binderfs.c source code [linux/drivers/android/binderfs.c]

1	// SPDX-License-Identifier: GPL-2.0
2
3	#include <linux/compiler_types.h>
4	#include <linux/errno.h>
5	#include <linux/fs.h>
6	#include <linux/fsnotify.h>
7	#include <linux/gfp.h>
8	#include <linux/idr.h>
9	#include <linux/init.h>
10	#include <linux/ipc_namespace.h>
11	#include <linux/kdev_t.h>
12	#include <linux/kernel.h>
13	#include <linux/list.h>
14	#include <linux/namei.h>
15	#include <linux/magic.h>
16	#include <linux/major.h>
17	#include <linux/miscdevice.h>
18	#include <linux/module.h>
19	#include <linux/mutex.h>
20	#include <linux/mount.h>
21	#include <linux/fs_parser.h>
22	#include <linux/sched.h>
23	#include <linux/seq_file.h>
24	#include <linux/slab.h>
25	#include <linux/spinlock_types.h>
26	#include <linux/stddef.h>
27	#include <linux/string.h>
28	#include <linux/types.h>
29	#include <linux/uaccess.h>
30	#include <linux/user_namespace.h>
31	#include <linux/xarray.h>
32	#include <uapi/asm-generic/errno-base.h>
33	#include <uapi/linux/android/binder.h>
34	#include <uapi/linux/android/binderfs.h>
35
36	#include "binder_internal.h"
37
38	#define FIRST_INODE 1
39	#define SECOND_INODE 2
40	#define INODE_OFFSET 3
41	#define BINDERFS_MAX_MINOR (1U << MINORBITS)
42	/ Ensure that the initial ipc namespace always has devices available. /
43	#define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4)
44
45	static dev_t binderfs_dev;
46	static DEFINE_MUTEX(binderfs_minors_mutex);
47	static DEFINE_IDA(binderfs_minors);
48
49	enum binderfs_param {
50	Opt_max,
51	Opt_stats_mode,
52	};
53
54	enum binderfs_stats_mode {
55	binderfs_stats_mode_unset,
56	binderfs_stats_mode_global,
57	};
58
59	struct binder_features {
60	bool oneway_spam_detection;
61	bool extended_error;
62	};
63
64	static const struct constant_table binderfs_param_stats[] = {
65	{ "global", binderfs_stats_mode_global },
66	{}
67	};
68
69	static const struct fs_parameter_spec binderfs_fs_parameters[] = {
70	fsparam_u32("max", Opt_max),
71	fsparam_enum("stats", Opt_stats_mode, binderfs_param_stats),
72	{}
73	};
74
75	static struct binder_features binder_features = {
76	.oneway_spam_detection = true,
77	.extended_error = true,
78	};
79
80	static inline struct binderfs_info BINDERFS_SB(const* struct super_block *sb)
81	{
82	return sb->s_fs_info;
83	}
84
85	bool is_binderfs_device(const struct inode *inode)
86	{
87	if (inode->i_sb->s_magic == BINDERFS_SUPER_MAGIC)
88	return true;
89
90	return false;
91	}
92
93	/**
94	* binderfs_binder_device_create - allocate inode from super block of a
95	* binderfs mount
96	* @ref_inode: inode from which the super block will be taken
97	* @userp: buffer to copy information about new device for userspace to
98	* @req: struct binderfs_device as copied from userspace
99	*
100	* This function allocates a new binder_device and reserves a new minor
101	* number for it.
102	* Minor numbers are limited and tracked globally in binderfs_minors. The
103	* function will stash a struct binder_device for the specific binder
104	* device in i_private of the inode.
105	* It will go on to allocate a new inode from the super block of the
106	* filesystem mount, stash a struct binder_device in its i_private field
107	* and attach a dentry to that inode.
108	*
109	* Return: 0 on success, negative errno on failure
110	*/
111	static int binderfs_binder_device_create(struct inode *ref_inode,
112	struct binderfs_device __user *userp,
113	struct binderfs_device *req)
114	{
115	int minor, ret;
116	struct dentry dentry, root;
117	struct binder_device *device;
118	char *name = NULL;
119	size_t name_len;
120	struct inode *inode = NULL;
121	struct super_block *sb = ref_inode->i_sb;
122	struct binderfs_info *info = sb->s_fs_info;
123	#if defined(CONFIG_IPC_NS)
124	bool use_reserve = (info->ipc_ns == &init_ipc_ns);
125	#else
126	bool use_reserve = true;
127	#endif
128
129	/ Reserve new minor number for the new device. /
130	mutex_lock(&binderfs_minors_mutex);
131	if (++info->device_count <= info->mount_opts.max)
132	minor = ida_alloc_max(ida: &binderfs_minors,
133	max: use_reserve ? BINDERFS_MAX_MINOR :
134	BINDERFS_MAX_MINOR_CAPPED,
135	GFP_KERNEL);
136	else
137	minor = -ENOSPC;
138	if (minor < `0`) {
139	--info->device_count;
140	mutex_unlock(lock: &binderfs_minors_mutex);
141	return minor;
142	}
143	mutex_unlock(lock: &binderfs_minors_mutex);
144
145	ret = -ENOMEM;
146	device = kzalloc(size: sizeof(*device), GFP_KERNEL);
147	if (!device)
148	goto err;
149
150	inode = new_inode(sb);
151	if (!inode)
152	goto err;
153
154	inode->i_ino = minor + INODE_OFFSET;
155	simple_inode_init_ts(inode);
156	init_special_inode(inode, S_IFCHR \| `0600`,
157	MKDEV(MAJOR(binderfs_dev), minor));
158	inode->i_fop = &binder_fops;
159	inode->i_uid = info->root_uid;
160	inode->i_gid = info->root_gid;
161
162	req->name[BINDERFS_MAX_NAME] = `'\0'`; / NUL-terminate /
163	name_len = strlen(req->name);
164	/ Make sure to include terminating NUL byte /
165	name = kmemdup(p: req->name, size: name_len + `1`, GFP_KERNEL);
166	if (!name)
167	goto err;
168
169	refcount_set(r: &device->ref, n: `1`);
170	device->binderfs_inode = inode;
171	device->context.binder_context_mgr_uid = INVALID_UID;
172	device->context.name = name;
173	device->miscdev.name = name;
174	device->miscdev.minor = minor;
175	mutex_init(&device->context.context_mgr_node_lock);
176
177	req->major = MAJOR(binderfs_dev);
178	req->minor = minor;
179
180	if (userp && copy_to_user(to: userp, from: req, n: sizeof(*req))) {
181	ret = -EFAULT;
182	goto err;
183	}
184
185	root = sb->s_root;
186	inode_lock(inode: d_inode(dentry: root));
187
188	/ look it up /
189	dentry = lookup_one_len(name, root, name_len);
190	if (IS_ERR(ptr: dentry)) {
191	inode_unlock(inode: d_inode(dentry: root));
192	ret = PTR_ERR(ptr: dentry);
193	goto err;
194	}
195
196	if (d_really_is_positive(dentry)) {
197	/ already exists /
198	dput(dentry);
199	inode_unlock(inode: d_inode(dentry: root));
200	ret = -EEXIST;
201	goto err;
202	}
203
204	inode->i_private = device;
205	d_instantiate(dentry, inode);
206	fsnotify_create(dir: root->d_inode, dentry);
207	inode_unlock(inode: d_inode(dentry: root));
208
209	return `0`;
210
211	err:
212	kfree(objp: name);
213	kfree(objp: device);
214	mutex_lock(&binderfs_minors_mutex);
215	--info->device_count;
216	ida_free(&binderfs_minors, id: minor);
217	mutex_unlock(lock: &binderfs_minors_mutex);
218	iput(inode);
219
220	return ret;
221	}
222
223	/**
224	* binder_ctl_ioctl - handle binder device node allocation requests
225	*
226	* The request handler for the binder-control device. All requests operate on
227	* the binderfs mount the binder-control device resides in:
228	* - BINDER_CTL_ADD
229	* Allocate a new binder device.
230	*
231	* Return: %0 on success, negative errno on failure.
232	*/
233	static long binder_ctl_ioctl(struct file file, unsigned* int cmd,
234	unsigned long arg)
235	{
236	int ret = -EINVAL;
237	struct inode *inode = file_inode(f: file);
238	struct binderfs_device __user device = (struct* binderfs_device __user *)arg;
239	struct binderfs_device device_req;
240
241	switch (cmd) {
242	case BINDER_CTL_ADD:
243	ret = copy_from_user(to: &device_req, from: device, n: sizeof(device_req));
244	if (ret) {
245	ret = -EFAULT;
246	break;
247	}
248
249	ret = binderfs_binder_device_create(ref_inode: inode, userp: device, req: &device_req);
250	break;
251	default:
252	break;
253	}
254
255	return ret;
256	}
257
258	static void binderfs_evict_inode(struct inode *inode)
259	{
260	struct binder_device *device = inode->i_private;
261	struct binderfs_info *info = BINDERFS_SB(sb: inode->i_sb);
262
263	clear_inode(inode);
264
265	if (!S_ISCHR(inode->i_mode) \|\| !device)
266	return;
267
268	mutex_lock(&binderfs_minors_mutex);
269	--info->device_count;
270	ida_free(&binderfs_minors, id: device->miscdev.minor);
271	mutex_unlock(lock: &binderfs_minors_mutex);
272
273	if (refcount_dec_and_test(r: &device->ref)) {
274	kfree(objp: device->context.name);
275	kfree(objp: device);
276	}
277	}
278
279	static int binderfs_fs_context_parse_param(struct fs_context *fc,
280	struct fs_parameter *param)
281	{
282	int opt;
283	struct binderfs_mount_opts *ctx = fc->fs_private;
284	struct fs_parse_result result;
285
286	opt = fs_parse(fc, desc: binderfs_fs_parameters, param, result: &result);
287	if (opt < `0`)
288	return opt;
289
290	switch (opt) {
291	case Opt_max:
292	if (result.uint_32 > BINDERFS_MAX_MINOR)
293	return invalfc(fc, "Bad value for '%s'", param->key);
294
295	ctx->max = result.uint_32;
296	break;
297	case Opt_stats_mode:
298	if (!capable(CAP_SYS_ADMIN))
299	return -EPERM;
300
301	ctx->stats_mode = result.uint_32;
302	break;
303	default:
304	return invalfc(fc, "Unsupported parameter '%s'", param->key);
305	}
306
307	return `0`;
308	}
309
310	static int binderfs_fs_context_reconfigure(struct fs_context *fc)
311	{
312	struct binderfs_mount_opts *ctx = fc->fs_private;
313	struct binderfs_info *info = BINDERFS_SB(sb: fc->root->d_sb);
314
315	if (info->mount_opts.stats_mode != ctx->stats_mode)
316	return invalfc(fc, "Binderfs stats mode cannot be changed during a remount");
317
318	info->mount_opts.stats_mode = ctx->stats_mode;
319	info->mount_opts.max = ctx->max;
320	return `0`;
321	}
322
323	static int binderfs_show_options(struct seq_file seq, struct* dentry *root)
324	{
325	struct binderfs_info *info = BINDERFS_SB(sb: root->d_sb);
326
327	if (info->mount_opts.max <= BINDERFS_MAX_MINOR)
328	seq_printf(m: seq, fmt: ",max=%d", info->mount_opts.max);
329
330	switch (info->mount_opts.stats_mode) {
331	case binderfs_stats_mode_unset:
332	break;
333	case binderfs_stats_mode_global:
334	seq_printf(m: seq, fmt: ",stats=global");
335	break;
336	}
337
338	return `0`;
339	}
340
341	static const struct super_operations binderfs_super_ops = {
342	.evict_inode = binderfs_evict_inode,
343	.show_options = binderfs_show_options,
344	.statfs = simple_statfs,
345	};
346
347	static inline bool is_binderfs_control_device(const struct dentry *dentry)
348	{
349	struct binderfs_info *info = dentry->d_sb->s_fs_info;
350
351	return info->control_dentry == dentry;
352	}
353
354	static int binderfs_rename(struct mnt_idmap *idmap,
355	struct inode old_dir, struct* dentry *old_dentry,
356	struct inode new_dir, struct* dentry *new_dentry,
357	unsigned int flags)
358	{
359	if (is_binderfs_control_device(dentry: old_dentry) \|\|
360	is_binderfs_control_device(dentry: new_dentry))
361	return -EPERM;
362
363	return simple_rename(idmap, old_dir, old_dentry, new_dir,
364	new_dentry, flags);
365	}
366
367	static int binderfs_unlink(struct inode dir, struct* dentry *dentry)
368	{
369	if (is_binderfs_control_device(dentry))
370	return -EPERM;
371
372	return simple_unlink(dir, dentry);
373	}
374
375	static const struct file_operations binder_ctl_fops = {
376	.owner = THIS_MODULE,
377	.open = nonseekable_open,
378	.unlocked_ioctl = binder_ctl_ioctl,
379	.compat_ioctl = binder_ctl_ioctl,
380	.llseek = noop_llseek,
381	};
382
383	/**
384	* binderfs_binder_ctl_create - create a new binder-control device
385	* @sb: super block of the binderfs mount
386	*
387	* This function creates a new binder-control device node in the binderfs mount
388	* referred to by @sb.
389	*
390	* Return: 0 on success, negative errno on failure
391	*/
392	static int binderfs_binder_ctl_create(struct super_block *sb)
393	{
394	int minor, ret;
395	struct dentry *dentry;
396	struct binder_device *device;
397	struct inode *inode = NULL;
398	struct dentry *root = sb->s_root;
399	struct binderfs_info *info = sb->s_fs_info;
400	#if defined(CONFIG_IPC_NS)
401	bool use_reserve = (info->ipc_ns == &init_ipc_ns);
402	#else
403	bool use_reserve = true;
404	#endif
405
406	device = kzalloc(size: sizeof(*device), GFP_KERNEL);
407	if (!device)
408	return -ENOMEM;
409
410	/ If we have already created a binder-control node, return. /
411	if (info->control_dentry) {
412	ret = `0`;
413	goto out;
414	}
415
416	ret = -ENOMEM;
417	inode = new_inode(sb);
418	if (!inode)
419	goto out;
420
421	/ Reserve a new minor number for the new device. /
422	mutex_lock(&binderfs_minors_mutex);
423	minor = ida_alloc_max(ida: &binderfs_minors,
424	max: use_reserve ? BINDERFS_MAX_MINOR :
425	BINDERFS_MAX_MINOR_CAPPED,
426	GFP_KERNEL);
427	mutex_unlock(lock: &binderfs_minors_mutex);
428	if (minor < `0`) {
429	ret = minor;
430	goto out;
431	}
432
433	inode->i_ino = SECOND_INODE;
434	simple_inode_init_ts(inode);
435	init_special_inode(inode, S_IFCHR \| `0600`,
436	MKDEV(MAJOR(binderfs_dev), minor));
437	inode->i_fop = &binder_ctl_fops;
438	inode->i_uid = info->root_uid;
439	inode->i_gid = info->root_gid;
440
441	refcount_set(r: &device->ref, n: `1`);
442	device->binderfs_inode = inode;
443	device->miscdev.minor = minor;
444
445	dentry = d_alloc_name(root, "binder-control");
446	if (!dentry)
447	goto out;
448
449	inode->i_private = device;
450	info->control_dentry = dentry;
451	d_add(dentry, inode);
452
453	return `0`;
454
455	out:
456	kfree(objp: device);
457	iput(inode);
458
459	return ret;
460	}
461
462	static const struct inode_operations binderfs_dir_inode_operations = {
463	.lookup = simple_lookup,
464	.rename = binderfs_rename,
465	.unlink = binderfs_unlink,
466	};
467
468	static struct inode binderfs_make_inode(struct* super_block sb, int* mode)
469	{
470	struct inode *ret;
471
472	ret = new_inode(sb);
473	if (ret) {
474	ret->i_ino = iunique(sb, BINDERFS_MAX_MINOR + INODE_OFFSET);
475	ret->i_mode = mode;
476	simple_inode_init_ts(inode: ret);
477	}
478	return ret;
479	}
480
481	static struct dentry binderfs_create_dentry(struct* dentry *parent,
482	const char *name)
483	{
484	struct dentry *dentry;
485
486	dentry = lookup_one_len(name, parent, strlen(name));
487	if (IS_ERR(ptr: dentry))
488	return dentry;
489
490	/ Return error if the file/dir already exists. /
491	if (d_really_is_positive(dentry)) {
492	dput(dentry);
493	return ERR_PTR(error: -EEXIST);
494	}
495
496	return dentry;
497	}
498
499	void binderfs_remove_file(struct dentry *dentry)
500	{
501	struct inode *parent_inode;
502
503	parent_inode = d_inode(dentry: dentry->d_parent);
504	inode_lock(inode: parent_inode);
505	if (simple_positive(dentry)) {
506	dget(dentry);
507	simple_unlink(parent_inode, dentry);
508	d_delete(dentry);
509	dput(dentry);
510	}
511	inode_unlock(inode: parent_inode);
512	}
513
514	struct dentry binderfs_create_file(struct* dentry parent, const* char *name,
515	const struct file_operations *fops,
516	void *data)
517	{
518	struct dentry *dentry;
519	struct inode new_inode, parent_inode;
520	struct super_block *sb;
521
522	parent_inode = d_inode(dentry: parent);
523	inode_lock(inode: parent_inode);
524
525	dentry = binderfs_create_dentry(parent, name);
526	if (IS_ERR(ptr: dentry))
527	goto out;
528
529	sb = parent_inode->i_sb;
530	new_inode = binderfs_make_inode(sb, S_IFREG \| `0444`);
531	if (!new_inode) {
532	dput(dentry);
533	dentry = ERR_PTR(error: -ENOMEM);
534	goto out;
535	}
536
537	new_inode->i_fop = fops;
538	new_inode->i_private = data;
539	d_instantiate(dentry, new_inode);
540	fsnotify_create(dir: parent_inode, dentry);
541
542	out:
543	inode_unlock(inode: parent_inode);
544	return dentry;
545	}
546
547	static struct dentry binderfs_create_dir(struct* dentry *parent,
548	const char *name)
549	{
550	struct dentry *dentry;
551	struct inode new_inode, parent_inode;
552	struct super_block *sb;
553
554	parent_inode = d_inode(dentry: parent);
555	inode_lock(inode: parent_inode);
556
557	dentry = binderfs_create_dentry(parent, name);
558	if (IS_ERR(ptr: dentry))
559	goto out;
560
561	sb = parent_inode->i_sb;
562	new_inode = binderfs_make_inode(sb, S_IFDIR \| `0755`);
563	if (!new_inode) {
564	dput(dentry);
565	dentry = ERR_PTR(error: -ENOMEM);
566	goto out;
567	}
568
569	new_inode->i_fop = &simple_dir_operations;
570	new_inode->i_op = &simple_dir_inode_operations;
571
572	set_nlink(inode: new_inode, nlink: `2`);
573	d_instantiate(dentry, new_inode);
574	inc_nlink(inode: parent_inode);
575	fsnotify_mkdir(dir: parent_inode, dentry);
576
577	out:
578	inode_unlock(inode: parent_inode);
579	return dentry;
580	}
581
582	static int binder_features_show(struct seq_file m, void* *unused)
583	{
584	bool *feature = m->private;
585
586	seq_printf(m, fmt: "%d\n", *feature);
587
588	return `0`;
589	}
590	DEFINE_SHOW_ATTRIBUTE(binder_features);
591
592	static int init_binder_features(struct super_block *sb)
593	{
594	struct dentry dentry, dir;
595
596	dir = binderfs_create_dir(parent: sb->s_root, name: "features");
597	if (IS_ERR(ptr: dir))
598	return PTR_ERR(ptr: dir);
599
600	dentry = binderfs_create_file(parent: dir, name: "oneway_spam_detection",
601	fops: &binder_features_fops,
602	data: &binder_features.oneway_spam_detection);
603	if (IS_ERR(ptr: dentry))
604	return PTR_ERR(ptr: dentry);
605
606	dentry = binderfs_create_file(parent: dir, name: "extended_error",
607	fops: &binder_features_fops,
608	data: &binder_features.extended_error);
609	if (IS_ERR(ptr: dentry))
610	return PTR_ERR(ptr: dentry);
611
612	return `0`;
613	}
614
615	static int init_binder_logs(struct super_block *sb)
616	{
617	struct dentry binder_logs_root_dir, dentry, *proc_log_dir;
618	const struct binder_debugfs_entry *db_entry;
619	struct binderfs_info *info;
620	int ret = `0`;
621
622	binder_logs_root_dir = binderfs_create_dir(parent: sb->s_root,
623	name: "binder_logs");
624	if (IS_ERR(ptr: binder_logs_root_dir)) {
625	ret = PTR_ERR(ptr: binder_logs_root_dir);
626	goto out;
627	}
628
629	binder_for_each_debugfs_entry(db_entry) {
630	dentry = binderfs_create_file(parent: binder_logs_root_dir,
631	name: db_entry->name,
632	fops: db_entry->fops,
633	data: db_entry->data);
634	if (IS_ERR(ptr: dentry)) {
635	ret = PTR_ERR(ptr: dentry);
636	goto out;
637	}
638	}
639
640	proc_log_dir = binderfs_create_dir(parent: binder_logs_root_dir, name: "proc");
641	if (IS_ERR(ptr: proc_log_dir)) {
642	ret = PTR_ERR(ptr: proc_log_dir);
643	goto out;
644	}
645	info = sb->s_fs_info;
646	info->proc_log_dir = proc_log_dir;
647
648	out:
649	return ret;
650	}
651
652	static int binderfs_fill_super(struct super_block sb, struct* fs_context *fc)
653	{
654	int ret;
655	struct binderfs_info *info;
656	struct binderfs_mount_opts *ctx = fc->fs_private;
657	struct inode *inode = NULL;
658	struct binderfs_device device_info = {};
659	const char *name;
660	size_t len;
661
662	sb->s_blocksize = PAGE_SIZE;
663	sb->s_blocksize_bits = PAGE_SHIFT;
664
665	/*
666	* The binderfs filesystem can be mounted by userns root in a
667	* non-initial userns. By default such mounts have the SB_I_NODEV flag
668	* set in s_iflags to prevent security issues where userns root can
669	* just create random device nodes via mknod() since it owns the
670	* filesystem mount. But binderfs does not allow to create any files
671	* including devices nodes. The only way to create binder devices nodes
672	* is through the binder-control device which userns root is explicitly
673	* allowed to do. So removing the SB_I_NODEV flag from s_iflags is both
674	* necessary and safe.
675	*/
676	sb->s_iflags &= ~SB_I_NODEV;
677	sb->s_iflags \|= SB_I_NOEXEC;
678	sb->s_magic = BINDERFS_SUPER_MAGIC;
679	sb->s_op = &binderfs_super_ops;
680	sb->s_time_gran = `1`;
681
682	sb->s_fs_info = kzalloc(size: sizeof(struct binderfs_info), GFP_KERNEL);
683	if (!sb->s_fs_info)
684	return -ENOMEM;
685	info = sb->s_fs_info;
686
687	info->ipc_ns = get_ipc_ns(current->nsproxy->ipc_ns);
688
689	info->root_gid = make_kgid(from: sb->s_user_ns, gid: `0`);
690	if (!gid_valid(gid: info->root_gid))
691	info->root_gid = GLOBAL_ROOT_GID;
692	info->root_uid = make_kuid(sb->s_user_ns, `0`);
693	if (!uid_valid(info->root_uid))
694	info->root_uid = GLOBAL_ROOT_UID;
695	info->mount_opts.max = ctx->max;
696	info->mount_opts.stats_mode = ctx->stats_mode;
697
698	inode = new_inode(sb);
699	if (!inode)
700	return -ENOMEM;
701
702	inode->i_ino = FIRST_INODE;
703	inode->i_fop = &simple_dir_operations;
704	inode->i_mode = S_IFDIR \| `0755`;
705	simple_inode_init_ts(inode);
706	inode->i_op = &binderfs_dir_inode_operations;
707	set_nlink(inode, `2`);
708
709	sb->s_root = d_make_root(inode);
710	if (!sb->s_root)
711	return -ENOMEM;
712
713	ret = binderfs_binder_ctl_create(sb);
714	if (ret)
715	return ret;
716
717	name = binder_devices_param;
718	for (len = strcspn(name, ","); len > `0`; len = strcspn(name, ",")) {
719	strscpy(device_info.name, name, len + `1`);
720	ret = binderfs_binder_device_create(inode, NULL, &device_info);
721	if (ret)
722	return ret;
723	name += len;
724	if (*name == `','`)
725	name++;
726	}
727
728	ret = init_binder_features(sb);
729	if (ret)
730	return ret;
731
732	if (info->mount_opts.stats_mode == binderfs_stats_mode_global)
733	return init_binder_logs(sb);
734
735	return `0`;
736	}
737
738	static int binderfs_fs_context_get_tree(struct fs_context *fc)
739	{
740	return get_tree_nodev(fc, fill_super: binderfs_fill_super);
741	}
742
743	static void binderfs_fs_context_free(struct fs_context *fc)
744	{
745	struct binderfs_mount_opts *ctx = fc->fs_private;
746
747	kfree(objp: ctx);
748	}
749
750	static const struct fs_context_operations binderfs_fs_context_ops = {
751	.free = binderfs_fs_context_free,
752	.get_tree = binderfs_fs_context_get_tree,
753	.parse_param = binderfs_fs_context_parse_param,
754	.reconfigure = binderfs_fs_context_reconfigure,
755	};
756
757	static int binderfs_init_fs_context(struct fs_context *fc)
758	{
759	struct binderfs_mount_opts *ctx;
760
761	ctx = kzalloc(size: sizeof(struct binderfs_mount_opts), GFP_KERNEL);
762	if (!ctx)
763	return -ENOMEM;
764
765	ctx->max = BINDERFS_MAX_MINOR;
766	ctx->stats_mode = binderfs_stats_mode_unset;
767
768	fc->fs_private = ctx;
769	fc->ops = &binderfs_fs_context_ops;
770
771	return `0`;
772	}
773
774	static void binderfs_kill_super(struct super_block *sb)
775	{
776	struct binderfs_info *info = sb->s_fs_info;
777
778	/*
779	* During inode eviction struct binderfs_info is needed.
780	* So first wipe the super_block then free struct binderfs_info.
781	*/
782	kill_litter_super(sb);
783
784	if (info && info->ipc_ns)
785	put_ipc_ns(ns: info->ipc_ns);
786
787	kfree(objp: info);
788	}
789
790	static struct file_system_type binder_fs_type = {
791	.name = "binder",
792	.init_fs_context = binderfs_init_fs_context,
793	.parameters = binderfs_fs_parameters,
794	.kill_sb = binderfs_kill_super,
795	.fs_flags = FS_USERNS_MOUNT,
796	};
797
798	int __init init_binderfs(void)
799	{
800	int ret;
801	const char *name;
802	size_t len;
803
804	/ Verify that the default binderfs device names are valid. /
805	name = binder_devices_param;
806	for (len = strcspn(name, ","); len > `0`; len = strcspn(name, ",")) {
807	if (len > BINDERFS_MAX_NAME)
808	return -E2BIG;
809	name += len;
810	if (*name == `','`)
811	name++;
812	}
813
814	/ Allocate new major number for binderfs. /
815	ret = alloc_chrdev_region(&binderfs_dev, `0`, BINDERFS_MAX_MINOR,
816	"binder");
817	if (ret)
818	return ret;
819
820	ret = register_filesystem(&binder_fs_type);
821	if (ret) {
822	unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR);
823	return ret;
824	}
825
826	return ret;
827	}
828

source code of linux/drivers/android/binderfs.c