1/* SPDX-License-Identifier: GPL-2.0 */
2
3#include <linux/compiler_types.h>
4#include <linux/errno.h>
5#include <linux/fs.h>
6#include <linux/fsnotify.h>
7#include <linux/gfp.h>
8#include <linux/idr.h>
9#include <linux/init.h>
10#include <linux/ipc_namespace.h>
11#include <linux/kdev_t.h>
12#include <linux/kernel.h>
13#include <linux/list.h>
14#include <linux/namei.h>
15#include <linux/magic.h>
16#include <linux/major.h>
17#include <linux/miscdevice.h>
18#include <linux/module.h>
19#include <linux/mutex.h>
20#include <linux/mount.h>
21#include <linux/parser.h>
22#include <linux/radix-tree.h>
23#include <linux/sched.h>
24#include <linux/seq_file.h>
25#include <linux/slab.h>
26#include <linux/spinlock_types.h>
27#include <linux/stddef.h>
28#include <linux/string.h>
29#include <linux/types.h>
30#include <linux/uaccess.h>
31#include <linux/user_namespace.h>
32#include <linux/xarray.h>
33#include <uapi/asm-generic/errno-base.h>
34#include <uapi/linux/android/binder.h>
35#include <uapi/linux/android/binderfs.h>
36
37#include "binder_internal.h"
38
39#define FIRST_INODE 1
40#define SECOND_INODE 2
41#define INODE_OFFSET 3
42#define INTSTRLEN 21
43#define BINDERFS_MAX_MINOR (1U << MINORBITS)
44/* Ensure that the initial ipc namespace always has devices available. */
45#define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4)
46
47static dev_t binderfs_dev;
48static DEFINE_MUTEX(binderfs_minors_mutex);
49static DEFINE_IDA(binderfs_minors);
50
51/**
52 * binderfs_mount_opts - mount options for binderfs
53 * @max: maximum number of allocatable binderfs binder devices
54 */
55struct binderfs_mount_opts {
56 int max;
57};
58
59enum {
60 Opt_max,
61 Opt_err
62};
63
64static const match_table_t tokens = {
65 { Opt_max, "max=%d" },
66 { Opt_err, NULL }
67};
68
69/**
70 * binderfs_info - information about a binderfs mount
71 * @ipc_ns: The ipc namespace the binderfs mount belongs to.
72 * @control_dentry: This records the dentry of this binderfs mount
73 * binder-control device.
74 * @root_uid: uid that needs to be used when a new binder device is
75 * created.
76 * @root_gid: gid that needs to be used when a new binder device is
77 * created.
78 * @mount_opts: The mount options in use.
79 * @device_count: The current number of allocated binder devices.
80 */
81struct binderfs_info {
82 struct ipc_namespace *ipc_ns;
83 struct dentry *control_dentry;
84 kuid_t root_uid;
85 kgid_t root_gid;
86 struct binderfs_mount_opts mount_opts;
87 int device_count;
88};
89
90static inline struct binderfs_info *BINDERFS_I(const struct inode *inode)
91{
92 return inode->i_sb->s_fs_info;
93}
94
95bool is_binderfs_device(const struct inode *inode)
96{
97 if (inode->i_sb->s_magic == BINDERFS_SUPER_MAGIC)
98 return true;
99
100 return false;
101}
102
103/**
104 * binderfs_binder_device_create - allocate inode from super block of a
105 * binderfs mount
106 * @ref_inode: inode from wich the super block will be taken
107 * @userp: buffer to copy information about new device for userspace to
108 * @req: struct binderfs_device as copied from userspace
109 *
110 * This function allocates a new binder_device and reserves a new minor
111 * number for it.
112 * Minor numbers are limited and tracked globally in binderfs_minors. The
113 * function will stash a struct binder_device for the specific binder
114 * device in i_private of the inode.
115 * It will go on to allocate a new inode from the super block of the
116 * filesystem mount, stash a struct binder_device in its i_private field
117 * and attach a dentry to that inode.
118 *
119 * Return: 0 on success, negative errno on failure
120 */
121static int binderfs_binder_device_create(struct inode *ref_inode,
122 struct binderfs_device __user *userp,
123 struct binderfs_device *req)
124{
125 int minor, ret;
126 struct dentry *dentry, *root;
127 struct binder_device *device;
128 char *name = NULL;
129 size_t name_len;
130 struct inode *inode = NULL;
131 struct super_block *sb = ref_inode->i_sb;
132 struct binderfs_info *info = sb->s_fs_info;
133#if defined(CONFIG_IPC_NS)
134 bool use_reserve = (info->ipc_ns == &init_ipc_ns);
135#else
136 bool use_reserve = true;
137#endif
138
139 /* Reserve new minor number for the new device. */
140 mutex_lock(&binderfs_minors_mutex);
141 if (++info->device_count <= info->mount_opts.max)
142 minor = ida_alloc_max(&binderfs_minors,
143 use_reserve ? BINDERFS_MAX_MINOR :
144 BINDERFS_MAX_MINOR_CAPPED,
145 GFP_KERNEL);
146 else
147 minor = -ENOSPC;
148 if (minor < 0) {
149 --info->device_count;
150 mutex_unlock(&binderfs_minors_mutex);
151 return minor;
152 }
153 mutex_unlock(&binderfs_minors_mutex);
154
155 ret = -ENOMEM;
156 device = kzalloc(sizeof(*device), GFP_KERNEL);
157 if (!device)
158 goto err;
159
160 inode = new_inode(sb);
161 if (!inode)
162 goto err;
163
164 inode->i_ino = minor + INODE_OFFSET;
165 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
166 init_special_inode(inode, S_IFCHR | 0600,
167 MKDEV(MAJOR(binderfs_dev), minor));
168 inode->i_fop = &binder_fops;
169 inode->i_uid = info->root_uid;
170 inode->i_gid = info->root_gid;
171
172 req->name[BINDERFS_MAX_NAME] = '\0'; /* NUL-terminate */
173 name_len = strlen(req->name);
174 /* Make sure to include terminating NUL byte */
175 name = kmemdup(req->name, name_len + 1, GFP_KERNEL);
176 if (!name)
177 goto err;
178
179 device->binderfs_inode = inode;
180 device->context.binder_context_mgr_uid = INVALID_UID;
181 device->context.name = name;
182 device->miscdev.name = name;
183 device->miscdev.minor = minor;
184 mutex_init(&device->context.context_mgr_node_lock);
185
186 req->major = MAJOR(binderfs_dev);
187 req->minor = minor;
188
189 ret = copy_to_user(userp, req, sizeof(*req));
190 if (ret) {
191 ret = -EFAULT;
192 goto err;
193 }
194
195 root = sb->s_root;
196 inode_lock(d_inode(root));
197
198 /* look it up */
199 dentry = lookup_one_len(name, root, name_len);
200 if (IS_ERR(dentry)) {
201 inode_unlock(d_inode(root));
202 ret = PTR_ERR(dentry);
203 goto err;
204 }
205
206 if (d_really_is_positive(dentry)) {
207 /* already exists */
208 dput(dentry);
209 inode_unlock(d_inode(root));
210 ret = -EEXIST;
211 goto err;
212 }
213
214 inode->i_private = device;
215 d_instantiate(dentry, inode);
216 fsnotify_create(root->d_inode, dentry);
217 inode_unlock(d_inode(root));
218
219 return 0;
220
221err:
222 kfree(name);
223 kfree(device);
224 mutex_lock(&binderfs_minors_mutex);
225 --info->device_count;
226 ida_free(&binderfs_minors, minor);
227 mutex_unlock(&binderfs_minors_mutex);
228 iput(inode);
229
230 return ret;
231}
232
233/**
234 * binderfs_ctl_ioctl - handle binder device node allocation requests
235 *
236 * The request handler for the binder-control device. All requests operate on
237 * the binderfs mount the binder-control device resides in:
238 * - BINDER_CTL_ADD
239 * Allocate a new binder device.
240 *
241 * Return: 0 on success, negative errno on failure
242 */
243static long binder_ctl_ioctl(struct file *file, unsigned int cmd,
244 unsigned long arg)
245{
246 int ret = -EINVAL;
247 struct inode *inode = file_inode(file);
248 struct binderfs_device __user *device = (struct binderfs_device __user *)arg;
249 struct binderfs_device device_req;
250
251 switch (cmd) {
252 case BINDER_CTL_ADD:
253 ret = copy_from_user(&device_req, device, sizeof(device_req));
254 if (ret) {
255 ret = -EFAULT;
256 break;
257 }
258
259 ret = binderfs_binder_device_create(inode, device, &device_req);
260 break;
261 default:
262 break;
263 }
264
265 return ret;
266}
267
268static void binderfs_evict_inode(struct inode *inode)
269{
270 struct binder_device *device = inode->i_private;
271 struct binderfs_info *info = BINDERFS_I(inode);
272
273 clear_inode(inode);
274
275 if (!device)
276 return;
277
278 mutex_lock(&binderfs_minors_mutex);
279 --info->device_count;
280 ida_free(&binderfs_minors, device->miscdev.minor);
281 mutex_unlock(&binderfs_minors_mutex);
282
283 kfree(device->context.name);
284 kfree(device);
285}
286
287/**
288 * binderfs_parse_mount_opts - parse binderfs mount options
289 * @data: options to set (can be NULL in which case defaults are used)
290 */
291static int binderfs_parse_mount_opts(char *data,
292 struct binderfs_mount_opts *opts)
293{
294 char *p;
295 opts->max = BINDERFS_MAX_MINOR;
296
297 while ((p = strsep(&data, ",")) != NULL) {
298 substring_t args[MAX_OPT_ARGS];
299 int token;
300 int max_devices;
301
302 if (!*p)
303 continue;
304
305 token = match_token(p, tokens, args);
306 switch (token) {
307 case Opt_max:
308 if (match_int(&args[0], &max_devices) ||
309 (max_devices < 0 ||
310 (max_devices > BINDERFS_MAX_MINOR)))
311 return -EINVAL;
312
313 opts->max = max_devices;
314 break;
315 default:
316 pr_err("Invalid mount options\n");
317 return -EINVAL;
318 }
319 }
320
321 return 0;
322}
323
324static int binderfs_remount(struct super_block *sb, int *flags, char *data)
325{
326 struct binderfs_info *info = sb->s_fs_info;
327 return binderfs_parse_mount_opts(data, &info->mount_opts);
328}
329
330static int binderfs_show_mount_opts(struct seq_file *seq, struct dentry *root)
331{
332 struct binderfs_info *info;
333
334 info = root->d_sb->s_fs_info;
335 if (info->mount_opts.max <= BINDERFS_MAX_MINOR)
336 seq_printf(seq, ",max=%d", info->mount_opts.max);
337
338 return 0;
339}
340
341static const struct super_operations binderfs_super_ops = {
342 .evict_inode = binderfs_evict_inode,
343 .remount_fs = binderfs_remount,
344 .show_options = binderfs_show_mount_opts,
345 .statfs = simple_statfs,
346};
347
348static inline bool is_binderfs_control_device(const struct dentry *dentry)
349{
350 struct binderfs_info *info = dentry->d_sb->s_fs_info;
351 return info->control_dentry == dentry;
352}
353
354static int binderfs_rename(struct inode *old_dir, struct dentry *old_dentry,
355 struct inode *new_dir, struct dentry *new_dentry,
356 unsigned int flags)
357{
358 if (is_binderfs_control_device(old_dentry) ||
359 is_binderfs_control_device(new_dentry))
360 return -EPERM;
361
362 return simple_rename(old_dir, old_dentry, new_dir, new_dentry, flags);
363}
364
365static int binderfs_unlink(struct inode *dir, struct dentry *dentry)
366{
367 if (is_binderfs_control_device(dentry))
368 return -EPERM;
369
370 return simple_unlink(dir, dentry);
371}
372
373static const struct file_operations binder_ctl_fops = {
374 .owner = THIS_MODULE,
375 .open = nonseekable_open,
376 .unlocked_ioctl = binder_ctl_ioctl,
377 .compat_ioctl = binder_ctl_ioctl,
378 .llseek = noop_llseek,
379};
380
381/**
382 * binderfs_binder_ctl_create - create a new binder-control device
383 * @sb: super block of the binderfs mount
384 *
385 * This function creates a new binder-control device node in the binderfs mount
386 * referred to by @sb.
387 *
388 * Return: 0 on success, negative errno on failure
389 */
390static int binderfs_binder_ctl_create(struct super_block *sb)
391{
392 int minor, ret;
393 struct dentry *dentry;
394 struct binder_device *device;
395 struct inode *inode = NULL;
396 struct dentry *root = sb->s_root;
397 struct binderfs_info *info = sb->s_fs_info;
398#if defined(CONFIG_IPC_NS)
399 bool use_reserve = (info->ipc_ns == &init_ipc_ns);
400#else
401 bool use_reserve = true;
402#endif
403
404 device = kzalloc(sizeof(*device), GFP_KERNEL);
405 if (!device)
406 return -ENOMEM;
407
408 /* If we have already created a binder-control node, return. */
409 if (info->control_dentry) {
410 ret = 0;
411 goto out;
412 }
413
414 ret = -ENOMEM;
415 inode = new_inode(sb);
416 if (!inode)
417 goto out;
418
419 /* Reserve a new minor number for the new device. */
420 mutex_lock(&binderfs_minors_mutex);
421 minor = ida_alloc_max(&binderfs_minors,
422 use_reserve ? BINDERFS_MAX_MINOR :
423 BINDERFS_MAX_MINOR_CAPPED,
424 GFP_KERNEL);
425 mutex_unlock(&binderfs_minors_mutex);
426 if (minor < 0) {
427 ret = minor;
428 goto out;
429 }
430
431 inode->i_ino = SECOND_INODE;
432 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
433 init_special_inode(inode, S_IFCHR | 0600,
434 MKDEV(MAJOR(binderfs_dev), minor));
435 inode->i_fop = &binder_ctl_fops;
436 inode->i_uid = info->root_uid;
437 inode->i_gid = info->root_gid;
438
439 device->binderfs_inode = inode;
440 device->miscdev.minor = minor;
441
442 dentry = d_alloc_name(root, "binder-control");
443 if (!dentry)
444 goto out;
445
446 inode->i_private = device;
447 info->control_dentry = dentry;
448 d_add(dentry, inode);
449
450 return 0;
451
452out:
453 kfree(device);
454 iput(inode);
455
456 return ret;
457}
458
459static const struct inode_operations binderfs_dir_inode_operations = {
460 .lookup = simple_lookup,
461 .rename = binderfs_rename,
462 .unlink = binderfs_unlink,
463};
464
465static int binderfs_fill_super(struct super_block *sb, void *data, int silent)
466{
467 int ret;
468 struct binderfs_info *info;
469 struct inode *inode = NULL;
470
471 sb->s_blocksize = PAGE_SIZE;
472 sb->s_blocksize_bits = PAGE_SHIFT;
473
474 /*
475 * The binderfs filesystem can be mounted by userns root in a
476 * non-initial userns. By default such mounts have the SB_I_NODEV flag
477 * set in s_iflags to prevent security issues where userns root can
478 * just create random device nodes via mknod() since it owns the
479 * filesystem mount. But binderfs does not allow to create any files
480 * including devices nodes. The only way to create binder devices nodes
481 * is through the binder-control device which userns root is explicitly
482 * allowed to do. So removing the SB_I_NODEV flag from s_iflags is both
483 * necessary and safe.
484 */
485 sb->s_iflags &= ~SB_I_NODEV;
486 sb->s_iflags |= SB_I_NOEXEC;
487 sb->s_magic = BINDERFS_SUPER_MAGIC;
488 sb->s_op = &binderfs_super_ops;
489 sb->s_time_gran = 1;
490
491 sb->s_fs_info = kzalloc(sizeof(struct binderfs_info), GFP_KERNEL);
492 if (!sb->s_fs_info)
493 return -ENOMEM;
494 info = sb->s_fs_info;
495
496 info->ipc_ns = get_ipc_ns(current->nsproxy->ipc_ns);
497
498 ret = binderfs_parse_mount_opts(data, &info->mount_opts);
499 if (ret)
500 return ret;
501
502 info->root_gid = make_kgid(sb->s_user_ns, 0);
503 if (!gid_valid(info->root_gid))
504 info->root_gid = GLOBAL_ROOT_GID;
505 info->root_uid = make_kuid(sb->s_user_ns, 0);
506 if (!uid_valid(info->root_uid))
507 info->root_uid = GLOBAL_ROOT_UID;
508
509 inode = new_inode(sb);
510 if (!inode)
511 return -ENOMEM;
512
513 inode->i_ino = FIRST_INODE;
514 inode->i_fop = &simple_dir_operations;
515 inode->i_mode = S_IFDIR | 0755;
516 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
517 inode->i_op = &binderfs_dir_inode_operations;
518 set_nlink(inode, 2);
519
520 sb->s_root = d_make_root(inode);
521 if (!sb->s_root)
522 return -ENOMEM;
523
524 return binderfs_binder_ctl_create(sb);
525}
526
527static struct dentry *binderfs_mount(struct file_system_type *fs_type,
528 int flags, const char *dev_name,
529 void *data)
530{
531 return mount_nodev(fs_type, flags, data, binderfs_fill_super);
532}
533
534static void binderfs_kill_super(struct super_block *sb)
535{
536 struct binderfs_info *info = sb->s_fs_info;
537
538 kill_litter_super(sb);
539
540 if (info && info->ipc_ns)
541 put_ipc_ns(info->ipc_ns);
542
543 kfree(info);
544}
545
546static struct file_system_type binder_fs_type = {
547 .name = "binder",
548 .mount = binderfs_mount,
549 .kill_sb = binderfs_kill_super,
550 .fs_flags = FS_USERNS_MOUNT,
551};
552
553int __init init_binderfs(void)
554{
555 int ret;
556
557 /* Allocate new major number for binderfs. */
558 ret = alloc_chrdev_region(&binderfs_dev, 0, BINDERFS_MAX_MINOR,
559 "binder");
560 if (ret)
561 return ret;
562
563 ret = register_filesystem(&binder_fs_type);
564 if (ret) {
565 unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR);
566 return ret;
567 }
568
569 return ret;
570}
571