/*
 *  linux/fs/exec.c
 *
 *  Copyright (C) 1991, 1992  Linus Torvalds
 */

/*
 * #!-checking implemented by tytso.
 */
/*
 * Demand-loading implemented 01.12.91 - no need to read anything but
 * the header into memory. The inode of the executable is put into
 * "current->executable", and page faults do the actual loading. Clean.
 *
 * Once more I can proudly say that linux stood up to being changed: it
 * was less than 2 hours work to get demand-loading completely implemented.
 *
 * Demand loading changed July 1993 by Eric Youngdale.   Use mmap instead,
 * current->executable is only used by the procfs.  This allows a dispatch
 * table to check for several different types of binary formats.  We keep
 * trying until we recognize the file or we run out of supported binary
 * formats.
 */

#include <linux/slab.h>
#include <linux/file.h>
#include <linux/mman.h>
#include <linux/a.out.h>
#include <linux/stat.h>
#include <linux/fcntl.h>
#include <linux/smp_lock.h>
#include <linux/init.h>
#include <linux/pagemap.h>
#include <linux/highmem.h>
#include <linux/spinlock.h>
#include <linux/key.h>
#include <linux/personality.h>
#include <linux/binfmts.h>
#include <linux/swap.h>
#include <linux/utsname.h>
#include <linux/pid_namespace.h>
#include <linux/module.h>
#include <linux/namei.h>
#include <linux/proc_fs.h>
#include <linux/ptrace.h>
#include <linux/mount.h>
#include <linux/security.h>
#include <linux/syscalls.h>
#include <linux/rmap.h>
#include <linux/tsacct_kern.h>
#include <linux/cn_proc.h>
#include <linux/audit.h>
#include <linux/signalfd.h>

#include <asm/uaccess.h>
#include <asm/mmu_context.h>

#ifdef CONFIG_KMOD
#include <linux/kmod.h>
#endif

/*
 * When non-zero, format_corename() appends ".<tgid>" to a core_pattern
 * that contains no %p conversion (see the backward-compatibility note
 * at the end of format_corename()).
 */
int core_uses_pid;
/*
 * Template for core dump file names, expanded by format_corename().
 * A leading '|' makes format_corename() report the pattern as a pipe
 * command instead of a file name.
 */
char core_pattern[CORENAME_MAX_SIZE] = "core";
/*
 * Value that flush_old_exec() stores in mm->dumpable when the exec
 * changes credentials, executes an image the caller may not read, or
 * the interpreter set BINPRM_FLAGS_ENFORCE_NONDUMP.  Exported because
 * it is consulted outside this file (presumably sysctl; not visible here).
 */
int suid_dumpable = 0;

EXPORT_SYMBOL(suid_dumpable);
/* The maximal length of core_pattern is also
specified in sysctl.c */

static struct linux_binfmt *formats;
static DEFINE_RWLOCK(binfmt_lock);

/*
 * Add a binary format handler to the global list.
 *
 * Returns -EINVAL for a NULL fmt, -EBUSY if fmt is already linked into
 * a list (its ->next is set) or already present in formats, 0 on success.
 * The handler is pushed onto the head of the list under binfmt_lock.
 */
int register_binfmt(struct linux_binfmt * fmt)
{
	struct linux_binfmt *cur;

	if (!fmt)
		return -EINVAL;
	/* A handler that is already chained somewhere cannot be added. */
	if (fmt->next)
		return -EBUSY;

	write_lock(&binfmt_lock);
	for (cur = formats; cur; cur = cur->next) {
		if (cur == fmt) {
			write_unlock(&binfmt_lock);
			return -EBUSY;
		}
	}
	/* Not present yet: link it in at the head. */
	fmt->next = formats;
	formats = fmt;
	write_unlock(&binfmt_lock);
	return 0;
}

EXPORT_SYMBOL(register_binfmt);

/*
 * Remove a binary format handler from the global list.
 *
 * Returns 0 if fmt was found and unlinked (its ->next is cleared),
 * -EINVAL if it is not in the list.  Runs under binfmt_lock.
 */
int unregister_binfmt(struct linux_binfmt * fmt)
{
	struct linux_binfmt **link;
	int ret = -EINVAL;

	write_lock(&binfmt_lock);
	for (link = &formats; *link; link = &(*link)->next) {
		if (*link != fmt)
			continue;
		/* Splice fmt out of the chain. */
		*link = fmt->next;
		fmt->next = NULL;
		ret = 0;
		break;
	}
	write_unlock(&binfmt_lock);
	return ret;
}

EXPORT_SYMBOL(unregister_binfmt);

/* Drop the module reference taken with try_module_get(fmt->module). */
static inline void put_binfmt(struct linux_binfmt * fmt)
{
	module_put(fmt->module);
}

/*
 * Note that a shared library must be both readable and executable due to
 * security reasons.
 *
 * Also note that we take the address to load from from the file itself.
 *
 * Security checks performed before any handler sees the file: the mount
 * must not be MNT_NOEXEC, the object must be a regular file, and the
 * caller needs both MAY_READ and MAY_EXEC on it.  Handlers are then tried
 * in list order until one returns something other than -ENOEXEC.
 *
 * Returns 0 on success, -EACCES / -EINVAL / a permission error from the
 * checks above, -ENOEXEC if no handler accepted the file, or the
 * handler's own error.
 */
asmlinkage long sys_uselib(const char __user * library)
{
	struct file * file;
	struct nameidata nd;
	int error;

	error = __user_path_lookup_open(library, LOOKUP_FOLLOW, &nd, FMODE_READ|FMODE_EXEC);
	if (error)
		goto out;

	error = -EACCES;
	if (nd.mnt->mnt_flags & MNT_NOEXEC)
		goto exit;
	error = -EINVAL;
	if (!S_ISREG(nd.dentry->d_inode->i_mode))
		goto exit;

	error = vfs_permission(&nd, MAY_READ | MAY_EXEC);
	if (error)
		goto exit;

	/*
	 * From here on the failure path is 'out', not 'exit': presumably
	 * nameidata_to_filp() takes over nd even on error, so the
	 * release_open_intent()/path_release() pair must not run again.
	 * TODO confirm against nameidata_to_filp().
	 */
	file = nameidata_to_filp(&nd, O_RDONLY);
	error = PTR_ERR(file);
	if (IS_ERR(file))
		goto out;

	error = -ENOEXEC;
	if(file->f_op) {
		struct linux_binfmt * fmt;

		read_lock(&binfmt_lock);
		for (fmt = formats ; fmt ; fmt = fmt->next) {
			if (!fmt->load_shlib)
				continue;
			if (!try_module_get(fmt->module))
				continue;
			/*
			 * The module reference keeps fmt alive while the
			 * list lock is dropped around the (sleeping) loader.
			 */
			read_unlock(&binfmt_lock);
			error = fmt->load_shlib(file);
			read_lock(&binfmt_lock);
			put_binfmt(fmt);
			if (error != -ENOEXEC)
				break;
		}
		read_unlock(&binfmt_lock);
	}
	fput(file);
out:
  	return error;
exit:
	release_open_intent(&nd);
	path_release(&nd);
	goto out;
}

/*
 * count() counts the number of strings in array ARGV.
 *
 * Walks the user-space pointer array until a NULL entry.  Returns the
 * number of entries, 0 for a NULL argv, -EFAULT if an entry cannot be
 * read, or -E2BIG as soon as more than 'max' entries have been seen
 * (so an unterminated array cannot be walked indefinitely).
 */
static int count(char __user * __user * argv, int max)
{
	int i = 0;

	if (argv != NULL) {
		for (;;) {
			char __user * p;

			if (get_user(p, argv))
				return -EFAULT;
			if (!p)
				break;
			argv++;
			if(++i > max)
				return -E2BIG;
			/* The array is user-controlled; stay preemptible. */
			cond_resched();
		}
	}
	return i;
}

/*
 * 'copy_strings()' copies argument/environment strings from user
 * memory to free pages in kernel mem.  These are in a format ready
 * to be put directly into the top of new user memory.
 *
 * The strings are processed last-to-first and packed downwards from
 * bprm->p, so that after the call bprm->p points at the first string.
 * Each string's length is bounded by the space still available
 * (strnlen_user(str, bprm->p)); a string that does not fit yields
 * -E2BIG.  Pages are allocated on demand into bprm->page[]; the unused
 * parts of a freshly allocated page are zeroed so that no stale page
 * contents are carried into the new process's stack.
 *
 * Returns 0 on success, -EFAULT on an unreadable pointer or string,
 * -E2BIG if the strings overflow the argument area, -ENOMEM if a page
 * cannot be allocated.  Pages allocated before a failure stay in
 * bprm->page[] for the caller to free.
 */
static int copy_strings(int argc, char __user * __user * argv,
			struct linux_binprm *bprm)
{
	struct page *kmapped_page = NULL;
	char *kaddr = NULL;
	int ret;

	while (argc-- > 0) {
		char __user *str;
		int len;
		unsigned long pos;

		/* len includes the terminating NUL; 0 means fault or unterminated. */
		if (get_user(str, argv+argc) ||
				!(len = strnlen_user(str, bprm->p))) {
			ret = -EFAULT;
			goto out;
		}

		if (bprm->p < len) {
			ret = -E2BIG;
			goto out;
		}

		bprm->p -= len;
		/* XXX: add architecture specific overflow check here. */
		pos = bprm->p;

		/* Copy the string page by page, starting at pos. */
		while (len > 0) {
			int i, new, err;
			int offset, bytes_to_copy;
			struct page *page;

			offset = pos % PAGE_SIZE;
			i = pos/PAGE_SIZE;
			page = bprm->page[i];
			new = 0;
			if (!page) {
				page = alloc_page(GFP_HIGHUSER);
				bprm->page[i] = page;
				if (!page) {
					ret = -ENOMEM;
					goto out;
				}
				new = 1;
			}

			/* Keep at most one page kmapped at a time. */
			if (page != kmapped_page) {
				if (kmapped_page)
					kunmap(kmapped_page);
				kmapped_page = page;
				kaddr = kmap(kmapped_page);
			}
			/* A new page: clear the bytes below the string... */
			if (new && offset)
				memset(kaddr, 0, offset);
			bytes_to_copy = PAGE_SIZE - offset;
			if (bytes_to_copy > len) {
				bytes_to_copy = len;
				/* ...and the bytes above it, if the string ends here. */
				if (new)
					memset(kaddr+offset+len, 0,
						PAGE_SIZE-offset-len);
			}
			err = copy_from_user(kaddr+offset, str, bytes_to_copy);
			if (err) {
				ret = -EFAULT;
				goto out;
			}

			pos += bytes_to_copy;
			str += bytes_to_copy;
			len -= bytes_to_copy;
		}
	}
	ret = 0;
out:
	if (kmapped_page)
		kunmap(kmapped_page);
	return ret;
}

/*
 * Like copy_strings, but get argv and its values from kernel memory.
 *
 * Temporarily widens the address limit to KERNEL_DS so that the
 * __user-annotated accessors inside copy_strings() accept kernel
 * pointers; the previous limit is restored before returning.
 * Return values are those of copy_strings().
 */
int copy_strings_kernel(int argc,char ** argv, struct linux_binprm *bprm)
{
	int r;
	mm_segment_t oldfs = get_fs();
	set_fs(KERNEL_DS);
	r = copy_strings(argc, (char __user * __user *)argv, bprm);
	set_fs(oldfs);
	return r;
}

EXPORT_SYMBOL(copy_strings_kernel);

#ifdef CONFIG_MMU
/*
 * This routine is used to map in a page into an address space: needed by
 * execve() for the initial stack and environment pages.
 *
 * vma->vm_mm->mmap_sem is held for writing.
 *
 * Ownership of 'page' passes to this function: on success it is mapped
 * writable and dirty at 'address' and added to the anon rmap; on any
 * failure (anon_vma_prepare(), no pte, or a pte already present) the
 * page is freed and the current task is sent SIGKILL, since an exec
 * whose stack cannot be set up cannot be continued or rolled back.
 */
void install_arg_page(struct vm_area_struct *vma,
			struct page *page, unsigned long address)
{
	struct mm_struct *mm = vma->vm_mm;
	pte_t * pte;
	spinlock_t *ptl;

	if (unlikely(anon_vma_prepare(vma)))
		goto out;

	flush_dcache_page(page);
	pte = get_locked_pte(mm, address, &ptl);
	if (!pte)
		goto out;
	if (!pte_none(*pte)) {
		pte_unmap_unlock(pte, ptl);
		goto out;
	}
	inc_mm_counter(mm, anon_rss);
	lru_cache_add_active(page);
	set_pte_at(mm, address, pte, pte_mkdirty(pte_mkwrite(mk_pte(
					page, vma->vm_page_prot))));
	page_add_new_anon_rmap(page, vma, address);
	pte_unmap_unlock(pte, ptl);

	/* no need for flush_tlb */
	return;
out:
	__free_page(page);
	force_sig(SIGKILL, current);
}

#define EXTRA_STACK_VM_PAGES	20	/* random */

/*
 * Create the initial stack VMA of the new image and move the argument
 * pages collected in bprm->page[] into it.
 *
 * @bprm:             the binary being exec'd; bprm->p, bprm->exec and
 *                    bprm->loader are relocated to their final addresses
 * @stack_top:        highest address of the new stack
 * @executable_stack: EXSTACK_ENABLE_X, EXSTACK_DISABLE_X, or anything
 *                    else for the architecture default
 *
 * Returns 0 on success, -ENOMEM if the VMA cannot be allocated, or the
 * error from insert_vm_struct().  On success every bprm->page[] entry
 * has been handed to install_arg_page() and set to NULL; on failure the
 * pages remain in bprm->page[] for the caller to release.
 */
int setup_arg_pages(struct linux_binprm *bprm,
		    unsigned long stack_top,
		    int executable_stack)
{
	unsigned long stack_base;
	struct vm_area_struct *mpnt;
	struct mm_struct *mm = current->mm;
	int i, ret;
	long arg_size;

#ifdef CONFIG_STACK_GROWSUP
	/* Move the argument and environment strings to the bottom of the
	 * stack space.
	 */
	int offset, j;
	char *to, *from;

	/* Start by shifting all the pages down */
	i = 0;
	for (j = 0; j < MAX_ARG_PAGES; j++) {
		struct page *page = bprm->page[j];
		if (!page)
			continue;
		bprm->page[i++] = page;
	}

	/* Now move them within their pages */
	offset = bprm->p % PAGE_SIZE;
	to = kmap(bprm->page[0]);
	for (j = 1; j < i; j++) {
		memmove(to, to + offset, PAGE_SIZE - offset);
		from = kmap(bprm->page[j]);
		memcpy(to + PAGE_SIZE - offset, from, offset);
		kunmap(bprm->page[j - 1]);
		to = from;
	}
	memmove(to, to + offset, PAGE_SIZE - offset);
	kunmap(bprm->page[j - 1]);

	/* Limit stack size to 1GB */
	stack_base = current->signal->rlim[RLIMIT_STACK].rlim_max;
	if (stack_base > (1 << 30))
		stack_base = 1 << 30;
	stack_base = PAGE_ALIGN(stack_top - stack_base);

	/* Adjust bprm->p to point to the end of the strings. */
	bprm->p = stack_base + PAGE_SIZE * i - offset;

	mm->arg_start = stack_base;
	arg_size = i << PAGE_SHIFT;

	/* zero pages that were copied above */
	while (i < MAX_ARG_PAGES)
		bprm->page[i++] = NULL;
#else
	stack_base = arch_align_stack(stack_top - MAX_ARG_PAGES*PAGE_SIZE);
	stack_base = PAGE_ALIGN(stack_base);
	bprm->p += stack_base;
	mm->arg_start = bprm->p;
	arg_size = stack_top - (PAGE_MASK & (unsigned long) mm->arg_start);
#endif

	/* Leave some headroom above the argument pages for the stack proper. */
	arg_size += EXTRA_STACK_VM_PAGES * PAGE_SIZE;

	/* The offsets recorded by copy_strings() become absolute addresses. */
	if (bprm->loader)
		bprm->loader += stack_base;
	bprm->exec += stack_base;

	mpnt = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
	if (!mpnt)
		return -ENOMEM;

	down_write(&mm->mmap_sem);
	{
		mpnt->vm_mm = mm;
#ifdef CONFIG_STACK_GROWSUP
		mpnt->vm_start = stack_base;
		mpnt->vm_end = stack_base + arg_size;
#else
		mpnt->vm_end = stack_top;
		mpnt->vm_start = mpnt->vm_end - arg_size;
#endif
		/* Adjust stack execute permissions; explicitly enable
		 * for EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X
		 * and leave alone (arch default) otherwise. */
		if (unlikely(executable_stack == EXSTACK_ENABLE_X))
			mpnt->vm_flags = VM_STACK_FLAGS | VM_EXEC;
		else if (executable_stack == EXSTACK_DISABLE_X)
			mpnt->vm_flags = VM_STACK_FLAGS & ~VM_EXEC;
		else
			mpnt->vm_flags = VM_STACK_FLAGS;
		mpnt->vm_flags |= mm->def_flags;
		/* Low three vm_flags bits index protection_map -- presumably
		 * VM_READ/VM_WRITE/VM_EXEC; confirm against the mm headers. */
		mpnt->vm_page_prot = protection_map[mpnt->vm_flags & 0x7];
		if ((ret = insert_vm_struct(mm, mpnt))) {
			up_write(&mm->mmap_sem);
			kmem_cache_free(vm_area_cachep, mpnt);
			return ret;
		}
		mm->stack_vm = mm->total_vm = vma_pages(mpnt);
	}

	/* Hand each collected page to the VMA; install_arg_page() owns it now. */
	for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
		struct page *page = bprm->page[i];
		if (page) {
			bprm->page[i] = NULL;
			install_arg_page(mpnt, page, stack_base);
		}
		stack_base += PAGE_SIZE;
	}
	up_write(&mm->mmap_sem);

	return 0;
}

EXPORT_SYMBOL(setup_arg_pages);

/*
 * With an MMU the pages have already been transferred to the new stack
 * by setup_arg_pages() (which NULLs every bprm->page[] slot), so there
 * is nothing left to free on the success path.
 */
#define free_arg_pages(bprm) do { } while (0)

#else

/* No MMU: release whatever argument pages are still held in bprm->page[]. */
static inline void free_arg_pages(struct linux_binprm *bprm)
{
	int i;

	for (i = 0; i < MAX_ARG_PAGES; i++) {
		if (bprm->page[i])
			__free_page(bprm->page[i]);
		bprm->page[i] = NULL;
	}
}

#endif /* CONFIG_MMU */

/*
 * Open a file for execution.
 *
 * The path is resolved with LOOKUP_FOLLOW relative to AT_FDCWD and the
 * file is rejected unless the mount is not MNT_NOEXEC, the object is a
 * regular file and the caller has MAY_EXEC on it.  On success the file
 * is opened read-only and deny_write_access() is taken on it, so the
 * image cannot be modified while it is being executed; the caller must
 * undo that with allow_write_access() before fput().
 *
 * Returns the opened file or an ERR_PTR (-EACCES for a non-executable
 * mount or a non-regular file, otherwise the underlying error).
 */
struct file *open_exec(const char *name)
{
	struct nameidata nd;
	int err;
	struct file *file;

	err = path_lookup_open(AT_FDCWD, name, LOOKUP_FOLLOW, &nd, FMODE_READ|FMODE_EXEC);
	file = ERR_PTR(err);

	if (!err) {
		struct inode *inode = nd.dentry->d_inode;
		file = ERR_PTR(-EACCES);
		if (!(nd.mnt->mnt_flags & MNT_NOEXEC) &&
		    S_ISREG(inode->i_mode)) {
			int err = vfs_permission(&nd, MAY_EXEC);
			file = ERR_PTR(err);
			if (!err) {
				file = nameidata_to_filp(&nd, O_RDONLY);
				if (!IS_ERR(file)) {
					err = deny_write_access(file);
					if (err) {
						fput(file);
						file = ERR_PTR(err);
					}
				}
				/*
				 * Once nameidata_to_filp() has been called nd
				 * is not released here, unlike the checks
				 * above which still own it.
				 */
out:
				return file;
			}
		}
		release_open_intent(&nd);
		path_release(&nd);
	}
	goto out;
}

EXPORT_SYMBOL(open_exec);

/*
 * Read 'count' bytes at 'offset' from 'file' into the kernel buffer 'addr'.
 *
 * Returns whatever vfs_read() returns (bytes read or a negative error).
 * The address limit is widened to get_ds() for the duration of the read
 * and restored afterwards, so 'addr' must be a kernel pointer.
 */
int kernel_read(struct file *file, unsigned long offset,
	char *addr, unsigned long count)
{
	mm_segment_t old_fs;
	loff_t pos = offset;
	int result;

	old_fs = get_fs();
	set_fs(get_ds());
	/* The cast to a user pointer is valid due to the set_fs() */
	result = vfs_read(file, (void __user *)addr, count, &pos);
	set_fs(old_fs);
	return result;
}

EXPORT_SYMBOL(kernel_read);

/*
 * Switch the current task from its old mm to 'mm'.
 *
 * Returns -EINTR if a core dump is in progress on the old mm (the exec
 * is abandoned and the task dies with the dump instead), otherwise 0.
 * On success the old mm's user reference is dropped with mmput(); if
 * there was no old mm (kernel thread) the borrowed active_mm is
 * released with mmdrop().
 */
static int exec_mmap(struct mm_struct *mm)
{
	struct task_struct *tsk;
	struct mm_struct * old_mm, *active_mm;

	/* Notify parent that we're no longer interested in the old VM */
	tsk = current;
	old_mm = current->mm;
	mm_release(tsk, old_mm);

	if (old_mm) {
		/*
		 * Make sure that if there is a core dump in progress
		 * for the old mm, we get out and die instead of going
		 * through with the exec.  We must hold mmap_sem around
		 * checking core_waiters and changing tsk->mm.  The
		 * core-inducing thread will increment core_waiters for
		 * each thread whose ->mm == old_mm.
		 */
		down_read(&old_mm->mmap_sem);
		if (unlikely(old_mm->core_waiters)) {
			up_read(&old_mm->mmap_sem);
			return -EINTR;
		}
	}
	task_lock(tsk);
	active_mm = tsk->active_mm;
	tsk->mm = mm;
	tsk->active_mm = mm;
	activate_mm(active_mm, mm);
	task_unlock(tsk);
	arch_pick_mmap_layout(mm);
	if (old_mm) {
		up_read(&old_mm->mmap_sem);
		BUG_ON(active_mm != old_mm);
		mmput(old_mm);
		return 0;
	}
	mmdrop(active_mm);
	return 0;
}

/*
 * This function makes sure the current process has its own signal table,
 * so that flush_signal_handlers can later reset the handlers without
 * disturbing other processes.  (Other processes might share the signal
 * table via the CLONE_SIGHAND option to clone().)
 *
 * Also kills every other thread of the group and, when the caller is not
 * the group leader, takes over the leader's PID, start_time and list
 * position so that the exec'ing thread becomes the single-threaded
 * group leader.
 *
 * Returns 0 on success, -ENOMEM if a new sighand cannot be allocated,
 * -EAGAIN if another group action (SIGNAL_GROUP_EXIT) is already in
 * progress -- the caller is expected to back out and let that signal
 * be delivered.
 */
static int de_thread(struct task_struct *tsk)
{
	struct signal_struct *sig = tsk->signal;
	struct sighand_struct *newsighand, *oldsighand = tsk->sighand;
	spinlock_t *lock = &oldsighand->siglock;
	struct task_struct *leader = NULL;
	int count;

	/*
	 * Tell all the sighand listeners that this sighand has
	 * been detached. The signalfd_detach() function grabs the
	 * sighand lock, if signal listeners are present on the sighand.
	 */
	signalfd_detach(tsk);

	/*
	 * If we don't share sighandlers, then we aren't sharing anything
	 * and we can just re-use it all.
	 */
	if (atomic_read(&oldsighand->count) <= 1) {
		BUG_ON(atomic_read(&sig->count) != 1);
		exit_itimers(sig);
		return 0;
	}

	/* Allocate before taking any locks; freed again if it turns out unused. */
	newsighand = kmem_cache_alloc(sighand_cachep, GFP_KERNEL);
	if (!newsighand)
		return -ENOMEM;

	if (thread_group_empty(tsk))
		goto no_thread_group;

	/*
	 * Kill all other threads in the thread group.
	 * We must hold tasklist_lock to call zap_other_threads.
	 */
	read_lock(&tasklist_lock);
	spin_lock_irq(lock);
	if (sig->flags & SIGNAL_GROUP_EXIT) {
		/*
		 * Another group action in progress, just
		 * return so that the signal is processed.
		 */
		spin_unlock_irq(lock);
		read_unlock(&tasklist_lock);
		kmem_cache_free(sighand_cachep, newsighand);
		return -EAGAIN;
	}

	/*
	 * child_reaper ignores SIGKILL, change it now.
	 * Reparenting needs write_lock on tasklist_lock,
	 * so it is safe to do it under read_lock.
	 */
	if (unlikely(tsk->group_leader == child_reaper(tsk)))
		tsk->nsproxy->pid_ns->child_reaper = tsk;

	zap_other_threads(tsk);
	read_unlock(&tasklist_lock);

	/*
	 * Account for the thread group leader hanging around:
	 */
	count = 1;
	if (!thread_group_leader(tsk)) {
		count = 2;
		/*
		 * The SIGALRM timer survives the exec, but needs to point
		 * at us as the new group leader now.  We have a race with
		 * a timer firing now getting the old leader, so we need to
		 * synchronize with any firing (by calling hrtimer_cancel)
		 * before we can safely let the old group leader die.
		 */
		sig->tsk = tsk;
		spin_unlock_irq(lock);
		if (hrtimer_cancel(&sig->real_timer))
			hrtimer_restart(&sig->real_timer);
		spin_lock_irq(lock);
	}
	/* Sleep until the other threads have dropped their sig references. */
	while (atomic_read(&sig->count) > count) {
		sig->group_exit_task = tsk;
		sig->notify_count = count;
		__set_current_state(TASK_UNINTERRUPTIBLE);
		spin_unlock_irq(lock);
		schedule();
		spin_lock_irq(lock);
	}
	sig->group_exit_task = NULL;
	sig->notify_count = 0;
	spin_unlock_irq(lock);

	/*
	 * At this point all other threads have exited, all we have to
	 * do is to wait for the thread group leader to become inactive,
	 * and to assume its PID:
	 */
	if (!thread_group_leader(tsk)) {
		/*
		 * Wait for the thread group leader to be a zombie.
		 * It should already be zombie at this point, most
		 * of the time.
		 */
		leader = tsk->group_leader;
		while (leader->exit_state != EXIT_ZOMBIE)
			yield();

		/*
		 * The only record we have of the real-time age of a
		 * process, regardless of execs it's done, is start_time.
		 * All the past CPU time is accumulated in signal_struct
		 * from sister threads now dead.  But in this non-leader
		 * exec, nothing survives from the original leader thread,
		 * whose birth marks the true age of this process now.
		 * When we take on its identity by switching to its PID, we
		 * also take its birthdate (always earlier than our own).
		 */
		tsk->start_time = leader->start_time;

		write_lock_irq(&tasklist_lock);

		BUG_ON(leader->tgid != tsk->tgid);
		BUG_ON(tsk->pid == tsk->tgid);
		/*
		 * An exec() starts a new thread group with the
		 * TGID of the previous thread group.  Rehash the
		 * two threads with a switched PID, and release
		 * the former thread group leader:
		 */

		/* Become a process group leader with the old leader's pid.
		 * The old leader becomes a thread of this thread group.
		 * Note: The old leader also uses this pid until release_task
		 *       is called.  Odd but simple and correct.
		 */
		detach_pid(tsk, PIDTYPE_PID);
		tsk->pid = leader->pid;
		attach_pid(tsk, PIDTYPE_PID,  find_pid(tsk->pid));
		transfer_pid(leader, tsk, PIDTYPE_PGID);
		transfer_pid(leader, tsk, PIDTYPE_SID);
		list_replace_rcu(&leader->tasks, &tsk->tasks);

		tsk->group_leader = tsk;
		leader->group_leader = tsk;

		tsk->exit_signal = SIGCHLD;

		BUG_ON(leader->exit_state != EXIT_ZOMBIE);
		leader->exit_state = EXIT_DEAD;

		write_unlock_irq(&tasklist_lock);
	}

	/*
	 * There may be one thread left which is just exiting,
	 * but it's safe to stop telling the group to kill themselves.
	 */
	sig->flags = 0;

no_thread_group:
	exit_itimers(sig);
	if (leader)
		release_task(leader);

	BUG_ON(atomic_read(&sig->count) != 1);

	if (atomic_read(&oldsighand->count) == 1) {
		/*
		 * Now that we nuked the rest of the thread group,
		 * it turns out we are not sharing sighand any more either.
		 * So we can just keep it.
		 */
		kmem_cache_free(sighand_cachep, newsighand);
	} else {
		/*
		 * Move our state over to newsighand and switch it in.
		 */
		atomic_set(&newsighand->count, 1);
		memcpy(newsighand->action, oldsighand->action,
		       sizeof(newsighand->action));

		/* Both siglocks are held while the pointer is switched. */
		write_lock_irq(&tasklist_lock);
		spin_lock(&oldsighand->siglock);
		spin_lock_nested(&newsighand->siglock, SINGLE_DEPTH_NESTING);

		rcu_assign_pointer(tsk->sighand, newsighand);
		recalc_sigpending();

		spin_unlock(&newsighand->siglock);
		spin_unlock(&oldsighand->siglock);
		write_unlock_irq(&tasklist_lock);

		__cleanup_sighand(oldsighand);
	}

	BUG_ON(!thread_group_leader(tsk));
	return 0;
}

/*
 * These functions flushes out all traces of the currently running executable
 * so that a new one can be started
 */

/*
 * Close every descriptor in 'files' that has the close-on-exec bit set.
 *
 * The bitmap is scanned one word at a time; each word's bits are cleared
 * under file_lock and the corresponding descriptors closed with the lock
 * dropped (sys_close() may sleep).  The fdtable is re-read from 'files'
 * after every reacquisition because it may have been replaced meanwhile.
 */
static void flush_old_files(struct files_struct * files)
{
	long j = -1;
	struct fdtable *fdt;

	spin_lock(&files->file_lock);
	for (;;) {
		unsigned long set, i;

		j++;
		i = j * __NFDBITS;
		fdt = files_fdtable(files);
		if (i >= fdt->max_fds)
			break;
		set = fdt->close_on_exec->fds_bits[j];
		if (!set)
			continue;
		fdt->close_on_exec->fds_bits[j] = 0;
		spin_unlock(&files->file_lock);
		for ( ; set ; i++,set >>= 1) {
			if (set & 1) {
				sys_close(i);
			}
		}
		spin_lock(&files->file_lock);

	}
	spin_unlock(&files->file_lock);
}

/*
 * Copy tsk->comm into buf under task_lock().
 * The copy is sizeof(tsk->comm) bytes, so buf gets the terminator only
 * if tsk->comm itself is terminated (set_task_comm() guarantees that).
 */
void get_task_comm(char *buf, struct task_struct *tsk)
{
	/* buf must be at least sizeof(tsk->comm) in size */
	task_lock(tsk);
	strncpy(buf, tsk->comm, sizeof(tsk->comm));
	task_unlock(tsk);
}

/* Set tsk->comm from buf, truncating and always NUL-terminating. */
void set_task_comm(struct task_struct *tsk, char *buf)
{
	task_lock(tsk);
	strlcpy(tsk->comm, buf, sizeof(tsk->comm));
	task_unlock(tsk);
}

/*
 * Tear down the state of the old executable in preparation for the new one:
 * single-thread the group (de_thread), unshare the file table, switch to
 * bprm->mm, set the dumpable flag and task comm, flush thread state and
 * signal handlers, close close-on-exec descriptors.
 *
 * Returns 0 on success or a negative error.  Up to exec_mmap() the
 * failure paths roll back; after it ("point of no return") the old mm
 * is gone.
 */
int flush_old_exec(struct linux_binprm * bprm)
{
	char * name;
	int i, ch, retval;
	struct files_struct *files;
	char tcomm[sizeof(current->comm)];

	/*
	 * Make sure we have a private signal table and that
	 * we are unassociated from the
 previous thread group.
	 */
	retval = de_thread(current);
	if (retval)
		goto out;

	/*
	 * Make sure we have private file handles. Ask the
	 * fork helper to do the work for us and the exit
	 * helper to do the cleanup of the old one.
	 */
	files = current->files;		/* refcounted so safe to hold */
	retval = unshare_files();
	if (retval)
		goto out;
	/*
	 * Release all of the old mmap stuff
	 */
	retval = exec_mmap(bprm->mm);
	if (retval)
		goto mmap_failed;

	bprm->mm = NULL;		/* We're using it now */

	/* This is the point of no return */
	put_files_struct(files);

	current->sas_ss_sp = current->sas_ss_size = 0;

	/*
	 * A task whose effective ids differ from its real ids is only
	 * dumpable to the extent suid_dumpable allows.
	 */
	if (current->euid == current->uid && current->egid == current->gid)
		current->mm->dumpable = 1;
	else
		current->mm->dumpable = suid_dumpable;

	name = bprm->filename;

	/* Copies the binary name from after last slash */
	for (i=0; (ch = *(name++)) != '\0';) {
		if (ch == '/')
			i = 0; /* overwrite what we wrote */
		else
			if (i < (sizeof(tcomm) - 1))
				tcomm[i++] = ch;
	}
	tcomm[i] = '\0';
	set_task_comm(current, tcomm);

	current->flags &= ~PF_RANDOMIZE;
	flush_thread();

	/* Set the new mm task size. We have to do that late because it may
	 * depend on TIF_32BIT which is only updated in flush_thread() on
	 * some architectures like powerpc
	 */
	current->mm->task_size = TASK_SIZE;

	/*
	 * Credentials are changing, the caller cannot read the image, or
	 * the interpreter asked for it: drop to suid_dumpable and switch
	 * the keyrings, so the new image's memory is not exposed via a
	 * core dump to whoever started it.
	 */
	if (bprm->e_uid != current->euid || bprm->e_gid != current->egid || 
	    file_permission(bprm->file, MAY_READ) ||
	    (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
		suid_keys(current);
		current->mm->dumpable = suid_dumpable;
	}

	/* An exec changes our domain. We are no longer part of the thread
	   group */

	current->self_exec_id++;
			
	flush_signal_handlers(current, 0);
	flush_old_files(current->files);

	return 0;

mmap_failed:
	reset_files_struct(current, files);
out:
	return retval;
}

EXPORT_SYMBOL(flush_old_exec);

/* 
 * Fill the binprm structure from the inode. 
 * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
 *
 * bprm->e_uid / bprm->e_gid start out as the caller's effective ids and
 * are taken from the inode only for set-id files on mounts that are not
 * MNT_NOSUID.  Returns -EACCES if the file has no f_op, an error from
 * security_bprm_set(), or the result of kernel_read() (bytes read or a
 * negative error).
 */
int prepare_binprm(struct linux_binprm *bprm)
{
	int mode;
	struct inode * inode = bprm->file->f_path.dentry->d_inode;
	int retval;

	mode = inode->i_mode;
	if (bprm->file->f_op == NULL)
		return -EACCES;

	bprm->e_uid = current->euid;
	bprm->e_gid = current->egid;

	if(!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
		/* Set-uid? */
		if (mode & S_ISUID) {
			/* Personality bits that must not survive a set-id exec. */
			current->personality &= ~PER_CLEAR_ON_SETID;
			bprm->e_uid = inode->i_uid;
		}

		/* Set-gid? */
		/*
		 * If setgid is set but no group execute bit then this
		 * is a candidate for mandatory locking, not a setgid
		 * executable.
		 */
		if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
			current->personality &= ~PER_CLEAR_ON_SETID;
			bprm->e_gid = inode->i_gid;
		}
	}

	/* fill in binprm security blob */
	retval = security_bprm_set(bprm);
	if (retval)
		return retval;

	/* Zero first so a short read leaves no stale bytes in the header. */
	memset(bprm->buf,0,BINPRM_BUF_SIZE);
	return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE);
}

EXPORT_SYMBOL(prepare_binprm);

/*
 * Compute the LSM_UNSAFE_* flags for task p: whether it is being ptraced
 * (with or without PT_PTRACE_CAP) and whether its fs, files or sighand
 * are shared with another task.  Called with task_lock(p) held by
 * compute_creds().
 */
static int unsafe_exec(struct task_struct *p)
{
	int unsafe = 0;
	if (p->ptrace & PT_PTRACED) {
		if (p->ptrace & PT_PTRACE_CAP)
			unsafe |= LSM_UNSAFE_PTRACE_CAP;
		else
			unsafe |= LSM_UNSAFE_PTRACE;
	}
	if (atomic_read(&p->fs->count) > 1 ||
	    atomic_read(&p->files->count) > 1 ||
	    atomic_read(&p->sighand->count) > 1)
		unsafe |= LSM_UNSAFE_SHARE;

	return unsafe;
}

/*
 * Install the credentials computed for bprm on the current task.
 * The keyrings are switched first; the security module then applies the
 * credentials under task_lock() together with the unsafe_exec() flags,
 * and gets a post-apply callback outside the lock.
 */
void compute_creds(struct linux_binprm *bprm)
{
	int unsafe;

	if (bprm->e_uid != current->uid)
		suid_keys(current);
	exec_keys(current);

	task_lock(current);
	unsafe = unsafe_exec(current);
	security_bprm_apply_creds(bprm, unsafe);
	task_unlock(current);
	security_bprm_post_apply_creds(bprm);
}
EXPORT_SYMBOL(compute_creds);

/*
 * Arguments are '\0' separated strings found at the location bprm->p
 * points to; chop off the first by relocating bprm->p to right after
 * the first '\0' encountered.
 *
 * Pages that are entirely consumed are freed and their bprm->page[]
 * slot cleared.  bprm->argc is decremented; a zero argc is a no-op.
 */
void remove_arg_zero(struct linux_binprm *bprm)
{
	if (bprm->argc) {
		char ch;

		do {
			unsigned long offset;
			unsigned long index;
			char *kaddr;
			struct page *page;

			offset = bprm->p & ~PAGE_MASK;
			index = bprm->p >> PAGE_SHIFT;

			page = bprm->page[index];
			kaddr = kmap_atomic(page, KM_USER0);

			/* run through page until we reach end or find NUL */
			do {
				ch = *(kaddr + offset);

				/* discard that character...
 */
				bprm->p++;
				offset++;
			} while (offset < PAGE_SIZE && ch != '\0');

			kunmap_atomic(kaddr, KM_USER0);

			/* free the old page */
			if (offset == PAGE_SIZE) {
				__free_page(page);
				bprm->page[index] = NULL;
			}
		} while (ch != '\0');

		bprm->argc--;
	}
}
EXPORT_SYMBOL(remove_arg_zero);

/*
 * cycle the list of binary formats handler, until one recognizes the image
 *
 * Each handler's load_binary is tried in list order; a non-negative
 * result means the image was loaded and is returned after the exec file
 * is released.  -ENOEXEC moves on to the next handler.  Any other error,
 * or a handler that has already consumed bprm->mm (flush_old_exec()
 * clears it after exec_mmap), ends the search.  With CONFIG_KMOD a
 * second pass is made after requesting a "binfmt-XXXX" module named by
 * the image's bytes 2-3, unless the first four bytes look like text.
 *
 * Returns the loader's result, -ENOENT if nothing matched, or the error
 * from security_bprm_check() / audit_bprm().
 */
int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
{
	int try,retval;
	struct linux_binfmt *fmt;
#ifdef __alpha__
	/* handle /sbin/loader.. */
	{
		struct exec * eh = (struct exec *) bprm->buf;

		if (!bprm->loader && eh->fh.f_magic == 0x183 &&
		    (eh->fh.f_flags & 0x3000) == 0x3000)
		{
			struct file * file;
			unsigned long loader;

			allow_write_access(bprm->file);
			fput(bprm->file);
			bprm->file = NULL;

			loader = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);

			file = open_exec("/sbin/loader");
			retval = PTR_ERR(file);
			if (IS_ERR(file))
				return retval;

			/* Remember if the application is TASO.  */
			bprm->sh_bang = eh->ah.entry < 0x100000000UL;

			bprm->file = file;
			bprm->loader = loader;
			retval = prepare_binprm(bprm);
			if (retval<0)
				return retval;
			/* should call search_binary_handler recursively here,
			   but it does not matter */
		}
	}
#endif
	retval = security_bprm_check(bprm);
	if (retval)
		return retval;

	/* kernel module loader fixup */
	/* so we don't try to load run modprobe in kernel space. 
	 */
	set_fs(USER_DS);

	retval = audit_bprm(bprm);
	if (retval)
		return retval;

	retval = -ENOENT;
	for (try=0; try<2; try++) {
		read_lock(&binfmt_lock);
		for (fmt = formats ; fmt ; fmt = fmt->next) {
			int (*fn)(struct linux_binprm *, struct pt_regs *) = fmt->load_binary;
			if (!fn)
				continue;
			if (!try_module_get(fmt->module))
				continue;
			/* Loader may sleep: drop the list lock, keep the module ref. */
			read_unlock(&binfmt_lock);
			retval = fn(bprm, regs);
			if (retval >= 0) {
				put_binfmt(fmt);
				/* Release the exec file and the write-deny taken by open_exec(). */
				allow_write_access(bprm->file);
				if (bprm->file)
					fput(bprm->file);
				bprm->file = NULL;
				current->did_exec = 1;
				proc_exec_connector(current);
				return retval;
			}
			read_lock(&binfmt_lock);
			put_binfmt(fmt);
			if (retval != -ENOEXEC || bprm->mm == NULL)
				break;
			if (!bprm->file) {
				read_unlock(&binfmt_lock);
				return retval;
			}
		}
		read_unlock(&binfmt_lock);
		if (retval != -ENOEXEC || bprm->mm == NULL) {
			break;
#ifdef CONFIG_KMOD
		}else{
/* (c) is evaluated several times: only pass side-effect-free expressions. */
#define printable(c) (((c)=='\t') || ((c)=='\n') || (0x20<=(c) && (c)<=0x7e))
			if (printable(bprm->buf[0]) &&
			    printable(bprm->buf[1]) &&
			    printable(bprm->buf[2]) &&
			    printable(bprm->buf[3]))
				break; /* -ENOEXEC */
			/*
			 * The format string is fixed; the image controls only
			 * the 16-bit hex value in the requested module name.
			 */
			request_module("binfmt-%04x", *(unsigned short *)(&bprm->buf[2]));
#endif
		}
	}
	return retval;
}

EXPORT_SYMBOL(search_binary_handler);

/*
 * sys_execve() executes a new program.
 *
 * Opens 'filename' for execution, builds the linux_binprm (argument and
 * environment strings copied into kernel pages, security blob, header
 * bytes) and hands it to search_binary_handler().  argv/envp are user
 * pointers; the number of entries in each is capped so that the pointer
 * arrays fit into the argument area (count(..., bprm->p / sizeof(void *))).
 *
 * Returns the loader's non-negative result on success, otherwise a
 * negative error; every intermediate resource (pages, security blob,
 * new mm, exec file with its write-deny, the bprm itself) is released
 * on the labelled failure paths.
 */
int do_execve(char * filename,
	char __user *__user *argv,
	char __user *__user *envp,
	struct pt_regs * regs)
{
	struct linux_binprm *bprm;
	struct file *file;
	int retval;
	int i;

	retval = -ENOMEM;
	bprm = kzalloc(sizeof(*bprm), GFP_KERNEL);
	if (!bprm)
		goto out_ret;

	file = open_exec(filename);
	retval = PTR_ERR(file);
	if (IS_ERR(file))
		goto out_kfree;

	sched_exec();

	/* bprm->p starts at the top of the argument area and grows downwards. */
	bprm->p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);

	bprm->file = file;
	bprm->filename = filename;
	bprm->interp = filename;
	bprm->mm = mm_alloc();
	retval = -ENOMEM;
	if (!bprm->mm)
		goto out_file;

	retval = init_new_context(current, bprm->mm);
	if (retval < 0)
		goto out_mm;

	bprm->argc = count(argv, bprm->p / sizeof(void *));
	if ((retval = bprm->argc) < 0)
		goto out_mm;

	bprm->envc = count(envp, bprm->p / sizeof(void *));
	if ((retval = bprm->envc) < 0)
		goto out_mm;

	retval = security_bprm_alloc(bprm);
	if (retval)
		goto out;

	retval = prepare_binprm(bprm);
	if (retval < 0)
		goto out;

	/* The file name goes in first (highest), then environment, then argv. */
	retval = copy_strings_kernel(1, &bprm->filename, bprm);
	if (retval < 0)
		goto out;

	bprm->exec = bprm->p;
	retval = copy_strings(bprm->envc, envp, bprm);
	if (retval < 0)
		goto out;

	retval = copy_strings(bprm->argc, argv, bprm);
	if (retval < 0)
		goto out;

	retval = search_binary_handler(bprm,regs);
	if (retval >= 0) {
		free_arg_pages(bprm);

		/* execve success */
		security_bprm_free(bprm);
		acct_update_integrals(current);
		kfree(bprm);
		return retval;
	}

out:
	/* Something went wrong, return the inode and free the argument pages*/
	for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
		struct page * page = bprm->page[i];
		if (page)
			__free_page(page);
	}

	if (bprm->security)
		security_bprm_free(bprm);

out_mm:
	if (bprm->mm)
		mmdrop(bprm->mm);

out_file:
	if (bprm->file) {
		allow_write_access(bprm->file);
		fput(bprm->file);
	}

out_kfree:
	kfree(bprm);

out_ret:
	return retval;
}

/*
 * Make 'new' the current task's binary format handler, taking a module
 * reference on it and dropping the reference held on the previous one.
 * Returns 0, or -1 if the module reference on 'new' cannot be taken.
 */
int set_binfmt(struct linux_binfmt *new)
{
	struct linux_binfmt *old = current->binfmt;

	if (new) {
		if (!try_module_get(new->module))
			return -1;
	}
	current->binfmt = new;
	if (old)
		module_put(old->module);
	return 0;
}

EXPORT_SYMBOL(set_binfmt);

/* format_corename will inspect the pattern parameter, and output a
 * name into corename, which must have space for at least
 * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator.
 *
 * Recognised conversions: %% %p (tgid) %u (uid) %g (gid) %s (signal)
 * %t (seconds since the epoch) %h (nodename) %e (comm); an unknown
 * conversion is dropped.  Output stops silently once CORENAME_MAX_SIZE
 * bytes have been produced; each snprintf() is bounded by the remaining
 * space and its would-be length is checked against that space.  The
 * extra terminator byte is needed because out_ptr may legitimately
 * reach out_end before the final '\0' is written.
 *
 * Returns 1 if the pattern starts with '|' (a pipe command), else 0.
 */
static int format_corename(char *corename, const char *pattern, long signr)
{
	const char *pat_ptr = pattern;
	char *out_ptr = corename;
	char *const out_end = corename + CORENAME_MAX_SIZE;
	int rc;
	int pid_in_pattern = 0;
	int ispipe = 0;

	if (*pattern == '|')
		ispipe = 1;

	/* Repeat as long as we have more pattern to process and more output
	   space */
	while (*pat_ptr) {
		if (*pat_ptr != '%') {
			if (out_ptr == out_end)
				goto out;
			*out_ptr++ = *pat_ptr++;
		} else {
			switch (*++pat_ptr) {
			case 0:
				goto out;
			/* Double percent, output one percent */
			case '%':
				if (out_ptr == out_end)
					goto out;
				*out_ptr++ = '%';
				break;
			/* pid */
			case 'p':
				pid_in_pattern = 1;
				rc = snprintf(out_ptr, out_end - out_ptr,
					      "%d", current->tgid);
				if (rc > out_end - out_ptr)
					goto out;
				out_ptr += rc;
				break;
			/* uid */
			case 'u':
				rc = snprintf(out_ptr, out_end - out_ptr,
					      "%d", current->uid);
				if (rc > out_end - out_ptr)
					goto out;
				out_ptr += rc;
				break;
			/* gid */
			case 'g':
				rc = snprintf(out_ptr, out_end - out_ptr,
					      "%d", current->gid);
				if (rc > out_end - out_ptr)
					goto out;
				out_ptr += rc;
				break;
			/* signal that caused the coredump */
			case 's':
				rc = snprintf(out_ptr, out_end - out_ptr,
					      "%ld", signr);
				if (rc > out_end - out_ptr)
					goto out;
				out_ptr += rc;
				break;
			/* UNIX time of coredump */
			case 't': {
				struct timeval tv;
				do_gettimeofday(&tv);
				rc = snprintf(out_ptr, out_end - out_ptr,
					      "%lu", tv.tv_sec);
				if (rc > out_end - out_ptr)
					goto out;
				out_ptr += rc;
				break;
			}
			/* hostname */
			case 'h':
				down_read(&uts_sem);
				rc = snprintf(out_ptr, out_end - out_ptr,
					      "%s", utsname()->nodename);
				up_read(&uts_sem);
				if (rc > out_end - out_ptr)
					goto out;
				out_ptr += rc;
				break;
			/* executable */
			case 'e':
				rc = snprintf(out_ptr, out_end - out_ptr,
					      "%s", current->comm);
				if (rc > out_end - out_ptr)
					goto out;
				out_ptr += rc;
				break;
			default:
				break;
			}
			++pat_ptr;
		}
	}
	/* Backward compatibility with core_uses_pid:
	 *
	 * If core_pattern does not include a %p (as is the default)
	 * and core_uses_pid is set, then .%pid will be appended to
	 * the filename. Do not do this for piped commands.
*/ 1376 if (!ispipe && !pid_in_pattern 1377 && (core_uses_pid || atomic_read(¤t->mm->mm_users) != 1)) { 1378 rc = snprintf(out_ptr, out_end - out_ptr, 1379 ".%d", current->tgid); 1380 if (rc > out_end - out_ptr) 1381 goto out; 1382 out_ptr += rc; 1383 } 1384 out: 1385 *out_ptr = 0; 1386 return ispipe; 1387 } 1388 1389 static void zap_process(struct task_struct *start) 1390 { 1391 struct task_struct *t; 1392 1393 start->signal->flags = SIGNAL_GROUP_EXIT; 1394 start->signal->group_stop_count = 0; 1395 1396 t = start; 1397 do { 1398 if (t != current && t->mm) { 1399 t->mm->core_waiters++; 1400 sigaddset(&t->pending.signal, SIGKILL); 1401 signal_wake_up(t, 1); 1402 } 1403 } while ((t = next_thread(t)) != start); 1404 } 1405 1406 static inline int zap_threads(struct task_struct *tsk, struct mm_struct *mm, 1407 int exit_code) 1408 { 1409 struct task_struct *g, *p; 1410 unsigned long flags; 1411 int err = -EAGAIN; 1412 1413 spin_lock_irq(&tsk->sighand->siglock); 1414 if (!(tsk->signal->flags & SIGNAL_GROUP_EXIT)) { 1415 tsk->signal->group_exit_code = exit_code; 1416 zap_process(tsk); 1417 err = 0; 1418 } 1419 spin_unlock_irq(&tsk->sighand->siglock); 1420 if (err) 1421 return err; 1422 1423 if (atomic_read(&mm->mm_users) == mm->core_waiters + 1) 1424 goto done; 1425 1426 rcu_read_lock(); 1427 for_each_process(g) { 1428 if (g == tsk->group_leader) 1429 continue; 1430 1431 p = g; 1432 do { 1433 if (p->mm) { 1434 if (p->mm == mm) { 1435 /* 1436 * p->sighand can't disappear, but 1437 * may be changed by de_thread() 1438 */ 1439 lock_task_sighand(p, &flags); 1440 zap_process(p); 1441 unlock_task_sighand(p, &flags); 1442 } 1443 break; 1444 } 1445 } while ((p = next_thread(p)) != g); 1446 } 1447 rcu_read_unlock(); 1448 done: 1449 return mm->core_waiters; 1450 } 1451 1452 static int coredump_wait(int exit_code) 1453 { 1454 struct task_struct *tsk = current; 1455 struct mm_struct *mm = tsk->mm; 1456 struct completion startup_done; 1457 struct completion *vfork_done; 1458 int 
core_waiters; 1459 1460 init_completion(&mm->core_done); 1461 init_completion(&startup_done); 1462 mm->core_startup_done = &startup_done; 1463 1464 core_waiters = zap_threads(tsk, mm, exit_code); 1465 up_write(&mm->mmap_sem); 1466 1467 if (unlikely(core_waiters < 0)) 1468 goto fail; 1469 1470 /* 1471 * Make sure nobody is waiting for us to release the VM, 1472 * otherwise we can deadlock when we wait on each other 1473 */ 1474 vfork_done = tsk->vfork_done; 1475 if (vfork_done) { 1476 tsk->vfork_done = NULL; 1477 complete(vfork_done); 1478 } 1479 1480 if (core_waiters) 1481 wait_for_completion(&startup_done); 1482 fail: 1483 BUG_ON(mm->core_waiters); 1484 return core_waiters; 1485 } 1486 1487 int do_coredump(long signr, int exit_code, struct pt_regs * regs) 1488 { 1489 char corename[CORENAME_MAX_SIZE + 1]; 1490 struct mm_struct *mm = current->mm; 1491 struct linux_binfmt * binfmt; 1492 struct inode * inode; 1493 struct file * file; 1494 int retval = 0; 1495 int fsuid = current->fsuid; 1496 int flag = 0; 1497 int ispipe = 0; 1498 1499 audit_core_dumps(signr); 1500 1501 binfmt = current->binfmt; 1502 if (!binfmt || !binfmt->core_dump) 1503 goto fail; 1504 down_write(&mm->mmap_sem); 1505 if (!mm->dumpable) { 1506 up_write(&mm->mmap_sem); 1507 goto fail; 1508 } 1509 1510 /* 1511 * We cannot trust fsuid as being the "true" uid of the 1512 * process nor do we know its entire history. We only know it 1513 * was tainted so we dump it as root in mode 2. 1514 */ 1515 if (mm->dumpable == 2) { /* Setuid core dump mode */ 1516 flag = O_EXCL; /* Stop rewrite attacks */ 1517 current->fsuid = 0; /* Dump root private */ 1518 } 1519 mm->dumpable = 0; 1520 1521 retval = coredump_wait(exit_code); 1522 if (retval < 0) 1523 goto fail; 1524 1525 /* 1526 * Clear any false indication of pending signals that might 1527 * be seen by the filesystem code called to write the core file. 
1528 */ 1529 clear_thread_flag(TIF_SIGPENDING); 1530 1531 if (current->signal->rlim[RLIMIT_CORE].rlim_cur < binfmt->min_coredump) 1532 goto fail_unlock; 1533 1534 /* 1535 * lock_kernel() because format_corename() is controlled by sysctl, which 1536 * uses lock_kernel() 1537 */ 1538 lock_kernel(); 1539 ispipe = format_corename(corename, core_pattern, signr); 1540 unlock_kernel(); 1541 if (ispipe) { 1542 /* SIGPIPE can happen, but it's just never processed */ 1543 if(call_usermodehelper_pipe(corename+1, NULL, NULL, &file)) { 1544 printk(KERN_INFO "Core dump to %s pipe failed\n", 1545 corename); 1546 goto fail_unlock; 1547 } 1548 } else 1549 file = filp_open(corename, 1550 O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 1551 0600); 1552 if (IS_ERR(file)) 1553 goto fail_unlock; 1554 inode = file->f_path.dentry->d_inode; 1555 if (inode->i_nlink > 1) 1556 goto close_fail; /* multiple links - don't dump */ 1557 if (!ispipe && d_unhashed(file->f_path.dentry)) 1558 goto close_fail; 1559 1560 /* AK: actually i see no reason to not allow this for named pipes etc., 1561 but keep the previous behaviour for now. */ 1562 if (!ispipe && !S_ISREG(inode->i_mode)) 1563 goto close_fail; 1564 if (!file->f_op) 1565 goto close_fail; 1566 if (!file->f_op->write) 1567 goto close_fail; 1568 if (!ispipe && do_truncate(file->f_path.dentry, 0, 0, file) != 0) 1569 goto close_fail; 1570 1571 retval = binfmt->core_dump(signr, regs, file); 1572 1573 if (retval) 1574 current->signal->group_exit_code |= 0x80; 1575 close_fail: 1576 filp_close(file, NULL); 1577 fail_unlock: 1578 current->fsuid = fsuid; 1579 complete_all(&mm->core_done); 1580 fail: 1581 return retval; 1582 } 1583