piped commands. */
1497        if (!ispipe && !pid_in_pattern && core_uses_pid) {
1498                rc = snprintf(out_ptr, out_end - out_ptr,
1499                              ".%d", task_tgid_vnr(current));
1500                if (rc > out_end - out_ptr)
1501                        goto out;
1502                out_ptr += rc;
1503        }
1504out:
1505        *out_ptr = 0;
1506        return ispipe;
1507}
1508
1509static int zap_process(struct task_struct *start)
1510{
1511        struct task_struct *t;
1512        int nr = 0;
1513
1514        start->signal->flags = SIGNAL_GROUP_EXIT;
1515        start->signal->group_stop_count = 0;
1516
1517        t = start;
1518        do {
1519                if (t != current && t->mm) {
1520                        sigaddset(&t->pending.signal, SIGKILL);
1521                        signal_wake_up(t, 1);
1522                        nr++;
1523                }
1524        } while_each_thread(start, t);
1525
1526        return nr;
1527}
1528
1529static inline int zap_threads(struct task_struct *tsk, struct mm_struct *mm,
1530                                struct core_state *core_state, int exit_code)
1531{
1532        struct task_struct *g, *p;
1533        unsigned long flags;
1534        int nr = -EAGAIN;
1535
1536        spin_lock_irq(&tsk->sighand->siglock);
1537        if (!signal_group_exit(tsk->signal)) {
1538                mm->core_state = core_state;
1539                tsk->signal->group_exit_code = exit_code;
1540                nr = zap_process(tsk);
1541        }
1542        spin_unlock_irq(&tsk->sighand->siglock);
1543        if (unlikely(nr < 0))
1544                return nr;
1545
1546        if (atomic_read(&mm->mm_users) == nr + 1)
1547                goto done;
1548        /*
1549         * We should find and kill all tasks which use this mm, and we should
1550         * count them correctly into ->nr_threads. We don't take tasklist
1551         * lock, but this is safe wrt:
1552         *
1553         * fork:
1554         *      None of sub-threads can fork after zap_process(leader). All
1555         *      processes which were created before this point should be
1556         *      visible to zap_threads() because copy_process() adds the new
1557         *      process to the tail of init_task.tasks list, and lock/unlock
1558         *      of ->siglock provides a memory barrier.
1559         *
1560         * do_exit:
1561         *      The caller holds mm->mmap_sem. This means that the task which
1562         *      uses this mm can't pass exit_mm(), so it can't exit or clear
1563         *      its ->mm.
1564         *
1565         * de_thread:
1566         *      It does list_replace_rcu(&leader->tasks, &current->tasks),
1567         *      we must see either old or new leader, this does not matter.
1568         *      However, it can change p->sighand, so lock_task_sighand(p)
1569         *      must be used. Since p->mm != NULL and we hold ->mmap_sem
1570         *      it can't fail.
1571         *
1572         *      Note also that "g" can be the old leader with ->mm == NULL
1573         *      and already unhashed and thus removed from ->thread_group.
1574         *      This is OK, __unhash_process()->list_del_rcu() does not
1575         *      clear the ->next pointer, we will find the new leader via
1576         *      next_thread().
1577         */
1578        rcu_read_lock();
1579        for_each_process(g) {
1580                if (g == tsk->group_leader)
1581                        continue;
1582                if (g->flags & PF_KTHREAD)
1583                        continue;
1584                p = g;
1585                do {
1586                        if (p->mm) {
1587                                if (unlikely(p->mm == mm)) {
1588                                        lock_task_sighand(p, &flags);
1589                                        nr += zap_process(p);
1590                                        unlock_task_sighand(p, &flags);
1591                                }
1592                                break;
1593                        }
1594                } while_each_thread(g, p);
1595        }
1596        rcu_read_unlock();
1597done:
1598        atomic_set(&core_state->nr_threads, nr);
1599        return nr;
1600}
1601
1602static int coredump_wait(int exit_code, struct core_state *core_state)
1603{
1604        struct task_struct *tsk = current;
1605        struct mm_struct *mm = tsk->mm;
1606        struct completion *vfork_done;
1607        int core_waiters;
1608
1609        init_completion(&core_state->startup);
1610        core_state->dumper.task = tsk;
1611        core_state->dumper.next = NULL;
1612        core_waiters = zap_threads(tsk, mm, core_state, exit_code);
1613        up_write(&mm->mmap_sem);
1614
1615        if (unlikely(core_waiters < 0))
1616                goto fail;
1617
1618        /*
1619         * Make sure nobody is waiting for us to release the VM,
1620         * otherwise we can deadlock when we wait on each other
1621         */
1622        vfork_done = tsk->vfork_done;
1623        if (vfork_done) {
1624                tsk->vfork_done = NULL;
1625                complete(vfork_done);
1626        }
1627
1628        if (core_waiters)
1629                wait_for_completion(&core_state->startup);
1630fail:
1631        return core_waiters;
1632}
1633
1634static void coredump_finish(struct mm_struct *mm)
1635{
1636        struct core_thread *curr, *next;
1637        struct task_struct *task;
1638
1639        next = mm->core_state->dumper.next;
1640        while ((curr = next) != NULL) {
1641                next = curr->next;
1642                task = curr->task;
1643                /*
1644                 * see exit_mm(), curr->task must not see
1645                 * ->task == NULL before we read ->next.
1646                 */
1647                smp_mb();
1648                curr->task = NULL;
1649                wake_up_process(task);
1650        }
1651
1652        mm->core_state = NULL;
1653}
1654
1655/*
1656 * set_dumpable converts traditional three-value dumpable to two flags and
1657 * stores them into mm->flags.  It modifies lower two bits of mm->flags, but
1658 * these bits are not changed atomically.  So get_dumpable can observe the
1659 * intermediate state.  To avoid doing unexpected behavior, get get_dumpable
1660 * return either old dumpable or new one by paying attention to the order of
1661 * modifying the bits.
1662 *
1663 * dumpable |   mm->flags (binary)
1664 * old  new | initial interim  final
1665 * ---------+-----------------------
1666 *  0    1  |   00      01      01
1667 *  0    2  |   00      10(*)   11
1668 *  1    0  |   01      00      00
1669 *  1    2  |   01      11      11
1670 *  2    0  |   11      10(*)   00
1671 *  2    1  |   11      11      01
1672 *
1673 * (*) get_dumpable regards interim value of 10 as 11.
1674 */
1675void set_dumpable(struct mm_struct *mm, int value)
1676{
1677        switch (value) {
1678        case 0:
1679                clear_bit(MMF_DUMPABLE, &mm->flags);
1680                smp_wmb();
1681                clear_bit(MMF_DUMP_SECURELY, &mm->flags);
1682                break;
1683        case 1:
1684                set_bit(MMF_DUMPABLE, &mm->flags);
1685                smp_wmb();
1686                clear_bit(MMF_DUMP_SECURELY, &mm->flags);
1687                break;
1688        case 2:
1689                set_bit(MMF_DUMP_SECURELY, &mm->flags);
1690                smp_wmb();
1691                set_bit(MMF_DUMPABLE, &mm->flags);
1692                break;
1693        }
1694}
1695
1696int get_dumpable(struct mm_struct *mm)
1697{
1698        int ret;
1699
1700        ret = mm->flags & 0x3;
1701        return (ret >= 2) ? 2 : ret;
1702}
1703
1704void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1705{
1706        struct core_state core_state;
1707        char corename[CORENAME_MAX_SIZE + 1];
1708        struct mm_struct *mm = current->mm;
1709        struct linux_binfmt * binfmt;
1710        struct inode * inode;
1711        struct file * file;
1712        const struct cred *old_cred;
1713        struct cred *cred;
1714        int retval = 0;
1715        int flag = 0;
1716        int ispipe = 0;
1717        unsigned long core_limit = current->signal->rlim[RLIMIT_CORE].rlim_cur;
1718        char **helper_argv = NULL;
1719        int helper_argc = 0;
1720        char *delimit;
1721
1722        audit_core_dumps(signr);
1723
1724        binfmt = current->binfmt;
1725        if (!binfmt || !binfmt->core_dump)
1726                goto fail;
1727
1728        cred = prepare_creds();
1729        if (!cred) {
1730                retval = -ENOMEM;
1731                goto fail;
1732        }
1733
1734        down_write(&mm->mmap_sem);
1735        /*
1736         * If another thread got here first, or we are not dumpable, bail out.
1737         */
1738        if (mm->core_state || !get_dumpable(mm)) {
1739                up_write(&mm->mmap_sem);
1740                put_cred(cred);
1741                goto fail;
1742        }
1743
1744        /*
1745         *      We cannot trust fsuid as being the "true" uid of the
1746         *      process nor do we know its entire history. We only know it
1747         *      was tainted so we dump it as root in mode 2.
1748         */
1749        if (get_dumpable(mm) == 2) {    /* Setuid core dump mode */
1750                flag = O_EXCL;          /* Stop rewrite attacks */
1751                cred->fsuid = 0;        /* Dump root private */
1752        }
1753
1754        retval = coredump_wait(exit_code, &core_state);
1755        if (retval < 0) {
1756                put_cred(cred);
1757                goto fail;
1758        }
1759
1760        old_cred = override_creds(cred);
1761
1762        /*
1763         * Clear any false indication of pending signals that might
1764         * be seen by the filesystem code called to write the core file.
1765         */
1766        clear_thread_flag(TIF_SIGPENDING);
1767
1768        /*
1769         * lock_kernel() because format_corename() is controlled by sysctl, which
1770         * uses lock_kernel()
1771         */
1772        lock_kernel();
1773        ispipe = format_corename(corename, signr);
1774        unlock_kernel();
1775        /*
1776         * Don't bother to check the RLIMIT_CORE value if core_pattern points
1777         * to a pipe.  Since we're not writing directly to the filesystem
1778         * RLIMIT_CORE doesn't really apply, as no actual core file will be
1779         * created unless the pipe reader choses to write out the core file
1780         * at which point file size limits and permissions will be imposed
1781         * as it does with any other process
1782         */
1783        if ((!ispipe) && (core_limit < binfmt->min_coredump))
1784                goto fail_unlock;
1785
1786        if (ispipe) {
1787                helper_argv = argv_split(GFP_KERNEL, corename+1, &helper_argc);
1788                if (!helper_argv) {
1789                        printk(KERN_WARNING "%s failed to allocate memory\n",
1790                               __func__);
1791                        goto fail_unlock;
1792                }
1793                /* Terminate the string before the first option */
1794                delimit = strchr(corename, ' ');
1795                if (delimit)
1796                        *delimit = '\0';
1797                delimit = strrchr(helper_argv[0], '/');
1798                if (delimit)
1799                        delimit++;
1800                else
1801                        delimit = helper_argv[0];
1802                if (!strcmp(delimit, current->comm)) {
1803                        printk(KERN_NOTICE "Recursive core dump detected, "
1804                                        "aborting\n");
1805                        goto fail_unlock;
1806                }
1807
1808                core_limit = RLIM_INFINITY;
1809
1810                /* SIGPIPE can happen, but it's just never processed */
1811                if (call_usermodehelper_pipe(corename+1, helper_argv, NULL,
1812                                &file)) {
1813                        printk(KERN_INFO "Core dump to %s pipe failed\n",
1814                               corename);
1815                        goto fail_unlock;
1816                }
1817        } else
1818                file = filp_open(corename,
1819                                 O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
1820                                 0600);
1821        if (IS_ERR(file))
1822                goto fail_unlock;
1823        inode = file->f_path.dentry->d_inode;
1824        if (inode->i_nlink > 1)
1825                goto close_fail;        /* multiple links - don't dump */
1826        if (!ispipe && d_unhashed(file->f_path.dentry))
1827                goto close_fail;
1828
1829        /* AK: actually i see no reason to not allow this for named pipes etc.,
1830           but keep the previous behaviour for now. */
1831        if (!ispipe && !S_ISREG(inode->i_mode))
1832                goto close_fail;
1833        /*
1834         * Dont allow local users get cute and trick others to coredump
1835         * into their pre-created files:
1836         */
1837        if (inode->i_uid != current_fsuid())
1838                goto close_fail;
1839        if (!file->f_op)
1840                goto close_fail;
1841        if (!file->f_op->write)
1842                goto close_fail;
1843        if (!ispipe && do_truncate(file->f_path.dentry, 0, 0, file) != 0)
1844                goto close_fail;
1845
1846        retval = binfmt->core_dump(signr, regs, file, core_limit);
1847
1848        if (retval)
1849                current->signal->group_exit_code |= 0x80;
1850close_fail:
1851        filp_close(file, NULL);
1852fail_unlock:
1853        if (helper_argv)
1854                argv_free(helper_argv);
1855
1856        revert_creds(old_cred);
1857        put_cred(cred);
1858        coredump_finish(mm);
1859fail:
1860        return;
1861}
1862