xref: /openbmc/linux/fs/binfmt_elf.c (revision dd21bfa4)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * linux/fs/binfmt_elf.c
4  *
5  * These are the functions used to load ELF format executables as used
6  * on SVr4 machines.  Information on the format may be found in the book
7  * "UNIX SYSTEM V RELEASE 4 Programmers Guide: Ansi C and Programming Support
8  * Tools".
9  *
10  * Copyright 1993, 1994: Eric Youngdale (ericy@cais.com).
11  */
12 
13 #include <linux/module.h>
14 #include <linux/kernel.h>
15 #include <linux/fs.h>
16 #include <linux/log2.h>
17 #include <linux/mm.h>
18 #include <linux/mman.h>
19 #include <linux/errno.h>
20 #include <linux/signal.h>
21 #include <linux/binfmts.h>
22 #include <linux/string.h>
23 #include <linux/file.h>
24 #include <linux/slab.h>
25 #include <linux/personality.h>
26 #include <linux/elfcore.h>
27 #include <linux/init.h>
28 #include <linux/highuid.h>
29 #include <linux/compiler.h>
30 #include <linux/highmem.h>
31 #include <linux/hugetlb.h>
32 #include <linux/pagemap.h>
33 #include <linux/vmalloc.h>
34 #include <linux/security.h>
35 #include <linux/random.h>
36 #include <linux/elf.h>
37 #include <linux/elf-randomize.h>
38 #include <linux/utsname.h>
39 #include <linux/coredump.h>
40 #include <linux/sched.h>
41 #include <linux/sched/coredump.h>
42 #include <linux/sched/task_stack.h>
43 #include <linux/sched/cputime.h>
44 #include <linux/sizes.h>
45 #include <linux/types.h>
46 #include <linux/cred.h>
47 #include <linux/dax.h>
48 #include <linux/uaccess.h>
49 #include <asm/param.h>
50 #include <asm/page.h>
51 
52 #ifndef ELF_COMPAT
53 #define ELF_COMPAT 0
54 #endif
55 
56 #ifndef user_long_t
57 #define user_long_t long
58 #endif
59 #ifndef user_siginfo_t
60 #define user_siginfo_t siginfo_t
61 #endif
62 
63 /* That's for binfmt_elf_fdpic to deal with */
64 #ifndef elf_check_fdpic
65 #define elf_check_fdpic(ex) false
66 #endif
67 
68 static int load_elf_binary(struct linux_binprm *bprm);
69 
70 #ifdef CONFIG_USELIB
71 static int load_elf_library(struct file *);
72 #else
73 #define load_elf_library NULL
74 #endif
75 
76 /*
77  * If we don't support core dumping, then supply a NULL so we
78  * don't even try.
79  */
80 #ifdef CONFIG_ELF_CORE
81 static int elf_core_dump(struct coredump_params *cprm);
82 #else
83 #define elf_core_dump	NULL
84 #endif
85 
86 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
87 #define ELF_MIN_ALIGN	ELF_EXEC_PAGESIZE
88 #else
89 #define ELF_MIN_ALIGN	PAGE_SIZE
90 #endif
91 
92 #ifndef ELF_CORE_EFLAGS
93 #define ELF_CORE_EFLAGS	0
94 #endif
95 
96 #define ELF_PAGESTART(_v) ((_v) & ~(unsigned long)(ELF_MIN_ALIGN-1))
97 #define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1))
98 #define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
99 
100 static struct linux_binfmt elf_format = {
101 	.module		= THIS_MODULE,
102 	.load_binary	= load_elf_binary,
103 	.load_shlib	= load_elf_library,
104 	.core_dump	= elf_core_dump,
105 	.min_coredump	= ELF_EXEC_PAGESIZE,
106 };
107 
108 #define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE))
109 
110 static int set_brk(unsigned long start, unsigned long end, int prot)
111 {
112 	start = ELF_PAGEALIGN(start);
113 	end = ELF_PAGEALIGN(end);
114 	if (end > start) {
115 		/*
116 		 * Map the last of the bss segment.
117 		 * If the header is requesting these pages to be
118 		 * executable, honour that (ppc32 needs this).
119 		 */
120 		int error = vm_brk_flags(start, end - start,
121 				prot & PROT_EXEC ? VM_EXEC : 0);
122 		if (error)
123 			return error;
124 	}
125 	current->mm->start_brk = current->mm->brk = end;
126 	return 0;
127 }
128 
129 /* We need to explicitly zero any fractional pages
130    after the data section (i.e. bss).  This would
131    contain the junk from the file that should not
132    be in memory
133  */
134 static int padzero(unsigned long elf_bss)
135 {
136 	unsigned long nbyte;
137 
138 	nbyte = ELF_PAGEOFFSET(elf_bss);
139 	if (nbyte) {
140 		nbyte = ELF_MIN_ALIGN - nbyte;
141 		if (clear_user((void __user *) elf_bss, nbyte))
142 			return -EFAULT;
143 	}
144 	return 0;
145 }
146 
147 /* Let's use some macros to make this stack manipulation a little clearer */
148 #ifdef CONFIG_STACK_GROWSUP
149 #define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) + (items))
150 #define STACK_ROUND(sp, items) \
151 	((15 + (unsigned long) ((sp) + (items))) &~ 15UL)
152 #define STACK_ALLOC(sp, len) ({ \
153 	elf_addr_t __user *old_sp = (elf_addr_t __user *)sp; sp += len; \
154 	old_sp; })
155 #else
156 #define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) - (items))
157 #define STACK_ROUND(sp, items) \
158 	(((unsigned long) (sp - items)) &~ 15UL)
159 #define STACK_ALLOC(sp, len) (sp -= len)
160 #endif
161 
162 #ifndef ELF_BASE_PLATFORM
163 /*
164  * AT_BASE_PLATFORM indicates the "real" hardware/microarchitecture.
165  * If the arch defines ELF_BASE_PLATFORM (in asm/elf.h), the value
166  * will be copied to the user stack in the same manner as AT_PLATFORM.
167  */
168 #define ELF_BASE_PLATFORM NULL
169 #endif
170 
171 static int
172 create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
173 		unsigned long load_addr, unsigned long interp_load_addr,
174 		unsigned long e_entry)
175 {
176 	struct mm_struct *mm = current->mm;
177 	unsigned long p = bprm->p;
178 	int argc = bprm->argc;
179 	int envc = bprm->envc;
180 	elf_addr_t __user *sp;
181 	elf_addr_t __user *u_platform;
182 	elf_addr_t __user *u_base_platform;
183 	elf_addr_t __user *u_rand_bytes;
184 	const char *k_platform = ELF_PLATFORM;
185 	const char *k_base_platform = ELF_BASE_PLATFORM;
186 	unsigned char k_rand_bytes[16];
187 	int items;
188 	elf_addr_t *elf_info;
189 	elf_addr_t flags = 0;
190 	int ei_index;
191 	const struct cred *cred = current_cred();
192 	struct vm_area_struct *vma;
193 
194 	/*
195 	 * In some cases (e.g. Hyper-Threading), we want to avoid L1
196 	 * evictions by the processes running on the same package. One
197 	 * thing we can do is to shuffle the initial stack for them.
198 	 */
199 
200 	p = arch_align_stack(p);
201 
202 	/*
203 	 * If this architecture has a platform capability string, copy it
204 	 * to userspace.  In some cases (Sparc), this info is impossible
205 	 * for userspace to get any other way, in others (i386) it is
206 	 * merely difficult.
207 	 */
208 	u_platform = NULL;
209 	if (k_platform) {
210 		size_t len = strlen(k_platform) + 1;
211 
212 		u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
213 		if (copy_to_user(u_platform, k_platform, len))
214 			return -EFAULT;
215 	}
216 
217 	/*
218 	 * If this architecture has a "base" platform capability
219 	 * string, copy it to userspace.
220 	 */
221 	u_base_platform = NULL;
222 	if (k_base_platform) {
223 		size_t len = strlen(k_base_platform) + 1;
224 
225 		u_base_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
226 		if (copy_to_user(u_base_platform, k_base_platform, len))
227 			return -EFAULT;
228 	}
229 
230 	/*
231 	 * Generate 16 random bytes for userspace PRNG seeding.
232 	 */
233 	get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
234 	u_rand_bytes = (elf_addr_t __user *)
235 		       STACK_ALLOC(p, sizeof(k_rand_bytes));
236 	if (copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
237 		return -EFAULT;
238 
239 	/* Create the ELF interpreter info */
240 	elf_info = (elf_addr_t *)mm->saved_auxv;
241 	/* update AT_VECTOR_SIZE_BASE if the number of NEW_AUX_ENT() changes */
242 #define NEW_AUX_ENT(id, val) \
243 	do { \
244 		*elf_info++ = id; \
245 		*elf_info++ = val; \
246 	} while (0)
247 
248 #ifdef ARCH_DLINFO
249 	/*
250 	 * ARCH_DLINFO must come first so PPC can do its special alignment of
251 	 * AUXV.
252 	 * update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT() in
253 	 * ARCH_DLINFO changes
254 	 */
255 	ARCH_DLINFO;
256 #endif
257 	NEW_AUX_ENT(AT_HWCAP, ELF_HWCAP);
258 	NEW_AUX_ENT(AT_PAGESZ, ELF_EXEC_PAGESIZE);
259 	NEW_AUX_ENT(AT_CLKTCK, CLOCKS_PER_SEC);
260 	NEW_AUX_ENT(AT_PHDR, load_addr + exec->e_phoff);
261 	NEW_AUX_ENT(AT_PHENT, sizeof(struct elf_phdr));
262 	NEW_AUX_ENT(AT_PHNUM, exec->e_phnum);
263 	NEW_AUX_ENT(AT_BASE, interp_load_addr);
264 	if (bprm->interp_flags & BINPRM_FLAGS_PRESERVE_ARGV0)
265 		flags |= AT_FLAGS_PRESERVE_ARGV0;
266 	NEW_AUX_ENT(AT_FLAGS, flags);
267 	NEW_AUX_ENT(AT_ENTRY, e_entry);
268 	NEW_AUX_ENT(AT_UID, from_kuid_munged(cred->user_ns, cred->uid));
269 	NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid));
270 	NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid));
271 	NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid));
272 	NEW_AUX_ENT(AT_SECURE, bprm->secureexec);
273 	NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes);
274 #ifdef ELF_HWCAP2
275 	NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2);
276 #endif
277 	NEW_AUX_ENT(AT_EXECFN, bprm->exec);
278 	if (k_platform) {
279 		NEW_AUX_ENT(AT_PLATFORM,
280 			    (elf_addr_t)(unsigned long)u_platform);
281 	}
282 	if (k_base_platform) {
283 		NEW_AUX_ENT(AT_BASE_PLATFORM,
284 			    (elf_addr_t)(unsigned long)u_base_platform);
285 	}
286 	if (bprm->have_execfd) {
287 		NEW_AUX_ENT(AT_EXECFD, bprm->execfd);
288 	}
289 #undef NEW_AUX_ENT
290 	/* AT_NULL is zero; clear the rest too */
291 	memset(elf_info, 0, (char *)mm->saved_auxv +
292 			sizeof(mm->saved_auxv) - (char *)elf_info);
293 
294 	/* And advance past the AT_NULL entry.  */
295 	elf_info += 2;
296 
297 	ei_index = elf_info - (elf_addr_t *)mm->saved_auxv;
298 	sp = STACK_ADD(p, ei_index);
299 
300 	items = (argc + 1) + (envc + 1) + 1;
301 	bprm->p = STACK_ROUND(sp, items);
302 
303 	/* Point sp at the lowest address on the stack */
304 #ifdef CONFIG_STACK_GROWSUP
305 	sp = (elf_addr_t __user *)bprm->p - items - ei_index;
306 	bprm->exec = (unsigned long)sp; /* XXX: PARISC HACK */
307 #else
308 	sp = (elf_addr_t __user *)bprm->p;
309 #endif
310 
311 
312 	/*
313 	 * Grow the stack manually; some architectures have a limit on how
314 	 * far ahead a user-space access may be in order to grow the stack.
315 	 */
316 	if (mmap_read_lock_killable(mm))
317 		return -EINTR;
318 	vma = find_extend_vma(mm, bprm->p);
319 	mmap_read_unlock(mm);
320 	if (!vma)
321 		return -EFAULT;
322 
323 	/* Now, let's put argc (and argv, envp if appropriate) on the stack */
324 	if (put_user(argc, sp++))
325 		return -EFAULT;
326 
327 	/* Populate list of argv pointers back to argv strings. */
328 	p = mm->arg_end = mm->arg_start;
329 	while (argc-- > 0) {
330 		size_t len;
331 		if (put_user((elf_addr_t)p, sp++))
332 			return -EFAULT;
333 		len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
334 		if (!len || len > MAX_ARG_STRLEN)
335 			return -EINVAL;
336 		p += len;
337 	}
338 	if (put_user(0, sp++))
339 		return -EFAULT;
340 	mm->arg_end = p;
341 
342 	/* Populate list of envp pointers back to envp strings. */
343 	mm->env_end = mm->env_start = p;
344 	while (envc-- > 0) {
345 		size_t len;
346 		if (put_user((elf_addr_t)p, sp++))
347 			return -EFAULT;
348 		len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
349 		if (!len || len > MAX_ARG_STRLEN)
350 			return -EINVAL;
351 		p += len;
352 	}
353 	if (put_user(0, sp++))
354 		return -EFAULT;
355 	mm->env_end = p;
356 
357 	/* Put the elf_info on the stack in the right place.  */
358 	if (copy_to_user(sp, mm->saved_auxv, ei_index * sizeof(elf_addr_t)))
359 		return -EFAULT;
360 	return 0;
361 }
362 
363 static unsigned long elf_map(struct file *filep, unsigned long addr,
364 		const struct elf_phdr *eppnt, int prot, int type,
365 		unsigned long total_size)
366 {
367 	unsigned long map_addr;
368 	unsigned long size = eppnt->p_filesz + ELF_PAGEOFFSET(eppnt->p_vaddr);
369 	unsigned long off = eppnt->p_offset - ELF_PAGEOFFSET(eppnt->p_vaddr);
370 	addr = ELF_PAGESTART(addr);
371 	size = ELF_PAGEALIGN(size);
372 
373 	/* mmap() will return -EINVAL if given a zero size, but a
374 	 * segment with zero filesize is perfectly valid */
375 	if (!size)
376 		return addr;
377 
378 	/*
379 	* total_size is the size of the ELF (interpreter) image.
380 	* The _first_ mmap needs to know the full size, otherwise
381 	* randomization might put this image into an overlapping
382 	* position with the ELF binary image. (since size < total_size)
383 	* So we first map the 'big' image - and unmap the remainder at
384 	* the end. (which unmap is needed for ELF images with holes.)
385 	*/
386 	if (total_size) {
387 		total_size = ELF_PAGEALIGN(total_size);
388 		map_addr = vm_mmap(filep, addr, total_size, prot, type, off);
389 		if (!BAD_ADDR(map_addr))
390 			vm_munmap(map_addr+size, total_size-size);
391 	} else
392 		map_addr = vm_mmap(filep, addr, size, prot, type, off);
393 
394 	if ((type & MAP_FIXED_NOREPLACE) &&
395 	    PTR_ERR((void *)map_addr) == -EEXIST)
396 		pr_info("%d (%s): Uhuuh, elf segment at %px requested but the memory is mapped already\n",
397 			task_pid_nr(current), current->comm, (void *)addr);
398 
399 	return(map_addr);
400 }
401 
402 static unsigned long total_mapping_size(const struct elf_phdr *cmds, int nr)
403 {
404 	int i, first_idx = -1, last_idx = -1;
405 
406 	for (i = 0; i < nr; i++) {
407 		if (cmds[i].p_type == PT_LOAD) {
408 			last_idx = i;
409 			if (first_idx == -1)
410 				first_idx = i;
411 		}
412 	}
413 	if (first_idx == -1)
414 		return 0;
415 
416 	return cmds[last_idx].p_vaddr + cmds[last_idx].p_memsz -
417 				ELF_PAGESTART(cmds[first_idx].p_vaddr);
418 }
419 
420 static int elf_read(struct file *file, void *buf, size_t len, loff_t pos)
421 {
422 	ssize_t rv;
423 
424 	rv = kernel_read(file, buf, len, &pos);
425 	if (unlikely(rv != len)) {
426 		return (rv < 0) ? rv : -EIO;
427 	}
428 	return 0;
429 }
430 
431 static unsigned long maximum_alignment(struct elf_phdr *cmds, int nr)
432 {
433 	unsigned long alignment = 0;
434 	int i;
435 
436 	for (i = 0; i < nr; i++) {
437 		if (cmds[i].p_type == PT_LOAD) {
438 			unsigned long p_align = cmds[i].p_align;
439 
440 			/* skip non-power of two alignments as invalid */
441 			if (!is_power_of_2(p_align))
442 				continue;
443 			alignment = max(alignment, p_align);
444 		}
445 	}
446 
447 	/* ensure we align to at least one page */
448 	return ELF_PAGEALIGN(alignment);
449 }
450 
451 /**
452  * load_elf_phdrs() - load ELF program headers
453  * @elf_ex:   ELF header of the binary whose program headers should be loaded
454  * @elf_file: the opened ELF binary file
455  *
456  * Loads ELF program headers from the binary file elf_file, which has the ELF
457  * header pointed to by elf_ex, into a newly allocated array. The caller is
458  * responsible for freeing the allocated data. Returns an ERR_PTR upon failure.
459  */
460 static struct elf_phdr *load_elf_phdrs(const struct elfhdr *elf_ex,
461 				       struct file *elf_file)
462 {
463 	struct elf_phdr *elf_phdata = NULL;
464 	int retval, err = -1;
465 	unsigned int size;
466 
467 	/*
468 	 * If the size of this structure has changed, then punt, since
469 	 * we will be doing the wrong thing.
470 	 */
471 	if (elf_ex->e_phentsize != sizeof(struct elf_phdr))
472 		goto out;
473 
474 	/* Sanity check the number of program headers... */
475 	/* ...and their total size. */
476 	size = sizeof(struct elf_phdr) * elf_ex->e_phnum;
477 	if (size == 0 || size > 65536 || size > ELF_MIN_ALIGN)
478 		goto out;
479 
480 	elf_phdata = kmalloc(size, GFP_KERNEL);
481 	if (!elf_phdata)
482 		goto out;
483 
484 	/* Read in the program headers */
485 	retval = elf_read(elf_file, elf_phdata, size, elf_ex->e_phoff);
486 	if (retval < 0) {
487 		err = retval;
488 		goto out;
489 	}
490 
491 	/* Success! */
492 	err = 0;
493 out:
494 	if (err) {
495 		kfree(elf_phdata);
496 		elf_phdata = NULL;
497 	}
498 	return elf_phdata;
499 }
500 
501 #ifndef CONFIG_ARCH_BINFMT_ELF_STATE
502 
503 /**
504  * struct arch_elf_state - arch-specific ELF loading state
505  *
506  * This structure is used to preserve architecture specific data during
507  * the loading of an ELF file, throughout the checking of architecture
508  * specific ELF headers & through to the point where the ELF load is
509  * known to be proceeding (ie. SET_PERSONALITY).
510  *
511  * This implementation is a dummy for architectures which require no
512  * specific state.
513  */
514 struct arch_elf_state {
515 };
516 
517 #define INIT_ARCH_ELF_STATE {}
518 
519 /**
520  * arch_elf_pt_proc() - check a PT_LOPROC..PT_HIPROC ELF program header
521  * @ehdr:	The main ELF header
522  * @phdr:	The program header to check
523  * @elf:	The open ELF file
524  * @is_interp:	True if the phdr is from the interpreter of the ELF being
525  *		loaded, else false.
526  * @state:	Architecture-specific state preserved throughout the process
527  *		of loading the ELF.
528  *
529  * Inspects the program header phdr to validate its correctness and/or
530  * suitability for the system. Called once per ELF program header in the
531  * range PT_LOPROC to PT_HIPROC, for both the ELF being loaded and its
532  * interpreter.
533  *
534  * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
535  *         with that return code.
536  */
537 static inline int arch_elf_pt_proc(struct elfhdr *ehdr,
538 				   struct elf_phdr *phdr,
539 				   struct file *elf, bool is_interp,
540 				   struct arch_elf_state *state)
541 {
542 	/* Dummy implementation, always proceed */
543 	return 0;
544 }
545 
546 /**
547  * arch_check_elf() - check an ELF executable
548  * @ehdr:	The main ELF header
549  * @has_interp:	True if the ELF has an interpreter, else false.
550  * @interp_ehdr: The interpreter's ELF header
551  * @state:	Architecture-specific state preserved throughout the process
552  *		of loading the ELF.
553  *
554  * Provides a final opportunity for architecture code to reject the loading
555  * of the ELF & cause an exec syscall to return an error. This is called after
556  * all program headers to be checked by arch_elf_pt_proc have been.
557  *
558  * Return: Zero to proceed with the ELF load, non-zero to fail the ELF load
559  *         with that return code.
560  */
561 static inline int arch_check_elf(struct elfhdr *ehdr, bool has_interp,
562 				 struct elfhdr *interp_ehdr,
563 				 struct arch_elf_state *state)
564 {
565 	/* Dummy implementation, always proceed */
566 	return 0;
567 }
568 
569 #endif /* !CONFIG_ARCH_BINFMT_ELF_STATE */
570 
571 static inline int make_prot(u32 p_flags, struct arch_elf_state *arch_state,
572 			    bool has_interp, bool is_interp)
573 {
574 	int prot = 0;
575 
576 	if (p_flags & PF_R)
577 		prot |= PROT_READ;
578 	if (p_flags & PF_W)
579 		prot |= PROT_WRITE;
580 	if (p_flags & PF_X)
581 		prot |= PROT_EXEC;
582 
583 	return arch_elf_adjust_prot(prot, arch_state, has_interp, is_interp);
584 }
585 
586 /* This is much more generalized than the library routine read function,
587    so we keep this separate.  Technically the library read function
588    is only provided so that we can read a.out libraries that have
589    an ELF header */
590 
591 static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
592 		struct file *interpreter,
593 		unsigned long no_base, struct elf_phdr *interp_elf_phdata,
594 		struct arch_elf_state *arch_state)
595 {
596 	struct elf_phdr *eppnt;
597 	unsigned long load_addr = 0;
598 	int load_addr_set = 0;
599 	unsigned long last_bss = 0, elf_bss = 0;
600 	int bss_prot = 0;
601 	unsigned long error = ~0UL;
602 	unsigned long total_size;
603 	int i;
604 
605 	/* First of all, some simple consistency checks */
606 	if (interp_elf_ex->e_type != ET_EXEC &&
607 	    interp_elf_ex->e_type != ET_DYN)
608 		goto out;
609 	if (!elf_check_arch(interp_elf_ex) ||
610 	    elf_check_fdpic(interp_elf_ex))
611 		goto out;
612 	if (!interpreter->f_op->mmap)
613 		goto out;
614 
615 	total_size = total_mapping_size(interp_elf_phdata,
616 					interp_elf_ex->e_phnum);
617 	if (!total_size) {
618 		error = -EINVAL;
619 		goto out;
620 	}
621 
622 	eppnt = interp_elf_phdata;
623 	for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
624 		if (eppnt->p_type == PT_LOAD) {
625 			int elf_type = MAP_PRIVATE;
626 			int elf_prot = make_prot(eppnt->p_flags, arch_state,
627 						 true, true);
628 			unsigned long vaddr = 0;
629 			unsigned long k, map_addr;
630 
631 			vaddr = eppnt->p_vaddr;
632 			if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
633 				elf_type |= MAP_FIXED;
634 			else if (no_base && interp_elf_ex->e_type == ET_DYN)
635 				load_addr = -vaddr;
636 
637 			map_addr = elf_map(interpreter, load_addr + vaddr,
638 					eppnt, elf_prot, elf_type, total_size);
639 			total_size = 0;
640 			error = map_addr;
641 			if (BAD_ADDR(map_addr))
642 				goto out;
643 
644 			if (!load_addr_set &&
645 			    interp_elf_ex->e_type == ET_DYN) {
646 				load_addr = map_addr - ELF_PAGESTART(vaddr);
647 				load_addr_set = 1;
648 			}
649 
650 			/*
651 			 * Check to see if the section's size will overflow the
652 			 * allowed task size. Note that p_filesz must always be
653 			 * <= p_memsize so it's only necessary to check p_memsz.
654 			 */
655 			k = load_addr + eppnt->p_vaddr;
656 			if (BAD_ADDR(k) ||
657 			    eppnt->p_filesz > eppnt->p_memsz ||
658 			    eppnt->p_memsz > TASK_SIZE ||
659 			    TASK_SIZE - eppnt->p_memsz < k) {
660 				error = -ENOMEM;
661 				goto out;
662 			}
663 
664 			/*
665 			 * Find the end of the file mapping for this phdr, and
666 			 * keep track of the largest address we see for this.
667 			 */
668 			k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
669 			if (k > elf_bss)
670 				elf_bss = k;
671 
672 			/*
673 			 * Do the same thing for the memory mapping - between
674 			 * elf_bss and last_bss is the bss section.
675 			 */
676 			k = load_addr + eppnt->p_vaddr + eppnt->p_memsz;
677 			if (k > last_bss) {
678 				last_bss = k;
679 				bss_prot = elf_prot;
680 			}
681 		}
682 	}
683 
684 	/*
685 	 * Now fill out the bss section: first pad the last page from
686 	 * the file up to the page boundary, and zero it from elf_bss
687 	 * up to the end of the page.
688 	 */
689 	if (padzero(elf_bss)) {
690 		error = -EFAULT;
691 		goto out;
692 	}
693 	/*
694 	 * Next, align both the file and mem bss up to the page size,
695 	 * since this is where elf_bss was just zeroed up to, and where
696 	 * last_bss will end after the vm_brk_flags() below.
697 	 */
698 	elf_bss = ELF_PAGEALIGN(elf_bss);
699 	last_bss = ELF_PAGEALIGN(last_bss);
700 	/* Finally, if there is still more bss to allocate, do it. */
701 	if (last_bss > elf_bss) {
702 		error = vm_brk_flags(elf_bss, last_bss - elf_bss,
703 				bss_prot & PROT_EXEC ? VM_EXEC : 0);
704 		if (error)
705 			goto out;
706 	}
707 
708 	error = load_addr;
709 out:
710 	return error;
711 }
712 
713 /*
714  * These are the functions used to load ELF style executables and shared
715  * libraries.  There is no binary dependent code anywhere else.
716  */
717 
718 static int parse_elf_property(const char *data, size_t *off, size_t datasz,
719 			      struct arch_elf_state *arch,
720 			      bool have_prev_type, u32 *prev_type)
721 {
722 	size_t o, step;
723 	const struct gnu_property *pr;
724 	int ret;
725 
726 	if (*off == datasz)
727 		return -ENOENT;
728 
729 	if (WARN_ON_ONCE(*off > datasz || *off % ELF_GNU_PROPERTY_ALIGN))
730 		return -EIO;
731 	o = *off;
732 	datasz -= *off;
733 
734 	if (datasz < sizeof(*pr))
735 		return -ENOEXEC;
736 	pr = (const struct gnu_property *)(data + o);
737 	o += sizeof(*pr);
738 	datasz -= sizeof(*pr);
739 
740 	if (pr->pr_datasz > datasz)
741 		return -ENOEXEC;
742 
743 	WARN_ON_ONCE(o % ELF_GNU_PROPERTY_ALIGN);
744 	step = round_up(pr->pr_datasz, ELF_GNU_PROPERTY_ALIGN);
745 	if (step > datasz)
746 		return -ENOEXEC;
747 
748 	/* Properties are supposed to be unique and sorted on pr_type: */
749 	if (have_prev_type && pr->pr_type <= *prev_type)
750 		return -ENOEXEC;
751 	*prev_type = pr->pr_type;
752 
753 	ret = arch_parse_elf_property(pr->pr_type, data + o,
754 				      pr->pr_datasz, ELF_COMPAT, arch);
755 	if (ret)
756 		return ret;
757 
758 	*off = o + step;
759 	return 0;
760 }
761 
762 #define NOTE_DATA_SZ SZ_1K
763 #define GNU_PROPERTY_TYPE_0_NAME "GNU"
764 #define NOTE_NAME_SZ (sizeof(GNU_PROPERTY_TYPE_0_NAME))
765 
766 static int parse_elf_properties(struct file *f, const struct elf_phdr *phdr,
767 				struct arch_elf_state *arch)
768 {
769 	union {
770 		struct elf_note nhdr;
771 		char data[NOTE_DATA_SZ];
772 	} note;
773 	loff_t pos;
774 	ssize_t n;
775 	size_t off, datasz;
776 	int ret;
777 	bool have_prev_type;
778 	u32 prev_type;
779 
780 	if (!IS_ENABLED(CONFIG_ARCH_USE_GNU_PROPERTY) || !phdr)
781 		return 0;
782 
783 	/* load_elf_binary() shouldn't call us unless this is true... */
784 	if (WARN_ON_ONCE(phdr->p_type != PT_GNU_PROPERTY))
785 		return -ENOEXEC;
786 
787 	/* If the properties are crazy large, that's too bad (for now): */
788 	if (phdr->p_filesz > sizeof(note))
789 		return -ENOEXEC;
790 
791 	pos = phdr->p_offset;
792 	n = kernel_read(f, &note, phdr->p_filesz, &pos);
793 
794 	BUILD_BUG_ON(sizeof(note) < sizeof(note.nhdr) + NOTE_NAME_SZ);
795 	if (n < 0 || n < sizeof(note.nhdr) + NOTE_NAME_SZ)
796 		return -EIO;
797 
798 	if (note.nhdr.n_type != NT_GNU_PROPERTY_TYPE_0 ||
799 	    note.nhdr.n_namesz != NOTE_NAME_SZ ||
800 	    strncmp(note.data + sizeof(note.nhdr),
801 		    GNU_PROPERTY_TYPE_0_NAME, n - sizeof(note.nhdr)))
802 		return -ENOEXEC;
803 
804 	off = round_up(sizeof(note.nhdr) + NOTE_NAME_SZ,
805 		       ELF_GNU_PROPERTY_ALIGN);
806 	if (off > n)
807 		return -ENOEXEC;
808 
809 	if (note.nhdr.n_descsz > n - off)
810 		return -ENOEXEC;
811 	datasz = off + note.nhdr.n_descsz;
812 
813 	have_prev_type = false;
814 	do {
815 		ret = parse_elf_property(note.data, &off, datasz, arch,
816 					 have_prev_type, &prev_type);
817 		have_prev_type = true;
818 	} while (!ret);
819 
820 	return ret == -ENOENT ? 0 : ret;
821 }
822 
823 static int load_elf_binary(struct linux_binprm *bprm)
824 {
825 	struct file *interpreter = NULL; /* to shut gcc up */
826  	unsigned long load_addr = 0, load_bias = 0;
827 	int load_addr_set = 0;
828 	unsigned long error;
829 	struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
830 	struct elf_phdr *elf_property_phdata = NULL;
831 	unsigned long elf_bss, elf_brk;
832 	int bss_prot = 0;
833 	int retval, i;
834 	unsigned long elf_entry;
835 	unsigned long e_entry;
836 	unsigned long interp_load_addr = 0;
837 	unsigned long start_code, end_code, start_data, end_data;
838 	unsigned long reloc_func_desc __maybe_unused = 0;
839 	int executable_stack = EXSTACK_DEFAULT;
840 	struct elfhdr *elf_ex = (struct elfhdr *)bprm->buf;
841 	struct elfhdr *interp_elf_ex = NULL;
842 	struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE;
843 	struct mm_struct *mm;
844 	struct pt_regs *regs;
845 
846 	retval = -ENOEXEC;
847 	/* First of all, some simple consistency checks */
848 	if (memcmp(elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
849 		goto out;
850 
851 	if (elf_ex->e_type != ET_EXEC && elf_ex->e_type != ET_DYN)
852 		goto out;
853 	if (!elf_check_arch(elf_ex))
854 		goto out;
855 	if (elf_check_fdpic(elf_ex))
856 		goto out;
857 	if (!bprm->file->f_op->mmap)
858 		goto out;
859 
860 	elf_phdata = load_elf_phdrs(elf_ex, bprm->file);
861 	if (!elf_phdata)
862 		goto out;
863 
864 	elf_ppnt = elf_phdata;
865 	for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++) {
866 		char *elf_interpreter;
867 
868 		if (elf_ppnt->p_type == PT_GNU_PROPERTY) {
869 			elf_property_phdata = elf_ppnt;
870 			continue;
871 		}
872 
873 		if (elf_ppnt->p_type != PT_INTERP)
874 			continue;
875 
876 		/*
877 		 * This is the program interpreter used for shared libraries -
878 		 * for now assume that this is an a.out format binary.
879 		 */
880 		retval = -ENOEXEC;
881 		if (elf_ppnt->p_filesz > PATH_MAX || elf_ppnt->p_filesz < 2)
882 			goto out_free_ph;
883 
884 		retval = -ENOMEM;
885 		elf_interpreter = kmalloc(elf_ppnt->p_filesz, GFP_KERNEL);
886 		if (!elf_interpreter)
887 			goto out_free_ph;
888 
889 		retval = elf_read(bprm->file, elf_interpreter, elf_ppnt->p_filesz,
890 				  elf_ppnt->p_offset);
891 		if (retval < 0)
892 			goto out_free_interp;
893 		/* make sure path is NULL terminated */
894 		retval = -ENOEXEC;
895 		if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0')
896 			goto out_free_interp;
897 
898 		interpreter = open_exec(elf_interpreter);
899 		kfree(elf_interpreter);
900 		retval = PTR_ERR(interpreter);
901 		if (IS_ERR(interpreter))
902 			goto out_free_ph;
903 
904 		/*
905 		 * If the binary is not readable then enforce mm->dumpable = 0
906 		 * regardless of the interpreter's permissions.
907 		 */
908 		would_dump(bprm, interpreter);
909 
910 		interp_elf_ex = kmalloc(sizeof(*interp_elf_ex), GFP_KERNEL);
911 		if (!interp_elf_ex) {
912 			retval = -ENOMEM;
913 			goto out_free_ph;
914 		}
915 
916 		/* Get the exec headers */
917 		retval = elf_read(interpreter, interp_elf_ex,
918 				  sizeof(*interp_elf_ex), 0);
919 		if (retval < 0)
920 			goto out_free_dentry;
921 
922 		break;
923 
924 out_free_interp:
925 		kfree(elf_interpreter);
926 		goto out_free_ph;
927 	}
928 
929 	elf_ppnt = elf_phdata;
930 	for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++)
931 		switch (elf_ppnt->p_type) {
932 		case PT_GNU_STACK:
933 			if (elf_ppnt->p_flags & PF_X)
934 				executable_stack = EXSTACK_ENABLE_X;
935 			else
936 				executable_stack = EXSTACK_DISABLE_X;
937 			break;
938 
939 		case PT_LOPROC ... PT_HIPROC:
940 			retval = arch_elf_pt_proc(elf_ex, elf_ppnt,
941 						  bprm->file, false,
942 						  &arch_state);
943 			if (retval)
944 				goto out_free_dentry;
945 			break;
946 		}
947 
948 	/* Some simple consistency checks for the interpreter */
949 	if (interpreter) {
950 		retval = -ELIBBAD;
951 		/* Not an ELF interpreter */
952 		if (memcmp(interp_elf_ex->e_ident, ELFMAG, SELFMAG) != 0)
953 			goto out_free_dentry;
954 		/* Verify the interpreter has a valid arch */
955 		if (!elf_check_arch(interp_elf_ex) ||
956 		    elf_check_fdpic(interp_elf_ex))
957 			goto out_free_dentry;
958 
959 		/* Load the interpreter program headers */
960 		interp_elf_phdata = load_elf_phdrs(interp_elf_ex,
961 						   interpreter);
962 		if (!interp_elf_phdata)
963 			goto out_free_dentry;
964 
965 		/* Pass PT_LOPROC..PT_HIPROC headers to arch code */
966 		elf_property_phdata = NULL;
967 		elf_ppnt = interp_elf_phdata;
968 		for (i = 0; i < interp_elf_ex->e_phnum; i++, elf_ppnt++)
969 			switch (elf_ppnt->p_type) {
970 			case PT_GNU_PROPERTY:
971 				elf_property_phdata = elf_ppnt;
972 				break;
973 
974 			case PT_LOPROC ... PT_HIPROC:
975 				retval = arch_elf_pt_proc(interp_elf_ex,
976 							  elf_ppnt, interpreter,
977 							  true, &arch_state);
978 				if (retval)
979 					goto out_free_dentry;
980 				break;
981 			}
982 	}
983 
984 	retval = parse_elf_properties(interpreter ?: bprm->file,
985 				      elf_property_phdata, &arch_state);
986 	if (retval)
987 		goto out_free_dentry;
988 
989 	/*
990 	 * Allow arch code to reject the ELF at this point, whilst it's
991 	 * still possible to return an error to the code that invoked
992 	 * the exec syscall.
993 	 */
994 	retval = arch_check_elf(elf_ex,
995 				!!interpreter, interp_elf_ex,
996 				&arch_state);
997 	if (retval)
998 		goto out_free_dentry;
999 
1000 	/* Flush all traces of the currently running executable */
1001 	retval = begin_new_exec(bprm);
1002 	if (retval)
1003 		goto out_free_dentry;
1004 
1005 	/* Do this immediately, since STACK_TOP as used in setup_arg_pages
1006 	   may depend on the personality.  */
1007 	SET_PERSONALITY2(*elf_ex, &arch_state);
1008 	if (elf_read_implies_exec(*elf_ex, executable_stack))
1009 		current->personality |= READ_IMPLIES_EXEC;
1010 
1011 	if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1012 		current->flags |= PF_RANDOMIZE;
1013 
1014 	setup_new_exec(bprm);
1015 
1016 	/* Do this so that we can load the interpreter, if need be.  We will
1017 	   change some of these later */
1018 	retval = setup_arg_pages(bprm, randomize_stack_top(STACK_TOP),
1019 				 executable_stack);
1020 	if (retval < 0)
1021 		goto out_free_dentry;
1022 
1023 	elf_bss = 0;
1024 	elf_brk = 0;
1025 
1026 	start_code = ~0UL;
1027 	end_code = 0;
1028 	start_data = 0;
1029 	end_data = 0;
1030 
1031 	/* Now we do a little grungy work by mmapping the ELF image into
1032 	   the correct location in memory. */
1033 	for(i = 0, elf_ppnt = elf_phdata;
1034 	    i < elf_ex->e_phnum; i++, elf_ppnt++) {
1035 		int elf_prot, elf_flags;
1036 		unsigned long k, vaddr;
1037 		unsigned long total_size = 0;
1038 		unsigned long alignment;
1039 
1040 		if (elf_ppnt->p_type != PT_LOAD)
1041 			continue;
1042 
1043 		if (unlikely (elf_brk > elf_bss)) {
1044 			unsigned long nbyte;
1045 
1046 			/* There was a PT_LOAD segment with p_memsz > p_filesz
1047 			   before this one. Map anonymous pages, if needed,
1048 			   and clear the area.  */
1049 			retval = set_brk(elf_bss + load_bias,
1050 					 elf_brk + load_bias,
1051 					 bss_prot);
1052 			if (retval)
1053 				goto out_free_dentry;
1054 			nbyte = ELF_PAGEOFFSET(elf_bss);
1055 			if (nbyte) {
1056 				nbyte = ELF_MIN_ALIGN - nbyte;
1057 				if (nbyte > elf_brk - elf_bss)
1058 					nbyte = elf_brk - elf_bss;
1059 				if (clear_user((void __user *)elf_bss +
1060 							load_bias, nbyte)) {
1061 					/*
1062 					 * This bss-zeroing can fail if the ELF
1063 					 * file specifies odd protections. So
1064 					 * we don't check the return value
1065 					 */
1066 				}
1067 			}
1068 		}
1069 
1070 		elf_prot = make_prot(elf_ppnt->p_flags, &arch_state,
1071 				     !!interpreter, false);
1072 
1073 		elf_flags = MAP_PRIVATE;
1074 
1075 		vaddr = elf_ppnt->p_vaddr;
1076 		/*
1077 		 * The first time through the loop, load_addr_set is false:
1078 		 * layout will be calculated. Once set, use MAP_FIXED since
1079 		 * we know we've already safely mapped the entire region with
1080 		 * MAP_FIXED_NOREPLACE in the once-per-binary logic following.
1081 		 */
1082 		if (load_addr_set) {
1083 			elf_flags |= MAP_FIXED;
1084 		} else if (elf_ex->e_type == ET_EXEC) {
1085 			/*
1086 			 * This logic is run once for the first LOAD Program
1087 			 * Header for ET_EXEC binaries. No special handling
1088 			 * is needed.
1089 			 */
1090 			elf_flags |= MAP_FIXED_NOREPLACE;
1091 		} else if (elf_ex->e_type == ET_DYN) {
1092 			/*
1093 			 * This logic is run once for the first LOAD Program
1094 			 * Header for ET_DYN binaries to calculate the
1095 			 * randomization (load_bias) for all the LOAD
1096 			 * Program Headers.
1097 			 *
1098 			 * There are effectively two types of ET_DYN
1099 			 * binaries: programs (i.e. PIE: ET_DYN with INTERP)
1100 			 * and loaders (ET_DYN without INTERP, since they
1101 			 * _are_ the ELF interpreter). The loaders must
1102 			 * be loaded away from programs since the program
1103 			 * may otherwise collide with the loader (especially
1104 			 * for ET_EXEC which does not have a randomized
1105 			 * position). For example to handle invocations of
1106 			 * "./ld.so someprog" to test out a new version of
1107 			 * the loader, the subsequent program that the
1108 			 * loader loads must avoid the loader itself, so
1109 			 * they cannot share the same load range. Sufficient
1110 			 * room for the brk must be allocated with the
1111 			 * loader as well, since brk must be available with
1112 			 * the loader.
1113 			 *
1114 			 * Therefore, programs are loaded offset from
1115 			 * ELF_ET_DYN_BASE and loaders are loaded into the
1116 			 * independently randomized mmap region (0 load_bias
1117 			 * without MAP_FIXED nor MAP_FIXED_NOREPLACE).
1118 			 */
1119 			alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum);
1120 			if (interpreter || alignment > ELF_MIN_ALIGN) {
1121 				load_bias = ELF_ET_DYN_BASE;
1122 				if (current->flags & PF_RANDOMIZE)
1123 					load_bias += arch_mmap_rnd();
1124 				if (alignment)
1125 					load_bias &= ~(alignment - 1);
1126 				elf_flags |= MAP_FIXED_NOREPLACE;
1127 			} else
1128 				load_bias = 0;
1129 
1130 			/*
1131 			 * Since load_bias is used for all subsequent loading
1132 			 * calculations, we must lower it by the first vaddr
1133 			 * so that the remaining calculations based on the
1134 			 * ELF vaddrs will be correctly offset. The result
1135 			 * is then page aligned.
1136 			 */
1137 			load_bias = ELF_PAGESTART(load_bias - vaddr);
1138 
1139 			/*
1140 			 * Calculate the entire size of the ELF mapping
1141 			 * (total_size), used for the initial mapping,
1142 			 * due to load_addr_set which is set to true later
1143 			 * once the initial mapping is performed.
1144 			 *
1145 			 * Note that this is only sensible when the LOAD
1146 			 * segments are contiguous (or overlapping). If
1147 			 * used for LOADs that are far apart, this would
1148 			 * cause the holes between LOADs to be mapped,
1149 			 * running the risk of having the mapping fail,
1150 			 * as it would be larger than the ELF file itself.
1151 			 *
1152 			 * As a result, only ET_DYN does this, since
1153 			 * some ET_EXEC (e.g. ia64) may have large virtual
1154 			 * memory holes between LOADs.
1155 			 *
1156 			 */
1157 			total_size = total_mapping_size(elf_phdata,
1158 							elf_ex->e_phnum);
1159 			if (!total_size) {
1160 				retval = -EINVAL;
1161 				goto out_free_dentry;
1162 			}
1163 		}
1164 
1165 		error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
1166 				elf_prot, elf_flags, total_size);
1167 		if (BAD_ADDR(error)) {
1168 			retval = IS_ERR((void *)error) ?
1169 				PTR_ERR((void*)error) : -EINVAL;
1170 			goto out_free_dentry;
1171 		}
1172 
1173 		if (!load_addr_set) {
1174 			load_addr_set = 1;
1175 			load_addr = (elf_ppnt->p_vaddr - elf_ppnt->p_offset);
1176 			if (elf_ex->e_type == ET_DYN) {
1177 				load_bias += error -
1178 				             ELF_PAGESTART(load_bias + vaddr);
1179 				load_addr += load_bias;
1180 				reloc_func_desc = load_bias;
1181 			}
1182 		}
1183 		k = elf_ppnt->p_vaddr;
1184 		if ((elf_ppnt->p_flags & PF_X) && k < start_code)
1185 			start_code = k;
1186 		if (start_data < k)
1187 			start_data = k;
1188 
1189 		/*
1190 		 * Check to see if the section's size will overflow the
1191 		 * allowed task size. Note that p_filesz must always be
1192 		 * <= p_memsz so it is only necessary to check p_memsz.
1193 		 */
1194 		if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
1195 		    elf_ppnt->p_memsz > TASK_SIZE ||
1196 		    TASK_SIZE - elf_ppnt->p_memsz < k) {
1197 			/* set_brk can never work. Avoid overflows. */
1198 			retval = -EINVAL;
1199 			goto out_free_dentry;
1200 		}
1201 
1202 		k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz;
1203 
1204 		if (k > elf_bss)
1205 			elf_bss = k;
1206 		if ((elf_ppnt->p_flags & PF_X) && end_code < k)
1207 			end_code = k;
1208 		if (end_data < k)
1209 			end_data = k;
1210 		k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz;
1211 		if (k > elf_brk) {
1212 			bss_prot = elf_prot;
1213 			elf_brk = k;
1214 		}
1215 	}
1216 
1217 	e_entry = elf_ex->e_entry + load_bias;
1218 	elf_bss += load_bias;
1219 	elf_brk += load_bias;
1220 	start_code += load_bias;
1221 	end_code += load_bias;
1222 	start_data += load_bias;
1223 	end_data += load_bias;
1224 
1225 	/* Calling set_brk effectively mmaps the pages that we need
1226 	 * for the bss and break sections.  We must do this before
1227 	 * mapping in the interpreter, to make sure it doesn't wind
1228 	 * up getting placed where the bss needs to go.
1229 	 */
1230 	retval = set_brk(elf_bss, elf_brk, bss_prot);
1231 	if (retval)
1232 		goto out_free_dentry;
1233 	if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
1234 		retval = -EFAULT; /* Nobody gets to see this, but.. */
1235 		goto out_free_dentry;
1236 	}
1237 
1238 	if (interpreter) {
1239 		elf_entry = load_elf_interp(interp_elf_ex,
1240 					    interpreter,
1241 					    load_bias, interp_elf_phdata,
1242 					    &arch_state);
1243 		if (!IS_ERR((void *)elf_entry)) {
1244 			/*
1245 			 * load_elf_interp() returns relocation
1246 			 * adjustment
1247 			 */
1248 			interp_load_addr = elf_entry;
1249 			elf_entry += interp_elf_ex->e_entry;
1250 		}
1251 		if (BAD_ADDR(elf_entry)) {
1252 			retval = IS_ERR((void *)elf_entry) ?
1253 					(int)elf_entry : -EINVAL;
1254 			goto out_free_dentry;
1255 		}
1256 		reloc_func_desc = interp_load_addr;
1257 
1258 		allow_write_access(interpreter);
1259 		fput(interpreter);
1260 
1261 		kfree(interp_elf_ex);
1262 		kfree(interp_elf_phdata);
1263 	} else {
1264 		elf_entry = e_entry;
1265 		if (BAD_ADDR(elf_entry)) {
1266 			retval = -EINVAL;
1267 			goto out_free_dentry;
1268 		}
1269 	}
1270 
1271 	kfree(elf_phdata);
1272 
1273 	set_binfmt(&elf_format);
1274 
1275 #ifdef ARCH_HAS_SETUP_ADDITIONAL_PAGES
1276 	retval = ARCH_SETUP_ADDITIONAL_PAGES(bprm, elf_ex, !!interpreter);
1277 	if (retval < 0)
1278 		goto out;
1279 #endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */
1280 
1281 	retval = create_elf_tables(bprm, elf_ex,
1282 			  load_addr, interp_load_addr, e_entry);
1283 	if (retval < 0)
1284 		goto out;
1285 
1286 	mm = current->mm;
1287 	mm->end_code = end_code;
1288 	mm->start_code = start_code;
1289 	mm->start_data = start_data;
1290 	mm->end_data = end_data;
1291 	mm->start_stack = bprm->p;
1292 
1293 	if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) {
1294 		/*
1295 		 * For architectures with ELF randomization, when executing
1296 		 * a loader directly (i.e. no interpreter listed in ELF
1297 		 * headers), move the brk area out of the mmap region
1298 		 * (since it grows up, and may collide early with the stack
1299 		 * growing down), and into the unused ELF_ET_DYN_BASE region.
1300 		 */
1301 		if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
1302 		    elf_ex->e_type == ET_DYN && !interpreter) {
1303 			mm->brk = mm->start_brk = ELF_ET_DYN_BASE;
1304 		}
1305 
1306 		mm->brk = mm->start_brk = arch_randomize_brk(mm);
1307 #ifdef compat_brk_randomized
1308 		current->brk_randomized = 1;
1309 #endif
1310 	}
1311 
1312 	if (current->personality & MMAP_PAGE_ZERO) {
1313 		/* Why this, you ask???  Well SVr4 maps page 0 as read-only,
1314 		   and some applications "depend" upon this behavior.
1315 		   Since we do not have the power to recompile these, we
1316 		   emulate the SVr4 behavior. Sigh. */
1317 		error = vm_mmap(NULL, 0, PAGE_SIZE, PROT_READ | PROT_EXEC,
1318 				MAP_FIXED | MAP_PRIVATE, 0);
1319 	}
1320 
1321 	regs = current_pt_regs();
1322 #ifdef ELF_PLAT_INIT
1323 	/*
1324 	 * The ABI may specify that certain registers be set up in special
1325 	 * ways (on i386 %edx is the address of a DT_FINI function, for
1326 	 * example.  In addition, it may also specify (eg, PowerPC64 ELF)
1327 	 * that the e_entry field is the address of the function descriptor
1328 	 * for the startup routine, rather than the address of the startup
1329 	 * routine itself.  This macro performs whatever initialization to
1330 	 * the regs structure is required as well as any relocations to the
1331 	 * function descriptor entries when executing dynamically links apps.
1332 	 */
1333 	ELF_PLAT_INIT(regs, reloc_func_desc);
1334 #endif
1335 
1336 	finalize_exec(bprm);
1337 	START_THREAD(elf_ex, regs, elf_entry, bprm->p);
1338 	retval = 0;
1339 out:
1340 	return retval;
1341 
1342 	/* error cleanup */
1343 out_free_dentry:
1344 	kfree(interp_elf_ex);
1345 	kfree(interp_elf_phdata);
1346 	allow_write_access(interpreter);
1347 	if (interpreter)
1348 		fput(interpreter);
1349 out_free_ph:
1350 	kfree(elf_phdata);
1351 	goto out;
1352 }
1353 
1354 #ifdef CONFIG_USELIB
1355 /* This is really simpleminded and specialized - we are loading an
1356    a.out library that is given an ELF header. */
1357 static int load_elf_library(struct file *file)
1358 {
1359 	struct elf_phdr *elf_phdata;
1360 	struct elf_phdr *eppnt;
1361 	unsigned long elf_bss, bss, len;
1362 	int retval, error, i, j;
1363 	struct elfhdr elf_ex;
1364 
1365 	error = -ENOEXEC;
1366 	retval = elf_read(file, &elf_ex, sizeof(elf_ex), 0);
1367 	if (retval < 0)
1368 		goto out;
1369 
1370 	if (memcmp(elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
1371 		goto out;
1372 
1373 	/* First of all, some simple consistency checks */
1374 	if (elf_ex.e_type != ET_EXEC || elf_ex.e_phnum > 2 ||
1375 	    !elf_check_arch(&elf_ex) || !file->f_op->mmap)
1376 		goto out;
1377 	if (elf_check_fdpic(&elf_ex))
1378 		goto out;
1379 
1380 	/* Now read in all of the header information */
1381 
1382 	j = sizeof(struct elf_phdr) * elf_ex.e_phnum;
1383 	/* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
1384 
1385 	error = -ENOMEM;
1386 	elf_phdata = kmalloc(j, GFP_KERNEL);
1387 	if (!elf_phdata)
1388 		goto out;
1389 
1390 	eppnt = elf_phdata;
1391 	error = -ENOEXEC;
1392 	retval = elf_read(file, eppnt, j, elf_ex.e_phoff);
1393 	if (retval < 0)
1394 		goto out_free_ph;
1395 
1396 	for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
1397 		if ((eppnt + i)->p_type == PT_LOAD)
1398 			j++;
1399 	if (j != 1)
1400 		goto out_free_ph;
1401 
1402 	while (eppnt->p_type != PT_LOAD)
1403 		eppnt++;
1404 
1405 	/* Now use mmap to map the library into memory. */
1406 	error = vm_mmap(file,
1407 			ELF_PAGESTART(eppnt->p_vaddr),
1408 			(eppnt->p_filesz +
1409 			 ELF_PAGEOFFSET(eppnt->p_vaddr)),
1410 			PROT_READ | PROT_WRITE | PROT_EXEC,
1411 			MAP_FIXED_NOREPLACE | MAP_PRIVATE,
1412 			(eppnt->p_offset -
1413 			 ELF_PAGEOFFSET(eppnt->p_vaddr)));
1414 	if (error != ELF_PAGESTART(eppnt->p_vaddr))
1415 		goto out_free_ph;
1416 
1417 	elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
1418 	if (padzero(elf_bss)) {
1419 		error = -EFAULT;
1420 		goto out_free_ph;
1421 	}
1422 
1423 	len = ELF_PAGEALIGN(eppnt->p_filesz + eppnt->p_vaddr);
1424 	bss = ELF_PAGEALIGN(eppnt->p_memsz + eppnt->p_vaddr);
1425 	if (bss > len) {
1426 		error = vm_brk(len, bss - len);
1427 		if (error)
1428 			goto out_free_ph;
1429 	}
1430 	error = 0;
1431 
1432 out_free_ph:
1433 	kfree(elf_phdata);
1434 out:
1435 	return error;
1436 }
1437 #endif /* #ifdef CONFIG_USELIB */
1438 
1439 #ifdef CONFIG_ELF_CORE
1440 /*
1441  * ELF core dumper
1442  *
1443  * Modelled on fs/exec.c:aout_core_dump()
1444  * Jeremy Fitzhardinge <jeremy@sw.oz.au>
1445  */
1446 
1447 /* An ELF note in memory */
1448 struct memelfnote
1449 {
1450 	const char *name;
1451 	int type;
1452 	unsigned int datasz;
1453 	void *data;
1454 };
1455 
1456 static int notesize(struct memelfnote *en)
1457 {
1458 	int sz;
1459 
1460 	sz = sizeof(struct elf_note);
1461 	sz += roundup(strlen(en->name) + 1, 4);
1462 	sz += roundup(en->datasz, 4);
1463 
1464 	return sz;
1465 }
1466 
1467 static int writenote(struct memelfnote *men, struct coredump_params *cprm)
1468 {
1469 	struct elf_note en;
1470 	en.n_namesz = strlen(men->name) + 1;
1471 	en.n_descsz = men->datasz;
1472 	en.n_type = men->type;
1473 
1474 	return dump_emit(cprm, &en, sizeof(en)) &&
1475 	    dump_emit(cprm, men->name, en.n_namesz) && dump_align(cprm, 4) &&
1476 	    dump_emit(cprm, men->data, men->datasz) && dump_align(cprm, 4);
1477 }
1478 
1479 static void fill_elf_header(struct elfhdr *elf, int segs,
1480 			    u16 machine, u32 flags)
1481 {
1482 	memset(elf, 0, sizeof(*elf));
1483 
1484 	memcpy(elf->e_ident, ELFMAG, SELFMAG);
1485 	elf->e_ident[EI_CLASS] = ELF_CLASS;
1486 	elf->e_ident[EI_DATA] = ELF_DATA;
1487 	elf->e_ident[EI_VERSION] = EV_CURRENT;
1488 	elf->e_ident[EI_OSABI] = ELF_OSABI;
1489 
1490 	elf->e_type = ET_CORE;
1491 	elf->e_machine = machine;
1492 	elf->e_version = EV_CURRENT;
1493 	elf->e_phoff = sizeof(struct elfhdr);
1494 	elf->e_flags = flags;
1495 	elf->e_ehsize = sizeof(struct elfhdr);
1496 	elf->e_phentsize = sizeof(struct elf_phdr);
1497 	elf->e_phnum = segs;
1498 }
1499 
1500 static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
1501 {
1502 	phdr->p_type = PT_NOTE;
1503 	phdr->p_offset = offset;
1504 	phdr->p_vaddr = 0;
1505 	phdr->p_paddr = 0;
1506 	phdr->p_filesz = sz;
1507 	phdr->p_memsz = 0;
1508 	phdr->p_flags = 0;
1509 	phdr->p_align = 0;
1510 }
1511 
1512 static void fill_note(struct memelfnote *note, const char *name, int type,
1513 		unsigned int sz, void *data)
1514 {
1515 	note->name = name;
1516 	note->type = type;
1517 	note->datasz = sz;
1518 	note->data = data;
1519 }
1520 
1521 /*
1522  * fill up all the fields in prstatus from the given task struct, except
1523  * registers which need to be filled up separately.
1524  */
1525 static void fill_prstatus(struct elf_prstatus_common *prstatus,
1526 		struct task_struct *p, long signr)
1527 {
1528 	prstatus->pr_info.si_signo = prstatus->pr_cursig = signr;
1529 	prstatus->pr_sigpend = p->pending.signal.sig[0];
1530 	prstatus->pr_sighold = p->blocked.sig[0];
1531 	rcu_read_lock();
1532 	prstatus->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
1533 	rcu_read_unlock();
1534 	prstatus->pr_pid = task_pid_vnr(p);
1535 	prstatus->pr_pgrp = task_pgrp_vnr(p);
1536 	prstatus->pr_sid = task_session_vnr(p);
1537 	if (thread_group_leader(p)) {
1538 		struct task_cputime cputime;
1539 
1540 		/*
1541 		 * This is the record for the group leader.  It shows the
1542 		 * group-wide total, not its individual thread total.
1543 		 */
1544 		thread_group_cputime(p, &cputime);
1545 		prstatus->pr_utime = ns_to_kernel_old_timeval(cputime.utime);
1546 		prstatus->pr_stime = ns_to_kernel_old_timeval(cputime.stime);
1547 	} else {
1548 		u64 utime, stime;
1549 
1550 		task_cputime(p, &utime, &stime);
1551 		prstatus->pr_utime = ns_to_kernel_old_timeval(utime);
1552 		prstatus->pr_stime = ns_to_kernel_old_timeval(stime);
1553 	}
1554 
1555 	prstatus->pr_cutime = ns_to_kernel_old_timeval(p->signal->cutime);
1556 	prstatus->pr_cstime = ns_to_kernel_old_timeval(p->signal->cstime);
1557 }
1558 
1559 static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
1560 		       struct mm_struct *mm)
1561 {
1562 	const struct cred *cred;
1563 	unsigned int i, len;
1564 	unsigned int state;
1565 
1566 	/* first copy the parameters from user space */
1567 	memset(psinfo, 0, sizeof(struct elf_prpsinfo));
1568 
1569 	len = mm->arg_end - mm->arg_start;
1570 	if (len >= ELF_PRARGSZ)
1571 		len = ELF_PRARGSZ-1;
1572 	if (copy_from_user(&psinfo->pr_psargs,
1573 		           (const char __user *)mm->arg_start, len))
1574 		return -EFAULT;
1575 	for(i = 0; i < len; i++)
1576 		if (psinfo->pr_psargs[i] == 0)
1577 			psinfo->pr_psargs[i] = ' ';
1578 	psinfo->pr_psargs[len] = 0;
1579 
1580 	rcu_read_lock();
1581 	psinfo->pr_ppid = task_pid_vnr(rcu_dereference(p->real_parent));
1582 	rcu_read_unlock();
1583 	psinfo->pr_pid = task_pid_vnr(p);
1584 	psinfo->pr_pgrp = task_pgrp_vnr(p);
1585 	psinfo->pr_sid = task_session_vnr(p);
1586 
1587 	state = READ_ONCE(p->__state);
1588 	i = state ? ffz(~state) + 1 : 0;
1589 	psinfo->pr_state = i;
1590 	psinfo->pr_sname = (i > 5) ? '.' : "RSDTZW"[i];
1591 	psinfo->pr_zomb = psinfo->pr_sname == 'Z';
1592 	psinfo->pr_nice = task_nice(p);
1593 	psinfo->pr_flag = p->flags;
1594 	rcu_read_lock();
1595 	cred = __task_cred(p);
1596 	SET_UID(psinfo->pr_uid, from_kuid_munged(cred->user_ns, cred->uid));
1597 	SET_GID(psinfo->pr_gid, from_kgid_munged(cred->user_ns, cred->gid));
1598 	rcu_read_unlock();
1599 	get_task_comm(psinfo->pr_fname, p);
1600 
1601 	return 0;
1602 }
1603 
1604 static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
1605 {
1606 	elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
1607 	int i = 0;
1608 	do
1609 		i += 2;
1610 	while (auxv[i - 2] != AT_NULL);
1611 	fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
1612 }
1613 
1614 static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
1615 		const kernel_siginfo_t *siginfo)
1616 {
1617 	copy_siginfo_to_external(csigdata, siginfo);
1618 	fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
1619 }
1620 
1621 #define MAX_FILE_NOTE_SIZE (4*1024*1024)
1622 /*
1623  * Format of NT_FILE note:
1624  *
1625  * long count     -- how many files are mapped
1626  * long page_size -- units for file_ofs
1627  * array of [COUNT] elements of
1628  *   long start
1629  *   long end
1630  *   long file_ofs
1631  * followed by COUNT filenames in ASCII: "FILE1" NUL "FILE2" NUL...
1632  */
1633 static int fill_files_note(struct memelfnote *note)
1634 {
1635 	struct mm_struct *mm = current->mm;
1636 	struct vm_area_struct *vma;
1637 	unsigned count, size, names_ofs, remaining, n;
1638 	user_long_t *data;
1639 	user_long_t *start_end_ofs;
1640 	char *name_base, *name_curpos;
1641 
1642 	/* *Estimated* file count and total data size needed */
1643 	count = mm->map_count;
1644 	if (count > UINT_MAX / 64)
1645 		return -EINVAL;
1646 	size = count * 64;
1647 
1648 	names_ofs = (2 + 3 * count) * sizeof(data[0]);
1649  alloc:
1650 	if (size >= MAX_FILE_NOTE_SIZE) /* paranoia check */
1651 		return -EINVAL;
1652 	size = round_up(size, PAGE_SIZE);
1653 	/*
1654 	 * "size" can be 0 here legitimately.
1655 	 * Let it ENOMEM and omit NT_FILE section which will be empty anyway.
1656 	 */
1657 	data = kvmalloc(size, GFP_KERNEL);
1658 	if (ZERO_OR_NULL_PTR(data))
1659 		return -ENOMEM;
1660 
1661 	start_end_ofs = data + 2;
1662 	name_base = name_curpos = ((char *)data) + names_ofs;
1663 	remaining = size - names_ofs;
1664 	count = 0;
1665 	for (vma = mm->mmap; vma != NULL; vma = vma->vm_next) {
1666 		struct file *file;
1667 		const char *filename;
1668 
1669 		file = vma->vm_file;
1670 		if (!file)
1671 			continue;
1672 		filename = file_path(file, name_curpos, remaining);
1673 		if (IS_ERR(filename)) {
1674 			if (PTR_ERR(filename) == -ENAMETOOLONG) {
1675 				kvfree(data);
1676 				size = size * 5 / 4;
1677 				goto alloc;
1678 			}
1679 			continue;
1680 		}
1681 
1682 		/* file_path() fills at the end, move name down */
1683 		/* n = strlen(filename) + 1: */
1684 		n = (name_curpos + remaining) - filename;
1685 		remaining = filename - name_curpos;
1686 		memmove(name_curpos, filename, n);
1687 		name_curpos += n;
1688 
1689 		*start_end_ofs++ = vma->vm_start;
1690 		*start_end_ofs++ = vma->vm_end;
1691 		*start_end_ofs++ = vma->vm_pgoff;
1692 		count++;
1693 	}
1694 
1695 	/* Now we know exact count of files, can store it */
1696 	data[0] = count;
1697 	data[1] = PAGE_SIZE;
1698 	/*
1699 	 * Count usually is less than mm->map_count,
1700 	 * we need to move filenames down.
1701 	 */
1702 	n = mm->map_count - count;
1703 	if (n != 0) {
1704 		unsigned shift_bytes = n * 3 * sizeof(data[0]);
1705 		memmove(name_base - shift_bytes, name_base,
1706 			name_curpos - name_base);
1707 		name_curpos -= shift_bytes;
1708 	}
1709 
1710 	size = name_curpos - (char *)data;
1711 	fill_note(note, "CORE", NT_FILE, size, data);
1712 	return 0;
1713 }
1714 
1715 #ifdef CORE_DUMP_USE_REGSET
1716 #include <linux/regset.h>
1717 
1718 struct elf_thread_core_info {
1719 	struct elf_thread_core_info *next;
1720 	struct task_struct *task;
1721 	struct elf_prstatus prstatus;
1722 	struct memelfnote notes[];
1723 };
1724 
1725 struct elf_note_info {
1726 	struct elf_thread_core_info *thread;
1727 	struct memelfnote psinfo;
1728 	struct memelfnote signote;
1729 	struct memelfnote auxv;
1730 	struct memelfnote files;
1731 	user_siginfo_t csigdata;
1732 	size_t size;
1733 	int thread_notes;
1734 };
1735 
1736 /*
1737  * When a regset has a writeback hook, we call it on each thread before
1738  * dumping user memory.  On register window machines, this makes sure the
1739  * user memory backing the register data is up to date before we read it.
1740  */
1741 static void do_thread_regset_writeback(struct task_struct *task,
1742 				       const struct user_regset *regset)
1743 {
1744 	if (regset->writeback)
1745 		regset->writeback(task, regset, 1);
1746 }
1747 
1748 #ifndef PRSTATUS_SIZE
1749 #define PRSTATUS_SIZE sizeof(struct elf_prstatus)
1750 #endif
1751 
1752 #ifndef SET_PR_FPVALID
1753 #define SET_PR_FPVALID(S) ((S)->pr_fpvalid = 1)
1754 #endif
1755 
1756 static int fill_thread_core_info(struct elf_thread_core_info *t,
1757 				 const struct user_regset_view *view,
1758 				 long signr, size_t *total)
1759 {
1760 	unsigned int i;
1761 
1762 	/*
1763 	 * NT_PRSTATUS is the one special case, because the regset data
1764 	 * goes into the pr_reg field inside the note contents, rather
1765 	 * than being the whole note contents.  We fill the reset in here.
1766 	 * We assume that regset 0 is NT_PRSTATUS.
1767 	 */
1768 	fill_prstatus(&t->prstatus.common, t->task, signr);
1769 	regset_get(t->task, &view->regsets[0],
1770 		   sizeof(t->prstatus.pr_reg), &t->prstatus.pr_reg);
1771 
1772 	fill_note(&t->notes[0], "CORE", NT_PRSTATUS,
1773 		  PRSTATUS_SIZE, &t->prstatus);
1774 	*total += notesize(&t->notes[0]);
1775 
1776 	do_thread_regset_writeback(t->task, &view->regsets[0]);
1777 
1778 	/*
1779 	 * Each other regset might generate a note too.  For each regset
1780 	 * that has no core_note_type or is inactive, we leave t->notes[i]
1781 	 * all zero and we'll know to skip writing it later.
1782 	 */
1783 	for (i = 1; i < view->n; ++i) {
1784 		const struct user_regset *regset = &view->regsets[i];
1785 		int note_type = regset->core_note_type;
1786 		bool is_fpreg = note_type == NT_PRFPREG;
1787 		void *data;
1788 		int ret;
1789 
1790 		do_thread_regset_writeback(t->task, regset);
1791 		if (!note_type) // not for coredumps
1792 			continue;
1793 		if (regset->active && regset->active(t->task, regset) <= 0)
1794 			continue;
1795 
1796 		ret = regset_get_alloc(t->task, regset, ~0U, &data);
1797 		if (ret < 0)
1798 			continue;
1799 
1800 		if (is_fpreg)
1801 			SET_PR_FPVALID(&t->prstatus);
1802 
1803 		fill_note(&t->notes[i], is_fpreg ? "CORE" : "LINUX",
1804 			  note_type, ret, data);
1805 
1806 		*total += notesize(&t->notes[i]);
1807 	}
1808 
1809 	return 1;
1810 }
1811 
1812 static int fill_note_info(struct elfhdr *elf, int phdrs,
1813 			  struct elf_note_info *info,
1814 			  const kernel_siginfo_t *siginfo, struct pt_regs *regs)
1815 {
1816 	struct task_struct *dump_task = current;
1817 	const struct user_regset_view *view = task_user_regset_view(dump_task);
1818 	struct elf_thread_core_info *t;
1819 	struct elf_prpsinfo *psinfo;
1820 	struct core_thread *ct;
1821 	unsigned int i;
1822 
1823 	info->size = 0;
1824 	info->thread = NULL;
1825 
1826 	psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL);
1827 	if (psinfo == NULL) {
1828 		info->psinfo.data = NULL; /* So we don't free this wrongly */
1829 		return 0;
1830 	}
1831 
1832 	fill_note(&info->psinfo, "CORE", NT_PRPSINFO, sizeof(*psinfo), psinfo);
1833 
1834 	/*
1835 	 * Figure out how many notes we're going to need for each thread.
1836 	 */
1837 	info->thread_notes = 0;
1838 	for (i = 0; i < view->n; ++i)
1839 		if (view->regsets[i].core_note_type != 0)
1840 			++info->thread_notes;
1841 
1842 	/*
1843 	 * Sanity check.  We rely on regset 0 being in NT_PRSTATUS,
1844 	 * since it is our one special case.
1845 	 */
1846 	if (unlikely(info->thread_notes == 0) ||
1847 	    unlikely(view->regsets[0].core_note_type != NT_PRSTATUS)) {
1848 		WARN_ON(1);
1849 		return 0;
1850 	}
1851 
1852 	/*
1853 	 * Initialize the ELF file header.
1854 	 */
1855 	fill_elf_header(elf, phdrs,
1856 			view->e_machine, view->e_flags);
1857 
1858 	/*
1859 	 * Allocate a structure for each thread.
1860 	 */
1861 	for (ct = &dump_task->signal->core_state->dumper; ct; ct = ct->next) {
1862 		t = kzalloc(offsetof(struct elf_thread_core_info,
1863 				     notes[info->thread_notes]),
1864 			    GFP_KERNEL);
1865 		if (unlikely(!t))
1866 			return 0;
1867 
1868 		t->task = ct->task;
1869 		if (ct->task == dump_task || !info->thread) {
1870 			t->next = info->thread;
1871 			info->thread = t;
1872 		} else {
1873 			/*
1874 			 * Make sure to keep the original task at
1875 			 * the head of the list.
1876 			 */
1877 			t->next = info->thread->next;
1878 			info->thread->next = t;
1879 		}
1880 	}
1881 
1882 	/*
1883 	 * Now fill in each thread's information.
1884 	 */
1885 	for (t = info->thread; t != NULL; t = t->next)
1886 		if (!fill_thread_core_info(t, view, siginfo->si_signo, &info->size))
1887 			return 0;
1888 
1889 	/*
1890 	 * Fill in the two process-wide notes.
1891 	 */
1892 	fill_psinfo(psinfo, dump_task->group_leader, dump_task->mm);
1893 	info->size += notesize(&info->psinfo);
1894 
1895 	fill_siginfo_note(&info->signote, &info->csigdata, siginfo);
1896 	info->size += notesize(&info->signote);
1897 
1898 	fill_auxv_note(&info->auxv, current->mm);
1899 	info->size += notesize(&info->auxv);
1900 
1901 	if (fill_files_note(&info->files) == 0)
1902 		info->size += notesize(&info->files);
1903 
1904 	return 1;
1905 }
1906 
1907 static size_t get_note_info_size(struct elf_note_info *info)
1908 {
1909 	return info->size;
1910 }
1911 
1912 /*
1913  * Write all the notes for each thread.  When writing the first thread, the
1914  * process-wide notes are interleaved after the first thread-specific note.
1915  */
1916 static int write_note_info(struct elf_note_info *info,
1917 			   struct coredump_params *cprm)
1918 {
1919 	bool first = true;
1920 	struct elf_thread_core_info *t = info->thread;
1921 
1922 	do {
1923 		int i;
1924 
1925 		if (!writenote(&t->notes[0], cprm))
1926 			return 0;
1927 
1928 		if (first && !writenote(&info->psinfo, cprm))
1929 			return 0;
1930 		if (first && !writenote(&info->signote, cprm))
1931 			return 0;
1932 		if (first && !writenote(&info->auxv, cprm))
1933 			return 0;
1934 		if (first && info->files.data &&
1935 				!writenote(&info->files, cprm))
1936 			return 0;
1937 
1938 		for (i = 1; i < info->thread_notes; ++i)
1939 			if (t->notes[i].data &&
1940 			    !writenote(&t->notes[i], cprm))
1941 				return 0;
1942 
1943 		first = false;
1944 		t = t->next;
1945 	} while (t);
1946 
1947 	return 1;
1948 }
1949 
1950 static void free_note_info(struct elf_note_info *info)
1951 {
1952 	struct elf_thread_core_info *threads = info->thread;
1953 	while (threads) {
1954 		unsigned int i;
1955 		struct elf_thread_core_info *t = threads;
1956 		threads = t->next;
1957 		WARN_ON(t->notes[0].data && t->notes[0].data != &t->prstatus);
1958 		for (i = 1; i < info->thread_notes; ++i)
1959 			kfree(t->notes[i].data);
1960 		kfree(t);
1961 	}
1962 	kfree(info->psinfo.data);
1963 	kvfree(info->files.data);
1964 }
1965 
1966 #else
1967 
1968 /* Here is the structure in which status of each thread is captured. */
1969 struct elf_thread_status
1970 {
1971 	struct list_head list;
1972 	struct elf_prstatus prstatus;	/* NT_PRSTATUS */
1973 	elf_fpregset_t fpu;		/* NT_PRFPREG */
1974 	struct task_struct *thread;
1975 	struct memelfnote notes[3];
1976 	int num_notes;
1977 };
1978 
1979 /*
1980  * In order to add the specific thread information for the elf file format,
1981  * we need to keep a linked list of every threads pr_status and then create
1982  * a single section for them in the final core file.
1983  */
1984 static int elf_dump_thread_status(long signr, struct elf_thread_status *t)
1985 {
1986 	int sz = 0;
1987 	struct task_struct *p = t->thread;
1988 	t->num_notes = 0;
1989 
1990 	fill_prstatus(&t->prstatus.common, p, signr);
1991 	elf_core_copy_task_regs(p, &t->prstatus.pr_reg);
1992 
1993 	fill_note(&t->notes[0], "CORE", NT_PRSTATUS, sizeof(t->prstatus),
1994 		  &(t->prstatus));
1995 	t->num_notes++;
1996 	sz += notesize(&t->notes[0]);
1997 
1998 	if ((t->prstatus.pr_fpvalid = elf_core_copy_task_fpregs(p, NULL,
1999 								&t->fpu))) {
2000 		fill_note(&t->notes[1], "CORE", NT_PRFPREG, sizeof(t->fpu),
2001 			  &(t->fpu));
2002 		t->num_notes++;
2003 		sz += notesize(&t->notes[1]);
2004 	}
2005 	return sz;
2006 }
2007 
2008 struct elf_note_info {
2009 	struct memelfnote *notes;
2010 	struct memelfnote *notes_files;
2011 	struct elf_prstatus *prstatus;	/* NT_PRSTATUS */
2012 	struct elf_prpsinfo *psinfo;	/* NT_PRPSINFO */
2013 	struct list_head thread_list;
2014 	elf_fpregset_t *fpu;
2015 	user_siginfo_t csigdata;
2016 	int thread_status_size;
2017 	int numnote;
2018 };
2019 
2020 static int elf_note_info_init(struct elf_note_info *info)
2021 {
2022 	memset(info, 0, sizeof(*info));
2023 	INIT_LIST_HEAD(&info->thread_list);
2024 
2025 	/* Allocate space for ELF notes */
2026 	info->notes = kmalloc_array(8, sizeof(struct memelfnote), GFP_KERNEL);
2027 	if (!info->notes)
2028 		return 0;
2029 	info->psinfo = kmalloc(sizeof(*info->psinfo), GFP_KERNEL);
2030 	if (!info->psinfo)
2031 		return 0;
2032 	info->prstatus = kmalloc(sizeof(*info->prstatus), GFP_KERNEL);
2033 	if (!info->prstatus)
2034 		return 0;
2035 	info->fpu = kmalloc(sizeof(*info->fpu), GFP_KERNEL);
2036 	if (!info->fpu)
2037 		return 0;
2038 	return 1;
2039 }
2040 
2041 static int fill_note_info(struct elfhdr *elf, int phdrs,
2042 			  struct elf_note_info *info,
2043 			  const kernel_siginfo_t *siginfo, struct pt_regs *regs)
2044 {
2045 	struct core_thread *ct;
2046 	struct elf_thread_status *ets;
2047 
2048 	if (!elf_note_info_init(info))
2049 		return 0;
2050 
2051 	for (ct = current->signal->core_state->dumper.next;
2052 					ct; ct = ct->next) {
2053 		ets = kzalloc(sizeof(*ets), GFP_KERNEL);
2054 		if (!ets)
2055 			return 0;
2056 
2057 		ets->thread = ct->task;
2058 		list_add(&ets->list, &info->thread_list);
2059 	}
2060 
2061 	list_for_each_entry(ets, &info->thread_list, list) {
2062 		int sz;
2063 
2064 		sz = elf_dump_thread_status(siginfo->si_signo, ets);
2065 		info->thread_status_size += sz;
2066 	}
2067 	/* now collect the dump for the current */
2068 	memset(info->prstatus, 0, sizeof(*info->prstatus));
2069 	fill_prstatus(&info->prstatus->common, current, siginfo->si_signo);
2070 	elf_core_copy_regs(&info->prstatus->pr_reg, regs);
2071 
2072 	/* Set up header */
2073 	fill_elf_header(elf, phdrs, ELF_ARCH, ELF_CORE_EFLAGS);
2074 
2075 	/*
2076 	 * Set up the notes in similar form to SVR4 core dumps made
2077 	 * with info from their /proc.
2078 	 */
2079 
2080 	fill_note(info->notes + 0, "CORE", NT_PRSTATUS,
2081 		  sizeof(*info->prstatus), info->prstatus);
2082 	fill_psinfo(info->psinfo, current->group_leader, current->mm);
2083 	fill_note(info->notes + 1, "CORE", NT_PRPSINFO,
2084 		  sizeof(*info->psinfo), info->psinfo);
2085 
2086 	fill_siginfo_note(info->notes + 2, &info->csigdata, siginfo);
2087 	fill_auxv_note(info->notes + 3, current->mm);
2088 	info->numnote = 4;
2089 
2090 	if (fill_files_note(info->notes + info->numnote) == 0) {
2091 		info->notes_files = info->notes + info->numnote;
2092 		info->numnote++;
2093 	}
2094 
2095 	/* Try to dump the FPU. */
2096 	info->prstatus->pr_fpvalid = elf_core_copy_task_fpregs(current, regs,
2097 							       info->fpu);
2098 	if (info->prstatus->pr_fpvalid)
2099 		fill_note(info->notes + info->numnote++,
2100 			  "CORE", NT_PRFPREG, sizeof(*info->fpu), info->fpu);
2101 	return 1;
2102 }
2103 
2104 static size_t get_note_info_size(struct elf_note_info *info)
2105 {
2106 	int sz = 0;
2107 	int i;
2108 
2109 	for (i = 0; i < info->numnote; i++)
2110 		sz += notesize(info->notes + i);
2111 
2112 	sz += info->thread_status_size;
2113 
2114 	return sz;
2115 }
2116 
2117 static int write_note_info(struct elf_note_info *info,
2118 			   struct coredump_params *cprm)
2119 {
2120 	struct elf_thread_status *ets;
2121 	int i;
2122 
2123 	for (i = 0; i < info->numnote; i++)
2124 		if (!writenote(info->notes + i, cprm))
2125 			return 0;
2126 
2127 	/* write out the thread status notes section */
2128 	list_for_each_entry(ets, &info->thread_list, list) {
2129 		for (i = 0; i < ets->num_notes; i++)
2130 			if (!writenote(&ets->notes[i], cprm))
2131 				return 0;
2132 	}
2133 
2134 	return 1;
2135 }
2136 
2137 static void free_note_info(struct elf_note_info *info)
2138 {
2139 	while (!list_empty(&info->thread_list)) {
2140 		struct list_head *tmp = info->thread_list.next;
2141 		list_del(tmp);
2142 		kfree(list_entry(tmp, struct elf_thread_status, list));
2143 	}
2144 
2145 	/* Free data possibly allocated by fill_files_note(): */
2146 	if (info->notes_files)
2147 		kvfree(info->notes_files->data);
2148 
2149 	kfree(info->prstatus);
2150 	kfree(info->psinfo);
2151 	kfree(info->notes);
2152 	kfree(info->fpu);
2153 }
2154 
2155 #endif
2156 
2157 static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
2158 			     elf_addr_t e_shoff, int segs)
2159 {
2160 	elf->e_shoff = e_shoff;
2161 	elf->e_shentsize = sizeof(*shdr4extnum);
2162 	elf->e_shnum = 1;
2163 	elf->e_shstrndx = SHN_UNDEF;
2164 
2165 	memset(shdr4extnum, 0, sizeof(*shdr4extnum));
2166 
2167 	shdr4extnum->sh_type = SHT_NULL;
2168 	shdr4extnum->sh_size = elf->e_shnum;
2169 	shdr4extnum->sh_link = elf->e_shstrndx;
2170 	shdr4extnum->sh_info = segs;
2171 }
2172 
2173 /*
2174  * Actual dumper
2175  *
2176  * This is a two-pass process; first we find the offsets of the bits,
2177  * and then they are actually written out.  If we run out of core limit
2178  * we just truncate.
2179  */
2180 static int elf_core_dump(struct coredump_params *cprm)
2181 {
2182 	int has_dumped = 0;
2183 	int vma_count, segs, i;
2184 	size_t vma_data_size;
2185 	struct elfhdr elf;
2186 	loff_t offset = 0, dataoff;
2187 	struct elf_note_info info = { };
2188 	struct elf_phdr *phdr4note = NULL;
2189 	struct elf_shdr *shdr4extnum = NULL;
2190 	Elf_Half e_phnum;
2191 	elf_addr_t e_shoff;
2192 	struct core_vma_metadata *vma_meta;
2193 
2194 	if (dump_vma_snapshot(cprm, &vma_count, &vma_meta, &vma_data_size))
2195 		return 0;
2196 
2197 	/*
2198 	 * The number of segs are recored into ELF header as 16bit value.
2199 	 * Please check DEFAULT_MAX_MAP_COUNT definition when you modify here.
2200 	 */
2201 	segs = vma_count + elf_core_extra_phdrs();
2202 
2203 	/* for notes section */
2204 	segs++;
2205 
2206 	/* If segs > PN_XNUM(0xffff), then e_phnum overflows. To avoid
2207 	 * this, kernel supports extended numbering. Have a look at
2208 	 * include/linux/elf.h for further information. */
2209 	e_phnum = segs > PN_XNUM ? PN_XNUM : segs;
2210 
2211 	/*
2212 	 * Collect all the non-memory information about the process for the
2213 	 * notes.  This also sets up the file header.
2214 	 */
2215 	if (!fill_note_info(&elf, e_phnum, &info, cprm->siginfo, cprm->regs))
2216 		goto end_coredump;
2217 
2218 	has_dumped = 1;
2219 
2220 	offset += sizeof(elf);				/* Elf header */
2221 	offset += segs * sizeof(struct elf_phdr);	/* Program headers */
2222 
2223 	/* Write notes phdr entry */
2224 	{
2225 		size_t sz = get_note_info_size(&info);
2226 
2227 		/* For cell spufs */
2228 		sz += elf_coredump_extra_notes_size();
2229 
2230 		phdr4note = kmalloc(sizeof(*phdr4note), GFP_KERNEL);
2231 		if (!phdr4note)
2232 			goto end_coredump;
2233 
2234 		fill_elf_note_phdr(phdr4note, sz, offset);
2235 		offset += sz;
2236 	}
2237 
2238 	dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
2239 
2240 	offset += vma_data_size;
2241 	offset += elf_core_extra_data_size();
2242 	e_shoff = offset;
2243 
2244 	if (e_phnum == PN_XNUM) {
2245 		shdr4extnum = kmalloc(sizeof(*shdr4extnum), GFP_KERNEL);
2246 		if (!shdr4extnum)
2247 			goto end_coredump;
2248 		fill_extnum_info(&elf, shdr4extnum, e_shoff, segs);
2249 	}
2250 
2251 	offset = dataoff;
2252 
2253 	if (!dump_emit(cprm, &elf, sizeof(elf)))
2254 		goto end_coredump;
2255 
2256 	if (!dump_emit(cprm, phdr4note, sizeof(*phdr4note)))
2257 		goto end_coredump;
2258 
2259 	/* Write program headers for segments dump */
2260 	for (i = 0; i < vma_count; i++) {
2261 		struct core_vma_metadata *meta = vma_meta + i;
2262 		struct elf_phdr phdr;
2263 
2264 		phdr.p_type = PT_LOAD;
2265 		phdr.p_offset = offset;
2266 		phdr.p_vaddr = meta->start;
2267 		phdr.p_paddr = 0;
2268 		phdr.p_filesz = meta->dump_size;
2269 		phdr.p_memsz = meta->end - meta->start;
2270 		offset += phdr.p_filesz;
2271 		phdr.p_flags = 0;
2272 		if (meta->flags & VM_READ)
2273 			phdr.p_flags |= PF_R;
2274 		if (meta->flags & VM_WRITE)
2275 			phdr.p_flags |= PF_W;
2276 		if (meta->flags & VM_EXEC)
2277 			phdr.p_flags |= PF_X;
2278 		phdr.p_align = ELF_EXEC_PAGESIZE;
2279 
2280 		if (!dump_emit(cprm, &phdr, sizeof(phdr)))
2281 			goto end_coredump;
2282 	}
2283 
2284 	if (!elf_core_write_extra_phdrs(cprm, offset))
2285 		goto end_coredump;
2286 
2287  	/* write out the notes section */
2288 	if (!write_note_info(&info, cprm))
2289 		goto end_coredump;
2290 
2291 	/* For cell spufs */
2292 	if (elf_coredump_extra_notes_write(cprm))
2293 		goto end_coredump;
2294 
2295 	/* Align to page */
2296 	dump_skip_to(cprm, dataoff);
2297 
2298 	for (i = 0; i < vma_count; i++) {
2299 		struct core_vma_metadata *meta = vma_meta + i;
2300 
2301 		if (!dump_user_range(cprm, meta->start, meta->dump_size))
2302 			goto end_coredump;
2303 	}
2304 
2305 	if (!elf_core_write_extra_data(cprm))
2306 		goto end_coredump;
2307 
2308 	if (e_phnum == PN_XNUM) {
2309 		if (!dump_emit(cprm, shdr4extnum, sizeof(*shdr4extnum)))
2310 			goto end_coredump;
2311 	}
2312 
2313 end_coredump:
2314 	free_note_info(&info);
2315 	kfree(shdr4extnum);
2316 	kvfree(vma_meta);
2317 	kfree(phdr4note);
2318 	return has_dumped;
2319 }
2320 
2321 #endif		/* CONFIG_ELF_CORE */
2322 
2323 static int __init init_elf_binfmt(void)
2324 {
2325 	register_binfmt(&elf_format);
2326 	return 0;
2327 }
2328 
2329 static void __exit exit_elf_binfmt(void)
2330 {
2331 	/* Remove the COFF and ELF loaders. */
2332 	unregister_binfmt(&elf_format);
2333 }
2334 
2335 core_initcall(init_elf_binfmt);
2336 module_exit(exit_elf_binfmt);
2337 MODULE_LICENSE("GPL");
2338