This source file includes following definitions.
- expand_corename
- __printf
- __printf
- __printf
- cn_print_exe_file
- format_corename
- zap_process
- zap_threads
- coredump_wait
- coredump_finish
- dump_interrupted
- wait_for_dump_helpers
- umh_pipe_setup
- do_coredump
- dump_emit
- dump_skip
- dump_align
- dump_truncate
1
2 #include <linux/slab.h>
3 #include <linux/file.h>
4 #include <linux/fdtable.h>
5 #include <linux/freezer.h>
6 #include <linux/mm.h>
7 #include <linux/stat.h>
8 #include <linux/fcntl.h>
9 #include <linux/swap.h>
10 #include <linux/ctype.h>
11 #include <linux/string.h>
12 #include <linux/init.h>
13 #include <linux/pagemap.h>
14 #include <linux/perf_event.h>
15 #include <linux/highmem.h>
16 #include <linux/spinlock.h>
17 #include <linux/key.h>
18 #include <linux/personality.h>
19 #include <linux/binfmts.h>
20 #include <linux/coredump.h>
21 #include <linux/sched/coredump.h>
22 #include <linux/sched/signal.h>
23 #include <linux/sched/task_stack.h>
24 #include <linux/utsname.h>
25 #include <linux/pid_namespace.h>
26 #include <linux/module.h>
27 #include <linux/namei.h>
28 #include <linux/mount.h>
29 #include <linux/security.h>
30 #include <linux/syscalls.h>
31 #include <linux/tsacct_kern.h>
32 #include <linux/cn_proc.h>
33 #include <linux/audit.h>
34 #include <linux/tracehook.h>
35 #include <linux/kmod.h>
36 #include <linux/fsnotify.h>
37 #include <linux/fs_struct.h>
38 #include <linux/pipe_fs_i.h>
39 #include <linux/oom.h>
40 #include <linux/compat.h>
41 #include <linux/fs.h>
42 #include <linux/path.h>
43 #include <linux/timekeeping.h>
44
45 #include <linux/uaccess.h>
46 #include <asm/mmu_context.h>
47 #include <asm/tlb.h>
48 #include <asm/exec.h>
49
50 #include <trace/events/task.h>
51 #include "internal.h"
52
53 #include <trace/events/sched.h>
54
55 int core_uses_pid;
56 unsigned int core_pipe_limit;
57 char core_pattern[CORENAME_MAX_SIZE] = "core";
58 static int core_name_size = CORENAME_MAX_SIZE;
59
60 struct core_name {
61 char *corename;
62 int used, size;
63 };
64
65
66
67 static int expand_corename(struct core_name *cn, int size)
68 {
69 char *corename = krealloc(cn->corename, size, GFP_KERNEL);
70
71 if (!corename)
72 return -ENOMEM;
73
74 if (size > core_name_size)
75 core_name_size = size;
76
77 cn->size = ksize(corename);
78 cn->corename = corename;
79 return 0;
80 }
81
82 static __printf(2, 0) int cn_vprintf(struct core_name *cn, const char *fmt,
83 va_list arg)
84 {
85 int free, need;
86 va_list arg_copy;
87
88 again:
89 free = cn->size - cn->used;
90
91 va_copy(arg_copy, arg);
92 need = vsnprintf(cn->corename + cn->used, free, fmt, arg_copy);
93 va_end(arg_copy);
94
95 if (need < free) {
96 cn->used += need;
97 return 0;
98 }
99
100 if (!expand_corename(cn, cn->size + need - free + 1))
101 goto again;
102
103 return -ENOMEM;
104 }
105
106 static __printf(2, 3) int cn_printf(struct core_name *cn, const char *fmt, ...)
107 {
108 va_list arg;
109 int ret;
110
111 va_start(arg, fmt);
112 ret = cn_vprintf(cn, fmt, arg);
113 va_end(arg);
114
115 return ret;
116 }
117
118 static __printf(2, 3)
119 int cn_esc_printf(struct core_name *cn, const char *fmt, ...)
120 {
121 int cur = cn->used;
122 va_list arg;
123 int ret;
124
125 va_start(arg, fmt);
126 ret = cn_vprintf(cn, fmt, arg);
127 va_end(arg);
128
129 if (ret == 0) {
130
131
132
133
134 if ((cn->used - cur == 1 && cn->corename[cur] == '.') ||
135 (cn->used - cur == 2 && cn->corename[cur] == '.'
136 && cn->corename[cur+1] == '.'))
137 cn->corename[cur] = '!';
138
139
140
141
142
143
144
145 if (cn->used == cur)
146 ret = cn_printf(cn, "!");
147 }
148
149 for (; cur < cn->used; ++cur) {
150 if (cn->corename[cur] == '/')
151 cn->corename[cur] = '!';
152 }
153 return ret;
154 }
155
156 static int cn_print_exe_file(struct core_name *cn)
157 {
158 struct file *exe_file;
159 char *pathbuf, *path;
160 int ret;
161
162 exe_file = get_mm_exe_file(current->mm);
163 if (!exe_file)
164 return cn_esc_printf(cn, "%s (path unknown)", current->comm);
165
166 pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
167 if (!pathbuf) {
168 ret = -ENOMEM;
169 goto put_exe_file;
170 }
171
172 path = file_path(exe_file, pathbuf, PATH_MAX);
173 if (IS_ERR(path)) {
174 ret = PTR_ERR(path);
175 goto free_buf;
176 }
177
178 ret = cn_esc_printf(cn, "%s", path);
179
180 free_buf:
181 kfree(pathbuf);
182 put_exe_file:
183 fput(exe_file);
184 return ret;
185 }
186
187
188
189
190
191 static int format_corename(struct core_name *cn, struct coredump_params *cprm,
192 size_t **argv, int *argc)
193 {
194 const struct cred *cred = current_cred();
195 const char *pat_ptr = core_pattern;
196 int ispipe = (*pat_ptr == '|');
197 bool was_space = false;
198 int pid_in_pattern = 0;
199 int err = 0;
200
201 cn->used = 0;
202 cn->corename = NULL;
203 if (expand_corename(cn, core_name_size))
204 return -ENOMEM;
205 cn->corename[0] = '\0';
206
207 if (ispipe) {
208 int argvs = sizeof(core_pattern) / 2;
209 (*argv) = kmalloc_array(argvs, sizeof(**argv), GFP_KERNEL);
210 if (!(*argv))
211 return -ENOMEM;
212 (*argv)[(*argc)++] = 0;
213 ++pat_ptr;
214 if (!(*pat_ptr))
215 return -ENOMEM;
216 }
217
218
219
220 while (*pat_ptr) {
221
222
223
224
225 if (ispipe) {
226 if (isspace(*pat_ptr)) {
227 was_space = true;
228 pat_ptr++;
229 continue;
230 } else if (was_space) {
231 was_space = false;
232 err = cn_printf(cn, "%c", '\0');
233 if (err)
234 return err;
235 (*argv)[(*argc)++] = cn->used;
236 }
237 }
238 if (*pat_ptr != '%') {
239 err = cn_printf(cn, "%c", *pat_ptr++);
240 } else {
241 switch (*++pat_ptr) {
242
243 case 0:
244 goto out;
245
246 case '%':
247 err = cn_printf(cn, "%c", '%');
248 break;
249
250 case 'p':
251 pid_in_pattern = 1;
252 err = cn_printf(cn, "%d",
253 task_tgid_vnr(current));
254 break;
255
256 case 'P':
257 err = cn_printf(cn, "%d",
258 task_tgid_nr(current));
259 break;
260 case 'i':
261 err = cn_printf(cn, "%d",
262 task_pid_vnr(current));
263 break;
264 case 'I':
265 err = cn_printf(cn, "%d",
266 task_pid_nr(current));
267 break;
268
269 case 'u':
270 err = cn_printf(cn, "%u",
271 from_kuid(&init_user_ns,
272 cred->uid));
273 break;
274
275 case 'g':
276 err = cn_printf(cn, "%u",
277 from_kgid(&init_user_ns,
278 cred->gid));
279 break;
280 case 'd':
281 err = cn_printf(cn, "%d",
282 __get_dumpable(cprm->mm_flags));
283 break;
284
285 case 's':
286 err = cn_printf(cn, "%d",
287 cprm->siginfo->si_signo);
288 break;
289
290 case 't': {
291 time64_t time;
292
293 time = ktime_get_real_seconds();
294 err = cn_printf(cn, "%lld", time);
295 break;
296 }
297
298 case 'h':
299 down_read(&uts_sem);
300 err = cn_esc_printf(cn, "%s",
301 utsname()->nodename);
302 up_read(&uts_sem);
303 break;
304
305 case 'e':
306 err = cn_esc_printf(cn, "%s", current->comm);
307 break;
308 case 'E':
309 err = cn_print_exe_file(cn);
310 break;
311
312 case 'c':
313 err = cn_printf(cn, "%lu",
314 rlimit(RLIMIT_CORE));
315 break;
316 default:
317 break;
318 }
319 ++pat_ptr;
320 }
321
322 if (err)
323 return err;
324 }
325
326 out:
327
328
329
330
331
332 if (!ispipe && !pid_in_pattern && core_uses_pid) {
333 err = cn_printf(cn, ".%d", task_tgid_vnr(current));
334 if (err)
335 return err;
336 }
337 return ispipe;
338 }
339
340 static int zap_process(struct task_struct *start, int exit_code, int flags)
341 {
342 struct task_struct *t;
343 int nr = 0;
344
345
346 start->signal->flags = SIGNAL_GROUP_COREDUMP | flags;
347 start->signal->group_exit_code = exit_code;
348 start->signal->group_stop_count = 0;
349
350 for_each_thread(start, t) {
351 task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
352 if (t != current && t->mm) {
353 sigaddset(&t->pending.signal, SIGKILL);
354 signal_wake_up(t, 1);
355 nr++;
356 }
357 }
358
359 return nr;
360 }
361
362 static int zap_threads(struct task_struct *tsk, struct mm_struct *mm,
363 struct core_state *core_state, int exit_code)
364 {
365 struct task_struct *g, *p;
366 unsigned long flags;
367 int nr = -EAGAIN;
368
369 spin_lock_irq(&tsk->sighand->siglock);
370 if (!signal_group_exit(tsk->signal)) {
371 mm->core_state = core_state;
372 tsk->signal->group_exit_task = tsk;
373 nr = zap_process(tsk, exit_code, 0);
374 clear_tsk_thread_flag(tsk, TIF_SIGPENDING);
375 }
376 spin_unlock_irq(&tsk->sighand->siglock);
377 if (unlikely(nr < 0))
378 return nr;
379
380 tsk->flags |= PF_DUMPCORE;
381 if (atomic_read(&mm->mm_users) == nr + 1)
382 goto done;
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413 rcu_read_lock();
414 for_each_process(g) {
415 if (g == tsk->group_leader)
416 continue;
417 if (g->flags & PF_KTHREAD)
418 continue;
419
420 for_each_thread(g, p) {
421 if (unlikely(!p->mm))
422 continue;
423 if (unlikely(p->mm == mm)) {
424 lock_task_sighand(p, &flags);
425 nr += zap_process(p, exit_code,
426 SIGNAL_GROUP_EXIT);
427 unlock_task_sighand(p, &flags);
428 }
429 break;
430 }
431 }
432 rcu_read_unlock();
433 done:
434 atomic_set(&core_state->nr_threads, nr);
435 return nr;
436 }
437
438 static int coredump_wait(int exit_code, struct core_state *core_state)
439 {
440 struct task_struct *tsk = current;
441 struct mm_struct *mm = tsk->mm;
442 int core_waiters = -EBUSY;
443
444 init_completion(&core_state->startup);
445 core_state->dumper.task = tsk;
446 core_state->dumper.next = NULL;
447
448 if (down_write_killable(&mm->mmap_sem))
449 return -EINTR;
450
451 if (!mm->core_state)
452 core_waiters = zap_threads(tsk, mm, core_state, exit_code);
453 up_write(&mm->mmap_sem);
454
455 if (core_waiters > 0) {
456 struct core_thread *ptr;
457
458 freezer_do_not_count();
459 wait_for_completion(&core_state->startup);
460 freezer_count();
461
462
463
464
465
466 ptr = core_state->dumper.next;
467 while (ptr != NULL) {
468 wait_task_inactive(ptr->task, 0);
469 ptr = ptr->next;
470 }
471 }
472
473 return core_waiters;
474 }
475
476 static void coredump_finish(struct mm_struct *mm, bool core_dumped)
477 {
478 struct core_thread *curr, *next;
479 struct task_struct *task;
480
481 spin_lock_irq(¤t->sighand->siglock);
482 if (core_dumped && !__fatal_signal_pending(current))
483 current->signal->group_exit_code |= 0x80;
484 current->signal->group_exit_task = NULL;
485 current->signal->flags = SIGNAL_GROUP_EXIT;
486 spin_unlock_irq(¤t->sighand->siglock);
487
488 next = mm->core_state->dumper.next;
489 while ((curr = next) != NULL) {
490 next = curr->next;
491 task = curr->task;
492
493
494
495
496 smp_mb();
497 curr->task = NULL;
498 wake_up_process(task);
499 }
500
501 mm->core_state = NULL;
502 }
503
504 static bool dump_interrupted(void)
505 {
506
507
508
509
510
511
512 return signal_pending(current);
513 }
514
515 static void wait_for_dump_helpers(struct file *file)
516 {
517 struct pipe_inode_info *pipe = file->private_data;
518
519 pipe_lock(pipe);
520 pipe->readers++;
521 pipe->writers--;
522 wake_up_interruptible_sync(&pipe->wait);
523 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
524 pipe_unlock(pipe);
525
526
527
528
529
530 wait_event_interruptible(pipe->wait, pipe->readers == 1);
531
532 pipe_lock(pipe);
533 pipe->readers--;
534 pipe->writers++;
535 pipe_unlock(pipe);
536 }
537
538
539
540
541
542
543
544
545
546
547
548
549 static int umh_pipe_setup(struct subprocess_info *info, struct cred *new)
550 {
551 struct file *files[2];
552 struct coredump_params *cp = (struct coredump_params *)info->data;
553 int err = create_pipe_files(files, 0);
554 if (err)
555 return err;
556
557 cp->file = files[1];
558
559 err = replace_fd(0, files[0], 0);
560 fput(files[0]);
561
562 current->signal->rlim[RLIMIT_CORE] = (struct rlimit){1, 1};
563
564 return err;
565 }
566
567 void do_coredump(const kernel_siginfo_t *siginfo)
568 {
569 struct core_state core_state;
570 struct core_name cn;
571 struct mm_struct *mm = current->mm;
572 struct linux_binfmt * binfmt;
573 const struct cred *old_cred;
574 struct cred *cred;
575 int retval = 0;
576 int ispipe;
577 size_t *argv = NULL;
578 int argc = 0;
579 struct files_struct *displaced;
580
581 bool need_suid_safe = false;
582 bool core_dumped = false;
583 static atomic_t core_dump_count = ATOMIC_INIT(0);
584 struct coredump_params cprm = {
585 .siginfo = siginfo,
586 .regs = signal_pt_regs(),
587 .limit = rlimit(RLIMIT_CORE),
588
589
590
591
592
593 .mm_flags = mm->flags,
594 };
595
596 audit_core_dumps(siginfo->si_signo);
597
598 binfmt = mm->binfmt;
599 if (!binfmt || !binfmt->core_dump)
600 goto fail;
601 if (!__get_dumpable(cprm.mm_flags))
602 goto fail;
603
604 cred = prepare_creds();
605 if (!cred)
606 goto fail;
607
608
609
610
611
612
613 if (__get_dumpable(cprm.mm_flags) == SUID_DUMP_ROOT) {
614
615 cred->fsuid = GLOBAL_ROOT_UID;
616 need_suid_safe = true;
617 }
618
619 retval = coredump_wait(siginfo->si_signo, &core_state);
620 if (retval < 0)
621 goto fail_creds;
622
623 old_cred = override_creds(cred);
624
625 ispipe = format_corename(&cn, &cprm, &argv, &argc);
626
627 if (ispipe) {
628 int argi;
629 int dump_count;
630 char **helper_argv;
631 struct subprocess_info *sub_info;
632
633 if (ispipe < 0) {
634 printk(KERN_WARNING "format_corename failed\n");
635 printk(KERN_WARNING "Aborting core\n");
636 goto fail_unlock;
637 }
638
639 if (cprm.limit == 1) {
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655 printk(KERN_WARNING
656 "Process %d(%s) has RLIMIT_CORE set to 1\n",
657 task_tgid_vnr(current), current->comm);
658 printk(KERN_WARNING "Aborting core\n");
659 goto fail_unlock;
660 }
661 cprm.limit = RLIM_INFINITY;
662
663 dump_count = atomic_inc_return(&core_dump_count);
664 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
665 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
666 task_tgid_vnr(current), current->comm);
667 printk(KERN_WARNING "Skipping core dump\n");
668 goto fail_dropcount;
669 }
670
671 helper_argv = kmalloc_array(argc + 1, sizeof(*helper_argv),
672 GFP_KERNEL);
673 if (!helper_argv) {
674 printk(KERN_WARNING "%s failed to allocate memory\n",
675 __func__);
676 goto fail_dropcount;
677 }
678 for (argi = 0; argi < argc; argi++)
679 helper_argv[argi] = cn.corename + argv[argi];
680 helper_argv[argi] = NULL;
681
682 retval = -ENOMEM;
683 sub_info = call_usermodehelper_setup(helper_argv[0],
684 helper_argv, NULL, GFP_KERNEL,
685 umh_pipe_setup, NULL, &cprm);
686 if (sub_info)
687 retval = call_usermodehelper_exec(sub_info,
688 UMH_WAIT_EXEC);
689
690 kfree(helper_argv);
691 if (retval) {
692 printk(KERN_INFO "Core dump to |%s pipe failed\n",
693 cn.corename);
694 goto close_fail;
695 }
696 } else {
697 struct inode *inode;
698 int open_flags = O_CREAT | O_RDWR | O_NOFOLLOW |
699 O_LARGEFILE | O_EXCL;
700
701 if (cprm.limit < binfmt->min_coredump)
702 goto fail_unlock;
703
704 if (need_suid_safe && cn.corename[0] != '/') {
705 printk(KERN_WARNING "Pid %d(%s) can only dump core "\
706 "to fully qualified path!\n",
707 task_tgid_vnr(current), current->comm);
708 printk(KERN_WARNING "Skipping core dump\n");
709 goto fail_unlock;
710 }
711
712
713
714
715
716
717 if (!need_suid_safe) {
718
719
720
721
722 do_unlinkat(AT_FDCWD, getname_kernel(cn.corename));
723 }
724
725
726
727
728
729
730
731
732
733 if (need_suid_safe) {
734
735
736
737
738
739
740
741
742
743 struct path root;
744
745 task_lock(&init_task);
746 get_fs_root(init_task.fs, &root);
747 task_unlock(&init_task);
748 cprm.file = file_open_root(root.dentry, root.mnt,
749 cn.corename, open_flags, 0600);
750 path_put(&root);
751 } else {
752 cprm.file = filp_open(cn.corename, open_flags, 0600);
753 }
754 if (IS_ERR(cprm.file))
755 goto fail_unlock;
756
757 inode = file_inode(cprm.file);
758 if (inode->i_nlink > 1)
759 goto close_fail;
760 if (d_unhashed(cprm.file->f_path.dentry))
761 goto close_fail;
762
763
764
765
766 if (!S_ISREG(inode->i_mode))
767 goto close_fail;
768
769
770
771
772
773
774 if (!uid_eq(inode->i_uid, current_fsuid()))
775 goto close_fail;
776 if ((inode->i_mode & 0677) != 0600)
777 goto close_fail;
778 if (!(cprm.file->f_mode & FMODE_CAN_WRITE))
779 goto close_fail;
780 if (do_truncate(cprm.file->f_path.dentry, 0, 0, cprm.file))
781 goto close_fail;
782 }
783
784
785 retval = unshare_files(&displaced);
786 if (retval)
787 goto close_fail;
788 if (displaced)
789 put_files_struct(displaced);
790 if (!dump_interrupted()) {
791
792
793
794
795 if (!cprm.file) {
796 pr_info("Core dump to |%s disabled\n", cn.corename);
797 goto close_fail;
798 }
799 file_start_write(cprm.file);
800 core_dumped = binfmt->core_dump(&cprm);
801 file_end_write(cprm.file);
802 }
803 if (ispipe && core_pipe_limit)
804 wait_for_dump_helpers(cprm.file);
805 close_fail:
806 if (cprm.file)
807 filp_close(cprm.file, NULL);
808 fail_dropcount:
809 if (ispipe)
810 atomic_dec(&core_dump_count);
811 fail_unlock:
812 kfree(argv);
813 kfree(cn.corename);
814 coredump_finish(mm, core_dumped);
815 revert_creds(old_cred);
816 fail_creds:
817 put_cred(cred);
818 fail:
819 return;
820 }
821
822
823
824
825
826
827 int dump_emit(struct coredump_params *cprm, const void *addr, int nr)
828 {
829 struct file *file = cprm->file;
830 loff_t pos = file->f_pos;
831 ssize_t n;
832 if (cprm->written + nr > cprm->limit)
833 return 0;
834 while (nr) {
835 if (dump_interrupted())
836 return 0;
837 n = __kernel_write(file, addr, nr, &pos);
838 if (n <= 0)
839 return 0;
840 file->f_pos = pos;
841 cprm->written += n;
842 cprm->pos += n;
843 nr -= n;
844 }
845 return 1;
846 }
847 EXPORT_SYMBOL(dump_emit);
848
849 int dump_skip(struct coredump_params *cprm, size_t nr)
850 {
851 static char zeroes[PAGE_SIZE];
852 struct file *file = cprm->file;
853 if (file->f_op->llseek && file->f_op->llseek != no_llseek) {
854 if (dump_interrupted() ||
855 file->f_op->llseek(file, nr, SEEK_CUR) < 0)
856 return 0;
857 cprm->pos += nr;
858 return 1;
859 } else {
860 while (nr > PAGE_SIZE) {
861 if (!dump_emit(cprm, zeroes, PAGE_SIZE))
862 return 0;
863 nr -= PAGE_SIZE;
864 }
865 return dump_emit(cprm, zeroes, nr);
866 }
867 }
868 EXPORT_SYMBOL(dump_skip);
869
870 int dump_align(struct coredump_params *cprm, int align)
871 {
872 unsigned mod = cprm->pos & (align - 1);
873 if (align & (align - 1))
874 return 0;
875 return mod ? dump_skip(cprm, align - mod) : 1;
876 }
877 EXPORT_SYMBOL(dump_align);
878
879
880
881
882
883
884 void dump_truncate(struct coredump_params *cprm)
885 {
886 struct file *file = cprm->file;
887 loff_t offset;
888
889 if (file->f_op->llseek && file->f_op->llseek != no_llseek) {
890 offset = file->f_op->llseek(file, 0, SEEK_CUR);
891 if (i_size_read(file->f_mapping->host) < offset)
892 do_truncate(file->f_path.dentry, offset, 0, file);
893 }
894 }
895 EXPORT_SYMBOL(dump_truncate);