1 files changed, 70 insertions, 34 deletions
diff --git a/fs/exec.c b/fs/exec.c
index 632b02e34ec7..49cdaa19e5b9 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -195,7 +195,7 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
                 *    to work from.
                 */
                rlim = current->signal->rlim;
-                if (size > rlim[RLIMIT_STACK].rlim_cur / 4) {
+                if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) {
                        put_page(page);
                        return NULL;
                }
@@ -246,6 +246,7 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
        vma->vm_start = vma->vm_end - PAGE_SIZE;
        vma->vm_flags = VM_STACK_FLAGS;
        vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
+        INIT_LIST_HEAD(&vma->anon_vma_chain);
        err = insert_vm_struct(mm, vma);
        if (err)
                goto err;
@@ -516,7 +517,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
        /*
         * cover the whole range: [new_start, old_end)
         */
-        vma_adjust(vma, new_start, old_end, vma->vm_pgoff, NULL);
+        if (vma_adjust(vma, new_start, old_end, vma->vm_pgoff, NULL))
+                return -ENOMEM;
        /*
         * move the page tables downwards, on failure we rely on
@@ -547,15 +549,13 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
        tlb_finish_mmu(tlb, new_end, old_end);
        /*
-         * shrink the vma to just the new range.
+         * Shrink the vma to just the new range.  Always succeeds.
         */
        vma_adjust(vma, new_start, new_end, vma->vm_pgoff, NULL);
        return 0;
 }
-#define EXTRA_STACK_VM_PAGES    20      /* random */
 /*
 * Finalizes the stack vm_area_struct. The flags and permissions are updated,
 * the stack is optionally relocated, and some extra space is added.
@@ -571,10 +571,13 @@ int setup_arg_pages(struct linux_binprm *bprm,
        struct vm_area_struct *prev = NULL;
        unsigned long vm_flags;
        unsigned long stack_base;
+        unsigned long stack_size;
+        unsigned long stack_expand;
+        unsigned long rlim_stack;
 #ifdef CONFIG_STACK_GROWSUP
        /* Limit stack size to 1GB */
-        stack_base = current->signal->rlim[RLIMIT_STACK].rlim_max;
+        stack_base = rlimit_max(RLIMIT_STACK);
        if (stack_base > (1 << 30))
                stack_base = 1 << 30;
@@ -627,10 +630,23 @@ int setup_arg_pages(struct linux_binprm *bprm,
                        goto out_unlock;
        }
+        stack_expand = 131072UL; /* randomly 32*4k (or 2*64k) pages */
+        stack_size = vma->vm_end - vma->vm_start;
+        /*
+         * Align this down to a page boundary as expand_stack
+         * will align it up.
+         */
+        rlim_stack = rlimit(RLIMIT_STACK) & PAGE_MASK;
 #ifdef CONFIG_STACK_GROWSUP
-        stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE;
+        if (stack_size + stack_expand > rlim_stack)
+                stack_base = vma->vm_start + rlim_stack;
+        else
+                stack_base = vma->vm_end + stack_expand;
 #else
-        stack_base = vma->vm_start - EXTRA_STACK_VM_PAGES * PAGE_SIZE;
+        if (stack_size + stack_expand > rlim_stack)
+                stack_base = vma->vm_end - rlim_stack;
+        else
+                stack_base = vma->vm_start - stack_expand;
 #endif
        ret = expand_stack(vma, stack_base);
        if (ret)
@@ -702,6 +718,7 @@ static int exec_mmap(struct mm_struct *mm)
        /* Notify parent that we're no longer interested in the old VM */
        tsk = current;
        old_mm = current->mm;
+        sync_mm_rss(tsk, old_mm);
        mm_release(tsk, old_mm);
        if (old_mm) {
@@ -941,9 +958,7 @@ void set_task_comm(struct task_struct *tsk, char *buf)
 int flush_old_exec(struct linux_binprm * bprm)
 {
-        char * name;
+        int retval;
-        int i, ch, retval;
-        char tcomm[sizeof(current->comm)];
        /*
         * Make sure we have a private signal table and that
@@ -964,6 +979,25 @@ int flush_old_exec(struct linux_binprm * bprm)
        bprm->mm = NULL;                /* We're using it now */
+        current->flags &= ~PF_RANDOMIZE;
+        flush_thread();
+        current->personality &= ~bprm->per_clear;
+        return 0;
+out:
+        return retval;
+}
+EXPORT_SYMBOL(flush_old_exec);
+void setup_new_exec(struct linux_binprm * bprm)
+{
+        int i, ch;
+        char * name;
+        char tcomm[sizeof(current->comm)];
+        arch_pick_mmap_layout(current->mm);
        /* This is the point of no return */
        current->sas_ss_sp = current->sas_ss_size = 0;
@@ -985,9 +1019,6 @@ int flush_old_exec(struct linux_binprm * bprm)
        tcomm[i] = '\0';
        set_task_comm(current, tcomm);
-        current->flags &= ~PF_RANDOMIZE;
-        flush_thread();
        /* Set the new mm task size. We have to do that late because it may
         * depend on TIF_32BIT which is only updated in flush_thread() on
         * some architectures like powerpc
@@ -1003,8 +1034,6 @@ int flush_old_exec(struct linux_binprm * bprm)
                set_dumpable(current->mm, suid_dumpable);
        }
-        current->personality &= ~bprm->per_clear;
        /*
         * Flush performance counters when crossing a
         * security domain:
@@ -1019,14 +1048,8 @@ int flush_old_exec(struct linux_binprm * bprm)
                        
        flush_signal_handlers(current, 0);
        flush_old_files(current->files);
-        return 0;
-out:
-        return retval;
 }
+EXPORT_SYMBOL(setup_new_exec);
-EXPORT_SYMBOL(flush_old_exec);
 /*
 * Prepare credentials and lock ->cred_guard_mutex.
@@ -1510,7 +1533,7 @@ static int format_corename(char *corename, long signr)
                        /* core limit size */
                        case 'c':
                                rc = snprintf(out_ptr, out_end - out_ptr,
-                                              "%lu", current->signal->rlim[RLIMIT_CORE].rlim_cur);
+                                              "%lu", rlimit(RLIMIT_CORE));
                                if (rc > out_end - out_ptr)
                                        goto out;
                                out_ptr += rc;
@@ -1538,12 +1561,13 @@ out:
        return ispipe;
 }
-static int zap_process(struct task_struct *start)
+static int zap_process(struct task_struct *start, int exit_code)
 {
        struct task_struct *t;
        int nr = 0;
        start->signal->flags = SIGNAL_GROUP_EXIT;
+        start->signal->group_exit_code = exit_code;
        start->signal->group_stop_count = 0;
        t = start;
@@ -1568,8 +1592,7 @@ static inline int zap_threads(struct task_struct *tsk, struct mm_struct *mm,
        spin_lock_irq(&tsk->sighand->siglock);
        if (!signal_group_exit(tsk->signal)) {
                mm->core_state = core_state;
-                tsk->signal->group_exit_code = exit_code;
+                nr = zap_process(tsk, exit_code);
-                nr = zap_process(tsk);
        }
        spin_unlock_irq(&tsk->sighand->siglock);
        if (unlikely(nr < 0))
@@ -1618,7 +1641,7 @@ static inline int zap_threads(struct task_struct *tsk, struct mm_struct *mm,
                        if (p->mm) {
                                if (unlikely(p->mm == mm)) {
                                        lock_task_sighand(p, &flags);
-                                        nr += zap_process(p);
+                                        nr += zap_process(p, exit_code);
                                        unlock_task_sighand(p, &flags);
                                }
                                break;
@@ -1725,14 +1748,19 @@ void set_dumpable(struct mm_struct *mm, int value)
        }
 }
-int get_dumpable(struct mm_struct *mm)
+static int __get_dumpable(unsigned long mm_flags)
 {
        int ret;
-        ret = mm->flags & 0x3;
+        ret = mm_flags & MMF_DUMPABLE_MASK;
        return (ret >= 2) ? 2 : ret;
 }
+int get_dumpable(struct mm_struct *mm)
+{
+        return __get_dumpable(mm->flags);
+}
 static void wait_for_dump_helpers(struct file *file)
 {
        struct pipe_inode_info *pipe;
@@ -1775,7 +1803,13 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
        struct coredump_params cprm = {
                .signr = signr,
                .regs = regs,
-                .limit = current->signal->rlim[RLIMIT_CORE].rlim_cur,
+                .limit = rlimit(RLIMIT_CORE),
+                /*
+                 * We must use the same mm->flags while dumping core to avoid
+                 * inconsistency of bit flags, since this flag is not protected
+                 * by any locks.
+                 */
+                .mm_flags = mm->flags,
        };
        audit_core_dumps(signr);
@@ -1794,7 +1828,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
        /*
         * If another thread got here first, or we are not dumpable, bail out.
         */
-        if (mm->core_state || !get_dumpable(mm)) {
+        if (mm->core_state || !__get_dumpable(cprm.mm_flags)) {
                up_write(&mm->mmap_sem);
                put_cred(cred);
                goto fail;
@@ -1805,7 +1839,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
         *      process nor do we know its entire history. We only know it
         *      was tainted so we dump it as root in mode 2.
         */
-        if (get_dumpable(mm) == 2) {    /* Setuid core dump mode */
+        if (__get_dumpable(cprm.mm_flags) == 2) {
+                /* Setuid core dump mode */
                flag = O_EXCL;          /* Stop rewrite attacks */
                cred->fsuid = 0;        /* Dump root private */
        }
@@ -1901,8 +1936,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
        /*
         * Dont allow local users get cute and trick others to coredump
         * into their pre-created files:
+         * Note, this is not relevant for pipes
         */
-        if (inode->i_uid != current_fsuid())
+        if (!ispipe && (inode->i_uid != current_fsuid()))
                goto close_fail;
        if (!cprm.file->f_op)
                goto close_fail;

diff --git a/fs/exec.c b/fs/exec.c index 632b02e34ec7..49cdaa19e5b9 100644 --- a/fs/exec.c +++ b/fs/exec.c
@@ -195,7 +195,7 @@ static struct page get_arg_page(struct linux_binprm bprm, unsigned long pos,
195	* to work from.	195	* to work from.
196	*/	196	*/
197	rlim = current->signal->rlim;	197	rlim = current->signal->rlim;
198	if (size > rlim[RLIMIT_STACK].rlim_cur / 4) {	198	if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) {
199	put_page(page);	199	put_page(page);
200	return NULL;	200	return NULL;
201	}	201	}
@@ -246,6 +246,7 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
246	vma->vm_start = vma->vm_end - PAGE_SIZE;	246	vma->vm_start = vma->vm_end - PAGE_SIZE;
247	vma->vm_flags = VM_STACK_FLAGS;	247	vma->vm_flags = VM_STACK_FLAGS;
248	vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);	248	vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
		249	INIT_LIST_HEAD(&vma->anon_vma_chain);
249	err = insert_vm_struct(mm, vma);	250	err = insert_vm_struct(mm, vma);
250	if (err)	251	if (err)
251	goto err;	252	goto err;
@@ -516,7 +517,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
516	/*	517	/*
517	* cover the whole range: [new_start, old_end)	518	* cover the whole range: [new_start, old_end)
518	*/	519	*/
519	vma_adjust(vma, new_start, old_end, vma->vm_pgoff, NULL);	520	if (vma_adjust(vma, new_start, old_end, vma->vm_pgoff, NULL))
		521	return -ENOMEM;
520		522
521	/*	523	/*
522	* move the page tables downwards, on failure we rely on	524	* move the page tables downwards, on failure we rely on
@@ -547,15 +549,13 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
547	tlb_finish_mmu(tlb, new_end, old_end);	549	tlb_finish_mmu(tlb, new_end, old_end);
548		550
549	/*	551	/*
550	* shrink the vma to just the new range.	552	* Shrink the vma to just the new range. Always succeeds.
551	*/	553	*/
552	vma_adjust(vma, new_start, new_end, vma->vm_pgoff, NULL);	554	vma_adjust(vma, new_start, new_end, vma->vm_pgoff, NULL);
553		555
554	return 0;	556	return 0;
555	}	557	}
556		558
557	#define EXTRA_STACK_VM_PAGES 20 /* random */
558
559	/*	559	/*
560	* Finalizes the stack vm_area_struct. The flags and permissions are updated,	560	* Finalizes the stack vm_area_struct. The flags and permissions are updated,
561	* the stack is optionally relocated, and some extra space is added.	561	* the stack is optionally relocated, and some extra space is added.
@@ -571,10 +571,13 @@ int setup_arg_pages(struct linux_binprm *bprm,
571	struct vm_area_struct *prev = NULL;	571	struct vm_area_struct *prev = NULL;
572	unsigned long vm_flags;	572	unsigned long vm_flags;
573	unsigned long stack_base;	573	unsigned long stack_base;
		574	unsigned long stack_size;
		575	unsigned long stack_expand;
		576	unsigned long rlim_stack;
574		577
575	#ifdef CONFIG_STACK_GROWSUP	578	#ifdef CONFIG_STACK_GROWSUP
576	/* Limit stack size to 1GB */	579	/* Limit stack size to 1GB */
577	stack_base = current->signal->rlim[RLIMIT_STACK].rlim_max;	580	stack_base = rlimit_max(RLIMIT_STACK);
578	if (stack_base > (1 << 30))	581	if (stack_base > (1 << 30))
579	stack_base = 1 << 30;	582	stack_base = 1 << 30;
580		583
@@ -627,10 +630,23 @@ int setup_arg_pages(struct linux_binprm *bprm,
627	goto out_unlock;	630	goto out_unlock;
628	}	631	}
629		632
		633	stack_expand = 131072UL; /* randomly 324k (or 264k) pages */
		634	stack_size = vma->vm_end - vma->vm_start;
		635	/*
		636	* Align this down to a page boundary as expand_stack
		637	* will align it up.
		638	*/
		639	rlim_stack = rlimit(RLIMIT_STACK) & PAGE_MASK;
630	#ifdef CONFIG_STACK_GROWSUP	640	#ifdef CONFIG_STACK_GROWSUP
631	stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE;	641	if (stack_size + stack_expand > rlim_stack)
		642	stack_base = vma->vm_start + rlim_stack;
		643	else
		644	stack_base = vma->vm_end + stack_expand;
632	#else	645	#else
633	stack_base = vma->vm_start - EXTRA_STACK_VM_PAGES * PAGE_SIZE;	646	if (stack_size + stack_expand > rlim_stack)
		647	stack_base = vma->vm_end - rlim_stack;
		648	else
		649	stack_base = vma->vm_start - stack_expand;
634	#endif	650	#endif
635	ret = expand_stack(vma, stack_base);	651	ret = expand_stack(vma, stack_base);
636	if (ret)	652	if (ret)
@@ -702,6 +718,7 @@ static int exec_mmap(struct mm_struct *mm)
702	/* Notify parent that we're no longer interested in the old VM */	718	/* Notify parent that we're no longer interested in the old VM */
703	tsk = current;	719	tsk = current;
704	old_mm = current->mm;	720	old_mm = current->mm;
		721	sync_mm_rss(tsk, old_mm);
705	mm_release(tsk, old_mm);	722	mm_release(tsk, old_mm);
706		723
707	if (old_mm) {	724	if (old_mm) {
@@ -941,9 +958,7 @@ void set_task_comm(struct task_struct tsk, char buf)
941		958
942	int flush_old_exec(struct linux_binprm * bprm)	959	int flush_old_exec(struct linux_binprm * bprm)
943	{	960	{
944	char * name;	961	int retval;
945	int i, ch, retval;
946	char tcomm[sizeof(current->comm)];
947		962
948	/*	963	/*
949	* Make sure we have a private signal table and that	964	* Make sure we have a private signal table and that
@@ -964,6 +979,25 @@ int flush_old_exec(struct linux_binprm * bprm)
964		979
965	bprm->mm = NULL; /* We're using it now */	980	bprm->mm = NULL; /* We're using it now */
966		981
		982	current->flags &= ~PF_RANDOMIZE;
		983	flush_thread();
		984	current->personality &= ~bprm->per_clear;
		985
		986	return 0;
		987
		988	out:
		989	return retval;
		990	}
		991	EXPORT_SYMBOL(flush_old_exec);
		992
		993	void setup_new_exec(struct linux_binprm * bprm)
		994	{
		995	int i, ch;
		996	char * name;
		997	char tcomm[sizeof(current->comm)];
		998
		999	arch_pick_mmap_layout(current->mm);
		1000
967	/* This is the point of no return */	1001	/* This is the point of no return */
968	current->sas_ss_sp = current->sas_ss_size = 0;	1002	current->sas_ss_sp = current->sas_ss_size = 0;
969		1003
@@ -985,9 +1019,6 @@ int flush_old_exec(struct linux_binprm * bprm)
985	tcomm[i] = '\0';	1019	tcomm[i] = '\0';
986	set_task_comm(current, tcomm);	1020	set_task_comm(current, tcomm);
987		1021
988	current->flags &= ~PF_RANDOMIZE;
989	flush_thread();
990
991	/* Set the new mm task size. We have to do that late because it may	1022	/* Set the new mm task size. We have to do that late because it may
992	* depend on TIF_32BIT which is only updated in flush_thread() on	1023	* depend on TIF_32BIT which is only updated in flush_thread() on
993	* some architectures like powerpc	1024	* some architectures like powerpc
@@ -1003,8 +1034,6 @@ int flush_old_exec(struct linux_binprm * bprm)
1003	set_dumpable(current->mm, suid_dumpable);	1034	set_dumpable(current->mm, suid_dumpable);
1004	}	1035	}
1005		1036
1006	current->personality &= ~bprm->per_clear;
1007
1008	/*	1037	/*
1009	* Flush performance counters when crossing a	1038	* Flush performance counters when crossing a
1010	* security domain:	1039	* security domain:
@@ -1019,14 +1048,8 @@ int flush_old_exec(struct linux_binprm * bprm)
1019		1048
1020	flush_signal_handlers(current, 0);	1049	flush_signal_handlers(current, 0);
1021	flush_old_files(current->files);	1050	flush_old_files(current->files);
1022
1023	return 0;
1024
1025	out:
1026	return retval;
1027	}	1051	}
1028		1052	EXPORT_SYMBOL(setup_new_exec);
1029	EXPORT_SYMBOL(flush_old_exec);
1030		1053
1031	/*	1054	/*
1032	* Prepare credentials and lock ->cred_guard_mutex.	1055	* Prepare credentials and lock ->cred_guard_mutex.
@@ -1510,7 +1533,7 @@ static int format_corename(char *corename, long signr)
1510	/* core limit size */	1533	/* core limit size */
1511	case 'c':	1534	case 'c':
1512	rc = snprintf(out_ptr, out_end - out_ptr,	1535	rc = snprintf(out_ptr, out_end - out_ptr,
1513	"%lu", current->signal->rlim[RLIMIT_CORE].rlim_cur);	1536	"%lu", rlimit(RLIMIT_CORE));
1514	if (rc > out_end - out_ptr)	1537	if (rc > out_end - out_ptr)
1515	goto out;	1538	goto out;
1516	out_ptr += rc;	1539	out_ptr += rc;
@@ -1538,12 +1561,13 @@ out:
1538	return ispipe;	1561	return ispipe;
1539	}	1562	}
1540		1563
1541	static int zap_process(struct task_struct *start)	1564	static int zap_process(struct task_struct *start, int exit_code)
1542	{	1565	{
1543	struct task_struct *t;	1566	struct task_struct *t;
1544	int nr = 0;	1567	int nr = 0;
1545		1568
1546	start->signal->flags = SIGNAL_GROUP_EXIT;	1569	start->signal->flags = SIGNAL_GROUP_EXIT;
		1570	start->signal->group_exit_code = exit_code;
1547	start->signal->group_stop_count = 0;	1571	start->signal->group_stop_count = 0;
1548		1572
1549	t = start;	1573	t = start;
@@ -1568,8 +1592,7 @@ static inline int zap_threads(struct task_struct tsk, struct mm_struct mm,
1568	spin_lock_irq(&tsk->sighand->siglock);	1592	spin_lock_irq(&tsk->sighand->siglock);
1569	if (!signal_group_exit(tsk->signal)) {	1593	if (!signal_group_exit(tsk->signal)) {
1570	mm->core_state = core_state;	1594	mm->core_state = core_state;
1571	tsk->signal->group_exit_code = exit_code;	1595	nr = zap_process(tsk, exit_code);
1572	nr = zap_process(tsk);
1573	}	1596	}
1574	spin_unlock_irq(&tsk->sighand->siglock);	1597	spin_unlock_irq(&tsk->sighand->siglock);
1575	if (unlikely(nr < 0))	1598	if (unlikely(nr < 0))
@@ -1618,7 +1641,7 @@ static inline int zap_threads(struct task_struct tsk, struct mm_struct mm,
1618	if (p->mm) {	1641	if (p->mm) {
1619	if (unlikely(p->mm == mm)) {	1642	if (unlikely(p->mm == mm)) {
1620	lock_task_sighand(p, &flags);	1643	lock_task_sighand(p, &flags);
1621	nr += zap_process(p);	1644	nr += zap_process(p, exit_code);
1622	unlock_task_sighand(p, &flags);	1645	unlock_task_sighand(p, &flags);
1623	}	1646	}
1624	break;	1647	break;
@@ -1725,14 +1748,19 @@ void set_dumpable(struct mm_struct *mm, int value)
1725	}	1748	}
1726	}	1749	}
1727		1750
1728	int get_dumpable(struct mm_struct *mm)	1751	static int __get_dumpable(unsigned long mm_flags)
1729	{	1752	{
1730	int ret;	1753	int ret;
1731		1754
1732	ret = mm->flags & 0x3;	1755	ret = mm_flags & MMF_DUMPABLE_MASK;
1733	return (ret >= 2) ? 2 : ret;	1756	return (ret >= 2) ? 2 : ret;
1734	}	1757	}
1735		1758
		1759	int get_dumpable(struct mm_struct *mm)
		1760	{
		1761	return __get_dumpable(mm->flags);
		1762	}
		1763
1736	static void wait_for_dump_helpers(struct file *file)	1764	static void wait_for_dump_helpers(struct file *file)
1737	{	1765	{
1738	struct pipe_inode_info *pipe;	1766	struct pipe_inode_info *pipe;
@@ -1775,7 +1803,13 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1775	struct coredump_params cprm = {	1803	struct coredump_params cprm = {
1776	.signr = signr,	1804	.signr = signr,
1777	.regs = regs,	1805	.regs = regs,
1778	.limit = current->signal->rlim[RLIMIT_CORE].rlim_cur,	1806	.limit = rlimit(RLIMIT_CORE),
		1807	/*
		1808	* We must use the same mm->flags while dumping core to avoid
		1809	* inconsistency of bit flags, since this flag is not protected
		1810	* by any locks.
		1811	*/
		1812	.mm_flags = mm->flags,
1779	};	1813	};
1780		1814
1781	audit_core_dumps(signr);	1815	audit_core_dumps(signr);
@@ -1794,7 +1828,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1794	/*	1828	/*
1795	* If another thread got here first, or we are not dumpable, bail out.	1829	* If another thread got here first, or we are not dumpable, bail out.
1796	*/	1830	*/
1797	if (mm->core_state \|\| !get_dumpable(mm)) {	1831	if (mm->core_state \|\| !__get_dumpable(cprm.mm_flags)) {
1798	up_write(&mm->mmap_sem);	1832	up_write(&mm->mmap_sem);
1799	put_cred(cred);	1833	put_cred(cred);
1800	goto fail;	1834	goto fail;
@@ -1805,7 +1839,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1805	* process nor do we know its entire history. We only know it	1839	* process nor do we know its entire history. We only know it
1806	* was tainted so we dump it as root in mode 2.	1840	* was tainted so we dump it as root in mode 2.
1807	*/	1841	*/
1808	if (get_dumpable(mm) == 2) { /* Setuid core dump mode */	1842	if (__get_dumpable(cprm.mm_flags) == 2) {
		1843	/* Setuid core dump mode */
1809	flag = O_EXCL; /* Stop rewrite attacks */	1844	flag = O_EXCL; /* Stop rewrite attacks */
1810	cred->fsuid = 0; /* Dump root private */	1845	cred->fsuid = 0; /* Dump root private */
1811	}	1846	}
@@ -1901,8 +1936,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1901	/*	1936	/*
1902	* Dont allow local users get cute and trick others to coredump	1937	* Dont allow local users get cute and trick others to coredump
1903	* into their pre-created files:	1938	* into their pre-created files:
		1939	* Note, this is not relevant for pipes
1904	*/	1940	*/
1905	if (inode->i_uid != current_fsuid())	1941	if (!ispipe && (inode->i_uid != current_fsuid()))
1906	goto close_fail;	1942	goto close_fail;
1907	if (!cprm.file->f_op)	1943	if (!cprm.file->f_op)
1908	goto close_fail;	1944	goto close_fail;