fs/fuse/cuse.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * CUSE: Character device in Userspace
0004  *
0005  * Copyright (C) 2008-2009  SUSE Linux Products GmbH
0006  * Copyright (C) 2008-2009  Tejun Heo <tj@kernel.org>
0007  *
0008  * CUSE enables character devices to be implemented from userland much
0009  * like FUSE allows filesystems.  On initialization /dev/cuse is
0010  * created.  By opening the file and replying to the CUSE_INIT request
0011  * userland CUSE server can create a character device.  After that the
0012  * operation is very similar to FUSE.
0013  *
0014  * A CUSE instance involves the following objects.
0015  *
0016  * cuse_conn    : contains fuse_conn and serves as bonding structure
0017  * channel  : file handle connected to the userland CUSE server
0018  * cdev     : the implemented character device
0019  * dev      : generic device for cdev
0020  *
0021  * Note that 'channel' is what 'dev' is in FUSE.  As CUSE deals with
0022  * devices, it's called 'channel' to reduce confusion.
0023  *
0024  * channel determines when the character device dies.  When channel is
0025  * closed, everything begins to destruct.  The cuse_conn is taken off
0026  * the lookup table preventing further access from cdev, cdev and
0027  * generic device are removed and the base reference of cuse_conn is
0028  * put.
0029  *
0030  * On each open, the matching cuse_conn is looked up and if found an
0031  * additional reference is taken which is released when the file is
0032  * closed.
0033  */
0034
0035 #define pr_fmt(fmt) "CUSE: " fmt
0036
0037 #include <linux/fuse.h>
0038 #include <linux/cdev.h>
0039 #include <linux/device.h>
0040 #include <linux/file.h>
0041 #include <linux/fs.h>
0042 #include <linux/kdev_t.h>
0043 #include <linux/kthread.h>
0044 #include <linux/list.h>
0045 #include <linux/magic.h>
0046 #include <linux/miscdevice.h>
0047 #include <linux/mutex.h>
0048 #include <linux/slab.h>
0049 #include <linux/stat.h>
0050 #include <linux/module.h>
0051 #include <linux/uio.h>
0052 #include <linux/user_namespace.h>
0053
0054 #include "fuse_i.h"
0055
0056 #define CUSE_CONNTBL_LEN    64
0057
0058 struct cuse_conn {
0059     struct list_head    list;   /* linked on cuse_conntbl */
0060     struct fuse_mount   fm; /* Dummy mount referencing fc */
0061     struct fuse_conn    fc; /* fuse connection */
0062     struct cdev     *cdev;  /* associated character device */
0063     struct device       *dev;   /* device representing @cdev */
0064
0065     /* init parameters, set once during initialization */
0066     bool            unrestricted_ioctl;
0067 };
0068
0069 static DEFINE_MUTEX(cuse_lock);     /* protects registration */
0070 static struct list_head cuse_conntbl[CUSE_CONNTBL_LEN];
0071 static struct class *cuse_class;
0072
0073 static struct cuse_conn *fc_to_cc(struct fuse_conn *fc)
0074 {
0075     return container_of(fc, struct cuse_conn, fc);
0076 }
0077
0078 static struct list_head *cuse_conntbl_head(dev_t devt)
0079 {
0080     return &cuse_conntbl[(MAJOR(devt) + MINOR(devt)) % CUSE_CONNTBL_LEN];
0081 }
0082
0083
0084 /**************************************************************************
0085  * CUSE frontend operations
0086  *
0087  * These are file operations for the character device.
0088  *
0089  * On open, CUSE opens a file from the FUSE mnt and stores it to
0090  * private_data of the open file.  All other ops call FUSE ops on the
0091  * FUSE file.
0092  */
0093
0094 static ssize_t cuse_read_iter(struct kiocb *kiocb, struct iov_iter *to)
0095 {
0096     struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(kiocb);
0097     loff_t pos = 0;
0098
0099     return fuse_direct_io(&io, to, &pos, FUSE_DIO_CUSE);
0100 }
0101
0102 static ssize_t cuse_write_iter(struct kiocb *kiocb, struct iov_iter *from)
0103 {
0104     struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(kiocb);
0105     loff_t pos = 0;
0106     /*
0107      * No locking or generic_write_checks(), the server is
0108      * responsible for locking and sanity checks.
0109      */
0110     return fuse_direct_io(&io, from, &pos,
0111                   FUSE_DIO_WRITE | FUSE_DIO_CUSE);
0112 }
0113
0114 static int cuse_open(struct inode *inode, struct file *file)
0115 {
0116     dev_t devt = inode->i_cdev->dev;
0117     struct cuse_conn *cc = NULL, *pos;
0118     int rc;
0119
0120     /* look up and get the connection */
0121     mutex_lock(&cuse_lock);
0122     list_for_each_entry(pos, cuse_conntbl_head(devt), list)
0123         if (pos->dev->devt == devt) {
0124             fuse_conn_get(&pos->fc);
0125             cc = pos;
0126             break;
0127         }
0128     mutex_unlock(&cuse_lock);
0129
0130     /* dead? */
0131     if (!cc)
0132         return -ENODEV;
0133
0134     /*
0135      * Generic permission check is already done against the chrdev
0136      * file, proceed to open.
0137      */
0138     rc = fuse_do_open(&cc->fm, 0, file, 0);
0139     if (rc)
0140         fuse_conn_put(&cc->fc);
0141     return rc;
0142 }
0143
0144 static int cuse_release(struct inode *inode, struct file *file)
0145 {
0146     struct fuse_file *ff = file->private_data;
0147     struct fuse_mount *fm = ff->fm;
0148
0149     fuse_sync_release(NULL, ff, file->f_flags);
0150     fuse_conn_put(fm->fc);
0151
0152     return 0;
0153 }
0154
0155 static long cuse_file_ioctl(struct file *file, unsigned int cmd,
0156                 unsigned long arg)
0157 {
0158     struct fuse_file *ff = file->private_data;
0159     struct cuse_conn *cc = fc_to_cc(ff->fm->fc);
0160     unsigned int flags = 0;
0161
0162     if (cc->unrestricted_ioctl)
0163         flags |= FUSE_IOCTL_UNRESTRICTED;
0164
0165     return fuse_do_ioctl(file, cmd, arg, flags);
0166 }
0167
0168 static long cuse_file_compat_ioctl(struct file *file, unsigned int cmd,
0169                    unsigned long arg)
0170 {
0171     struct fuse_file *ff = file->private_data;
0172     struct cuse_conn *cc = fc_to_cc(ff->fm->fc);
0173     unsigned int flags = FUSE_IOCTL_COMPAT;
0174
0175     if (cc->unrestricted_ioctl)
0176         flags |= FUSE_IOCTL_UNRESTRICTED;
0177
0178     return fuse_do_ioctl(file, cmd, arg, flags);
0179 }
0180
0181 static const struct file_operations cuse_frontend_fops = {
0182     .owner          = THIS_MODULE,
0183     .read_iter      = cuse_read_iter,
0184     .write_iter     = cuse_write_iter,
0185     .open           = cuse_open,
0186     .release        = cuse_release,
0187     .unlocked_ioctl     = cuse_file_ioctl,
0188     .compat_ioctl       = cuse_file_compat_ioctl,
0189     .poll           = fuse_file_poll,
0190     .llseek     = noop_llseek,
0191 };
0192
0193
0194 /**************************************************************************
0195  * CUSE channel initialization and destruction
0196  */
0197
0198 struct cuse_devinfo {
0199     const char      *name;
0200 };
0201
0202 /**
0203  * cuse_parse_one - parse one key=value pair
0204  * @pp: i/o parameter for the current position
0205  * @end: points to one past the end of the packed string
0206  * @keyp: out parameter for key
0207  * @valp: out parameter for value
0208  *
0209  * *@pp points to packed strings - "key0=val0\0key1=val1\0" which ends
0210  * at @end - 1.  This function parses one pair and set *@keyp to the
0211  * start of the key and *@valp to the start of the value.  Note that
0212  * the original string is modified such that the key string is
0213  * terminated with '\0'.  *@pp is updated to point to the next string.
0214  *
0215  * RETURNS:
0216  * 1 on successful parse, 0 on EOF, -errno on failure.
0217  */
0218 static int cuse_parse_one(char **pp, char *end, char **keyp, char **valp)
0219 {
0220     char *p = *pp;
0221     char *key, *val;
0222
0223     while (p < end && *p == '\0')
0224         p++;
0225     if (p == end)
0226         return 0;
0227
0228     if (end[-1] != '\0') {
0229         pr_err("info not properly terminated\n");
0230         return -EINVAL;
0231     }
0232
0233     key = val = p;
0234     p += strlen(p);
0235
0236     if (valp) {
0237         strsep(&val, "=");
0238         if (!val)
0239             val = key + strlen(key);
0240         key = strstrip(key);
0241         val = strstrip(val);
0242     } else
0243         key = strstrip(key);
0244
0245     if (!strlen(key)) {
0246         pr_err("zero length info key specified\n");
0247         return -EINVAL;
0248     }
0249
0250     *pp = p;
0251     *keyp = key;
0252     if (valp)
0253         *valp = val;
0254
0255     return 1;
0256 }
0257
0258 /**
0259  * cuse_parse_dev_info - parse device info
0260  * @p: device info string
0261  * @len: length of device info string
0262  * @devinfo: out parameter for parsed device info
0263  *
0264  * Parse @p to extract device info and store it into @devinfo.  String
0265  * pointed to by @p is modified by parsing and @devinfo points into
0266  * them, so @p shouldn't be freed while @devinfo is in use.
0267  *
0268  * RETURNS:
0269  * 0 on success, -errno on failure.
0270  */
0271 static int cuse_parse_devinfo(char *p, size_t len, struct cuse_devinfo *devinfo)
0272 {
0273     char *end = p + len;
0274     char *key, *val;
0275     int rc;
0276
0277     while (true) {
0278         rc = cuse_parse_one(&p, end, &key, &val);
0279         if (rc < 0)
0280             return rc;
0281         if (!rc)
0282             break;
0283         if (strcmp(key, "DEVNAME") == 0)
0284             devinfo->name = val;
0285         else
0286             pr_warn("unknown device info \"%s\"\n", key);
0287     }
0288
0289     if (!devinfo->name || !strlen(devinfo->name)) {
0290         pr_err("DEVNAME unspecified\n");
0291         return -EINVAL;
0292     }
0293
0294     return 0;
0295 }
0296
0297 static void cuse_gendev_release(struct device *dev)
0298 {
0299     kfree(dev);
0300 }
0301
0302 struct cuse_init_args {
0303     struct fuse_args_pages ap;
0304     struct cuse_init_in in;
0305     struct cuse_init_out out;
0306     struct page *page;
0307     struct fuse_page_desc desc;
0308 };
0309
0310 /**
0311  * cuse_process_init_reply - finish initializing CUSE channel
0312  *
0313  * This function creates the character device and sets up all the
0314  * required data structures for it.  Please read the comment at the
0315  * top of this file for high level overview.
0316  */
0317 static void cuse_process_init_reply(struct fuse_mount *fm,
0318                     struct fuse_args *args, int error)
0319 {
0320     struct fuse_conn *fc = fm->fc;
0321     struct cuse_init_args *ia = container_of(args, typeof(*ia), ap.args);
0322     struct fuse_args_pages *ap = &ia->ap;
0323     struct cuse_conn *cc = fc_to_cc(fc), *pos;
0324     struct cuse_init_out *arg = &ia->out;
0325     struct page *page = ap->pages[0];
0326     struct cuse_devinfo devinfo = { };
0327     struct device *dev;
0328     struct cdev *cdev;
0329     dev_t devt;
0330     int rc, i;
0331
0332     if (error || arg->major != FUSE_KERNEL_VERSION || arg->minor < 11)
0333         goto err;
0334
0335     fc->minor = arg->minor;
0336     fc->max_read = max_t(unsigned, arg->max_read, 4096);
0337     fc->max_write = max_t(unsigned, arg->max_write, 4096);
0338
0339     /* parse init reply */
0340     cc->unrestricted_ioctl = arg->flags & CUSE_UNRESTRICTED_IOCTL;
0341
0342     rc = cuse_parse_devinfo(page_address(page), ap->args.out_args[1].size,
0343                 &devinfo);
0344     if (rc)
0345         goto err;
0346
0347     /* determine and reserve devt */
0348     devt = MKDEV(arg->dev_major, arg->dev_minor);
0349     if (!MAJOR(devt))
0350         rc = alloc_chrdev_region(&devt, MINOR(devt), 1, devinfo.name);
0351     else
0352         rc = register_chrdev_region(devt, 1, devinfo.name);
0353     if (rc) {
0354         pr_err("failed to register chrdev region\n");
0355         goto err;
0356     }
0357
0358     /* devt determined, create device */
0359     rc = -ENOMEM;
0360     dev = kzalloc(sizeof(*dev), GFP_KERNEL);
0361     if (!dev)
0362         goto err_region;
0363
0364     device_initialize(dev);
0365     dev_set_uevent_suppress(dev, 1);
0366     dev->class = cuse_class;
0367     dev->devt = devt;
0368     dev->release = cuse_gendev_release;
0369     dev_set_drvdata(dev, cc);
0370     dev_set_name(dev, "%s", devinfo.name);
0371
0372     mutex_lock(&cuse_lock);
0373
0374     /* make sure the device-name is unique */
0375     for (i = 0; i < CUSE_CONNTBL_LEN; ++i) {
0376         list_for_each_entry(pos, &cuse_conntbl[i], list)
0377             if (!strcmp(dev_name(pos->dev), dev_name(dev)))
0378                 goto err_unlock;
0379     }
0380
0381     rc = device_add(dev);
0382     if (rc)
0383         goto err_unlock;
0384
0385     /* register cdev */
0386     rc = -ENOMEM;
0387     cdev = cdev_alloc();
0388     if (!cdev)
0389         goto err_unlock;
0390
0391     cdev->owner = THIS_MODULE;
0392     cdev->ops = &cuse_frontend_fops;
0393
0394     rc = cdev_add(cdev, devt, 1);
0395     if (rc)
0396         goto err_cdev;
0397
0398     cc->dev = dev;
0399     cc->cdev = cdev;
0400
0401     /* make the device available */
0402     list_add(&cc->list, cuse_conntbl_head(devt));
0403     mutex_unlock(&cuse_lock);
0404
0405     /* announce device availability */
0406     dev_set_uevent_suppress(dev, 0);
0407     kobject_uevent(&dev->kobj, KOBJ_ADD);
0408 out:
0409     kfree(ia);
0410     __free_page(page);
0411     return;
0412
0413 err_cdev:
0414     cdev_del(cdev);
0415 err_unlock:
0416     mutex_unlock(&cuse_lock);
0417     put_device(dev);
0418 err_region:
0419     unregister_chrdev_region(devt, 1);
0420 err:
0421     fuse_abort_conn(fc);
0422     goto out;
0423 }
0424
0425 static int cuse_send_init(struct cuse_conn *cc)
0426 {
0427     int rc;
0428     struct page *page;
0429     struct fuse_mount *fm = &cc->fm;
0430     struct cuse_init_args *ia;
0431     struct fuse_args_pages *ap;
0432
0433     BUILD_BUG_ON(CUSE_INIT_INFO_MAX > PAGE_SIZE);
0434
0435     rc = -ENOMEM;
0436     page = alloc_page(GFP_KERNEL | __GFP_ZERO);
0437     if (!page)
0438         goto err;
0439
0440     ia = kzalloc(sizeof(*ia), GFP_KERNEL);
0441     if (!ia)
0442         goto err_free_page;
0443
0444     ap = &ia->ap;
0445     ia->in.major = FUSE_KERNEL_VERSION;
0446     ia->in.minor = FUSE_KERNEL_MINOR_VERSION;
0447     ia->in.flags |= CUSE_UNRESTRICTED_IOCTL;
0448     ap->args.opcode = CUSE_INIT;
0449     ap->args.in_numargs = 1;
0450     ap->args.in_args[0].size = sizeof(ia->in);
0451     ap->args.in_args[0].value = &ia->in;
0452     ap->args.out_numargs = 2;
0453     ap->args.out_args[0].size = sizeof(ia->out);
0454     ap->args.out_args[0].value = &ia->out;
0455     ap->args.out_args[1].size = CUSE_INIT_INFO_MAX;
0456     ap->args.out_argvar = true;
0457     ap->args.out_pages = true;
0458     ap->num_pages = 1;
0459     ap->pages = &ia->page;
0460     ap->descs = &ia->desc;
0461     ia->page = page;
0462     ia->desc.length = ap->args.out_args[1].size;
0463     ap->args.end = cuse_process_init_reply;
0464
0465     rc = fuse_simple_background(fm, &ap->args, GFP_KERNEL);
0466     if (rc) {
0467         kfree(ia);
0468 err_free_page:
0469         __free_page(page);
0470     }
0471 err:
0472     return rc;
0473 }
0474
0475 static void cuse_fc_release(struct fuse_conn *fc)
0476 {
0477     struct cuse_conn *cc = fc_to_cc(fc);
0478     kfree_rcu(cc, fc.rcu);
0479 }
0480
0481 /**
0482  * cuse_channel_open - open method for /dev/cuse
0483  * @inode: inode for /dev/cuse
0484  * @file: file struct being opened
0485  *
0486  * Userland CUSE server can create a CUSE device by opening /dev/cuse
0487  * and replying to the initialization request kernel sends.  This
0488  * function is responsible for handling CUSE device initialization.
0489  * Because the fd opened by this function is used during
0490  * initialization, this function only creates cuse_conn and sends
0491  * init.  The rest is delegated to a kthread.
0492  *
0493  * RETURNS:
0494  * 0 on success, -errno on failure.
0495  */
0496 static int cuse_channel_open(struct inode *inode, struct file *file)
0497 {
0498     struct fuse_dev *fud;
0499     struct cuse_conn *cc;
0500     int rc;
0501
0502     /* set up cuse_conn */
0503     cc = kzalloc(sizeof(*cc), GFP_KERNEL);
0504     if (!cc)
0505         return -ENOMEM;
0506
0507     /*
0508      * Limit the cuse channel to requests that can
0509      * be represented in file->f_cred->user_ns.
0510      */
0511     fuse_conn_init(&cc->fc, &cc->fm, file->f_cred->user_ns,
0512                &fuse_dev_fiq_ops, NULL);
0513
0514     cc->fc.release = cuse_fc_release;
0515     fud = fuse_dev_alloc_install(&cc->fc);
0516     fuse_conn_put(&cc->fc);
0517     if (!fud)
0518         return -ENOMEM;
0519
0520     INIT_LIST_HEAD(&cc->list);
0521
0522     cc->fc.initialized = 1;
0523     rc = cuse_send_init(cc);
0524     if (rc) {
0525         fuse_dev_free(fud);
0526         return rc;
0527     }
0528     file->private_data = fud;
0529
0530     return 0;
0531 }
0532
0533 /**
0534  * cuse_channel_release - release method for /dev/cuse
0535  * @inode: inode for /dev/cuse
0536  * @file: file struct being closed
0537  *
0538  * Disconnect the channel, deregister CUSE device and initiate
0539  * destruction by putting the default reference.
0540  *
0541  * RETURNS:
0542  * 0 on success, -errno on failure.
0543  */
0544 static int cuse_channel_release(struct inode *inode, struct file *file)
0545 {
0546     struct fuse_dev *fud = file->private_data;
0547     struct cuse_conn *cc = fc_to_cc(fud->fc);
0548     int rc;
0549
0550     /* remove from the conntbl, no more access from this point on */
0551     mutex_lock(&cuse_lock);
0552     list_del_init(&cc->list);
0553     mutex_unlock(&cuse_lock);
0554
0555     /* remove device */
0556     if (cc->dev)
0557         device_unregister(cc->dev);
0558     if (cc->cdev) {
0559         unregister_chrdev_region(cc->cdev->dev, 1);
0560         cdev_del(cc->cdev);
0561     }
0562
0563     rc = fuse_dev_release(inode, file); /* puts the base reference */
0564
0565     return rc;
0566 }
0567
0568 static struct file_operations cuse_channel_fops; /* initialized during init */
0569
0570
0571 /**************************************************************************
0572  * Misc stuff and module initializatiion
0573  *
0574  * CUSE exports the same set of attributes to sysfs as fusectl.
0575  */
0576
0577 static ssize_t cuse_class_waiting_show(struct device *dev,
0578                        struct device_attribute *attr, char *buf)
0579 {
0580     struct cuse_conn *cc = dev_get_drvdata(dev);
0581
0582     return sprintf(buf, "%d\n", atomic_read(&cc->fc.num_waiting));
0583 }
0584 static DEVICE_ATTR(waiting, 0400, cuse_class_waiting_show, NULL);
0585
0586 static ssize_t cuse_class_abort_store(struct device *dev,
0587                       struct device_attribute *attr,
0588                       const char *buf, size_t count)
0589 {
0590     struct cuse_conn *cc = dev_get_drvdata(dev);
0591
0592     fuse_abort_conn(&cc->fc);
0593     return count;
0594 }
0595 static DEVICE_ATTR(abort, 0200, NULL, cuse_class_abort_store);
0596
0597 static struct attribute *cuse_class_dev_attrs[] = {
0598     &dev_attr_waiting.attr,
0599     &dev_attr_abort.attr,
0600     NULL,
0601 };
0602 ATTRIBUTE_GROUPS(cuse_class_dev);
0603
0604 static struct miscdevice cuse_miscdev = {
0605     .minor      = CUSE_MINOR,
0606     .name       = "cuse",
0607     .fops       = &cuse_channel_fops,
0608 };
0609
0610 MODULE_ALIAS_MISCDEV(CUSE_MINOR);
0611 MODULE_ALIAS("devname:cuse");
0612
0613 static int __init cuse_init(void)
0614 {
0615     int i, rc;
0616
0617     /* init conntbl */
0618     for (i = 0; i < CUSE_CONNTBL_LEN; i++)
0619         INIT_LIST_HEAD(&cuse_conntbl[i]);
0620
0621     /* inherit and extend fuse_dev_operations */
0622     cuse_channel_fops       = fuse_dev_operations;
0623     cuse_channel_fops.owner     = THIS_MODULE;
0624     cuse_channel_fops.open      = cuse_channel_open;
0625     cuse_channel_fops.release   = cuse_channel_release;
0626     /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */
0627     cuse_channel_fops.unlocked_ioctl    = NULL;
0628
0629     cuse_class = class_create(THIS_MODULE, "cuse");
0630     if (IS_ERR(cuse_class))
0631         return PTR_ERR(cuse_class);
0632
0633     cuse_class->dev_groups = cuse_class_dev_groups;
0634
0635     rc = misc_register(&cuse_miscdev);
0636     if (rc) {
0637         class_destroy(cuse_class);
0638         return rc;
0639     }
0640
0641     return 0;
0642 }
0643
0644 static void __exit cuse_exit(void)
0645 {
0646     misc_deregister(&cuse_miscdev);
0647     class_destroy(cuse_class);
0648 }
0649
0650 module_init(cuse_init);
0651 module_exit(cuse_exit);
0652
0653 MODULE_AUTHOR("Tejun Heo <tj@kernel.org>");
0654 MODULE_DESCRIPTION("Character device in Userspace");
0655 MODULE_LICENSE("GPL");