xref: /openbmc/linux/fs/binfmt_misc.c (revision 26d0dfbb16fcb17d128a79dc70f3020ea6992af0)
1  // SPDX-License-Identifier: GPL-2.0-only
2  /*
3   * binfmt_misc.c
4   *
5   * Copyright (C) 1997 Richard Günther
6   *
7   * binfmt_misc detects binaries via a magic or filename extension and invokes
8   * a specified wrapper. See Documentation/admin-guide/binfmt-misc.rst for more details.
9   */
10  
11  #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12  
13  #include <linux/kernel.h>
14  #include <linux/module.h>
15  #include <linux/init.h>
16  #include <linux/sched/mm.h>
17  #include <linux/magic.h>
18  #include <linux/binfmts.h>
19  #include <linux/slab.h>
20  #include <linux/ctype.h>
21  #include <linux/string_helpers.h>
22  #include <linux/file.h>
23  #include <linux/pagemap.h>
24  #include <linux/namei.h>
25  #include <linux/mount.h>
26  #include <linux/fs_context.h>
27  #include <linux/syscalls.h>
28  #include <linux/fs.h>
29  #include <linux/uaccess.h>
30  
31  #include "internal.h"
32  
33  #ifdef DEBUG
34  # define USE_DEBUG 1
35  #else
36  # define USE_DEBUG 0
37  #endif
38  
39  enum {
40  	VERBOSE_STATUS = 1 /* make it zero to save 400 bytes kernel memory */
41  };
42  
43  static LIST_HEAD(entries);
44  static int enabled = 1;
45  
46  enum {Enabled, Magic};
47  #define MISC_FMT_PRESERVE_ARGV0 (1UL << 31)
48  #define MISC_FMT_OPEN_BINARY (1UL << 30)
49  #define MISC_FMT_CREDENTIALS (1UL << 29)
50  #define MISC_FMT_OPEN_FILE (1UL << 28)
51  
52  typedef struct {
53  	struct list_head list;
54  	unsigned long flags;		/* type, status, etc. */
55  	int offset;			/* offset of magic */
56  	int size;			/* size of magic/mask */
57  	char *magic;			/* magic or filename extension */
58  	char *mask;			/* mask, NULL for exact match */
59  	const char *interpreter;	/* filename of interpreter */
60  	char *name;
61  	struct dentry *dentry;
62  	struct file *interp_file;
63  	refcount_t users;		/* sync removal with load_misc_binary() */
64  } Node;
65  
66  static DEFINE_RWLOCK(entries_lock);
67  static struct file_system_type bm_fs_type;
68  
69  /*
70   * Max length of the register string.  Determined by:
71   *  - 7 delimiters
72   *  - name:   ~50 bytes
73   *  - type:   1 byte
74   *  - offset: 3 bytes (has to be smaller than BINPRM_BUF_SIZE)
75   *  - magic:  128 bytes (512 in escaped form)
76   *  - mask:   128 bytes (512 in escaped form)
77   *  - interp: ~50 bytes
78   *  - flags:  5 bytes
79   * Round that up a bit, and then back off to hold the internal data
80   * (like struct Node).
81   */
82  #define MAX_REGISTER_LENGTH 1920
83  
84  /**
85   * search_binfmt_handler - search for a binary handler for @bprm
86   * @misc: handle to binfmt_misc instance
87   * @bprm: binary for which we are looking for a handler
88   *
89   * Search for a binary type handler for @bprm in the list of registered binary
90   * type handlers.
91   *
92   * Return: binary type list entry on success, NULL on failure
93   */
search_binfmt_handler(struct linux_binprm * bprm)94  static Node *search_binfmt_handler(struct linux_binprm *bprm)
95  {
96  	char *p = strrchr(bprm->interp, '.');
97  	Node *e;
98  
99  	/* Walk all the registered handlers. */
100  	list_for_each_entry(e, &entries, list) {
101  		char *s;
102  		int j;
103  
104  		/* Make sure this one is currently enabled. */
105  		if (!test_bit(Enabled, &e->flags))
106  			continue;
107  
108  		/* Do matching based on extension if applicable. */
109  		if (!test_bit(Magic, &e->flags)) {
110  			if (p && !strcmp(e->magic, p + 1))
111  				return e;
112  			continue;
113  		}
114  
115  		/* Do matching based on magic & mask. */
116  		s = bprm->buf + e->offset;
117  		if (e->mask) {
118  			for (j = 0; j < e->size; j++)
119  				if ((*s++ ^ e->magic[j]) & e->mask[j])
120  					break;
121  		} else {
122  			for (j = 0; j < e->size; j++)
123  				if ((*s++ ^ e->magic[j]))
124  					break;
125  		}
126  		if (j == e->size)
127  			return e;
128  	}
129  
130  	return NULL;
131  }
132  
133  /**
134   * get_binfmt_handler - try to find a binary type handler
135   * @misc: handle to binfmt_misc instance
136   * @bprm: binary for which we are looking for a handler
137   *
138   * Try to find a binfmt handler for the binary type. If one is found take a
139   * reference to protect against removal via bm_{entry,status}_write().
140   *
141   * Return: binary type list entry on success, NULL on failure
142   */
get_binfmt_handler(struct linux_binprm * bprm)143  static Node *get_binfmt_handler(struct linux_binprm *bprm)
144  {
145  	Node *e;
146  
147  	read_lock(&entries_lock);
148  	e = search_binfmt_handler(bprm);
149  	if (e)
150  		refcount_inc(&e->users);
151  	read_unlock(&entries_lock);
152  	return e;
153  }
154  
155  /**
156   * put_binfmt_handler - put binary handler node
157   * @e: node to put
158   *
159   * Free node syncing with load_misc_binary() and defer final free to
160   * load_misc_binary() in case it is using the binary type handler we were
161   * requested to remove.
162   */
put_binfmt_handler(Node * e)163  static void put_binfmt_handler(Node *e)
164  {
165  	if (refcount_dec_and_test(&e->users)) {
166  		if (e->flags & MISC_FMT_OPEN_FILE)
167  			filp_close(e->interp_file, NULL);
168  		kfree(e);
169  	}
170  }
171  
172  /*
173   * the loader itself
174   */
load_misc_binary(struct linux_binprm * bprm)175  static int load_misc_binary(struct linux_binprm *bprm)
176  {
177  	Node *fmt;
178  	struct file *interp_file = NULL;
179  	int retval;
180  
181  	retval = -ENOEXEC;
182  	if (!enabled)
183  		return retval;
184  
185  	fmt = get_binfmt_handler(bprm);
186  	if (!fmt)
187  		return retval;
188  
189  	/* Need to be able to load the file after exec */
190  	retval = -ENOENT;
191  	if (bprm->interp_flags & BINPRM_FLAGS_PATH_INACCESSIBLE)
192  		goto ret;
193  
194  	if (fmt->flags & MISC_FMT_PRESERVE_ARGV0) {
195  		bprm->interp_flags |= BINPRM_FLAGS_PRESERVE_ARGV0;
196  	} else {
197  		retval = remove_arg_zero(bprm);
198  		if (retval)
199  			goto ret;
200  	}
201  
202  	if (fmt->flags & MISC_FMT_OPEN_BINARY)
203  		bprm->have_execfd = 1;
204  
205  	/* make argv[1] be the path to the binary */
206  	retval = copy_string_kernel(bprm->interp, bprm);
207  	if (retval < 0)
208  		goto ret;
209  	bprm->argc++;
210  
211  	/* add the interp as argv[0] */
212  	retval = copy_string_kernel(fmt->interpreter, bprm);
213  	if (retval < 0)
214  		goto ret;
215  	bprm->argc++;
216  
217  	/* Update interp in case binfmt_script needs it. */
218  	retval = bprm_change_interp(fmt->interpreter, bprm);
219  	if (retval < 0)
220  		goto ret;
221  
222  	if (fmt->flags & MISC_FMT_OPEN_FILE) {
223  		interp_file = file_clone_open(fmt->interp_file);
224  		if (!IS_ERR(interp_file))
225  			deny_write_access(interp_file);
226  	} else {
227  		interp_file = open_exec(fmt->interpreter);
228  	}
229  	retval = PTR_ERR(interp_file);
230  	if (IS_ERR(interp_file))
231  		goto ret;
232  
233  	bprm->interpreter = interp_file;
234  	if (fmt->flags & MISC_FMT_CREDENTIALS)
235  		bprm->execfd_creds = 1;
236  
237  	retval = 0;
238  ret:
239  
240  	/*
241  	 * If we actually put the node here all concurrent calls to
242  	 * load_misc_binary() will have finished. We also know
243  	 * that for the refcount to be zero ->evict_inode() must have removed
244  	 * the node to be deleted from the list. All that is left for us is to
245  	 * close and free.
246  	 */
247  	put_binfmt_handler(fmt);
248  
249  	return retval;
250  }
251  
252  /* Command parsers */
253  
254  /*
255   * parses and copies one argument enclosed in del from *sp to *dp,
256   * recognising the \x special.
257   * returns pointer to the copied argument or NULL in case of an
258   * error (and sets err) or null argument length.
259   */
scanarg(char * s,char del)260  static char *scanarg(char *s, char del)
261  {
262  	char c;
263  
264  	while ((c = *s++) != del) {
265  		if (c == '\\' && *s == 'x') {
266  			s++;
267  			if (!isxdigit(*s++))
268  				return NULL;
269  			if (!isxdigit(*s++))
270  				return NULL;
271  		}
272  	}
273  	s[-1] ='\0';
274  	return s;
275  }
276  
check_special_flags(char * sfs,Node * e)277  static char *check_special_flags(char *sfs, Node *e)
278  {
279  	char *p = sfs;
280  	int cont = 1;
281  
282  	/* special flags */
283  	while (cont) {
284  		switch (*p) {
285  		case 'P':
286  			pr_debug("register: flag: P (preserve argv0)\n");
287  			p++;
288  			e->flags |= MISC_FMT_PRESERVE_ARGV0;
289  			break;
290  		case 'O':
291  			pr_debug("register: flag: O (open binary)\n");
292  			p++;
293  			e->flags |= MISC_FMT_OPEN_BINARY;
294  			break;
295  		case 'C':
296  			pr_debug("register: flag: C (preserve creds)\n");
297  			p++;
298  			/* this flags also implies the
299  			   open-binary flag */
300  			e->flags |= (MISC_FMT_CREDENTIALS |
301  					MISC_FMT_OPEN_BINARY);
302  			break;
303  		case 'F':
304  			pr_debug("register: flag: F: open interpreter file now\n");
305  			p++;
306  			e->flags |= MISC_FMT_OPEN_FILE;
307  			break;
308  		default:
309  			cont = 0;
310  		}
311  	}
312  
313  	return p;
314  }
315  
316  /*
317   * This registers a new binary format, it recognises the syntax
318   * ':name:type:offset:magic:mask:interpreter:flags'
319   * where the ':' is the IFS, that can be chosen with the first char
320   */
create_entry(const char __user * buffer,size_t count)321  static Node *create_entry(const char __user *buffer, size_t count)
322  {
323  	Node *e;
324  	int memsize, err;
325  	char *buf, *p;
326  	char del;
327  
328  	pr_debug("register: received %zu bytes\n", count);
329  
330  	/* some sanity checks */
331  	err = -EINVAL;
332  	if ((count < 11) || (count > MAX_REGISTER_LENGTH))
333  		goto out;
334  
335  	err = -ENOMEM;
336  	memsize = sizeof(Node) + count + 8;
337  	e = kmalloc(memsize, GFP_KERNEL);
338  	if (!e)
339  		goto out;
340  
341  	p = buf = (char *)e + sizeof(Node);
342  
343  	memset(e, 0, sizeof(Node));
344  	if (copy_from_user(buf, buffer, count))
345  		goto efault;
346  
347  	del = *p++;	/* delimeter */
348  
349  	pr_debug("register: delim: %#x {%c}\n", del, del);
350  
351  	/* Pad the buffer with the delim to simplify parsing below. */
352  	memset(buf + count, del, 8);
353  
354  	/* Parse the 'name' field. */
355  	e->name = p;
356  	p = strchr(p, del);
357  	if (!p)
358  		goto einval;
359  	*p++ = '\0';
360  	if (!e->name[0] ||
361  	    !strcmp(e->name, ".") ||
362  	    !strcmp(e->name, "..") ||
363  	    strchr(e->name, '/'))
364  		goto einval;
365  
366  	pr_debug("register: name: {%s}\n", e->name);
367  
368  	/* Parse the 'type' field. */
369  	switch (*p++) {
370  	case 'E':
371  		pr_debug("register: type: E (extension)\n");
372  		e->flags = 1 << Enabled;
373  		break;
374  	case 'M':
375  		pr_debug("register: type: M (magic)\n");
376  		e->flags = (1 << Enabled) | (1 << Magic);
377  		break;
378  	default:
379  		goto einval;
380  	}
381  	if (*p++ != del)
382  		goto einval;
383  
384  	if (test_bit(Magic, &e->flags)) {
385  		/* Handle the 'M' (magic) format. */
386  		char *s;
387  
388  		/* Parse the 'offset' field. */
389  		s = strchr(p, del);
390  		if (!s)
391  			goto einval;
392  		*s = '\0';
393  		if (p != s) {
394  			int r = kstrtoint(p, 10, &e->offset);
395  			if (r != 0 || e->offset < 0)
396  				goto einval;
397  		}
398  		p = s;
399  		if (*p++)
400  			goto einval;
401  		pr_debug("register: offset: %#x\n", e->offset);
402  
403  		/* Parse the 'magic' field. */
404  		e->magic = p;
405  		p = scanarg(p, del);
406  		if (!p)
407  			goto einval;
408  		if (!e->magic[0])
409  			goto einval;
410  		if (USE_DEBUG)
411  			print_hex_dump_bytes(
412  				KBUILD_MODNAME ": register: magic[raw]: ",
413  				DUMP_PREFIX_NONE, e->magic, p - e->magic);
414  
415  		/* Parse the 'mask' field. */
416  		e->mask = p;
417  		p = scanarg(p, del);
418  		if (!p)
419  			goto einval;
420  		if (!e->mask[0]) {
421  			e->mask = NULL;
422  			pr_debug("register:  mask[raw]: none\n");
423  		} else if (USE_DEBUG)
424  			print_hex_dump_bytes(
425  				KBUILD_MODNAME ": register:  mask[raw]: ",
426  				DUMP_PREFIX_NONE, e->mask, p - e->mask);
427  
428  		/*
429  		 * Decode the magic & mask fields.
430  		 * Note: while we might have accepted embedded NUL bytes from
431  		 * above, the unescape helpers here will stop at the first one
432  		 * it encounters.
433  		 */
434  		e->size = string_unescape_inplace(e->magic, UNESCAPE_HEX);
435  		if (e->mask &&
436  		    string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size)
437  			goto einval;
438  		if (e->size > BINPRM_BUF_SIZE ||
439  		    BINPRM_BUF_SIZE - e->size < e->offset)
440  			goto einval;
441  		pr_debug("register: magic/mask length: %i\n", e->size);
442  		if (USE_DEBUG) {
443  			print_hex_dump_bytes(
444  				KBUILD_MODNAME ": register: magic[decoded]: ",
445  				DUMP_PREFIX_NONE, e->magic, e->size);
446  
447  			if (e->mask) {
448  				int i;
449  				char *masked = kmalloc(e->size, GFP_KERNEL);
450  
451  				print_hex_dump_bytes(
452  					KBUILD_MODNAME ": register:  mask[decoded]: ",
453  					DUMP_PREFIX_NONE, e->mask, e->size);
454  
455  				if (masked) {
456  					for (i = 0; i < e->size; ++i)
457  						masked[i] = e->magic[i] & e->mask[i];
458  					print_hex_dump_bytes(
459  						KBUILD_MODNAME ": register:  magic[masked]: ",
460  						DUMP_PREFIX_NONE, masked, e->size);
461  
462  					kfree(masked);
463  				}
464  			}
465  		}
466  	} else {
467  		/* Handle the 'E' (extension) format. */
468  
469  		/* Skip the 'offset' field. */
470  		p = strchr(p, del);
471  		if (!p)
472  			goto einval;
473  		*p++ = '\0';
474  
475  		/* Parse the 'magic' field. */
476  		e->magic = p;
477  		p = strchr(p, del);
478  		if (!p)
479  			goto einval;
480  		*p++ = '\0';
481  		if (!e->magic[0] || strchr(e->magic, '/'))
482  			goto einval;
483  		pr_debug("register: extension: {%s}\n", e->magic);
484  
485  		/* Skip the 'mask' field. */
486  		p = strchr(p, del);
487  		if (!p)
488  			goto einval;
489  		*p++ = '\0';
490  	}
491  
492  	/* Parse the 'interpreter' field. */
493  	e->interpreter = p;
494  	p = strchr(p, del);
495  	if (!p)
496  		goto einval;
497  	*p++ = '\0';
498  	if (!e->interpreter[0])
499  		goto einval;
500  	pr_debug("register: interpreter: {%s}\n", e->interpreter);
501  
502  	/* Parse the 'flags' field. */
503  	p = check_special_flags(p, e);
504  	if (*p == '\n')
505  		p++;
506  	if (p != buf + count)
507  		goto einval;
508  
509  	return e;
510  
511  out:
512  	return ERR_PTR(err);
513  
514  efault:
515  	kfree(e);
516  	return ERR_PTR(-EFAULT);
517  einval:
518  	kfree(e);
519  	return ERR_PTR(-EINVAL);
520  }
521  
522  /*
523   * Set status of entry/binfmt_misc:
524   * '1' enables, '0' disables and '-1' clears entry/binfmt_misc
525   */
parse_command(const char __user * buffer,size_t count)526  static int parse_command(const char __user *buffer, size_t count)
527  {
528  	char s[4];
529  
530  	if (count > 3)
531  		return -EINVAL;
532  	if (copy_from_user(s, buffer, count))
533  		return -EFAULT;
534  	if (!count)
535  		return 0;
536  	if (s[count - 1] == '\n')
537  		count--;
538  	if (count == 1 && s[0] == '0')
539  		return 1;
540  	if (count == 1 && s[0] == '1')
541  		return 2;
542  	if (count == 2 && s[0] == '-' && s[1] == '1')
543  		return 3;
544  	return -EINVAL;
545  }
546  
547  /* generic stuff */
548  
entry_status(Node * e,char * page)549  static void entry_status(Node *e, char *page)
550  {
551  	char *dp = page;
552  	const char *status = "disabled";
553  
554  	if (test_bit(Enabled, &e->flags))
555  		status = "enabled";
556  
557  	if (!VERBOSE_STATUS) {
558  		sprintf(page, "%s\n", status);
559  		return;
560  	}
561  
562  	dp += sprintf(dp, "%s\ninterpreter %s\n", status, e->interpreter);
563  
564  	/* print the special flags */
565  	dp += sprintf(dp, "flags: ");
566  	if (e->flags & MISC_FMT_PRESERVE_ARGV0)
567  		*dp++ = 'P';
568  	if (e->flags & MISC_FMT_OPEN_BINARY)
569  		*dp++ = 'O';
570  	if (e->flags & MISC_FMT_CREDENTIALS)
571  		*dp++ = 'C';
572  	if (e->flags & MISC_FMT_OPEN_FILE)
573  		*dp++ = 'F';
574  	*dp++ = '\n';
575  
576  	if (!test_bit(Magic, &e->flags)) {
577  		sprintf(dp, "extension .%s\n", e->magic);
578  	} else {
579  		dp += sprintf(dp, "offset %i\nmagic ", e->offset);
580  		dp = bin2hex(dp, e->magic, e->size);
581  		if (e->mask) {
582  			dp += sprintf(dp, "\nmask ");
583  			dp = bin2hex(dp, e->mask, e->size);
584  		}
585  		*dp++ = '\n';
586  		*dp = '\0';
587  	}
588  }
589  
bm_get_inode(struct super_block * sb,int mode)590  static struct inode *bm_get_inode(struct super_block *sb, int mode)
591  {
592  	struct inode *inode = new_inode(sb);
593  
594  	if (inode) {
595  		inode->i_ino = get_next_ino();
596  		inode->i_mode = mode;
597  		inode->i_atime = inode->i_mtime = inode_set_ctime_current(inode);
598  	}
599  	return inode;
600  }
601  
602  /**
603   * bm_evict_inode - cleanup data associated with @inode
604   * @inode: inode to which the data is attached
605   *
606   * Cleanup the binary type handler data associated with @inode if a binary type
607   * entry is removed or the filesystem is unmounted and the super block is
608   * shutdown.
609   *
610   * If the ->evict call was not caused by a super block shutdown but by a write
611   * to remove the entry or all entries via bm_{entry,status}_write() the entry
612   * will have already been removed from the list. We keep the list_empty() check
613   * to make that explicit.
614  */
bm_evict_inode(struct inode * inode)615  static void bm_evict_inode(struct inode *inode)
616  {
617  	Node *e = inode->i_private;
618  
619  	clear_inode(inode);
620  
621  	if (e) {
622  		write_lock(&entries_lock);
623  		if (!list_empty(&e->list))
624  			list_del_init(&e->list);
625  		write_unlock(&entries_lock);
626  		put_binfmt_handler(e);
627  	}
628  }
629  
630  /**
631   * unlink_binfmt_dentry - remove the dentry for the binary type handler
632   * @dentry: dentry associated with the binary type handler
633   *
634   * Do the actual filesystem work to remove a dentry for a registered binary
635   * type handler. Since binfmt_misc only allows simple files to be created
636   * directly under the root dentry of the filesystem we ensure that we are
637   * indeed passed a dentry directly beneath the root dentry, that the inode
638   * associated with the root dentry is locked, and that it is a regular file we
639   * are asked to remove.
640   */
unlink_binfmt_dentry(struct dentry * dentry)641  static void unlink_binfmt_dentry(struct dentry *dentry)
642  {
643  	struct dentry *parent = dentry->d_parent;
644  	struct inode *inode, *parent_inode;
645  
646  	/* All entries are immediate descendants of the root dentry. */
647  	if (WARN_ON_ONCE(dentry->d_sb->s_root != parent))
648  		return;
649  
650  	/* We only expect to be called on regular files. */
651  	inode = d_inode(dentry);
652  	if (WARN_ON_ONCE(!S_ISREG(inode->i_mode)))
653  		return;
654  
655  	/* The parent inode must be locked. */
656  	parent_inode = d_inode(parent);
657  	if (WARN_ON_ONCE(!inode_is_locked(parent_inode)))
658  		return;
659  
660  	if (simple_positive(dentry)) {
661  		dget(dentry);
662  		simple_unlink(parent_inode, dentry);
663  		d_delete(dentry);
664  		dput(dentry);
665  	}
666  }
667  
668  /**
669   * remove_binfmt_handler - remove a binary type handler
670   * @misc: handle to binfmt_misc instance
671   * @e: binary type handler to remove
672   *
673   * Remove a binary type handler from the list of binary type handlers and
674   * remove its associated dentry. This is called from
675   * binfmt_{entry,status}_write(). In the future, we might want to think about
676   * adding a proper ->unlink() method to binfmt_misc instead of forcing caller's
677   * to use writes to files in order to delete binary type handlers. But it has
678   * worked for so long that it's not a pressing issue.
679   */
remove_binfmt_handler(Node * e)680  static void remove_binfmt_handler(Node *e)
681  {
682  	write_lock(&entries_lock);
683  	list_del_init(&e->list);
684  	write_unlock(&entries_lock);
685  	unlink_binfmt_dentry(e->dentry);
686  }
687  
688  /* /<entry> */
689  
690  static ssize_t
bm_entry_read(struct file * file,char __user * buf,size_t nbytes,loff_t * ppos)691  bm_entry_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
692  {
693  	Node *e = file_inode(file)->i_private;
694  	ssize_t res;
695  	char *page;
696  
697  	page = (char *) __get_free_page(GFP_KERNEL);
698  	if (!page)
699  		return -ENOMEM;
700  
701  	entry_status(e, page);
702  
703  	res = simple_read_from_buffer(buf, nbytes, ppos, page, strlen(page));
704  
705  	free_page((unsigned long) page);
706  	return res;
707  }
708  
bm_entry_write(struct file * file,const char __user * buffer,size_t count,loff_t * ppos)709  static ssize_t bm_entry_write(struct file *file, const char __user *buffer,
710  				size_t count, loff_t *ppos)
711  {
712  	struct inode *inode = file_inode(file);
713  	Node *e = inode->i_private;
714  	int res = parse_command(buffer, count);
715  
716  	switch (res) {
717  	case 1:
718  		/* Disable this handler. */
719  		clear_bit(Enabled, &e->flags);
720  		break;
721  	case 2:
722  		/* Enable this handler. */
723  		set_bit(Enabled, &e->flags);
724  		break;
725  	case 3:
726  		/* Delete this handler. */
727  		inode = d_inode(inode->i_sb->s_root);
728  		inode_lock(inode);
729  
730  		/*
731  		 * In order to add new element or remove elements from the list
732  		 * via bm_{entry,register,status}_write() inode_lock() on the
733  		 * root inode must be held.
734  		 * The lock is exclusive ensuring that the list can't be
735  		 * modified. Only load_misc_binary() can access but does so
736  		 * read-only. So we only need to take the write lock when we
737  		 * actually remove the entry from the list.
738  		 */
739  		if (!list_empty(&e->list))
740  			remove_binfmt_handler(e);
741  
742  		inode_unlock(inode);
743  		break;
744  	default:
745  		return res;
746  	}
747  
748  	return count;
749  }
750  
751  static const struct file_operations bm_entry_operations = {
752  	.read		= bm_entry_read,
753  	.write		= bm_entry_write,
754  	.llseek		= default_llseek,
755  };
756  
757  /* /register */
758  
bm_register_write(struct file * file,const char __user * buffer,size_t count,loff_t * ppos)759  static ssize_t bm_register_write(struct file *file, const char __user *buffer,
760  			       size_t count, loff_t *ppos)
761  {
762  	Node *e;
763  	struct inode *inode;
764  	struct super_block *sb = file_inode(file)->i_sb;
765  	struct dentry *root = sb->s_root, *dentry;
766  	int err = 0;
767  	struct file *f = NULL;
768  
769  	e = create_entry(buffer, count);
770  
771  	if (IS_ERR(e))
772  		return PTR_ERR(e);
773  
774  	if (e->flags & MISC_FMT_OPEN_FILE) {
775  		f = open_exec(e->interpreter);
776  		if (IS_ERR(f)) {
777  			pr_notice("register: failed to install interpreter file %s\n",
778  				 e->interpreter);
779  			kfree(e);
780  			return PTR_ERR(f);
781  		}
782  		e->interp_file = f;
783  	}
784  
785  	inode_lock(d_inode(root));
786  	dentry = lookup_one_len(e->name, root, strlen(e->name));
787  	err = PTR_ERR(dentry);
788  	if (IS_ERR(dentry))
789  		goto out;
790  
791  	err = -EEXIST;
792  	if (d_really_is_positive(dentry))
793  		goto out2;
794  
795  	inode = bm_get_inode(sb, S_IFREG | 0644);
796  
797  	err = -ENOMEM;
798  	if (!inode)
799  		goto out2;
800  
801  	refcount_set(&e->users, 1);
802  	e->dentry = dget(dentry);
803  	inode->i_private = e;
804  	inode->i_fop = &bm_entry_operations;
805  
806  	d_instantiate(dentry, inode);
807  	write_lock(&entries_lock);
808  	list_add(&e->list, &entries);
809  	write_unlock(&entries_lock);
810  
811  	err = 0;
812  out2:
813  	dput(dentry);
814  out:
815  	inode_unlock(d_inode(root));
816  
817  	if (err) {
818  		if (f)
819  			filp_close(f, NULL);
820  		kfree(e);
821  		return err;
822  	}
823  	return count;
824  }
825  
826  static const struct file_operations bm_register_operations = {
827  	.write		= bm_register_write,
828  	.llseek		= noop_llseek,
829  };
830  
831  /* /status */
832  
833  static ssize_t
bm_status_read(struct file * file,char __user * buf,size_t nbytes,loff_t * ppos)834  bm_status_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
835  {
836  	char *s = enabled ? "enabled\n" : "disabled\n";
837  
838  	return simple_read_from_buffer(buf, nbytes, ppos, s, strlen(s));
839  }
840  
bm_status_write(struct file * file,const char __user * buffer,size_t count,loff_t * ppos)841  static ssize_t bm_status_write(struct file *file, const char __user *buffer,
842  		size_t count, loff_t *ppos)
843  {
844  	int res = parse_command(buffer, count);
845  	Node *e, *next;
846  	struct inode *inode;
847  
848  	switch (res) {
849  	case 1:
850  		/* Disable all handlers. */
851  		enabled = 0;
852  		break;
853  	case 2:
854  		/* Enable all handlers. */
855  		enabled = 1;
856  		break;
857  	case 3:
858  		/* Delete all handlers. */
859  		inode = d_inode(file_inode(file)->i_sb->s_root);
860  		inode_lock(inode);
861  
862  		/*
863  		 * In order to add new element or remove elements from the list
864  		 * via bm_{entry,register,status}_write() inode_lock() on the
865  		 * root inode must be held.
866  		 * The lock is exclusive ensuring that the list can't be
867  		 * modified. Only load_misc_binary() can access but does so
868  		 * read-only. So we only need to take the write lock when we
869  		 * actually remove the entry from the list.
870  		 */
871  		list_for_each_entry_safe(e, next, &entries, list)
872  			remove_binfmt_handler(e);
873  
874  		inode_unlock(inode);
875  		break;
876  	default:
877  		return res;
878  	}
879  
880  	return count;
881  }
882  
883  static const struct file_operations bm_status_operations = {
884  	.read		= bm_status_read,
885  	.write		= bm_status_write,
886  	.llseek		= default_llseek,
887  };
888  
889  /* Superblock handling */
890  
891  static const struct super_operations s_ops = {
892  	.statfs		= simple_statfs,
893  	.evict_inode	= bm_evict_inode,
894  };
895  
bm_fill_super(struct super_block * sb,struct fs_context * fc)896  static int bm_fill_super(struct super_block *sb, struct fs_context *fc)
897  {
898  	int err;
899  	static const struct tree_descr bm_files[] = {
900  		[2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
901  		[3] = {"register", &bm_register_operations, S_IWUSR},
902  		/* last one */ {""}
903  	};
904  
905  	err = simple_fill_super(sb, BINFMTFS_MAGIC, bm_files);
906  	if (!err)
907  		sb->s_op = &s_ops;
908  	return err;
909  }
910  
bm_get_tree(struct fs_context * fc)911  static int bm_get_tree(struct fs_context *fc)
912  {
913  	return get_tree_single(fc, bm_fill_super);
914  }
915  
916  static const struct fs_context_operations bm_context_ops = {
917  	.get_tree	= bm_get_tree,
918  };
919  
bm_init_fs_context(struct fs_context * fc)920  static int bm_init_fs_context(struct fs_context *fc)
921  {
922  	fc->ops = &bm_context_ops;
923  	return 0;
924  }
925  
926  static struct linux_binfmt misc_format = {
927  	.module = THIS_MODULE,
928  	.load_binary = load_misc_binary,
929  };
930  
931  static struct file_system_type bm_fs_type = {
932  	.owner		= THIS_MODULE,
933  	.name		= "binfmt_misc",
934  	.init_fs_context = bm_init_fs_context,
935  	.kill_sb	= kill_litter_super,
936  };
937  MODULE_ALIAS_FS("binfmt_misc");
938  
init_misc_binfmt(void)939  static int __init init_misc_binfmt(void)
940  {
941  	int err = register_filesystem(&bm_fs_type);
942  	if (!err)
943  		insert_binfmt(&misc_format);
944  	return err;
945  }
946  
exit_misc_binfmt(void)947  static void __exit exit_misc_binfmt(void)
948  {
949  	unregister_binfmt(&misc_format);
950  	unregister_filesystem(&bm_fs_type);
951  }
952  
953  core_initcall(init_misc_binfmt);
954  module_exit(exit_misc_binfmt);
955  MODULE_LICENSE("GPL");
956