LXR linux/fs/coredump.c

   1#include <linux/slab.h>
   2#include <linux/file.h>
   3#include <linux/fdtable.h>
   4#include <linux/mm.h>
   5#include <linux/stat.h>
   6#include <linux/fcntl.h>
   7#include <linux/swap.h>
   8#include <linux/string.h>
   9#include <linux/init.h>
  10#include <linux/pagemap.h>
  11#include <linux/perf_event.h>
  12#include <linux/highmem.h>
  13#include <linux/spinlock.h>
  14#include <linux/key.h>
  15#include <linux/personality.h>
  16#include <linux/binfmts.h>
  17#include <linux/coredump.h>
  18#include <linux/utsname.h>
  19#include <linux/pid_namespace.h>
  20#include <linux/module.h>
  21#include <linux/namei.h>
  22#include <linux/mount.h>
  23#include <linux/security.h>
  24#include <linux/syscalls.h>
  25#include <linux/tsacct_kern.h>
  26#include <linux/cn_proc.h>
  27#include <linux/audit.h>
  28#include <linux/tracehook.h>
  29#include <linux/kmod.h>
  30#include <linux/fsnotify.h>
  31#include <linux/fs_struct.h>
  32#include <linux/pipe_fs_i.h>
  33#include <linux/oom.h>
  34#include <linux/compat.h>
  35#include <linux/timekeeping.h>
  36
  37#include <asm/uaccess.h>
  38#include <asm/mmu_context.h>
  39#include <asm/tlb.h>
  40#include <asm/exec.h>
  41
  42#include <trace/events/task.h>
  43#include "internal.h"
  44
  45#include <trace/events/sched.h>
  46
  47int core_uses_pid;
  48unsigned int core_pipe_limit;
  49char core_pattern[CORENAME_MAX_SIZE] = "core";
  50static int core_name_size = CORENAME_MAX_SIZE;
  51
  52struct core_name {
  53        char *corename;
  54        int used, size;
  55};
  56
  57/* The maximal length of core_pattern is also specified in sysctl.c */
  58
  59static int expand_corename(struct core_name *cn, int size)
  60{
  61        char *corename = krealloc(cn->corename, size, GFP_KERNEL);
  62
  63        if (!corename)
  64                return -ENOMEM;
  65
  66        if (size > core_name_size) /* racy but harmless */
  67                core_name_size = size;
  68
  69        cn->size = ksize(corename);
  70        cn->corename = corename;
  71        return 0;
  72}
  73
  74static __printf(2, 0) int cn_vprintf(struct core_name *cn, const char *fmt,
  75                                     va_list arg)
  76{
  77        int free, need;
  78        va_list arg_copy;
  79
  80again:
  81        free = cn->size - cn->used;
  82
  83        va_copy(arg_copy, arg);
  84        need = vsnprintf(cn->corename + cn->used, free, fmt, arg_copy);
  85        va_end(arg_copy);
  86
  87        if (need < free) {
  88                cn->used += need;
  89                return 0;
  90        }
  91
  92        if (!expand_corename(cn, cn->size + need - free + 1))
  93                goto again;
  94
  95        return -ENOMEM;
  96}
  97
  98static __printf(2, 3) int cn_printf(struct core_name *cn, const char *fmt, ...)
  99{
 100        va_list arg;
 101        int ret;
 102
 103        va_start(arg, fmt);
 104        ret = cn_vprintf(cn, fmt, arg);
 105        va_end(arg);
 106
 107        return ret;
 108}
 109
 110static __printf(2, 3)
 111int cn_esc_printf(struct core_name *cn, const char *fmt, ...)
 112{
 113        int cur = cn->used;
 114        va_list arg;
 115        int ret;
 116
 117        va_start(arg, fmt);
 118        ret = cn_vprintf(cn, fmt, arg);
 119        va_end(arg);
 120
 121        if (ret == 0) {
 122                /*
 123                 * Ensure that this coredump name component can't cause the
 124                 * resulting corefile path to consist of a ".." or ".".
 125                 */
 126                if ((cn->used - cur == 1 && cn->corename[cur] == '.') ||
 127                                (cn->used - cur == 2 && cn->corename[cur] == '.'
 128                                && cn->corename[cur+1] == '.'))
 129                        cn->corename[cur] = '!';
 130
 131                /*
 132                 * Empty names are fishy and could be used to create a "//" in a
 133                 * corefile name, causing the coredump to happen one directory
 134                 * level too high. Enforce that all components of the core
 135                 * pattern are at least one character long.
 136                 */
 137                if (cn->used == cur)
 138                        ret = cn_printf(cn, "!");
 139        }
 140
 141        for (; cur < cn->used; ++cur) {
 142                if (cn->corename[cur] == '/')
 143                        cn->corename[cur] = '!';
 144        }
 145        return ret;
 146}
 147
 148static int cn_print_exe_file(struct core_name *cn)
 149{
 150        struct file *exe_file;
 151        char *pathbuf, *path;
 152        int ret;
 153
 154        exe_file = get_mm_exe_file(current->mm);
 155        if (!exe_file)
 156                return cn_esc_printf(cn, "%s (path unknown)", current->comm);
 157
 158        pathbuf = kmalloc(PATH_MAX, GFP_TEMPORARY);
 159        if (!pathbuf) {
 160                ret = -ENOMEM;
 161                goto put_exe_file;
 162        }
 163
 164        path = file_path(exe_file, pathbuf, PATH_MAX);
 165        if (IS_ERR(path)) {
 166                ret = PTR_ERR(path);
 167                goto free_buf;
 168        }
 169
 170        ret = cn_esc_printf(cn, "%s", path);
 171
 172free_buf:
 173        kfree(pathbuf);
 174put_exe_file:
 175        fput(exe_file);
 176        return ret;
 177}
 178
 179/* format_corename will inspect the pattern parameter, and output a
 180 * name into corename, which must have space for at least
 181 * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator.
 182 */
 183static int format_corename(struct core_name *cn, struct coredump_params *cprm)
 184{
 185        const struct cred *cred = current_cred();
 186        const char *pat_ptr = core_pattern;
 187        int ispipe = (*pat_ptr == '|');
 188        int pid_in_pattern = 0;
 189        int err = 0;
 190
 191        cn->used = 0;
 192        cn->corename = NULL;
 193        if (expand_corename(cn, core_name_size))
 194                return -ENOMEM;
 195        cn->corename[0] = '\0';
 196
 197        if (ispipe)
 198                ++pat_ptr;
 199
 200        /* Repeat as long as we have more pattern to process and more output
 201           space */
 202        while (*pat_ptr) {
 203                if (*pat_ptr != '%') {
 204                        err = cn_printf(cn, "%c", *pat_ptr++);
 205                } else {
 206                        switch (*++pat_ptr) {
 207                        /* single % at the end, drop that */
 208                        case 0:
 209                                goto out;
 210                        /* Double percent, output one percent */
 211                        case '%':
 212                                err = cn_printf(cn, "%c", '%');
 213                                break;
 214                        /* pid */
 215                        case 'p':
 216                                pid_in_pattern = 1;
 217                                err = cn_printf(cn, "%d",
 218                                              task_tgid_vnr(current));
 219                                break;
 220                        /* global pid */
 221                        case 'P':
 222                                err = cn_printf(cn, "%d",
 223                                              task_tgid_nr(current));
 224                                break;
 225                        case 'i':
 226                                err = cn_printf(cn, "%d",
 227                                              task_pid_vnr(current));
 228                                break;
 229                        case 'I':
 230                                err = cn_printf(cn, "%d",
 231                                              task_pid_nr(current));
 232                                break;
 233                        /* uid */
 234                        case 'u':
 235                                err = cn_printf(cn, "%u",
 236                                                from_kuid(&init_user_ns,
 237                                                          cred->uid));
 238                                break;
 239                        /* gid */
 240                        case 'g':
 241                                err = cn_printf(cn, "%u",
 242                                                from_kgid(&init_user_ns,
 243                                                          cred->gid));
 244                                break;
 245                        case 'd':
 246                                err = cn_printf(cn, "%d",
 247                                        __get_dumpable(cprm->mm_flags));
 248                                break;
 249                        /* signal that caused the coredump */
 250                        case 's':
 251                                err = cn_printf(cn, "%d",
 252                                                cprm->siginfo->si_signo);
 253                                break;
 254                        /* UNIX time of coredump */
 255                        case 't': {
 256                                time64_t time;
 257
 258                                time = ktime_get_real_seconds();
 259                                err = cn_printf(cn, "%lld", time);
 260                                break;
 261                        }
 262                        /* hostname */
 263                        case 'h':
 264                                down_read(&uts_sem);
 265                                err = cn_esc_printf(cn, "%s",
 266                                              utsname()->nodename);
 267                                up_read(&uts_sem);
 268                                break;
 269                        /* executable */
 270                        case 'e':
 271                                err = cn_esc_printf(cn, "%s", current->comm);
 272                                break;
 273                        case 'E':
 274                                err = cn_print_exe_file(cn);
 275                                break;
 276                        /* core limit size */
 277                        case 'c':
 278                                err = cn_printf(cn, "%lu",
 279                                              rlimit(RLIMIT_CORE));
 280                                break;
 281                        default:
 282                                break;
 283                        }
 284                        ++pat_ptr;
 285                }
 286
 287                if (err)
 288                        return err;
 289        }
 290
 291out:
 292        /* Backward compatibility with core_uses_pid:
 293         *
 294         * If core_pattern does not include a %p (as is the default)
 295         * and core_uses_pid is set, then .%pid will be appended to
 296         * the filename. Do not do this for piped commands. */
 297        if (!ispipe && !pid_in_pattern && core_uses_pid) {
 298                err = cn_printf(cn, ".%d", task_tgid_vnr(current));
 299                if (err)
 300                        return err;
 301        }
 302        return ispipe;
 303}
 304
 305static int zap_process(struct task_struct *start, int exit_code, int flags)
 306{
 307        struct task_struct *t;
 308        int nr = 0;
 309
 310        /* ignore all signals except SIGKILL, see prepare_signal() */
 311        start->signal->flags = SIGNAL_GROUP_COREDUMP | flags;
 312        start->signal->group_exit_code = exit_code;
 313        start->signal->group_stop_count = 0;
 314
 315        for_each_thread(start, t) {
 316                task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
 317                if (t != current && t->mm) {
 318                        sigaddset(&t->pending.signal, SIGKILL);
 319                        signal_wake_up(t, 1);
 320                        nr++;
 321                }
 322        }
 323
 324        return nr;
 325}
 326
 327static int zap_threads(struct task_struct *tsk, struct mm_struct *mm,
 328                        struct core_state *core_state, int exit_code)
 329{
 330        struct task_struct *g, *p;
 331        unsigned long flags;
 332        int nr = -EAGAIN;
 333
 334        spin_lock_irq(&tsk->sighand->siglock);
 335        if (!signal_group_exit(tsk->signal)) {
 336                mm->core_state = core_state;
 337                tsk->signal->group_exit_task = tsk;
 338                nr = zap_process(tsk, exit_code, 0);
 339                clear_tsk_thread_flag(tsk, TIF_SIGPENDING);
 340        }
 341        spin_unlock_irq(&tsk->sighand->siglock);
 342        if (unlikely(nr < 0))
 343                return nr;
 344
 345        tsk->flags |= PF_DUMPCORE;
 346        if (atomic_read(&mm->mm_users) == nr + 1)
 347                goto done;
 348        /*
 349         * We should find and kill all tasks which use this mm, and we should
 350         * count them correctly into ->nr_threads. We don't take tasklist
 351         * lock, but this is safe wrt:
 352         *
 353         * fork:
 354         *      None of sub-threads can fork after zap_process(leader). All
 355         *      processes which were created before this point should be
 356         *      visible to zap_threads() because copy_process() adds the new
 357         *      process to the tail of init_task.tasks list, and lock/unlock
 358         *      of ->siglock provides a memory barrier.
 359         *
 360         * do_exit:
 361         *      The caller holds mm->mmap_sem. This means that the task which
 362         *      uses this mm can't pass exit_mm(), so it can't exit or clear
 363         *      its ->mm.
 364         *
 365         * de_thread:
 366         *      It does list_replace_rcu(&leader->tasks, &current->tasks),
 367         *      we must see either old or new leader, this does not matter.
 368         *      However, it can change p->sighand, so lock_task_sighand(p)
 369         *      must be used. Since p->mm != NULL and we hold ->mmap_sem
 370         *      it can't fail.
 371         *
 372         *      Note also that "g" can be the old leader with ->mm == NULL
 373         *      and already unhashed and thus removed from ->thread_group.
 374         *      This is OK, __unhash_process()->list_del_rcu() does not
 375         *      clear the ->next pointer, we will find the new leader via
 376         *      next_thread().
 377         */
 378        rcu_read_lock();
 379        for_each_process(g) {
 380                if (g == tsk->group_leader)
 381                        continue;
 382                if (g->flags & PF_KTHREAD)
 383                        continue;
 384
 385                for_each_thread(g, p) {
 386                        if (unlikely(!p->mm))
 387                                continue;
 388                        if (unlikely(p->mm == mm)) {
 389                                lock_task_sighand(p, &flags);
 390                                nr += zap_process(p, exit_code,
 391                                                        SIGNAL_GROUP_EXIT);
 392                                unlock_task_sighand(p, &flags);
 393                        }
 394                        break;
 395                }
 396        }
 397        rcu_read_unlock();
 398done:
 399        atomic_set(&core_state->nr_threads, nr);
 400        return nr;
 401}
 402
 403static int coredump_wait(int exit_code, struct core_state *core_state)
 404{
 405        struct task_struct *tsk = current;
 406        struct mm_struct *mm = tsk->mm;
 407        int core_waiters = -EBUSY;
 408
 409        init_completion(&core_state->startup);
 410        core_state->dumper.task = tsk;
 411        core_state->dumper.next = NULL;
 412
 413        down_write(&mm->mmap_sem);
 414        if (!mm->core_state)
 415                core_waiters = zap_threads(tsk, mm, core_state, exit_code);
 416        up_write(&mm->mmap_sem);
 417
 418        if (core_waiters > 0) {
 419                struct core_thread *ptr;
 420
 421                wait_for_completion(&core_state->startup);
 422                /*
 423                 * Wait for all the threads to become inactive, so that
 424                 * all the thread context (extended register state, like
 425                 * fpu etc) gets copied to the memory.
 426                 */
 427                ptr = core_state->dumper.next;
 428                while (ptr != NULL) {
 429                        wait_task_inactive(ptr->task, 0);
 430                        ptr = ptr->next;
 431                }
 432        }
 433
 434        return core_waiters;
 435}
 436
 437static void coredump_finish(struct mm_struct *mm, bool core_dumped)
 438{
 439        struct core_thread *curr, *next;
 440        struct task_struct *task;
 441
 442        spin_lock_irq(&current->sighand->siglock);
 443        if (core_dumped && !__fatal_signal_pending(current))
 444                current->signal->group_exit_code |= 0x80;
 445        current->signal->group_exit_task = NULL;
 446        current->signal->flags = SIGNAL_GROUP_EXIT;
 447        spin_unlock_irq(&current->sighand->siglock);
 448
 449        next = mm->core_state->dumper.next;
 450        while ((curr = next) != NULL) {
 451                next = curr->next;
 452                task = curr->task;
 453                /*
 454                 * see exit_mm(), curr->task must not see
 455                 * ->task == NULL before we read ->next.
 456                 */
 457                smp_mb();
 458                curr->task = NULL;
 459                wake_up_process(task);
 460        }
 461
 462        mm->core_state = NULL;
 463}
 464
 465static bool dump_interrupted(void)
 466{
 467        /*
 468         * SIGKILL or freezing() interrupt the coredumping. Perhaps we
 469         * can do try_to_freeze() and check __fatal_signal_pending(),
 470         * but then we need to teach dump_write() to restart and clear
 471         * TIF_SIGPENDING.
 472         */
 473        return signal_pending(current);
 474}
 475
 476static void wait_for_dump_helpers(struct file *file)
 477{
 478        struct pipe_inode_info *pipe = file->private_data;
 479
 480        pipe_lock(pipe);
 481        pipe->readers++;
 482        pipe->writers--;
 483        wake_up_interruptible_sync(&pipe->wait);
 484        kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
 485        pipe_unlock(pipe);
 486
 487        /*
 488         * We actually want wait_event_freezable() but then we need
 489         * to clear TIF_SIGPENDING and improve dump_interrupted().
 490         */
 491        wait_event_interruptible(pipe->wait, pipe->readers == 1);
 492
 493        pipe_lock(pipe);
 494        pipe->readers--;
 495        pipe->writers++;
 496        pipe_unlock(pipe);
 497}
 498
 499/*
 500 * umh_pipe_setup
 501 * helper function to customize the process used
 502 * to collect the core in userspace.  Specifically
 503 * it sets up a pipe and installs it as fd 0 (stdin)
 504 * for the process.  Returns 0 on success, or
 505 * PTR_ERR on failure.
 506 * Note that it also sets the core limit to 1.  This
 507 * is a special value that we use to trap recursive
 508 * core dumps
 509 */
 510static int umh_pipe_setup(struct subprocess_info *info, struct cred *new)
 511{
 512        struct file *files[2];
 513        struct coredump_params *cp = (struct coredump_params *)info->data;
 514        int err = create_pipe_files(files, 0);
 515        if (err)
 516                return err;
 517
 518        cp->file = files[1];
 519
 520        err = replace_fd(0, files[0], 0);
 521        fput(files[0]);
 522        /* and disallow core files too */
 523        current->signal->rlim[RLIMIT_CORE] = (struct rlimit){1, 1};
 524
 525        return err;
 526}
 527
 528void do_coredump(const siginfo_t *siginfo)
 529{
 530        struct core_state core_state;
 531        struct core_name cn;
 532        struct mm_struct *mm = current->mm;
 533        struct linux_binfmt * binfmt;
 534        const struct cred *old_cred;
 535        struct cred *cred;
 536        int retval = 0;
 537        int ispipe;
 538        struct files_struct *displaced;
 539        /* require nonrelative corefile path and be extra careful */
 540        bool need_suid_safe = false;
 541        bool core_dumped = false;
 542        static atomic_t core_dump_count = ATOMIC_INIT(0);
 543        struct coredump_params cprm = {
 544                .siginfo = siginfo,
 545                .regs = signal_pt_regs(),
 546                .limit = rlimit(RLIMIT_CORE),
 547                /*
 548                 * We must use the same mm->flags while dumping core to avoid
 549                 * inconsistency of bit flags, since this flag is not protected
 550                 * by any locks.
 551                 */
 552                .mm_flags = mm->flags,
 553        };
 554
 555        audit_core_dumps(siginfo->si_signo);
 556
 557        binfmt = mm->binfmt;
 558        if (!binfmt || !binfmt->core_dump)
 559                goto fail;
 560        if (!__get_dumpable(cprm.mm_flags))
 561                goto fail;
 562
 563        cred = prepare_creds();
 564        if (!cred)
 565                goto fail;
 566        /*
 567         * We cannot trust fsuid as being the "true" uid of the process
 568         * nor do we know its entire history. We only know it was tainted
 569         * so we dump it as root in mode 2, and only into a controlled
 570         * environment (pipe handler or fully qualified path).
 571         */
 572        if (__get_dumpable(cprm.mm_flags) == SUID_DUMP_ROOT) {
 573                /* Setuid core dump mode */
 574                cred->fsuid = GLOBAL_ROOT_UID;  /* Dump root private */
 575                need_suid_safe = true;
 576        }
 577
 578        retval = coredump_wait(siginfo->si_signo, &core_state);
 579        if (retval < 0)
 580                goto fail_creds;
 581
 582        old_cred = override_creds(cred);
 583
 584        ispipe = format_corename(&cn, &cprm);
 585
 586        if (ispipe) {
 587                int dump_count;
 588                char **helper_argv;
 589                struct subprocess_info *sub_info;
 590
 591                if (ispipe < 0) {
 592                        printk(KERN_WARNING "format_corename failed\n");
 593                        printk(KERN_WARNING "Aborting core\n");
 594                        goto fail_unlock;
 595                }
 596
 597                if (cprm.limit == 1) {
 598                        /* See umh_pipe_setup() which sets RLIMIT_CORE = 1.
 599                         *
 600                         * Normally core limits are irrelevant to pipes, since
 601                         * we're not writing to the file system, but we use
 602                         * cprm.limit of 1 here as a special value, this is a
 603                         * consistent way to catch recursive crashes.
 604                         * We can still crash if the core_pattern binary sets
 605                         * RLIM_CORE = !1, but it runs as root, and can do
 606                         * lots of stupid things.
 607                         *
 608                         * Note that we use task_tgid_vnr here to grab the pid
 609                         * of the process group leader.  That way we get the
 610                         * right pid if a thread in a multi-threaded
 611                         * core_pattern process dies.
 612                         */
 613                        printk(KERN_WARNING
 614                                "Process %d(%s) has RLIMIT_CORE set to 1\n",
 615                                task_tgid_vnr(current), current->comm);
 616                        printk(KERN_WARNING "Aborting core\n");
 617                        goto fail_unlock;
 618                }
 619                cprm.limit = RLIM_INFINITY;
 620
 621                dump_count = atomic_inc_return(&core_dump_count);
 622                if (core_pipe_limit && (core_pipe_limit < dump_count)) {
 623                        printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
 624                               task_tgid_vnr(current), current->comm);
 625                        printk(KERN_WARNING "Skipping core dump\n");
 626                        goto fail_dropcount;
 627                }
 628
 629                helper_argv = argv_split(GFP_KERNEL, cn.corename, NULL);
 630                if (!helper_argv) {
 631                        printk(KERN_WARNING "%s failed to allocate memory\n",
 632                               __func__);
 633                        goto fail_dropcount;
 634                }
 635
 636                retval = -ENOMEM;
 637                sub_info = call_usermodehelper_setup(helper_argv[0],
 638                                                helper_argv, NULL, GFP_KERNEL,
 639                                                umh_pipe_setup, NULL, &cprm);
 640                if (sub_info)
 641                        retval = call_usermodehelper_exec(sub_info,
 642                                                          UMH_WAIT_EXEC);
 643
 644                argv_free(helper_argv);
 645                if (retval) {
 646                        printk(KERN_INFO "Core dump to |%s pipe failed\n",
 647                               cn.corename);
 648                        goto close_fail;
 649                }
 650        } else {
 651                struct inode *inode;
 652
 653                if (cprm.limit < binfmt->min_coredump)
 654                        goto fail_unlock;
 655
 656                if (need_suid_safe && cn.corename[0] != '/') {
 657                        printk(KERN_WARNING "Pid %d(%s) can only dump core "\
 658                                "to fully qualified path!\n",
 659                                task_tgid_vnr(current), current->comm);
 660                        printk(KERN_WARNING "Skipping core dump\n");
 661                        goto fail_unlock;
 662                }
 663
 664                /*
 665                 * Unlink the file if it exists unless this is a SUID
 666                 * binary - in that case, we're running around with root
 667                 * privs and don't want to unlink another user's coredump.
 668                 */
 669                if (!need_suid_safe) {
 670                        mm_segment_t old_fs;
 671
 672                        old_fs = get_fs();
 673                        set_fs(KERNEL_DS);
 674                        /*
 675                         * If it doesn't exist, that's fine. If there's some
 676                         * other problem, we'll catch it at the filp_open().
 677                         */
 678                        (void) sys_unlink((const char __user *)cn.corename);
 679                        set_fs(old_fs);
 680                }
 681
 682                /*
 683                 * There is a race between unlinking and creating the
 684                 * file, but if that causes an EEXIST here, that's
 685                 * fine - another process raced with us while creating
 686                 * the corefile, and the other process won. To userspace,
 687                 * what matters is that at least one of the two processes
 688                 * writes its coredump successfully, not which one.
 689                 */
 690                cprm.file = filp_open(cn.corename,
 691                                 O_CREAT | 2 | O_NOFOLLOW |
 692                                 O_LARGEFILE | O_EXCL,
 693                                 0600);
 694                if (IS_ERR(cprm.file))
 695                        goto fail_unlock;
 696
 697                inode = file_inode(cprm.file);
 698                if (inode->i_nlink > 1)
 699                        goto close_fail;
 700                if (d_unhashed(cprm.file->f_path.dentry))
 701                        goto close_fail;
 702                /*
 703                 * AK: actually i see no reason to not allow this for named
 704                 * pipes etc, but keep the previous behaviour for now.
 705                 */
 706                if (!S_ISREG(inode->i_mode))
 707                        goto close_fail;
 708                /*
 709                 * Don't dump core if the filesystem changed owner or mode
 710                 * of the file during file creation. This is an issue when
 711                 * a process dumps core while its cwd is e.g. on a vfat
 712                 * filesystem.
 713                 */
 714                if (!uid_eq(inode->i_uid, current_fsuid()))
 715                        goto close_fail;
 716                if ((inode->i_mode & 0677) != 0600)
 717                        goto close_fail;
 718                if (!(cprm.file->f_mode & FMODE_CAN_WRITE))
 719                        goto close_fail;
 720                if (do_truncate(cprm.file->f_path.dentry, 0, 0, cprm.file))
 721                        goto close_fail;
 722        }
 723
 724        /* get us an unshared descriptor table; almost always a no-op */
 725        retval = unshare_files(&displaced);
 726        if (retval)
 727                goto close_fail;
 728        if (displaced)
 729                put_files_struct(displaced);
 730        if (!dump_interrupted()) {
 731                file_start_write(cprm.file);
 732                core_dumped = binfmt->core_dump(&cprm);
 733                file_end_write(cprm.file);
 734        }
 735        if (ispipe && core_pipe_limit)
 736                wait_for_dump_helpers(cprm.file);
 737close_fail:
 738        if (cprm.file)
 739                filp_close(cprm.file, NULL);
 740fail_dropcount:
 741        if (ispipe)
 742                atomic_dec(&core_dump_count);
 743fail_unlock:
 744        kfree(cn.corename);
 745        coredump_finish(mm, core_dumped);
 746        revert_creds(old_cred);
 747fail_creds:
 748        put_cred(cred);
 749fail:
 750        return;
 751}
 752
 753/*
 754 * Core dumping helper functions.  These are the only things you should
 755 * do on a core-file: use only these functions to write out all the
 756 * necessary info.
 757 */
 758int dump_emit(struct coredump_params *cprm, const void *addr, int nr)
 759{
 760        struct file *file = cprm->file;
 761        loff_t pos = file->f_pos;
 762        ssize_t n;
 763        if (cprm->written + nr > cprm->limit)
 764                return 0;
 765        while (nr) {
 766                if (dump_interrupted())
 767                        return 0;
 768                n = __kernel_write(file, addr, nr, &pos);
 769                if (n <= 0)
 770                        return 0;
 771                file->f_pos = pos;
 772                cprm->written += n;
 773                nr -= n;
 774        }
 775        return 1;
 776}
 777EXPORT_SYMBOL(dump_emit);
 778
 779int dump_skip(struct coredump_params *cprm, size_t nr)
 780{
 781        static char zeroes[PAGE_SIZE];
 782        struct file *file = cprm->file;
 783        if (file->f_op->llseek && file->f_op->llseek != no_llseek) {
 784                if (cprm->written + nr > cprm->limit)
 785                        return 0;
 786                if (dump_interrupted() ||
 787                    file->f_op->llseek(file, nr, SEEK_CUR) < 0)
 788                        return 0;
 789                cprm->written += nr;
 790                return 1;
 791        } else {
 792                while (nr > PAGE_SIZE) {
 793                        if (!dump_emit(cprm, zeroes, PAGE_SIZE))
 794                                return 0;
 795                        nr -= PAGE_SIZE;
 796                }
 797                return dump_emit(cprm, zeroes, nr);
 798        }
 799}
 800EXPORT_SYMBOL(dump_skip);
 801
 802int dump_align(struct coredump_params *cprm, int align)
 803{
 804        unsigned mod = cprm->written & (align - 1);
 805        if (align & (align - 1))
 806                return 0;
 807        return mod ? dump_skip(cprm, align - mod) : 1;
 808}
 809EXPORT_SYMBOL(dump_align);
 810