drivers/android/binderfs.c

0001 // SPDX-License-Identifier: GPL-2.0
0002
0003 #include <linux/compiler_types.h>
0004 #include <linux/errno.h>
0005 #include <linux/fs.h>
0006 #include <linux/fsnotify.h>
0007 #include <linux/gfp.h>
0008 #include <linux/idr.h>
0009 #include <linux/init.h>
0010 #include <linux/ipc_namespace.h>
0011 #include <linux/kdev_t.h>
0012 #include <linux/kernel.h>
0013 #include <linux/list.h>
0014 #include <linux/namei.h>
0015 #include <linux/magic.h>
0016 #include <linux/major.h>
0017 #include <linux/miscdevice.h>
0018 #include <linux/module.h>
0019 #include <linux/mutex.h>
0020 #include <linux/mount.h>
0021 #include <linux/fs_parser.h>
0022 #include <linux/radix-tree.h>
0023 #include <linux/sched.h>
0024 #include <linux/seq_file.h>
0025 #include <linux/slab.h>
0026 #include <linux/spinlock_types.h>
0027 #include <linux/stddef.h>
0028 #include <linux/string.h>
0029 #include <linux/types.h>
0030 #include <linux/uaccess.h>
0031 #include <linux/user_namespace.h>
0032 #include <linux/xarray.h>
0033 #include <uapi/asm-generic/errno-base.h>
0034 #include <uapi/linux/android/binder.h>
0035 #include <uapi/linux/android/binderfs.h>
0036
0037 #include "binder_internal.h"
0038
0039 #define FIRST_INODE 1
0040 #define SECOND_INODE 2
0041 #define INODE_OFFSET 3
0042 #define INTSTRLEN 21
0043 #define BINDERFS_MAX_MINOR (1U << MINORBITS)
0044 /* Ensure that the initial ipc namespace always has devices available. */
0045 #define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4)
0046
0047 static dev_t binderfs_dev;
0048 static DEFINE_MUTEX(binderfs_minors_mutex);
0049 static DEFINE_IDA(binderfs_minors);
0050
0051 enum binderfs_param {
0052     Opt_max,
0053     Opt_stats_mode,
0054 };
0055
0056 enum binderfs_stats_mode {
0057     binderfs_stats_mode_unset,
0058     binderfs_stats_mode_global,
0059 };
0060
0061 struct binder_features {
0062     bool oneway_spam_detection;
0063     bool extended_error;
0064 };
0065
0066 static const struct constant_table binderfs_param_stats[] = {
0067     { "global", binderfs_stats_mode_global },
0068     {}
0069 };
0070
0071 static const struct fs_parameter_spec binderfs_fs_parameters[] = {
0072     fsparam_u32("max",  Opt_max),
0073     fsparam_enum("stats",   Opt_stats_mode, binderfs_param_stats),
0074     {}
0075 };
0076
0077 static struct binder_features binder_features = {
0078     .oneway_spam_detection = true,
0079     .extended_error = true,
0080 };
0081
0082 static inline struct binderfs_info *BINDERFS_SB(const struct super_block *sb)
0083 {
0084     return sb->s_fs_info;
0085 }
0086
0087 bool is_binderfs_device(const struct inode *inode)
0088 {
0089     if (inode->i_sb->s_magic == BINDERFS_SUPER_MAGIC)
0090         return true;
0091
0092     return false;
0093 }
0094
0095 /**
0096  * binderfs_binder_device_create - allocate inode from super block of a
0097  *                                 binderfs mount
0098  * @ref_inode: inode from wich the super block will be taken
0099  * @userp:     buffer to copy information about new device for userspace to
0100  * @req:       struct binderfs_device as copied from userspace
0101  *
0102  * This function allocates a new binder_device and reserves a new minor
0103  * number for it.
0104  * Minor numbers are limited and tracked globally in binderfs_minors. The
0105  * function will stash a struct binder_device for the specific binder
0106  * device in i_private of the inode.
0107  * It will go on to allocate a new inode from the super block of the
0108  * filesystem mount, stash a struct binder_device in its i_private field
0109  * and attach a dentry to that inode.
0110  *
0111  * Return: 0 on success, negative errno on failure
0112  */
0113 static int binderfs_binder_device_create(struct inode *ref_inode,
0114                      struct binderfs_device __user *userp,
0115                      struct binderfs_device *req)
0116 {
0117     int minor, ret;
0118     struct dentry *dentry, *root;
0119     struct binder_device *device;
0120     char *name = NULL;
0121     size_t name_len;
0122     struct inode *inode = NULL;
0123     struct super_block *sb = ref_inode->i_sb;
0124     struct binderfs_info *info = sb->s_fs_info;
0125 #if defined(CONFIG_IPC_NS)
0126     bool use_reserve = (info->ipc_ns == &init_ipc_ns);
0127 #else
0128     bool use_reserve = true;
0129 #endif
0130
0131     /* Reserve new minor number for the new device. */
0132     mutex_lock(&binderfs_minors_mutex);
0133     if (++info->device_count <= info->mount_opts.max)
0134         minor = ida_alloc_max(&binderfs_minors,
0135                       use_reserve ? BINDERFS_MAX_MINOR :
0136                             BINDERFS_MAX_MINOR_CAPPED,
0137                       GFP_KERNEL);
0138     else
0139         minor = -ENOSPC;
0140     if (minor < 0) {
0141         --info->device_count;
0142         mutex_unlock(&binderfs_minors_mutex);
0143         return minor;
0144     }
0145     mutex_unlock(&binderfs_minors_mutex);
0146
0147     ret = -ENOMEM;
0148     device = kzalloc(sizeof(*device), GFP_KERNEL);
0149     if (!device)
0150         goto err;
0151
0152     inode = new_inode(sb);
0153     if (!inode)
0154         goto err;
0155
0156     inode->i_ino = minor + INODE_OFFSET;
0157     inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
0158     init_special_inode(inode, S_IFCHR | 0600,
0159                MKDEV(MAJOR(binderfs_dev), minor));
0160     inode->i_fop = &binder_fops;
0161     inode->i_uid = info->root_uid;
0162     inode->i_gid = info->root_gid;
0163
0164     req->name[BINDERFS_MAX_NAME] = '\0'; /* NUL-terminate */
0165     name_len = strlen(req->name);
0166     /* Make sure to include terminating NUL byte */
0167     name = kmemdup(req->name, name_len + 1, GFP_KERNEL);
0168     if (!name)
0169         goto err;
0170
0171     refcount_set(&device->ref, 1);
0172     device->binderfs_inode = inode;
0173     device->context.binder_context_mgr_uid = INVALID_UID;
0174     device->context.name = name;
0175     device->miscdev.name = name;
0176     device->miscdev.minor = minor;
0177     mutex_init(&device->context.context_mgr_node_lock);
0178
0179     req->major = MAJOR(binderfs_dev);
0180     req->minor = minor;
0181
0182     if (userp && copy_to_user(userp, req, sizeof(*req))) {
0183         ret = -EFAULT;
0184         goto err;
0185     }
0186
0187     root = sb->s_root;
0188     inode_lock(d_inode(root));
0189
0190     /* look it up */
0191     dentry = lookup_one_len(name, root, name_len);
0192     if (IS_ERR(dentry)) {
0193         inode_unlock(d_inode(root));
0194         ret = PTR_ERR(dentry);
0195         goto err;
0196     }
0197
0198     if (d_really_is_positive(dentry)) {
0199         /* already exists */
0200         dput(dentry);
0201         inode_unlock(d_inode(root));
0202         ret = -EEXIST;
0203         goto err;
0204     }
0205
0206     inode->i_private = device;
0207     d_instantiate(dentry, inode);
0208     fsnotify_create(root->d_inode, dentry);
0209     inode_unlock(d_inode(root));
0210
0211     return 0;
0212
0213 err:
0214     kfree(name);
0215     kfree(device);
0216     mutex_lock(&binderfs_minors_mutex);
0217     --info->device_count;
0218     ida_free(&binderfs_minors, minor);
0219     mutex_unlock(&binderfs_minors_mutex);
0220     iput(inode);
0221
0222     return ret;
0223 }
0224
0225 /**
0226  * binderfs_ctl_ioctl - handle binder device node allocation requests
0227  *
0228  * The request handler for the binder-control device. All requests operate on
0229  * the binderfs mount the binder-control device resides in:
0230  * - BINDER_CTL_ADD
0231  *   Allocate a new binder device.
0232  *
0233  * Return: 0 on success, negative errno on failure
0234  */
0235 static long binder_ctl_ioctl(struct file *file, unsigned int cmd,
0236                  unsigned long arg)
0237 {
0238     int ret = -EINVAL;
0239     struct inode *inode = file_inode(file);
0240     struct binderfs_device __user *device = (struct binderfs_device __user *)arg;
0241     struct binderfs_device device_req;
0242
0243     switch (cmd) {
0244     case BINDER_CTL_ADD:
0245         ret = copy_from_user(&device_req, device, sizeof(device_req));
0246         if (ret) {
0247             ret = -EFAULT;
0248             break;
0249         }
0250
0251         ret = binderfs_binder_device_create(inode, device, &device_req);
0252         break;
0253     default:
0254         break;
0255     }
0256
0257     return ret;
0258 }
0259
0260 static void binderfs_evict_inode(struct inode *inode)
0261 {
0262     struct binder_device *device = inode->i_private;
0263     struct binderfs_info *info = BINDERFS_SB(inode->i_sb);
0264
0265     clear_inode(inode);
0266
0267     if (!S_ISCHR(inode->i_mode) || !device)
0268         return;
0269
0270     mutex_lock(&binderfs_minors_mutex);
0271     --info->device_count;
0272     ida_free(&binderfs_minors, device->miscdev.minor);
0273     mutex_unlock(&binderfs_minors_mutex);
0274
0275     if (refcount_dec_and_test(&device->ref)) {
0276         kfree(device->context.name);
0277         kfree(device);
0278     }
0279 }
0280
0281 static int binderfs_fs_context_parse_param(struct fs_context *fc,
0282                        struct fs_parameter *param)
0283 {
0284     int opt;
0285     struct binderfs_mount_opts *ctx = fc->fs_private;
0286     struct fs_parse_result result;
0287
0288     opt = fs_parse(fc, binderfs_fs_parameters, param, &result);
0289     if (opt < 0)
0290         return opt;
0291
0292     switch (opt) {
0293     case Opt_max:
0294         if (result.uint_32 > BINDERFS_MAX_MINOR)
0295             return invalfc(fc, "Bad value for '%s'", param->key);
0296
0297         ctx->max = result.uint_32;
0298         break;
0299     case Opt_stats_mode:
0300         if (!capable(CAP_SYS_ADMIN))
0301             return -EPERM;
0302
0303         ctx->stats_mode = result.uint_32;
0304         break;
0305     default:
0306         return invalfc(fc, "Unsupported parameter '%s'", param->key);
0307     }
0308
0309     return 0;
0310 }
0311
0312 static int binderfs_fs_context_reconfigure(struct fs_context *fc)
0313 {
0314     struct binderfs_mount_opts *ctx = fc->fs_private;
0315     struct binderfs_info *info = BINDERFS_SB(fc->root->d_sb);
0316
0317     if (info->mount_opts.stats_mode != ctx->stats_mode)
0318         return invalfc(fc, "Binderfs stats mode cannot be changed during a remount");
0319
0320     info->mount_opts.stats_mode = ctx->stats_mode;
0321     info->mount_opts.max = ctx->max;
0322     return 0;
0323 }
0324
0325 static int binderfs_show_options(struct seq_file *seq, struct dentry *root)
0326 {
0327     struct binderfs_info *info = BINDERFS_SB(root->d_sb);
0328
0329     if (info->mount_opts.max <= BINDERFS_MAX_MINOR)
0330         seq_printf(seq, ",max=%d", info->mount_opts.max);
0331
0332     switch (info->mount_opts.stats_mode) {
0333     case binderfs_stats_mode_unset:
0334         break;
0335     case binderfs_stats_mode_global:
0336         seq_printf(seq, ",stats=global");
0337         break;
0338     }
0339
0340     return 0;
0341 }
0342
0343 static void binderfs_put_super(struct super_block *sb)
0344 {
0345     struct binderfs_info *info = sb->s_fs_info;
0346
0347     if (info && info->ipc_ns)
0348         put_ipc_ns(info->ipc_ns);
0349
0350     kfree(info);
0351     sb->s_fs_info = NULL;
0352 }
0353
0354 static const struct super_operations binderfs_super_ops = {
0355     .evict_inode    = binderfs_evict_inode,
0356     .show_options   = binderfs_show_options,
0357     .statfs         = simple_statfs,
0358     .put_super  = binderfs_put_super,
0359 };
0360
0361 static inline bool is_binderfs_control_device(const struct dentry *dentry)
0362 {
0363     struct binderfs_info *info = dentry->d_sb->s_fs_info;
0364
0365     return info->control_dentry == dentry;
0366 }
0367
0368 static int binderfs_rename(struct user_namespace *mnt_userns,
0369                struct inode *old_dir, struct dentry *old_dentry,
0370                struct inode *new_dir, struct dentry *new_dentry,
0371                unsigned int flags)
0372 {
0373     if (is_binderfs_control_device(old_dentry) ||
0374         is_binderfs_control_device(new_dentry))
0375         return -EPERM;
0376
0377     return simple_rename(&init_user_ns, old_dir, old_dentry, new_dir,
0378                  new_dentry, flags);
0379 }
0380
0381 static int binderfs_unlink(struct inode *dir, struct dentry *dentry)
0382 {
0383     if (is_binderfs_control_device(dentry))
0384         return -EPERM;
0385
0386     return simple_unlink(dir, dentry);
0387 }
0388
0389 static const struct file_operations binder_ctl_fops = {
0390     .owner      = THIS_MODULE,
0391     .open       = nonseekable_open,
0392     .unlocked_ioctl = binder_ctl_ioctl,
0393     .compat_ioctl   = binder_ctl_ioctl,
0394     .llseek     = noop_llseek,
0395 };
0396
0397 /**
0398  * binderfs_binder_ctl_create - create a new binder-control device
0399  * @sb: super block of the binderfs mount
0400  *
0401  * This function creates a new binder-control device node in the binderfs mount
0402  * referred to by @sb.
0403  *
0404  * Return: 0 on success, negative errno on failure
0405  */
0406 static int binderfs_binder_ctl_create(struct super_block *sb)
0407 {
0408     int minor, ret;
0409     struct dentry *dentry;
0410     struct binder_device *device;
0411     struct inode *inode = NULL;
0412     struct dentry *root = sb->s_root;
0413     struct binderfs_info *info = sb->s_fs_info;
0414 #if defined(CONFIG_IPC_NS)
0415     bool use_reserve = (info->ipc_ns == &init_ipc_ns);
0416 #else
0417     bool use_reserve = true;
0418 #endif
0419
0420     device = kzalloc(sizeof(*device), GFP_KERNEL);
0421     if (!device)
0422         return -ENOMEM;
0423
0424     /* If we have already created a binder-control node, return. */
0425     if (info->control_dentry) {
0426         ret = 0;
0427         goto out;
0428     }
0429
0430     ret = -ENOMEM;
0431     inode = new_inode(sb);
0432     if (!inode)
0433         goto out;
0434
0435     /* Reserve a new minor number for the new device. */
0436     mutex_lock(&binderfs_minors_mutex);
0437     minor = ida_alloc_max(&binderfs_minors,
0438                   use_reserve ? BINDERFS_MAX_MINOR :
0439                         BINDERFS_MAX_MINOR_CAPPED,
0440                   GFP_KERNEL);
0441     mutex_unlock(&binderfs_minors_mutex);
0442     if (minor < 0) {
0443         ret = minor;
0444         goto out;
0445     }
0446
0447     inode->i_ino = SECOND_INODE;
0448     inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
0449     init_special_inode(inode, S_IFCHR | 0600,
0450                MKDEV(MAJOR(binderfs_dev), minor));
0451     inode->i_fop = &binder_ctl_fops;
0452     inode->i_uid = info->root_uid;
0453     inode->i_gid = info->root_gid;
0454
0455     refcount_set(&device->ref, 1);
0456     device->binderfs_inode = inode;
0457     device->miscdev.minor = minor;
0458
0459     dentry = d_alloc_name(root, "binder-control");
0460     if (!dentry)
0461         goto out;
0462
0463     inode->i_private = device;
0464     info->control_dentry = dentry;
0465     d_add(dentry, inode);
0466
0467     return 0;
0468
0469 out:
0470     kfree(device);
0471     iput(inode);
0472
0473     return ret;
0474 }
0475
0476 static const struct inode_operations binderfs_dir_inode_operations = {
0477     .lookup = simple_lookup,
0478     .rename = binderfs_rename,
0479     .unlink = binderfs_unlink,
0480 };
0481
0482 static struct inode *binderfs_make_inode(struct super_block *sb, int mode)
0483 {
0484     struct inode *ret;
0485
0486     ret = new_inode(sb);
0487     if (ret) {
0488         ret->i_ino = iunique(sb, BINDERFS_MAX_MINOR + INODE_OFFSET);
0489         ret->i_mode = mode;
0490         ret->i_atime = ret->i_mtime = ret->i_ctime = current_time(ret);
0491     }
0492     return ret;
0493 }
0494
0495 static struct dentry *binderfs_create_dentry(struct dentry *parent,
0496                          const char *name)
0497 {
0498     struct dentry *dentry;
0499
0500     dentry = lookup_one_len(name, parent, strlen(name));
0501     if (IS_ERR(dentry))
0502         return dentry;
0503
0504     /* Return error if the file/dir already exists. */
0505     if (d_really_is_positive(dentry)) {
0506         dput(dentry);
0507         return ERR_PTR(-EEXIST);
0508     }
0509
0510     return dentry;
0511 }
0512
0513 void binderfs_remove_file(struct dentry *dentry)
0514 {
0515     struct inode *parent_inode;
0516
0517     parent_inode = d_inode(dentry->d_parent);
0518     inode_lock(parent_inode);
0519     if (simple_positive(dentry)) {
0520         dget(dentry);
0521         simple_unlink(parent_inode, dentry);
0522         d_delete(dentry);
0523         dput(dentry);
0524     }
0525     inode_unlock(parent_inode);
0526 }
0527
0528 struct dentry *binderfs_create_file(struct dentry *parent, const char *name,
0529                     const struct file_operations *fops,
0530                     void *data)
0531 {
0532     struct dentry *dentry;
0533     struct inode *new_inode, *parent_inode;
0534     struct super_block *sb;
0535
0536     parent_inode = d_inode(parent);
0537     inode_lock(parent_inode);
0538
0539     dentry = binderfs_create_dentry(parent, name);
0540     if (IS_ERR(dentry))
0541         goto out;
0542
0543     sb = parent_inode->i_sb;
0544     new_inode = binderfs_make_inode(sb, S_IFREG | 0444);
0545     if (!new_inode) {
0546         dput(dentry);
0547         dentry = ERR_PTR(-ENOMEM);
0548         goto out;
0549     }
0550
0551     new_inode->i_fop = fops;
0552     new_inode->i_private = data;
0553     d_instantiate(dentry, new_inode);
0554     fsnotify_create(parent_inode, dentry);
0555
0556 out:
0557     inode_unlock(parent_inode);
0558     return dentry;
0559 }
0560
0561 static struct dentry *binderfs_create_dir(struct dentry *parent,
0562                       const char *name)
0563 {
0564     struct dentry *dentry;
0565     struct inode *new_inode, *parent_inode;
0566     struct super_block *sb;
0567
0568     parent_inode = d_inode(parent);
0569     inode_lock(parent_inode);
0570
0571     dentry = binderfs_create_dentry(parent, name);
0572     if (IS_ERR(dentry))
0573         goto out;
0574
0575     sb = parent_inode->i_sb;
0576     new_inode = binderfs_make_inode(sb, S_IFDIR | 0755);
0577     if (!new_inode) {
0578         dput(dentry);
0579         dentry = ERR_PTR(-ENOMEM);
0580         goto out;
0581     }
0582
0583     new_inode->i_fop = &simple_dir_operations;
0584     new_inode->i_op = &simple_dir_inode_operations;
0585
0586     set_nlink(new_inode, 2);
0587     d_instantiate(dentry, new_inode);
0588     inc_nlink(parent_inode);
0589     fsnotify_mkdir(parent_inode, dentry);
0590
0591 out:
0592     inode_unlock(parent_inode);
0593     return dentry;
0594 }
0595
0596 static int binder_features_show(struct seq_file *m, void *unused)
0597 {
0598     bool *feature = m->private;
0599
0600     seq_printf(m, "%d\n", *feature);
0601
0602     return 0;
0603 }
0604 DEFINE_SHOW_ATTRIBUTE(binder_features);
0605
0606 static int init_binder_features(struct super_block *sb)
0607 {
0608     struct dentry *dentry, *dir;
0609
0610     dir = binderfs_create_dir(sb->s_root, "features");
0611     if (IS_ERR(dir))
0612         return PTR_ERR(dir);
0613
0614     dentry = binderfs_create_file(dir, "oneway_spam_detection",
0615                       &binder_features_fops,
0616                       &binder_features.oneway_spam_detection);
0617     if (IS_ERR(dentry))
0618         return PTR_ERR(dentry);
0619
0620     dentry = binderfs_create_file(dir, "extended_error",
0621                       &binder_features_fops,
0622                       &binder_features.extended_error);
0623     if (IS_ERR(dentry))
0624         return PTR_ERR(dentry);
0625
0626     return 0;
0627 }
0628
0629 static int init_binder_logs(struct super_block *sb)
0630 {
0631     struct dentry *binder_logs_root_dir, *dentry, *proc_log_dir;
0632     const struct binder_debugfs_entry *db_entry;
0633     struct binderfs_info *info;
0634     int ret = 0;
0635
0636     binder_logs_root_dir = binderfs_create_dir(sb->s_root,
0637                            "binder_logs");
0638     if (IS_ERR(binder_logs_root_dir)) {
0639         ret = PTR_ERR(binder_logs_root_dir);
0640         goto out;
0641     }
0642
0643     binder_for_each_debugfs_entry(db_entry) {
0644         dentry = binderfs_create_file(binder_logs_root_dir,
0645                           db_entry->name,
0646                           db_entry->fops,
0647                           db_entry->data);
0648         if (IS_ERR(dentry)) {
0649             ret = PTR_ERR(dentry);
0650             goto out;
0651         }
0652     }
0653
0654     proc_log_dir = binderfs_create_dir(binder_logs_root_dir, "proc");
0655     if (IS_ERR(proc_log_dir)) {
0656         ret = PTR_ERR(proc_log_dir);
0657         goto out;
0658     }
0659     info = sb->s_fs_info;
0660     info->proc_log_dir = proc_log_dir;
0661
0662 out:
0663     return ret;
0664 }
0665
0666 static int binderfs_fill_super(struct super_block *sb, struct fs_context *fc)
0667 {
0668     int ret;
0669     struct binderfs_info *info;
0670     struct binderfs_mount_opts *ctx = fc->fs_private;
0671     struct inode *inode = NULL;
0672     struct binderfs_device device_info = {};
0673     const char *name;
0674     size_t len;
0675
0676     sb->s_blocksize = PAGE_SIZE;
0677     sb->s_blocksize_bits = PAGE_SHIFT;
0678
0679     /*
0680      * The binderfs filesystem can be mounted by userns root in a
0681      * non-initial userns. By default such mounts have the SB_I_NODEV flag
0682      * set in s_iflags to prevent security issues where userns root can
0683      * just create random device nodes via mknod() since it owns the
0684      * filesystem mount. But binderfs does not allow to create any files
0685      * including devices nodes. The only way to create binder devices nodes
0686      * is through the binder-control device which userns root is explicitly
0687      * allowed to do. So removing the SB_I_NODEV flag from s_iflags is both
0688      * necessary and safe.
0689      */
0690     sb->s_iflags &= ~SB_I_NODEV;
0691     sb->s_iflags |= SB_I_NOEXEC;
0692     sb->s_magic = BINDERFS_SUPER_MAGIC;
0693     sb->s_op = &binderfs_super_ops;
0694     sb->s_time_gran = 1;
0695
0696     sb->s_fs_info = kzalloc(sizeof(struct binderfs_info), GFP_KERNEL);
0697     if (!sb->s_fs_info)
0698         return -ENOMEM;
0699     info = sb->s_fs_info;
0700
0701     info->ipc_ns = get_ipc_ns(current->nsproxy->ipc_ns);
0702
0703     info->root_gid = make_kgid(sb->s_user_ns, 0);
0704     if (!gid_valid(info->root_gid))
0705         info->root_gid = GLOBAL_ROOT_GID;
0706     info->root_uid = make_kuid(sb->s_user_ns, 0);
0707     if (!uid_valid(info->root_uid))
0708         info->root_uid = GLOBAL_ROOT_UID;
0709     info->mount_opts.max = ctx->max;
0710     info->mount_opts.stats_mode = ctx->stats_mode;
0711
0712     inode = new_inode(sb);
0713     if (!inode)
0714         return -ENOMEM;
0715
0716     inode->i_ino = FIRST_INODE;
0717     inode->i_fop = &simple_dir_operations;
0718     inode->i_mode = S_IFDIR | 0755;
0719     inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
0720     inode->i_op = &binderfs_dir_inode_operations;
0721     set_nlink(inode, 2);
0722
0723     sb->s_root = d_make_root(inode);
0724     if (!sb->s_root)
0725         return -ENOMEM;
0726
0727     ret = binderfs_binder_ctl_create(sb);
0728     if (ret)
0729         return ret;
0730
0731     name = binder_devices_param;
0732     for (len = strcspn(name, ","); len > 0; len = strcspn(name, ",")) {
0733         strscpy(device_info.name, name, len + 1);
0734         ret = binderfs_binder_device_create(inode, NULL, &device_info);
0735         if (ret)
0736             return ret;
0737         name += len;
0738         if (*name == ',')
0739             name++;
0740     }
0741
0742     ret = init_binder_features(sb);
0743     if (ret)
0744         return ret;
0745
0746     if (info->mount_opts.stats_mode == binderfs_stats_mode_global)
0747         return init_binder_logs(sb);
0748
0749     return 0;
0750 }
0751
0752 static int binderfs_fs_context_get_tree(struct fs_context *fc)
0753 {
0754     return get_tree_nodev(fc, binderfs_fill_super);
0755 }
0756
0757 static void binderfs_fs_context_free(struct fs_context *fc)
0758 {
0759     struct binderfs_mount_opts *ctx = fc->fs_private;
0760
0761     kfree(ctx);
0762 }
0763
0764 static const struct fs_context_operations binderfs_fs_context_ops = {
0765     .free       = binderfs_fs_context_free,
0766     .get_tree   = binderfs_fs_context_get_tree,
0767     .parse_param    = binderfs_fs_context_parse_param,
0768     .reconfigure    = binderfs_fs_context_reconfigure,
0769 };
0770
0771 static int binderfs_init_fs_context(struct fs_context *fc)
0772 {
0773     struct binderfs_mount_opts *ctx;
0774
0775     ctx = kzalloc(sizeof(struct binderfs_mount_opts), GFP_KERNEL);
0776     if (!ctx)
0777         return -ENOMEM;
0778
0779     ctx->max = BINDERFS_MAX_MINOR;
0780     ctx->stats_mode = binderfs_stats_mode_unset;
0781
0782     fc->fs_private = ctx;
0783     fc->ops = &binderfs_fs_context_ops;
0784
0785     return 0;
0786 }
0787
0788 static struct file_system_type binder_fs_type = {
0789     .name           = "binder",
0790     .init_fs_context    = binderfs_init_fs_context,
0791     .parameters     = binderfs_fs_parameters,
0792     .kill_sb        = kill_litter_super,
0793     .fs_flags       = FS_USERNS_MOUNT,
0794 };
0795
0796 int __init init_binderfs(void)
0797 {
0798     int ret;
0799     const char *name;
0800     size_t len;
0801
0802     /* Verify that the default binderfs device names are valid. */
0803     name = binder_devices_param;
0804     for (len = strcspn(name, ","); len > 0; len = strcspn(name, ",")) {
0805         if (len > BINDERFS_MAX_NAME)
0806             return -E2BIG;
0807         name += len;
0808         if (*name == ',')
0809             name++;
0810     }
0811
0812     /* Allocate new major number for binderfs. */
0813     ret = alloc_chrdev_region(&binderfs_dev, 0, BINDERFS_MAX_MINOR,
0814                   "binder");
0815     if (ret)
0816         return ret;
0817
0818     ret = register_filesystem(&binder_fs_type);
0819     if (ret) {
0820         unregister_chrdev_region(binderfs_dev, BINDERFS_MAX_MINOR);
0821         return ret;
0822     }
0823
0824     return ret;
0825 }