2 kmod, the new module loader (replaces kerneld)
5 Reorganized not to be a daemon by Adam Richter, with guidance
8 Modified to avoid chroot and file sharing problems.
11 Limit the concurrent number of kmod modprobes to catch loops from
12 "modprobe needs a service that is in a module".
13 Keith Owens <kaos@ocs.com.au> December 1999
15 Unblock all signals when we exec a usermode process.
16 Shuu Yamaguchi <shuu@wondernetworkresources.com> December 2000
18 call_usermodehelper wait flag, and remove exec_usermodehelper.
19 Rusty Russell <rusty@rustcorp.com.au> Jan 2003
21 #include <linux/module.h>
22 #include <linux/sched.h>
23 #include <linux/syscalls.h>
24 #include <linux/unistd.h>
25 #include <linux/kmod.h>
26 #include <linux/slab.h>
27 #include <linux/completion.h>
28 #include <linux/cred.h>
29 #include <linux/file.h>
30 #include <linux/fdtable.h>
31 #include <linux/workqueue.h>
32 #include <linux/security.h>
33 #include <linux/mount.h>
34 #include <linux/kernel.h>
35 #include <linux/init.h>
36 #include <linux/resource.h>
37 #include <linux/notifier.h>
38 #include <linux/suspend.h>
39 #include <linux/rwsem.h>
40 #include <linux/ptrace.h>
41 #include <asm/uaccess.h>
43 #include <trace/events/module.h>
45 extern int max_threads;
47 static struct workqueue_struct *khelper_wq;
50 * kmod_thread_locker is used for deadlock avoidance. There is no explicit
51 * locking to protect this global - it is private to the singleton khelper
52 * thread and should only ever be modified by that thread.
54 static const struct task_struct *kmod_thread_locker;
56 #define CAP_BSET (void *)1
57 #define CAP_PI (void *)2
59 static kernel_cap_t usermodehelper_bset = CAP_FULL_SET;
60 static kernel_cap_t usermodehelper_inheritable = CAP_FULL_SET;
61 static DEFINE_SPINLOCK(umh_sysctl_lock);
62 static DECLARE_RWSEM(umhelper_sem);
67 modprobe_path is set via /proc/sys.
69 char modprobe_path[KMOD_PATH_LEN] = "/sbin/modprobe";
71 static void free_modprobe_argv(struct subprocess_info *info)
73 kfree(info->argv[3]); /* check call_modprobe() */
77 static int call_modprobe(char *module_name, int wait)
79 static char *envp[] = {
82 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
86 char **argv = kmalloc(sizeof(char *[5]), GFP_KERNEL);
90 module_name = kstrdup(module_name, GFP_KERNEL);
94 argv[0] = modprobe_path;
97 argv[3] = module_name; /* check free_modprobe_argv() */
100 return call_usermodehelper_fns(modprobe_path, argv, envp,
101 wait | UMH_KILLABLE, NULL, free_modprobe_argv, NULL);
109 * __request_module - try to load a kernel module
110 * @wait: wait (or not) for the operation to complete
111 * @fmt: printf style format string for the name of the module
112 * @...: arguments as specified in the format string
114 * Load a module using the user mode module loader. The function returns
115 * zero on success or a negative errno code on failure. Note that a
116 * successful module load does not mean the module did not then unload
117 * and exit on an error of its own. Callers must check that the service
118 * they requested is now available not blindly invoke it.
120 * If module auto-loading support is disabled then this function
121 * becomes a no-operation.
123 int __request_module(bool wait, const char *fmt, ...)
126 char module_name[MODULE_NAME_LEN];
127 unsigned int max_modprobes;
129 static atomic_t kmod_concurrent = ATOMIC_INIT(0);
130 #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
131 static int kmod_loop_msg;
134 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
136 if (ret >= MODULE_NAME_LEN)
137 return -ENAMETOOLONG;
139 ret = security_kernel_module_request(module_name);
143 /* If modprobe needs a service that is in a module, we get a recursive
144 * loop. Limit the number of running kmod threads to max_threads/2 or
145 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
146 * would be to run the parents of this process, counting how many times
147 * kmod was invoked. That would mean accessing the internals of the
148 * process tables to get the command line, proc_pid_cmdline is static
149 * and it is not worth changing the proc code just to handle this case.
152 * "trace the ppid" is simple, but will fail if someone's
153 * parent exits. I think this is as good as it gets. --RR
155 max_modprobes = min(max_threads/2, MAX_KMOD_CONCURRENT);
156 atomic_inc(&kmod_concurrent);
157 if (atomic_read(&kmod_concurrent) > max_modprobes) {
158 /* We may be blaming an innocent here, but unlikely */
159 if (kmod_loop_msg < 5) {
161 "request_module: runaway loop modprobe %s\n",
165 atomic_dec(&kmod_concurrent);
169 trace_module_request(module_name, wait, _RET_IP_);
171 ret = call_modprobe(module_name, wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC);
173 atomic_dec(&kmod_concurrent);
176 EXPORT_SYMBOL(__request_module);
177 #endif /* CONFIG_MODULES */
180 * This is the task which runs the usermode application
182 static int ____call_usermodehelper(void *data)
184 struct subprocess_info *sub_info = data;
188 spin_lock_irq(¤t->sighand->siglock);
189 flush_signal_handlers(current, 1);
190 spin_unlock_irq(¤t->sighand->siglock);
192 /* We can run anywhere, unlike our parent keventd(). */
193 set_cpus_allowed_ptr(current, cpu_all_mask);
196 * Our parent is keventd, which runs with elevated scheduling priority.
197 * Avoid propagating that into the userspace child.
199 set_user_nice(current, 0);
202 new = prepare_kernel_cred(current);
206 spin_lock(&umh_sysctl_lock);
207 new->cap_bset = cap_intersect(usermodehelper_bset, new->cap_bset);
208 new->cap_inheritable = cap_intersect(usermodehelper_inheritable,
209 new->cap_inheritable);
210 spin_unlock(&umh_sysctl_lock);
212 if (sub_info->init) {
213 retval = sub_info->init(sub_info, new);
222 retval = do_execve(sub_info->path,
223 (const char __user *const __user *)sub_info->argv,
224 (const char __user *const __user *)sub_info->envp);
230 sub_info->retval = retval;
234 static int call_helper(void *data)
236 /* Worker thread started blocking khelper thread. */
237 kmod_thread_locker = current;
238 return ____call_usermodehelper(data);
241 static void call_usermodehelper_freeinfo(struct subprocess_info *info)
244 (*info->cleanup)(info);
248 static void umh_complete(struct subprocess_info *sub_info)
250 struct completion *comp = xchg(&sub_info->complete, NULL);
252 * See call_usermodehelper_exec(). If xchg() returns NULL
253 * we own sub_info, the UMH_KILLABLE caller has gone away.
258 call_usermodehelper_freeinfo(sub_info);
261 /* Keventd can't block, but this (a child) can. */
262 static int wait_for_helper(void *data)
264 struct subprocess_info *sub_info = data;
267 /* If SIGCLD is ignored sys_wait4 won't populate the status. */
268 spin_lock_irq(¤t->sighand->siglock);
269 current->sighand->action[SIGCHLD-1].sa.sa_handler = SIG_DFL;
270 spin_unlock_irq(¤t->sighand->siglock);
272 pid = kernel_thread(____call_usermodehelper, sub_info, SIGCHLD);
274 sub_info->retval = pid;
278 * Normally it is bogus to call wait4() from in-kernel because
279 * wait4() wants to write the exit code to a userspace address.
280 * But wait_for_helper() always runs as keventd, and put_user()
281 * to a kernel address works OK for kernel threads, due to their
282 * having an mm_segment_t which spans the entire address space.
284 * Thus the __user pointer cast is valid here.
286 sys_wait4(pid, (int __user *)&ret, 0, NULL);
289 * If ret is 0, either ____call_usermodehelper failed and the
290 * real error code is already in sub_info->retval or
291 * sub_info->retval is 0 anyway, so don't mess with it then.
294 sub_info->retval = ret;
297 umh_complete(sub_info);
301 /* This is run by khelper thread */
302 static void __call_usermodehelper(struct work_struct *work)
304 struct subprocess_info *sub_info =
305 container_of(work, struct subprocess_info, work);
306 int wait = sub_info->wait & ~UMH_KILLABLE;
309 /* CLONE_VFORK: wait until the usermode helper has execve'd
310 * successfully We need the data structures to stay around
311 * until that is done. */
312 if (wait == UMH_WAIT_PROC)
313 pid = kernel_thread(wait_for_helper, sub_info,
314 CLONE_FS | CLONE_FILES | SIGCHLD);
316 pid = kernel_thread(call_helper, sub_info,
317 CLONE_VFORK | SIGCHLD);
318 /* Worker thread stopped blocking khelper thread. */
319 kmod_thread_locker = NULL;
324 call_usermodehelper_freeinfo(sub_info);
333 sub_info->retval = pid;
334 umh_complete(sub_info);
339 * If set, call_usermodehelper_exec() will exit immediately returning -EBUSY
340 * (used for preventing user land processes from being created after the user
341 * land has been frozen during a system-wide hibernation or suspend operation).
342 * Should always be manipulated under umhelper_sem acquired for write.
344 static enum umh_disable_depth usermodehelper_disabled = UMH_DISABLED;
346 /* Number of helpers running */
347 static atomic_t running_helpers = ATOMIC_INIT(0);
350 * Wait queue head used by usermodehelper_disable() to wait for all running
353 static DECLARE_WAIT_QUEUE_HEAD(running_helpers_waitq);
356 * Used by usermodehelper_read_lock_wait() to wait for usermodehelper_disabled
359 static DECLARE_WAIT_QUEUE_HEAD(usermodehelper_disabled_waitq);
362 * Time to wait for running_helpers to become zero before the setting of
363 * usermodehelper_disabled in usermodehelper_disable() fails
365 #define RUNNING_HELPERS_TIMEOUT (5 * HZ)
367 int usermodehelper_read_trylock(void)
372 down_read(&umhelper_sem);
374 prepare_to_wait(&usermodehelper_disabled_waitq, &wait,
376 if (!usermodehelper_disabled)
379 if (usermodehelper_disabled == UMH_DISABLED)
382 up_read(&umhelper_sem);
390 down_read(&umhelper_sem);
392 finish_wait(&usermodehelper_disabled_waitq, &wait);
395 EXPORT_SYMBOL_GPL(usermodehelper_read_trylock);
397 long usermodehelper_read_lock_wait(long timeout)
404 down_read(&umhelper_sem);
406 prepare_to_wait(&usermodehelper_disabled_waitq, &wait,
407 TASK_UNINTERRUPTIBLE);
408 if (!usermodehelper_disabled)
411 up_read(&umhelper_sem);
413 timeout = schedule_timeout(timeout);
417 down_read(&umhelper_sem);
419 finish_wait(&usermodehelper_disabled_waitq, &wait);
422 EXPORT_SYMBOL_GPL(usermodehelper_read_lock_wait);
424 void usermodehelper_read_unlock(void)
426 up_read(&umhelper_sem);
428 EXPORT_SYMBOL_GPL(usermodehelper_read_unlock);
431 * __usermodehelper_set_disable_depth - Modify usermodehelper_disabled.
432 * @depth: New value to assign to usermodehelper_disabled.
434 * Change the value of usermodehelper_disabled (under umhelper_sem locked for
435 * writing) and wakeup tasks waiting for it to change.
437 void __usermodehelper_set_disable_depth(enum umh_disable_depth depth)
439 down_write(&umhelper_sem);
440 usermodehelper_disabled = depth;
441 wake_up(&usermodehelper_disabled_waitq);
442 up_write(&umhelper_sem);
446 * __usermodehelper_disable - Prevent new helpers from being started.
447 * @depth: New value to assign to usermodehelper_disabled.
449 * Set usermodehelper_disabled to @depth and wait for running helpers to exit.
451 int __usermodehelper_disable(enum umh_disable_depth depth)
458 down_write(&umhelper_sem);
459 usermodehelper_disabled = depth;
460 up_write(&umhelper_sem);
463 * From now on call_usermodehelper_exec() won't start any new
464 * helpers, so it is sufficient if running_helpers turns out to
465 * be zero at one point (it may be increased later, but that
468 retval = wait_event_timeout(running_helpers_waitq,
469 atomic_read(&running_helpers) == 0,
470 RUNNING_HELPERS_TIMEOUT);
474 __usermodehelper_set_disable_depth(UMH_ENABLED);
478 static void helper_lock(void)
480 atomic_inc(&running_helpers);
481 smp_mb__after_atomic_inc();
484 static void helper_unlock(void)
486 if (atomic_dec_and_test(&running_helpers))
487 wake_up(&running_helpers_waitq);
491 * call_usermodehelper_setup - prepare to call a usermode helper
492 * @path: path to usermode executable
493 * @argv: arg vector for process
494 * @envp: environment for process
495 * @gfp_mask: gfp mask for memory allocation
497 * Returns either %NULL on allocation failure, or a subprocess_info
498 * structure. This should be passed to call_usermodehelper_exec to
499 * exec the process and free the structure.
502 struct subprocess_info *call_usermodehelper_setup(char *path, char **argv,
503 char **envp, gfp_t gfp_mask)
505 struct subprocess_info *sub_info;
506 sub_info = kzalloc(sizeof(struct subprocess_info), gfp_mask);
510 INIT_WORK(&sub_info->work, __call_usermodehelper);
511 sub_info->path = path;
512 sub_info->argv = argv;
513 sub_info->envp = envp;
519 * call_usermodehelper_setfns - set a cleanup/init function
520 * @info: a subprocess_info returned by call_usermodehelper_setup
521 * @cleanup: a cleanup function
522 * @init: an init function
523 * @data: arbitrary context sensitive data
525 * The init function is used to customize the helper process prior to
526 * exec. A non-zero return code causes the process to error out, exit,
527 * and return the failure to the calling process
529 * The cleanup function is just before ethe subprocess_info is about to
530 * be freed. This can be used for freeing the argv and envp. The
531 * Function must be runnable in either a process context or the
532 * context in which call_usermodehelper_exec is called.
535 void call_usermodehelper_setfns(struct subprocess_info *info,
536 int (*init)(struct subprocess_info *info, struct cred *new),
537 void (*cleanup)(struct subprocess_info *info),
540 info->cleanup = cleanup;
546 * call_usermodehelper_exec - start a usermode application
547 * @sub_info: information about the subprocessa
548 * @wait: wait for the application to finish and return status.
549 * when -1 don't wait at all, but you get no useful error back when
550 * the program couldn't be exec'ed. This makes it safe to call
551 * from interrupt context.
553 * Runs a user-space application. The application is started
554 * asynchronously if wait is not set, and runs as a child of keventd.
555 * (ie. it runs with full root capabilities).
558 int call_usermodehelper_exec(struct subprocess_info *sub_info, int wait)
560 DECLARE_COMPLETION_ONSTACK(done);
564 if (sub_info->path[0] == '\0')
567 if (!khelper_wq || usermodehelper_disabled) {
572 * Worker thread must not wait for khelper thread at below
573 * wait_for_completion() if the thread was created with CLONE_VFORK
574 * flag, for khelper thread is already waiting for the thread at
575 * wait_for_completion() in do_fork().
577 if (wait != UMH_NO_WAIT && current == kmod_thread_locker) {
582 sub_info->complete = &done;
583 sub_info->wait = wait;
585 queue_work(khelper_wq, &sub_info->work);
586 if (wait == UMH_NO_WAIT) /* task has freed sub_info */
589 if (wait & UMH_KILLABLE) {
590 retval = wait_for_completion_killable(&done);
594 /* umh_complete() will see NULL and free sub_info */
595 if (xchg(&sub_info->complete, NULL))
597 /* fallthrough, umh_complete() was already called */
600 wait_for_completion(&done);
602 retval = sub_info->retval;
604 call_usermodehelper_freeinfo(sub_info);
611 * call_usermodehelper_fns() will not run the caller-provided cleanup function
612 * if a memory allocation failure is experienced. So the caller might need to
613 * check the call_usermodehelper_fns() return value: if it is -ENOMEM, perform
614 * the necessaary cleanup within the caller.
616 int call_usermodehelper_fns(
617 char *path, char **argv, char **envp, int wait,
618 int (*init)(struct subprocess_info *info, struct cred *new),
619 void (*cleanup)(struct subprocess_info *), void *data)
621 struct subprocess_info *info;
622 gfp_t gfp_mask = (wait == UMH_NO_WAIT) ? GFP_ATOMIC : GFP_KERNEL;
624 info = call_usermodehelper_setup(path, argv, envp, gfp_mask);
629 call_usermodehelper_setfns(info, init, cleanup, data);
631 return call_usermodehelper_exec(info, wait);
633 EXPORT_SYMBOL(call_usermodehelper_fns);
635 static int proc_cap_handler(struct ctl_table *table, int write,
636 void __user *buffer, size_t *lenp, loff_t *ppos)
639 unsigned long cap_array[_KERNEL_CAPABILITY_U32S];
640 kernel_cap_t new_cap;
643 if (write && (!capable(CAP_SETPCAP) ||
644 !capable(CAP_SYS_MODULE)))
648 * convert from the global kernel_cap_t to the ulong array to print to
649 * userspace if this is a read.
651 spin_lock(&umh_sysctl_lock);
652 for (i = 0; i < _KERNEL_CAPABILITY_U32S; i++) {
653 if (table->data == CAP_BSET)
654 cap_array[i] = usermodehelper_bset.cap[i];
655 else if (table->data == CAP_PI)
656 cap_array[i] = usermodehelper_inheritable.cap[i];
660 spin_unlock(&umh_sysctl_lock);
666 * actually read or write and array of ulongs from userspace. Remember
667 * these are least significant 32 bits first
669 err = proc_doulongvec_minmax(&t, write, buffer, lenp, ppos);
674 * convert from the sysctl array of ulongs to the kernel_cap_t
675 * internal representation
677 for (i = 0; i < _KERNEL_CAPABILITY_U32S; i++)
678 new_cap.cap[i] = cap_array[i];
681 * Drop everything not in the new_cap (but don't add things)
683 spin_lock(&umh_sysctl_lock);
685 if (table->data == CAP_BSET)
686 usermodehelper_bset = cap_intersect(usermodehelper_bset, new_cap);
687 if (table->data == CAP_PI)
688 usermodehelper_inheritable = cap_intersect(usermodehelper_inheritable, new_cap);
690 spin_unlock(&umh_sysctl_lock);
695 struct ctl_table usermodehelper_table[] = {
699 .maxlen = _KERNEL_CAPABILITY_U32S * sizeof(unsigned long),
701 .proc_handler = proc_cap_handler,
704 .procname = "inheritable",
706 .maxlen = _KERNEL_CAPABILITY_U32S * sizeof(unsigned long),
708 .proc_handler = proc_cap_handler,
713 void __init usermodehelper_init(void)
715 khelper_wq = create_singlethread_workqueue("khelper");