LXR linux/drivers/android/binderfs.c

   1// SPDX-License-Identifier: GPL-2.0
   2
   3#include <linux/compiler_types.h>
   4#include <linux/errno.h>
   5#include <linux/fs.h>
   6#include <linux/fsnotify.h>
   7#include <linux/gfp.h>
   8#include <linux/idr.h>
   9#include <linux/init.h>
  10#include <linux/ipc_namespace.h>
  11#include <linux/kdev_t.h>
  12#include <linux/kernel.h>
  13#include <linux/list.h>
  14#include <linux/namei.h>
  15#include <linux/magic.h>
  16#include <linux/major.h>
  17#include <linux/miscdevice.h>
  18#include <linux/module.h>
  19#include <linux/mutex.h>
  20#include <linux/mount.h>
  21#include <linux/fs_parser.h>
  22#include <linux/radix-tree.h>
  23#include <linux/sched.h>
  24#include <linux/seq_file.h>
  25#include <linux/slab.h>
  26#include <linux/spinlock_types.h>
  27#include <linux/stddef.h>
  28#include <linux/string.h>
  29#include <linux/types.h>
  30#include <linux/uaccess.h>
  31#include <linux/user_namespace.h>
  32#include <linux/xarray.h>
  33#include <uapi/asm-generic/errno-base.h>
  34#include <uapi/linux/android/binder.h>
  35#include <uapi/linux/android/binderfs.h>
  36
  37#include "binder_internal.h"
  38
  39#define FIRST_INODE 1
  40#define SECOND_INODE 2
  41#define INODE_OFFSET 3
  42#define INTSTRLEN 21
  43#define BINDERFS_MAX_MINOR (1U << MINORBITS)
  44/* Ensure that the initial ipc namespace always has devices available. */
  45#define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4)
  46
  47static dev_t binderfs_dev;
  48static DEFINE_MUTEX(binderfs_minors_mutex);
  49static DEFINE_IDA(binderfs_minors);
  50
  51enum binderfs_param {
  52        Opt_max,
  53        Opt_stats_mode,
  54};
  55
  56enum binderfs_stats_mode {
  57        binderfs_stats_mode_unset,
  58        binderfs_stats_mode_global,
  59};
  60
  61struct binder_features {
  62        bool oneway_spam_detection;
  63};
  64
  65static const struct constant_table binderfs_param_stats[] = {
  66        { "global", binderfs_stats_mode_global },
  67        {}
  68};
  69
  70static const struct fs_parameter_spec binderfs_fs_parameters[] = {
  71        fsparam_u32("max",      Opt_max),
  72        fsparam_enum("stats",   Opt_stats_mode, binderfs_param_stats),
  73        {}
  74};
  75
  76static struct binder_features binder_features = {
  77        .oneway_spam_detection = true,
  78};
  79
  80static inline struct binderfs_info *BINDERFS_SB(const struct super_block *sb)
  81{
  82        return sb->s_fs_info;
  83}
  84
  85bool is_binderfs_device(const struct inode *inode)
  86{
  87        if (inode->i_sb->s_magic == BINDERFS_SUPER_MAGIC)
  88                return true;
  89
  90        return false;
  91}
  92
  93/**
  94 * binderfs_binder_device_create - allocate inode from super block of a
  95 *                                 binderfs mount
  96 * @ref_inode: inode from wich the super block will be taken
  97 * @userp:     buffer to copy information about new device for userspace to
  98 * @req:       struct binderfs_device as copied from userspace
  99 *
 100 * This function allocates a new binder_device and reserves a new minor
 101 * number for it.
 102 * Minor numbers are limited and tracked globally in binderfs_minors. The
 103 * function will stash a struct binder_device for the specific binder
 104 * device in i_private of the inode.
 105 * It will go on to allocate a new inode from the super block of the
 106 * filesystem mount, stash a struct binder_device in its i_private field
 107 * and attach a dentry to that inode.
 108 *
 109 * Return: 0 on success, negative errno on failure
 110 */
 111static int binderfs_binder_device_create(struct inode *ref_inode,
 112                                         struct binderfs_device __user *userp,
 113                                         struct binderfs_device *req)
 114{
 115        int minor, ret;
 116        struct dentry *dentry, *root;
 117        struct binder_device *device;
 118        char *name = NULL;
 119        size_t name_len;
 120        struct inode *inode = NULL;
 121        struct super_block *sb = ref_inode->i_sb;
 122        struct binderfs_info *info = sb->s_fs_info;
 123#if defined(CONFIG_IPC_NS)
 124        bool use_reserve = (info->ipc_ns == &init_ipc_ns);
 125#else
 126        bool use_reserve = true;
 127#endif
 128
 129        /* Reserve new minor number for the new device. */
 130        mutex_lock(&binderfs_minors_mutex);
 131        if (++info->device_count <= info->mount_opts.max)
 132                minor = ida_alloc_max(&binderfs_minors,
 133                                      use_reserve ? BINDERFS_MAX_MINOR :
 134                                                    BINDERFS_MAX_MINOR_CAPPED,
 135                                      GFP_KERNEL);
 136        else
 137                minor = -ENOSPC;
 138        if (minor < 0) {
 139                --info->device_count;
 140                mutex_unlock(&binderfs_minors_mutex);
 141                return minor;
 142        }
 143        mutex_unlock(&binderfs_minors_mutex);
 144
 145        ret = -ENOMEM;
 146        device = kzalloc(sizeof(*device), GFP_KERNEL);
 147        if (!device)
 148                goto err;
 149
 150        inode = new_inode(sb);
 151        if (!inode)
 152                goto err;
 153
 154        inode->i_ino = minor + INODE_OFFSET;
 155        inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
 156        init_special_inode(inode, S_IFCHR | 0600,
 157                           MKDEV(MAJOR(binderfs_dev), minor));
 158        inode->i_fop = &binder_fops;
 159        inode->i_uid = info->root_uid;
 160        inode->i_gid = info->root_gid;
 161
 162        req->name[BINDERFS_MAX_NAME] = '\0'; /* NUL-terminate */
 163        name_len = strlen(req->name);
 164        /* Make sure to include terminating NUL byte */
 165        name = kmemdup(req->name, name_len + 1, GFP_KERNEL);
 166        if (!name)
 167                goto err;
 168
 169        refcount_set(&device->ref, 1);
 170        device->binderfs_inode = inode;
 171        device->context.binder_context_mgr_uid = INVALID_UID;
 172        device->context.name = name;
 173        device->miscdev.name = name;
 174        device->miscdev.minor = minor;
 175        mutex_init(&device->context.context_mgr_node_lock);
 176
 177        req->major = MAJOR(binderfs_dev);
 178        req->minor = minor;
 179
 180        if (userp && copy_to_user(userp, req, sizeof(*req))) {
 181                ret = -EFAULT;
 182                goto err;
 183        }
 184
 185        root = sb->s_root;
 186        inode_lock(d_inode(root));
 187
 188        /* look it up */
 189        dentry = lookup_one_len(name, root, name_len);
 190        if (IS_ERR(dentry)) {
 191                inode_unlock(d_inode(root));
 192                ret = PTR_ERR(dentry);
 193                goto err;
 194        }
 195
 196        if (d_really_is_positive(dentry)) {
 197                /* already exists */
 198                dput(dentry);
 199                inode_unlock(d_inode(root));
 200                ret = -EEXIST;
 201                goto err;
 202        }
 203
 204        inode->i_private = device;
 205        d_instantiate(dentry, inode);
 206        fsnotify_create(root->d_inode, dentry);
 207        inode_unlock(d_inode(root));
 208
 209        return 0;
 210
 211err:
 212        kfree(name);
 213        kfree(device);
 214        mutex_lock(&binderfs_minors_mutex);
 215        --info->device_count;
 216        ida_free(&binderfs_minors, minor);
 217        mutex_unlock(&binderfs_minors_mutex);
 218        iput(inode);
 219
 220        return ret;
 221}
 222
 223/**
 224 * binderfs_ctl_ioctl - handle binder device node allocation requests
 225 *
 226 * The request handler for the binder-control device. All requests operate on
 227 * the binderfs mount the binder-control device resides in:
 228 * - BINDER_CTL_ADD
 229 *   Allocate a new binder device.
 230 *
 231 * Return: 0 on success, negative errno on failure
 232 */
 233static long binder_ctl_ioctl(struct file *file, unsigned int cmd,
 234                             unsigned long arg)
 235{
 236        int ret = -EINVAL;
 237        struct inode *inode = file_inode(file);
 238        struct binderfs_device __user *device = (struct binderfs_device __user *)arg;
 239        struct binderfs_device device_req;
 240
 241        switch (cmd) {
 242        case BINDER_CTL_ADD:
 243                ret = copy_from_user(&device_req, device, sizeof(device_req));
 244                if (ret) {
 245                        ret = -EFAULT;
 246                        break;
 247                }
 248
 249                ret = binderfs_binder_device_create(inode, device, &device_req);
 250                break;
 251        default:
 252                break;
 253        }
 254
 255        return ret;
 256}
 257
 258static void binderfs_evict_inode(struct inode *inode)
 259{
 260        struct binder_device *device = inode->i_private;
 261        struct binderfs_info *info = BINDERFS_SB(inode->i_sb);
 262
 263        clear_inode(inode);
 264
 265        if (!S_ISCHR(inode->i_mode) || !device)
 266                return;
 267
 268        mutex_lock(&binderfs_minors_mutex);
 269        --info->device_count;
 270        ida_free(&binderfs_minors, device->miscdev.minor);
 271        mutex_unlock(&binderfs_minors_mutex);
 272
 273        if (refcount_dec_and_test(&device->ref)) {
 274                kfree(device->context.name);
 275                kfree(device);
 276        }
 277}
 278
 279static int binderfs_fs_context_parse_param(struct fs_context *fc,
 280                                           struct fs_parameter *param)
 281{
 282        int opt;
 283        struct binderfs_mount_opts *ctx = fc->fs_private;
 284        struct fs_parse_result result;
 285
 286        opt = fs_parse(fc, binderfs_fs_parameters, param, &result);
 287        if (opt < 0)
 288                return opt;
 289
 290        switch (opt) {
 291        case Opt_max:
 292                if (result.uint_32 > BINDERFS_MAX_MINOR)
 293                        return invalfc(fc, "Bad value for '%s'", param->key);
 294
 295                ctx->max = result.uint_32;
 296                break;
 297        case Opt_stats_mode:
 298                if (!capable(CAP_SYS_ADMIN))
 299                        return -EPERM;
 300
 301                ctx->stats_mode = result.uint_32;
 302                break;
 303        default:
 304                return invalfc(fc, "Unsupported parameter '%s'", param->key);
 305        }
 306
 307        return 0;
 308}
 309
 310static int binderfs_fs_context_reconfigure(struct fs_context *fc)
 311{
 312        struct binderfs_mount_opts *ctx = fc->fs_private;
 313        struct binderfs_info *info = BINDERFS_SB(fc->root->d_sb);
 314
 315        if (info->mount_opts.stats_mode != ctx->stats_mode)
 316                return invalfc(fc, "Binderfs stats mode cannot be changed during a remount");
 317
 318        info->mount_opts.stats_mode = ctx->stats_mode;
 319        info->mount_opts.max = ctx->max;
 320        return 0;
 321}
 322
 323static int binderfs_show_options(struct seq_file *seq, struct dentry *root)
 324{
 325        struct binderfs_info *info = BINDERFS_SB(root->d_sb);
 326
 327        if (info->mount_opts.max <= BINDERFS_MAX_MINOR)
 328                seq_printf(seq, ",max=%d", info->mount_opts.max);
 329
 330        switch (info->mount_opts.stats_mode) {
 331        case binderfs_stats_mode_unset:
 332                break;
 333        case binderfs_stats_mode_global:
 334                seq_printf(seq, ",stats=global");
 335                break;
 336        }
 337
 338        return 0;
 339}
 340
 341static void binderfs_put_super(struct super_block *sb)
 342{
 343        struct binderfs_info *info = sb->s_fs_info;
 344
 345        if (info && info->ipc_ns)
 346                put_ipc_ns(info->ipc_ns);
 347
 348        kfree(info);
 349        sb->s_fs_info = NULL;
 350}
 351
 352static const struct super_operations binderfs_super_ops = {
 353        .evict_inode    = binderfs_evict_inode,
 354        .show_options   = binderfs_show_options,
 355        .statfs         = simple_statfs,
 356        .put_super      = binderfs_put_super,
 357};
 358
 359static inline bool is_binderfs_control_device(const struct dentry *dentry)
 360{
 361        struct binderfs_info *info = dentry->d_sb->s_fs_info;
 362
 363        return info->control_dentry == dentry;
 364}
 365
 366static int binderfs_rename(struct user_namespace *mnt_userns,
 367                           struct inode *old_dir, struct dentry *old_dentry,
 368                           struct inode *new_dir, struct dentry *new_dentry,
 369                           unsigned int flags)
 370{
 371        if (is_binderfs_control_device(old_dentry) ||
 372            is_binderfs_control_device(new_dentry))
 373                return -EPERM;
 374
 375        return simple_rename(&init_user_ns, old_dir, old_dentry, new_dir,
 376                             new_dentry, flags);
 377}
 378
 379static int binderfs_unlink(struct inode *dir, struct dentry *dentry)
 380{
 381        if (is_binderfs_control_device(dentry))
 382                return -EPERM;
 383
 384        return simple_unlink(dir, dentry);
 385}
 386
 387static const struct file_operations binder_ctl_fops = {
 388        .owner          = THIS_MODULE,
 389        .open           = nonseekable_open,
 390        .unlocked_ioctl = binder_ctl_ioctl,
 391        .compat_ioctl   = binder_ctl_ioctl,
 392        .llseek         = noop_llseek,
 393};
 394
 395/**
 396 * binderfs_binder_ctl_create - create a new binder-control device
 397 * @sb: super block of the binderfs mount
 398 *
 399 * This function creates a new binder-control device node in the binderfs mount
 400 * referred to by @sb.
 401 *
 402 * Return: 0 on success, negative errno on failure
 403 */
 404static int binderfs_binder_ctl_create(struct super_block *sb)
 405{
 406        int minor, ret;
 407        struct dentry *dentry;
 408        struct binder_device *device;
 409        struct inode *inode = NULL;
 410        struct dentry *root = sb->s_root;
 411        struct binderfs_info *info = sb->s_fs_info;
 412#if defined(CONFIG_IPC_NS)
 413        bool use_reserve = (info->ipc_ns == &init_ipc_ns);
 414#else
 415        bool use_reserve = true;
 416#endif
 417
 418        device = kzalloc(sizeof(*device), GFP_KERNEL);
 419        if (!device)
 420                return -ENOMEM;
 421
 422        /* If we have already created a binder-control node, return. */
 423        if (info->control_dentry) {
 424                ret = 0;
 425                goto out;
 426        }
 427
 428        ret = -ENOMEM;
 429        inode = new_inode(sb);
 430        if (!inode)
 431                goto out;
 432
 433        /* Reserve a new minor number for the new device. */
 434        mutex_lock(&binderfs_minors_mutex);
 435        minor = ida_alloc_max(&binderfs_minors,
 436                              use_reserve ? BINDERFS_MAX_MINOR :
 437                                            BINDERFS_MAX_MINOR_CAPPED,
 438                              GFP_KERNEL);
 439        mutex_unlock(&binderfs_minors_mutex);
 440        if (minor < 0) {
 441                ret = minor;
 442                goto out;
 443        }
 444
 445        inode->i_ino = SECOND_INODE;
 446        inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
 447        init_special_inode(inode, S_IFCHR | 0600,
 448                           MKDEV(MAJOR(binderfs_dev), minor));
 449        inode->i_fop = &binder_ctl_fops;
 450        inode->i_uid = info->root_uid;
 451        inode->i_gid = info->root_gid;
 452
 453        refcount_set(&device->ref, 1);
 454        device->binderfs_inode = inode;
 455        device->miscdev.minor = minor;
 456
 457        dentry = d_alloc_name(root, "binder-control");
 458        if (!dentry)
 459                goto out;
 460
 461        inode->i_private = device;
 462        info->control_dentry = dentry;
 463        d_add(dentry, inode);
 464
 465        return 0;
 466
 467out:
 468        kfree(device);
 469        iput(inode);
 470
 471        return ret;
 472}
 473
 474static const struct inode_operations binderfs_dir_inode_operations = {
 475        .lookup = simple_lookup,
 476        .rename = binderfs_rename,
 477        .unlink = binderfs_unlink,
 478};
 479
 480static struct inode *binderfs_make_inode(struct super_block *sb, int mode)
 481{
 482        struct inode *ret;
 483
 484        ret = new_inode(sb);
 485        if (ret) {
 486                ret->i_ino = iunique(sb, BINDERFS_MAX_MINOR + INODE_OFFSET);
 487                ret->i_mode = mode;
 488                ret->i_atime = ret->i_mtime = ret->i_ctime = current_time(ret);
 489        }
 490        return ret;
 491}
 492
 493static struct dentry *binderfs_create_dentry(struct dentry *parent,
 494                                             const char *name)
 495{
 496        struct dentry *dentry;
 497
 498        dentry = lookup_one_len(name, parent, strlen(name));
 499        if (IS_ERR(dentry))
 500                return dentry;
 501
 502        /* Return error if the file/dir already exists. */
 503        if (d_really_is_positive(dentry)) {
 504                dput(dentry);
 505                return ERR_PTR(-EEXIST);
 506        }
 507
 508        return dentry;
 509}
 510
 511void binderfs_remove_file(struct dentry *dentry)
 512{
 513        struct inode *parent_inode;
 514
 515        parent_inode = d_inode(dentry->d_parent);
 516        inode_lock(parent_inode);
 517        if (simple_positive(dentry)) {
 518                dget(dentry);
 519                simple_unlink(parent_inode, dentry);
 520                d_delete(dentry);
 521                dput(dentry);
 522        }
 523        inode_unlock(parent_inode);
 524}
 525
 526struct dentry *binderfs_create_file(struct dentry *parent, const char *name,
 527                                    const struct file_operations *fops,
 528                                    void *data)
 529{
 530        struct dentry *dentry;
 531        struct inode *new_inode, *parent_inode;
 532        struct super_block *sb;
 533
 534        parent_inode = d_inode(parent);
 535        inode_lock(parent_inode);
 536
 537        dentry = binderfs_create_dentry(parent, name);
 538        if (IS_ERR(dentry))
 539                goto out;
 540
 541        sb = parent_inode->i_sb;
 542        new_inode = binderfs_make_inode(sb, S_IFREG | 0444);
 543        if (!new_inode) {
 544                dput(dentry);
 545                dentry = ERR_PTR(-ENOMEM);
 546                goto out;
 547        }
 548
 549        new_inode->i_fop = fops;
 550        new_inode->i_private = data;
 551        d_instantiate(dentry, new_inode);
 552        fsnotify_create(parent_inode, dentry);
 553
 554out:
 555        inode_unlock(parent_inode);
 556        return dentry;
 557}
 558
 559static struct dentry *binderfs_create_dir(struct dentry *parent,
 560                                          const char *name)
 561{
 562        struct dentry *dentry;
 563        struct inode *new_inode, *parent_inode;
 564        struct super_block *sb;
 565
 566        parent_inode = d_inode(parent);
 567        inode_lock(parent_inode);
 568
 569        dentry = binderfs_create_dentry(parent, name);
 570        if (IS_ERR(dentry))
 571                goto out;
 572
 573        sb = parent_inode->i_sb;
 574        new_inode = binderfs_make_inode(sb, S_IFDIR | 0755);
 575        if (!new_inode) {
 576                dput(dentry);
 577                dentry = ERR_PTR(-ENOMEM);
 578                goto out;
 579        }
 580
 581        new_inode->i_fop = &simple_dir_operations;
 582        new_inode->i_op = &simple_dir_inode_operations;
 583
 584        set_nlink(new_inode, 2);
 585        d_instantiate(dentry, new_inode);
 586        inc_nlink(parent_inode);
 587        fsnotify_mkdir(parent_inode, dentry);
 588
 589out:
 590        inode_unlock(parent_inode);
 591        return dentry;
 592}
 593
 594static int binder_features_show(struct seq_file *m, void *unused)
 595{
 596        bool *feature = m->private;
 597
 598        seq_printf(m, "%d\n", *feature);
 599
 600        return 0;
 601}
 602DEFINE_SHOW_ATTRIBUTE(binder_features);
 603
 604static int init_binder_features(struct super_block *sb)
 605{
 606        struct dentry *dentry, *dir;
 607
 608        dir = binderfs_create_dir(sb->s_root, "features");
 609        if (IS_ERR(dir))
 610                return PTR_ERR(dir);
 611
 612        dentry = binderfs_create_file(dir, "oneway_spam_detection",
 613                                      &binder_features_fops,
 614                                      &binder_features.oneway_spam_detection);
 615        if (IS_ERR(dentry))
 616                return PTR_ERR(dentry);
 617
 618        return 0;
 619}
 620
 621static int init_binder_logs(struct super_block *sb)
 622{
 623        struct dentry *binder_logs_root_dir, *dentry, *proc_log_dir;
 624        struct binderfs_info *info;
 625        int ret = 0;
 626
 627        binder_logs_root_dir = binderfs_create_dir(sb->s_root,
 628                                                   "binder_logs");
 629        if (IS_ERR(binder_logs_root_dir)) {
 630                ret = PTR_ERR(binder_logs_root_dir);
 631                goto out;
 632        }
 633
 634        dentry = binderfs_create_file(binder_logs_root_dir, "stats",
 635                                      &binder_stats_fops, NULL);
 636        if (IS_ERR(dentry)) {
 637                ret = PTR_ERR(dentry);
 638                goto out;
 639        }
 640
 641        dentry = binderfs_create_file(binder_logs_root_dir, "state",
 642                                      &binder_state_fops, NULL);
 643        if (IS_ERR(dentry)) {
 644                ret = PTR_ERR(dentry);
 645                goto out;
 646        }
 647
 648        dentry = binderfs_create_file(binder_logs_root_dir, "transactions",
 649                                      &binder_transactions_fops, NULL);
 650        if (IS_ERR(dentry)) {
 651                ret = PTR_ERR(dentry);
 652                goto out;
 653        }
 654
 655        dentry = binderfs_create_file(binder_logs_root_dir,
 656                                      "transaction_log",
 657                                      &binder_transaction_log_fops,
 658                                      &binder_transaction_log);
 659        if (IS_ERR(dentry)) {
 660                ret = PTR_ERR(dentry);
 661                goto out;
 662        }
 663
 664        dentry = binderfs_create_file(binder_logs_root_dir,
 665                                      "failed_transaction_log",
 666                                      &binder_transaction_log_fops,
 667                                      &binder_transaction_log_failed);
 668        if (IS_ERR(dentry)) {
 669                ret = PTR_ERR(dentry);
 670                goto out;
 671        }
 672
 673        proc_log_dir = binderfs_create_dir(binder_logs_root_dir, "proc");
 674        if (IS_ERR(proc_log_dir)) {
 675                ret = PTR_ERR(proc_log_dir);
 676                goto out;
 677        }
 678        info = sb->s_fs_info;
 679        info->proc_log_dir = proc_log_dir;
 680
 681out:
 682        return ret;
 683}
 684
 685static int binderfs_fill_super(struct super_block *sb, struct fs_context *fc)
 686{
 687        int ret;
 688        struct binderfs_info *info;
 689        struct binderfs_mount_opts *ctx = fc->fs_private;
 690        struct inode *inode = NULL;
 691        struct binderfs_device device_info = {};
 692        const char *name;
 693        size_t len;
 694
 695        sb->s_blocksize = PAGE_SIZE;
 696        sb->s_blocksize_bits = PAGE_SHIFT;
 697
 698        /*
 699         * The binderfs filesystem can be mounted by userns root in a
 700         * non-initial userns. By default such mounts have the SB_I_NODEV flag
 701         * set in s_iflags to prevent security issues where userns root can
 702         * just create random device nodes via mknod() since it owns the
 703         * filesystem mount. But binderfs does not allow to create any files
 704         * including devices nodes. The only way to create binder devices nodes
 705         * is through the binder-control device which userns root is explicitly
 706         * allowed to do. So removing the SB_I_NODEV flag from s_iflags is both
 707         * necessary and safe.
 708         */
 709        sb->s_iflags &= ~SB_I_NODEV;
 710        sb->s_iflags |= SB_I_NOEXEC;
 711        sb->s_magic = BINDERFS_SUPER_MAGIC;
 712        sb->s_op = &binderfs_super_ops;
 713        sb->s_time_gran = 1;
 714
 715        sb->s_fs_info = kzalloc(sizeof(struct binderfs_info), GFP_KERNEL);
 716        if (!sb->s_fs_info)
 717                return -ENOMEM;
 718        info = sb->s_fs_info;
 719
 720        info->ipc_ns = get_ipc_ns(current->nsproxy->ipc_ns);
 721
 722        info->root_gid = make_kgid(sb->s_user_ns, 0);
 723        if (!gid_valid(info->root_gid))
 724                info->root_gid = GLOBAL_ROOT_GID;
 725        info->root_uid = make_kuid(sb->s_user_ns, 0);
 726        if (!uid_valid(info->root_uid))
 727                info->root_uid = GLOBAL_ROOT_UID;
 728        info->mount_opts.max = ctx->max;
 729        info->mount_opts.stats_mode = ctx->stats_mode;
 730
 731        inode = new_inode(sb);
 732        if (!inode)
 733                return -ENOMEM;
 734
 735        inode->i_ino = FIRST_INODE;
 736        inode->i_fop = &simple_dir_operations;
 737        inode->i_mode = S_IFDIR | 0755;
 738        inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
 739        inode->i_op = &binderfs_dir_inode_operations;
 740        set_nlink(inode, 2);
 741
 742        sb->s_root = d_make_root(inode);
 743        if (!sb->s_root)
 744                return -ENOMEM;
 745
 746        ret = binderfs_binder_ctl_create(sb);
 747        if (ret)
 748                return ret;
 749
 750        name = binder_devices_param;
 751        for (len = strcspn(name, ","); len > 0; len = strcspn(name, ",")) {
 752                strscpy(device_info.name, name, len + 1);
 753                ret = binderfs_binder_device_create(inode, NULL, &device_info);
 754                if (ret)
 755                        return ret;
 756                name += len;
 757                if (*name == ',')
 758                        name++;
 759        }
 760
 761        ret = init_binder_features(sb);
 762        if (ret)
 763                return ret;
 764
 765        if (info->mount_opts.stats_mode == binderfs_stats_mode_global)
 766                return init_binder_logs(sb);
 767
 768        return 0;
 769}
 770
 771static int binderfs_fs_context_get_tree(struct fs_context *fc)
 772{
 773        return get_tree_nodev(fc, binderfs_fill_super);
 774}
 775
 776static void binderfs_fs_context_free(struct fs_context *fc)
 777{
 778        struct binderfs_mount_opts *ctx = fc->fs_private;
 779
 780        kfree(ctx);
 781}
 782
 783static const struct fs_context_operations binderfs_fs_context_ops = {
 784        .free           = binderfs_fs_context_free,
 785        .get_tree       = binderfs_fs_context_get_tree,
 786        .parse_param    = binderfs_fs_context_parse_param,
 787        .reconfigure    = binderfs_fs_context_reconfigure,
 788};
 789
 790static int binderfs_init_fs_context(struct fs_context *fc)
 791{
 792        struct binderfs_mount_opts *ctx;
 793
 794        ctx = kzalloc(sizeof(struct binderfs_mount_opts), GFP_KERNEL);
 795        if (!ctx)
 796                return -ENOMEM;
 797
 798        ctx->max = BINDERFS_MAX_MINOR;
 799        ctx->stats_mode = binderfs_stats_mode_unset;
 800
 801        fc->fs_private = ctx;
 802        fc->ops = &binderfs_fs_context_ops;
 803
 804        return 0;
 805}
 806
 807static struct file_system_type binder_fs_type = {
 808        .name                   = "binder",
 809        .init_fs_context        = binderfs_init_fs_context,
 810        .parameters             = binderfs_fs_parameters,
 811        .kill_sb                = kill_litter_super,
 812        .fs_flags               = FS_USERNS_MOUNT,
 813};
 814
 815int __init init_binderfs(void)
 816{
 817        int ret;
 818        const char *name;
 819        size_t len;
 820
 821        /* Verify that the default binderfs device names are valid. */
 822        name = binder_devices_param;
 823        for (len = strcspn(name, ","); len > 0; len = strcspn(name, ",")) {
 824                if (len > BINDERFS_MAX_NAME)
 825                        return -E2BIG;
 826                name += len;
 827                if (*name == ',')
 828                        name++;
 829        }
 830
 831        /* Allocate new major number for binderfs. */
 832        ret = alloc_chrdev_region(&binderfs_dev, 0, BINDERFS_MAX_MINOR,
 833                                  "binder");
 834        if (ret)
 835                return ret;
 836
 837        ret = register_filesystem(&binder_fs_type);
 838        if (ret) {
 839                unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR);
 840                return ret;
 841        }
 842
 843        return ret;
 844}
 845