This source file includes following definitions.
- BINDERFS_I
- is_binderfs_device
- binderfs_binder_device_create
- binder_ctl_ioctl
- binderfs_evict_inode
- binderfs_parse_mount_opts
- binderfs_remount
- binderfs_show_mount_opts
- is_binderfs_control_device
- binderfs_rename
- binderfs_unlink
- binderfs_binder_ctl_create
- binderfs_make_inode
- binderfs_create_dentry
- binderfs_remove_file
- binderfs_create_file
- binderfs_create_dir
- init_binder_logs
- binderfs_fill_super
- binderfs_mount
- binderfs_kill_super
- init_binderfs
1
2
3 #include <linux/compiler_types.h>
4 #include <linux/errno.h>
5 #include <linux/fs.h>
6 #include <linux/fsnotify.h>
7 #include <linux/gfp.h>
8 #include <linux/idr.h>
9 #include <linux/init.h>
10 #include <linux/ipc_namespace.h>
11 #include <linux/kdev_t.h>
12 #include <linux/kernel.h>
13 #include <linux/list.h>
14 #include <linux/namei.h>
15 #include <linux/magic.h>
16 #include <linux/major.h>
17 #include <linux/miscdevice.h>
18 #include <linux/module.h>
19 #include <linux/mutex.h>
20 #include <linux/mount.h>
21 #include <linux/parser.h>
22 #include <linux/radix-tree.h>
23 #include <linux/sched.h>
24 #include <linux/seq_file.h>
25 #include <linux/slab.h>
26 #include <linux/spinlock_types.h>
27 #include <linux/stddef.h>
28 #include <linux/string.h>
29 #include <linux/types.h>
30 #include <linux/uaccess.h>
31 #include <linux/user_namespace.h>
32 #include <linux/xarray.h>
33 #include <uapi/asm-generic/errno-base.h>
34 #include <uapi/linux/android/binder.h>
35 #include <uapi/linux/android/binderfs.h>
36
37 #include "binder_internal.h"
38
39 #define FIRST_INODE 1
40 #define SECOND_INODE 2
41 #define INODE_OFFSET 3
42 #define INTSTRLEN 21
43 #define BINDERFS_MAX_MINOR (1U << MINORBITS)
44
45 #define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4)
46
47 static dev_t binderfs_dev;
48 static DEFINE_MUTEX(binderfs_minors_mutex);
49 static DEFINE_IDA(binderfs_minors);
50
51 enum {
52 Opt_max,
53 Opt_stats_mode,
54 Opt_err
55 };
56
57 enum binderfs_stats_mode {
58 STATS_NONE,
59 STATS_GLOBAL,
60 };
61
62 static const match_table_t tokens = {
63 { Opt_max, "max=%d" },
64 { Opt_stats_mode, "stats=%s" },
65 { Opt_err, NULL }
66 };
67
68 static inline struct binderfs_info *BINDERFS_I(const struct inode *inode)
69 {
70 return inode->i_sb->s_fs_info;
71 }
72
73 bool is_binderfs_device(const struct inode *inode)
74 {
75 if (inode->i_sb->s_magic == BINDERFS_SUPER_MAGIC)
76 return true;
77
78 return false;
79 }
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99 static int binderfs_binder_device_create(struct inode *ref_inode,
100 struct binderfs_device __user *userp,
101 struct binderfs_device *req)
102 {
103 int minor, ret;
104 struct dentry *dentry, *root;
105 struct binder_device *device;
106 char *name = NULL;
107 size_t name_len;
108 struct inode *inode = NULL;
109 struct super_block *sb = ref_inode->i_sb;
110 struct binderfs_info *info = sb->s_fs_info;
111 #if defined(CONFIG_IPC_NS)
112 bool use_reserve = (info->ipc_ns == &init_ipc_ns);
113 #else
114 bool use_reserve = true;
115 #endif
116
117
118 mutex_lock(&binderfs_minors_mutex);
119 if (++info->device_count <= info->mount_opts.max)
120 minor = ida_alloc_max(&binderfs_minors,
121 use_reserve ? BINDERFS_MAX_MINOR :
122 BINDERFS_MAX_MINOR_CAPPED,
123 GFP_KERNEL);
124 else
125 minor = -ENOSPC;
126 if (minor < 0) {
127 --info->device_count;
128 mutex_unlock(&binderfs_minors_mutex);
129 return minor;
130 }
131 mutex_unlock(&binderfs_minors_mutex);
132
133 ret = -ENOMEM;
134 device = kzalloc(sizeof(*device), GFP_KERNEL);
135 if (!device)
136 goto err;
137
138 inode = new_inode(sb);
139 if (!inode)
140 goto err;
141
142 inode->i_ino = minor + INODE_OFFSET;
143 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
144 init_special_inode(inode, S_IFCHR | 0600,
145 MKDEV(MAJOR(binderfs_dev), minor));
146 inode->i_fop = &binder_fops;
147 inode->i_uid = info->root_uid;
148 inode->i_gid = info->root_gid;
149
150 req->name[BINDERFS_MAX_NAME] = '\0';
151 name_len = strlen(req->name);
152
153 name = kmemdup(req->name, name_len + 1, GFP_KERNEL);
154 if (!name)
155 goto err;
156
157 refcount_set(&device->ref, 1);
158 device->binderfs_inode = inode;
159 device->context.binder_context_mgr_uid = INVALID_UID;
160 device->context.name = name;
161 device->miscdev.name = name;
162 device->miscdev.minor = minor;
163 mutex_init(&device->context.context_mgr_node_lock);
164
165 req->major = MAJOR(binderfs_dev);
166 req->minor = minor;
167
168 if (userp && copy_to_user(userp, req, sizeof(*req))) {
169 ret = -EFAULT;
170 goto err;
171 }
172
173 root = sb->s_root;
174 inode_lock(d_inode(root));
175
176
177 dentry = lookup_one_len(name, root, name_len);
178 if (IS_ERR(dentry)) {
179 inode_unlock(d_inode(root));
180 ret = PTR_ERR(dentry);
181 goto err;
182 }
183
184 if (d_really_is_positive(dentry)) {
185
186 dput(dentry);
187 inode_unlock(d_inode(root));
188 ret = -EEXIST;
189 goto err;
190 }
191
192 inode->i_private = device;
193 d_instantiate(dentry, inode);
194 fsnotify_create(root->d_inode, dentry);
195 inode_unlock(d_inode(root));
196
197 return 0;
198
199 err:
200 kfree(name);
201 kfree(device);
202 mutex_lock(&binderfs_minors_mutex);
203 --info->device_count;
204 ida_free(&binderfs_minors, minor);
205 mutex_unlock(&binderfs_minors_mutex);
206 iput(inode);
207
208 return ret;
209 }
210
211
212
213
214
215
216
217
218
219
220
221 static long binder_ctl_ioctl(struct file *file, unsigned int cmd,
222 unsigned long arg)
223 {
224 int ret = -EINVAL;
225 struct inode *inode = file_inode(file);
226 struct binderfs_device __user *device = (struct binderfs_device __user *)arg;
227 struct binderfs_device device_req;
228
229 switch (cmd) {
230 case BINDER_CTL_ADD:
231 ret = copy_from_user(&device_req, device, sizeof(device_req));
232 if (ret) {
233 ret = -EFAULT;
234 break;
235 }
236
237 ret = binderfs_binder_device_create(inode, device, &device_req);
238 break;
239 default:
240 break;
241 }
242
243 return ret;
244 }
245
246 static void binderfs_evict_inode(struct inode *inode)
247 {
248 struct binder_device *device = inode->i_private;
249 struct binderfs_info *info = BINDERFS_I(inode);
250
251 clear_inode(inode);
252
253 if (!S_ISCHR(inode->i_mode) || !device)
254 return;
255
256 mutex_lock(&binderfs_minors_mutex);
257 --info->device_count;
258 ida_free(&binderfs_minors, device->miscdev.minor);
259 mutex_unlock(&binderfs_minors_mutex);
260
261 if (refcount_dec_and_test(&device->ref)) {
262 kfree(device->context.name);
263 kfree(device);
264 }
265 }
266
267
268
269
270
271 static int binderfs_parse_mount_opts(char *data,
272 struct binderfs_mount_opts *opts)
273 {
274 char *p, *stats;
275 opts->max = BINDERFS_MAX_MINOR;
276 opts->stats_mode = STATS_NONE;
277
278 while ((p = strsep(&data, ",")) != NULL) {
279 substring_t args[MAX_OPT_ARGS];
280 int token;
281 int max_devices;
282
283 if (!*p)
284 continue;
285
286 token = match_token(p, tokens, args);
287 switch (token) {
288 case Opt_max:
289 if (match_int(&args[0], &max_devices) ||
290 (max_devices < 0 ||
291 (max_devices > BINDERFS_MAX_MINOR)))
292 return -EINVAL;
293
294 opts->max = max_devices;
295 break;
296 case Opt_stats_mode:
297 if (!capable(CAP_SYS_ADMIN))
298 return -EINVAL;
299
300 stats = match_strdup(&args[0]);
301 if (!stats)
302 return -ENOMEM;
303
304 if (strcmp(stats, "global") != 0) {
305 kfree(stats);
306 return -EINVAL;
307 }
308
309 opts->stats_mode = STATS_GLOBAL;
310 kfree(stats);
311 break;
312 default:
313 pr_err("Invalid mount options\n");
314 return -EINVAL;
315 }
316 }
317
318 return 0;
319 }
320
321 static int binderfs_remount(struct super_block *sb, int *flags, char *data)
322 {
323 int prev_stats_mode, ret;
324 struct binderfs_info *info = sb->s_fs_info;
325
326 prev_stats_mode = info->mount_opts.stats_mode;
327 ret = binderfs_parse_mount_opts(data, &info->mount_opts);
328 if (ret)
329 return ret;
330
331 if (prev_stats_mode != info->mount_opts.stats_mode) {
332 pr_err("Binderfs stats mode cannot be changed during a remount\n");
333 info->mount_opts.stats_mode = prev_stats_mode;
334 return -EINVAL;
335 }
336
337 return 0;
338 }
339
340 static int binderfs_show_mount_opts(struct seq_file *seq, struct dentry *root)
341 {
342 struct binderfs_info *info;
343
344 info = root->d_sb->s_fs_info;
345 if (info->mount_opts.max <= BINDERFS_MAX_MINOR)
346 seq_printf(seq, ",max=%d", info->mount_opts.max);
347 if (info->mount_opts.stats_mode == STATS_GLOBAL)
348 seq_printf(seq, ",stats=global");
349
350 return 0;
351 }
352
353 static const struct super_operations binderfs_super_ops = {
354 .evict_inode = binderfs_evict_inode,
355 .remount_fs = binderfs_remount,
356 .show_options = binderfs_show_mount_opts,
357 .statfs = simple_statfs,
358 };
359
360 static inline bool is_binderfs_control_device(const struct dentry *dentry)
361 {
362 struct binderfs_info *info = dentry->d_sb->s_fs_info;
363 return info->control_dentry == dentry;
364 }
365
366 static int binderfs_rename(struct inode *old_dir, struct dentry *old_dentry,
367 struct inode *new_dir, struct dentry *new_dentry,
368 unsigned int flags)
369 {
370 if (is_binderfs_control_device(old_dentry) ||
371 is_binderfs_control_device(new_dentry))
372 return -EPERM;
373
374 return simple_rename(old_dir, old_dentry, new_dir, new_dentry, flags);
375 }
376
377 static int binderfs_unlink(struct inode *dir, struct dentry *dentry)
378 {
379 if (is_binderfs_control_device(dentry))
380 return -EPERM;
381
382 return simple_unlink(dir, dentry);
383 }
384
385 static const struct file_operations binder_ctl_fops = {
386 .owner = THIS_MODULE,
387 .open = nonseekable_open,
388 .unlocked_ioctl = binder_ctl_ioctl,
389 .compat_ioctl = binder_ctl_ioctl,
390 .llseek = noop_llseek,
391 };
392
393
394
395
396
397
398
399
400
401
402 static int binderfs_binder_ctl_create(struct super_block *sb)
403 {
404 int minor, ret;
405 struct dentry *dentry;
406 struct binder_device *device;
407 struct inode *inode = NULL;
408 struct dentry *root = sb->s_root;
409 struct binderfs_info *info = sb->s_fs_info;
410 #if defined(CONFIG_IPC_NS)
411 bool use_reserve = (info->ipc_ns == &init_ipc_ns);
412 #else
413 bool use_reserve = true;
414 #endif
415
416 device = kzalloc(sizeof(*device), GFP_KERNEL);
417 if (!device)
418 return -ENOMEM;
419
420
421 if (info->control_dentry) {
422 ret = 0;
423 goto out;
424 }
425
426 ret = -ENOMEM;
427 inode = new_inode(sb);
428 if (!inode)
429 goto out;
430
431
432 mutex_lock(&binderfs_minors_mutex);
433 minor = ida_alloc_max(&binderfs_minors,
434 use_reserve ? BINDERFS_MAX_MINOR :
435 BINDERFS_MAX_MINOR_CAPPED,
436 GFP_KERNEL);
437 mutex_unlock(&binderfs_minors_mutex);
438 if (minor < 0) {
439 ret = minor;
440 goto out;
441 }
442
443 inode->i_ino = SECOND_INODE;
444 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
445 init_special_inode(inode, S_IFCHR | 0600,
446 MKDEV(MAJOR(binderfs_dev), minor));
447 inode->i_fop = &binder_ctl_fops;
448 inode->i_uid = info->root_uid;
449 inode->i_gid = info->root_gid;
450
451 refcount_set(&device->ref, 1);
452 device->binderfs_inode = inode;
453 device->miscdev.minor = minor;
454
455 dentry = d_alloc_name(root, "binder-control");
456 if (!dentry)
457 goto out;
458
459 inode->i_private = device;
460 info->control_dentry = dentry;
461 d_add(dentry, inode);
462
463 return 0;
464
465 out:
466 kfree(device);
467 iput(inode);
468
469 return ret;
470 }
471
472 static const struct inode_operations binderfs_dir_inode_operations = {
473 .lookup = simple_lookup,
474 .rename = binderfs_rename,
475 .unlink = binderfs_unlink,
476 };
477
478 static struct inode *binderfs_make_inode(struct super_block *sb, int mode)
479 {
480 struct inode *ret;
481
482 ret = new_inode(sb);
483 if (ret) {
484 ret->i_ino = iunique(sb, BINDERFS_MAX_MINOR + INODE_OFFSET);
485 ret->i_mode = mode;
486 ret->i_atime = ret->i_mtime = ret->i_ctime = current_time(ret);
487 }
488 return ret;
489 }
490
491 static struct dentry *binderfs_create_dentry(struct dentry *parent,
492 const char *name)
493 {
494 struct dentry *dentry;
495
496 dentry = lookup_one_len(name, parent, strlen(name));
497 if (IS_ERR(dentry))
498 return dentry;
499
500
501 if (d_really_is_positive(dentry)) {
502 dput(dentry);
503 return ERR_PTR(-EEXIST);
504 }
505
506 return dentry;
507 }
508
509 void binderfs_remove_file(struct dentry *dentry)
510 {
511 struct inode *parent_inode;
512
513 parent_inode = d_inode(dentry->d_parent);
514 inode_lock(parent_inode);
515 if (simple_positive(dentry)) {
516 dget(dentry);
517 simple_unlink(parent_inode, dentry);
518 d_delete(dentry);
519 dput(dentry);
520 }
521 inode_unlock(parent_inode);
522 }
523
524 struct dentry *binderfs_create_file(struct dentry *parent, const char *name,
525 const struct file_operations *fops,
526 void *data)
527 {
528 struct dentry *dentry;
529 struct inode *new_inode, *parent_inode;
530 struct super_block *sb;
531
532 parent_inode = d_inode(parent);
533 inode_lock(parent_inode);
534
535 dentry = binderfs_create_dentry(parent, name);
536 if (IS_ERR(dentry))
537 goto out;
538
539 sb = parent_inode->i_sb;
540 new_inode = binderfs_make_inode(sb, S_IFREG | 0444);
541 if (!new_inode) {
542 dput(dentry);
543 dentry = ERR_PTR(-ENOMEM);
544 goto out;
545 }
546
547 new_inode->i_fop = fops;
548 new_inode->i_private = data;
549 d_instantiate(dentry, new_inode);
550 fsnotify_create(parent_inode, dentry);
551
552 out:
553 inode_unlock(parent_inode);
554 return dentry;
555 }
556
557 static struct dentry *binderfs_create_dir(struct dentry *parent,
558 const char *name)
559 {
560 struct dentry *dentry;
561 struct inode *new_inode, *parent_inode;
562 struct super_block *sb;
563
564 parent_inode = d_inode(parent);
565 inode_lock(parent_inode);
566
567 dentry = binderfs_create_dentry(parent, name);
568 if (IS_ERR(dentry))
569 goto out;
570
571 sb = parent_inode->i_sb;
572 new_inode = binderfs_make_inode(sb, S_IFDIR | 0755);
573 if (!new_inode) {
574 dput(dentry);
575 dentry = ERR_PTR(-ENOMEM);
576 goto out;
577 }
578
579 new_inode->i_fop = &simple_dir_operations;
580 new_inode->i_op = &simple_dir_inode_operations;
581
582 set_nlink(new_inode, 2);
583 d_instantiate(dentry, new_inode);
584 inc_nlink(parent_inode);
585 fsnotify_mkdir(parent_inode, dentry);
586
587 out:
588 inode_unlock(parent_inode);
589 return dentry;
590 }
591
592 static int init_binder_logs(struct super_block *sb)
593 {
594 struct dentry *binder_logs_root_dir, *dentry, *proc_log_dir;
595 struct binderfs_info *info;
596 int ret = 0;
597
598 binder_logs_root_dir = binderfs_create_dir(sb->s_root,
599 "binder_logs");
600 if (IS_ERR(binder_logs_root_dir)) {
601 ret = PTR_ERR(binder_logs_root_dir);
602 goto out;
603 }
604
605 dentry = binderfs_create_file(binder_logs_root_dir, "stats",
606 &binder_stats_fops, NULL);
607 if (IS_ERR(dentry)) {
608 ret = PTR_ERR(dentry);
609 goto out;
610 }
611
612 dentry = binderfs_create_file(binder_logs_root_dir, "state",
613 &binder_state_fops, NULL);
614 if (IS_ERR(dentry)) {
615 ret = PTR_ERR(dentry);
616 goto out;
617 }
618
619 dentry = binderfs_create_file(binder_logs_root_dir, "transactions",
620 &binder_transactions_fops, NULL);
621 if (IS_ERR(dentry)) {
622 ret = PTR_ERR(dentry);
623 goto out;
624 }
625
626 dentry = binderfs_create_file(binder_logs_root_dir,
627 "transaction_log",
628 &binder_transaction_log_fops,
629 &binder_transaction_log);
630 if (IS_ERR(dentry)) {
631 ret = PTR_ERR(dentry);
632 goto out;
633 }
634
635 dentry = binderfs_create_file(binder_logs_root_dir,
636 "failed_transaction_log",
637 &binder_transaction_log_fops,
638 &binder_transaction_log_failed);
639 if (IS_ERR(dentry)) {
640 ret = PTR_ERR(dentry);
641 goto out;
642 }
643
644 proc_log_dir = binderfs_create_dir(binder_logs_root_dir, "proc");
645 if (IS_ERR(proc_log_dir)) {
646 ret = PTR_ERR(proc_log_dir);
647 goto out;
648 }
649 info = sb->s_fs_info;
650 info->proc_log_dir = proc_log_dir;
651
652 out:
653 return ret;
654 }
655
656 static int binderfs_fill_super(struct super_block *sb, void *data, int silent)
657 {
658 int ret;
659 struct binderfs_info *info;
660 struct inode *inode = NULL;
661 struct binderfs_device device_info = { 0 };
662 const char *name;
663 size_t len;
664
665 sb->s_blocksize = PAGE_SIZE;
666 sb->s_blocksize_bits = PAGE_SHIFT;
667
668
669
670
671
672
673
674
675
676
677
678
679 sb->s_iflags &= ~SB_I_NODEV;
680 sb->s_iflags |= SB_I_NOEXEC;
681 sb->s_magic = BINDERFS_SUPER_MAGIC;
682 sb->s_op = &binderfs_super_ops;
683 sb->s_time_gran = 1;
684
685 sb->s_fs_info = kzalloc(sizeof(struct binderfs_info), GFP_KERNEL);
686 if (!sb->s_fs_info)
687 return -ENOMEM;
688 info = sb->s_fs_info;
689
690 info->ipc_ns = get_ipc_ns(current->nsproxy->ipc_ns);
691
692 ret = binderfs_parse_mount_opts(data, &info->mount_opts);
693 if (ret)
694 return ret;
695
696 info->root_gid = make_kgid(sb->s_user_ns, 0);
697 if (!gid_valid(info->root_gid))
698 info->root_gid = GLOBAL_ROOT_GID;
699 info->root_uid = make_kuid(sb->s_user_ns, 0);
700 if (!uid_valid(info->root_uid))
701 info->root_uid = GLOBAL_ROOT_UID;
702
703 inode = new_inode(sb);
704 if (!inode)
705 return -ENOMEM;
706
707 inode->i_ino = FIRST_INODE;
708 inode->i_fop = &simple_dir_operations;
709 inode->i_mode = S_IFDIR | 0755;
710 inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
711 inode->i_op = &binderfs_dir_inode_operations;
712 set_nlink(inode, 2);
713
714 sb->s_root = d_make_root(inode);
715 if (!sb->s_root)
716 return -ENOMEM;
717
718 ret = binderfs_binder_ctl_create(sb);
719 if (ret)
720 return ret;
721
722 name = binder_devices_param;
723 for (len = strcspn(name, ","); len > 0; len = strcspn(name, ",")) {
724 strscpy(device_info.name, name, len + 1);
725 ret = binderfs_binder_device_create(inode, NULL, &device_info);
726 if (ret)
727 return ret;
728 name += len;
729 if (*name == ',')
730 name++;
731 }
732
733 if (info->mount_opts.stats_mode == STATS_GLOBAL)
734 return init_binder_logs(sb);
735
736 return 0;
737 }
738
739 static struct dentry *binderfs_mount(struct file_system_type *fs_type,
740 int flags, const char *dev_name,
741 void *data)
742 {
743 return mount_nodev(fs_type, flags, data, binderfs_fill_super);
744 }
745
746 static void binderfs_kill_super(struct super_block *sb)
747 {
748 struct binderfs_info *info = sb->s_fs_info;
749
750 kill_litter_super(sb);
751
752 if (info && info->ipc_ns)
753 put_ipc_ns(info->ipc_ns);
754
755 kfree(info);
756 }
757
758 static struct file_system_type binder_fs_type = {
759 .name = "binder",
760 .mount = binderfs_mount,
761 .kill_sb = binderfs_kill_super,
762 .fs_flags = FS_USERNS_MOUNT,
763 };
764
765 int __init init_binderfs(void)
766 {
767 int ret;
768 const char *name;
769 size_t len;
770
771
772 name = binder_devices_param;
773 for (len = strcspn(name, ","); len > 0; len = strcspn(name, ",")) {
774 if (len > BINDERFS_MAX_NAME)
775 return -E2BIG;
776 name += len;
777 if (*name == ',')
778 name++;
779 }
780
781
782 ret = alloc_chrdev_region(&binderfs_dev, 0, BINDERFS_MAX_MINOR,
783 "binder");
784 if (ret)
785 return ret;
786
787 ret = register_filesystem(&binder_fs_type);
788 if (ret) {
789 unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR);
790 return ret;
791 }
792
793 return ret;
794 }