1 files changed, 108 insertions, 31 deletions
diff --git a/fs/exec.c b/fs/exec.c
index 5e62d26a4fec..936f5776655c 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,6 +55,7 @@
 #include <linux/fs_struct.h>
 #include <linux/pipe_fs_i.h>
 #include <linux/oom.h>
+#include <linux/compat.h>
 #include <asm/uaccess.h>
 #include <asm/mmu_context.h>
@@ -166,8 +167,13 @@ out:
 }
 #ifdef CONFIG_MMU
+/*
-void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
+ * The nascent bprm->mm is not visible until exec_mmap() but it can
+ * use a lot of memory, account these pages in current->mm temporary
+ * for oom_badness()->get_mm_rss(). Once exec succeeds or fails, we
+ * change the counter back via acct_arg_size(0).
+ */
+static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
 {
        struct mm_struct *mm = current->mm;
        long diff = (long)(pages - bprm->vma_pages);
@@ -186,7 +192,7 @@ void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
 #endif
 }
-struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
                int write)
 {
        struct page *page;
@@ -194,7 +200,7 @@ struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
 #ifdef CONFIG_STACK_GROWSUP
        if (write) {
-                ret = expand_stack_downwards(bprm->vma, pos);
+                ret = expand_downwards(bprm->vma, pos);
                if (ret < 0)
                        return NULL;
        }
@@ -305,11 +311,11 @@ static bool valid_arg_len(struct linux_binprm *bprm, long len)
 #else
-void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
+static inline void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
 {
 }
-struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
                int write)
 {
        struct page *page;
@@ -398,22 +404,56 @@ err:
        return err;
 }
+struct user_arg_ptr {
+#ifdef CONFIG_COMPAT
+        bool is_compat;
+#endif
+        union {
+                const char __user *const __user *native;
+#ifdef CONFIG_COMPAT
+                compat_uptr_t __user *compat;
+#endif
+        } ptr;
+};
+static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
+{
+        const char __user *native;
+#ifdef CONFIG_COMPAT
+        if (unlikely(argv.is_compat)) {
+                compat_uptr_t compat;
+                if (get_user(compat, argv.ptr.compat + nr))
+                        return ERR_PTR(-EFAULT);
+                return compat_ptr(compat);
+        }
+#endif
+        if (get_user(native, argv.ptr.native + nr))
+                return ERR_PTR(-EFAULT);
+        return native;
+}
 /*
 * count() counts the number of strings in array ARGV.
 */
-static int count(const char __user * const __user * argv, int max)
+static int count(struct user_arg_ptr argv, int max)
 {
        int i = 0;
-        if (argv != NULL) {
+        if (argv.ptr.native != NULL) {
                for (;;) {
-                        const char __user * p;
+                        const char __user *p = get_user_arg_ptr(argv, i);
-                        if (get_user(p, argv))
-                                return -EFAULT;
                        if (!p)
                                break;
-                        argv++;
+                        if (IS_ERR(p))
+                                return -EFAULT;
                        if (i++ >= max)
                                return -E2BIG;
@@ -430,7 +470,7 @@ static int count(const char __user * const __user * argv, int max)
 * processes's memory to the new process's stack.  The call to get_user_pages()
 * ensures the destination page is created and not swapped out.
 */
-static int copy_strings(int argc, const char __user *const __user *argv,
+static int copy_strings(int argc, struct user_arg_ptr argv,
                        struct linux_binprm *bprm)
 {
        struct page *kmapped_page = NULL;
@@ -443,16 +483,18 @@ static int copy_strings(int argc, const char __user *const __user *argv,
                int len;
                unsigned long pos;
-                if (get_user(str, argv+argc) ||
+                ret = -EFAULT;
-                                !(len = strnlen_user(str, MAX_ARG_STRLEN))) {
+                str = get_user_arg_ptr(argv, argc);
-                        ret = -EFAULT;
+                if (IS_ERR(str))
                        goto out;
-                }
-                if (!valid_arg_len(bprm, len)) {
+                len = strnlen_user(str, MAX_ARG_STRLEN);
-                        ret = -E2BIG;
+                if (!len)
+                        goto out;
+                ret = -E2BIG;
+                if (!valid_arg_len(bprm, len))
                        goto out;
-                }
                /* We're going to work our way backwords. */
                pos = bprm->p;
@@ -519,14 +561,19 @@ out:
 /*
 * Like copy_strings, but get argv and its values from kernel memory.
 */
-int copy_strings_kernel(int argc, const char *const *argv,
+int copy_strings_kernel(int argc, const char *const *__argv,
                        struct linux_binprm *bprm)
 {
        int r;
        mm_segment_t oldfs = get_fs();
+        struct user_arg_ptr argv = {
+                .ptr.native = (const char __user *const  __user *)__argv,
+        };
        set_fs(KERNEL_DS);
-        r = copy_strings(argc, (const char __user *const  __user *)argv, bprm);
+        r = copy_strings(argc, argv, bprm);
        set_fs(oldfs);
        return r;
 }
 EXPORT_SYMBOL(copy_strings_kernel);
@@ -553,7 +600,7 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
        unsigned long length = old_end - old_start;
        unsigned long new_start = old_start - shift;
        unsigned long new_end = old_end - shift;
-        struct mmu_gather *tlb;
+        struct mmu_gather tlb;
        BUG_ON(new_start > new_end);
@@ -579,12 +626,12 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
                return -ENOMEM;
        lru_add_drain();
-        tlb = tlb_gather_mmu(mm, 0);
+        tlb_gather_mmu(&tlb, mm, 0);
        if (new_end > old_start) {
                /*
                 * when the old and new regions overlap clear from new_end.
                 */
-                free_pgd_range(tlb, new_end, old_end, new_end,
+                free_pgd_range(&tlb, new_end, old_end, new_end,
                        vma->vm_next ? vma->vm_next->vm_start : 0);
        } else {
                /*
@@ -593,10 +640,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
                 * have constraints on va-space that make this illegal (IA64) -
                 * for the others its just a little faster.
                 */
-                free_pgd_range(tlb, old_start, old_end, new_end,
+                free_pgd_range(&tlb, old_start, old_end, new_end,
                        vma->vm_next ? vma->vm_next->vm_start : 0);
        }
-        tlb_finish_mmu(tlb, new_end, old_end);
+        tlb_finish_mmu(&tlb, new_end, old_end);
        /*
         * Shrink the vma to just the new range.  Always succeeds.
@@ -1004,6 +1051,7 @@ char *get_task_comm(char *buf, struct task_struct *tsk)
        task_unlock(tsk);
        return buf;
 }
+EXPORT_SYMBOL_GPL(get_task_comm);
 void set_task_comm(struct task_struct *tsk, char *buf)
 {
@@ -1379,10 +1427,10 @@ EXPORT_SYMBOL(search_binary_handler);
 /*
 * sys_execve() executes a new program.
 */
-int do_execve(const char * filename,
+static int do_execve_common(const char *filename,
-        const char __user *const __user *argv,
+                                struct user_arg_ptr argv,
-        const char __user *const __user *envp,
+                                struct user_arg_ptr envp,
-        struct pt_regs * regs)
+                                struct pt_regs *regs)
 {
        struct linux_binprm *bprm;
        struct file *file;
@@ -1489,6 +1537,34 @@ out_ret:
        return retval;
 }
+int do_execve(const char *filename,
+        const char __user *const __user *__argv,
+        const char __user *const __user *__envp,
+        struct pt_regs *regs)
+{
+        struct user_arg_ptr argv = { .ptr.native = __argv };
+        struct user_arg_ptr envp = { .ptr.native = __envp };
+        return do_execve_common(filename, argv, envp, regs);
+}
+#ifdef CONFIG_COMPAT
+int compat_do_execve(char *filename,
+        compat_uptr_t __user *__argv,
+        compat_uptr_t __user *__envp,
+        struct pt_regs *regs)
+{
+        struct user_arg_ptr argv = {
+                .is_compat = true,
+                .ptr.compat = __argv,
+        };
+        struct user_arg_ptr envp = {
+                .is_compat = true,
+                .ptr.compat = __envp,
+        };
+        return do_execve_common(filename, argv, envp, regs);
+}
+#endif
 void set_binfmt(struct linux_binfmt *new)
 {
        struct mm_struct *mm = current->mm;
@@ -1659,6 +1735,7 @@ static int zap_process(struct task_struct *start, int exit_code)
        t = start;
        do {
+                task_clear_group_stop_pending(t);
                if (t != current && t->mm) {
                        sigaddset(&t->pending.signal, SIGKILL);
                        signal_wake_up(t, 1);

diff --git a/fs/exec.c b/fs/exec.c index 5e62d26a4fec..936f5776655c 100644 --- a/fs/exec.c +++ b/fs/exec.c
@@ -55,6 +55,7 @@
55	#include <linux/fs_struct.h>	55	#include <linux/fs_struct.h>
56	#include <linux/pipe_fs_i.h>	56	#include <linux/pipe_fs_i.h>
57	#include <linux/oom.h>	57	#include <linux/oom.h>
		58	#include <linux/compat.h>
58		59
59	#include <asm/uaccess.h>	60	#include <asm/uaccess.h>
60	#include <asm/mmu_context.h>	61	#include <asm/mmu_context.h>
@@ -166,8 +167,13 @@ out:
166	}	167	}
167		168
168	#ifdef CONFIG_MMU	169	#ifdef CONFIG_MMU
169		170	/*
170	void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)	171	* The nascent bprm->mm is not visible until exec_mmap() but it can
		172	* use a lot of memory, account these pages in current->mm temporary
		173	* for oom_badness()->get_mm_rss(). Once exec succeeds or fails, we
		174	* change the counter back via acct_arg_size(0).
		175	*/
		176	static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
171	{	177	{
172	struct mm_struct *mm = current->mm;	178	struct mm_struct *mm = current->mm;
173	long diff = (long)(pages - bprm->vma_pages);	179	long diff = (long)(pages - bprm->vma_pages);
@@ -186,7 +192,7 @@ void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
186	#endif	192	#endif
187	}	193	}
188		194
189	struct page get_arg_page(struct linux_binprm bprm, unsigned long pos,	195	static struct page get_arg_page(struct linux_binprm bprm, unsigned long pos,
190	int write)	196	int write)
191	{	197	{
192	struct page *page;	198	struct page *page;
@@ -194,7 +200,7 @@ struct page get_arg_page(struct linux_binprm bprm, unsigned long pos,
194		200
195	#ifdef CONFIG_STACK_GROWSUP	201	#ifdef CONFIG_STACK_GROWSUP
196	if (write) {	202	if (write) {
197	ret = expand_stack_downwards(bprm->vma, pos);	203	ret = expand_downwards(bprm->vma, pos);
198	if (ret < 0)	204	if (ret < 0)
199	return NULL;	205	return NULL;
200	}	206	}
@@ -305,11 +311,11 @@ static bool valid_arg_len(struct linux_binprm *bprm, long len)
305		311
306	#else	312	#else
307		313
308	void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)	314	static inline void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
309	{	315	{
310	}	316	}
311		317
312	struct page get_arg_page(struct linux_binprm bprm, unsigned long pos,	318	static struct page get_arg_page(struct linux_binprm bprm, unsigned long pos,
313	int write)	319	int write)
314	{	320	{
315	struct page *page;	321	struct page *page;
@@ -398,22 +404,56 @@ err:
398	return err;	404	return err;
399	}	405	}
400		406
		407	struct user_arg_ptr {
		408	#ifdef CONFIG_COMPAT
		409	bool is_compat;
		410	#endif
		411	union {
		412	const char __user const __user native;
		413	#ifdef CONFIG_COMPAT
		414	compat_uptr_t __user *compat;
		415	#endif
		416	} ptr;
		417	};
		418
		419	static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
		420	{
		421	const char __user *native;
		422
		423	#ifdef CONFIG_COMPAT
		424	if (unlikely(argv.is_compat)) {
		425	compat_uptr_t compat;
		426
		427	if (get_user(compat, argv.ptr.compat + nr))
		428	return ERR_PTR(-EFAULT);
		429
		430	return compat_ptr(compat);
		431	}
		432	#endif
		433
		434	if (get_user(native, argv.ptr.native + nr))
		435	return ERR_PTR(-EFAULT);
		436
		437	return native;
		438	}
		439
401	/*	440	/*
402	* count() counts the number of strings in array ARGV.	441	* count() counts the number of strings in array ARGV.
403	*/	442	*/
404	static int count(const char __user * const __user * argv, int max)	443	static int count(struct user_arg_ptr argv, int max)
405	{	444	{
406	int i = 0;	445	int i = 0;
407		446
408	if (argv != NULL) {	447	if (argv.ptr.native != NULL) {
409	for (;;) {	448	for (;;) {
410	const char __user * p;	449	const char __user *p = get_user_arg_ptr(argv, i);
411		450
412	if (get_user(p, argv))
413	return -EFAULT;
414	if (!p)	451	if (!p)
415	break;	452	break;
416	argv++;	453
		454	if (IS_ERR(p))
		455	return -EFAULT;
		456
417	if (i++ >= max)	457	if (i++ >= max)
418	return -E2BIG;	458	return -E2BIG;
419		459
@@ -430,7 +470,7 @@ static int count(const char __user * const __user * argv, int max)
430	* processes's memory to the new process's stack. The call to get_user_pages()	470	* processes's memory to the new process's stack. The call to get_user_pages()
431	* ensures the destination page is created and not swapped out.	471	* ensures the destination page is created and not swapped out.
432	*/	472	*/
433	static int copy_strings(int argc, const char __user const __user argv,	473	static int copy_strings(int argc, struct user_arg_ptr argv,
434	struct linux_binprm *bprm)	474	struct linux_binprm *bprm)
435	{	475	{
436	struct page *kmapped_page = NULL;	476	struct page *kmapped_page = NULL;
@@ -443,16 +483,18 @@ static int copy_strings(int argc, const char __user const __user argv,
443	int len;	483	int len;
444	unsigned long pos;	484	unsigned long pos;
445		485
446	if (get_user(str, argv+argc) \|\|	486	ret = -EFAULT;
447	!(len = strnlen_user(str, MAX_ARG_STRLEN))) {	487	str = get_user_arg_ptr(argv, argc);
448	ret = -EFAULT;	488	if (IS_ERR(str))
449	goto out;	489	goto out;
450	}
451		490
452	if (!valid_arg_len(bprm, len)) {	491	len = strnlen_user(str, MAX_ARG_STRLEN);
453	ret = -E2BIG;	492	if (!len)
		493	goto out;
		494
		495	ret = -E2BIG;
		496	if (!valid_arg_len(bprm, len))
454	goto out;	497	goto out;
455	}
456		498
457	/* We're going to work our way backwords. */	499	/* We're going to work our way backwords. */
458	pos = bprm->p;	500	pos = bprm->p;
@@ -519,14 +561,19 @@ out:
519	/*	561	/*
520	* Like copy_strings, but get argv and its values from kernel memory.	562	* Like copy_strings, but get argv and its values from kernel memory.
521	*/	563	*/
522	int copy_strings_kernel(int argc, const char const argv,	564	int copy_strings_kernel(int argc, const char const __argv,
523	struct linux_binprm *bprm)	565	struct linux_binprm *bprm)
524	{	566	{
525	int r;	567	int r;
526	mm_segment_t oldfs = get_fs();	568	mm_segment_t oldfs = get_fs();
		569	struct user_arg_ptr argv = {
		570	.ptr.native = (const char __user const __user )__argv,
		571	};
		572
527	set_fs(KERNEL_DS);	573	set_fs(KERNEL_DS);
528	r = copy_strings(argc, (const char __user const __user )argv, bprm);	574	r = copy_strings(argc, argv, bprm);
529	set_fs(oldfs);	575	set_fs(oldfs);
		576
530	return r;	577	return r;
531	}	578	}
532	EXPORT_SYMBOL(copy_strings_kernel);	579	EXPORT_SYMBOL(copy_strings_kernel);
@@ -553,7 +600,7 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
553	unsigned long length = old_end - old_start;	600	unsigned long length = old_end - old_start;
554	unsigned long new_start = old_start - shift;	601	unsigned long new_start = old_start - shift;
555	unsigned long new_end = old_end - shift;	602	unsigned long new_end = old_end - shift;
556	struct mmu_gather *tlb;	603	struct mmu_gather tlb;
557		604
558	BUG_ON(new_start > new_end);	605	BUG_ON(new_start > new_end);
559		606
@@ -579,12 +626,12 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
579	return -ENOMEM;	626	return -ENOMEM;
580		627
581	lru_add_drain();	628	lru_add_drain();
582	tlb = tlb_gather_mmu(mm, 0);	629	tlb_gather_mmu(&tlb, mm, 0);
583	if (new_end > old_start) {	630	if (new_end > old_start) {
584	/*	631	/*
585	* when the old and new regions overlap clear from new_end.	632	* when the old and new regions overlap clear from new_end.
586	*/	633	*/
587	free_pgd_range(tlb, new_end, old_end, new_end,	634	free_pgd_range(&tlb, new_end, old_end, new_end,
588	vma->vm_next ? vma->vm_next->vm_start : 0);	635	vma->vm_next ? vma->vm_next->vm_start : 0);
589	} else {	636	} else {
590	/*	637	/*
@@ -593,10 +640,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
593	* have constraints on va-space that make this illegal (IA64) -	640	* have constraints on va-space that make this illegal (IA64) -
594	* for the others its just a little faster.	641	* for the others its just a little faster.
595	*/	642	*/
596	free_pgd_range(tlb, old_start, old_end, new_end,	643	free_pgd_range(&tlb, old_start, old_end, new_end,
597	vma->vm_next ? vma->vm_next->vm_start : 0);	644	vma->vm_next ? vma->vm_next->vm_start : 0);
598	}	645	}
599	tlb_finish_mmu(tlb, new_end, old_end);	646	tlb_finish_mmu(&tlb, new_end, old_end);
600		647
601	/*	648	/*
602	* Shrink the vma to just the new range. Always succeeds.	649	* Shrink the vma to just the new range. Always succeeds.
@@ -1004,6 +1051,7 @@ char get_task_comm(char buf, struct task_struct *tsk)
1004	task_unlock(tsk);	1051	task_unlock(tsk);
1005	return buf;	1052	return buf;
1006	}	1053	}
		1054	EXPORT_SYMBOL_GPL(get_task_comm);
1007		1055
1008	void set_task_comm(struct task_struct tsk, char buf)	1056	void set_task_comm(struct task_struct tsk, char buf)
1009	{	1057	{
@@ -1379,10 +1427,10 @@ EXPORT_SYMBOL(search_binary_handler);
1379	/*	1427	/*
1380	* sys_execve() executes a new program.	1428	* sys_execve() executes a new program.
1381	*/	1429	*/
1382	int do_execve(const char * filename,	1430	static int do_execve_common(const char *filename,
1383	const char __user const __user argv,	1431	struct user_arg_ptr argv,
1384	const char __user const __user envp,	1432	struct user_arg_ptr envp,
1385	struct pt_regs * regs)	1433	struct pt_regs *regs)
1386	{	1434	{
1387	struct linux_binprm *bprm;	1435	struct linux_binprm *bprm;
1388	struct file *file;	1436	struct file *file;
@@ -1489,6 +1537,34 @@ out_ret:
1489	return retval;	1537	return retval;
1490	}	1538	}
1491		1539
		1540	int do_execve(const char *filename,
		1541	const char __user const __user __argv,
		1542	const char __user const __user __envp,
		1543	struct pt_regs *regs)
		1544	{
		1545	struct user_arg_ptr argv = { .ptr.native = __argv };
		1546	struct user_arg_ptr envp = { .ptr.native = __envp };
		1547	return do_execve_common(filename, argv, envp, regs);
		1548	}
		1549
		1550	#ifdef CONFIG_COMPAT
		1551	int compat_do_execve(char *filename,
		1552	compat_uptr_t __user *__argv,
		1553	compat_uptr_t __user *__envp,
		1554	struct pt_regs *regs)
		1555	{
		1556	struct user_arg_ptr argv = {
		1557	.is_compat = true,
		1558	.ptr.compat = __argv,
		1559	};
		1560	struct user_arg_ptr envp = {
		1561	.is_compat = true,
		1562	.ptr.compat = __envp,
		1563	};
		1564	return do_execve_common(filename, argv, envp, regs);
		1565	}
		1566	#endif
		1567
1492	void set_binfmt(struct linux_binfmt *new)	1568	void set_binfmt(struct linux_binfmt *new)
1493	{	1569	{
1494	struct mm_struct *mm = current->mm;	1570	struct mm_struct *mm = current->mm;
@@ -1659,6 +1735,7 @@ static int zap_process(struct task_struct *start, int exit_code)
1659		1735
1660	t = start;	1736	t = start;
1661	do {	1737	do {
		1738	task_clear_group_stop_pending(t);
1662	if (t != current && t->mm) {	1739	if (t != current && t->mm) {
1663	sigaddset(&t->pending.signal, SIGKILL);	1740	sigaddset(&t->pending.signal, SIGKILL);
1664	signal_wake_up(t, 1);	1741	signal_wake_up(t, 1);