11da177e4SLinus Torvalds /* 21da177e4SLinus Torvalds * linux/fs/exec.c 31da177e4SLinus Torvalds * 41da177e4SLinus Torvalds * Copyright (C) 1991, 1992 Linus Torvalds 51da177e4SLinus Torvalds */ 61da177e4SLinus Torvalds 71da177e4SLinus Torvalds /* 81da177e4SLinus Torvalds * #!-checking implemented by tytso. 91da177e4SLinus Torvalds */ 101da177e4SLinus Torvalds /* 111da177e4SLinus Torvalds * Demand-loading implemented 01.12.91 - no need to read anything but 121da177e4SLinus Torvalds * the header into memory. The inode of the executable is put into 131da177e4SLinus Torvalds * "current->executable", and page faults do the actual loading. Clean. 141da177e4SLinus Torvalds * 151da177e4SLinus Torvalds * Once more I can proudly say that linux stood up to being changed: it 161da177e4SLinus Torvalds * was less than 2 hours work to get demand-loading completely implemented. 171da177e4SLinus Torvalds * 181da177e4SLinus Torvalds * Demand loading changed July 1993 by Eric Youngdale. Use mmap instead, 191da177e4SLinus Torvalds * current->executable is only used by the procfs. This allows a dispatch 201da177e4SLinus Torvalds * table to check for several different types of binary formats. We keep 211da177e4SLinus Torvalds * trying until we recognize the file or we run out of supported binary 221da177e4SLinus Torvalds * formats. 231da177e4SLinus Torvalds */ 241da177e4SLinus Torvalds 251da177e4SLinus Torvalds #include <linux/slab.h> 261da177e4SLinus Torvalds #include <linux/file.h> 279f3acc31SAl Viro #include <linux/fdtable.h> 28ba92a43dSHugh Dickins #include <linux/mm.h> 291da177e4SLinus Torvalds #include <linux/stat.h> 301da177e4SLinus Torvalds #include <linux/fcntl.h> 311da177e4SLinus Torvalds #include <linux/smp_lock.h> 32ba92a43dSHugh Dickins #include <linux/swap.h> 3374aadce9SNeil Horman #include <linux/string.h> 341da177e4SLinus Torvalds #include <linux/init.h> 35ca5b172bSHugh Dickins #include <linux/pagemap.h> 36cdd6c482SIngo Molnar #include <linux/perf_event.h> 371da177e4SLinus Torvalds #include <linux/highmem.h> 381da177e4SLinus Torvalds #include <linux/spinlock.h> 391da177e4SLinus Torvalds #include <linux/key.h> 401da177e4SLinus Torvalds #include <linux/personality.h> 411da177e4SLinus Torvalds #include <linux/binfmts.h> 421da177e4SLinus Torvalds #include <linux/utsname.h> 4384d73786SSukadev Bhattiprolu #include <linux/pid_namespace.h> 441da177e4SLinus Torvalds #include <linux/module.h> 451da177e4SLinus Torvalds #include <linux/namei.h> 461da177e4SLinus Torvalds #include <linux/proc_fs.h> 471da177e4SLinus Torvalds #include <linux/mount.h> 481da177e4SLinus Torvalds #include <linux/security.h> 491da177e4SLinus Torvalds #include <linux/syscalls.h> 508f0ab514SJay Lan #include <linux/tsacct_kern.h> 519f46080cSMatt Helsley #include <linux/cn_proc.h> 52473ae30bSAl Viro #include <linux/audit.h> 536341c393SRoland McGrath #include <linux/tracehook.h> 545f4123beSJohannes Berg #include <linux/kmod.h> 556110e3abSEric Paris #include <linux/fsnotify.h> 565ad4e53bSAl Viro #include <linux/fs_struct.h> 5761be228aSNeil Horman #include <linux/pipe_fs_i.h> 581da177e4SLinus Torvalds 591da177e4SLinus Torvalds #include <asm/uaccess.h> 601da177e4SLinus Torvalds #include <asm/mmu_context.h> 61b6a2fea3SOllie Wild #include <asm/tlb.h> 62a6f76f23SDavid Howells #include "internal.h" 631da177e4SLinus Torvalds 641da177e4SLinus Torvalds int core_uses_pid; 6571ce92f3SDan Aloni char core_pattern[CORENAME_MAX_SIZE] = "core"; 66a293980cSNeil Horman unsigned int core_pipe_limit; 67d6e71144SAlan Cox int suid_dumpable = 0; 68d6e71144SAlan Cox 691da177e4SLinus Torvalds /* The maximal length of core_pattern is also specified in sysctl.c */ 701da177e4SLinus Torvalds 71e4dc1b14SAlexey Dobriyan static LIST_HEAD(formats); 721da177e4SLinus Torvalds static DEFINE_RWLOCK(binfmt_lock); 731da177e4SLinus Torvalds 7474641f58SIvan Kokshaysky int __register_binfmt(struct linux_binfmt * fmt, int insert) 751da177e4SLinus Torvalds { 761da177e4SLinus Torvalds if (!fmt) 771da177e4SLinus Torvalds return -EINVAL; 781da177e4SLinus Torvalds write_lock(&binfmt_lock); 7974641f58SIvan Kokshaysky insert ? list_add(&fmt->lh, &formats) : 8074641f58SIvan Kokshaysky list_add_tail(&fmt->lh, &formats); 811da177e4SLinus Torvalds write_unlock(&binfmt_lock); 821da177e4SLinus Torvalds return 0; 831da177e4SLinus Torvalds } 841da177e4SLinus Torvalds 8574641f58SIvan Kokshaysky EXPORT_SYMBOL(__register_binfmt); 861da177e4SLinus Torvalds 87f6b450d4SAlexey Dobriyan void unregister_binfmt(struct linux_binfmt * fmt) 881da177e4SLinus Torvalds { 891da177e4SLinus Torvalds write_lock(&binfmt_lock); 90e4dc1b14SAlexey Dobriyan list_del(&fmt->lh); 911da177e4SLinus Torvalds write_unlock(&binfmt_lock); 921da177e4SLinus Torvalds } 931da177e4SLinus Torvalds 941da177e4SLinus Torvalds EXPORT_SYMBOL(unregister_binfmt); 951da177e4SLinus Torvalds 961da177e4SLinus Torvalds static inline void put_binfmt(struct linux_binfmt * fmt) 971da177e4SLinus Torvalds { 981da177e4SLinus Torvalds module_put(fmt->module); 991da177e4SLinus Torvalds } 1001da177e4SLinus Torvalds 1011da177e4SLinus Torvalds /* 1021da177e4SLinus Torvalds * Note that a shared library must be both readable and executable due to 1031da177e4SLinus Torvalds * security reasons. 1041da177e4SLinus Torvalds * 1051da177e4SLinus Torvalds * Also note that we take the address to load from from the file itself. 1061da177e4SLinus Torvalds */ 1071e7bfb21SHeiko Carstens SYSCALL_DEFINE1(uselib, const char __user *, library) 1081da177e4SLinus Torvalds { 1091da177e4SLinus Torvalds struct file *file; 110964bd183SAl Viro char *tmp = getname(library); 111964bd183SAl Viro int error = PTR_ERR(tmp); 1121da177e4SLinus Torvalds 1136e8341a1SAl Viro if (IS_ERR(tmp)) 1141da177e4SLinus Torvalds goto out; 1151da177e4SLinus Torvalds 1166e8341a1SAl Viro file = do_filp_open(AT_FDCWD, tmp, 1176e8341a1SAl Viro O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0, 118cb23beb5SChristoph Hellwig MAY_READ | MAY_EXEC | MAY_OPEN); 1196e8341a1SAl Viro putname(tmp); 1201da177e4SLinus Torvalds error = PTR_ERR(file); 1211da177e4SLinus Torvalds if (IS_ERR(file)) 1221da177e4SLinus Torvalds goto out; 1231da177e4SLinus Torvalds 1246e8341a1SAl Viro error = -EINVAL; 1256e8341a1SAl Viro if (!S_ISREG(file->f_path.dentry->d_inode->i_mode)) 1266e8341a1SAl Viro goto exit; 1276e8341a1SAl Viro 1286e8341a1SAl Viro error = -EACCES; 1296e8341a1SAl Viro if (file->f_path.mnt->mnt_flags & MNT_NOEXEC) 1306e8341a1SAl Viro goto exit; 1316e8341a1SAl Viro 1326110e3abSEric Paris fsnotify_open(file->f_path.dentry); 1336110e3abSEric Paris 1341da177e4SLinus Torvalds error = -ENOEXEC; 1351da177e4SLinus Torvalds if(file->f_op) { 1361da177e4SLinus Torvalds struct linux_binfmt * fmt; 1371da177e4SLinus Torvalds 1381da177e4SLinus Torvalds read_lock(&binfmt_lock); 139e4dc1b14SAlexey Dobriyan list_for_each_entry(fmt, &formats, lh) { 1401da177e4SLinus Torvalds if (!fmt->load_shlib) 1411da177e4SLinus Torvalds continue; 1421da177e4SLinus Torvalds if (!try_module_get(fmt->module)) 1431da177e4SLinus Torvalds continue; 1441da177e4SLinus Torvalds read_unlock(&binfmt_lock); 1451da177e4SLinus Torvalds error = fmt->load_shlib(file); 1461da177e4SLinus Torvalds read_lock(&binfmt_lock); 1471da177e4SLinus Torvalds put_binfmt(fmt); 1481da177e4SLinus Torvalds if (error != -ENOEXEC) 1491da177e4SLinus Torvalds break; 1501da177e4SLinus Torvalds } 1511da177e4SLinus Torvalds read_unlock(&binfmt_lock); 1521da177e4SLinus Torvalds } 1536e8341a1SAl Viro exit: 1541da177e4SLinus Torvalds fput(file); 1551da177e4SLinus Torvalds out: 1561da177e4SLinus Torvalds return error; 1571da177e4SLinus Torvalds } 1581da177e4SLinus Torvalds 159b6a2fea3SOllie Wild #ifdef CONFIG_MMU 160b6a2fea3SOllie Wild 161b6a2fea3SOllie Wild static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, 162b6a2fea3SOllie Wild int write) 163b6a2fea3SOllie Wild { 164b6a2fea3SOllie Wild struct page *page; 165b6a2fea3SOllie Wild int ret; 166b6a2fea3SOllie Wild 167b6a2fea3SOllie Wild #ifdef CONFIG_STACK_GROWSUP 168b6a2fea3SOllie Wild if (write) { 169b6a2fea3SOllie Wild ret = expand_stack_downwards(bprm->vma, pos); 170b6a2fea3SOllie Wild if (ret < 0) 171b6a2fea3SOllie Wild return NULL; 172b6a2fea3SOllie Wild } 173b6a2fea3SOllie Wild #endif 174b6a2fea3SOllie Wild ret = get_user_pages(current, bprm->mm, pos, 175b6a2fea3SOllie Wild 1, write, 1, &page, NULL); 176b6a2fea3SOllie Wild if (ret <= 0) 177b6a2fea3SOllie Wild return NULL; 178b6a2fea3SOllie Wild 179b6a2fea3SOllie Wild if (write) { 180b6a2fea3SOllie Wild unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start; 181a64e715fSLinus Torvalds struct rlimit *rlim; 182a64e715fSLinus Torvalds 183a64e715fSLinus Torvalds /* 184a64e715fSLinus Torvalds * We've historically supported up to 32 pages (ARG_MAX) 185a64e715fSLinus Torvalds * of argument strings even with small stacks 186a64e715fSLinus Torvalds */ 187a64e715fSLinus Torvalds if (size <= ARG_MAX) 188a64e715fSLinus Torvalds return page; 189b6a2fea3SOllie Wild 190b6a2fea3SOllie Wild /* 191b6a2fea3SOllie Wild * Limit to 1/4-th the stack size for the argv+env strings. 192b6a2fea3SOllie Wild * This ensures that: 193b6a2fea3SOllie Wild * - the remaining binfmt code will not run out of stack space, 194b6a2fea3SOllie Wild * - the program will have a reasonable amount of stack left 195b6a2fea3SOllie Wild * to work from. 196b6a2fea3SOllie Wild */ 197a64e715fSLinus Torvalds rlim = current->signal->rlim; 198b6a2fea3SOllie Wild if (size > rlim[RLIMIT_STACK].rlim_cur / 4) { 199b6a2fea3SOllie Wild put_page(page); 200b6a2fea3SOllie Wild return NULL; 201b6a2fea3SOllie Wild } 202b6a2fea3SOllie Wild } 203b6a2fea3SOllie Wild 204b6a2fea3SOllie Wild return page; 205b6a2fea3SOllie Wild } 206b6a2fea3SOllie Wild 207b6a2fea3SOllie Wild static void put_arg_page(struct page *page) 208b6a2fea3SOllie Wild { 209b6a2fea3SOllie Wild put_page(page); 210b6a2fea3SOllie Wild } 211b6a2fea3SOllie Wild 212b6a2fea3SOllie Wild static void free_arg_page(struct linux_binprm *bprm, int i) 213b6a2fea3SOllie Wild { 214b6a2fea3SOllie Wild } 215b6a2fea3SOllie Wild 216b6a2fea3SOllie Wild static void free_arg_pages(struct linux_binprm *bprm) 217b6a2fea3SOllie Wild { 218b6a2fea3SOllie Wild } 219b6a2fea3SOllie Wild 220b6a2fea3SOllie Wild static void flush_arg_page(struct linux_binprm *bprm, unsigned long pos, 221b6a2fea3SOllie Wild struct page *page) 222b6a2fea3SOllie Wild { 223b6a2fea3SOllie Wild flush_cache_page(bprm->vma, pos, page_to_pfn(page)); 224b6a2fea3SOllie Wild } 225b6a2fea3SOllie Wild 226b6a2fea3SOllie Wild static int __bprm_mm_init(struct linux_binprm *bprm) 227b6a2fea3SOllie Wild { 228eaccbfa5SLuiz Fernando N. Capitulino int err; 229b6a2fea3SOllie Wild struct vm_area_struct *vma = NULL; 230b6a2fea3SOllie Wild struct mm_struct *mm = bprm->mm; 231b6a2fea3SOllie Wild 232b6a2fea3SOllie Wild bprm->vma = vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); 233b6a2fea3SOllie Wild if (!vma) 234eaccbfa5SLuiz Fernando N. Capitulino return -ENOMEM; 235b6a2fea3SOllie Wild 236b6a2fea3SOllie Wild down_write(&mm->mmap_sem); 237b6a2fea3SOllie Wild vma->vm_mm = mm; 238b6a2fea3SOllie Wild 239b6a2fea3SOllie Wild /* 240b6a2fea3SOllie Wild * Place the stack at the largest stack address the architecture 241b6a2fea3SOllie Wild * supports. Later, we'll move this to an appropriate place. We don't 242b6a2fea3SOllie Wild * use STACK_TOP because that can depend on attributes which aren't 243b6a2fea3SOllie Wild * configured yet. 244b6a2fea3SOllie Wild */ 245b6a2fea3SOllie Wild vma->vm_end = STACK_TOP_MAX; 246b6a2fea3SOllie Wild vma->vm_start = vma->vm_end - PAGE_SIZE; 247b6a2fea3SOllie Wild vma->vm_flags = VM_STACK_FLAGS; 2483ed75eb8SColy Li vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); 249b6a2fea3SOllie Wild err = insert_vm_struct(mm, vma); 250eaccbfa5SLuiz Fernando N. Capitulino if (err) 251b6a2fea3SOllie Wild goto err; 252b6a2fea3SOllie Wild 253b6a2fea3SOllie Wild mm->stack_vm = mm->total_vm = 1; 254b6a2fea3SOllie Wild up_write(&mm->mmap_sem); 255b6a2fea3SOllie Wild bprm->p = vma->vm_end - sizeof(void *); 256b6a2fea3SOllie Wild return 0; 257b6a2fea3SOllie Wild err: 258eaccbfa5SLuiz Fernando N. Capitulino up_write(&mm->mmap_sem); 259b6a2fea3SOllie Wild bprm->vma = NULL; 260b6a2fea3SOllie Wild kmem_cache_free(vm_area_cachep, vma); 261b6a2fea3SOllie Wild return err; 262b6a2fea3SOllie Wild } 263b6a2fea3SOllie Wild 264b6a2fea3SOllie Wild static bool valid_arg_len(struct linux_binprm *bprm, long len) 265b6a2fea3SOllie Wild { 266b6a2fea3SOllie Wild return len <= MAX_ARG_STRLEN; 267b6a2fea3SOllie Wild } 268b6a2fea3SOllie Wild 269b6a2fea3SOllie Wild #else 270b6a2fea3SOllie Wild 271b6a2fea3SOllie Wild static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, 272b6a2fea3SOllie Wild int write) 273b6a2fea3SOllie Wild { 274b6a2fea3SOllie Wild struct page *page; 275b6a2fea3SOllie Wild 276b6a2fea3SOllie Wild page = bprm->page[pos / PAGE_SIZE]; 277b6a2fea3SOllie Wild if (!page && write) { 278b6a2fea3SOllie Wild page = alloc_page(GFP_HIGHUSER|__GFP_ZERO); 279b6a2fea3SOllie Wild if (!page) 280b6a2fea3SOllie Wild return NULL; 281b6a2fea3SOllie Wild bprm->page[pos / PAGE_SIZE] = page; 282b6a2fea3SOllie Wild } 283b6a2fea3SOllie Wild 284b6a2fea3SOllie Wild return page; 285b6a2fea3SOllie Wild } 286b6a2fea3SOllie Wild 287b6a2fea3SOllie Wild static void put_arg_page(struct page *page) 288b6a2fea3SOllie Wild { 289b6a2fea3SOllie Wild } 290b6a2fea3SOllie Wild 291b6a2fea3SOllie Wild static void free_arg_page(struct linux_binprm *bprm, int i) 292b6a2fea3SOllie Wild { 293b6a2fea3SOllie Wild if (bprm->page[i]) { 294b6a2fea3SOllie Wild __free_page(bprm->page[i]); 295b6a2fea3SOllie Wild bprm->page[i] = NULL; 296b6a2fea3SOllie Wild } 297b6a2fea3SOllie Wild } 298b6a2fea3SOllie Wild 299b6a2fea3SOllie Wild static void free_arg_pages(struct linux_binprm *bprm) 300b6a2fea3SOllie Wild { 301b6a2fea3SOllie Wild int i; 302b6a2fea3SOllie Wild 303b6a2fea3SOllie Wild for (i = 0; i < MAX_ARG_PAGES; i++) 304b6a2fea3SOllie Wild free_arg_page(bprm, i); 305b6a2fea3SOllie Wild } 306b6a2fea3SOllie Wild 307b6a2fea3SOllie Wild static void flush_arg_page(struct linux_binprm *bprm, unsigned long pos, 308b6a2fea3SOllie Wild struct page *page) 309b6a2fea3SOllie Wild { 310b6a2fea3SOllie Wild } 311b6a2fea3SOllie Wild 312b6a2fea3SOllie Wild static int __bprm_mm_init(struct linux_binprm *bprm) 313b6a2fea3SOllie Wild { 314b6a2fea3SOllie Wild bprm->p = PAGE_SIZE * MAX_ARG_PAGES - sizeof(void *); 315b6a2fea3SOllie Wild return 0; 316b6a2fea3SOllie Wild } 317b6a2fea3SOllie Wild 318b6a2fea3SOllie Wild static bool valid_arg_len(struct linux_binprm *bprm, long len) 319b6a2fea3SOllie Wild { 320b6a2fea3SOllie Wild return len <= bprm->p; 321b6a2fea3SOllie Wild } 322b6a2fea3SOllie Wild 323b6a2fea3SOllie Wild #endif /* CONFIG_MMU */ 324b6a2fea3SOllie Wild 325b6a2fea3SOllie Wild /* 326b6a2fea3SOllie Wild * Create a new mm_struct and populate it with a temporary stack 327b6a2fea3SOllie Wild * vm_area_struct. We don't have enough context at this point to set the stack 328b6a2fea3SOllie Wild * flags, permissions, and offset, so we use temporary values. We'll update 329b6a2fea3SOllie Wild * them later in setup_arg_pages(). 330b6a2fea3SOllie Wild */ 331b6a2fea3SOllie Wild int bprm_mm_init(struct linux_binprm *bprm) 332b6a2fea3SOllie Wild { 333b6a2fea3SOllie Wild int err; 334b6a2fea3SOllie Wild struct mm_struct *mm = NULL; 335b6a2fea3SOllie Wild 336b6a2fea3SOllie Wild bprm->mm = mm = mm_alloc(); 337b6a2fea3SOllie Wild err = -ENOMEM; 338b6a2fea3SOllie Wild if (!mm) 339b6a2fea3SOllie Wild goto err; 340b6a2fea3SOllie Wild 341b6a2fea3SOllie Wild err = init_new_context(current, mm); 342b6a2fea3SOllie Wild if (err) 343b6a2fea3SOllie Wild goto err; 344b6a2fea3SOllie Wild 345b6a2fea3SOllie Wild err = __bprm_mm_init(bprm); 346b6a2fea3SOllie Wild if (err) 347b6a2fea3SOllie Wild goto err; 348b6a2fea3SOllie Wild 349b6a2fea3SOllie Wild return 0; 350b6a2fea3SOllie Wild 351b6a2fea3SOllie Wild err: 352b6a2fea3SOllie Wild if (mm) { 353b6a2fea3SOllie Wild bprm->mm = NULL; 354b6a2fea3SOllie Wild mmdrop(mm); 355b6a2fea3SOllie Wild } 356b6a2fea3SOllie Wild 357b6a2fea3SOllie Wild return err; 358b6a2fea3SOllie Wild } 359b6a2fea3SOllie Wild 3601da177e4SLinus Torvalds /* 3611da177e4SLinus Torvalds * count() counts the number of strings in array ARGV. 3621da177e4SLinus Torvalds */ 3631da177e4SLinus Torvalds static int count(char __user * __user * argv, int max) 3641da177e4SLinus Torvalds { 3651da177e4SLinus Torvalds int i = 0; 3661da177e4SLinus Torvalds 3671da177e4SLinus Torvalds if (argv != NULL) { 3681da177e4SLinus Torvalds for (;;) { 3691da177e4SLinus Torvalds char __user * p; 3701da177e4SLinus Torvalds 3711da177e4SLinus Torvalds if (get_user(p, argv)) 3721da177e4SLinus Torvalds return -EFAULT; 3731da177e4SLinus Torvalds if (!p) 3741da177e4SLinus Torvalds break; 3751da177e4SLinus Torvalds argv++; 376362e6663SJason Baron if (i++ >= max) 3771da177e4SLinus Torvalds return -E2BIG; 3781da177e4SLinus Torvalds cond_resched(); 3791da177e4SLinus Torvalds } 3801da177e4SLinus Torvalds } 3811da177e4SLinus Torvalds return i; 3821da177e4SLinus Torvalds } 3831da177e4SLinus Torvalds 3841da177e4SLinus Torvalds /* 385b6a2fea3SOllie Wild * 'copy_strings()' copies argument/environment strings from the old 386b6a2fea3SOllie Wild * processes's memory to the new process's stack. The call to get_user_pages() 387b6a2fea3SOllie Wild * ensures the destination page is created and not swapped out. 3881da177e4SLinus Torvalds */ 38975c96f85SAdrian Bunk static int copy_strings(int argc, char __user * __user * argv, 39075c96f85SAdrian Bunk struct linux_binprm *bprm) 3911da177e4SLinus Torvalds { 3921da177e4SLinus Torvalds struct page *kmapped_page = NULL; 3931da177e4SLinus Torvalds char *kaddr = NULL; 394b6a2fea3SOllie Wild unsigned long kpos = 0; 3951da177e4SLinus Torvalds int ret; 3961da177e4SLinus Torvalds 3971da177e4SLinus Torvalds while (argc-- > 0) { 3981da177e4SLinus Torvalds char __user *str; 3991da177e4SLinus Torvalds int len; 4001da177e4SLinus Torvalds unsigned long pos; 4011da177e4SLinus Torvalds 4021da177e4SLinus Torvalds if (get_user(str, argv+argc) || 403b6a2fea3SOllie Wild !(len = strnlen_user(str, MAX_ARG_STRLEN))) { 4041da177e4SLinus Torvalds ret = -EFAULT; 4051da177e4SLinus Torvalds goto out; 4061da177e4SLinus Torvalds } 4071da177e4SLinus Torvalds 408b6a2fea3SOllie Wild if (!valid_arg_len(bprm, len)) { 4091da177e4SLinus Torvalds ret = -E2BIG; 4101da177e4SLinus Torvalds goto out; 4111da177e4SLinus Torvalds } 4121da177e4SLinus Torvalds 413b6a2fea3SOllie Wild /* We're going to work our way backwords. */ 4141da177e4SLinus Torvalds pos = bprm->p; 415b6a2fea3SOllie Wild str += len; 416b6a2fea3SOllie Wild bprm->p -= len; 4171da177e4SLinus Torvalds 4181da177e4SLinus Torvalds while (len > 0) { 4191da177e4SLinus Torvalds int offset, bytes_to_copy; 4201da177e4SLinus Torvalds 4211da177e4SLinus Torvalds offset = pos % PAGE_SIZE; 422b6a2fea3SOllie Wild if (offset == 0) 423b6a2fea3SOllie Wild offset = PAGE_SIZE; 424b6a2fea3SOllie Wild 425b6a2fea3SOllie Wild bytes_to_copy = offset; 426b6a2fea3SOllie Wild if (bytes_to_copy > len) 427b6a2fea3SOllie Wild bytes_to_copy = len; 428b6a2fea3SOllie Wild 429b6a2fea3SOllie Wild offset -= bytes_to_copy; 430b6a2fea3SOllie Wild pos -= bytes_to_copy; 431b6a2fea3SOllie Wild str -= bytes_to_copy; 432b6a2fea3SOllie Wild len -= bytes_to_copy; 433b6a2fea3SOllie Wild 434b6a2fea3SOllie Wild if (!kmapped_page || kpos != (pos & PAGE_MASK)) { 435b6a2fea3SOllie Wild struct page *page; 436b6a2fea3SOllie Wild 437b6a2fea3SOllie Wild page = get_arg_page(bprm, pos, 1); 4381da177e4SLinus Torvalds if (!page) { 439b6a2fea3SOllie Wild ret = -E2BIG; 4401da177e4SLinus Torvalds goto out; 4411da177e4SLinus Torvalds } 4421da177e4SLinus Torvalds 443b6a2fea3SOllie Wild if (kmapped_page) { 444b6a2fea3SOllie Wild flush_kernel_dcache_page(kmapped_page); 4451da177e4SLinus Torvalds kunmap(kmapped_page); 446b6a2fea3SOllie Wild put_arg_page(kmapped_page); 447b6a2fea3SOllie Wild } 4481da177e4SLinus Torvalds kmapped_page = page; 4491da177e4SLinus Torvalds kaddr = kmap(kmapped_page); 450b6a2fea3SOllie Wild kpos = pos & PAGE_MASK; 451b6a2fea3SOllie Wild flush_arg_page(bprm, kpos, kmapped_page); 4521da177e4SLinus Torvalds } 453b6a2fea3SOllie Wild if (copy_from_user(kaddr+offset, str, bytes_to_copy)) { 4541da177e4SLinus Torvalds ret = -EFAULT; 4551da177e4SLinus Torvalds goto out; 4561da177e4SLinus Torvalds } 4571da177e4SLinus Torvalds } 4581da177e4SLinus Torvalds } 4591da177e4SLinus Torvalds ret = 0; 4601da177e4SLinus Torvalds out: 461b6a2fea3SOllie Wild if (kmapped_page) { 462b6a2fea3SOllie Wild flush_kernel_dcache_page(kmapped_page); 4631da177e4SLinus Torvalds kunmap(kmapped_page); 464b6a2fea3SOllie Wild put_arg_page(kmapped_page); 465b6a2fea3SOllie Wild } 4661da177e4SLinus Torvalds return ret; 4671da177e4SLinus Torvalds } 4681da177e4SLinus Torvalds 4691da177e4SLinus Torvalds /* 4701da177e4SLinus Torvalds * Like copy_strings, but get argv and its values from kernel memory. 4711da177e4SLinus Torvalds */ 4721da177e4SLinus Torvalds int copy_strings_kernel(int argc,char ** argv, struct linux_binprm *bprm) 4731da177e4SLinus Torvalds { 4741da177e4SLinus Torvalds int r; 4751da177e4SLinus Torvalds mm_segment_t oldfs = get_fs(); 4761da177e4SLinus Torvalds set_fs(KERNEL_DS); 4771da177e4SLinus Torvalds r = copy_strings(argc, (char __user * __user *)argv, bprm); 4781da177e4SLinus Torvalds set_fs(oldfs); 4791da177e4SLinus Torvalds return r; 4801da177e4SLinus Torvalds } 4811da177e4SLinus Torvalds EXPORT_SYMBOL(copy_strings_kernel); 4821da177e4SLinus Torvalds 4831da177e4SLinus Torvalds #ifdef CONFIG_MMU 484b6a2fea3SOllie Wild 4851da177e4SLinus Torvalds /* 486b6a2fea3SOllie Wild * During bprm_mm_init(), we create a temporary stack at STACK_TOP_MAX. Once 487b6a2fea3SOllie Wild * the binfmt code determines where the new stack should reside, we shift it to 488b6a2fea3SOllie Wild * its final location. The process proceeds as follows: 4891da177e4SLinus Torvalds * 490b6a2fea3SOllie Wild * 1) Use shift to calculate the new vma endpoints. 491b6a2fea3SOllie Wild * 2) Extend vma to cover both the old and new ranges. This ensures the 492b6a2fea3SOllie Wild * arguments passed to subsequent functions are consistent. 493b6a2fea3SOllie Wild * 3) Move vma's page tables to the new range. 494b6a2fea3SOllie Wild * 4) Free up any cleared pgd range. 495b6a2fea3SOllie Wild * 5) Shrink the vma to cover only the new range. 4961da177e4SLinus Torvalds */ 497b6a2fea3SOllie Wild static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) 4981da177e4SLinus Torvalds { 4991da177e4SLinus Torvalds struct mm_struct *mm = vma->vm_mm; 500b6a2fea3SOllie Wild unsigned long old_start = vma->vm_start; 501b6a2fea3SOllie Wild unsigned long old_end = vma->vm_end; 502b6a2fea3SOllie Wild unsigned long length = old_end - old_start; 503b6a2fea3SOllie Wild unsigned long new_start = old_start - shift; 504b6a2fea3SOllie Wild unsigned long new_end = old_end - shift; 505b6a2fea3SOllie Wild struct mmu_gather *tlb; 5061da177e4SLinus Torvalds 507b6a2fea3SOllie Wild BUG_ON(new_start > new_end); 5081da177e4SLinus Torvalds 509b6a2fea3SOllie Wild /* 510b6a2fea3SOllie Wild * ensure there are no vmas between where we want to go 511b6a2fea3SOllie Wild * and where we are 5121da177e4SLinus Torvalds */ 513b6a2fea3SOllie Wild if (vma != find_vma(mm, new_start)) 514b6a2fea3SOllie Wild return -EFAULT; 5151da177e4SLinus Torvalds 516b6a2fea3SOllie Wild /* 517b6a2fea3SOllie Wild * cover the whole range: [new_start, old_end) 518b6a2fea3SOllie Wild */ 519b6a2fea3SOllie Wild vma_adjust(vma, new_start, old_end, vma->vm_pgoff, NULL); 5201da177e4SLinus Torvalds 521b6a2fea3SOllie Wild /* 522b6a2fea3SOllie Wild * move the page tables downwards, on failure we rely on 523b6a2fea3SOllie Wild * process cleanup to remove whatever mess we made. 524b6a2fea3SOllie Wild */ 525b6a2fea3SOllie Wild if (length != move_page_tables(vma, old_start, 526b6a2fea3SOllie Wild vma, new_start, length)) 5271da177e4SLinus Torvalds return -ENOMEM; 5281da177e4SLinus Torvalds 529b6a2fea3SOllie Wild lru_add_drain(); 530b6a2fea3SOllie Wild tlb = tlb_gather_mmu(mm, 0); 531b6a2fea3SOllie Wild if (new_end > old_start) { 532b6a2fea3SOllie Wild /* 533b6a2fea3SOllie Wild * when the old and new regions overlap clear from new_end. 534b6a2fea3SOllie Wild */ 53542b77728SJan Beulich free_pgd_range(tlb, new_end, old_end, new_end, 536b6a2fea3SOllie Wild vma->vm_next ? vma->vm_next->vm_start : 0); 537b6a2fea3SOllie Wild } else { 538b6a2fea3SOllie Wild /* 539b6a2fea3SOllie Wild * otherwise, clean from old_start; this is done to not touch 540b6a2fea3SOllie Wild * the address space in [new_end, old_start) some architectures 541b6a2fea3SOllie Wild * have constraints on va-space that make this illegal (IA64) - 542b6a2fea3SOllie Wild * for the others its just a little faster. 543b6a2fea3SOllie Wild */ 54442b77728SJan Beulich free_pgd_range(tlb, old_start, old_end, new_end, 545b6a2fea3SOllie Wild vma->vm_next ? vma->vm_next->vm_start : 0); 5461da177e4SLinus Torvalds } 547b6a2fea3SOllie Wild tlb_finish_mmu(tlb, new_end, old_end); 5481da177e4SLinus Torvalds 549b6a2fea3SOllie Wild /* 550b6a2fea3SOllie Wild * shrink the vma to just the new range. 551b6a2fea3SOllie Wild */ 552b6a2fea3SOllie Wild vma_adjust(vma, new_start, new_end, vma->vm_pgoff, NULL); 5531da177e4SLinus Torvalds 5541da177e4SLinus Torvalds return 0; 5551da177e4SLinus Torvalds } 5561da177e4SLinus Torvalds 557b6a2fea3SOllie Wild #define EXTRA_STACK_VM_PAGES 20 /* random */ 5581da177e4SLinus Torvalds 559b6a2fea3SOllie Wild /* 560b6a2fea3SOllie Wild * Finalizes the stack vm_area_struct. The flags and permissions are updated, 561b6a2fea3SOllie Wild * the stack is optionally relocated, and some extra space is added. 562b6a2fea3SOllie Wild */ 563b6a2fea3SOllie Wild int setup_arg_pages(struct linux_binprm *bprm, 564b6a2fea3SOllie Wild unsigned long stack_top, 565b6a2fea3SOllie Wild int executable_stack) 5661da177e4SLinus Torvalds { 567b6a2fea3SOllie Wild unsigned long ret; 568b6a2fea3SOllie Wild unsigned long stack_shift; 569b6a2fea3SOllie Wild struct mm_struct *mm = current->mm; 570b6a2fea3SOllie Wild struct vm_area_struct *vma = bprm->vma; 571b6a2fea3SOllie Wild struct vm_area_struct *prev = NULL; 572b6a2fea3SOllie Wild unsigned long vm_flags; 573b6a2fea3SOllie Wild unsigned long stack_base; 574*803bf5ecSMichael Neuling unsigned long stack_size; 575*803bf5ecSMichael Neuling unsigned long stack_expand; 576*803bf5ecSMichael Neuling unsigned long rlim_stack; 5771da177e4SLinus Torvalds 578b6a2fea3SOllie Wild #ifdef CONFIG_STACK_GROWSUP 579b6a2fea3SOllie Wild /* Limit stack size to 1GB */ 580b6a2fea3SOllie Wild stack_base = current->signal->rlim[RLIMIT_STACK].rlim_max; 581b6a2fea3SOllie Wild if (stack_base > (1 << 30)) 582b6a2fea3SOllie Wild stack_base = 1 << 30; 583b6a2fea3SOllie Wild 584b6a2fea3SOllie Wild /* Make sure we didn't let the argument array grow too large. */ 585b6a2fea3SOllie Wild if (vma->vm_end - vma->vm_start > stack_base) 586b6a2fea3SOllie Wild return -ENOMEM; 587b6a2fea3SOllie Wild 588b6a2fea3SOllie Wild stack_base = PAGE_ALIGN(stack_top - stack_base); 589b6a2fea3SOllie Wild 590b6a2fea3SOllie Wild stack_shift = vma->vm_start - stack_base; 591b6a2fea3SOllie Wild mm->arg_start = bprm->p - stack_shift; 592b6a2fea3SOllie Wild bprm->p = vma->vm_end - stack_shift; 593b6a2fea3SOllie Wild #else 594b6a2fea3SOllie Wild stack_top = arch_align_stack(stack_top); 595b6a2fea3SOllie Wild stack_top = PAGE_ALIGN(stack_top); 596b6a2fea3SOllie Wild stack_shift = vma->vm_end - stack_top; 597b6a2fea3SOllie Wild 598b6a2fea3SOllie Wild bprm->p -= stack_shift; 599b6a2fea3SOllie Wild mm->arg_start = bprm->p; 600b6a2fea3SOllie Wild #endif 601b6a2fea3SOllie Wild 602b6a2fea3SOllie Wild if (bprm->loader) 603b6a2fea3SOllie Wild bprm->loader -= stack_shift; 604b6a2fea3SOllie Wild bprm->exec -= stack_shift; 605b6a2fea3SOllie Wild 606b6a2fea3SOllie Wild down_write(&mm->mmap_sem); 60796a8e13eSHugh Dickins vm_flags = VM_STACK_FLAGS; 608b6a2fea3SOllie Wild 609b6a2fea3SOllie Wild /* 610b6a2fea3SOllie Wild * Adjust stack execute permissions; explicitly enable for 611b6a2fea3SOllie Wild * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone 612b6a2fea3SOllie Wild * (arch default) otherwise. 613b6a2fea3SOllie Wild */ 614b6a2fea3SOllie Wild if (unlikely(executable_stack == EXSTACK_ENABLE_X)) 615b6a2fea3SOllie Wild vm_flags |= VM_EXEC; 616b6a2fea3SOllie Wild else if (executable_stack == EXSTACK_DISABLE_X) 617b6a2fea3SOllie Wild vm_flags &= ~VM_EXEC; 618b6a2fea3SOllie Wild vm_flags |= mm->def_flags; 619b6a2fea3SOllie Wild 620b6a2fea3SOllie Wild ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end, 621b6a2fea3SOllie Wild vm_flags); 622b6a2fea3SOllie Wild if (ret) 623b6a2fea3SOllie Wild goto out_unlock; 624b6a2fea3SOllie Wild BUG_ON(prev != vma); 625b6a2fea3SOllie Wild 626b6a2fea3SOllie Wild /* Move stack pages down in memory. */ 627b6a2fea3SOllie Wild if (stack_shift) { 628b6a2fea3SOllie Wild ret = shift_arg_pages(vma, stack_shift); 629fc63cf23SAnton Blanchard if (ret) 630fc63cf23SAnton Blanchard goto out_unlock; 6311da177e4SLinus Torvalds } 6321da177e4SLinus Torvalds 633*803bf5ecSMichael Neuling stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE; 634*803bf5ecSMichael Neuling stack_size = vma->vm_end - vma->vm_start; 635*803bf5ecSMichael Neuling /* 636*803bf5ecSMichael Neuling * Align this down to a page boundary as expand_stack 637*803bf5ecSMichael Neuling * will align it up. 638*803bf5ecSMichael Neuling */ 639*803bf5ecSMichael Neuling rlim_stack = rlimit(RLIMIT_STACK) & PAGE_MASK; 640*803bf5ecSMichael Neuling rlim_stack = min(rlim_stack, stack_size); 641b6a2fea3SOllie Wild #ifdef CONFIG_STACK_GROWSUP 642*803bf5ecSMichael Neuling if (stack_size + stack_expand > rlim_stack) 643*803bf5ecSMichael Neuling stack_base = vma->vm_start + rlim_stack; 644*803bf5ecSMichael Neuling else 645*803bf5ecSMichael Neuling stack_base = vma->vm_end + stack_expand; 646b6a2fea3SOllie Wild #else 647*803bf5ecSMichael Neuling if (stack_size + stack_expand > rlim_stack) 648*803bf5ecSMichael Neuling stack_base = vma->vm_end - rlim_stack; 649*803bf5ecSMichael Neuling else 650*803bf5ecSMichael Neuling stack_base = vma->vm_start - stack_expand; 651b6a2fea3SOllie Wild #endif 652b6a2fea3SOllie Wild ret = expand_stack(vma, stack_base); 653b6a2fea3SOllie Wild if (ret) 654b6a2fea3SOllie Wild ret = -EFAULT; 655b6a2fea3SOllie Wild 656b6a2fea3SOllie Wild out_unlock: 657b6a2fea3SOllie Wild up_write(&mm->mmap_sem); 658fc63cf23SAnton Blanchard return ret; 659b6a2fea3SOllie Wild } 660b6a2fea3SOllie Wild EXPORT_SYMBOL(setup_arg_pages); 661b6a2fea3SOllie Wild 6621da177e4SLinus Torvalds #endif /* CONFIG_MMU */ 6631da177e4SLinus Torvalds 6641da177e4SLinus Torvalds struct file *open_exec(const char *name) 6651da177e4SLinus Torvalds { 6661da177e4SLinus Torvalds struct file *file; 667e56b6a5dSChristoph Hellwig int err; 6681da177e4SLinus Torvalds 6696e8341a1SAl Viro file = do_filp_open(AT_FDCWD, name, 6706e8341a1SAl Viro O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0, 6716e8341a1SAl Viro MAY_EXEC | MAY_OPEN); 6726e8341a1SAl Viro if (IS_ERR(file)) 673e56b6a5dSChristoph Hellwig goto out; 6741da177e4SLinus Torvalds 675e56b6a5dSChristoph Hellwig err = -EACCES; 6766e8341a1SAl Viro if (!S_ISREG(file->f_path.dentry->d_inode->i_mode)) 6776e8341a1SAl Viro goto exit; 678e56b6a5dSChristoph Hellwig 6796e8341a1SAl Viro if (file->f_path.mnt->mnt_flags & MNT_NOEXEC) 6806e8341a1SAl Viro goto exit; 681e56b6a5dSChristoph Hellwig 6826110e3abSEric Paris fsnotify_open(file->f_path.dentry); 6836110e3abSEric Paris 6841da177e4SLinus Torvalds err = deny_write_access(file); 6856e8341a1SAl Viro if (err) 6866e8341a1SAl Viro goto exit; 6871da177e4SLinus Torvalds 6886e8341a1SAl Viro out: 689e56b6a5dSChristoph Hellwig return file; 690e56b6a5dSChristoph Hellwig 6916e8341a1SAl Viro exit: 6926e8341a1SAl Viro fput(file); 693e56b6a5dSChristoph Hellwig return ERR_PTR(err); 694e56b6a5dSChristoph Hellwig } 6951da177e4SLinus Torvalds EXPORT_SYMBOL(open_exec); 6961da177e4SLinus Torvalds 6976777d773SMimi Zohar int kernel_read(struct file *file, loff_t offset, 6981da177e4SLinus Torvalds char *addr, unsigned long count) 6991da177e4SLinus Torvalds { 7001da177e4SLinus Torvalds mm_segment_t old_fs; 7011da177e4SLinus Torvalds loff_t pos = offset; 7021da177e4SLinus Torvalds int result; 7031da177e4SLinus Torvalds 7041da177e4SLinus Torvalds old_fs = get_fs(); 7051da177e4SLinus Torvalds set_fs(get_ds()); 7061da177e4SLinus Torvalds /* The cast to a user pointer is valid due to the set_fs() */ 7071da177e4SLinus Torvalds result = vfs_read(file, (void __user *)addr, count, &pos); 7081da177e4SLinus Torvalds set_fs(old_fs); 7091da177e4SLinus Torvalds return result; 7101da177e4SLinus Torvalds } 7111da177e4SLinus Torvalds 7121da177e4SLinus Torvalds EXPORT_SYMBOL(kernel_read); 7131da177e4SLinus Torvalds 7141da177e4SLinus Torvalds static int exec_mmap(struct mm_struct *mm) 7151da177e4SLinus Torvalds { 7161da177e4SLinus Torvalds struct task_struct *tsk; 7171da177e4SLinus Torvalds struct mm_struct * old_mm, *active_mm; 7181da177e4SLinus Torvalds 7191da177e4SLinus Torvalds /* Notify parent that we're no longer interested in the old VM */ 7201da177e4SLinus Torvalds tsk = current; 7211da177e4SLinus Torvalds old_mm = current->mm; 7221da177e4SLinus Torvalds mm_release(tsk, old_mm); 7231da177e4SLinus Torvalds 7241da177e4SLinus Torvalds if (old_mm) { 7251da177e4SLinus Torvalds /* 7261da177e4SLinus Torvalds * Make sure that if there is a core dump in progress 7271da177e4SLinus Torvalds * for the old mm, we get out and die instead of going 7281da177e4SLinus Torvalds * through with the exec. We must hold mmap_sem around 729999d9fc1SOleg Nesterov * checking core_state and changing tsk->mm. 7301da177e4SLinus Torvalds */ 7311da177e4SLinus Torvalds down_read(&old_mm->mmap_sem); 732999d9fc1SOleg Nesterov if (unlikely(old_mm->core_state)) { 7331da177e4SLinus Torvalds up_read(&old_mm->mmap_sem); 7341da177e4SLinus Torvalds return -EINTR; 7351da177e4SLinus Torvalds } 7361da177e4SLinus Torvalds } 7371da177e4SLinus Torvalds task_lock(tsk); 7381da177e4SLinus Torvalds active_mm = tsk->active_mm; 7391da177e4SLinus Torvalds tsk->mm = mm; 7401da177e4SLinus Torvalds tsk->active_mm = mm; 7411da177e4SLinus Torvalds activate_mm(active_mm, mm); 7421da177e4SLinus Torvalds task_unlock(tsk); 7431da177e4SLinus Torvalds arch_pick_mmap_layout(mm); 7441da177e4SLinus Torvalds if (old_mm) { 7451da177e4SLinus Torvalds up_read(&old_mm->mmap_sem); 7467dddb12cSEric Sesterhenn BUG_ON(active_mm != old_mm); 74731a78f23SBalbir Singh mm_update_next_owner(old_mm); 7481da177e4SLinus Torvalds mmput(old_mm); 7491da177e4SLinus Torvalds return 0; 7501da177e4SLinus Torvalds } 7511da177e4SLinus Torvalds mmdrop(active_mm); 7521da177e4SLinus Torvalds return 0; 7531da177e4SLinus Torvalds } 7541da177e4SLinus Torvalds 7551da177e4SLinus Torvalds /* 7561da177e4SLinus Torvalds * This function makes sure the current process has its own signal table, 7571da177e4SLinus Torvalds * so that flush_signal_handlers can later reset the handlers without 7581da177e4SLinus Torvalds * disturbing other processes. (Other processes might share the signal 7591da177e4SLinus Torvalds * table via the CLONE_SIGHAND option to clone().) 7601da177e4SLinus Torvalds */ 761858119e1SArjan van de Ven static int de_thread(struct task_struct *tsk) 7621da177e4SLinus Torvalds { 7631da177e4SLinus Torvalds struct signal_struct *sig = tsk->signal; 764b2c903b8SOleg Nesterov struct sighand_struct *oldsighand = tsk->sighand; 7651da177e4SLinus Torvalds spinlock_t *lock = &oldsighand->siglock; 7661da177e4SLinus Torvalds int count; 7671da177e4SLinus Torvalds 768aafe6c2aSEric W. Biederman if (thread_group_empty(tsk)) 7691da177e4SLinus Torvalds goto no_thread_group; 7701da177e4SLinus Torvalds 7711da177e4SLinus Torvalds /* 7721da177e4SLinus Torvalds * Kill all other threads in the thread group. 7731da177e4SLinus Torvalds */ 7741da177e4SLinus Torvalds spin_lock_irq(lock); 775ed5d2cacSOleg Nesterov if (signal_group_exit(sig)) { 7761da177e4SLinus Torvalds /* 7771da177e4SLinus Torvalds * Another group action in progress, just 7781da177e4SLinus Torvalds * return so that the signal is processed. 7791da177e4SLinus Torvalds */ 7801da177e4SLinus Torvalds spin_unlock_irq(lock); 7811da177e4SLinus Torvalds return -EAGAIN; 7821da177e4SLinus Torvalds } 783ed5d2cacSOleg Nesterov sig->group_exit_task = tsk; 784aafe6c2aSEric W. Biederman zap_other_threads(tsk); 7851da177e4SLinus Torvalds 786fea9d175SOleg Nesterov /* Account for the thread group leader hanging around: */ 787fea9d175SOleg Nesterov count = thread_group_leader(tsk) ? 1 : 2; 7881da177e4SLinus Torvalds sig->notify_count = count; 7896db840faSOleg Nesterov while (atomic_read(&sig->count) > count) { 7901da177e4SLinus Torvalds __set_current_state(TASK_UNINTERRUPTIBLE); 7911da177e4SLinus Torvalds spin_unlock_irq(lock); 7921da177e4SLinus Torvalds schedule(); 7931da177e4SLinus Torvalds spin_lock_irq(lock); 7941da177e4SLinus Torvalds } 7951da177e4SLinus Torvalds spin_unlock_irq(lock); 7961da177e4SLinus Torvalds 7971da177e4SLinus Torvalds /* 7981da177e4SLinus Torvalds * At this point all other threads have exited, all we have to 7991da177e4SLinus Torvalds * do is to wait for the thread group leader to become inactive, 8001da177e4SLinus Torvalds * and to assume its PID: 8011da177e4SLinus Torvalds */ 802aafe6c2aSEric W. Biederman if (!thread_group_leader(tsk)) { 8038187926bSOleg Nesterov struct task_struct *leader = tsk->group_leader; 8046db840faSOleg Nesterov 8052800d8d1SOleg Nesterov sig->notify_count = -1; /* for exit_notify() */ 8066db840faSOleg Nesterov for (;;) { 8076db840faSOleg Nesterov write_lock_irq(&tasklist_lock); 8086db840faSOleg Nesterov if (likely(leader->exit_state)) 8096db840faSOleg Nesterov break; 8106db840faSOleg Nesterov __set_current_state(TASK_UNINTERRUPTIBLE); 8116db840faSOleg Nesterov write_unlock_irq(&tasklist_lock); 8126db840faSOleg Nesterov schedule(); 8136db840faSOleg Nesterov } 8141da177e4SLinus Torvalds 815f5e90281SRoland McGrath /* 816f5e90281SRoland McGrath * The only record we have of the real-time age of a 817f5e90281SRoland McGrath * process, regardless of execs it's done, is start_time. 818f5e90281SRoland McGrath * All the past CPU time is accumulated in signal_struct 819f5e90281SRoland McGrath * from sister threads now dead. But in this non-leader 820f5e90281SRoland McGrath * exec, nothing survives from the original leader thread, 821f5e90281SRoland McGrath * whose birth marks the true age of this process now. 822f5e90281SRoland McGrath * When we take on its identity by switching to its PID, we 823f5e90281SRoland McGrath * also take its birthdate (always earlier than our own). 824f5e90281SRoland McGrath */ 825aafe6c2aSEric W. Biederman tsk->start_time = leader->start_time; 826f5e90281SRoland McGrath 827bac0abd6SPavel Emelyanov BUG_ON(!same_thread_group(leader, tsk)); 828bac0abd6SPavel Emelyanov BUG_ON(has_group_leader_pid(tsk)); 8291da177e4SLinus Torvalds /* 8301da177e4SLinus Torvalds * An exec() starts a new thread group with the 8311da177e4SLinus Torvalds * TGID of the previous thread group. Rehash the 8321da177e4SLinus Torvalds * two threads with a switched PID, and release 8331da177e4SLinus Torvalds * the former thread group leader: 8341da177e4SLinus Torvalds */ 835d73d6529SEric W. Biederman 836d73d6529SEric W. Biederman /* Become a process group leader with the old leader's pid. 837c18258c6SEric W. Biederman * The old leader becomes a thread of the this thread group. 838d73d6529SEric W. Biederman * Note: The old leader also uses this pid until release_task 839d73d6529SEric W. Biederman * is called. Odd but simple and correct. 840d73d6529SEric W. Biederman */ 841aafe6c2aSEric W. Biederman detach_pid(tsk, PIDTYPE_PID); 842aafe6c2aSEric W. Biederman tsk->pid = leader->pid; 8433743ca05SSukadev Bhattiprolu attach_pid(tsk, PIDTYPE_PID, task_pid(leader)); 844aafe6c2aSEric W. Biederman transfer_pid(leader, tsk, PIDTYPE_PGID); 845aafe6c2aSEric W. Biederman transfer_pid(leader, tsk, PIDTYPE_SID); 8469cd80bbbSOleg Nesterov 847aafe6c2aSEric W. Biederman list_replace_rcu(&leader->tasks, &tsk->tasks); 8489cd80bbbSOleg Nesterov list_replace_init(&leader->sibling, &tsk->sibling); 8491da177e4SLinus Torvalds 850aafe6c2aSEric W. Biederman tsk->group_leader = tsk; 851aafe6c2aSEric W. Biederman leader->group_leader = tsk; 852de12a787SEric W. Biederman 853aafe6c2aSEric W. Biederman tsk->exit_signal = SIGCHLD; 854962b564cSOleg Nesterov 855962b564cSOleg Nesterov BUG_ON(leader->exit_state != EXIT_ZOMBIE); 856962b564cSOleg Nesterov leader->exit_state = EXIT_DEAD; 8571da177e4SLinus Torvalds write_unlock_irq(&tasklist_lock); 8588187926bSOleg Nesterov 8598187926bSOleg Nesterov release_task(leader); 8601da177e4SLinus Torvalds } 8611da177e4SLinus Torvalds 8626db840faSOleg Nesterov sig->group_exit_task = NULL; 8636db840faSOleg Nesterov sig->notify_count = 0; 8641da177e4SLinus Torvalds 8651da177e4SLinus Torvalds no_thread_group: 8661f10206cSJiri Pirko if (current->mm) 8671f10206cSJiri Pirko setmax_mm_hiwater_rss(&sig->maxrss, current->mm); 8681f10206cSJiri Pirko 8691da177e4SLinus Torvalds exit_itimers(sig); 870cbaffba1SOleg Nesterov flush_itimer_signals(); 871329f7dbaSOleg Nesterov 872b2c903b8SOleg Nesterov if (atomic_read(&oldsighand->count) != 1) { 873b2c903b8SOleg Nesterov struct sighand_struct *newsighand; 8741da177e4SLinus Torvalds /* 875b2c903b8SOleg Nesterov * This ->sighand is shared with the CLONE_SIGHAND 876b2c903b8SOleg Nesterov * but not CLONE_THREAD task, switch to the new one. 8771da177e4SLinus Torvalds */ 878b2c903b8SOleg Nesterov newsighand = kmem_cache_alloc(sighand_cachep, GFP_KERNEL); 879b2c903b8SOleg Nesterov if (!newsighand) 880b2c903b8SOleg Nesterov return -ENOMEM; 881b2c903b8SOleg Nesterov 8821da177e4SLinus Torvalds atomic_set(&newsighand->count, 1); 8831da177e4SLinus Torvalds memcpy(newsighand->action, oldsighand->action, 8841da177e4SLinus Torvalds sizeof(newsighand->action)); 8851da177e4SLinus Torvalds 8861da177e4SLinus Torvalds write_lock_irq(&tasklist_lock); 8871da177e4SLinus Torvalds spin_lock(&oldsighand->siglock); 888aafe6c2aSEric W. Biederman rcu_assign_pointer(tsk->sighand, newsighand); 8891da177e4SLinus Torvalds spin_unlock(&oldsighand->siglock); 8901da177e4SLinus Torvalds write_unlock_irq(&tasklist_lock); 8911da177e4SLinus Torvalds 892fba2afaaSDavide Libenzi __cleanup_sighand(oldsighand); 8931da177e4SLinus Torvalds } 8941da177e4SLinus Torvalds 895aafe6c2aSEric W. Biederman BUG_ON(!thread_group_leader(tsk)); 8961da177e4SLinus Torvalds return 0; 8971da177e4SLinus Torvalds } 8981da177e4SLinus Torvalds 8991da177e4SLinus Torvalds /* 9001da177e4SLinus Torvalds * These functions flushes out all traces of the currently running executable 9011da177e4SLinus Torvalds * so that a new one can be started 9021da177e4SLinus Torvalds */ 903858119e1SArjan van de Ven static void flush_old_files(struct files_struct * files) 9041da177e4SLinus Torvalds { 9051da177e4SLinus Torvalds long j = -1; 906badf1662SDipankar Sarma struct fdtable *fdt; 9071da177e4SLinus Torvalds 9081da177e4SLinus Torvalds spin_lock(&files->file_lock); 9091da177e4SLinus Torvalds for (;;) { 9101da177e4SLinus Torvalds unsigned long set, i; 9111da177e4SLinus Torvalds 9121da177e4SLinus Torvalds j++; 9131da177e4SLinus Torvalds i = j * __NFDBITS; 914badf1662SDipankar Sarma fdt = files_fdtable(files); 915bbea9f69SVadim Lobanov if (i >= fdt->max_fds) 9161da177e4SLinus Torvalds break; 917badf1662SDipankar Sarma set = fdt->close_on_exec->fds_bits[j]; 9181da177e4SLinus Torvalds if (!set) 9191da177e4SLinus Torvalds continue; 920badf1662SDipankar Sarma fdt->close_on_exec->fds_bits[j] = 0; 9211da177e4SLinus Torvalds spin_unlock(&files->file_lock); 9221da177e4SLinus Torvalds for ( ; set ; i++,set >>= 1) { 9231da177e4SLinus Torvalds if (set & 1) { 9241da177e4SLinus Torvalds sys_close(i); 9251da177e4SLinus Torvalds } 9261da177e4SLinus Torvalds } 9271da177e4SLinus Torvalds spin_lock(&files->file_lock); 9281da177e4SLinus Torvalds 9291da177e4SLinus Torvalds } 9301da177e4SLinus Torvalds spin_unlock(&files->file_lock); 9311da177e4SLinus Torvalds } 9321da177e4SLinus Torvalds 93359714d65SAndrew Morton char *get_task_comm(char *buf, struct task_struct *tsk) 9341da177e4SLinus Torvalds { 9351da177e4SLinus Torvalds /* buf must be at least sizeof(tsk->comm) in size */ 9361da177e4SLinus Torvalds task_lock(tsk); 9371da177e4SLinus Torvalds strncpy(buf, tsk->comm, sizeof(tsk->comm)); 9381da177e4SLinus Torvalds task_unlock(tsk); 93959714d65SAndrew Morton return buf; 9401da177e4SLinus Torvalds } 9411da177e4SLinus Torvalds 9421da177e4SLinus Torvalds void set_task_comm(struct task_struct *tsk, char *buf) 9431da177e4SLinus Torvalds { 9441da177e4SLinus Torvalds task_lock(tsk); 9454614a696Sjohn stultz 9464614a696Sjohn stultz /* 9474614a696Sjohn stultz * Threads may access current->comm without holding 9484614a696Sjohn stultz * the task lock, so write the string carefully. 9494614a696Sjohn stultz * Readers without a lock may see incomplete new 9504614a696Sjohn stultz * names but are safe from non-terminating string reads. 9514614a696Sjohn stultz */ 9524614a696Sjohn stultz memset(tsk->comm, 0, TASK_COMM_LEN); 9534614a696Sjohn stultz wmb(); 9541da177e4SLinus Torvalds strlcpy(tsk->comm, buf, sizeof(tsk->comm)); 9551da177e4SLinus Torvalds task_unlock(tsk); 956cdd6c482SIngo Molnar perf_event_comm(tsk); 9571da177e4SLinus Torvalds } 9581da177e4SLinus Torvalds 9591da177e4SLinus Torvalds int flush_old_exec(struct linux_binprm * bprm) 9601da177e4SLinus Torvalds { 961221af7f8SLinus Torvalds int retval; 9621da177e4SLinus Torvalds 9631da177e4SLinus Torvalds /* 9641da177e4SLinus Torvalds * Make sure we have a private signal table and that 9651da177e4SLinus Torvalds * we are unassociated from the previous thread group. 9661da177e4SLinus Torvalds */ 9671da177e4SLinus Torvalds retval = de_thread(current); 9681da177e4SLinus Torvalds if (retval) 9691da177e4SLinus Torvalds goto out; 9701da177e4SLinus Torvalds 971925d1c40SMatt Helsley set_mm_exe_file(bprm->mm, bprm->file); 972925d1c40SMatt Helsley 9731da177e4SLinus Torvalds /* 9741da177e4SLinus Torvalds * Release all of the old mmap stuff 9751da177e4SLinus Torvalds */ 9761da177e4SLinus Torvalds retval = exec_mmap(bprm->mm); 9771da177e4SLinus Torvalds if (retval) 978fd8328beSAl Viro goto out; 9791da177e4SLinus Torvalds 9801da177e4SLinus Torvalds bprm->mm = NULL; /* We're using it now */ 9817ab02af4SLinus Torvalds 9827ab02af4SLinus Torvalds current->flags &= ~PF_RANDOMIZE; 9837ab02af4SLinus Torvalds flush_thread(); 9847ab02af4SLinus Torvalds current->personality &= ~bprm->per_clear; 9857ab02af4SLinus Torvalds 986221af7f8SLinus Torvalds return 0; 987221af7f8SLinus Torvalds 988221af7f8SLinus Torvalds out: 989221af7f8SLinus Torvalds return retval; 990221af7f8SLinus Torvalds } 991221af7f8SLinus Torvalds EXPORT_SYMBOL(flush_old_exec); 992221af7f8SLinus Torvalds 993221af7f8SLinus Torvalds void setup_new_exec(struct linux_binprm * bprm) 994221af7f8SLinus Torvalds { 995221af7f8SLinus Torvalds int i, ch; 996221af7f8SLinus Torvalds char * name; 997221af7f8SLinus Torvalds char tcomm[sizeof(current->comm)]; 998221af7f8SLinus Torvalds 999221af7f8SLinus Torvalds arch_pick_mmap_layout(current->mm); 10001da177e4SLinus Torvalds 10011da177e4SLinus Torvalds /* This is the point of no return */ 10021da177e4SLinus Torvalds current->sas_ss_sp = current->sas_ss_size = 0; 10031da177e4SLinus Torvalds 1004da9592edSDavid Howells if (current_euid() == current_uid() && current_egid() == current_gid()) 10056c5d5238SKawai, Hidehiro set_dumpable(current->mm, 1); 1006d6e71144SAlan Cox else 10076c5d5238SKawai, Hidehiro set_dumpable(current->mm, suid_dumpable); 1008d6e71144SAlan Cox 10091da177e4SLinus Torvalds name = bprm->filename; 101036772092SPaolo 'Blaisorblade' Giarrusso 101136772092SPaolo 'Blaisorblade' Giarrusso /* Copies the binary name from after last slash */ 10121da177e4SLinus Torvalds for (i=0; (ch = *(name++)) != '\0';) { 10131da177e4SLinus Torvalds if (ch == '/') 101436772092SPaolo 'Blaisorblade' Giarrusso i = 0; /* overwrite what we wrote */ 10151da177e4SLinus Torvalds else 10161da177e4SLinus Torvalds if (i < (sizeof(tcomm) - 1)) 10171da177e4SLinus Torvalds tcomm[i++] = ch; 10181da177e4SLinus Torvalds } 10191da177e4SLinus Torvalds tcomm[i] = '\0'; 10201da177e4SLinus Torvalds set_task_comm(current, tcomm); 10211da177e4SLinus Torvalds 10220551fbd2SBenjamin Herrenschmidt /* Set the new mm task size. We have to do that late because it may 10230551fbd2SBenjamin Herrenschmidt * depend on TIF_32BIT which is only updated in flush_thread() on 10240551fbd2SBenjamin Herrenschmidt * some architectures like powerpc 10250551fbd2SBenjamin Herrenschmidt */ 10260551fbd2SBenjamin Herrenschmidt current->mm->task_size = TASK_SIZE; 10270551fbd2SBenjamin Herrenschmidt 1028a6f76f23SDavid Howells /* install the new credentials */ 1029a6f76f23SDavid Howells if (bprm->cred->uid != current_euid() || 1030a6f76f23SDavid Howells bprm->cred->gid != current_egid()) { 1031d2d56c5fSMarcel Holtmann current->pdeath_signal = 0; 1032d2d56c5fSMarcel Holtmann } else if (file_permission(bprm->file, MAY_READ) || 1033a6f76f23SDavid Howells bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP) { 10346c5d5238SKawai, Hidehiro set_dumpable(current->mm, suid_dumpable); 10351da177e4SLinus Torvalds } 10361da177e4SLinus Torvalds 1037f65cb45cSIngo Molnar /* 1038f65cb45cSIngo Molnar * Flush performance counters when crossing a 1039f65cb45cSIngo Molnar * security domain: 1040f65cb45cSIngo Molnar */ 1041f65cb45cSIngo Molnar if (!get_dumpable(current->mm)) 1042cdd6c482SIngo Molnar perf_event_exit_task(current); 1043f65cb45cSIngo Molnar 10441da177e4SLinus Torvalds /* An exec changes our domain. We are no longer part of the thread 10451da177e4SLinus Torvalds group */ 10461da177e4SLinus Torvalds 10471da177e4SLinus Torvalds current->self_exec_id++; 10481da177e4SLinus Torvalds 10491da177e4SLinus Torvalds flush_signal_handlers(current, 0); 10501da177e4SLinus Torvalds flush_old_files(current->files); 10511da177e4SLinus Torvalds } 1052221af7f8SLinus Torvalds EXPORT_SYMBOL(setup_new_exec); 10531da177e4SLinus Torvalds 10541da177e4SLinus Torvalds /* 1055a2a8474cSOleg Nesterov * Prepare credentials and lock ->cred_guard_mutex. 1056a2a8474cSOleg Nesterov * install_exec_creds() commits the new creds and drops the lock. 1057a2a8474cSOleg Nesterov * Or, if exec fails before, free_bprm() should release ->cred and 1058a2a8474cSOleg Nesterov * and unlock. 1059a2a8474cSOleg Nesterov */ 1060a2a8474cSOleg Nesterov int prepare_bprm_creds(struct linux_binprm *bprm) 1061a2a8474cSOleg Nesterov { 1062a2a8474cSOleg Nesterov if (mutex_lock_interruptible(¤t->cred_guard_mutex)) 1063a2a8474cSOleg Nesterov return -ERESTARTNOINTR; 1064a2a8474cSOleg Nesterov 1065a2a8474cSOleg Nesterov bprm->cred = prepare_exec_creds(); 1066a2a8474cSOleg Nesterov if (likely(bprm->cred)) 1067a2a8474cSOleg Nesterov return 0; 1068a2a8474cSOleg Nesterov 1069a2a8474cSOleg Nesterov mutex_unlock(¤t->cred_guard_mutex); 1070a2a8474cSOleg Nesterov return -ENOMEM; 1071a2a8474cSOleg Nesterov } 1072a2a8474cSOleg Nesterov 1073a2a8474cSOleg Nesterov void free_bprm(struct linux_binprm *bprm) 1074a2a8474cSOleg Nesterov { 1075a2a8474cSOleg Nesterov free_arg_pages(bprm); 1076a2a8474cSOleg Nesterov if (bprm->cred) { 1077a2a8474cSOleg Nesterov mutex_unlock(¤t->cred_guard_mutex); 1078a2a8474cSOleg Nesterov abort_creds(bprm->cred); 1079a2a8474cSOleg Nesterov } 1080a2a8474cSOleg Nesterov kfree(bprm); 1081a2a8474cSOleg Nesterov } 1082a2a8474cSOleg Nesterov 1083a2a8474cSOleg Nesterov /* 1084a6f76f23SDavid Howells * install the new credentials for this executable 1085a6f76f23SDavid Howells */ 1086a6f76f23SDavid Howells void install_exec_creds(struct linux_binprm *bprm) 1087a6f76f23SDavid Howells { 1088a6f76f23SDavid Howells security_bprm_committing_creds(bprm); 1089a6f76f23SDavid Howells 1090a6f76f23SDavid Howells commit_creds(bprm->cred); 1091a6f76f23SDavid Howells bprm->cred = NULL; 1092a2a8474cSOleg Nesterov /* 1093a2a8474cSOleg Nesterov * cred_guard_mutex must be held at least to this point to prevent 1094a6f76f23SDavid Howells * ptrace_attach() from altering our determination of the task's 1095a2a8474cSOleg Nesterov * credentials; any time after this it may be unlocked. 1096a2a8474cSOleg Nesterov */ 1097a6f76f23SDavid Howells security_bprm_committed_creds(bprm); 1098a2a8474cSOleg Nesterov mutex_unlock(¤t->cred_guard_mutex); 1099a6f76f23SDavid Howells } 1100a6f76f23SDavid Howells EXPORT_SYMBOL(install_exec_creds); 1101a6f76f23SDavid Howells 1102a6f76f23SDavid Howells /* 1103a6f76f23SDavid Howells * determine how safe it is to execute the proposed program 11045e751e99SDavid Howells * - the caller must hold current->cred_guard_mutex to protect against 1105a6f76f23SDavid Howells * PTRACE_ATTACH 1106a6f76f23SDavid Howells */ 1107498052bbSAl Viro int check_unsafe_exec(struct linux_binprm *bprm) 1108a6f76f23SDavid Howells { 11090bf2f3aeSDavid Howells struct task_struct *p = current, *t; 1110f1191b50SAl Viro unsigned n_fs; 1111498052bbSAl Viro int res = 0; 1112a6f76f23SDavid Howells 1113a6f76f23SDavid Howells bprm->unsafe = tracehook_unsafe_exec(p); 1114a6f76f23SDavid Howells 11150bf2f3aeSDavid Howells n_fs = 1; 1116498052bbSAl Viro write_lock(&p->fs->lock); 1117437f7fdbSOleg Nesterov rcu_read_lock(); 11180bf2f3aeSDavid Howells for (t = next_thread(p); t != p; t = next_thread(t)) { 11190bf2f3aeSDavid Howells if (t->fs == p->fs) 11200bf2f3aeSDavid Howells n_fs++; 11210bf2f3aeSDavid Howells } 1122437f7fdbSOleg Nesterov rcu_read_unlock(); 11230bf2f3aeSDavid Howells 1124f1191b50SAl Viro if (p->fs->users > n_fs) { 1125a6f76f23SDavid Howells bprm->unsafe |= LSM_UNSAFE_SHARE; 1126498052bbSAl Viro } else { 1127498052bbSAl Viro res = -EAGAIN; 11288c652f96SOleg Nesterov if (!p->fs->in_exec) { 1129498052bbSAl Viro p->fs->in_exec = 1; 11308c652f96SOleg Nesterov res = 1; 11318c652f96SOleg Nesterov } 1132498052bbSAl Viro } 1133498052bbSAl Viro write_unlock(&p->fs->lock); 1134498052bbSAl Viro 1135498052bbSAl Viro return res; 1136a6f76f23SDavid Howells } 1137a6f76f23SDavid Howells 1138a6f76f23SDavid Howells /* 11391da177e4SLinus Torvalds * Fill the binprm structure from the inode. 11401da177e4SLinus Torvalds * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes 1141a6f76f23SDavid Howells * 1142a6f76f23SDavid Howells * This may be called multiple times for binary chains (scripts for example). 11431da177e4SLinus Torvalds */ 11441da177e4SLinus Torvalds int prepare_binprm(struct linux_binprm *bprm) 11451da177e4SLinus Torvalds { 1146a6f76f23SDavid Howells umode_t mode; 11470f7fc9e4SJosef "Jeff" Sipek struct inode * inode = bprm->file->f_path.dentry->d_inode; 11481da177e4SLinus Torvalds int retval; 11491da177e4SLinus Torvalds 11501da177e4SLinus Torvalds mode = inode->i_mode; 11511da177e4SLinus Torvalds if (bprm->file->f_op == NULL) 11521da177e4SLinus Torvalds return -EACCES; 11531da177e4SLinus Torvalds 1154a6f76f23SDavid Howells /* clear any previous set[ug]id data from a previous binary */ 1155a6f76f23SDavid Howells bprm->cred->euid = current_euid(); 1156a6f76f23SDavid Howells bprm->cred->egid = current_egid(); 11571da177e4SLinus Torvalds 11580f7fc9e4SJosef "Jeff" Sipek if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) { 11591da177e4SLinus Torvalds /* Set-uid? */ 11601da177e4SLinus Torvalds if (mode & S_ISUID) { 1161a6f76f23SDavid Howells bprm->per_clear |= PER_CLEAR_ON_SETID; 1162a6f76f23SDavid Howells bprm->cred->euid = inode->i_uid; 11631da177e4SLinus Torvalds } 11641da177e4SLinus Torvalds 11651da177e4SLinus Torvalds /* Set-gid? */ 11661da177e4SLinus Torvalds /* 11671da177e4SLinus Torvalds * If setgid is set but no group execute bit then this 11681da177e4SLinus Torvalds * is a candidate for mandatory locking, not a setgid 11691da177e4SLinus Torvalds * executable. 11701da177e4SLinus Torvalds */ 11711da177e4SLinus Torvalds if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { 1172a6f76f23SDavid Howells bprm->per_clear |= PER_CLEAR_ON_SETID; 1173a6f76f23SDavid Howells bprm->cred->egid = inode->i_gid; 11741da177e4SLinus Torvalds } 11751da177e4SLinus Torvalds } 11761da177e4SLinus Torvalds 11771da177e4SLinus Torvalds /* fill in binprm security blob */ 1178a6f76f23SDavid Howells retval = security_bprm_set_creds(bprm); 11791da177e4SLinus Torvalds if (retval) 11801da177e4SLinus Torvalds return retval; 1181a6f76f23SDavid Howells bprm->cred_prepared = 1; 11821da177e4SLinus Torvalds 11831da177e4SLinus Torvalds memset(bprm->buf, 0, BINPRM_BUF_SIZE); 11841da177e4SLinus Torvalds return kernel_read(bprm->file, 0, bprm->buf, BINPRM_BUF_SIZE); 11851da177e4SLinus Torvalds } 11861da177e4SLinus Torvalds 11871da177e4SLinus Torvalds EXPORT_SYMBOL(prepare_binprm); 11881da177e4SLinus Torvalds 11894fc75ff4SNick Piggin /* 11904fc75ff4SNick Piggin * Arguments are '\0' separated strings found at the location bprm->p 11914fc75ff4SNick Piggin * points to; chop off the first by relocating brpm->p to right after 11924fc75ff4SNick Piggin * the first '\0' encountered. 11934fc75ff4SNick Piggin */ 1194b6a2fea3SOllie Wild int remove_arg_zero(struct linux_binprm *bprm) 11951da177e4SLinus Torvalds { 1196b6a2fea3SOllie Wild int ret = 0; 11971da177e4SLinus Torvalds unsigned long offset; 11981da177e4SLinus Torvalds char *kaddr; 11991da177e4SLinus Torvalds struct page *page; 12001da177e4SLinus Torvalds 1201b6a2fea3SOllie Wild if (!bprm->argc) 1202b6a2fea3SOllie Wild return 0; 12031da177e4SLinus Torvalds 1204b6a2fea3SOllie Wild do { 1205b6a2fea3SOllie Wild offset = bprm->p & ~PAGE_MASK; 1206b6a2fea3SOllie Wild page = get_arg_page(bprm, bprm->p, 0); 1207b6a2fea3SOllie Wild if (!page) { 1208b6a2fea3SOllie Wild ret = -EFAULT; 1209b6a2fea3SOllie Wild goto out; 1210b6a2fea3SOllie Wild } 12111da177e4SLinus Torvalds kaddr = kmap_atomic(page, KM_USER0); 12124fc75ff4SNick Piggin 1213b6a2fea3SOllie Wild for (; offset < PAGE_SIZE && kaddr[offset]; 1214b6a2fea3SOllie Wild offset++, bprm->p++) 1215b6a2fea3SOllie Wild ; 12164fc75ff4SNick Piggin 12171da177e4SLinus Torvalds kunmap_atomic(kaddr, KM_USER0); 1218b6a2fea3SOllie Wild put_arg_page(page); 12194fc75ff4SNick Piggin 1220b6a2fea3SOllie Wild if (offset == PAGE_SIZE) 1221b6a2fea3SOllie Wild free_arg_page(bprm, (bprm->p >> PAGE_SHIFT) - 1); 1222b6a2fea3SOllie Wild } while (offset == PAGE_SIZE); 12234fc75ff4SNick Piggin 1224b6a2fea3SOllie Wild bprm->p++; 12251da177e4SLinus Torvalds bprm->argc--; 1226b6a2fea3SOllie Wild ret = 0; 1227b6a2fea3SOllie Wild 1228b6a2fea3SOllie Wild out: 1229b6a2fea3SOllie Wild return ret; 12301da177e4SLinus Torvalds } 12311da177e4SLinus Torvalds EXPORT_SYMBOL(remove_arg_zero); 12321da177e4SLinus Torvalds 12331da177e4SLinus Torvalds /* 12341da177e4SLinus Torvalds * cycle the list of binary formats handler, until one recognizes the image 12351da177e4SLinus Torvalds */ 12361da177e4SLinus Torvalds int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) 12371da177e4SLinus Torvalds { 123885f33466SRoland McGrath unsigned int depth = bprm->recursion_depth; 12391da177e4SLinus Torvalds int try,retval; 12401da177e4SLinus Torvalds struct linux_binfmt *fmt; 12411da177e4SLinus Torvalds 12421da177e4SLinus Torvalds retval = security_bprm_check(bprm); 12431da177e4SLinus Torvalds if (retval) 12441da177e4SLinus Torvalds return retval; 12451da177e4SLinus Torvalds 12461da177e4SLinus Torvalds /* kernel module loader fixup */ 12471da177e4SLinus Torvalds /* so we don't try to load run modprobe in kernel space. */ 12481da177e4SLinus Torvalds set_fs(USER_DS); 1249473ae30bSAl Viro 1250473ae30bSAl Viro retval = audit_bprm(bprm); 1251473ae30bSAl Viro if (retval) 1252473ae30bSAl Viro return retval; 1253473ae30bSAl Viro 12541da177e4SLinus Torvalds retval = -ENOENT; 12551da177e4SLinus Torvalds for (try=0; try<2; try++) { 12561da177e4SLinus Torvalds read_lock(&binfmt_lock); 1257e4dc1b14SAlexey Dobriyan list_for_each_entry(fmt, &formats, lh) { 12581da177e4SLinus Torvalds int (*fn)(struct linux_binprm *, struct pt_regs *) = fmt->load_binary; 12591da177e4SLinus Torvalds if (!fn) 12601da177e4SLinus Torvalds continue; 12611da177e4SLinus Torvalds if (!try_module_get(fmt->module)) 12621da177e4SLinus Torvalds continue; 12631da177e4SLinus Torvalds read_unlock(&binfmt_lock); 12641da177e4SLinus Torvalds retval = fn(bprm, regs); 126585f33466SRoland McGrath /* 126685f33466SRoland McGrath * Restore the depth counter to its starting value 126785f33466SRoland McGrath * in this call, so we don't have to rely on every 126885f33466SRoland McGrath * load_binary function to restore it on return. 126985f33466SRoland McGrath */ 127085f33466SRoland McGrath bprm->recursion_depth = depth; 12711da177e4SLinus Torvalds if (retval >= 0) { 127285f33466SRoland McGrath if (depth == 0) 12736341c393SRoland McGrath tracehook_report_exec(fmt, bprm, regs); 12741da177e4SLinus Torvalds put_binfmt(fmt); 12751da177e4SLinus Torvalds allow_write_access(bprm->file); 12761da177e4SLinus Torvalds if (bprm->file) 12771da177e4SLinus Torvalds fput(bprm->file); 12781da177e4SLinus Torvalds bprm->file = NULL; 12791da177e4SLinus Torvalds current->did_exec = 1; 12809f46080cSMatt Helsley proc_exec_connector(current); 12811da177e4SLinus Torvalds return retval; 12821da177e4SLinus Torvalds } 12831da177e4SLinus Torvalds read_lock(&binfmt_lock); 12841da177e4SLinus Torvalds put_binfmt(fmt); 12851da177e4SLinus Torvalds if (retval != -ENOEXEC || bprm->mm == NULL) 12861da177e4SLinus Torvalds break; 12871da177e4SLinus Torvalds if (!bprm->file) { 12881da177e4SLinus Torvalds read_unlock(&binfmt_lock); 12891da177e4SLinus Torvalds return retval; 12901da177e4SLinus Torvalds } 12911da177e4SLinus Torvalds } 12921da177e4SLinus Torvalds read_unlock(&binfmt_lock); 12931da177e4SLinus Torvalds if (retval != -ENOEXEC || bprm->mm == NULL) { 12941da177e4SLinus Torvalds break; 12955f4123beSJohannes Berg #ifdef CONFIG_MODULES 12961da177e4SLinus Torvalds } else { 12971da177e4SLinus Torvalds #define printable(c) (((c)=='\t') || ((c)=='\n') || (0x20<=(c) && (c)<=0x7e)) 12981da177e4SLinus Torvalds if (printable(bprm->buf[0]) && 12991da177e4SLinus Torvalds printable(bprm->buf[1]) && 13001da177e4SLinus Torvalds printable(bprm->buf[2]) && 13011da177e4SLinus Torvalds printable(bprm->buf[3])) 13021da177e4SLinus Torvalds break; /* -ENOEXEC */ 13031da177e4SLinus Torvalds request_module("binfmt-%04x", *(unsigned short *)(&bprm->buf[2])); 13041da177e4SLinus Torvalds #endif 13051da177e4SLinus Torvalds } 13061da177e4SLinus Torvalds } 13071da177e4SLinus Torvalds return retval; 13081da177e4SLinus Torvalds } 13091da177e4SLinus Torvalds 13101da177e4SLinus Torvalds EXPORT_SYMBOL(search_binary_handler); 13111da177e4SLinus Torvalds 13121da177e4SLinus Torvalds /* 13131da177e4SLinus Torvalds * sys_execve() executes a new program. 13141da177e4SLinus Torvalds */ 13151da177e4SLinus Torvalds int do_execve(char * filename, 13161da177e4SLinus Torvalds char __user *__user *argv, 13171da177e4SLinus Torvalds char __user *__user *envp, 13181da177e4SLinus Torvalds struct pt_regs * regs) 13191da177e4SLinus Torvalds { 13201da177e4SLinus Torvalds struct linux_binprm *bprm; 13211da177e4SLinus Torvalds struct file *file; 13223b125388SAl Viro struct files_struct *displaced; 13238c652f96SOleg Nesterov bool clear_in_exec; 13241da177e4SLinus Torvalds int retval; 13251da177e4SLinus Torvalds 13263b125388SAl Viro retval = unshare_files(&displaced); 1327fd8328beSAl Viro if (retval) 1328fd8328beSAl Viro goto out_ret; 1329fd8328beSAl Viro 13301da177e4SLinus Torvalds retval = -ENOMEM; 133111b0b5abSOliver Neukum bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); 13321da177e4SLinus Torvalds if (!bprm) 1333fd8328beSAl Viro goto out_files; 13341da177e4SLinus Torvalds 1335a2a8474cSOleg Nesterov retval = prepare_bprm_creds(bprm); 1336a2a8474cSOleg Nesterov if (retval) 1337a6f76f23SDavid Howells goto out_free; 1338498052bbSAl Viro 1339498052bbSAl Viro retval = check_unsafe_exec(bprm); 13408c652f96SOleg Nesterov if (retval < 0) 1341a2a8474cSOleg Nesterov goto out_free; 13428c652f96SOleg Nesterov clear_in_exec = retval; 1343a2a8474cSOleg Nesterov current->in_execve = 1; 1344a6f76f23SDavid Howells 13451da177e4SLinus Torvalds file = open_exec(filename); 13461da177e4SLinus Torvalds retval = PTR_ERR(file); 13471da177e4SLinus Torvalds if (IS_ERR(file)) 1348498052bbSAl Viro goto out_unmark; 13491da177e4SLinus Torvalds 13501da177e4SLinus Torvalds sched_exec(); 13511da177e4SLinus Torvalds 13521da177e4SLinus Torvalds bprm->file = file; 13531da177e4SLinus Torvalds bprm->filename = filename; 13541da177e4SLinus Torvalds bprm->interp = filename; 1355b6a2fea3SOllie Wild 1356b6a2fea3SOllie Wild retval = bprm_mm_init(bprm); 1357b6a2fea3SOllie Wild if (retval) 13581da177e4SLinus Torvalds goto out_file; 13591da177e4SLinus Torvalds 1360b6a2fea3SOllie Wild bprm->argc = count(argv, MAX_ARG_STRINGS); 13611da177e4SLinus Torvalds if ((retval = bprm->argc) < 0) 1362a6f76f23SDavid Howells goto out; 13631da177e4SLinus Torvalds 1364b6a2fea3SOllie Wild bprm->envc = count(envp, MAX_ARG_STRINGS); 13651da177e4SLinus Torvalds if ((retval = bprm->envc) < 0) 13661da177e4SLinus Torvalds goto out; 13671da177e4SLinus Torvalds 13681da177e4SLinus Torvalds retval = prepare_binprm(bprm); 13691da177e4SLinus Torvalds if (retval < 0) 13701da177e4SLinus Torvalds goto out; 13711da177e4SLinus Torvalds 13721da177e4SLinus Torvalds retval = copy_strings_kernel(1, &bprm->filename, bprm); 13731da177e4SLinus Torvalds if (retval < 0) 13741da177e4SLinus Torvalds goto out; 13751da177e4SLinus Torvalds 13761da177e4SLinus Torvalds bprm->exec = bprm->p; 13771da177e4SLinus Torvalds retval = copy_strings(bprm->envc, envp, bprm); 13781da177e4SLinus Torvalds if (retval < 0) 13791da177e4SLinus Torvalds goto out; 13801da177e4SLinus Torvalds 13811da177e4SLinus Torvalds retval = copy_strings(bprm->argc, argv, bprm); 13821da177e4SLinus Torvalds if (retval < 0) 13831da177e4SLinus Torvalds goto out; 13841da177e4SLinus Torvalds 13857b34e428SOleg Nesterov current->flags &= ~PF_KTHREAD; 13861da177e4SLinus Torvalds retval = search_binary_handler(bprm,regs); 1387a6f76f23SDavid Howells if (retval < 0) 1388a6f76f23SDavid Howells goto out; 1389a6f76f23SDavid Howells 1390d899bf7bSStefani Seibold current->stack_start = current->mm->start_stack; 1391d899bf7bSStefani Seibold 1392a6f76f23SDavid Howells /* execve succeeded */ 1393498052bbSAl Viro current->fs->in_exec = 0; 1394f9ce1f1cSKentaro Takeda current->in_execve = 0; 13951da177e4SLinus Torvalds acct_update_integrals(current); 139608a6fac1SAl Viro free_bprm(bprm); 13973b125388SAl Viro if (displaced) 13983b125388SAl Viro put_files_struct(displaced); 13991da177e4SLinus Torvalds return retval; 14001da177e4SLinus Torvalds 14011da177e4SLinus Torvalds out: 14021da177e4SLinus Torvalds if (bprm->mm) 1403b6a2fea3SOllie Wild mmput (bprm->mm); 14041da177e4SLinus Torvalds 14051da177e4SLinus Torvalds out_file: 14061da177e4SLinus Torvalds if (bprm->file) { 14071da177e4SLinus Torvalds allow_write_access(bprm->file); 14081da177e4SLinus Torvalds fput(bprm->file); 14091da177e4SLinus Torvalds } 1410a6f76f23SDavid Howells 1411498052bbSAl Viro out_unmark: 14128c652f96SOleg Nesterov if (clear_in_exec) 1413498052bbSAl Viro current->fs->in_exec = 0; 1414f9ce1f1cSKentaro Takeda current->in_execve = 0; 1415a6f76f23SDavid Howells 1416a6f76f23SDavid Howells out_free: 141708a6fac1SAl Viro free_bprm(bprm); 14181da177e4SLinus Torvalds 1419fd8328beSAl Viro out_files: 14203b125388SAl Viro if (displaced) 14213b125388SAl Viro reset_files_struct(displaced); 14221da177e4SLinus Torvalds out_ret: 14231da177e4SLinus Torvalds return retval; 14241da177e4SLinus Torvalds } 14251da177e4SLinus Torvalds 1426964ee7dfSOleg Nesterov void set_binfmt(struct linux_binfmt *new) 14271da177e4SLinus Torvalds { 1428801460d0SHiroshi Shimamoto struct mm_struct *mm = current->mm; 14291da177e4SLinus Torvalds 1430801460d0SHiroshi Shimamoto if (mm->binfmt) 1431801460d0SHiroshi Shimamoto module_put(mm->binfmt->module); 1432801460d0SHiroshi Shimamoto 1433801460d0SHiroshi Shimamoto mm->binfmt = new; 1434964ee7dfSOleg Nesterov if (new) 1435964ee7dfSOleg Nesterov __module_get(new->module); 14361da177e4SLinus Torvalds } 14371da177e4SLinus Torvalds 14381da177e4SLinus Torvalds EXPORT_SYMBOL(set_binfmt); 14391da177e4SLinus Torvalds 14401da177e4SLinus Torvalds /* format_corename will inspect the pattern parameter, and output a 14411da177e4SLinus Torvalds * name into corename, which must have space for at least 14421da177e4SLinus Torvalds * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator. 14431da177e4SLinus Torvalds */ 14446409324bSOleg Nesterov static int format_corename(char *corename, long signr) 14451da177e4SLinus Torvalds { 144686a264abSDavid Howells const struct cred *cred = current_cred(); 1447565b9b14SOleg Nesterov const char *pat_ptr = core_pattern; 1448565b9b14SOleg Nesterov int ispipe = (*pat_ptr == '|'); 14491da177e4SLinus Torvalds char *out_ptr = corename; 14501da177e4SLinus Torvalds char *const out_end = corename + CORENAME_MAX_SIZE; 14511da177e4SLinus Torvalds int rc; 14521da177e4SLinus Torvalds int pid_in_pattern = 0; 14531da177e4SLinus Torvalds 14541da177e4SLinus Torvalds /* Repeat as long as we have more pattern to process and more output 14551da177e4SLinus Torvalds space */ 14561da177e4SLinus Torvalds while (*pat_ptr) { 14571da177e4SLinus Torvalds if (*pat_ptr != '%') { 14581da177e4SLinus Torvalds if (out_ptr == out_end) 14591da177e4SLinus Torvalds goto out; 14601da177e4SLinus Torvalds *out_ptr++ = *pat_ptr++; 14611da177e4SLinus Torvalds } else { 14621da177e4SLinus Torvalds switch (*++pat_ptr) { 14631da177e4SLinus Torvalds case 0: 14641da177e4SLinus Torvalds goto out; 14651da177e4SLinus Torvalds /* Double percent, output one percent */ 14661da177e4SLinus Torvalds case '%': 14671da177e4SLinus Torvalds if (out_ptr == out_end) 14681da177e4SLinus Torvalds goto out; 14691da177e4SLinus Torvalds *out_ptr++ = '%'; 14701da177e4SLinus Torvalds break; 14711da177e4SLinus Torvalds /* pid */ 14721da177e4SLinus Torvalds case 'p': 14731da177e4SLinus Torvalds pid_in_pattern = 1; 14741da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 1475b488893aSPavel Emelyanov "%d", task_tgid_vnr(current)); 14761da177e4SLinus Torvalds if (rc > out_end - out_ptr) 14771da177e4SLinus Torvalds goto out; 14781da177e4SLinus Torvalds out_ptr += rc; 14791da177e4SLinus Torvalds break; 14801da177e4SLinus Torvalds /* uid */ 14811da177e4SLinus Torvalds case 'u': 14821da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 148386a264abSDavid Howells "%d", cred->uid); 14841da177e4SLinus Torvalds if (rc > out_end - out_ptr) 14851da177e4SLinus Torvalds goto out; 14861da177e4SLinus Torvalds out_ptr += rc; 14871da177e4SLinus Torvalds break; 14881da177e4SLinus Torvalds /* gid */ 14891da177e4SLinus Torvalds case 'g': 14901da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 149186a264abSDavid Howells "%d", cred->gid); 14921da177e4SLinus Torvalds if (rc > out_end - out_ptr) 14931da177e4SLinus Torvalds goto out; 14941da177e4SLinus Torvalds out_ptr += rc; 14951da177e4SLinus Torvalds break; 14961da177e4SLinus Torvalds /* signal that caused the coredump */ 14971da177e4SLinus Torvalds case 's': 14981da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 14991da177e4SLinus Torvalds "%ld", signr); 15001da177e4SLinus Torvalds if (rc > out_end - out_ptr) 15011da177e4SLinus Torvalds goto out; 15021da177e4SLinus Torvalds out_ptr += rc; 15031da177e4SLinus Torvalds break; 15041da177e4SLinus Torvalds /* UNIX time of coredump */ 15051da177e4SLinus Torvalds case 't': { 15061da177e4SLinus Torvalds struct timeval tv; 15071da177e4SLinus Torvalds do_gettimeofday(&tv); 15081da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 15091da177e4SLinus Torvalds "%lu", tv.tv_sec); 15101da177e4SLinus Torvalds if (rc > out_end - out_ptr) 15111da177e4SLinus Torvalds goto out; 15121da177e4SLinus Torvalds out_ptr += rc; 15131da177e4SLinus Torvalds break; 15141da177e4SLinus Torvalds } 15151da177e4SLinus Torvalds /* hostname */ 15161da177e4SLinus Torvalds case 'h': 15171da177e4SLinus Torvalds down_read(&uts_sem); 15181da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 1519e9ff3990SSerge E. Hallyn "%s", utsname()->nodename); 15201da177e4SLinus Torvalds up_read(&uts_sem); 15211da177e4SLinus Torvalds if (rc > out_end - out_ptr) 15221da177e4SLinus Torvalds goto out; 15231da177e4SLinus Torvalds out_ptr += rc; 15241da177e4SLinus Torvalds break; 15251da177e4SLinus Torvalds /* executable */ 15261da177e4SLinus Torvalds case 'e': 15271da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 15281da177e4SLinus Torvalds "%s", current->comm); 15291da177e4SLinus Torvalds if (rc > out_end - out_ptr) 15301da177e4SLinus Torvalds goto out; 15311da177e4SLinus Torvalds out_ptr += rc; 15321da177e4SLinus Torvalds break; 153374aadce9SNeil Horman /* core limit size */ 153474aadce9SNeil Horman case 'c': 153574aadce9SNeil Horman rc = snprintf(out_ptr, out_end - out_ptr, 153674aadce9SNeil Horman "%lu", current->signal->rlim[RLIMIT_CORE].rlim_cur); 153774aadce9SNeil Horman if (rc > out_end - out_ptr) 153874aadce9SNeil Horman goto out; 153974aadce9SNeil Horman out_ptr += rc; 154074aadce9SNeil Horman break; 15411da177e4SLinus Torvalds default: 15421da177e4SLinus Torvalds break; 15431da177e4SLinus Torvalds } 15441da177e4SLinus Torvalds ++pat_ptr; 15451da177e4SLinus Torvalds } 15461da177e4SLinus Torvalds } 15471da177e4SLinus Torvalds /* Backward compatibility with core_uses_pid: 15481da177e4SLinus Torvalds * 15491da177e4SLinus Torvalds * If core_pattern does not include a %p (as is the default) 15501da177e4SLinus Torvalds * and core_uses_pid is set, then .%pid will be appended to 1551c4bbafdaSAlan Cox * the filename. Do not do this for piped commands. */ 15526409324bSOleg Nesterov if (!ispipe && !pid_in_pattern && core_uses_pid) { 15531da177e4SLinus Torvalds rc = snprintf(out_ptr, out_end - out_ptr, 1554b488893aSPavel Emelyanov ".%d", task_tgid_vnr(current)); 15551da177e4SLinus Torvalds if (rc > out_end - out_ptr) 15561da177e4SLinus Torvalds goto out; 15571da177e4SLinus Torvalds out_ptr += rc; 15581da177e4SLinus Torvalds } 15591da177e4SLinus Torvalds out: 15601da177e4SLinus Torvalds *out_ptr = 0; 1561c4bbafdaSAlan Cox return ispipe; 15621da177e4SLinus Torvalds } 15631da177e4SLinus Torvalds 15648cd9c249SOleg Nesterov static int zap_process(struct task_struct *start) 1565aceecc04SOleg Nesterov { 1566aceecc04SOleg Nesterov struct task_struct *t; 15678cd9c249SOleg Nesterov int nr = 0; 1568281de339SOleg Nesterov 1569d5f70c00SOleg Nesterov start->signal->flags = SIGNAL_GROUP_EXIT; 1570d5f70c00SOleg Nesterov start->signal->group_stop_count = 0; 1571aceecc04SOleg Nesterov 1572aceecc04SOleg Nesterov t = start; 1573aceecc04SOleg Nesterov do { 1574aceecc04SOleg Nesterov if (t != current && t->mm) { 1575281de339SOleg Nesterov sigaddset(&t->pending.signal, SIGKILL); 1576281de339SOleg Nesterov signal_wake_up(t, 1); 15778cd9c249SOleg Nesterov nr++; 1578aceecc04SOleg Nesterov } 1579e4901f92SOleg Nesterov } while_each_thread(start, t); 15808cd9c249SOleg Nesterov 15818cd9c249SOleg Nesterov return nr; 1582aceecc04SOleg Nesterov } 1583aceecc04SOleg Nesterov 1584dcf560c5SOleg Nesterov static inline int zap_threads(struct task_struct *tsk, struct mm_struct *mm, 15858cd9c249SOleg Nesterov struct core_state *core_state, int exit_code) 15861da177e4SLinus Torvalds { 15871da177e4SLinus Torvalds struct task_struct *g, *p; 15885debfa6dSOleg Nesterov unsigned long flags; 15898cd9c249SOleg Nesterov int nr = -EAGAIN; 15901da177e4SLinus Torvalds 1591dcf560c5SOleg Nesterov spin_lock_irq(&tsk->sighand->siglock); 1592ed5d2cacSOleg Nesterov if (!signal_group_exit(tsk->signal)) { 15938cd9c249SOleg Nesterov mm->core_state = core_state; 1594dcf560c5SOleg Nesterov tsk->signal->group_exit_code = exit_code; 15958cd9c249SOleg Nesterov nr = zap_process(tsk); 15961da177e4SLinus Torvalds } 1597dcf560c5SOleg Nesterov spin_unlock_irq(&tsk->sighand->siglock); 15988cd9c249SOleg Nesterov if (unlikely(nr < 0)) 15998cd9c249SOleg Nesterov return nr; 16001da177e4SLinus Torvalds 16018cd9c249SOleg Nesterov if (atomic_read(&mm->mm_users) == nr + 1) 16025debfa6dSOleg Nesterov goto done; 1603e4901f92SOleg Nesterov /* 1604e4901f92SOleg Nesterov * We should find and kill all tasks which use this mm, and we should 1605999d9fc1SOleg Nesterov * count them correctly into ->nr_threads. We don't take tasklist 1606e4901f92SOleg Nesterov * lock, but this is safe wrt: 1607e4901f92SOleg Nesterov * 1608e4901f92SOleg Nesterov * fork: 1609e4901f92SOleg Nesterov * None of sub-threads can fork after zap_process(leader). All 1610e4901f92SOleg Nesterov * processes which were created before this point should be 1611e4901f92SOleg Nesterov * visible to zap_threads() because copy_process() adds the new 1612e4901f92SOleg Nesterov * process to the tail of init_task.tasks list, and lock/unlock 1613e4901f92SOleg Nesterov * of ->siglock provides a memory barrier. 1614e4901f92SOleg Nesterov * 1615e4901f92SOleg Nesterov * do_exit: 1616e4901f92SOleg Nesterov * The caller holds mm->mmap_sem. This means that the task which 1617e4901f92SOleg Nesterov * uses this mm can't pass exit_mm(), so it can't exit or clear 1618e4901f92SOleg Nesterov * its ->mm. 1619e4901f92SOleg Nesterov * 1620e4901f92SOleg Nesterov * de_thread: 1621e4901f92SOleg Nesterov * It does list_replace_rcu(&leader->tasks, ¤t->tasks), 1622e4901f92SOleg Nesterov * we must see either old or new leader, this does not matter. 1623e4901f92SOleg Nesterov * However, it can change p->sighand, so lock_task_sighand(p) 1624e4901f92SOleg Nesterov * must be used. Since p->mm != NULL and we hold ->mmap_sem 1625e4901f92SOleg Nesterov * it can't fail. 1626e4901f92SOleg Nesterov * 1627e4901f92SOleg Nesterov * Note also that "g" can be the old leader with ->mm == NULL 1628e4901f92SOleg Nesterov * and already unhashed and thus removed from ->thread_group. 1629e4901f92SOleg Nesterov * This is OK, __unhash_process()->list_del_rcu() does not 1630e4901f92SOleg Nesterov * clear the ->next pointer, we will find the new leader via 1631e4901f92SOleg Nesterov * next_thread(). 1632e4901f92SOleg Nesterov */ 16337b1c6154SOleg Nesterov rcu_read_lock(); 1634aceecc04SOleg Nesterov for_each_process(g) { 16355debfa6dSOleg Nesterov if (g == tsk->group_leader) 16365debfa6dSOleg Nesterov continue; 163715b9f360SOleg Nesterov if (g->flags & PF_KTHREAD) 163815b9f360SOleg Nesterov continue; 1639aceecc04SOleg Nesterov p = g; 1640aceecc04SOleg Nesterov do { 1641aceecc04SOleg Nesterov if (p->mm) { 164215b9f360SOleg Nesterov if (unlikely(p->mm == mm)) { 16435debfa6dSOleg Nesterov lock_task_sighand(p, &flags); 16448cd9c249SOleg Nesterov nr += zap_process(p); 16455debfa6dSOleg Nesterov unlock_task_sighand(p, &flags); 16465debfa6dSOleg Nesterov } 1647aceecc04SOleg Nesterov break; 16481da177e4SLinus Torvalds } 1649e4901f92SOleg Nesterov } while_each_thread(g, p); 1650aceecc04SOleg Nesterov } 16517b1c6154SOleg Nesterov rcu_read_unlock(); 16525debfa6dSOleg Nesterov done: 1653c5f1cc8cSOleg Nesterov atomic_set(&core_state->nr_threads, nr); 16548cd9c249SOleg Nesterov return nr; 16551da177e4SLinus Torvalds } 16561da177e4SLinus Torvalds 16579d5b327bSOleg Nesterov static int coredump_wait(int exit_code, struct core_state *core_state) 16581da177e4SLinus Torvalds { 1659dcf560c5SOleg Nesterov struct task_struct *tsk = current; 1660dcf560c5SOleg Nesterov struct mm_struct *mm = tsk->mm; 1661dcf560c5SOleg Nesterov struct completion *vfork_done; 16622384f55fSOleg Nesterov int core_waiters; 16631da177e4SLinus Torvalds 16649d5b327bSOleg Nesterov init_completion(&core_state->startup); 1665b564daf8SOleg Nesterov core_state->dumper.task = tsk; 1666b564daf8SOleg Nesterov core_state->dumper.next = NULL; 16679d5b327bSOleg Nesterov core_waiters = zap_threads(tsk, mm, core_state, exit_code); 16681da177e4SLinus Torvalds up_write(&mm->mmap_sem); 16692384f55fSOleg Nesterov 1670dcf560c5SOleg Nesterov if (unlikely(core_waiters < 0)) 1671dcf560c5SOleg Nesterov goto fail; 1672dcf560c5SOleg Nesterov 1673dcf560c5SOleg Nesterov /* 1674dcf560c5SOleg Nesterov * Make sure nobody is waiting for us to release the VM, 1675dcf560c5SOleg Nesterov * otherwise we can deadlock when we wait on each other 1676dcf560c5SOleg Nesterov */ 1677dcf560c5SOleg Nesterov vfork_done = tsk->vfork_done; 1678dcf560c5SOleg Nesterov if (vfork_done) { 1679dcf560c5SOleg Nesterov tsk->vfork_done = NULL; 1680dcf560c5SOleg Nesterov complete(vfork_done); 1681dcf560c5SOleg Nesterov } 1682dcf560c5SOleg Nesterov 16832384f55fSOleg Nesterov if (core_waiters) 16849d5b327bSOleg Nesterov wait_for_completion(&core_state->startup); 1685dcf560c5SOleg Nesterov fail: 1686dcf560c5SOleg Nesterov return core_waiters; 16871da177e4SLinus Torvalds } 16881da177e4SLinus Torvalds 1689a94e2d40SOleg Nesterov static void coredump_finish(struct mm_struct *mm) 1690a94e2d40SOleg Nesterov { 1691a94e2d40SOleg Nesterov struct core_thread *curr, *next; 1692a94e2d40SOleg Nesterov struct task_struct *task; 1693a94e2d40SOleg Nesterov 1694a94e2d40SOleg Nesterov next = mm->core_state->dumper.next; 1695a94e2d40SOleg Nesterov while ((curr = next) != NULL) { 1696a94e2d40SOleg Nesterov next = curr->next; 1697a94e2d40SOleg Nesterov task = curr->task; 1698a94e2d40SOleg Nesterov /* 1699a94e2d40SOleg Nesterov * see exit_mm(), curr->task must not see 1700a94e2d40SOleg Nesterov * ->task == NULL before we read ->next. 1701a94e2d40SOleg Nesterov */ 1702a94e2d40SOleg Nesterov smp_mb(); 1703a94e2d40SOleg Nesterov curr->task = NULL; 1704a94e2d40SOleg Nesterov wake_up_process(task); 1705a94e2d40SOleg Nesterov } 1706a94e2d40SOleg Nesterov 1707a94e2d40SOleg Nesterov mm->core_state = NULL; 1708a94e2d40SOleg Nesterov } 1709a94e2d40SOleg Nesterov 17106c5d5238SKawai, Hidehiro /* 17116c5d5238SKawai, Hidehiro * set_dumpable converts traditional three-value dumpable to two flags and 17126c5d5238SKawai, Hidehiro * stores them into mm->flags. It modifies lower two bits of mm->flags, but 17136c5d5238SKawai, Hidehiro * these bits are not changed atomically. So get_dumpable can observe the 17146c5d5238SKawai, Hidehiro * intermediate state. To avoid doing unexpected behavior, get get_dumpable 17156c5d5238SKawai, Hidehiro * return either old dumpable or new one by paying attention to the order of 17166c5d5238SKawai, Hidehiro * modifying the bits. 17176c5d5238SKawai, Hidehiro * 17186c5d5238SKawai, Hidehiro * dumpable | mm->flags (binary) 17196c5d5238SKawai, Hidehiro * old new | initial interim final 17206c5d5238SKawai, Hidehiro * ---------+----------------------- 17216c5d5238SKawai, Hidehiro * 0 1 | 00 01 01 17226c5d5238SKawai, Hidehiro * 0 2 | 00 10(*) 11 17236c5d5238SKawai, Hidehiro * 1 0 | 01 00 00 17246c5d5238SKawai, Hidehiro * 1 2 | 01 11 11 17256c5d5238SKawai, Hidehiro * 2 0 | 11 10(*) 00 17266c5d5238SKawai, Hidehiro * 2 1 | 11 11 01 17276c5d5238SKawai, Hidehiro * 17286c5d5238SKawai, Hidehiro * (*) get_dumpable regards interim value of 10 as 11. 17296c5d5238SKawai, Hidehiro */ 17306c5d5238SKawai, Hidehiro void set_dumpable(struct mm_struct *mm, int value) 17316c5d5238SKawai, Hidehiro { 17326c5d5238SKawai, Hidehiro switch (value) { 17336c5d5238SKawai, Hidehiro case 0: 17346c5d5238SKawai, Hidehiro clear_bit(MMF_DUMPABLE, &mm->flags); 17356c5d5238SKawai, Hidehiro smp_wmb(); 17366c5d5238SKawai, Hidehiro clear_bit(MMF_DUMP_SECURELY, &mm->flags); 17376c5d5238SKawai, Hidehiro break; 17386c5d5238SKawai, Hidehiro case 1: 17396c5d5238SKawai, Hidehiro set_bit(MMF_DUMPABLE, &mm->flags); 17406c5d5238SKawai, Hidehiro smp_wmb(); 17416c5d5238SKawai, Hidehiro clear_bit(MMF_DUMP_SECURELY, &mm->flags); 17426c5d5238SKawai, Hidehiro break; 17436c5d5238SKawai, Hidehiro case 2: 17446c5d5238SKawai, Hidehiro set_bit(MMF_DUMP_SECURELY, &mm->flags); 17456c5d5238SKawai, Hidehiro smp_wmb(); 17466c5d5238SKawai, Hidehiro set_bit(MMF_DUMPABLE, &mm->flags); 17476c5d5238SKawai, Hidehiro break; 17486c5d5238SKawai, Hidehiro } 17496c5d5238SKawai, Hidehiro } 17506c5d5238SKawai, Hidehiro 17516c5d5238SKawai, Hidehiro int get_dumpable(struct mm_struct *mm) 17526c5d5238SKawai, Hidehiro { 17536c5d5238SKawai, Hidehiro int ret; 17546c5d5238SKawai, Hidehiro 17556c5d5238SKawai, Hidehiro ret = mm->flags & 0x3; 17566c5d5238SKawai, Hidehiro return (ret >= 2) ? 2 : ret; 17576c5d5238SKawai, Hidehiro } 17586c5d5238SKawai, Hidehiro 175961be228aSNeil Horman static void wait_for_dump_helpers(struct file *file) 176061be228aSNeil Horman { 176161be228aSNeil Horman struct pipe_inode_info *pipe; 176261be228aSNeil Horman 176361be228aSNeil Horman pipe = file->f_path.dentry->d_inode->i_pipe; 176461be228aSNeil Horman 176561be228aSNeil Horman pipe_lock(pipe); 176661be228aSNeil Horman pipe->readers++; 176761be228aSNeil Horman pipe->writers--; 176861be228aSNeil Horman 176961be228aSNeil Horman while ((pipe->readers > 1) && (!signal_pending(current))) { 177061be228aSNeil Horman wake_up_interruptible_sync(&pipe->wait); 177161be228aSNeil Horman kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN); 177261be228aSNeil Horman pipe_wait(pipe); 177361be228aSNeil Horman } 177461be228aSNeil Horman 177561be228aSNeil Horman pipe->readers--; 177661be228aSNeil Horman pipe->writers++; 177761be228aSNeil Horman pipe_unlock(pipe); 177861be228aSNeil Horman 177961be228aSNeil Horman } 178061be228aSNeil Horman 178161be228aSNeil Horman 17828cd3ac3aSWANG Cong void do_coredump(long signr, int exit_code, struct pt_regs *regs) 17831da177e4SLinus Torvalds { 17849d5b327bSOleg Nesterov struct core_state core_state; 17851da177e4SLinus Torvalds char corename[CORENAME_MAX_SIZE + 1]; 17861da177e4SLinus Torvalds struct mm_struct *mm = current->mm; 17871da177e4SLinus Torvalds struct linux_binfmt * binfmt; 17881da177e4SLinus Torvalds struct inode * inode; 1789d84f4f99SDavid Howells const struct cred *old_cred; 1790d84f4f99SDavid Howells struct cred *cred; 17911da177e4SLinus Torvalds int retval = 0; 1792d6e71144SAlan Cox int flag = 0; 1793d025c9dbSAndi Kleen int ispipe = 0; 179474aadce9SNeil Horman char **helper_argv = NULL; 179574aadce9SNeil Horman int helper_argc = 0; 1796a293980cSNeil Horman int dump_count = 0; 1797a293980cSNeil Horman static atomic_t core_dump_count = ATOMIC_INIT(0); 1798f6151dfeSMasami Hiramatsu struct coredump_params cprm = { 1799f6151dfeSMasami Hiramatsu .signr = signr, 1800f6151dfeSMasami Hiramatsu .regs = regs, 1801f6151dfeSMasami Hiramatsu .limit = current->signal->rlim[RLIMIT_CORE].rlim_cur, 1802f6151dfeSMasami Hiramatsu }; 18031da177e4SLinus Torvalds 18040a4ff8c2SSteve Grubb audit_core_dumps(signr); 18050a4ff8c2SSteve Grubb 1806801460d0SHiroshi Shimamoto binfmt = mm->binfmt; 18071da177e4SLinus Torvalds if (!binfmt || !binfmt->core_dump) 18081da177e4SLinus Torvalds goto fail; 1809d84f4f99SDavid Howells 1810d84f4f99SDavid Howells cred = prepare_creds(); 1811d84f4f99SDavid Howells if (!cred) { 1812d84f4f99SDavid Howells retval = -ENOMEM; 1813d84f4f99SDavid Howells goto fail; 1814d84f4f99SDavid Howells } 1815d84f4f99SDavid Howells 18161da177e4SLinus Torvalds down_write(&mm->mmap_sem); 181700ec99daSRoland McGrath /* 181800ec99daSRoland McGrath * If another thread got here first, or we are not dumpable, bail out. 181900ec99daSRoland McGrath */ 1820999d9fc1SOleg Nesterov if (mm->core_state || !get_dumpable(mm)) { 18211da177e4SLinus Torvalds up_write(&mm->mmap_sem); 1822d84f4f99SDavid Howells put_cred(cred); 18231da177e4SLinus Torvalds goto fail; 18241da177e4SLinus Torvalds } 1825d6e71144SAlan Cox 1826d6e71144SAlan Cox /* 1827d6e71144SAlan Cox * We cannot trust fsuid as being the "true" uid of the 1828d6e71144SAlan Cox * process nor do we know its entire history. We only know it 1829d6e71144SAlan Cox * was tainted so we dump it as root in mode 2. 1830d6e71144SAlan Cox */ 18316c5d5238SKawai, Hidehiro if (get_dumpable(mm) == 2) { /* Setuid core dump mode */ 1832d6e71144SAlan Cox flag = O_EXCL; /* Stop rewrite attacks */ 1833d84f4f99SDavid Howells cred->fsuid = 0; /* Dump root private */ 1834d6e71144SAlan Cox } 18351291cf41SOleg Nesterov 18369d5b327bSOleg Nesterov retval = coredump_wait(exit_code, &core_state); 1837d84f4f99SDavid Howells if (retval < 0) { 1838d84f4f99SDavid Howells put_cred(cred); 18391291cf41SOleg Nesterov goto fail; 1840d84f4f99SDavid Howells } 1841d84f4f99SDavid Howells 1842d84f4f99SDavid Howells old_cred = override_creds(cred); 18431da177e4SLinus Torvalds 18441da177e4SLinus Torvalds /* 18451da177e4SLinus Torvalds * Clear any false indication of pending signals that might 18461da177e4SLinus Torvalds * be seen by the filesystem code called to write the core file. 18471da177e4SLinus Torvalds */ 18481da177e4SLinus Torvalds clear_thread_flag(TIF_SIGPENDING); 18491da177e4SLinus Torvalds 18501da177e4SLinus Torvalds /* 18511da177e4SLinus Torvalds * lock_kernel() because format_corename() is controlled by sysctl, which 18521da177e4SLinus Torvalds * uses lock_kernel() 18531da177e4SLinus Torvalds */ 18541da177e4SLinus Torvalds lock_kernel(); 18556409324bSOleg Nesterov ispipe = format_corename(corename, signr); 18561da177e4SLinus Torvalds unlock_kernel(); 1857725eae32SNeil Horman 1858f6151dfeSMasami Hiramatsu if ((!ispipe) && (cprm.limit < binfmt->min_coredump)) 18597dc0b22eSNeil Horman goto fail_unlock; 18607dc0b22eSNeil Horman 1861c4bbafdaSAlan Cox if (ispipe) { 1862f6151dfeSMasami Hiramatsu if (cprm.limit == 0) { 1863725eae32SNeil Horman /* 1864725eae32SNeil Horman * Normally core limits are irrelevant to pipes, since 1865725eae32SNeil Horman * we're not writing to the file system, but we use 1866f6151dfeSMasami Hiramatsu * cprm.limit of 0 here as a speacial value. Any 1867725eae32SNeil Horman * non-zero limit gets set to RLIM_INFINITY below, but 1868725eae32SNeil Horman * a limit of 0 skips the dump. This is a consistent 1869725eae32SNeil Horman * way to catch recursive crashes. We can still crash 1870725eae32SNeil Horman * if the core_pattern binary sets RLIM_CORE = !0 1871725eae32SNeil Horman * but it runs as root, and can do lots of stupid things 1872725eae32SNeil Horman * Note that we use task_tgid_vnr here to grab the pid 1873725eae32SNeil Horman * of the process group leader. That way we get the 1874725eae32SNeil Horman * right pid if a thread in a multi-threaded 1875725eae32SNeil Horman * core_pattern process dies. 1876725eae32SNeil Horman */ 1877725eae32SNeil Horman printk(KERN_WARNING 1878725eae32SNeil Horman "Process %d(%s) has RLIMIT_CORE set to 0\n", 1879725eae32SNeil Horman task_tgid_vnr(current), current->comm); 1880725eae32SNeil Horman printk(KERN_WARNING "Aborting core\n"); 1881725eae32SNeil Horman goto fail_unlock; 1882725eae32SNeil Horman } 1883725eae32SNeil Horman 1884a293980cSNeil Horman dump_count = atomic_inc_return(&core_dump_count); 1885a293980cSNeil Horman if (core_pipe_limit && (core_pipe_limit < dump_count)) { 1886a293980cSNeil Horman printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", 1887a293980cSNeil Horman task_tgid_vnr(current), current->comm); 1888a293980cSNeil Horman printk(KERN_WARNING "Skipping core dump\n"); 1889a293980cSNeil Horman goto fail_dropcount; 1890a293980cSNeil Horman } 1891a293980cSNeil Horman 189274aadce9SNeil Horman helper_argv = argv_split(GFP_KERNEL, corename+1, &helper_argc); 1893350eaf79STetsuo Handa if (!helper_argv) { 1894350eaf79STetsuo Handa printk(KERN_WARNING "%s failed to allocate memory\n", 1895350eaf79STetsuo Handa __func__); 1896a293980cSNeil Horman goto fail_dropcount; 1897350eaf79STetsuo Handa } 189832321137SNeil Horman 1899f6151dfeSMasami Hiramatsu cprm.limit = RLIM_INFINITY; 190032321137SNeil Horman 1901d025c9dbSAndi Kleen /* SIGPIPE can happen, but it's just never processed */ 1902a293980cSNeil Horman if (call_usermodehelper_pipe(helper_argv[0], helper_argv, NULL, 1903f6151dfeSMasami Hiramatsu &cprm.file)) { 1904d025c9dbSAndi Kleen printk(KERN_INFO "Core dump to %s pipe failed\n", 1905d025c9dbSAndi Kleen corename); 1906a293980cSNeil Horman goto fail_dropcount; 1907d025c9dbSAndi Kleen } 1908d025c9dbSAndi Kleen } else 1909f6151dfeSMasami Hiramatsu cprm.file = filp_open(corename, 19106d4df677SAlexey Dobriyan O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 19116d4df677SAlexey Dobriyan 0600); 1912f6151dfeSMasami Hiramatsu if (IS_ERR(cprm.file)) 1913a293980cSNeil Horman goto fail_dropcount; 1914f6151dfeSMasami Hiramatsu inode = cprm.file->f_path.dentry->d_inode; 19151da177e4SLinus Torvalds if (inode->i_nlink > 1) 19161da177e4SLinus Torvalds goto close_fail; /* multiple links - don't dump */ 1917f6151dfeSMasami Hiramatsu if (!ispipe && d_unhashed(cprm.file->f_path.dentry)) 19181da177e4SLinus Torvalds goto close_fail; 19191da177e4SLinus Torvalds 1920d025c9dbSAndi Kleen /* AK: actually i see no reason to not allow this for named pipes etc., 1921d025c9dbSAndi Kleen but keep the previous behaviour for now. */ 1922d025c9dbSAndi Kleen if (!ispipe && !S_ISREG(inode->i_mode)) 19231da177e4SLinus Torvalds goto close_fail; 1924c46f739dSIngo Molnar /* 1925c46f739dSIngo Molnar * Dont allow local users get cute and trick others to coredump 1926c46f739dSIngo Molnar * into their pre-created files: 1927c46f739dSIngo Molnar */ 1928da9592edSDavid Howells if (inode->i_uid != current_fsuid()) 1929c46f739dSIngo Molnar goto close_fail; 1930f6151dfeSMasami Hiramatsu if (!cprm.file->f_op) 19311da177e4SLinus Torvalds goto close_fail; 1932f6151dfeSMasami Hiramatsu if (!cprm.file->f_op->write) 19331da177e4SLinus Torvalds goto close_fail; 1934f6151dfeSMasami Hiramatsu if (!ispipe && 1935f6151dfeSMasami Hiramatsu do_truncate(cprm.file->f_path.dentry, 0, 0, cprm.file) != 0) 19361da177e4SLinus Torvalds goto close_fail; 19371da177e4SLinus Torvalds 1938f6151dfeSMasami Hiramatsu retval = binfmt->core_dump(&cprm); 19391da177e4SLinus Torvalds 19401da177e4SLinus Torvalds if (retval) 19411da177e4SLinus Torvalds current->signal->group_exit_code |= 0x80; 19421da177e4SLinus Torvalds close_fail: 194361be228aSNeil Horman if (ispipe && core_pipe_limit) 1944f6151dfeSMasami Hiramatsu wait_for_dump_helpers(cprm.file); 1945f6151dfeSMasami Hiramatsu filp_close(cprm.file, NULL); 1946a293980cSNeil Horman fail_dropcount: 1947a293980cSNeil Horman if (dump_count) 1948a293980cSNeil Horman atomic_dec(&core_dump_count); 19491da177e4SLinus Torvalds fail_unlock: 195074aadce9SNeil Horman if (helper_argv) 195174aadce9SNeil Horman argv_free(helper_argv); 195274aadce9SNeil Horman 1953d84f4f99SDavid Howells revert_creds(old_cred); 1954d84f4f99SDavid Howells put_cred(cred); 1955a94e2d40SOleg Nesterov coredump_finish(mm); 19561da177e4SLinus Torvalds fail: 19578cd3ac3aSWANG Cong return; 19581da177e4SLinus Torvalds } 1959