LCOV - code coverage report
Current view: top level - kernel - fork.c (source / functions) Hit Total Coverage
Test: coverage.info Lines: 453 1089 41.6 %
Date: 2023-04-06 08:38:28 Functions: 33 86 38.4 %

          Line data    Source code
       1             : // SPDX-License-Identifier: GPL-2.0-only
       2             : /*
       3             :  *  linux/kernel/fork.c
       4             :  *
       5             :  *  Copyright (C) 1991, 1992  Linus Torvalds
       6             :  */
       7             : 
       8             : /*
       9             :  *  'fork.c' contains the help-routines for the 'fork' system call
      10             :  * (see also entry.S and others).
      11             :  * Fork is rather simple, once you get the hang of it, but the memory
      12             :  * management can be a bitch. See 'mm/memory.c': 'copy_page_range()'
      13             :  */
      14             : 
      15             : #include <linux/anon_inodes.h>
      16             : #include <linux/slab.h>
      17             : #include <linux/sched/autogroup.h>
      18             : #include <linux/sched/mm.h>
      19             : #include <linux/sched/coredump.h>
      20             : #include <linux/sched/user.h>
      21             : #include <linux/sched/numa_balancing.h>
      22             : #include <linux/sched/stat.h>
      23             : #include <linux/sched/task.h>
      24             : #include <linux/sched/task_stack.h>
      25             : #include <linux/sched/cputime.h>
      26             : #include <linux/seq_file.h>
      27             : #include <linux/rtmutex.h>
      28             : #include <linux/init.h>
      29             : #include <linux/unistd.h>
      30             : #include <linux/module.h>
      31             : #include <linux/vmalloc.h>
      32             : #include <linux/completion.h>
      33             : #include <linux/personality.h>
      34             : #include <linux/mempolicy.h>
      35             : #include <linux/sem.h>
      36             : #include <linux/file.h>
      37             : #include <linux/fdtable.h>
      38             : #include <linux/iocontext.h>
      39             : #include <linux/key.h>
      40             : #include <linux/kmsan.h>
      41             : #include <linux/binfmts.h>
      42             : #include <linux/mman.h>
      43             : #include <linux/mmu_notifier.h>
      44             : #include <linux/fs.h>
      45             : #include <linux/mm.h>
      46             : #include <linux/mm_inline.h>
      47             : #include <linux/nsproxy.h>
      48             : #include <linux/capability.h>
      49             : #include <linux/cpu.h>
      50             : #include <linux/cgroup.h>
      51             : #include <linux/security.h>
      52             : #include <linux/hugetlb.h>
      53             : #include <linux/seccomp.h>
      54             : #include <linux/swap.h>
      55             : #include <linux/syscalls.h>
      56             : #include <linux/jiffies.h>
      57             : #include <linux/futex.h>
      58             : #include <linux/compat.h>
      59             : #include <linux/kthread.h>
      60             : #include <linux/task_io_accounting_ops.h>
      61             : #include <linux/rcupdate.h>
      62             : #include <linux/ptrace.h>
      63             : #include <linux/mount.h>
      64             : #include <linux/audit.h>
      65             : #include <linux/memcontrol.h>
      66             : #include <linux/ftrace.h>
      67             : #include <linux/proc_fs.h>
      68             : #include <linux/profile.h>
      69             : #include <linux/rmap.h>
      70             : #include <linux/ksm.h>
      71             : #include <linux/acct.h>
      72             : #include <linux/userfaultfd_k.h>
      73             : #include <linux/tsacct_kern.h>
      74             : #include <linux/cn_proc.h>
      75             : #include <linux/freezer.h>
      76             : #include <linux/delayacct.h>
      77             : #include <linux/taskstats_kern.h>
      78             : #include <linux/tty.h>
      79             : #include <linux/fs_struct.h>
      80             : #include <linux/magic.h>
      81             : #include <linux/perf_event.h>
      82             : #include <linux/posix-timers.h>
      83             : #include <linux/user-return-notifier.h>
      84             : #include <linux/oom.h>
      85             : #include <linux/khugepaged.h>
      86             : #include <linux/signalfd.h>
      87             : #include <linux/uprobes.h>
      88             : #include <linux/aio.h>
      89             : #include <linux/compiler.h>
      90             : #include <linux/sysctl.h>
      91             : #include <linux/kcov.h>
      92             : #include <linux/livepatch.h>
      93             : #include <linux/thread_info.h>
      94             : #include <linux/stackleak.h>
      95             : #include <linux/kasan.h>
      96             : #include <linux/scs.h>
      97             : #include <linux/io_uring.h>
      98             : #include <linux/bpf.h>
      99             : #include <linux/stackprotector.h>
     100             : 
     101             : #include <asm/pgalloc.h>
     102             : #include <linux/uaccess.h>
     103             : #include <asm/mmu_context.h>
     104             : #include <asm/cacheflush.h>
     105             : #include <asm/tlbflush.h>
     106             : 
     107             : #include <trace/events/sched.h>
     108             : 
     109             : #define CREATE_TRACE_POINTS
     110             : #include <trace/events/task.h>
     111             : 
     112             : /*
     113             :  * Minimum number of threads to boot the kernel
     114             :  */
     115             : #define MIN_THREADS 20
     116             : 
     117             : /*
     118             :  * Maximum number of threads
     119             :  */
     120             : #define MAX_THREADS FUTEX_TID_MASK
     121             : 
     122             : /*
     123             :  * Protected counters by write_lock_irq(&tasklist_lock)
     124             :  */
     125             : unsigned long total_forks;      /* Handle normal Linux uptimes. */
     126             : int nr_threads;                 /* The idle threads do not count.. */
     127             : 
     128             : static int max_threads;         /* tunable limit on nr_threads */
     129             : 
     130             : #define NAMED_ARRAY_INDEX(x)    [x] = __stringify(x)
     131             : 
     132             : static const char * const resident_page_types[] = {
     133             :         NAMED_ARRAY_INDEX(MM_FILEPAGES),
     134             :         NAMED_ARRAY_INDEX(MM_ANONPAGES),
     135             :         NAMED_ARRAY_INDEX(MM_SWAPENTS),
     136             :         NAMED_ARRAY_INDEX(MM_SHMEMPAGES),
     137             : };
     138             : 
     139             : DEFINE_PER_CPU(unsigned long, process_counts) = 0;
     140             : 
     141             : __cacheline_aligned DEFINE_RWLOCK(tasklist_lock);  /* outer */
     142             : 
     143             : #ifdef CONFIG_PROVE_RCU
     144             : int lockdep_tasklist_lock_is_held(void)
     145             : {
     146             :         return lockdep_is_held(&tasklist_lock);
     147             : }
     148             : EXPORT_SYMBOL_GPL(lockdep_tasklist_lock_is_held);
     149             : #endif /* #ifdef CONFIG_PROVE_RCU */
     150             : 
     151           0 : int nr_processes(void)
     152             : {
     153             :         int cpu;
     154           0 :         int total = 0;
     155             : 
     156           0 :         for_each_possible_cpu(cpu)
     157           0 :                 total += per_cpu(process_counts, cpu);
     158             : 
     159           0 :         return total;
     160             : }
     161             : 
     162         332 : void __weak arch_release_task_struct(struct task_struct *tsk)
     163             : {
     164         332 : }
     165             : 
     166             : #ifndef CONFIG_ARCH_TASK_STRUCT_ALLOCATOR
     167             : static struct kmem_cache *task_struct_cachep;
     168             : 
     169             : static inline struct task_struct *alloc_task_struct_node(int node)
     170             : {
     171         348 :         return kmem_cache_alloc_node(task_struct_cachep, GFP_KERNEL, node);
     172             : }
     173             : 
     174             : static inline void free_task_struct(struct task_struct *tsk)
     175             : {
     176         332 :         kmem_cache_free(task_struct_cachep, tsk);
     177             : }
     178             : #endif
     179             : 
     180             : #ifndef CONFIG_ARCH_THREAD_STACK_ALLOCATOR
     181             : 
     182             : /*
     183             :  * Allocate pages if THREAD_SIZE is >= PAGE_SIZE, otherwise use a
     184             :  * kmemcache based allocator.
     185             :  */
     186             : # if THREAD_SIZE >= PAGE_SIZE || defined(CONFIG_VMAP_STACK)
     187             : 
     188             : #  ifdef CONFIG_VMAP_STACK
     189             : /*
     190             :  * vmalloc() is a bit slow, and calling vfree() enough times will force a TLB
     191             :  * flush.  Try to minimize the number of calls by caching stacks.
     192             :  */
     193             : #define NR_CACHED_STACKS 2
     194             : static DEFINE_PER_CPU(struct vm_struct *, cached_stacks[NR_CACHED_STACKS]);
     195             : 
     196             : struct vm_stack {
     197             :         struct rcu_head rcu;
     198             :         struct vm_struct *stack_vm_area;
     199             : };
     200             : 
     201         332 : static bool try_release_thread_stack_to_cache(struct vm_struct *vm)
     202             : {
     203             :         unsigned int i;
     204             : 
     205         332 :         for (i = 0; i < NR_CACHED_STACKS; i++) {
     206         996 :                 if (this_cpu_cmpxchg(cached_stacks[i], NULL, vm) != NULL)
     207           0 :                         continue;
     208             :                 return true;
     209             :         }
     210             :         return false;
     211             : }
     212             : 
     213           0 : static void thread_stack_free_rcu(struct rcu_head *rh)
     214             : {
     215           0 :         struct vm_stack *vm_stack = container_of(rh, struct vm_stack, rcu);
     216             : 
     217           0 :         if (try_release_thread_stack_to_cache(vm_stack->stack_vm_area))
     218             :                 return;
     219             : 
     220           0 :         vfree(vm_stack);
     221             : }
     222             : 
     223             : static void thread_stack_delayed_free(struct task_struct *tsk)
     224             : {
     225           0 :         struct vm_stack *vm_stack = tsk->stack;
     226             : 
     227           0 :         vm_stack->stack_vm_area = tsk->stack_vm_area;
     228           0 :         call_rcu(&vm_stack->rcu, thread_stack_free_rcu);
     229             : }
     230             : 
     231           0 : static int free_vm_stack_cache(unsigned int cpu)
     232             : {
     233           0 :         struct vm_struct **cached_vm_stacks = per_cpu_ptr(cached_stacks, cpu);
     234             :         int i;
     235             : 
     236           0 :         for (i = 0; i < NR_CACHED_STACKS; i++) {
     237           0 :                 struct vm_struct *vm_stack = cached_vm_stacks[i];
     238             : 
     239           0 :                 if (!vm_stack)
     240           0 :                         continue;
     241             : 
     242           0 :                 vfree(vm_stack->addr);
     243           0 :                 cached_vm_stacks[i] = NULL;
     244             :         }
     245             : 
     246           0 :         return 0;
     247             : }
     248             : 
     249         348 : static int memcg_charge_kernel_stack(struct vm_struct *vm)
     250             : {
     251             :         int i;
     252             :         int ret;
     253             : 
     254             :         BUILD_BUG_ON(IS_ENABLED(CONFIG_VMAP_STACK) && PAGE_SIZE % 1024 != 0);
     255         348 :         BUG_ON(vm->nr_pages != THREAD_SIZE / PAGE_SIZE);
     256             : 
     257             :         for (i = 0; i < THREAD_SIZE / PAGE_SIZE; i++) {
     258             :                 ret = memcg_kmem_charge_page(vm->pages[i], GFP_KERNEL, 0);
     259             :                 if (ret)
     260             :                         goto err;
     261             :         }
     262             :         return 0;
     263             : err:
     264             :         /*
     265             :          * If memcg_kmem_charge_page() fails, page's memory cgroup pointer is
     266             :          * NULL, and memcg_kmem_uncharge_page() in free_thread_stack() will
     267             :          * ignore this page.
     268             :          */
     269             :         for (i = 0; i < THREAD_SIZE / PAGE_SIZE; i++)
     270             :                 memcg_kmem_uncharge_page(vm->pages[i], 0);
     271             :         return ret;
     272             : }
     273             : 
     274         348 : static int alloc_thread_stack_node(struct task_struct *tsk, int node)
     275             : {
     276             :         struct vm_struct *vm;
     277             :         void *stack;
     278             :         int i;
     279             : 
     280         760 :         for (i = 0; i < NR_CACHED_STACKS; i++) {
     281             :                 struct vm_struct *s;
     282             : 
     283        1092 :                 s = this_cpu_xchg(cached_stacks[i], NULL);
     284             : 
     285         364 :                 if (!s)
     286          32 :                         continue;
     287             : 
     288             :                 /* Reset stack metadata. */
     289         332 :                 kasan_unpoison_range(s->addr, THREAD_SIZE);
     290             : 
     291         332 :                 stack = kasan_reset_tag(s->addr);
     292             : 
     293             :                 /* Clear stale pointers from reused stack. */
     294         332 :                 memset(stack, 0, THREAD_SIZE);
     295             : 
     296         332 :                 if (memcg_charge_kernel_stack(s)) {
     297           0 :                         vfree(s->addr);
     298             :                         return -ENOMEM;
     299             :                 }
     300             : 
     301         332 :                 tsk->stack_vm_area = s;
     302         332 :                 tsk->stack = stack;
     303             :                 return 0;
     304             :         }
     305             : 
     306             :         /*
     307             :          * Allocated stacks are cached and later reused by new threads,
     308             :          * so memcg accounting is performed manually on assigning/releasing
     309             :          * stacks to tasks. Drop __GFP_ACCOUNT.
     310             :          */
     311          32 :         stack = __vmalloc_node_range(THREAD_SIZE, THREAD_ALIGN,
     312          16 :                                      VMALLOC_START, VMALLOC_END,
     313             :                                      THREADINFO_GFP & ~__GFP_ACCOUNT,
     314          16 :                                      PAGE_KERNEL,
     315          16 :                                      0, node, __builtin_return_address(0));
     316          16 :         if (!stack)
     317             :                 return -ENOMEM;
     318             : 
     319          16 :         vm = find_vm_area(stack);
     320          16 :         if (memcg_charge_kernel_stack(vm)) {
     321           0 :                 vfree(stack);
     322             :                 return -ENOMEM;
     323             :         }
     324             :         /*
     325             :          * We can't call find_vm_area() in interrupt context, and
     326             :          * free_thread_stack() can be called in interrupt context,
     327             :          * so cache the vm_struct.
     328             :          */
     329          16 :         tsk->stack_vm_area = vm;
     330          16 :         stack = kasan_reset_tag(stack);
     331          16 :         tsk->stack = stack;
     332             :         return 0;
     333             : }
     334             : 
     335         332 : static void free_thread_stack(struct task_struct *tsk)
     336             : {
     337         332 :         if (!try_release_thread_stack_to_cache(tsk->stack_vm_area))
     338           0 :                 thread_stack_delayed_free(tsk);
     339             : 
     340         332 :         tsk->stack = NULL;
     341         332 :         tsk->stack_vm_area = NULL;
     342         332 : }
     343             : 
     344             : #  else /* !CONFIG_VMAP_STACK */
     345             : 
     346             : static void thread_stack_free_rcu(struct rcu_head *rh)
     347             : {
     348             :         __free_pages(virt_to_page(rh), THREAD_SIZE_ORDER);
     349             : }
     350             : 
     351             : static void thread_stack_delayed_free(struct task_struct *tsk)
     352             : {
     353             :         struct rcu_head *rh = tsk->stack;
     354             : 
     355             :         call_rcu(rh, thread_stack_free_rcu);
     356             : }
     357             : 
     358             : static int alloc_thread_stack_node(struct task_struct *tsk, int node)
     359             : {
     360             :         struct page *page = alloc_pages_node(node, THREADINFO_GFP,
     361             :                                              THREAD_SIZE_ORDER);
     362             : 
     363             :         if (likely(page)) {
     364             :                 tsk->stack = kasan_reset_tag(page_address(page));
     365             :                 return 0;
     366             :         }
     367             :         return -ENOMEM;
     368             : }
     369             : 
     370             : static void free_thread_stack(struct task_struct *tsk)
     371             : {
     372             :         thread_stack_delayed_free(tsk);
     373             :         tsk->stack = NULL;
     374             : }
     375             : 
     376             : #  endif /* CONFIG_VMAP_STACK */
     377             : # else /* !(THREAD_SIZE >= PAGE_SIZE || defined(CONFIG_VMAP_STACK)) */
     378             : 
     379             : static struct kmem_cache *thread_stack_cache;
     380             : 
     381             : static void thread_stack_free_rcu(struct rcu_head *rh)
     382             : {
     383             :         kmem_cache_free(thread_stack_cache, rh);
     384             : }
     385             : 
     386             : static void thread_stack_delayed_free(struct task_struct *tsk)
     387             : {
     388             :         struct rcu_head *rh = tsk->stack;
     389             : 
     390             :         call_rcu(rh, thread_stack_free_rcu);
     391             : }
     392             : 
     393             : static int alloc_thread_stack_node(struct task_struct *tsk, int node)
     394             : {
     395             :         unsigned long *stack;
     396             :         stack = kmem_cache_alloc_node(thread_stack_cache, THREADINFO_GFP, node);
     397             :         stack = kasan_reset_tag(stack);
     398             :         tsk->stack = stack;
     399             :         return stack ? 0 : -ENOMEM;
     400             : }
     401             : 
     402             : static void free_thread_stack(struct task_struct *tsk)
     403             : {
     404             :         thread_stack_delayed_free(tsk);
     405             :         tsk->stack = NULL;
     406             : }
     407             : 
     408             : void thread_stack_cache_init(void)
     409             : {
     410             :         thread_stack_cache = kmem_cache_create_usercopy("thread_stack",
     411             :                                         THREAD_SIZE, THREAD_SIZE, 0, 0,
     412             :                                         THREAD_SIZE, NULL);
     413             :         BUG_ON(thread_stack_cache == NULL);
     414             : }
     415             : 
     416             : # endif /* THREAD_SIZE >= PAGE_SIZE || defined(CONFIG_VMAP_STACK) */
     417             : #else /* CONFIG_ARCH_THREAD_STACK_ALLOCATOR */
     418             : 
     419             : static int alloc_thread_stack_node(struct task_struct *tsk, int node)
     420             : {
     421             :         unsigned long *stack;
     422             : 
     423             :         stack = arch_alloc_thread_stack_node(tsk, node);
     424             :         tsk->stack = stack;
     425             :         return stack ? 0 : -ENOMEM;
     426             : }
     427             : 
     428             : static void free_thread_stack(struct task_struct *tsk)
     429             : {
     430             :         arch_free_thread_stack(tsk);
     431             :         tsk->stack = NULL;
     432             : }
     433             : 
     434             : #endif /* !CONFIG_ARCH_THREAD_STACK_ALLOCATOR */
     435             : 
     436             : /* SLAB cache for signal_struct structures (tsk->signal) */
     437             : static struct kmem_cache *signal_cachep;
     438             : 
     439             : /* SLAB cache for sighand_struct structures (tsk->sighand) */
     440             : struct kmem_cache *sighand_cachep;
     441             : 
     442             : /* SLAB cache for files_struct structures (tsk->files) */
     443             : struct kmem_cache *files_cachep;
     444             : 
     445             : /* SLAB cache for fs_struct structures (tsk->fs) */
     446             : struct kmem_cache *fs_cachep;
     447             : 
     448             : /* SLAB cache for vm_area_struct structures */
     449             : static struct kmem_cache *vm_area_cachep;
     450             : 
     451             : /* SLAB cache for mm_struct structures (tsk->mm) */
     452             : static struct kmem_cache *mm_cachep;
     453             : 
     454           0 : struct vm_area_struct *vm_area_alloc(struct mm_struct *mm)
     455             : {
     456             :         struct vm_area_struct *vma;
     457             : 
     458           0 :         vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
     459           0 :         if (vma)
     460             :                 vma_init(vma, mm);
     461           0 :         return vma;
     462             : }
     463             : 
     464           0 : struct vm_area_struct *vm_area_dup(struct vm_area_struct *orig)
     465             : {
     466           0 :         struct vm_area_struct *new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
     467             : 
     468           0 :         if (new) {
     469           0 :                 ASSERT_EXCLUSIVE_WRITER(orig->vm_flags);
     470           0 :                 ASSERT_EXCLUSIVE_WRITER(orig->vm_file);
     471             :                 /*
     472             :                  * orig->shared.rb may be modified concurrently, but the clone
     473             :                  * will be reinitialized.
     474             :                  */
     475           0 :                 data_race(memcpy(new, orig, sizeof(*new)));
     476           0 :                 INIT_LIST_HEAD(&new->anon_vma_chain);
     477             :                 dup_anon_vma_name(orig, new);
     478             :         }
     479           0 :         return new;
     480             : }
     481             : 
     482           0 : void vm_area_free(struct vm_area_struct *vma)
     483             : {
     484           0 :         free_anon_vma_name(vma);
     485           0 :         kmem_cache_free(vm_area_cachep, vma);
     486           0 : }
     487             : 
     488             : static void account_kernel_stack(struct task_struct *tsk, int account)
     489             : {
     490             :         if (IS_ENABLED(CONFIG_VMAP_STACK)) {
     491             :                 struct vm_struct *vm = task_stack_vm_area(tsk);
     492             :                 int i;
     493             : 
     494        2724 :                 for (i = 0; i < THREAD_SIZE / PAGE_SIZE; i++)
     495        5448 :                         mod_lruvec_page_state(vm->pages[i], NR_KERNEL_STACK_KB,
     496             :                                               account * (PAGE_SIZE / 1024));
     497             :         } else {
     498             :                 void *stack = task_stack_page(tsk);
     499             : 
     500             :                 /* All stack pages are in the same node. */
     501             :                 mod_lruvec_kmem_state(stack, NR_KERNEL_STACK_KB,
     502             :                                       account * (THREAD_SIZE / 1024));
     503             :         }
     504             : }
     505             : 
     506         333 : void exit_task_stack_account(struct task_struct *tsk)
     507             : {
     508         666 :         account_kernel_stack(tsk, -1);
     509             : 
     510             :         if (IS_ENABLED(CONFIG_VMAP_STACK)) {
     511             :                 struct vm_struct *vm;
     512             :                 int i;
     513             : 
     514         333 :                 vm = task_stack_vm_area(tsk);
     515         333 :                 for (i = 0; i < THREAD_SIZE / PAGE_SIZE; i++)
     516             :                         memcg_kmem_uncharge_page(vm->pages[i], 0);
     517             :         }
     518         333 : }
     519             : 
     520         332 : static void release_task_stack(struct task_struct *tsk)
     521             : {
     522         332 :         if (WARN_ON(READ_ONCE(tsk->__state) != TASK_DEAD))
     523             :                 return;  /* Better to leak the stack than to free prematurely */
     524             : 
     525         332 :         free_thread_stack(tsk);
     526             : }
     527             : 
     528             : #ifdef CONFIG_THREAD_INFO_IN_TASK
     529             : void put_task_stack(struct task_struct *tsk)
     530             : {
     531             :         if (refcount_dec_and_test(&tsk->stack_refcount))
     532             :                 release_task_stack(tsk);
     533             : }
     534             : #endif
     535             : 
     536         332 : void free_task(struct task_struct *tsk)
     537             : {
     538             : #ifdef CONFIG_SECCOMP
     539         332 :         WARN_ON_ONCE(tsk->seccomp.filter);
     540             : #endif
     541         332 :         release_user_cpus_ptr(tsk);
     542         332 :         scs_release(tsk);
     543             : 
     544             : #ifndef CONFIG_THREAD_INFO_IN_TASK
     545             :         /*
     546             :          * The task is finally done with both the stack and thread_info,
     547             :          * so free both.
     548             :          */
     549         332 :         release_task_stack(tsk);
     550             : #else
     551             :         /*
     552             :          * If the task had a separate stack allocation, it should be gone
     553             :          * by now.
     554             :          */
     555             :         WARN_ON_ONCE(refcount_read(&tsk->stack_refcount) != 0);
     556             : #endif
     557         332 :         rt_mutex_debug_task_free(tsk);
     558         332 :         ftrace_graph_exit_task(tsk);
     559         332 :         arch_release_task_struct(tsk);
     560         332 :         if (tsk->flags & PF_KTHREAD)
     561         332 :                 free_kthread_struct(tsk);
     562         332 :         free_task_struct(tsk);
     563         332 : }
     564             : EXPORT_SYMBOL(free_task);
     565             : 
     566           0 : static void dup_mm_exe_file(struct mm_struct *mm, struct mm_struct *oldmm)
     567             : {
     568             :         struct file *exe_file;
     569             : 
     570           0 :         exe_file = get_mm_exe_file(oldmm);
     571           0 :         RCU_INIT_POINTER(mm->exe_file, exe_file);
     572             :         /*
     573             :          * We depend on the oldmm having properly denied write access to the
     574             :          * exe_file already.
     575             :          */
     576           0 :         if (exe_file && deny_write_access(exe_file))
     577           0 :                 pr_warn_once("deny_write_access() failed in %s\n", __func__);
     578           0 : }
     579             : 
     580             : #ifdef CONFIG_MMU
     581           0 : static __latent_entropy int dup_mmap(struct mm_struct *mm,
     582             :                                         struct mm_struct *oldmm)
     583             : {
     584             :         struct vm_area_struct *mpnt, *tmp;
     585             :         int retval;
     586           0 :         unsigned long charge = 0;
     587           0 :         LIST_HEAD(uf);
     588           0 :         VMA_ITERATOR(old_vmi, oldmm, 0);
     589           0 :         VMA_ITERATOR(vmi, mm, 0);
     590             : 
     591           0 :         uprobe_start_dup_mmap();
     592           0 :         if (mmap_write_lock_killable(oldmm)) {
     593             :                 retval = -EINTR;
     594             :                 goto fail_uprobe_end;
     595             :         }
     596           0 :         flush_cache_dup_mm(oldmm);
     597           0 :         uprobe_dup_mmap(oldmm, mm);
     598             :         /*
     599             :          * Not linked in yet - no deadlock potential:
     600             :          */
     601           0 :         mmap_write_lock_nested(mm, SINGLE_DEPTH_NESTING);
     602             : 
     603             :         /* No ordering required: file already has been exposed. */
     604           0 :         dup_mm_exe_file(mm, oldmm);
     605             : 
     606           0 :         mm->total_vm = oldmm->total_vm;
     607           0 :         mm->data_vm = oldmm->data_vm;
     608           0 :         mm->exec_vm = oldmm->exec_vm;
     609           0 :         mm->stack_vm = oldmm->stack_vm;
     610             : 
     611           0 :         retval = ksm_fork(mm, oldmm);
     612             :         if (retval)
     613             :                 goto out;
     614           0 :         khugepaged_fork(mm, oldmm);
     615             : 
     616           0 :         retval = vma_iter_bulk_alloc(&vmi, oldmm->map_count);
     617           0 :         if (retval)
     618             :                 goto out;
     619             : 
     620           0 :         for_each_vma(old_vmi, mpnt) {
     621             :                 struct file *file;
     622             : 
     623           0 :                 if (mpnt->vm_flags & VM_DONTCOPY) {
     624           0 :                         vm_stat_account(mm, mpnt->vm_flags, -vma_pages(mpnt));
     625           0 :                         continue;
     626             :                 }
     627           0 :                 charge = 0;
     628             :                 /*
     629             :                  * Don't duplicate many vmas if we've been oom-killed (for
     630             :                  * example)
     631             :                  */
     632           0 :                 if (fatal_signal_pending(current)) {
     633             :                         retval = -EINTR;
     634             :                         goto loop_out;
     635             :                 }
     636           0 :                 if (mpnt->vm_flags & VM_ACCOUNT) {
     637           0 :                         unsigned long len = vma_pages(mpnt);
     638             : 
     639           0 :                         if (security_vm_enough_memory_mm(oldmm, len)) /* sic */
     640             :                                 goto fail_nomem;
     641             :                         charge = len;
     642             :                 }
     643           0 :                 tmp = vm_area_dup(mpnt);
     644           0 :                 if (!tmp)
     645             :                         goto fail_nomem;
     646           0 :                 retval = vma_dup_policy(mpnt, tmp);
     647             :                 if (retval)
     648             :                         goto fail_nomem_policy;
     649           0 :                 tmp->vm_mm = mm;
     650           0 :                 retval = dup_userfaultfd(tmp, &uf);
     651             :                 if (retval)
     652             :                         goto fail_nomem_anon_vma_fork;
     653           0 :                 if (tmp->vm_flags & VM_WIPEONFORK) {
     654             :                         /*
     655             :                          * VM_WIPEONFORK gets a clean slate in the child.
     656             :                          * Don't prepare anon_vma until fault since we don't
     657             :                          * copy page for current vma.
     658             :                          */
     659           0 :                         tmp->anon_vma = NULL;
     660           0 :                 } else if (anon_vma_fork(tmp, mpnt))
     661             :                         goto fail_nomem_anon_vma_fork;
     662           0 :                 vm_flags_clear(tmp, VM_LOCKED_MASK);
     663           0 :                 file = tmp->vm_file;
     664           0 :                 if (file) {
     665           0 :                         struct address_space *mapping = file->f_mapping;
     666             : 
     667           0 :                         get_file(file);
     668           0 :                         i_mmap_lock_write(mapping);
     669           0 :                         if (tmp->vm_flags & VM_SHARED)
     670             :                                 mapping_allow_writable(mapping);
     671           0 :                         flush_dcache_mmap_lock(mapping);
     672             :                         /* insert tmp into the share list, just after mpnt */
     673           0 :                         vma_interval_tree_insert_after(tmp, mpnt,
     674             :                                         &mapping->i_mmap);
     675           0 :                         flush_dcache_mmap_unlock(mapping);
     676             :                         i_mmap_unlock_write(mapping);
     677             :                 }
     678             : 
     679             :                 /*
     680             :                  * Copy/update hugetlb private vma information.
     681             :                  */
     682           0 :                 if (is_vm_hugetlb_page(tmp))
     683             :                         hugetlb_dup_vma_private(tmp);
     684             : 
     685             :                 /* Link the vma into the MT */
     686           0 :                 if (vma_iter_bulk_store(&vmi, tmp))
     687             :                         goto fail_nomem_vmi_store;
     688             : 
     689           0 :                 mm->map_count++;
     690           0 :                 if (!(tmp->vm_flags & VM_WIPEONFORK))
     691           0 :                         retval = copy_page_range(tmp, mpnt);
     692             : 
     693           0 :                 if (tmp->vm_ops && tmp->vm_ops->open)
     694           0 :                         tmp->vm_ops->open(tmp);
     695             : 
     696           0 :                 if (retval)
     697             :                         goto loop_out;
     698             :         }
     699             :         /* a new mm has just been created */
     700             :         retval = arch_dup_mmap(oldmm, mm);
     701             : loop_out:
     702             :         vma_iter_free(&vmi);
     703             : out:
     704           0 :         mmap_write_unlock(mm);
     705           0 :         flush_tlb_mm(oldmm);
     706             :         mmap_write_unlock(oldmm);
     707             :         dup_userfaultfd_complete(&uf);
     708             : fail_uprobe_end:
     709             :         uprobe_end_dup_mmap();
     710           0 :         return retval;
     711             : 
     712             : fail_nomem_vmi_store:
     713           0 :         unlink_anon_vmas(tmp);
     714             : fail_nomem_anon_vma_fork:
     715           0 :         mpol_put(vma_policy(tmp));
     716             : fail_nomem_policy:
     717             :         vm_area_free(tmp);
     718             : fail_nomem:
     719           0 :         retval = -ENOMEM;
     720           0 :         vm_unacct_memory(charge);
     721             :         goto loop_out;
     722             : }
     723             : 
     724             : static inline int mm_alloc_pgd(struct mm_struct *mm)
     725             : {
     726           0 :         mm->pgd = pgd_alloc(mm);
     727           0 :         if (unlikely(!mm->pgd))
     728             :                 return -ENOMEM;
     729             :         return 0;
     730             : }
     731             : 
     732             : static inline void mm_free_pgd(struct mm_struct *mm)
     733             : {
     734           0 :         pgd_free(mm, mm->pgd);
     735             : }
     736             : #else
     737             : static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
     738             : {
     739             :         mmap_write_lock(oldmm);
     740             :         dup_mm_exe_file(mm, oldmm);
     741             :         mmap_write_unlock(oldmm);
     742             :         return 0;
     743             : }
     744             : #define mm_alloc_pgd(mm)        (0)
     745             : #define mm_free_pgd(mm)
     746             : #endif /* CONFIG_MMU */
     747             : 
     748           0 : static void check_mm(struct mm_struct *mm)
     749             : {
     750             :         int i;
     751             : 
     752             :         BUILD_BUG_ON_MSG(ARRAY_SIZE(resident_page_types) != NR_MM_COUNTERS,
     753             :                          "Please make sure 'struct resident_page_types[]' is updated as well");
     754             : 
     755           0 :         for (i = 0; i < NR_MM_COUNTERS; i++) {
     756           0 :                 long x = percpu_counter_sum(&mm->rss_stat[i]);
     757             : 
     758           0 :                 if (likely(!x))
     759           0 :                         continue;
     760             : 
     761             :                 /* Making sure this is not due to race with CPU offlining. */
     762           0 :                 x = percpu_counter_sum_all(&mm->rss_stat[i]);
     763           0 :                 if (unlikely(x))
     764           0 :                         pr_alert("BUG: Bad rss-counter state mm:%p type:%s val:%ld\n",
     765             :                                  mm, resident_page_types[i], x);
     766             :         }
     767             : 
     768           0 :         if (mm_pgtables_bytes(mm))
     769           0 :                 pr_alert("BUG: non-zero pgtables_bytes on freeing mm: %ld\n",
     770             :                                 mm_pgtables_bytes(mm));
     771             : 
     772             : #if defined(CONFIG_TRANSPARENT_HUGEPAGE) && !USE_SPLIT_PMD_PTLOCKS
     773             :         VM_BUG_ON_MM(mm->pmd_huge_pte, mm);
     774             : #endif
     775           0 : }
     776             : 
     777             : #define allocate_mm()   (kmem_cache_alloc(mm_cachep, GFP_KERNEL))
     778             : #define free_mm(mm)     (kmem_cache_free(mm_cachep, (mm)))
     779             : 
     780             : /*
     781             :  * Called when the last reference to the mm
     782             :  * is dropped: either by a lazy thread or by
     783             :  * mmput. Free the page directory and the mm.
     784             :  */
     785           0 : void __mmdrop(struct mm_struct *mm)
     786             : {
     787             :         int i;
     788             : 
     789           0 :         BUG_ON(mm == &init_mm);
     790           0 :         WARN_ON_ONCE(mm == current->mm);
     791           0 :         WARN_ON_ONCE(mm == current->active_mm);
     792           0 :         mm_free_pgd(mm);
     793           0 :         destroy_context(mm);
     794           0 :         mmu_notifier_subscriptions_destroy(mm);
     795           0 :         check_mm(mm);
     796           0 :         put_user_ns(mm->user_ns);
     797           0 :         mm_pasid_drop(mm);
     798             : 
     799           0 :         for (i = 0; i < NR_MM_COUNTERS; i++)
     800             :                 percpu_counter_destroy(&mm->rss_stat[i]);
     801           0 :         free_mm(mm);
     802           0 : }
     803             : EXPORT_SYMBOL_GPL(__mmdrop);
     804             : 
     805           0 : static void mmdrop_async_fn(struct work_struct *work)
     806             : {
     807             :         struct mm_struct *mm;
     808             : 
     809           0 :         mm = container_of(work, struct mm_struct, async_put_work);
     810           0 :         __mmdrop(mm);
     811           0 : }
     812             : 
     813           0 : static void mmdrop_async(struct mm_struct *mm)
     814             : {
     815           0 :         if (unlikely(atomic_dec_and_test(&mm->mm_count))) {
     816           0 :                 INIT_WORK(&mm->async_put_work, mmdrop_async_fn);
     817           0 :                 schedule_work(&mm->async_put_work);
     818             :         }
     819           0 : }
     820             : 
     821         332 : static inline void free_signal_struct(struct signal_struct *sig)
     822             : {
     823         332 :         taskstats_tgid_free(sig);
     824         332 :         sched_autogroup_exit(sig);
     825             :         /*
     826             :          * __mmdrop is not safe to call from softirq context on x86 due to
     827             :          * pgd_dtor so postpone it to the async context
     828             :          */
     829         332 :         if (sig->oom_mm)
     830           0 :                 mmdrop_async(sig->oom_mm);
     831         332 :         kmem_cache_free(signal_cachep, sig);
     832         332 : }
     833             : 
     834         332 : static inline void put_signal_struct(struct signal_struct *sig)
     835             : {
     836         664 :         if (refcount_dec_and_test(&sig->sigcnt))
     837         332 :                 free_signal_struct(sig);
     838         332 : }
     839             : 
     840         332 : void __put_task_struct(struct task_struct *tsk)
     841             : {
     842         332 :         WARN_ON(!tsk->exit_state);
     843         664 :         WARN_ON(refcount_read(&tsk->usage));
     844         332 :         WARN_ON(tsk == current);
     845             : 
     846         332 :         io_uring_free(tsk);
     847         332 :         cgroup_free(tsk);
     848         332 :         task_numa_free(tsk, true);
     849         332 :         security_task_free(tsk);
     850         332 :         bpf_task_storage_free(tsk);
     851         332 :         exit_creds(tsk);
     852         332 :         delayacct_tsk_free(tsk);
     853         332 :         put_signal_struct(tsk->signal);
     854         332 :         sched_core_free(tsk);
     855         332 :         free_task(tsk);
     856         332 : }
     857             : EXPORT_SYMBOL_GPL(__put_task_struct);
     858             : 
     859           1 : void __init __weak arch_task_cache_init(void) { }
     860             : 
     861             : /*
     862             :  * set_max_threads
     863             :  */
     864             : static void set_max_threads(unsigned int max_threads_suggested)
     865             : {
     866             :         u64 threads;
     867           1 :         unsigned long nr_pages = totalram_pages();
     868             : 
     869             :         /*
     870             :          * The number of threads shall be limited such that the thread
     871             :          * structures may only consume a small part of the available memory.
     872             :          */
     873           2 :         if (fls64(nr_pages) + fls64(PAGE_SIZE) > 64)
     874             :                 threads = MAX_THREADS;
     875             :         else
     876           2 :                 threads = div64_u64((u64) nr_pages * (u64) PAGE_SIZE,
     877             :                                     (u64) THREAD_SIZE * 8UL);
     878             : 
     879           1 :         if (threads > max_threads_suggested)
     880           0 :                 threads = max_threads_suggested;
     881             : 
     882           1 :         max_threads = clamp_t(u64, threads, MIN_THREADS, MAX_THREADS);
     883             : }
     884             : 
     885             : #ifdef CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT
     886             : /* Initialized by the architecture: */
     887             : int arch_task_struct_size __read_mostly;
     888             : #endif
     889             : 
     890             : #ifndef CONFIG_ARCH_TASK_STRUCT_ALLOCATOR
     891             : static void task_struct_whitelist(unsigned long *offset, unsigned long *size)
     892             : {
     893             :         /* Fetch thread_struct whitelist for the architecture. */
     894           1 :         arch_thread_struct_whitelist(offset, size);
     895             : 
     896             :         /*
     897             :          * Handle zero-sized whitelist or empty thread_struct, otherwise
     898             :          * adjust offset to position of thread_struct in task_struct.
     899             :          */
     900             :         if (unlikely(*size == 0))
     901             :                 *offset = 0;
     902             :         else
     903           1 :                 *offset += offsetof(struct task_struct, thread);
     904             : }
     905             : #endif /* CONFIG_ARCH_TASK_STRUCT_ALLOCATOR */
     906             : 
     907           1 : void __init fork_init(void)
     908             : {
     909             :         int i;
     910             : #ifndef CONFIG_ARCH_TASK_STRUCT_ALLOCATOR
     911             : #ifndef ARCH_MIN_TASKALIGN
     912             : #define ARCH_MIN_TASKALIGN      0
     913             : #endif
     914           1 :         int align = max_t(int, L1_CACHE_BYTES, ARCH_MIN_TASKALIGN);
     915             :         unsigned long useroffset, usersize;
     916             : 
     917             :         /* create a slab on which task_structs can be allocated */
     918           1 :         task_struct_whitelist(&useroffset, &usersize);
     919           1 :         task_struct_cachep = kmem_cache_create_usercopy("task_struct",
     920             :                         arch_task_struct_size, align,
     921             :                         SLAB_PANIC|SLAB_ACCOUNT,
     922             :                         useroffset, usersize, NULL);
     923             : #endif
     924             : 
     925             :         /* do the arch specific task caches init */
     926           1 :         arch_task_cache_init();
     927             : 
     928           1 :         set_max_threads(MAX_THREADS);
     929             : 
     930           1 :         init_task.signal->rlim[RLIMIT_NPROC].rlim_cur = max_threads/2;
     931           1 :         init_task.signal->rlim[RLIMIT_NPROC].rlim_max = max_threads/2;
     932           1 :         init_task.signal->rlim[RLIMIT_SIGPENDING] =
     933             :                 init_task.signal->rlim[RLIMIT_NPROC];
     934             : 
     935          11 :         for (i = 0; i < UCOUNT_COUNTS; i++)
     936          10 :                 init_user_ns.ucount_max[i] = max_threads/2;
     937             : 
     938           1 :         set_userns_rlimit_max(&init_user_ns, UCOUNT_RLIMIT_NPROC,      RLIM_INFINITY);
     939           1 :         set_userns_rlimit_max(&init_user_ns, UCOUNT_RLIMIT_MSGQUEUE,   RLIM_INFINITY);
     940           1 :         set_userns_rlimit_max(&init_user_ns, UCOUNT_RLIMIT_SIGPENDING, RLIM_INFINITY);
     941           1 :         set_userns_rlimit_max(&init_user_ns, UCOUNT_RLIMIT_MEMLOCK,    RLIM_INFINITY);
     942             : 
     943             : #ifdef CONFIG_VMAP_STACK
     944           1 :         cpuhp_setup_state(CPUHP_BP_PREPARE_DYN, "fork:vm_stack_cache",
     945             :                           NULL, free_vm_stack_cache);
     946             : #endif
     947             : 
     948             :         scs_init();
     949             : 
     950           1 :         lockdep_init_task(&init_task);
     951             :         uprobes_init();
     952           1 : }
     953             : 
     954         348 : int __weak arch_dup_task_struct(struct task_struct *dst,
     955             :                                                struct task_struct *src)
     956             : {
     957         348 :         *dst = *src;
     958         348 :         return 0;
     959             : }
     960             : 
     961           1 : void set_task_stack_end_magic(struct task_struct *tsk)
     962             : {
     963             :         unsigned long *stackend;
     964             : 
     965         349 :         stackend = end_of_stack(tsk);
     966         349 :         *stackend = STACK_END_MAGIC;    /* for overflow detection */
     967           1 : }
     968             : 
     969         348 : static struct task_struct *dup_task_struct(struct task_struct *orig, int node)
     970             : {
     971             :         struct task_struct *tsk;
     972             :         int err;
     973             : 
     974         348 :         if (node == NUMA_NO_NODE)
     975         348 :                 node = tsk_fork_get_node(orig);
     976         348 :         tsk = alloc_task_struct_node(node);
     977         348 :         if (!tsk)
     978             :                 return NULL;
     979             : 
     980         348 :         err = arch_dup_task_struct(tsk, orig);
     981         348 :         if (err)
     982             :                 goto free_tsk;
     983             : 
     984         348 :         err = alloc_thread_stack_node(tsk, node);
     985         348 :         if (err)
     986             :                 goto free_tsk;
     987             : 
     988             : #ifdef CONFIG_THREAD_INFO_IN_TASK
     989             :         refcount_set(&tsk->stack_refcount, 1);
     990             : #endif
     991         348 :         account_kernel_stack(tsk, 1);
     992             : 
     993         348 :         err = scs_prepare(tsk, node);
     994             :         if (err)
     995             :                 goto free_stack;
     996             : 
     997             : #ifdef CONFIG_SECCOMP
     998             :         /*
     999             :          * We must handle setting up seccomp filters once we're under
    1000             :          * the sighand lock in case orig has changed between now and
    1001             :          * then. Until then, filter must be NULL to avoid messing up
    1002             :          * the usage counts on the error path calling free_task.
    1003             :          */
    1004         348 :         tsk->seccomp.filter = NULL;
    1005             : #endif
    1006             : 
    1007         696 :         setup_thread_stack(tsk, orig);
    1008         348 :         clear_user_return_notifier(tsk);
    1009         348 :         clear_tsk_need_resched(tsk);
    1010         348 :         set_task_stack_end_magic(tsk);
    1011             :         clear_syscall_work_syscall_user_dispatch(tsk);
    1012             : 
    1013             : #ifdef CONFIG_STACKPROTECTOR
    1014             :         tsk->stack_canary = get_random_canary();
    1015             : #endif
    1016         348 :         if (orig->cpus_ptr == &orig->cpus_mask)
    1017         348 :                 tsk->cpus_ptr = &tsk->cpus_mask;
    1018         348 :         dup_user_cpus_ptr(tsk, orig, node);
    1019             : 
    1020             :         /*
    1021             :          * One for the user space visible state that goes away when reaped.
    1022             :          * One for the scheduler.
    1023             :          */
    1024         696 :         refcount_set(&tsk->rcu_users, 2);
    1025             :         /* One for the rcu users */
    1026         696 :         refcount_set(&tsk->usage, 1);
    1027             : #ifdef CONFIG_BLK_DEV_IO_TRACE
    1028             :         tsk->btrace_seq = 0;
    1029             : #endif
    1030         348 :         tsk->splice_pipe = NULL;
    1031         348 :         tsk->task_frag.page = NULL;
    1032         348 :         tsk->wake_q.next = NULL;
    1033         348 :         tsk->worker_private = NULL;
    1034             : 
    1035             :         kcov_task_init(tsk);
    1036             :         kmsan_task_create(tsk);
    1037             :         kmap_local_fork(tsk);
    1038             : 
    1039             : #ifdef CONFIG_FAULT_INJECTION
    1040             :         tsk->fail_nth = 0;
    1041             : #endif
    1042             : 
    1043             : #ifdef CONFIG_BLK_CGROUP
    1044             :         tsk->throttle_disk = NULL;
    1045             :         tsk->use_memdelay = 0;
    1046             : #endif
    1047             : 
    1048             : #ifdef CONFIG_IOMMU_SVA
    1049             :         tsk->pasid_activated = 0;
    1050             : #endif
    1051             : 
    1052             : #ifdef CONFIG_MEMCG
    1053             :         tsk->active_memcg = NULL;
    1054             : #endif
    1055             : 
    1056             : #ifdef CONFIG_CPU_SUP_INTEL
    1057         348 :         tsk->reported_split_lock = 0;
    1058             : #endif
    1059             : 
    1060             : #ifdef CONFIG_SCHED_MM_CID
    1061             :         tsk->mm_cid = -1;
    1062             :         tsk->mm_cid_active = 0;
    1063             : #endif
    1064         348 :         return tsk;
    1065             : 
    1066             : free_stack:
    1067             :         exit_task_stack_account(tsk);
    1068             :         free_thread_stack(tsk);
    1069             : free_tsk:
    1070           0 :         free_task_struct(tsk);
    1071           0 :         return NULL;
    1072             : }
    1073             : 
    1074             : __cacheline_aligned_in_smp DEFINE_SPINLOCK(mmlist_lock);
    1075             : 
    1076             : static unsigned long default_dump_filter = MMF_DUMP_FILTER_DEFAULT;
    1077             : 
    1078           0 : static int __init coredump_filter_setup(char *s)
    1079             : {
    1080           0 :         default_dump_filter =
    1081           0 :                 (simple_strtoul(s, NULL, 0) << MMF_DUMP_FILTER_SHIFT) &
    1082             :                 MMF_DUMP_FILTER_MASK;
    1083           0 :         return 1;
    1084             : }
    1085             : 
    1086             : __setup("coredump_filter=", coredump_filter_setup);
    1087             : 
    1088             : #include <linux/init_task.h>
    1089             : 
    1090             : static void mm_init_aio(struct mm_struct *mm)
    1091             : {
    1092             : #ifdef CONFIG_AIO
    1093           0 :         spin_lock_init(&mm->ioctx_lock);
    1094           0 :         mm->ioctx_table = NULL;
    1095             : #endif
    1096             : }
    1097             : 
    1098             : static __always_inline void mm_clear_owner(struct mm_struct *mm,
    1099             :                                            struct task_struct *p)
    1100             : {
    1101             : #ifdef CONFIG_MEMCG
    1102             :         if (mm->owner == p)
    1103             :                 WRITE_ONCE(mm->owner, NULL);
    1104             : #endif
    1105             : }
    1106             : 
    1107             : static void mm_init_owner(struct mm_struct *mm, struct task_struct *p)
    1108             : {
    1109             : #ifdef CONFIG_MEMCG
    1110             :         mm->owner = p;
    1111             : #endif
    1112             : }
    1113             : 
    1114             : static void mm_init_uprobes_state(struct mm_struct *mm)
    1115             : {
    1116             : #ifdef CONFIG_UPROBES
    1117             :         mm->uprobes_state.xol_area = NULL;
    1118             : #endif
    1119             : }
    1120             : 
    1121           0 : static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
    1122             :         struct user_namespace *user_ns)
    1123             : {
    1124             :         int i;
    1125             : 
    1126           0 :         mt_init_flags(&mm->mm_mt, MM_MT_FLAGS);
    1127             :         mt_set_external_lock(&mm->mm_mt, &mm->mmap_lock);
    1128           0 :         atomic_set(&mm->mm_users, 1);
    1129           0 :         atomic_set(&mm->mm_count, 1);
    1130           0 :         seqcount_init(&mm->write_protect_seq);
    1131           0 :         mmap_init_lock(mm);
    1132           0 :         INIT_LIST_HEAD(&mm->mmlist);
    1133           0 :         mm_pgtables_bytes_init(mm);
    1134           0 :         mm->map_count = 0;
    1135           0 :         mm->locked_vm = 0;
    1136           0 :         atomic64_set(&mm->pinned_vm, 0);
    1137           0 :         memset(&mm->rss_stat, 0, sizeof(mm->rss_stat));
    1138           0 :         spin_lock_init(&mm->page_table_lock);
    1139           0 :         spin_lock_init(&mm->arg_lock);
    1140           0 :         mm_init_cpumask(mm);
    1141           0 :         mm_init_aio(mm);
    1142           0 :         mm_init_owner(mm, p);
    1143           0 :         mm_pasid_init(mm);
    1144           0 :         RCU_INIT_POINTER(mm->exe_file, NULL);
    1145           0 :         mmu_notifier_subscriptions_init(mm);
    1146           0 :         init_tlb_flush_pending(mm);
    1147             : #if defined(CONFIG_TRANSPARENT_HUGEPAGE) && !USE_SPLIT_PMD_PTLOCKS
    1148             :         mm->pmd_huge_pte = NULL;
    1149             : #endif
    1150           0 :         mm_init_uprobes_state(mm);
    1151           0 :         hugetlb_count_init(mm);
    1152             : 
    1153           0 :         if (current->mm) {
    1154           0 :                 mm->flags = current->mm->flags & MMF_INIT_MASK;
    1155           0 :                 mm->def_flags = current->mm->def_flags & VM_INIT_DEF_MASK;
    1156             :         } else {
    1157           0 :                 mm->flags = default_dump_filter;
    1158           0 :                 mm->def_flags = 0;
    1159             :         }
    1160             : 
    1161           0 :         if (mm_alloc_pgd(mm))
    1162             :                 goto fail_nopgd;
    1163             : 
    1164           0 :         if (init_new_context(p, mm))
    1165             :                 goto fail_nocontext;
    1166             : 
    1167           0 :         for (i = 0; i < NR_MM_COUNTERS; i++)
    1168           0 :                 if (percpu_counter_init(&mm->rss_stat[i], 0, GFP_KERNEL_ACCOUNT))
    1169             :                         goto fail_pcpu;
    1170             : 
    1171           0 :         mm->user_ns = get_user_ns(user_ns);
    1172           0 :         lru_gen_init_mm(mm);
    1173           0 :         mm_init_cid(mm);
    1174             :         return mm;
    1175             : 
    1176             : fail_pcpu:
    1177             :         while (i > 0)
    1178             :                 percpu_counter_destroy(&mm->rss_stat[--i]);
    1179             : fail_nocontext:
    1180             :         mm_free_pgd(mm);
    1181             : fail_nopgd:
    1182           0 :         free_mm(mm);
    1183             :         return NULL;
    1184             : }
    1185             : 
    1186             : /*
    1187             :  * Allocate and initialize an mm_struct.
    1188             :  */
    1189           0 : struct mm_struct *mm_alloc(void)
    1190             : {
    1191             :         struct mm_struct *mm;
    1192             : 
    1193           0 :         mm = allocate_mm();
    1194           0 :         if (!mm)
    1195             :                 return NULL;
    1196             : 
    1197           0 :         memset(mm, 0, sizeof(*mm));
    1198           0 :         return mm_init(mm, current, current_user_ns());
    1199             : }
    1200             : 
    1201           0 : static inline void __mmput(struct mm_struct *mm)
    1202             : {
    1203             :         VM_BUG_ON(atomic_read(&mm->mm_users));
    1204             : 
    1205           0 :         uprobe_clear_state(mm);
    1206           0 :         exit_aio(mm);
    1207           0 :         ksm_exit(mm);
    1208           0 :         khugepaged_exit(mm); /* must run before exit_mmap */
    1209           0 :         exit_mmap(mm);
    1210           0 :         mm_put_huge_zero_page(mm);
    1211           0 :         set_mm_exe_file(mm, NULL);
    1212           0 :         if (!list_empty(&mm->mmlist)) {
    1213           0 :                 spin_lock(&mmlist_lock);
    1214           0 :                 list_del(&mm->mmlist);
    1215             :                 spin_unlock(&mmlist_lock);
    1216             :         }
    1217           0 :         if (mm->binfmt)
    1218             :                 module_put(mm->binfmt->module);
    1219           0 :         lru_gen_del_mm(mm);
    1220           0 :         mmdrop(mm);
    1221           0 : }
    1222             : 
    1223             : /*
    1224             :  * Decrement the use count and release all resources for an mm.
    1225             :  */
    1226           0 : void mmput(struct mm_struct *mm)
    1227             : {
    1228             :         might_sleep();
    1229             : 
    1230           0 :         if (atomic_dec_and_test(&mm->mm_users))
    1231           0 :                 __mmput(mm);
    1232           0 : }
    1233             : EXPORT_SYMBOL_GPL(mmput);
    1234             : 
    1235             : #ifdef CONFIG_MMU
    1236           0 : static void mmput_async_fn(struct work_struct *work)
    1237             : {
    1238           0 :         struct mm_struct *mm = container_of(work, struct mm_struct,
    1239             :                                             async_put_work);
    1240             : 
    1241           0 :         __mmput(mm);
    1242           0 : }
    1243             : 
    1244           0 : void mmput_async(struct mm_struct *mm)
    1245             : {
    1246           0 :         if (atomic_dec_and_test(&mm->mm_users)) {
    1247           0 :                 INIT_WORK(&mm->async_put_work, mmput_async_fn);
    1248           0 :                 schedule_work(&mm->async_put_work);
    1249             :         }
    1250           0 : }
    1251             : EXPORT_SYMBOL_GPL(mmput_async);
    1252             : #endif
    1253             : 
    1254             : /**
    1255             :  * set_mm_exe_file - change a reference to the mm's executable file
    1256             :  *
    1257             :  * This changes mm's executable file (shown as symlink /proc/[pid]/exe).
    1258             :  *
    1259             :  * Main users are mmput() and sys_execve(). Callers prevent concurrent
    1260             :  * invocations: in mmput() nobody alive left, in execve task is single
    1261             :  * threaded.
    1262             :  *
    1263             :  * Can only fail if new_exe_file != NULL.
    1264             :  */
    1265           0 : int set_mm_exe_file(struct mm_struct *mm, struct file *new_exe_file)
    1266             : {
    1267             :         struct file *old_exe_file;
    1268             : 
    1269             :         /*
    1270             :          * It is safe to dereference the exe_file without RCU as
    1271             :          * this function is only called if nobody else can access
    1272             :          * this mm -- see comment above for justification.
    1273             :          */
    1274           0 :         old_exe_file = rcu_dereference_raw(mm->exe_file);
    1275             : 
    1276           0 :         if (new_exe_file) {
    1277             :                 /*
    1278             :                  * We expect the caller (i.e., sys_execve) to already denied
    1279             :                  * write access, so this is unlikely to fail.
    1280             :                  */
    1281           0 :                 if (unlikely(deny_write_access(new_exe_file)))
    1282             :                         return -EACCES;
    1283             :                 get_file(new_exe_file);
    1284             :         }
    1285           0 :         rcu_assign_pointer(mm->exe_file, new_exe_file);
    1286           0 :         if (old_exe_file) {
    1287           0 :                 allow_write_access(old_exe_file);
    1288           0 :                 fput(old_exe_file);
    1289             :         }
    1290             :         return 0;
    1291             : }
    1292             : 
    1293             : /**
    1294             :  * replace_mm_exe_file - replace a reference to the mm's executable file
    1295             :  *
    1296             :  * This changes mm's executable file (shown as symlink /proc/[pid]/exe),
    1297             :  * dealing with concurrent invocation and without grabbing the mmap lock in
    1298             :  * write mode.
    1299             :  *
    1300             :  * Main user is sys_prctl(PR_SET_MM_MAP/EXE_FILE).
    1301             :  */
    1302           0 : int replace_mm_exe_file(struct mm_struct *mm, struct file *new_exe_file)
    1303             : {
    1304             :         struct vm_area_struct *vma;
    1305             :         struct file *old_exe_file;
    1306           0 :         int ret = 0;
    1307             : 
    1308             :         /* Forbid mm->exe_file change if old file still mapped. */
    1309           0 :         old_exe_file = get_mm_exe_file(mm);
    1310           0 :         if (old_exe_file) {
    1311           0 :                 VMA_ITERATOR(vmi, mm, 0);
    1312             :                 mmap_read_lock(mm);
    1313           0 :                 for_each_vma(vmi, vma) {
    1314           0 :                         if (!vma->vm_file)
    1315           0 :                                 continue;
    1316           0 :                         if (path_equal(&vma->vm_file->f_path,
    1317           0 :                                        &old_exe_file->f_path)) {
    1318             :                                 ret = -EBUSY;
    1319             :                                 break;
    1320             :                         }
    1321             :                 }
    1322           0 :                 mmap_read_unlock(mm);
    1323           0 :                 fput(old_exe_file);
    1324           0 :                 if (ret)
    1325           0 :                         return ret;
    1326             :         }
    1327             : 
    1328             :         /* set the new file, lockless */
    1329           0 :         ret = deny_write_access(new_exe_file);
    1330           0 :         if (ret)
    1331             :                 return -EACCES;
    1332           0 :         get_file(new_exe_file);
    1333             : 
    1334           0 :         old_exe_file = xchg(&mm->exe_file, new_exe_file);
    1335           0 :         if (old_exe_file) {
    1336             :                 /*
    1337             :                  * Don't race with dup_mmap() getting the file and disallowing
    1338             :                  * write access while someone might open the file writable.
    1339             :                  */
    1340           0 :                 mmap_read_lock(mm);
    1341           0 :                 allow_write_access(old_exe_file);
    1342           0 :                 fput(old_exe_file);
    1343             :                 mmap_read_unlock(mm);
    1344             :         }
    1345             :         return 0;
    1346             : }
    1347             : 
    1348             : /**
    1349             :  * get_mm_exe_file - acquire a reference to the mm's executable file
    1350             :  *
    1351             :  * Returns %NULL if mm has no associated executable file.
    1352             :  * User must release file via fput().
    1353             :  */
    1354           0 : struct file *get_mm_exe_file(struct mm_struct *mm)
    1355             : {
    1356             :         struct file *exe_file;
    1357             : 
    1358             :         rcu_read_lock();
    1359           0 :         exe_file = rcu_dereference(mm->exe_file);
    1360           0 :         if (exe_file && !get_file_rcu(exe_file))
    1361           0 :                 exe_file = NULL;
    1362             :         rcu_read_unlock();
    1363           0 :         return exe_file;
    1364             : }
    1365             : 
    1366             : /**
    1367             :  * get_task_exe_file - acquire a reference to the task's executable file
    1368             :  *
    1369             :  * Returns %NULL if task's mm (if any) has no associated executable file or
    1370             :  * this is a kernel thread with borrowed mm (see the comment above get_task_mm).
    1371             :  * User must release file via fput().
    1372             :  */
    1373           0 : struct file *get_task_exe_file(struct task_struct *task)
    1374             : {
    1375           0 :         struct file *exe_file = NULL;
    1376             :         struct mm_struct *mm;
    1377             : 
    1378           0 :         task_lock(task);
    1379           0 :         mm = task->mm;
    1380           0 :         if (mm) {
    1381           0 :                 if (!(task->flags & PF_KTHREAD))
    1382           0 :                         exe_file = get_mm_exe_file(mm);
    1383             :         }
    1384           0 :         task_unlock(task);
    1385           0 :         return exe_file;
    1386             : }
    1387             : 
    1388             : /**
    1389             :  * get_task_mm - acquire a reference to the task's mm
    1390             :  *
    1391             :  * Returns %NULL if the task has no mm.  Checks PF_KTHREAD (meaning
    1392             :  * this kernel workthread has transiently adopted a user mm with use_mm,
    1393             :  * to do its AIO) is not set and if so returns a reference to it, after
    1394             :  * bumping up the use count.  User must release the mm via mmput()
    1395             :  * after use.  Typically used by /proc and ptrace.
    1396             :  */
    1397           0 : struct mm_struct *get_task_mm(struct task_struct *task)
    1398             : {
    1399             :         struct mm_struct *mm;
    1400             : 
    1401           0 :         task_lock(task);
    1402           0 :         mm = task->mm;
    1403           0 :         if (mm) {
    1404           0 :                 if (task->flags & PF_KTHREAD)
    1405             :                         mm = NULL;
    1406             :                 else
    1407             :                         mmget(mm);
    1408             :         }
    1409           0 :         task_unlock(task);
    1410           0 :         return mm;
    1411             : }
    1412             : EXPORT_SYMBOL_GPL(get_task_mm);
    1413             : 
    1414           0 : struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
    1415             : {
    1416             :         struct mm_struct *mm;
    1417             :         int err;
    1418             : 
    1419           0 :         err =  down_read_killable(&task->signal->exec_update_lock);
    1420           0 :         if (err)
    1421           0 :                 return ERR_PTR(err);
    1422             : 
    1423           0 :         mm = get_task_mm(task);
    1424           0 :         if (mm && mm != current->mm &&
    1425           0 :                         !ptrace_may_access(task, mode)) {
    1426             :                 mmput(mm);
    1427             :                 mm = ERR_PTR(-EACCES);
    1428             :         }
    1429           0 :         up_read(&task->signal->exec_update_lock);
    1430             : 
    1431           0 :         return mm;
    1432             : }
    1433             : 
    1434             : static void complete_vfork_done(struct task_struct *tsk)
    1435             : {
    1436             :         struct completion *vfork;
    1437             : 
    1438         333 :         task_lock(tsk);
    1439         333 :         vfork = tsk->vfork_done;
    1440         333 :         if (likely(vfork)) {
    1441         333 :                 tsk->vfork_done = NULL;
    1442         333 :                 complete(vfork);
    1443             :         }
    1444         333 :         task_unlock(tsk);
    1445             : }
    1446             : 
    1447           0 : static int wait_for_vfork_done(struct task_struct *child,
    1448             :                                 struct completion *vfork)
    1449             : {
    1450           0 :         unsigned int state = TASK_UNINTERRUPTIBLE|TASK_KILLABLE|TASK_FREEZABLE;
    1451             :         int killed;
    1452             : 
    1453             :         cgroup_enter_frozen();
    1454           0 :         killed = wait_for_completion_state(vfork, state);
    1455           0 :         cgroup_leave_frozen(false);
    1456             : 
    1457           0 :         if (killed) {
    1458           0 :                 task_lock(child);
    1459           0 :                 child->vfork_done = NULL;
    1460           0 :                 task_unlock(child);
    1461             :         }
    1462             : 
    1463           0 :         put_task_struct(child);
    1464           0 :         return killed;
    1465             : }
    1466             : 
    1467             : /* Please note the differences between mmput and mm_release.
    1468             :  * mmput is called whenever we stop holding onto a mm_struct,
    1469             :  * error success whatever.
    1470             :  *
    1471             :  * mm_release is called after a mm_struct has been removed
    1472             :  * from the current process.
    1473             :  *
    1474             :  * This difference is important for error handling, when we
    1475             :  * only half set up a mm_struct for a new process and need to restore
    1476             :  * the old one.  Because we mmput the new mm_struct before
    1477             :  * restoring the old one. . .
    1478             :  * Eric Biederman 10 January 1998
    1479             :  */
    1480         333 : static void mm_release(struct task_struct *tsk, struct mm_struct *mm)
    1481             : {
    1482         333 :         uprobe_free_utask(tsk);
    1483             : 
    1484             :         /* Get rid of any cached register state */
    1485         333 :         deactivate_mm(tsk, mm);
    1486             : 
    1487             :         /*
    1488             :          * Signal userspace if we're not exiting with a core dump
    1489             :          * because we want to leave the value intact for debugging
    1490             :          * purposes.
    1491             :          */
    1492         333 :         if (tsk->clear_child_tid) {
    1493           0 :                 if (atomic_read(&mm->mm_users) > 1) {
    1494             :                         /*
    1495             :                          * We don't check the error code - if userspace has
    1496             :                          * not set up a proper pointer then tough luck.
    1497             :                          */
    1498           0 :                         put_user(0, tsk->clear_child_tid);
    1499           0 :                         do_futex(tsk->clear_child_tid, FUTEX_WAKE,
    1500             :                                         1, NULL, NULL, 0, 0);
    1501             :                 }
    1502           0 :                 tsk->clear_child_tid = NULL;
    1503             :         }
    1504             : 
    1505             :         /*
    1506             :          * All done, finally we can wake up parent and return this mm to him.
    1507             :          * Also kthread_stop() uses this completion for synchronization.
    1508             :          */
    1509         333 :         if (tsk->vfork_done)
    1510         333 :                 complete_vfork_done(tsk);
    1511         333 : }
    1512             : 
    1513         333 : void exit_mm_release(struct task_struct *tsk, struct mm_struct *mm)
    1514             : {
    1515         333 :         futex_exit_release(tsk);
    1516         333 :         mm_release(tsk, mm);
    1517         333 : }
    1518             : 
    1519           0 : void exec_mm_release(struct task_struct *tsk, struct mm_struct *mm)
    1520             : {
    1521           0 :         futex_exec_release(tsk);
    1522           0 :         mm_release(tsk, mm);
    1523           0 : }
    1524             : 
    1525             : /**
    1526             :  * dup_mm() - duplicates an existing mm structure
    1527             :  * @tsk: the task_struct with which the new mm will be associated.
    1528             :  * @oldmm: the mm to duplicate.
    1529             :  *
    1530             :  * Allocates a new mm structure and duplicates the provided @oldmm structure
    1531             :  * content into it.
    1532             :  *
    1533             :  * Return: the duplicated mm or NULL on failure.
    1534             :  */
    1535           0 : static struct mm_struct *dup_mm(struct task_struct *tsk,
    1536             :                                 struct mm_struct *oldmm)
    1537             : {
    1538             :         struct mm_struct *mm;
    1539             :         int err;
    1540             : 
    1541           0 :         mm = allocate_mm();
    1542           0 :         if (!mm)
    1543             :                 goto fail_nomem;
    1544             : 
    1545           0 :         memcpy(mm, oldmm, sizeof(*mm));
    1546             : 
    1547           0 :         if (!mm_init(mm, tsk, mm->user_ns))
    1548             :                 goto fail_nomem;
    1549             : 
    1550           0 :         err = dup_mmap(mm, oldmm);
    1551           0 :         if (err)
    1552             :                 goto free_pt;
    1553             : 
    1554           0 :         mm->hiwater_rss = get_mm_rss(mm);
    1555           0 :         mm->hiwater_vm = mm->total_vm;
    1556             : 
    1557           0 :         if (mm->binfmt && !try_module_get(mm->binfmt->module))
    1558             :                 goto free_pt;
    1559             : 
    1560             :         return mm;
    1561             : 
    1562             : free_pt:
    1563             :         /* don't put binfmt in mmput, we haven't got module yet */
    1564           0 :         mm->binfmt = NULL;
    1565           0 :         mm_init_owner(mm, NULL);
    1566             :         mmput(mm);
    1567             : 
    1568             : fail_nomem:
    1569             :         return NULL;
    1570             : }
    1571             : 
    1572         348 : static int copy_mm(unsigned long clone_flags, struct task_struct *tsk)
    1573             : {
    1574             :         struct mm_struct *mm, *oldmm;
    1575             : 
    1576         348 :         tsk->min_flt = tsk->maj_flt = 0;
    1577         348 :         tsk->nvcsw = tsk->nivcsw = 0;
    1578             : #ifdef CONFIG_DETECT_HUNG_TASK
    1579             :         tsk->last_switch_count = tsk->nvcsw + tsk->nivcsw;
    1580             :         tsk->last_switch_time = 0;
    1581             : #endif
    1582             : 
    1583         348 :         tsk->mm = NULL;
    1584         348 :         tsk->active_mm = NULL;
    1585             : 
    1586             :         /*
    1587             :          * Are we cloning a kernel thread?
    1588             :          *
    1589             :          * We need to steal a active VM for that..
    1590             :          */
    1591         348 :         oldmm = current->mm;
    1592         348 :         if (!oldmm)
    1593             :                 return 0;
    1594             : 
    1595           0 :         if (clone_flags & CLONE_VM) {
    1596           0 :                 mmget(oldmm);
    1597           0 :                 mm = oldmm;
    1598             :         } else {
    1599           0 :                 mm = dup_mm(tsk, current->mm);
    1600           0 :                 if (!mm)
    1601             :                         return -ENOMEM;
    1602             :         }
    1603             : 
    1604           0 :         tsk->mm = mm;
    1605           0 :         tsk->active_mm = mm;
    1606           0 :         sched_mm_cid_fork(tsk);
    1607           0 :         return 0;
    1608             : }
    1609             : 
    1610         348 : static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
    1611             : {
    1612         348 :         struct fs_struct *fs = current->fs;
    1613         348 :         if (clone_flags & CLONE_FS) {
    1614             :                 /* tsk->fs is already what we want */
    1615         696 :                 spin_lock(&fs->lock);
    1616         348 :                 if (fs->in_exec) {
    1617           0 :                         spin_unlock(&fs->lock);
    1618             :                         return -EAGAIN;
    1619             :                 }
    1620         348 :                 fs->users++;
    1621         696 :                 spin_unlock(&fs->lock);
    1622             :                 return 0;
    1623             :         }
    1624           0 :         tsk->fs = copy_fs_struct(fs);
    1625           0 :         if (!tsk->fs)
    1626             :                 return -ENOMEM;
    1627             :         return 0;
    1628             : }
    1629             : 
    1630         348 : static int copy_files(unsigned long clone_flags, struct task_struct *tsk)
    1631             : {
    1632             :         struct files_struct *oldf, *newf;
    1633         348 :         int error = 0;
    1634             : 
    1635             :         /*
    1636             :          * A background process may not have any files ...
    1637             :          */
    1638         348 :         oldf = current->files;
    1639         348 :         if (!oldf)
    1640             :                 goto out;
    1641             : 
    1642         348 :         if (clone_flags & CLONE_FILES) {
    1643         347 :                 atomic_inc(&oldf->count);
    1644             :                 goto out;
    1645             :         }
    1646             : 
    1647           1 :         newf = dup_fd(oldf, NR_OPEN_MAX, &error);
    1648           1 :         if (!newf)
    1649             :                 goto out;
    1650             : 
    1651           1 :         tsk->files = newf;
    1652           1 :         error = 0;
    1653             : out:
    1654         348 :         return error;
    1655             : }
    1656             : 
    1657         348 : static int copy_sighand(unsigned long clone_flags, struct task_struct *tsk)
    1658             : {
    1659             :         struct sighand_struct *sig;
    1660             : 
    1661         348 :         if (clone_flags & CLONE_SIGHAND) {
    1662           0 :                 refcount_inc(&current->sighand->count);
    1663           0 :                 return 0;
    1664             :         }
    1665         348 :         sig = kmem_cache_alloc(sighand_cachep, GFP_KERNEL);
    1666         348 :         RCU_INIT_POINTER(tsk->sighand, sig);
    1667         348 :         if (!sig)
    1668             :                 return -ENOMEM;
    1669             : 
    1670         696 :         refcount_set(&sig->count, 1);
    1671         696 :         spin_lock_irq(&current->sighand->siglock);
    1672         348 :         memcpy(sig->action, current->sighand->action, sizeof(sig->action));
    1673         696 :         spin_unlock_irq(&current->sighand->siglock);
    1674             : 
    1675             :         /* Reset all signal handler not set to SIG_IGN to SIG_DFL. */
    1676         348 :         if (clone_flags & CLONE_CLEAR_SIGHAND)
    1677           0 :                 flush_signal_handlers(tsk, 0);
    1678             : 
    1679             :         return 0;
    1680             : }
    1681             : 
    1682         333 : void __cleanup_sighand(struct sighand_struct *sighand)
    1683             : {
    1684         666 :         if (refcount_dec_and_test(&sighand->count)) {
    1685         333 :                 signalfd_cleanup(sighand);
    1686             :                 /*
    1687             :                  * sighand_cachep is SLAB_TYPESAFE_BY_RCU so we can free it
    1688             :                  * without an RCU grace period, see __lock_task_sighand().
    1689             :                  */
    1690         333 :                 kmem_cache_free(sighand_cachep, sighand);
    1691             :         }
    1692         333 : }
    1693             : 
    1694             : /*
    1695             :  * Initialize POSIX timer handling for a thread group.
    1696             :  */
    1697             : static void posix_cpu_timers_init_group(struct signal_struct *sig)
    1698             : {
    1699         348 :         struct posix_cputimers *pct = &sig->posix_cputimers;
    1700             :         unsigned long cpu_limit;
    1701             : 
    1702         348 :         cpu_limit = READ_ONCE(sig->rlim[RLIMIT_CPU].rlim_cur);
    1703         348 :         posix_cputimers_group_init(pct, cpu_limit);
    1704             : }
    1705             : 
    1706         348 : static int copy_signal(unsigned long clone_flags, struct task_struct *tsk)
    1707             : {
    1708             :         struct signal_struct *sig;
    1709             : 
    1710         348 :         if (clone_flags & CLONE_THREAD)
    1711             :                 return 0;
    1712             : 
    1713         696 :         sig = kmem_cache_zalloc(signal_cachep, GFP_KERNEL);
    1714         348 :         tsk->signal = sig;
    1715         348 :         if (!sig)
    1716             :                 return -ENOMEM;
    1717             : 
    1718         348 :         sig->nr_threads = 1;
    1719         348 :         sig->quick_threads = 1;
    1720         696 :         atomic_set(&sig->live, 1);
    1721         696 :         refcount_set(&sig->sigcnt, 1);
    1722             : 
    1723             :         /* list_add(thread_node, thread_head) without INIT_LIST_HEAD() */
    1724         348 :         sig->thread_head = (struct list_head)LIST_HEAD_INIT(tsk->thread_node);
    1725         348 :         tsk->thread_node = (struct list_head)LIST_HEAD_INIT(sig->thread_head);
    1726             : 
    1727         348 :         init_waitqueue_head(&sig->wait_chldexit);
    1728         348 :         sig->curr_target = tsk;
    1729         696 :         init_sigpending(&sig->shared_pending);
    1730         348 :         INIT_HLIST_HEAD(&sig->multiprocess);
    1731         696 :         seqlock_init(&sig->stats_lock);
    1732         696 :         prev_cputime_init(&sig->prev_cputime);
    1733             : 
    1734             : #ifdef CONFIG_POSIX_TIMERS
    1735         696 :         INIT_LIST_HEAD(&sig->posix_timers);
    1736         348 :         hrtimer_init(&sig->real_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
    1737         348 :         sig->real_timer.function = it_real_fn;
    1738             : #endif
    1739             : 
    1740         348 :         task_lock(current->group_leader);
    1741         348 :         memcpy(sig->rlim, current->signal->rlim, sizeof sig->rlim);
    1742         696 :         task_unlock(current->group_leader);
    1743             : 
    1744         348 :         posix_cpu_timers_init_group(sig);
    1745             : 
    1746             :         tty_audit_fork(sig);
    1747             :         sched_autogroup_fork(sig);
    1748             : 
    1749         348 :         sig->oom_score_adj = current->signal->oom_score_adj;
    1750         348 :         sig->oom_score_adj_min = current->signal->oom_score_adj_min;
    1751             : 
    1752         348 :         mutex_init(&sig->cred_guard_mutex);
    1753         348 :         init_rwsem(&sig->exec_update_lock);
    1754             : 
    1755         348 :         return 0;
    1756             : }
    1757             : 
    1758         348 : static void copy_seccomp(struct task_struct *p)
    1759             : {
    1760             : #ifdef CONFIG_SECCOMP
    1761             :         /*
    1762             :          * Must be called with sighand->lock held, which is common to
    1763             :          * all threads in the group. Holding cred_guard_mutex is not
    1764             :          * needed because this new task is not yet running and cannot
    1765             :          * be racing exec.
    1766             :          */
    1767         348 :         assert_spin_locked(&current->sighand->siglock);
    1768             : 
    1769             :         /* Ref-count the new filter user, and assign it. */
    1770         348 :         get_seccomp_filter(current);
    1771         348 :         p->seccomp = current->seccomp;
    1772             : 
    1773             :         /*
    1774             :          * Explicitly enable no_new_privs here in case it got set
    1775             :          * between the task_struct being duplicated and holding the
    1776             :          * sighand lock. The seccomp state and nnp must be in sync.
    1777             :          */
    1778         696 :         if (task_no_new_privs(current))
    1779             :                 task_set_no_new_privs(p);
    1780             : 
    1781             :         /*
    1782             :          * If the parent gained a seccomp mode after copying thread
    1783             :          * flags and between before we held the sighand lock, we have
    1784             :          * to manually enable the seccomp thread flag here.
    1785             :          */
    1786         348 :         if (p->seccomp.mode != SECCOMP_MODE_DISABLED)
    1787           0 :                 set_task_syscall_work(p, SECCOMP);
    1788             : #endif
    1789         348 : }
    1790             : 
    1791           0 : SYSCALL_DEFINE1(set_tid_address, int __user *, tidptr)
    1792             : {
    1793           0 :         current->clear_child_tid = tidptr;
    1794             : 
    1795           0 :         return task_pid_vnr(current);
    1796             : }
    1797             : 
    1798             : static void rt_mutex_init_task(struct task_struct *p)
    1799             : {
    1800             :         raw_spin_lock_init(&p->pi_lock);
    1801             : #ifdef CONFIG_RT_MUTEXES
    1802         348 :         p->pi_waiters = RB_ROOT_CACHED;
    1803         348 :         p->pi_top_task = NULL;
    1804         348 :         p->pi_blocked_on = NULL;
    1805             : #endif
    1806             : }
    1807             : 
    1808             : static inline void init_task_pid_links(struct task_struct *task)
    1809             : {
    1810             :         enum pid_type type;
    1811             : 
    1812        1740 :         for (type = PIDTYPE_PID; type < PIDTYPE_MAX; ++type)
    1813        2784 :                 INIT_HLIST_NODE(&task->pid_links[type]);
    1814             : }
    1815             : 
    1816             : static inline void
    1817             : init_task_pid(struct task_struct *task, enum pid_type type, struct pid *pid)
    1818             : {
    1819           0 :         if (type == PIDTYPE_PID)
    1820         348 :                 task->thread_pid = pid;
    1821             :         else
    1822        1044 :                 task->signal->pids[type] = pid;
    1823             : }
    1824             : 
    1825             : static inline void rcu_copy_process(struct task_struct *p)
    1826             : {
    1827             : #ifdef CONFIG_PREEMPT_RCU
    1828             :         p->rcu_read_lock_nesting = 0;
    1829             :         p->rcu_read_unlock_special.s = 0;
    1830             :         p->rcu_blocked_node = NULL;
    1831             :         INIT_LIST_HEAD(&p->rcu_node_entry);
    1832             : #endif /* #ifdef CONFIG_PREEMPT_RCU */
    1833             : #ifdef CONFIG_TASKS_RCU
    1834             :         p->rcu_tasks_holdout = false;
    1835             :         INIT_LIST_HEAD(&p->rcu_tasks_holdout_list);
    1836             :         p->rcu_tasks_idle_cpu = -1;
    1837             : #endif /* #ifdef CONFIG_TASKS_RCU */
    1838             : #ifdef CONFIG_TASKS_TRACE_RCU
    1839             :         p->trc_reader_nesting = 0;
    1840             :         p->trc_reader_special.s = 0;
    1841             :         INIT_LIST_HEAD(&p->trc_holdout_list);
    1842             :         INIT_LIST_HEAD(&p->trc_blkd_node);
    1843             : #endif /* #ifdef CONFIG_TASKS_TRACE_RCU */
    1844             : }
    1845             : 
    1846           0 : struct pid *pidfd_pid(const struct file *file)
    1847             : {
    1848           0 :         if (file->f_op == &pidfd_fops)
    1849           0 :                 return file->private_data;
    1850             : 
    1851             :         return ERR_PTR(-EBADF);
    1852             : }
    1853             : 
    1854           0 : static int pidfd_release(struct inode *inode, struct file *file)
    1855             : {
    1856           0 :         struct pid *pid = file->private_data;
    1857             : 
    1858           0 :         file->private_data = NULL;
    1859           0 :         put_pid(pid);
    1860           0 :         return 0;
    1861             : }
    1862             : 
    1863             : #ifdef CONFIG_PROC_FS
    1864             : /**
    1865             :  * pidfd_show_fdinfo - print information about a pidfd
    1866             :  * @m: proc fdinfo file
    1867             :  * @f: file referencing a pidfd
    1868             :  *
    1869             :  * Pid:
    1870             :  * This function will print the pid that a given pidfd refers to in the
    1871             :  * pid namespace of the procfs instance.
    1872             :  * If the pid namespace of the process is not a descendant of the pid
    1873             :  * namespace of the procfs instance 0 will be shown as its pid. This is
    1874             :  * similar to calling getppid() on a process whose parent is outside of
    1875             :  * its pid namespace.
    1876             :  *
    1877             :  * NSpid:
    1878             :  * If pid namespaces are supported then this function will also print
    1879             :  * the pid of a given pidfd refers to for all descendant pid namespaces
    1880             :  * starting from the current pid namespace of the instance, i.e. the
    1881             :  * Pid field and the first entry in the NSpid field will be identical.
    1882             :  * If the pid namespace of the process is not a descendant of the pid
    1883             :  * namespace of the procfs instance 0 will be shown as its first NSpid
    1884             :  * entry and no others will be shown.
    1885             :  * Note that this differs from the Pid and NSpid fields in
    1886             :  * /proc/<pid>/status where Pid and NSpid are always shown relative to
    1887             :  * the  pid namespace of the procfs instance. The difference becomes
    1888             :  * obvious when sending around a pidfd between pid namespaces from a
    1889             :  * different branch of the tree, i.e. where no ancestral relation is
    1890             :  * present between the pid namespaces:
    1891             :  * - create two new pid namespaces ns1 and ns2 in the initial pid
    1892             :  *   namespace (also take care to create new mount namespaces in the
    1893             :  *   new pid namespace and mount procfs)
    1894             :  * - create a process with a pidfd in ns1
    1895             :  * - send pidfd from ns1 to ns2
    1896             :  * - read /proc/self/fdinfo/<pidfd> and observe that both Pid and NSpid
    1897             :  *   have exactly one entry, which is 0
    1898             :  */
    1899           0 : static void pidfd_show_fdinfo(struct seq_file *m, struct file *f)
    1900             : {
    1901           0 :         struct pid *pid = f->private_data;
    1902             :         struct pid_namespace *ns;
    1903           0 :         pid_t nr = -1;
    1904             : 
    1905           0 :         if (likely(pid_has_task(pid, PIDTYPE_PID))) {
    1906           0 :                 ns = proc_pid_ns(file_inode(m->file)->i_sb);
    1907           0 :                 nr = pid_nr_ns(pid, ns);
    1908             :         }
    1909             : 
    1910           0 :         seq_put_decimal_ll(m, "Pid:\t", nr);
    1911             : 
    1912             : #ifdef CONFIG_PID_NS
    1913           0 :         seq_put_decimal_ll(m, "\nNSpid:\t", nr);
    1914           0 :         if (nr > 0) {
    1915             :                 int i;
    1916             : 
    1917             :                 /* If nr is non-zero it means that 'pid' is valid and that
    1918             :                  * ns, i.e. the pid namespace associated with the procfs
    1919             :                  * instance, is in the pid namespace hierarchy of pid.
    1920             :                  * Start at one below the already printed level.
    1921             :                  */
    1922           0 :                 for (i = ns->level + 1; i <= pid->level; i++)
    1923           0 :                         seq_put_decimal_ll(m, "\t", pid->numbers[i].nr);
    1924             :         }
    1925             : #endif
    1926           0 :         seq_putc(m, '\n');
    1927           0 : }
    1928             : #endif
    1929             : 
    1930             : /*
    1931             :  * Poll support for process exit notification.
    1932             :  */
    1933           0 : static __poll_t pidfd_poll(struct file *file, struct poll_table_struct *pts)
    1934             : {
    1935           0 :         struct pid *pid = file->private_data;
    1936           0 :         __poll_t poll_flags = 0;
    1937             : 
    1938           0 :         poll_wait(file, &pid->wait_pidfd, pts);
    1939             : 
    1940             :         /*
    1941             :          * Inform pollers only when the whole thread group exits.
    1942             :          * If the thread group leader exits before all other threads in the
    1943             :          * group, then poll(2) should block, similar to the wait(2) family.
    1944             :          */
    1945           0 :         if (thread_group_exited(pid))
    1946           0 :                 poll_flags = EPOLLIN | EPOLLRDNORM;
    1947             : 
    1948           0 :         return poll_flags;
    1949             : }
    1950             : 
    1951             : const struct file_operations pidfd_fops = {
    1952             :         .release = pidfd_release,
    1953             :         .poll = pidfd_poll,
    1954             : #ifdef CONFIG_PROC_FS
    1955             :         .show_fdinfo = pidfd_show_fdinfo,
    1956             : #endif
    1957             : };
    1958             : 
    1959             : static void __delayed_free_task(struct rcu_head *rhp)
    1960             : {
    1961             :         struct task_struct *tsk = container_of(rhp, struct task_struct, rcu);
    1962             : 
    1963             :         free_task(tsk);
    1964             : }
    1965             : 
    1966             : static __always_inline void delayed_free_task(struct task_struct *tsk)
    1967             : {
    1968             :         if (IS_ENABLED(CONFIG_MEMCG))
    1969             :                 call_rcu(&tsk->rcu, __delayed_free_task);
    1970             :         else
    1971           0 :                 free_task(tsk);
    1972             : }
    1973             : 
    1974         348 : static void copy_oom_score_adj(u64 clone_flags, struct task_struct *tsk)
    1975             : {
    1976             :         /* Skip if kernel thread */
    1977         348 :         if (!tsk->mm)
    1978             :                 return;
    1979             : 
    1980             :         /* Skip if spawning a thread or using vfork */
    1981           0 :         if ((clone_flags & (CLONE_VM | CLONE_THREAD | CLONE_VFORK)) != CLONE_VM)
    1982             :                 return;
    1983             : 
    1984             :         /* We need to synchronize with __set_oom_adj */
    1985           0 :         mutex_lock(&oom_adj_mutex);
    1986           0 :         set_bit(MMF_MULTIPROCESS, &tsk->mm->flags);
    1987             :         /* Update the values in case they were changed after copy_signal */
    1988           0 :         tsk->signal->oom_score_adj = current->signal->oom_score_adj;
    1989           0 :         tsk->signal->oom_score_adj_min = current->signal->oom_score_adj_min;
    1990           0 :         mutex_unlock(&oom_adj_mutex);
    1991             : }
    1992             : 
    1993             : #ifdef CONFIG_RV
    1994             : static void rv_task_fork(struct task_struct *p)
    1995             : {
    1996             :         int i;
    1997             : 
    1998             :         for (i = 0; i < RV_PER_TASK_MONITORS; i++)
    1999             :                 p->rv[i].da_mon.monitoring = false;
    2000             : }
    2001             : #else
    2002             : #define rv_task_fork(p) do {} while (0)
    2003             : #endif
    2004             : 
    2005             : /*
    2006             :  * This creates a new process as a copy of the old one,
    2007             :  * but does not actually start it yet.
    2008             :  *
    2009             :  * It copies the registers, and all the appropriate
    2010             :  * parts of the process environment (as per the clone
    2011             :  * flags). The actual kick-off is left to the caller.
    2012             :  */
    2013         348 : static __latent_entropy struct task_struct *copy_process(
    2014             :                                         struct pid *pid,
    2015             :                                         int trace,
    2016             :                                         int node,
    2017             :                                         struct kernel_clone_args *args)
    2018             : {
    2019         348 :         int pidfd = -1, retval;
    2020             :         struct task_struct *p;
    2021             :         struct multiprocess_signals delayed;
    2022         348 :         struct file *pidfile = NULL;
    2023         348 :         const u64 clone_flags = args->flags;
    2024         348 :         struct nsproxy *nsp = current->nsproxy;
    2025             : 
    2026             :         /*
    2027             :          * Don't allow sharing the root directory with processes in a different
    2028             :          * namespace
    2029             :          */
    2030         348 :         if ((clone_flags & (CLONE_NEWNS|CLONE_FS)) == (CLONE_NEWNS|CLONE_FS))
    2031             :                 return ERR_PTR(-EINVAL);
    2032             : 
    2033         348 :         if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
    2034             :                 return ERR_PTR(-EINVAL);
    2035             : 
    2036             :         /*
    2037             :          * Thread groups must share signals as well, and detached threads
    2038             :          * can only be started up within the thread group.
    2039             :          */
    2040         348 :         if ((clone_flags & CLONE_THREAD) && !(clone_flags & CLONE_SIGHAND))
    2041             :                 return ERR_PTR(-EINVAL);
    2042             : 
    2043             :         /*
    2044             :          * Shared signal handlers imply shared VM. By way of the above,
    2045             :          * thread groups also imply shared VM. Blocking this case allows
    2046             :          * for various simplifications in other code.
    2047             :          */
    2048         348 :         if ((clone_flags & CLONE_SIGHAND) && !(clone_flags & CLONE_VM))
    2049             :                 return ERR_PTR(-EINVAL);
    2050             : 
    2051             :         /*
    2052             :          * Siblings of global init remain as zombies on exit since they are
    2053             :          * not reaped by their parent (swapper). To solve this and to avoid
    2054             :          * multi-rooted process trees, prevent global and container-inits
    2055             :          * from creating siblings.
    2056             :          */
    2057         348 :         if ((clone_flags & CLONE_PARENT) &&
    2058           0 :                                 current->signal->flags & SIGNAL_UNKILLABLE)
    2059             :                 return ERR_PTR(-EINVAL);
    2060             : 
    2061             :         /*
    2062             :          * If the new process will be in a different pid or user namespace
    2063             :          * do not allow it to share a thread group with the forking task.
    2064             :          */
    2065         348 :         if (clone_flags & CLONE_THREAD) {
    2066           0 :                 if ((clone_flags & (CLONE_NEWUSER | CLONE_NEWPID)) ||
    2067           0 :                     (task_active_pid_ns(current) != nsp->pid_ns_for_children))
    2068             :                         return ERR_PTR(-EINVAL);
    2069             :         }
    2070             : 
    2071         348 :         if (clone_flags & CLONE_PIDFD) {
    2072             :                 /*
    2073             :                  * - CLONE_DETACHED is blocked so that we can potentially
    2074             :                  *   reuse it later for CLONE_PIDFD.
    2075             :                  * - CLONE_THREAD is blocked until someone really needs it.
    2076             :                  */
    2077           0 :                 if (clone_flags & (CLONE_DETACHED | CLONE_THREAD))
    2078             :                         return ERR_PTR(-EINVAL);
    2079             :         }
    2080             : 
    2081             :         /*
    2082             :          * Force any signals received before this point to be delivered
    2083             :          * before the fork happens.  Collect up signals sent to multiple
    2084             :          * processes that happen during the fork and delay them so that
    2085             :          * they appear to happen after the fork.
    2086             :          */
    2087         348 :         sigemptyset(&delayed.signal);
    2088         348 :         INIT_HLIST_NODE(&delayed.node);
    2089             : 
    2090         696 :         spin_lock_irq(&current->sighand->siglock);
    2091         348 :         if (!(clone_flags & CLONE_THREAD))
    2092         348 :                 hlist_add_head(&delayed.node, &current->signal->multiprocess);
    2093         348 :         recalc_sigpending();
    2094         696 :         spin_unlock_irq(&current->sighand->siglock);
    2095         348 :         retval = -ERESTARTNOINTR;
    2096         696 :         if (task_sigpending(current))
    2097             :                 goto fork_out;
    2098             : 
    2099         348 :         retval = -ENOMEM;
    2100         348 :         p = dup_task_struct(current, node);
    2101         348 :         if (!p)
    2102             :                 goto fork_out;
    2103         348 :         p->flags &= ~PF_KTHREAD;
    2104         348 :         if (args->kthread)
    2105         347 :                 p->flags |= PF_KTHREAD;
    2106         348 :         if (args->io_thread) {
    2107             :                 /*
    2108             :                  * Mark us an IO worker, and block any signal that isn't
    2109             :                  * fatal or STOP
    2110             :                  */
    2111           0 :                 p->flags |= PF_IO_WORKER;
    2112           0 :                 siginitsetinv(&p->blocked, sigmask(SIGKILL)|sigmask(SIGSTOP));
    2113             :         }
    2114             : 
    2115         348 :         p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? args->child_tid : NULL;
    2116             :         /*
    2117             :          * Clear TID on mm_release()?
    2118             :          */
    2119         348 :         p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? args->child_tid : NULL;
    2120             : 
    2121         348 :         ftrace_graph_init_task(p);
    2122             : 
    2123         348 :         rt_mutex_init_task(p);
    2124             : 
    2125             :         lockdep_assert_irqs_enabled();
    2126             : #ifdef CONFIG_PROVE_LOCKING
    2127             :         DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
    2128             : #endif
    2129         348 :         retval = copy_creds(p, clone_flags);
    2130         348 :         if (retval < 0)
    2131             :                 goto bad_fork_free;
    2132             : 
    2133         348 :         retval = -EAGAIN;
    2134        1044 :         if (is_rlimit_overlimit(task_ucounts(p), UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC))) {
    2135           0 :                 if (p->real_cred->user != INIT_USER &&
    2136           0 :                     !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
    2137             :                         goto bad_fork_cleanup_count;
    2138             :         }
    2139         348 :         current->flags &= ~PF_NPROC_EXCEEDED;
    2140             : 
    2141             :         /*
    2142             :          * If multiple threads are within copy_process(), then this check
    2143             :          * triggers too late. This doesn't hurt, the check is only there
    2144             :          * to stop root fork bombs.
    2145             :          */
    2146         348 :         retval = -EAGAIN;
    2147         348 :         if (data_race(nr_threads >= max_threads))
    2148             :                 goto bad_fork_cleanup_count;
    2149             : 
    2150         348 :         delayacct_tsk_init(p);  /* Must remain after dup_task_struct() */
    2151         348 :         p->flags &= ~(PF_SUPERPRIV | PF_WQ_WORKER | PF_IDLE | PF_NO_SETAFFINITY);
    2152         348 :         p->flags |= PF_FORKNOEXEC;
    2153         696 :         INIT_LIST_HEAD(&p->children);
    2154         696 :         INIT_LIST_HEAD(&p->sibling);
    2155         348 :         rcu_copy_process(p);
    2156         348 :         p->vfork_done = NULL;
    2157         348 :         spin_lock_init(&p->alloc_lock);
    2158             : 
    2159         696 :         init_sigpending(&p->pending);
    2160             : 
    2161         348 :         p->utime = p->stime = p->gtime = 0;
    2162             : #ifdef CONFIG_ARCH_HAS_SCALED_CPUTIME
    2163             :         p->utimescaled = p->stimescaled = 0;
    2164             : #endif
    2165         696 :         prev_cputime_init(&p->prev_cputime);
    2166             : 
    2167             : #ifdef CONFIG_VIRT_CPU_ACCOUNTING_GEN
    2168             :         seqcount_init(&p->vtime.seqcount);
    2169             :         p->vtime.starttime = 0;
    2170             :         p->vtime.state = VTIME_INACTIVE;
    2171             : #endif
    2172             : 
    2173             : #ifdef CONFIG_IO_URING
    2174         348 :         p->io_uring = NULL;
    2175             : #endif
    2176             : 
    2177             : #if defined(SPLIT_RSS_COUNTING)
    2178             :         memset(&p->rss_stat, 0, sizeof(p->rss_stat));
    2179             : #endif
    2180             : 
    2181         348 :         p->default_timer_slack_ns = current->timer_slack_ns;
    2182             : 
    2183             : #ifdef CONFIG_PSI
    2184             :         p->psi_flags = 0;
    2185             : #endif
    2186             : 
    2187         348 :         task_io_accounting_init(&p->ioac);
    2188         348 :         acct_clear_integrals(p);
    2189             : 
    2190         696 :         posix_cputimers_init(&p->posix_cputimers);
    2191             : 
    2192         348 :         p->io_context = NULL;
    2193         348 :         audit_set_context(p, NULL);
    2194         348 :         cgroup_fork(p);
    2195         348 :         if (args->kthread) {
    2196         347 :                 if (!set_kthread_struct(p))
    2197             :                         goto bad_fork_cleanup_delayacct;
    2198             :         }
    2199             : #ifdef CONFIG_NUMA
    2200             :         p->mempolicy = mpol_dup(p->mempolicy);
    2201             :         if (IS_ERR(p->mempolicy)) {
    2202             :                 retval = PTR_ERR(p->mempolicy);
    2203             :                 p->mempolicy = NULL;
    2204             :                 goto bad_fork_cleanup_delayacct;
    2205             :         }
    2206             : #endif
    2207             : #ifdef CONFIG_CPUSETS
    2208             :         p->cpuset_mem_spread_rotor = NUMA_NO_NODE;
    2209             :         p->cpuset_slab_spread_rotor = NUMA_NO_NODE;
    2210             :         seqcount_spinlock_init(&p->mems_allowed_seq, &p->alloc_lock);
    2211             : #endif
    2212             : #ifdef CONFIG_TRACE_IRQFLAGS
    2213             :         memset(&p->irqtrace, 0, sizeof(p->irqtrace));
    2214             :         p->irqtrace.hardirq_disable_ip       = _THIS_IP_;
    2215             :         p->irqtrace.softirq_enable_ip        = _THIS_IP_;
    2216             :         p->softirqs_enabled          = 1;
    2217             :         p->softirq_context           = 0;
    2218             : #endif
    2219             : 
    2220         348 :         p->pagefault_disabled = 0;
    2221             : 
    2222             : #ifdef CONFIG_LOCKDEP
    2223             :         lockdep_init_task(p);
    2224             : #endif
    2225             : 
    2226             : #ifdef CONFIG_DEBUG_MUTEXES
    2227             :         p->blocked_on = NULL; /* not blocked yet */
    2228             : #endif
    2229             : #ifdef CONFIG_BCACHE
    2230             :         p->sequential_io     = 0;
    2231             :         p->sequential_io_avg = 0;
    2232             : #endif
    2233             : #ifdef CONFIG_BPF_SYSCALL
    2234             :         RCU_INIT_POINTER(p->bpf_storage, NULL);
    2235             :         p->bpf_ctx = NULL;
    2236             : #endif
    2237             : 
    2238             :         /* Perform scheduler related setup. Assign this task to a CPU. */
    2239         348 :         retval = sched_fork(clone_flags, p);
    2240         348 :         if (retval)
    2241             :                 goto bad_fork_cleanup_policy;
    2242             : 
    2243         348 :         retval = perf_event_init_task(p, clone_flags);
    2244             :         if (retval)
    2245             :                 goto bad_fork_cleanup_policy;
    2246         348 :         retval = audit_alloc(p);
    2247             :         if (retval)
    2248             :                 goto bad_fork_cleanup_perf;
    2249             :         /* copy all the process information */
    2250         348 :         shm_init_task(p);
    2251         348 :         retval = security_task_alloc(p, clone_flags);
    2252             :         if (retval)
    2253             :                 goto bad_fork_cleanup_audit;
    2254         348 :         retval = copy_semundo(clone_flags, p);
    2255             :         if (retval)
    2256             :                 goto bad_fork_cleanup_security;
    2257         348 :         retval = copy_files(clone_flags, p);
    2258         348 :         if (retval)
    2259             :                 goto bad_fork_cleanup_semundo;
    2260         348 :         retval = copy_fs(clone_flags, p);
    2261         348 :         if (retval)
    2262             :                 goto bad_fork_cleanup_files;
    2263         348 :         retval = copy_sighand(clone_flags, p);
    2264         348 :         if (retval)
    2265             :                 goto bad_fork_cleanup_fs;
    2266         348 :         retval = copy_signal(clone_flags, p);
    2267         348 :         if (retval)
    2268             :                 goto bad_fork_cleanup_sighand;
    2269         348 :         retval = copy_mm(clone_flags, p);
    2270         348 :         if (retval)
    2271             :                 goto bad_fork_cleanup_signal;
    2272         348 :         retval = copy_namespaces(clone_flags, p);
    2273         348 :         if (retval)
    2274             :                 goto bad_fork_cleanup_mm;
    2275         348 :         retval = copy_io(clone_flags, p);
    2276         348 :         if (retval)
    2277             :                 goto bad_fork_cleanup_namespaces;
    2278         348 :         retval = copy_thread(p, args);
    2279         348 :         if (retval)
    2280             :                 goto bad_fork_cleanup_io;
    2281             : 
    2282         348 :         stackleak_task_init(p);
    2283             : 
    2284         348 :         if (pid != &init_struct_pid) {
    2285         348 :                 pid = alloc_pid(p->nsproxy->pid_ns_for_children, args->set_tid,
    2286             :                                 args->set_tid_size);
    2287         348 :                 if (IS_ERR(pid)) {
    2288           0 :                         retval = PTR_ERR(pid);
    2289           0 :                         goto bad_fork_cleanup_thread;
    2290             :                 }
    2291             :         }
    2292             : 
    2293             :         /*
    2294             :          * This has to happen after we've potentially unshared the file
    2295             :          * descriptor table (so that the pidfd doesn't leak into the child
    2296             :          * if the fd table isn't shared).
    2297             :          */
    2298         348 :         if (clone_flags & CLONE_PIDFD) {
    2299           0 :                 retval = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
    2300           0 :                 if (retval < 0)
    2301             :                         goto bad_fork_free_pid;
    2302             : 
    2303           0 :                 pidfd = retval;
    2304             : 
    2305           0 :                 pidfile = anon_inode_getfile("[pidfd]", &pidfd_fops, pid,
    2306             :                                               O_RDWR | O_CLOEXEC);
    2307           0 :                 if (IS_ERR(pidfile)) {
    2308           0 :                         put_unused_fd(pidfd);
    2309           0 :                         retval = PTR_ERR(pidfile);
    2310           0 :                         goto bad_fork_free_pid;
    2311             :                 }
    2312           0 :                 get_pid(pid);   /* held by pidfile now */
    2313             : 
    2314           0 :                 retval = put_user(pidfd, args->pidfd);
    2315           0 :                 if (retval)
    2316             :                         goto bad_fork_put_pidfd;
    2317             :         }
    2318             : 
    2319             : #ifdef CONFIG_BLOCK
    2320         348 :         p->plug = NULL;
    2321             : #endif
    2322         348 :         futex_init_task(p);
    2323             : 
    2324             :         /*
    2325             :          * sigaltstack should be cleared when sharing the same VM
    2326             :          */
    2327         348 :         if ((clone_flags & (CLONE_VM|CLONE_VFORK)) == CLONE_VM)
    2328             :                 sas_ss_reset(p);
    2329             : 
    2330             :         /*
    2331             :          * Syscall tracing and stepping should be turned off in the
    2332             :          * child regardless of CLONE_PTRACE.
    2333             :          */
    2334         348 :         user_disable_single_step(p);
    2335         696 :         clear_task_syscall_work(p, SYSCALL_TRACE);
    2336             : #if defined(CONFIG_GENERIC_ENTRY) || defined(TIF_SYSCALL_EMU)
    2337             :         clear_task_syscall_work(p, SYSCALL_EMU);
    2338             : #endif
    2339         348 :         clear_tsk_latency_tracing(p);
    2340             : 
    2341             :         /* ok, now we should be set up.. */
    2342         348 :         p->pid = pid_nr(pid);
    2343         348 :         if (clone_flags & CLONE_THREAD) {
    2344           0 :                 p->group_leader = current->group_leader;
    2345           0 :                 p->tgid = current->tgid;
    2346             :         } else {
    2347         348 :                 p->group_leader = p;
    2348         348 :                 p->tgid = p->pid;
    2349             :         }
    2350             : 
    2351         348 :         p->nr_dirtied = 0;
    2352         348 :         p->nr_dirtied_pause = 128 >> (PAGE_SHIFT - 10);
    2353         348 :         p->dirty_paused_when = 0;
    2354             : 
    2355         348 :         p->pdeath_signal = 0;
    2356         696 :         INIT_LIST_HEAD(&p->thread_group);
    2357         348 :         p->task_works = NULL;
    2358         348 :         clear_posix_cputimers_work(p);
    2359             : 
    2360             : #ifdef CONFIG_KRETPROBES
    2361             :         p->kretprobe_instances.first = NULL;
    2362             : #endif
    2363             : #ifdef CONFIG_RETHOOK
    2364             :         p->rethooks.first = NULL;
    2365             : #endif
    2366             : 
    2367             :         /*
    2368             :          * Ensure that the cgroup subsystem policies allow the new process to be
    2369             :          * forked. It should be noted that the new process's css_set can be changed
    2370             :          * between here and cgroup_post_fork() if an organisation operation is in
    2371             :          * progress.
    2372             :          */
    2373         348 :         retval = cgroup_can_fork(p, args);
    2374             :         if (retval)
    2375             :                 goto bad_fork_put_pidfd;
    2376             : 
    2377             :         /*
    2378             :          * Now that the cgroups are pinned, re-clone the parent cgroup and put
    2379             :          * the new task on the correct runqueue. All this *before* the task
    2380             :          * becomes visible.
    2381             :          *
    2382             :          * This isn't part of ->can_fork() because while the re-cloning is
    2383             :          * cgroup specific, it unconditionally needs to place the task on a
    2384             :          * runqueue.
    2385             :          */
    2386         348 :         sched_cgroup_fork(p, args);
    2387             : 
    2388             :         /*
    2389             :          * From this point on we must avoid any synchronous user-space
    2390             :          * communication until we take the tasklist-lock. In particular, we do
    2391             :          * not want user-space to be able to predict the process start-time by
    2392             :          * stalling fork(2) after we recorded the start_time but before it is
    2393             :          * visible to the system.
    2394             :          */
    2395             : 
    2396         348 :         p->start_time = ktime_get_ns();
    2397         348 :         p->start_boottime = ktime_get_boottime_ns();
    2398             : 
    2399             :         /*
    2400             :          * Make it visible to the rest of the system, but dont wake it up yet.
    2401             :          * Need tasklist lock for parent etc handling!
    2402             :          */
    2403         348 :         write_lock_irq(&tasklist_lock);
    2404             : 
    2405             :         /* CLONE_PARENT re-uses the old parent */
    2406         348 :         if (clone_flags & (CLONE_PARENT|CLONE_THREAD)) {
    2407           0 :                 p->real_parent = current->real_parent;
    2408           0 :                 p->parent_exec_id = current->parent_exec_id;
    2409           0 :                 if (clone_flags & CLONE_THREAD)
    2410           0 :                         p->exit_signal = -1;
    2411             :                 else
    2412           0 :                         p->exit_signal = current->group_leader->exit_signal;
    2413             :         } else {
    2414         348 :                 p->real_parent = current;
    2415         348 :                 p->parent_exec_id = current->self_exec_id;
    2416         348 :                 p->exit_signal = args->exit_signal;
    2417             :         }
    2418             : 
    2419         348 :         klp_copy_process(p);
    2420             : 
    2421         348 :         sched_core_fork(p);
    2422             : 
    2423         696 :         spin_lock(&current->sighand->siglock);
    2424             : 
    2425             :         rv_task_fork(p);
    2426             : 
    2427         348 :         rseq_fork(p, clone_flags);
    2428             : 
    2429             :         /* Don't start children in a dying pid namespace */
    2430         348 :         if (unlikely(!(ns_of_pid(pid)->pid_allocated & PIDNS_ADDING))) {
    2431             :                 retval = -ENOMEM;
    2432             :                 goto bad_fork_cancel_cgroup;
    2433             :         }
    2434             : 
    2435             :         /* Let kill terminate clone/fork in the middle */
    2436         348 :         if (fatal_signal_pending(current)) {
    2437             :                 retval = -EINTR;
    2438             :                 goto bad_fork_cancel_cgroup;
    2439             :         }
    2440             : 
    2441             :         /* No more failure paths after this point. */
    2442             : 
    2443             :         /*
    2444             :          * Copy seccomp details explicitly here, in case they were changed
    2445             :          * before holding sighand lock.
    2446             :          */
    2447         348 :         copy_seccomp(p);
    2448             : 
    2449         348 :         init_task_pid_links(p);
    2450         348 :         if (likely(p->pid)) {
    2451         348 :                 ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
    2452             : 
    2453         696 :                 init_task_pid(p, PIDTYPE_PID, pid);
    2454         348 :                 if (thread_group_leader(p)) {
    2455         696 :                         init_task_pid(p, PIDTYPE_TGID, pid);
    2456        1044 :                         init_task_pid(p, PIDTYPE_PGID, task_pgrp(current));
    2457        1044 :                         init_task_pid(p, PIDTYPE_SID, task_session(current));
    2458             : 
    2459         348 :                         if (is_child_reaper(pid)) {
    2460           1 :                                 ns_of_pid(pid)->child_reaper = p;
    2461           1 :                                 p->signal->flags |= SIGNAL_UNKILLABLE;
    2462             :                         }
    2463         348 :                         p->signal->shared_pending.signal = delayed.signal;
    2464        1044 :                         p->signal->tty = tty_kref_get(current->signal->tty);
    2465             :                         /*
    2466             :                          * Inherit has_child_subreaper flag under the same
    2467             :                          * tasklist_lock with adding child to the process tree
    2468             :                          * for propagate_has_child_subreaper optimization.
    2469             :                          */
    2470         348 :                         p->signal->has_child_subreaper = p->real_parent->signal->has_child_subreaper ||
    2471             :                                                          p->real_parent->signal->is_child_subreaper;
    2472         696 :                         list_add_tail(&p->sibling, &p->real_parent->children);
    2473         696 :                         list_add_tail_rcu(&p->tasks, &init_task.tasks);
    2474         348 :                         attach_pid(p, PIDTYPE_TGID);
    2475         348 :                         attach_pid(p, PIDTYPE_PGID);
    2476         348 :                         attach_pid(p, PIDTYPE_SID);
    2477         348 :                         __this_cpu_inc(process_counts);
    2478             :                 } else {
    2479           0 :                         current->signal->nr_threads++;
    2480           0 :                         current->signal->quick_threads++;
    2481           0 :                         atomic_inc(&current->signal->live);
    2482           0 :                         refcount_inc(&current->signal->sigcnt);
    2483           0 :                         task_join_group_stop(p);
    2484           0 :                         list_add_tail_rcu(&p->thread_group,
    2485           0 :                                           &p->group_leader->thread_group);
    2486           0 :                         list_add_tail_rcu(&p->thread_node,
    2487           0 :                                           &p->signal->thread_head);
    2488             :                 }
    2489         348 :                 attach_pid(p, PIDTYPE_PID);
    2490         348 :                 nr_threads++;
    2491             :         }
    2492         348 :         total_forks++;
    2493         348 :         hlist_del_init(&delayed.node);
    2494         696 :         spin_unlock(&current->sighand->siglock);
    2495         348 :         syscall_tracepoint_update(p);
    2496         348 :         write_unlock_irq(&tasklist_lock);
    2497             : 
    2498         348 :         if (pidfile)
    2499           0 :                 fd_install(pidfd, pidfile);
    2500             : 
    2501         348 :         proc_fork_connector(p);
    2502         348 :         sched_post_fork(p);
    2503         348 :         cgroup_post_fork(p, args);
    2504         348 :         perf_event_fork(p);
    2505             : 
    2506         348 :         trace_task_newtask(p, clone_flags);
    2507         348 :         uprobe_copy_process(p, clone_flags);
    2508             : 
    2509         348 :         copy_oom_score_adj(clone_flags, p);
    2510             : 
    2511         348 :         return p;
    2512             : 
    2513             : bad_fork_cancel_cgroup:
    2514           0 :         sched_core_free(p);
    2515           0 :         spin_unlock(&current->sighand->siglock);
    2516           0 :         write_unlock_irq(&tasklist_lock);
    2517           0 :         cgroup_cancel_fork(p, args);
    2518             : bad_fork_put_pidfd:
    2519           0 :         if (clone_flags & CLONE_PIDFD) {
    2520           0 :                 fput(pidfile);
    2521           0 :                 put_unused_fd(pidfd);
    2522             :         }
    2523             : bad_fork_free_pid:
    2524           0 :         if (pid != &init_struct_pid)
    2525           0 :                 free_pid(pid);
    2526             : bad_fork_cleanup_thread:
    2527             :         exit_thread(p);
    2528             : bad_fork_cleanup_io:
    2529           0 :         if (p->io_context)
    2530           0 :                 exit_io_context(p);
    2531             : bad_fork_cleanup_namespaces:
    2532           0 :         exit_task_namespaces(p);
    2533             : bad_fork_cleanup_mm:
    2534           0 :         if (p->mm) {
    2535           0 :                 mm_clear_owner(p->mm, p);
    2536           0 :                 mmput(p->mm);
    2537             :         }
    2538             : bad_fork_cleanup_signal:
    2539           0 :         if (!(clone_flags & CLONE_THREAD))
    2540           0 :                 free_signal_struct(p->signal);
    2541             : bad_fork_cleanup_sighand:
    2542           0 :         __cleanup_sighand(p->sighand);
    2543             : bad_fork_cleanup_fs:
    2544           0 :         exit_fs(p); /* blocking */
    2545             : bad_fork_cleanup_files:
    2546           0 :         exit_files(p); /* blocking */
    2547             : bad_fork_cleanup_semundo:
    2548             :         exit_sem(p);
    2549             : bad_fork_cleanup_security:
    2550             :         security_task_free(p);
    2551             : bad_fork_cleanup_audit:
    2552             :         audit_free(p);
    2553             : bad_fork_cleanup_perf:
    2554             :         perf_event_free_task(p);
    2555             : bad_fork_cleanup_policy:
    2556             :         lockdep_free_task(p);
    2557             : #ifdef CONFIG_NUMA
    2558             :         mpol_put(p->mempolicy);
    2559             : #endif
    2560             : bad_fork_cleanup_delayacct:
    2561             :         delayacct_tsk_free(p);
    2562             : bad_fork_cleanup_count:
    2563           0 :         dec_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
    2564           0 :         exit_creds(p);
    2565             : bad_fork_free:
    2566           0 :         WRITE_ONCE(p->__state, TASK_DEAD);
    2567           0 :         exit_task_stack_account(p);
    2568           0 :         put_task_stack(p);
    2569             :         delayed_free_task(p);
    2570             : fork_out:
    2571           0 :         spin_lock_irq(&current->sighand->siglock);
    2572           0 :         hlist_del_init(&delayed.node);
    2573           0 :         spin_unlock_irq(&current->sighand->siglock);
    2574           0 :         return ERR_PTR(retval);
    2575             : }
    2576             : 
    2577             : static inline void init_idle_pids(struct task_struct *idle)
    2578             : {
    2579             :         enum pid_type type;
    2580             : 
    2581           0 :         for (type = PIDTYPE_PID; type < PIDTYPE_MAX; ++type) {
    2582           0 :                 INIT_HLIST_NODE(&idle->pid_links[type]); /* not really needed */
    2583           0 :                 init_task_pid(idle, type, &init_struct_pid);
    2584             :         }
    2585             : }
    2586             : 
    2587           0 : static int idle_dummy(void *dummy)
    2588             : {
    2589             :         /* This function is never called */
    2590           0 :         return 0;
    2591             : }
    2592             : 
    2593           0 : struct task_struct * __init fork_idle(int cpu)
    2594             : {
    2595             :         struct task_struct *task;
    2596           0 :         struct kernel_clone_args args = {
    2597             :                 .flags          = CLONE_VM,
    2598             :                 .fn             = &idle_dummy,
    2599             :                 .fn_arg         = NULL,
    2600             :                 .kthread        = 1,
    2601             :                 .idle           = 1,
    2602             :         };
    2603             : 
    2604           0 :         task = copy_process(&init_struct_pid, 0, cpu_to_node(cpu), &args);
    2605           0 :         if (!IS_ERR(task)) {
    2606           0 :                 init_idle_pids(task);
    2607           0 :                 init_idle(task, cpu);
    2608             :         }
    2609             : 
    2610           0 :         return task;
    2611             : }
    2612             : 
    2613             : /*
    2614             :  * This is like kernel_clone(), but shaved down and tailored to just
    2615             :  * creating io_uring workers. It returns a created task, or an error pointer.
    2616             :  * The returned task is inactive, and the caller must fire it up through
    2617             :  * wake_up_new_task(p). All signals are blocked in the created task.
    2618             :  */
    2619           0 : struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node)
    2620             : {
    2621           0 :         unsigned long flags = CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|
    2622             :                                 CLONE_IO;
    2623           0 :         struct kernel_clone_args args = {
    2624             :                 .flags          = ((lower_32_bits(flags) | CLONE_VM |
    2625             :                                     CLONE_UNTRACED) & ~CSIGNAL),
    2626             :                 .exit_signal    = (lower_32_bits(flags) & CSIGNAL),
    2627             :                 .fn             = fn,
    2628             :                 .fn_arg         = arg,
    2629             :                 .io_thread      = 1,
    2630             :         };
    2631             : 
    2632           0 :         return copy_process(NULL, 0, node, &args);
    2633             : }
    2634             : 
    2635             : /*
    2636             :  *  Ok, this is the main fork-routine.
    2637             :  *
    2638             :  * It copies the process, and if successful kick-starts
    2639             :  * it and waits for it to finish using the VM if required.
    2640             :  *
    2641             :  * args->exit_signal is expected to be checked for sanity by the caller.
    2642             :  */
    2643         348 : pid_t kernel_clone(struct kernel_clone_args *args)
    2644             : {
    2645         348 :         u64 clone_flags = args->flags;
    2646             :         struct completion vfork;
    2647             :         struct pid *pid;
    2648             :         struct task_struct *p;
    2649         348 :         int trace = 0;
    2650             :         pid_t nr;
    2651             : 
    2652             :         /*
    2653             :          * For legacy clone() calls, CLONE_PIDFD uses the parent_tid argument
    2654             :          * to return the pidfd. Hence, CLONE_PIDFD and CLONE_PARENT_SETTID are
    2655             :          * mutually exclusive. With clone3() CLONE_PIDFD has grown a separate
    2656             :          * field in struct clone_args and it still doesn't make sense to have
    2657             :          * them both point at the same memory location. Performing this check
    2658             :          * here has the advantage that we don't need to have a separate helper
    2659             :          * to check for legacy clone().
    2660             :          */
    2661         348 :         if ((args->flags & CLONE_PIDFD) &&
    2662           0 :             (args->flags & CLONE_PARENT_SETTID) &&
    2663           0 :             (args->pidfd == args->parent_tid))
    2664             :                 return -EINVAL;
    2665             : 
    2666             :         /*
    2667             :          * Determine whether and which event to report to ptracer.  When
    2668             :          * called from kernel_thread or CLONE_UNTRACED is explicitly
    2669             :          * requested, no event is reported; otherwise, report if the event
    2670             :          * for the type of forking is enabled.
    2671             :          */
    2672         348 :         if (!(clone_flags & CLONE_UNTRACED)) {
    2673           0 :                 if (clone_flags & CLONE_VFORK)
    2674             :                         trace = PTRACE_EVENT_VFORK;
    2675           0 :                 else if (args->exit_signal != SIGCHLD)
    2676             :                         trace = PTRACE_EVENT_CLONE;
    2677             :                 else
    2678           0 :                         trace = PTRACE_EVENT_FORK;
    2679             : 
    2680           0 :                 if (likely(!ptrace_event_enabled(current, trace)))
    2681           0 :                         trace = 0;
    2682             :         }
    2683             : 
    2684         348 :         p = copy_process(NULL, trace, NUMA_NO_NODE, args);
    2685         348 :         add_latent_entropy();
    2686             : 
    2687         348 :         if (IS_ERR(p))
    2688           0 :                 return PTR_ERR(p);
    2689             : 
    2690             :         /*
    2691             :          * Do this prior waking up the new thread - the thread pointer
    2692             :          * might get invalid after that point, if the thread exits quickly.
    2693             :          */
    2694         348 :         trace_sched_process_fork(current, p);
    2695             : 
    2696         348 :         pid = get_task_pid(p, PIDTYPE_PID);
    2697         348 :         nr = pid_vnr(pid);
    2698             : 
    2699         348 :         if (clone_flags & CLONE_PARENT_SETTID)
    2700           0 :                 put_user(nr, args->parent_tid);
    2701             : 
    2702         348 :         if (clone_flags & CLONE_VFORK) {
    2703           0 :                 p->vfork_done = &vfork;
    2704           0 :                 init_completion(&vfork);
    2705             :                 get_task_struct(p);
    2706             :         }
    2707             : 
    2708             :         if (IS_ENABLED(CONFIG_LRU_GEN) && !(clone_flags & CLONE_VM)) {
    2709             :                 /* lock the task to synchronize with memcg migration */
    2710             :                 task_lock(p);
    2711             :                 lru_gen_add_mm(p->mm);
    2712             :                 task_unlock(p);
    2713             :         }
    2714             : 
    2715         348 :         wake_up_new_task(p);
    2716             : 
    2717             :         /* forking complete and child started to run, tell ptracer */
    2718         348 :         if (unlikely(trace))
    2719           0 :                 ptrace_event_pid(trace, pid);
    2720             : 
    2721         348 :         if (clone_flags & CLONE_VFORK) {
    2722           0 :                 if (!wait_for_vfork_done(p, &vfork))
    2723           0 :                         ptrace_event_pid(PTRACE_EVENT_VFORK_DONE, pid);
    2724             :         }
    2725             : 
    2726         348 :         put_pid(pid);
    2727         348 :         return nr;
    2728             : }
    2729             : 
    2730             : /*
    2731             :  * Create a kernel thread.
    2732             :  */
    2733         347 : pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags)
    2734             : {
    2735        1041 :         struct kernel_clone_args args = {
    2736         347 :                 .flags          = ((lower_32_bits(flags) | CLONE_VM |
    2737         347 :                                     CLONE_UNTRACED) & ~CSIGNAL),
    2738         347 :                 .exit_signal    = (lower_32_bits(flags) & CSIGNAL),
    2739             :                 .fn             = fn,
    2740             :                 .fn_arg         = arg,
    2741             :                 .kthread        = 1,
    2742             :         };
    2743             : 
    2744         347 :         return kernel_clone(&args);
    2745             : }
    2746             : 
    2747             : /*
    2748             :  * Create a user mode thread.
    2749             :  */
    2750           1 : pid_t user_mode_thread(int (*fn)(void *), void *arg, unsigned long flags)
    2751             : {
    2752           3 :         struct kernel_clone_args args = {
    2753           1 :                 .flags          = ((lower_32_bits(flags) | CLONE_VM |
    2754           1 :                                     CLONE_UNTRACED) & ~CSIGNAL),
    2755           1 :                 .exit_signal    = (lower_32_bits(flags) & CSIGNAL),
    2756             :                 .fn             = fn,
    2757             :                 .fn_arg         = arg,
    2758             :         };
    2759             : 
    2760           1 :         return kernel_clone(&args);
    2761             : }
    2762             : 
    2763             : #ifdef __ARCH_WANT_SYS_FORK
    2764           0 : SYSCALL_DEFINE0(fork)
    2765             : {
    2766             : #ifdef CONFIG_MMU
    2767           0 :         struct kernel_clone_args args = {
    2768             :                 .exit_signal = SIGCHLD,
    2769             :         };
    2770             : 
    2771           0 :         return kernel_clone(&args);
    2772             : #else
    2773             :         /* can not support in nommu mode */
    2774             :         return -EINVAL;
    2775             : #endif
    2776             : }
    2777             : #endif
    2778             : 
    2779             : #ifdef __ARCH_WANT_SYS_VFORK
    2780           0 : SYSCALL_DEFINE0(vfork)
    2781             : {
    2782           0 :         struct kernel_clone_args args = {
    2783             :                 .flags          = CLONE_VFORK | CLONE_VM,
    2784             :                 .exit_signal    = SIGCHLD,
    2785             :         };
    2786             : 
    2787           0 :         return kernel_clone(&args);
    2788             : }
    2789             : #endif
    2790             : 
    2791             : #ifdef __ARCH_WANT_SYS_CLONE
    2792             : #ifdef CONFIG_CLONE_BACKWARDS
    2793             : SYSCALL_DEFINE5(clone, unsigned long, clone_flags, unsigned long, newsp,
    2794             :                  int __user *, parent_tidptr,
    2795             :                  unsigned long, tls,
    2796             :                  int __user *, child_tidptr)
    2797             : #elif defined(CONFIG_CLONE_BACKWARDS2)
    2798             : SYSCALL_DEFINE5(clone, unsigned long, newsp, unsigned long, clone_flags,
    2799             :                  int __user *, parent_tidptr,
    2800             :                  int __user *, child_tidptr,
    2801             :                  unsigned long, tls)
    2802             : #elif defined(CONFIG_CLONE_BACKWARDS3)
    2803             : SYSCALL_DEFINE6(clone, unsigned long, clone_flags, unsigned long, newsp,
    2804             :                 int, stack_size,
    2805             :                 int __user *, parent_tidptr,
    2806             :                 int __user *, child_tidptr,
    2807             :                 unsigned long, tls)
    2808             : #else
    2809           0 : SYSCALL_DEFINE5(clone, unsigned long, clone_flags, unsigned long, newsp,
    2810             :                  int __user *, parent_tidptr,
    2811             :                  int __user *, child_tidptr,
    2812             :                  unsigned long, tls)
    2813             : #endif
    2814             : {
    2815           0 :         struct kernel_clone_args args = {
    2816           0 :                 .flags          = (lower_32_bits(clone_flags) & ~CSIGNAL),
    2817             :                 .pidfd          = parent_tidptr,
    2818             :                 .child_tid      = child_tidptr,
    2819             :                 .parent_tid     = parent_tidptr,
    2820           0 :                 .exit_signal    = (lower_32_bits(clone_flags) & CSIGNAL),
    2821             :                 .stack          = newsp,
    2822             :                 .tls            = tls,
    2823             :         };
    2824             : 
    2825           0 :         return kernel_clone(&args);
    2826             : }
    2827             : #endif
    2828             : 
    2829             : #ifdef __ARCH_WANT_SYS_CLONE3
    2830             : 
    2831           0 : noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
    2832             :                                               struct clone_args __user *uargs,
    2833             :                                               size_t usize)
    2834             : {
    2835             :         int err;
    2836             :         struct clone_args args;
    2837           0 :         pid_t *kset_tid = kargs->set_tid;
    2838             : 
    2839             :         BUILD_BUG_ON(offsetofend(struct clone_args, tls) !=
    2840             :                      CLONE_ARGS_SIZE_VER0);
    2841             :         BUILD_BUG_ON(offsetofend(struct clone_args, set_tid_size) !=
    2842             :                      CLONE_ARGS_SIZE_VER1);
    2843             :         BUILD_BUG_ON(offsetofend(struct clone_args, cgroup) !=
    2844             :                      CLONE_ARGS_SIZE_VER2);
    2845             :         BUILD_BUG_ON(sizeof(struct clone_args) != CLONE_ARGS_SIZE_VER2);
    2846             : 
    2847           0 :         if (unlikely(usize > PAGE_SIZE))
    2848             :                 return -E2BIG;
    2849           0 :         if (unlikely(usize < CLONE_ARGS_SIZE_VER0))
    2850             :                 return -EINVAL;
    2851             : 
    2852           0 :         err = copy_struct_from_user(&args, sizeof(args), uargs, usize);
    2853           0 :         if (err)
    2854             :                 return err;
    2855             : 
    2856           0 :         if (unlikely(args.set_tid_size > MAX_PID_NS_LEVEL))
    2857             :                 return -EINVAL;
    2858             : 
    2859           0 :         if (unlikely(!args.set_tid && args.set_tid_size > 0))
    2860             :                 return -EINVAL;
    2861             : 
    2862           0 :         if (unlikely(args.set_tid && args.set_tid_size == 0))
    2863             :                 return -EINVAL;
    2864             : 
    2865             :         /*
    2866             :          * Verify that higher 32bits of exit_signal are unset and that
    2867             :          * it is a valid signal
    2868             :          */
    2869           0 :         if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
    2870             :                      !valid_signal(args.exit_signal)))
    2871             :                 return -EINVAL;
    2872             : 
    2873           0 :         if ((args.flags & CLONE_INTO_CGROUP) &&
    2874           0 :             (args.cgroup > INT_MAX || usize < CLONE_ARGS_SIZE_VER2))
    2875             :                 return -EINVAL;
    2876             : 
    2877           0 :         *kargs = (struct kernel_clone_args){
    2878             :                 .flags          = args.flags,
    2879           0 :                 .pidfd          = u64_to_user_ptr(args.pidfd),
    2880           0 :                 .child_tid      = u64_to_user_ptr(args.child_tid),
    2881           0 :                 .parent_tid     = u64_to_user_ptr(args.parent_tid),
    2882             :                 .exit_signal    = args.exit_signal,
    2883           0 :                 .stack          = args.stack,
    2884           0 :                 .stack_size     = args.stack_size,
    2885           0 :                 .tls            = args.tls,
    2886             :                 .set_tid_size   = args.set_tid_size,
    2887           0 :                 .cgroup         = args.cgroup,
    2888             :         };
    2889             : 
    2890           0 :         if (args.set_tid &&
    2891           0 :                 copy_from_user(kset_tid, u64_to_user_ptr(args.set_tid),
    2892             :                         (kargs->set_tid_size * sizeof(pid_t))))
    2893             :                 return -EFAULT;
    2894             : 
    2895           0 :         kargs->set_tid = kset_tid;
    2896             : 
    2897           0 :         return 0;
    2898             : }
    2899             : 
    2900             : /**
    2901             :  * clone3_stack_valid - check and prepare stack
    2902             :  * @kargs: kernel clone args
    2903             :  *
    2904             :  * Verify that the stack arguments userspace gave us are sane.
    2905             :  * In addition, set the stack direction for userspace since it's easy for us to
    2906             :  * determine.
    2907             :  */
    2908           0 : static inline bool clone3_stack_valid(struct kernel_clone_args *kargs)
    2909             : {
    2910           0 :         if (kargs->stack == 0) {
    2911           0 :                 if (kargs->stack_size > 0)
    2912             :                         return false;
    2913             :         } else {
    2914           0 :                 if (kargs->stack_size == 0)
    2915             :                         return false;
    2916             : 
    2917           0 :                 if (!access_ok((void __user *)kargs->stack, kargs->stack_size))
    2918             :                         return false;
    2919             : 
    2920             : #if !defined(CONFIG_STACK_GROWSUP) && !defined(CONFIG_IA64)
    2921           0 :                 kargs->stack += kargs->stack_size;
    2922             : #endif
    2923             :         }
    2924             : 
    2925             :         return true;
    2926             : }
    2927             : 
    2928           0 : static bool clone3_args_valid(struct kernel_clone_args *kargs)
    2929             : {
    2930             :         /* Verify that no unknown flags are passed along. */
    2931           0 :         if (kargs->flags &
    2932             :             ~(CLONE_LEGACY_FLAGS | CLONE_CLEAR_SIGHAND | CLONE_INTO_CGROUP))
    2933             :                 return false;
    2934             : 
    2935             :         /*
    2936             :          * - make the CLONE_DETACHED bit reusable for clone3
    2937             :          * - make the CSIGNAL bits reusable for clone3
    2938             :          */
    2939           0 :         if (kargs->flags & (CLONE_DETACHED | CSIGNAL))
    2940             :                 return false;
    2941             : 
    2942           0 :         if ((kargs->flags & (CLONE_SIGHAND | CLONE_CLEAR_SIGHAND)) ==
    2943             :             (CLONE_SIGHAND | CLONE_CLEAR_SIGHAND))
    2944             :                 return false;
    2945             : 
    2946           0 :         if ((kargs->flags & (CLONE_THREAD | CLONE_PARENT)) &&
    2947           0 :             kargs->exit_signal)
    2948             :                 return false;
    2949             : 
    2950           0 :         if (!clone3_stack_valid(kargs))
    2951             :                 return false;
    2952             : 
    2953           0 :         return true;
    2954             : }
    2955             : 
    2956             : /**
    2957             :  * clone3 - create a new process with specific properties
    2958             :  * @uargs: argument structure
    2959             :  * @size:  size of @uargs
    2960             :  *
    2961             :  * clone3() is the extensible successor to clone()/clone2().
    2962             :  * It takes a struct as argument that is versioned by its size.
    2963             :  *
    2964             :  * Return: On success, a positive PID for the child process.
    2965             :  *         On error, a negative errno number.
    2966             :  */
    2967           0 : SYSCALL_DEFINE2(clone3, struct clone_args __user *, uargs, size_t, size)
    2968             : {
    2969             :         int err;
    2970             : 
    2971             :         struct kernel_clone_args kargs;
    2972             :         pid_t set_tid[MAX_PID_NS_LEVEL];
    2973             : 
    2974           0 :         kargs.set_tid = set_tid;
    2975             : 
    2976           0 :         err = copy_clone_args_from_user(&kargs, uargs, size);
    2977           0 :         if (err)
    2978           0 :                 return err;
    2979             : 
    2980           0 :         if (!clone3_args_valid(&kargs))
    2981             :                 return -EINVAL;
    2982             : 
    2983           0 :         return kernel_clone(&kargs);
    2984             : }
    2985             : #endif
    2986             : 
    2987           0 : void walk_process_tree(struct task_struct *top, proc_visitor visitor, void *data)
    2988             : {
    2989             :         struct task_struct *leader, *parent, *child;
    2990             :         int res;
    2991             : 
    2992           0 :         read_lock(&tasklist_lock);
    2993           0 :         leader = top = top->group_leader;
    2994             : down:
    2995           0 :         for_each_thread(leader, parent) {
    2996           0 :                 list_for_each_entry(child, &parent->children, sibling) {
    2997           0 :                         res = visitor(child, data);
    2998           0 :                         if (res) {
    2999           0 :                                 if (res < 0)
    3000             :                                         goto out;
    3001             :                                 leader = child;
    3002             :                                 goto down;
    3003             :                         }
    3004             : up:
    3005             :                         ;
    3006             :                 }
    3007             :         }
    3008             : 
    3009           0 :         if (leader != top) {
    3010           0 :                 child = leader;
    3011           0 :                 parent = child->real_parent;
    3012           0 :                 leader = parent->group_leader;
    3013           0 :                 goto up;
    3014             :         }
    3015             : out:
    3016           0 :         read_unlock(&tasklist_lock);
    3017           0 : }
    3018             : 
    3019             : #ifndef ARCH_MIN_MMSTRUCT_ALIGN
    3020             : #define ARCH_MIN_MMSTRUCT_ALIGN 0
    3021             : #endif
    3022             : 
    3023          30 : static void sighand_ctor(void *data)
    3024             : {
    3025          30 :         struct sighand_struct *sighand = data;
    3026             : 
    3027          30 :         spin_lock_init(&sighand->siglock);
    3028          30 :         init_waitqueue_head(&sighand->signalfd_wqh);
    3029          30 : }
    3030             : 
    3031           1 : void __init mm_cache_init(void)
    3032             : {
    3033             :         unsigned int mm_size;
    3034             : 
    3035             :         /*
    3036             :          * The mm_cpumask is located at the end of mm_struct, and is
    3037             :          * dynamically sized based on the maximum CPU number this system
    3038             :          * can have, taking hotplug into account (nr_cpu_ids).
    3039             :          */
    3040           1 :         mm_size = sizeof(struct mm_struct) + cpumask_size() + mm_cid_size();
    3041             : 
    3042           1 :         mm_cachep = kmem_cache_create_usercopy("mm_struct",
    3043             :                         mm_size, ARCH_MIN_MMSTRUCT_ALIGN,
    3044             :                         SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT,
    3045             :                         offsetof(struct mm_struct, saved_auxv),
    3046             :                         sizeof_field(struct mm_struct, saved_auxv),
    3047             :                         NULL);
    3048           1 : }
    3049             : 
    3050           1 : void __init proc_caches_init(void)
    3051             : {
    3052           1 :         sighand_cachep = kmem_cache_create("sighand_cache",
    3053             :                         sizeof(struct sighand_struct), 0,
    3054             :                         SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_TYPESAFE_BY_RCU|
    3055             :                         SLAB_ACCOUNT, sighand_ctor);
    3056           1 :         signal_cachep = kmem_cache_create("signal_cache",
    3057             :                         sizeof(struct signal_struct), 0,
    3058             :                         SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT,
    3059             :                         NULL);
    3060           1 :         files_cachep = kmem_cache_create("files_cache",
    3061             :                         sizeof(struct files_struct), 0,
    3062             :                         SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT,
    3063             :                         NULL);
    3064           1 :         fs_cachep = kmem_cache_create("fs_cache",
    3065             :                         sizeof(struct fs_struct), 0,
    3066             :                         SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT,
    3067             :                         NULL);
    3068             : 
    3069           1 :         vm_area_cachep = KMEM_CACHE(vm_area_struct, SLAB_PANIC|SLAB_ACCOUNT);
    3070           1 :         mmap_init();
    3071           1 :         nsproxy_cache_init();
    3072           1 : }
    3073             : 
    3074             : /*
    3075             :  * Check constraints on flags passed to the unshare system call.
    3076             :  */
    3077           0 : static int check_unshare_flags(unsigned long unshare_flags)
    3078             : {
    3079           0 :         if (unshare_flags & ~(CLONE_THREAD|CLONE_FS|CLONE_NEWNS|CLONE_SIGHAND|
    3080             :                                 CLONE_VM|CLONE_FILES|CLONE_SYSVSEM|
    3081             :                                 CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWNET|
    3082             :                                 CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWCGROUP|
    3083             :                                 CLONE_NEWTIME))
    3084             :                 return -EINVAL;
    3085             :         /*
    3086             :          * Not implemented, but pretend it works if there is nothing
    3087             :          * to unshare.  Note that unsharing the address space or the
    3088             :          * signal handlers also need to unshare the signal queues (aka
    3089             :          * CLONE_THREAD).
    3090             :          */
    3091           0 :         if (unshare_flags & (CLONE_THREAD | CLONE_SIGHAND | CLONE_VM)) {
    3092           0 :                 if (!thread_group_empty(current))
    3093             :                         return -EINVAL;
    3094             :         }
    3095           0 :         if (unshare_flags & (CLONE_SIGHAND | CLONE_VM)) {
    3096           0 :                 if (refcount_read(&current->sighand->count) > 1)
    3097             :                         return -EINVAL;
    3098             :         }
    3099           0 :         if (unshare_flags & CLONE_VM) {
    3100           0 :                 if (!current_is_single_threaded())
    3101             :                         return -EINVAL;
    3102             :         }
    3103             : 
    3104             :         return 0;
    3105             : }
    3106             : 
    3107             : /*
    3108             :  * Unshare the filesystem structure if it is being shared
    3109             :  */
    3110           0 : static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
    3111             : {
    3112           0 :         struct fs_struct *fs = current->fs;
    3113             : 
    3114           0 :         if (!(unshare_flags & CLONE_FS) || !fs)
    3115             :                 return 0;
    3116             : 
    3117             :         /* don't need lock here; in the worst case we'll do useless copy */
    3118           0 :         if (fs->users == 1)
    3119             :                 return 0;
    3120             : 
    3121           0 :         *new_fsp = copy_fs_struct(fs);
    3122           0 :         if (!*new_fsp)
    3123             :                 return -ENOMEM;
    3124             : 
    3125           0 :         return 0;
    3126             : }
    3127             : 
    3128             : /*
    3129             :  * Unshare file descriptor table if it is being shared
    3130             :  */
    3131           0 : int unshare_fd(unsigned long unshare_flags, unsigned int max_fds,
    3132             :                struct files_struct **new_fdp)
    3133             : {
    3134           0 :         struct files_struct *fd = current->files;
    3135           0 :         int error = 0;
    3136             : 
    3137           0 :         if ((unshare_flags & CLONE_FILES) &&
    3138           0 :             (fd && atomic_read(&fd->count) > 1)) {
    3139           0 :                 *new_fdp = dup_fd(fd, max_fds, &error);
    3140           0 :                 if (!*new_fdp)
    3141           0 :                         return error;
    3142             :         }
    3143             : 
    3144             :         return 0;
    3145             : }
    3146             : 
    3147             : /*
    3148             :  * unshare allows a process to 'unshare' part of the process
    3149             :  * context which was originally shared using clone.  copy_*
    3150             :  * functions used by kernel_clone() cannot be used here directly
    3151             :  * because they modify an inactive task_struct that is being
    3152             :  * constructed. Here we are modifying the current, active,
    3153             :  * task_struct.
    3154             :  */
    3155           0 : int ksys_unshare(unsigned long unshare_flags)
    3156             : {
    3157           0 :         struct fs_struct *fs, *new_fs = NULL;
    3158           0 :         struct files_struct *new_fd = NULL;
    3159           0 :         struct cred *new_cred = NULL;
    3160           0 :         struct nsproxy *new_nsproxy = NULL;
    3161           0 :         int do_sysvsem = 0;
    3162             :         int err;
    3163             : 
    3164             :         /*
    3165             :          * If unsharing a user namespace must also unshare the thread group
    3166             :          * and unshare the filesystem root and working directories.
    3167             :          */
    3168           0 :         if (unshare_flags & CLONE_NEWUSER)
    3169           0 :                 unshare_flags |= CLONE_THREAD | CLONE_FS;
    3170             :         /*
    3171             :          * If unsharing vm, must also unshare signal handlers.
    3172             :          */
    3173           0 :         if (unshare_flags & CLONE_VM)
    3174           0 :                 unshare_flags |= CLONE_SIGHAND;
    3175             :         /*
    3176             :          * If unsharing a signal handlers, must also unshare the signal queues.
    3177             :          */
    3178           0 :         if (unshare_flags & CLONE_SIGHAND)
    3179           0 :                 unshare_flags |= CLONE_THREAD;
    3180             :         /*
    3181             :          * If unsharing namespace, must also unshare filesystem information.
    3182             :          */
    3183           0 :         if (unshare_flags & CLONE_NEWNS)
    3184           0 :                 unshare_flags |= CLONE_FS;
    3185             : 
    3186           0 :         err = check_unshare_flags(unshare_flags);
    3187           0 :         if (err)
    3188             :                 goto bad_unshare_out;
    3189             :         /*
    3190             :          * CLONE_NEWIPC must also detach from the undolist: after switching
    3191             :          * to a new ipc namespace, the semaphore arrays from the old
    3192             :          * namespace are unreachable.
    3193             :          */
    3194           0 :         if (unshare_flags & (CLONE_NEWIPC|CLONE_SYSVSEM))
    3195           0 :                 do_sysvsem = 1;
    3196           0 :         err = unshare_fs(unshare_flags, &new_fs);
    3197           0 :         if (err)
    3198             :                 goto bad_unshare_out;
    3199           0 :         err = unshare_fd(unshare_flags, NR_OPEN_MAX, &new_fd);
    3200           0 :         if (err)
    3201             :                 goto bad_unshare_cleanup_fs;
    3202           0 :         err = unshare_userns(unshare_flags, &new_cred);
    3203           0 :         if (err)
    3204             :                 goto bad_unshare_cleanup_fd;
    3205           0 :         err = unshare_nsproxy_namespaces(unshare_flags, &new_nsproxy,
    3206             :                                          new_cred, new_fs);
    3207           0 :         if (err)
    3208             :                 goto bad_unshare_cleanup_cred;
    3209             : 
    3210             :         if (new_cred) {
    3211             :                 err = set_cred_ucounts(new_cred);
    3212             :                 if (err)
    3213             :                         goto bad_unshare_cleanup_cred;
    3214             :         }
    3215             : 
    3216           0 :         if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
    3217           0 :                 if (do_sysvsem) {
    3218             :                         /*
    3219             :                          * CLONE_SYSVSEM is equivalent to sys_exit().
    3220             :                          */
    3221           0 :                         exit_sem(current);
    3222             :                 }
    3223           0 :                 if (unshare_flags & CLONE_NEWIPC) {
    3224             :                         /* Orphan segments in old ns (see sem above). */
    3225           0 :                         exit_shm(current);
    3226           0 :                         shm_init_task(current);
    3227             :                 }
    3228             : 
    3229           0 :                 if (new_nsproxy)
    3230           0 :                         switch_task_namespaces(current, new_nsproxy);
    3231             : 
    3232           0 :                 task_lock(current);
    3233             : 
    3234           0 :                 if (new_fs) {
    3235           0 :                         fs = current->fs;
    3236           0 :                         spin_lock(&fs->lock);
    3237           0 :                         current->fs = new_fs;
    3238           0 :                         if (--fs->users)
    3239           0 :                                 new_fs = NULL;
    3240             :                         else
    3241           0 :                                 new_fs = fs;
    3242           0 :                         spin_unlock(&fs->lock);
    3243             :                 }
    3244             : 
    3245           0 :                 if (new_fd)
    3246           0 :                         swap(current->files, new_fd);
    3247             : 
    3248           0 :                 task_unlock(current);
    3249             : 
    3250             :                 if (new_cred) {
    3251             :                         /* Install the new user namespace */
    3252             :                         commit_creds(new_cred);
    3253             :                         new_cred = NULL;
    3254             :                 }
    3255             :         }
    3256             : 
    3257           0 :         perf_event_namespaces(current);
    3258             : 
    3259             : bad_unshare_cleanup_cred:
    3260             :         if (new_cred)
    3261             :                 put_cred(new_cred);
    3262             : bad_unshare_cleanup_fd:
    3263           0 :         if (new_fd)
    3264           0 :                 put_files_struct(new_fd);
    3265             : 
    3266             : bad_unshare_cleanup_fs:
    3267           0 :         if (new_fs)
    3268           0 :                 free_fs_struct(new_fs);
    3269             : 
    3270             : bad_unshare_out:
    3271           0 :         return err;
    3272             : }
    3273             : 
    3274           0 : SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
    3275             : {
    3276           0 :         return ksys_unshare(unshare_flags);
    3277             : }
    3278             : 
    3279             : /*
    3280             :  *      Helper to unshare the files of the current task.
    3281             :  *      We don't want to expose copy_files internals to
    3282             :  *      the exec layer of the kernel.
    3283             :  */
    3284             : 
    3285           0 : int unshare_files(void)
    3286             : {
    3287           0 :         struct task_struct *task = current;
    3288           0 :         struct files_struct *old, *copy = NULL;
    3289             :         int error;
    3290             : 
    3291           0 :         error = unshare_fd(CLONE_FILES, NR_OPEN_MAX, &copy);
    3292           0 :         if (error || !copy)
    3293             :                 return error;
    3294             : 
    3295           0 :         old = task->files;
    3296           0 :         task_lock(task);
    3297           0 :         task->files = copy;
    3298           0 :         task_unlock(task);
    3299           0 :         put_files_struct(old);
    3300           0 :         return 0;
    3301             : }
    3302             : 
    3303           0 : int sysctl_max_threads(struct ctl_table *table, int write,
    3304             :                        void *buffer, size_t *lenp, loff_t *ppos)
    3305             : {
    3306             :         struct ctl_table t;
    3307             :         int ret;
    3308           0 :         int threads = max_threads;
    3309           0 :         int min = 1;
    3310           0 :         int max = MAX_THREADS;
    3311             : 
    3312           0 :         t = *table;
    3313           0 :         t.data = &threads;
    3314           0 :         t.extra1 = &min;
    3315           0 :         t.extra2 = &max;
    3316             : 
    3317           0 :         ret = proc_dointvec_minmax(&t, write, buffer, lenp, ppos);
    3318           0 :         if (ret || !write)
    3319             :                 return ret;
    3320             : 
    3321           0 :         max_threads = threads;
    3322             : 
    3323           0 :         return 0;
    3324             : }

Generated by: LCOV version 1.14