linux/fs/coredump.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0
   2#include <linux/slab.h>
   3#include <linux/file.h>
   4#include <linux/fdtable.h>
   5#include <linux/freezer.h>
   6#include <linux/mm.h>
   7#include <linux/stat.h>
   8#include <linux/fcntl.h>
   9#include <linux/swap.h>
  10#include <linux/string.h>
  11#include <linux/init.h>
  12#include <linux/pagemap.h>
  13#include <linux/perf_event.h>
  14#include <linux/highmem.h>
  15#include <linux/spinlock.h>
  16#include <linux/key.h>
  17#include <linux/personality.h>
  18#include <linux/binfmts.h>
  19#include <linux/coredump.h>
  20#include <linux/sched/coredump.h>
  21#include <linux/sched/signal.h>
  22#include <linux/sched/task_stack.h>
  23#include <linux/utsname.h>
  24#include <linux/pid_namespace.h>
  25#include <linux/module.h>
  26#include <linux/namei.h>
  27#include <linux/mount.h>
  28#include <linux/security.h>
  29#include <linux/syscalls.h>
  30#include <linux/tsacct_kern.h>
  31#include <linux/cn_proc.h>
  32#include <linux/audit.h>
  33#include <linux/tracehook.h>
  34#include <linux/kmod.h>
  35#include <linux/fsnotify.h>
  36#include <linux/fs_struct.h>
  37#include <linux/pipe_fs_i.h>
  38#include <linux/oom.h>
  39#include <linux/compat.h>
  40#include <linux/fs.h>
  41#include <linux/path.h>
  42#include <linux/timekeeping.h>
  43
  44#include <linux/uaccess.h>
  45#include <asm/mmu_context.h>
  46#include <asm/tlb.h>
  47#include <asm/exec.h>
  48
  49#include <trace/events/task.h>
  50#include "internal.h"
  51
  52#include <trace/events/sched.h>
  53
  54int core_uses_pid;
  55unsigned int core_pipe_limit;
  56char core_pattern[CORENAME_MAX_SIZE] = "core";
  57static int core_name_size = CORENAME_MAX_SIZE;
  58
  59struct core_name {
  60        char *corename;
  61        int used, size;
  62};
  63
  64/* The maximal length of core_pattern is also specified in sysctl.c */
  65
  66static int expand_corename(struct core_name *cn, int size)
  67{
  68        char *corename = krealloc(cn->corename, size, GFP_KERNEL);
  69
  70        if (!corename)
  71                return -ENOMEM;
  72
  73        if (size > core_name_size) /* racy but harmless */
  74                core_name_size = size;
  75
  76        cn->size = ksize(corename);
  77        cn->corename = corename;
  78        return 0;
  79}
  80
  81static __printf(2, 0) int cn_vprintf(struct core_name *cn, const char *fmt,
  82                                     va_list arg)
  83{
  84        int free, need;
  85        va_list arg_copy;
  86
  87again:
  88        free = cn->size - cn->used;
  89
  90        va_copy(arg_copy, arg);
  91        need = vsnprintf(cn->corename + cn->used, free, fmt, arg_copy);
  92        va_end(arg_copy);
  93
  94        if (need < free) {
  95                cn->used += need;
  96                return 0;
  97        }
  98
  99        if (!expand_corename(cn, cn->size + need - free + 1))
 100                goto again;
 101
 102        return -ENOMEM;
 103}
 104
 105static __printf(2, 3) int cn_printf(struct core_name *cn, const char *fmt, ...)
 106{
 107        va_list arg;
 108        int ret;
 109
 110        va_start(arg, fmt);
 111        ret = cn_vprintf(cn, fmt, arg);
 112        va_end(arg);
 113
 114        return ret;
 115}
 116
 117static __printf(2, 3)
 118int cn_esc_printf(struct core_name *cn, const char *fmt, ...)
 119{
 120        int cur = cn->used;
 121        va_list arg;
 122        int ret;
 123
 124        va_start(arg, fmt);
 125        ret = cn_vprintf(cn, fmt, arg);
 126        va_end(arg);
 127
 128        if (ret == 0) {
 129                /*
 130                 * Ensure that this coredump name component can't cause the
 131                 * resulting corefile path to consist of a ".." or ".".
 132                 */
 133                if ((cn->used - cur == 1 && cn->corename[cur] == '.') ||
 134                                (cn->used - cur == 2 && cn->corename[cur] == '.'
 135                                && cn->corename[cur+1] == '.'))
 136                        cn->corename[cur] = '!';
 137
 138                /*
 139                 * Empty names are fishy and could be used to create a "//" in a
 140                 * corefile name, causing the coredump to happen one directory
 141                 * level too high. Enforce that all components of the core
 142                 * pattern are at least one character long.
 143                 */
 144                if (cn->used == cur)
 145                        ret = cn_printf(cn, "!");
 146        }
 147
 148        for (; cur < cn->used; ++cur) {
 149                if (cn->corename[cur] == '/')
 150                        cn->corename[cur] = '!';
 151        }
 152        return ret;
 153}
 154
 155static int cn_print_exe_file(struct core_name *cn)
 156{
 157        struct file *exe_file;
 158        char *pathbuf, *path;
 159        int ret;
 160
 161        exe_file = get_mm_exe_file(current->mm);
 162        if (!exe_file)
 163                return cn_esc_printf(cn, "%s (path unknown)", current->comm);
 164
 165        pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
 166        if (!pathbuf) {
 167                ret = -ENOMEM;
 168                goto put_exe_file;
 169        }
 170
 171        path = file_path(exe_file, pathbuf, PATH_MAX);
 172        if (IS_ERR(path)) {
 173                ret = PTR_ERR(path);
 174                goto free_buf;
 175        }
 176
 177        ret = cn_esc_printf(cn, "%s", path);
 178
 179free_buf:
 180        kfree(pathbuf);
 181put_exe_file:
 182        fput(exe_file);
 183        return ret;
 184}
 185
 186/* format_corename will inspect the pattern parameter, and output a
 187 * name into corename, which must have space for at least
 188 * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator.
 189 */
 190static int format_corename(struct core_name *cn, struct coredump_params *cprm)
 191{
 192        const struct cred *cred = current_cred();
 193        const char *pat_ptr = core_pattern;
 194        int ispipe = (*pat_ptr == '|');
 195        int pid_in_pattern = 0;
 196        int err = 0;
 197
 198        cn->used = 0;
 199        cn->corename = NULL;
 200        if (expand_corename(cn, core_name_size))
 201                return -ENOMEM;
 202        cn->corename[0] = '\0';
 203
 204        if (ispipe)
 205                ++pat_ptr;
 206
 207        /* Repeat as long as we have more pattern to process and more output
 208           space */
 209        while (*pat_ptr) {
 210                if (*pat_ptr != '%') {
 211                        err = cn_printf(cn, "%c", *pat_ptr++);
 212                } else {
 213                        switch (*++pat_ptr) {
 214                        /* single % at the end, drop that */
 215                        case 0:
 216                                goto out;
 217                        /* Double percent, output one percent */
 218                        case '%':
 219                                err = cn_printf(cn, "%c", '%');
 220                                break;
 221                        /* pid */
 222                        case 'p':
 223                                pid_in_pattern = 1;
 224                                err = cn_printf(cn, "%d",
 225                                              task_tgid_vnr(current));
 226                                break;
 227                        /* global pid */
 228                        case 'P':
 229                                err = cn_printf(cn, "%d",
 230                                              task_tgid_nr(current));
 231                                break;
 232                        case 'i':
 233                                err = cn_printf(cn, "%d",
 234                                              task_pid_vnr(current));
 235                                break;
 236                        case 'I':
 237                                err = cn_printf(cn, "%d",
 238                                              task_pid_nr(current));
 239                                break;
 240                        /* uid */
 241                        case 'u':
 242                                err = cn_printf(cn, "%u",
 243                                                from_kuid(&init_user_ns,
 244                                                          cred->uid));
 245                                break;
 246                        /* gid */
 247                        case 'g':
 248                                err = cn_printf(cn, "%u",
 249                                                from_kgid(&init_user_ns,
 250                                                          cred->gid));
 251                                break;
 252                        case 'd':
 253                                err = cn_printf(cn, "%d",
 254                                        __get_dumpable(cprm->mm_flags));
 255                                break;
 256                        /* signal that caused the coredump */
 257                        case 's':
 258                                err = cn_printf(cn, "%d",
 259                                                cprm->siginfo->si_signo);
 260                                break;
 261                        /* UNIX time of coredump */
 262                        case 't': {
 263                                time64_t time;
 264
 265                                time = ktime_get_real_seconds();
 266                                err = cn_printf(cn, "%lld", time);
 267                                break;
 268                        }
 269                        /* hostname */
 270                        case 'h':
 271                                down_read(&uts_sem);
 272                                err = cn_esc_printf(cn, "%s",
 273                                              utsname()->nodename);
 274                                up_read(&uts_sem);
 275                                break;
 276                        /* executable */
 277                        case 'e':
 278                                err = cn_esc_printf(cn, "%s", current->comm);
 279                                break;
 280                        case 'E':
 281                                err = cn_print_exe_file(cn);
 282                                break;
 283                        /* core limit size */
 284                        case 'c':
 285                                err = cn_printf(cn, "%lu",
 286                                              rlimit(RLIMIT_CORE));
 287                                break;
 288                        default:
 289                                break;
 290                        }
 291                        ++pat_ptr;
 292                }
 293
 294                if (err)
 295                        return err;
 296        }
 297
 298out:
 299        /* Backward compatibility with core_uses_pid:
 300         *
 301         * If core_pattern does not include a %p (as is the default)
 302         * and core_uses_pid is set, then .%pid will be appended to
 303         * the filename. Do not do this for piped commands. */
 304        if (!ispipe && !pid_in_pattern && core_uses_pid) {
 305                err = cn_printf(cn, ".%d", task_tgid_vnr(current));
 306                if (err)
 307                        return err;
 308        }
 309        return ispipe;
 310}
 311
 312static int zap_process(struct task_struct *start, int exit_code, int flags)
 313{
 314        struct task_struct *t;
 315        int nr = 0;
 316
 317        /* ignore all signals except SIGKILL, see prepare_signal() */
 318        start->signal->flags = SIGNAL_GROUP_COREDUMP | flags;
 319        start->signal->group_exit_code = exit_code;
 320        start->signal->group_stop_count = 0;
 321
 322        for_each_thread(start, t) {
 323                task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
 324                if (t != current && t->mm) {
 325                        sigaddset(&t->pending.signal, SIGKILL);
 326                        signal_wake_up(t, 1);
 327                        nr++;
 328                }
 329        }
 330
 331        return nr;
 332}
 333
 334static int zap_threads(struct task_struct *tsk, struct mm_struct *mm,
 335                        struct core_state *core_state, int exit_code)
 336{
 337        struct task_struct *g, *p;
 338        unsigned long flags;
 339        int nr = -EAGAIN;
 340
 341        spin_lock_irq(&tsk->sighand->siglock);
 342        if (!signal_group_exit(tsk->signal)) {
 343                mm->core_state = core_state;
 344                tsk->signal->group_exit_task = tsk;
 345                nr = zap_process(tsk, exit_code, 0);
 346                clear_tsk_thread_flag(tsk, TIF_SIGPENDING);
 347        }
 348        spin_unlock_irq(&tsk->sighand->siglock);
 349        if (unlikely(nr < 0))
 350                return nr;
 351
 352        tsk->flags |= PF_DUMPCORE;
 353        if (atomic_read(&mm->mm_users) == nr + 1)
 354                goto done;
 355        /*
 356         * We should find and kill all tasks which use this mm, and we should
 357         * count them correctly into ->nr_threads. We don't take tasklist
 358         * lock, but this is safe wrt:
 359         *
 360         * fork:
 361         *      None of sub-threads can fork after zap_process(leader). All
 362         *      processes which were created before this point should be
 363         *      visible to zap_threads() because copy_process() adds the new
 364         *      process to the tail of init_task.tasks list, and lock/unlock
 365         *      of ->siglock provides a memory barrier.
 366         *
 367         * do_exit:
 368         *      The caller holds mm->mmap_sem. This means that the task which
 369         *      uses this mm can't pass exit_mm(), so it can't exit or clear
 370         *      its ->mm.
 371         *
 372         * de_thread:
 373         *      It does list_replace_rcu(&leader->tasks, &current->tasks),
 374         *      we must see either old or new leader, this does not matter.
 375         *      However, it can change p->sighand, so lock_task_sighand(p)
 376         *      must be used. Since p->mm != NULL and we hold ->mmap_sem
 377         *      it can't fail.
 378         *
 379         *      Note also that "g" can be the old leader with ->mm == NULL
 380         *      and already unhashed and thus removed from ->thread_group.
 381         *      This is OK, __unhash_process()->list_del_rcu() does not
 382         *      clear the ->next pointer, we will find the new leader via
 383         *      next_thread().
 384         */
 385        rcu_read_lock();
 386        for_each_process(g) {
 387                if (g == tsk->group_leader)
 388                        continue;
 389                if (g->flags & PF_KTHREAD)
 390                        continue;
 391
 392                for_each_thread(g, p) {
 393                        if (unlikely(!p->mm))
 394                                continue;
 395                        if (unlikely(p->mm == mm)) {
 396                                lock_task_sighand(p, &flags);
 397                                nr += zap_process(p, exit_code,
 398                                                        SIGNAL_GROUP_EXIT);
 399                                unlock_task_sighand(p, &flags);
 400                        }
 401                        break;
 402                }
 403        }
 404        rcu_read_unlock();
 405done:
 406        atomic_set(&core_state->nr_threads, nr);
 407        return nr;
 408}
 409
 410static int coredump_wait(int exit_code, struct core_state *core_state)
 411{
 412        struct task_struct *tsk = current;
 413        struct mm_struct *mm = tsk->mm;
 414        int core_waiters = -EBUSY;
 415
 416        init_completion(&core_state->startup);
 417        core_state->dumper.task = tsk;
 418        core_state->dumper.next = NULL;
 419
 420        if (down_write_killable(&mm->mmap_sem))
 421                return -EINTR;
 422
 423        if (!mm->core_state)
 424                core_waiters = zap_threads(tsk, mm, core_state, exit_code);
 425        up_write(&mm->mmap_sem);
 426
 427        if (core_waiters > 0) {
 428                struct core_thread *ptr;
 429
 430                freezer_do_not_count();
 431                wait_for_completion(&core_state->startup);
 432                freezer_count();
 433                /*
 434                 * Wait for all the threads to become inactive, so that
 435                 * all the thread context (extended register state, like
 436                 * fpu etc) gets copied to the memory.
 437                 */
 438                ptr = core_state->dumper.next;
 439                while (ptr != NULL) {
 440                        wait_task_inactive(ptr->task, 0);
 441                        ptr = ptr->next;
 442                }
 443        }
 444
 445        return core_waiters;
 446}
 447
 448static void coredump_finish(struct mm_struct *mm, bool core_dumped)
 449{
 450        struct core_thread *curr, *next;
 451        struct task_struct *task;
 452
 453        spin_lock_irq(&current->sighand->siglock);
 454        if (core_dumped && !__fatal_signal_pending(current))
 455                current->signal->group_exit_code |= 0x80;
 456        current->signal->group_exit_task = NULL;
 457        current->signal->flags = SIGNAL_GROUP_EXIT;
 458        spin_unlock_irq(&current->sighand->siglock);
 459
 460        next = mm->core_state->dumper.next;
 461        while ((curr = next) != NULL) {
 462                next = curr->next;
 463                task = curr->task;
 464                /*
 465                 * see exit_mm(), curr->task must not see
 466                 * ->task == NULL before we read ->next.
 467                 */
 468                smp_mb();
 469                curr->task = NULL;
 470                wake_up_process(task);
 471        }
 472
 473        mm->core_state = NULL;
 474}
 475
 476static bool dump_interrupted(void)
 477{
 478        /*
 479         * SIGKILL or freezing() interrupt the coredumping. Perhaps we
 480         * can do try_to_freeze() and check __fatal_signal_pending(),
 481         * but then we need to teach dump_write() to restart and clear
 482         * TIF_SIGPENDING.
 483         */
 484        return signal_pending(current);
 485}
 486
 487static void wait_for_dump_helpers(struct file *file)
 488{
 489        struct pipe_inode_info *pipe = file->private_data;
 490
 491        pipe_lock(pipe);
 492        pipe->readers++;
 493        pipe->writers--;
 494        wake_up_interruptible_sync(&pipe->wait);
 495        kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
 496        pipe_unlock(pipe);
 497
 498        /*
 499         * We actually want wait_event_freezable() but then we need
 500         * to clear TIF_SIGPENDING and improve dump_interrupted().
 501         */
 502        wait_event_interruptible(pipe->wait, pipe->readers == 1);
 503
 504        pipe_lock(pipe);
 505        pipe->readers--;
 506        pipe->writers++;
 507        pipe_unlock(pipe);
 508}
 509
 510/*
 511 * umh_pipe_setup
 512 * helper function to customize the process used
 513 * to collect the core in userspace.  Specifically
 514 * it sets up a pipe and installs it as fd 0 (stdin)
 515 * for the process.  Returns 0 on success, or
 516 * PTR_ERR on failure.
 517 * Note that it also sets the core limit to 1.  This
 518 * is a special value that we use to trap recursive
 519 * core dumps
 520 */
 521static int umh_pipe_setup(struct subprocess_info *info, struct cred *new)
 522{
 523        struct file *files[2];
 524        struct coredump_params *cp = (struct coredump_params *)info->data;
 525        int err = create_pipe_files(files, 0);
 526        if (err)
 527                return err;
 528
 529        cp->file = files[1];
 530
 531        err = replace_fd(0, files[0], 0);
 532        fput(files[0]);
 533        /* and disallow core files too */
 534        current->signal->rlim[RLIMIT_CORE] = (struct rlimit){1, 1};
 535
 536        return err;
 537}
 538
 539void do_coredump(const siginfo_t *siginfo)
 540{
 541        struct core_state core_state;
 542        struct core_name cn;
 543        struct mm_struct *mm = current->mm;
 544        struct linux_binfmt * binfmt;
 545        const struct cred *old_cred;
 546        struct cred *cred;
 547        int retval = 0;
 548        int ispipe;
 549        struct files_struct *displaced;
 550        /* require nonrelative corefile path and be extra careful */
 551        bool need_suid_safe = false;
 552        bool core_dumped = false;
 553        static atomic_t core_dump_count = ATOMIC_INIT(0);
 554        struct coredump_params cprm = {
 555                .siginfo = siginfo,
 556                .regs = signal_pt_regs(),
 557                .limit = rlimit(RLIMIT_CORE),
 558                /*
 559                 * We must use the same mm->flags while dumping core to avoid
 560                 * inconsistency of bit flags, since this flag is not protected
 561                 * by any locks.
 562                 */
 563                .mm_flags = mm->flags,
 564        };
 565
 566        audit_core_dumps(siginfo->si_signo);
 567
 568        binfmt = mm->binfmt;
 569        if (!binfmt || !binfmt->core_dump)
 570                goto fail;
 571        if (!__get_dumpable(cprm.mm_flags))
 572                goto fail;
 573
 574        cred = prepare_creds();
 575        if (!cred)
 576                goto fail;
 577        /*
 578         * We cannot trust fsuid as being the "true" uid of the process
 579         * nor do we know its entire history. We only know it was tainted
 580         * so we dump it as root in mode 2, and only into a controlled
 581         * environment (pipe handler or fully qualified path).
 582         */
 583        if (__get_dumpable(cprm.mm_flags) == SUID_DUMP_ROOT) {
 584                /* Setuid core dump mode */
 585                cred->fsuid = GLOBAL_ROOT_UID;  /* Dump root private */
 586                need_suid_safe = true;
 587        }
 588
 589        retval = coredump_wait(siginfo->si_signo, &core_state);
 590        if (retval < 0)
 591                goto fail_creds;
 592
 593        old_cred = override_creds(cred);
 594
 595        ispipe = format_corename(&cn, &cprm);
 596
 597        if (ispipe) {
 598                int dump_count;
 599                char **helper_argv;
 600                struct subprocess_info *sub_info;
 601
 602                if (ispipe < 0) {
 603                        printk(KERN_WARNING "format_corename failed\n");
 604                        printk(KERN_WARNING "Aborting core\n");
 605                        goto fail_unlock;
 606                }
 607
 608                if (cprm.limit == 1) {
 609                        /* See umh_pipe_setup() which sets RLIMIT_CORE = 1.
 610                         *
 611                         * Normally core limits are irrelevant to pipes, since
 612                         * we're not writing to the file system, but we use
 613                         * cprm.limit of 1 here as a special value, this is a
 614                         * consistent way to catch recursive crashes.
 615                         * We can still crash if the core_pattern binary sets
 616                         * RLIM_CORE = !1, but it runs as root, and can do
 617                         * lots of stupid things.
 618                         *
 619                         * Note that we use task_tgid_vnr here to grab the pid
 620                         * of the process group leader.  That way we get the
 621                         * right pid if a thread in a multi-threaded
 622                         * core_pattern process dies.
 623                         */
 624                        printk(KERN_WARNING
 625                                "Process %d(%s) has RLIMIT_CORE set to 1\n",
 626                                task_tgid_vnr(current), current->comm);
 627                        printk(KERN_WARNING "Aborting core\n");
 628                        goto fail_unlock;
 629                }
 630                cprm.limit = RLIM_INFINITY;
 631
 632                dump_count = atomic_inc_return(&core_dump_count);
 633                if (core_pipe_limit && (core_pipe_limit < dump_count)) {
 634                        printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
 635                               task_tgid_vnr(current), current->comm);
 636                        printk(KERN_WARNING "Skipping core dump\n");
 637                        goto fail_dropcount;
 638                }
 639
 640                helper_argv = argv_split(GFP_KERNEL, cn.corename, NULL);
 641                if (!helper_argv) {
 642                        printk(KERN_WARNING "%s failed to allocate memory\n",
 643                               __func__);
 644                        goto fail_dropcount;
 645                }
 646
 647                retval = -ENOMEM;
 648                sub_info = call_usermodehelper_setup(helper_argv[0],
 649                                                helper_argv, NULL, GFP_KERNEL,
 650                                                umh_pipe_setup, NULL, &cprm);
 651                if (sub_info)
 652                        retval = call_usermodehelper_exec(sub_info,
 653                                                          UMH_WAIT_EXEC);
 654
 655                argv_free(helper_argv);
 656                if (retval) {
 657                        printk(KERN_INFO "Core dump to |%s pipe failed\n",
 658                               cn.corename);
 659                        goto close_fail;
 660                }
 661        } else {
 662                struct inode *inode;
 663                int open_flags = O_CREAT | O_RDWR | O_NOFOLLOW |
 664                                 O_LARGEFILE | O_EXCL;
 665
 666                if (cprm.limit < binfmt->min_coredump)
 667                        goto fail_unlock;
 668
 669                if (need_suid_safe && cn.corename[0] != '/') {
 670                        printk(KERN_WARNING "Pid %d(%s) can only dump core "\
 671                                "to fully qualified path!\n",
 672                                task_tgid_vnr(current), current->comm);
 673                        printk(KERN_WARNING "Skipping core dump\n");
 674                        goto fail_unlock;
 675                }
 676
 677                /*
 678                 * Unlink the file if it exists unless this is a SUID
 679                 * binary - in that case, we're running around with root
 680                 * privs and don't want to unlink another user's coredump.
 681                 */
 682                if (!need_suid_safe) {
 683                        mm_segment_t old_fs;
 684
 685                        old_fs = get_fs();
 686                        set_fs(KERNEL_DS);
 687                        /*
 688                         * If it doesn't exist, that's fine. If there's some
 689                         * other problem, we'll catch it at the filp_open().
 690                         */
 691                        (void) sys_unlink((const char __user *)cn.corename);
 692                        set_fs(old_fs);
 693                }
 694
 695                /*
 696                 * There is a race between unlinking and creating the
 697                 * file, but if that causes an EEXIST here, that's
 698                 * fine - another process raced with us while creating
 699                 * the corefile, and the other process won. To userspace,
 700                 * what matters is that at least one of the two processes
 701                 * writes its coredump successfully, not which one.
 702                 */
 703                if (need_suid_safe) {
 704                        /*
 705                         * Using user namespaces, normal user tasks can change
 706                         * their current->fs->root to point to arbitrary
 707                         * directories. Since the intention of the "only dump
 708                         * with a fully qualified path" rule is to control where
 709                         * coredumps may be placed using root privileges,
 710                         * current->fs->root must not be used. Instead, use the
 711                         * root directory of init_task.
 712                         */
 713                        struct path root;
 714
 715                        task_lock(&init_task);
 716                        get_fs_root(init_task.fs, &root);
 717                        task_unlock(&init_task);
 718                        cprm.file = file_open_root(root.dentry, root.mnt,
 719                                cn.corename, open_flags, 0600);
 720                        path_put(&root);
 721                } else {
 722                        cprm.file = filp_open(cn.corename, open_flags, 0600);
 723                }
 724                if (IS_ERR(cprm.file))
 725                        goto fail_unlock;
 726
 727                inode = file_inode(cprm.file);
 728                if (inode->i_nlink > 1)
 729                        goto close_fail;
 730                if (d_unhashed(cprm.file->f_path.dentry))
 731                        goto close_fail;
 732                /*
 733                 * AK: actually i see no reason to not allow this for named
 734                 * pipes etc, but keep the previous behaviour for now.
 735                 */
 736                if (!S_ISREG(inode->i_mode))
 737                        goto close_fail;
 738                /*
 739                 * Don't dump core if the filesystem changed owner or mode
 740                 * of the file during file creation. This is an issue when
 741                 * a process dumps core while its cwd is e.g. on a vfat
 742                 * filesystem.
 743                 */
 744                if (!uid_eq(inode->i_uid, current_fsuid()))
 745                        goto close_fail;
 746                if ((inode->i_mode & 0677) != 0600)
 747                        goto close_fail;
 748                if (!(cprm.file->f_mode & FMODE_CAN_WRITE))
 749                        goto close_fail;
 750                if (do_truncate(cprm.file->f_path.dentry, 0, 0, cprm.file))
 751                        goto close_fail;
 752        }
 753
 754        /* get us an unshared descriptor table; almost always a no-op */
 755        retval = unshare_files(&displaced);
 756        if (retval)
 757                goto close_fail;
 758        if (displaced)
 759                put_files_struct(displaced);
 760        if (!dump_interrupted()) {
 761                file_start_write(cprm.file);
 762                core_dumped = binfmt->core_dump(&cprm);
 763                file_end_write(cprm.file);
 764        }
 765        if (ispipe && core_pipe_limit)
 766                wait_for_dump_helpers(cprm.file);
 767close_fail:
 768        if (cprm.file)
 769                filp_close(cprm.file, NULL);
 770fail_dropcount:
 771        if (ispipe)
 772                atomic_dec(&core_dump_count);
 773fail_unlock:
 774        kfree(cn.corename);
 775        coredump_finish(mm, core_dumped);
 776        revert_creds(old_cred);
 777fail_creds:
 778        put_cred(cred);
 779fail:
 780        return;
 781}
 782
 783/*
 784 * Core dumping helper functions.  These are the only things you should
 785 * do on a core-file: use only these functions to write out all the
 786 * necessary info.
 787 */
 788int dump_emit(struct coredump_params *cprm, const void *addr, int nr)
 789{
 790        struct file *file = cprm->file;
 791        loff_t pos = file->f_pos;
 792        ssize_t n;
 793        if (cprm->written + nr > cprm->limit)
 794                return 0;
 795        while (nr) {
 796                if (dump_interrupted())
 797                        return 0;
 798                n = __kernel_write(file, addr, nr, &pos);
 799                if (n <= 0)
 800                        return 0;
 801                file->f_pos = pos;
 802                cprm->written += n;
 803                cprm->pos += n;
 804                nr -= n;
 805        }
 806        return 1;
 807}
 808EXPORT_SYMBOL(dump_emit);
 809
 810int dump_skip(struct coredump_params *cprm, size_t nr)
 811{
 812        static char zeroes[PAGE_SIZE];
 813        struct file *file = cprm->file;
 814        if (file->f_op->llseek && file->f_op->llseek != no_llseek) {
 815                if (dump_interrupted() ||
 816                    file->f_op->llseek(file, nr, SEEK_CUR) < 0)
 817                        return 0;
 818                cprm->pos += nr;
 819                return 1;
 820        } else {
 821                while (nr > PAGE_SIZE) {
 822                        if (!dump_emit(cprm, zeroes, PAGE_SIZE))
 823                                return 0;
 824                        nr -= PAGE_SIZE;
 825                }
 826                return dump_emit(cprm, zeroes, nr);
 827        }
 828}
 829EXPORT_SYMBOL(dump_skip);
 830
 831int dump_align(struct coredump_params *cprm, int align)
 832{
 833        unsigned mod = cprm->pos & (align - 1);
 834        if (align & (align - 1))
 835                return 0;
 836        return mod ? dump_skip(cprm, align - mod) : 1;
 837}
 838EXPORT_SYMBOL(dump_align);
 839
 840/*
 841 * Ensures that file size is big enough to contain the current file
 842 * postion. This prevents gdb from complaining about a truncated file
 843 * if the last "write" to the file was dump_skip.
 844 */
 845void dump_truncate(struct coredump_params *cprm)
 846{
 847        struct file *file = cprm->file;
 848        loff_t offset;
 849
 850        if (file->f_op->llseek && file->f_op->llseek != no_llseek) {
 851                offset = file->f_op->llseek(file, 0, SEEK_CUR);
 852                if (i_size_read(file->f_mapping->host) < offset)
 853                        do_truncate(file->f_path.dentry, offset, 0, file);
 854        }
 855}
 856EXPORT_SYMBOL(dump_truncate);
 857