1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * umd - User mode driver support
4  */
5 #include <linux/shmem_fs.h>
6 #include <linux/pipe_fs_i.h>
7 #include <linux/mount.h>
8 #include <linux/fs_struct.h>
9 #include <linux/task_work.h>
10 #include <linux/usermode_driver.h>
11 
blob_to_mnt(const void * data,size_t len,const char * name)12 static struct vfsmount *blob_to_mnt(const void *data, size_t len, const char *name)
13 {
14 	struct file_system_type *type;
15 	struct vfsmount *mnt;
16 	struct file *file;
17 	ssize_t written;
18 	loff_t pos = 0;
19 
20 	type = get_fs_type("tmpfs");
21 	if (!type)
22 		return ERR_PTR(-ENODEV);
23 
24 	mnt = kern_mount(type);
25 	put_filesystem(type);
26 	if (IS_ERR(mnt))
27 		return mnt;
28 
29 	file = file_open_root_mnt(mnt, name, O_CREAT | O_WRONLY, 0700);
30 	if (IS_ERR(file)) {
31 		mntput(mnt);
32 		return ERR_CAST(file);
33 	}
34 
35 	written = kernel_write(file, data, len, &pos);
36 	if (written != len) {
37 		int err = written;
38 		if (err >= 0)
39 			err = -ENOMEM;
40 		filp_close(file, NULL);
41 		mntput(mnt);
42 		return ERR_PTR(err);
43 	}
44 
45 	fput(file);
46 
47 	/* Flush delayed fput so exec can open the file read-only */
48 	flush_delayed_fput();
49 	task_work_run();
50 	return mnt;
51 }
52 
53 /**
54  * umd_load_blob - Remember a blob of bytes for fork_usermode_driver
55  * @info: information about usermode driver
56  * @data: a blob of bytes that can be executed as a file
57  * @len:  The lentgh of the blob
58  *
59  */
umd_load_blob(struct umd_info * info,const void * data,size_t len)60 int umd_load_blob(struct umd_info *info, const void *data, size_t len)
61 {
62 	struct vfsmount *mnt;
63 
64 	if (WARN_ON_ONCE(info->wd.dentry || info->wd.mnt))
65 		return -EBUSY;
66 
67 	mnt = blob_to_mnt(data, len, info->driver_name);
68 	if (IS_ERR(mnt))
69 		return PTR_ERR(mnt);
70 
71 	info->wd.mnt = mnt;
72 	info->wd.dentry = mnt->mnt_root;
73 	return 0;
74 }
75 EXPORT_SYMBOL_GPL(umd_load_blob);
76 
77 /**
78  * umd_unload_blob - Disassociate @info from a previously loaded blob
79  * @info: information about usermode driver
80  *
81  */
umd_unload_blob(struct umd_info * info)82 int umd_unload_blob(struct umd_info *info)
83 {
84 	if (WARN_ON_ONCE(!info->wd.mnt ||
85 			 !info->wd.dentry ||
86 			 info->wd.mnt->mnt_root != info->wd.dentry))
87 		return -EINVAL;
88 
89 	kern_unmount(info->wd.mnt);
90 	info->wd.mnt = NULL;
91 	info->wd.dentry = NULL;
92 	return 0;
93 }
94 EXPORT_SYMBOL_GPL(umd_unload_blob);
95 
umd_setup(struct subprocess_info * info,struct cred * new)96 static int umd_setup(struct subprocess_info *info, struct cred *new)
97 {
98 	struct umd_info *umd_info = info->data;
99 	struct file *from_umh[2];
100 	struct file *to_umh[2];
101 	int err;
102 
103 	/* create pipe to send data to umh */
104 	err = create_pipe_files(to_umh, 0);
105 	if (err)
106 		return err;
107 	err = replace_fd(0, to_umh[0], 0);
108 	fput(to_umh[0]);
109 	if (err < 0) {
110 		fput(to_umh[1]);
111 		return err;
112 	}
113 
114 	/* create pipe to receive data from umh */
115 	err = create_pipe_files(from_umh, 0);
116 	if (err) {
117 		fput(to_umh[1]);
118 		replace_fd(0, NULL, 0);
119 		return err;
120 	}
121 	err = replace_fd(1, from_umh[1], 0);
122 	fput(from_umh[1]);
123 	if (err < 0) {
124 		fput(to_umh[1]);
125 		replace_fd(0, NULL, 0);
126 		fput(from_umh[0]);
127 		return err;
128 	}
129 
130 	set_fs_pwd(current->fs, &umd_info->wd);
131 	umd_info->pipe_to_umh = to_umh[1];
132 	umd_info->pipe_from_umh = from_umh[0];
133 	umd_info->tgid = get_pid(task_tgid(current));
134 	return 0;
135 }
136 
umd_cleanup(struct subprocess_info * info)137 static void umd_cleanup(struct subprocess_info *info)
138 {
139 	struct umd_info *umd_info = info->data;
140 
141 	/* cleanup if umh_setup() was successful but exec failed */
142 	if (info->retval)
143 		umd_cleanup_helper(umd_info);
144 }
145 
146 /**
147  * umd_cleanup_helper - release the resources which were allocated in umd_setup
148  * @info: information about usermode driver
149  */
umd_cleanup_helper(struct umd_info * info)150 void umd_cleanup_helper(struct umd_info *info)
151 {
152 	fput(info->pipe_to_umh);
153 	fput(info->pipe_from_umh);
154 	put_pid(info->tgid);
155 	info->tgid = NULL;
156 }
157 EXPORT_SYMBOL_GPL(umd_cleanup_helper);
158 
159 /**
160  * fork_usermode_driver - fork a usermode driver
161  * @info: information about usermode driver (shouldn't be NULL)
162  *
163  * Returns either negative error or zero which indicates success in
164  * executing a usermode driver. In such case 'struct umd_info *info'
165  * is populated with two pipes and a tgid of the process. The caller is
166  * responsible for health check of the user process, killing it via
167  * tgid, and closing the pipes when user process is no longer needed.
168  */
fork_usermode_driver(struct umd_info * info)169 int fork_usermode_driver(struct umd_info *info)
170 {
171 	struct subprocess_info *sub_info;
172 	const char *argv[] = { info->driver_name, NULL };
173 	int err;
174 
175 	if (WARN_ON_ONCE(info->tgid))
176 		return -EBUSY;
177 
178 	err = -ENOMEM;
179 	sub_info = call_usermodehelper_setup(info->driver_name,
180 					     (char **)argv, NULL, GFP_KERNEL,
181 					     umd_setup, umd_cleanup, info);
182 	if (!sub_info)
183 		goto out;
184 
185 	err = call_usermodehelper_exec(sub_info, UMH_WAIT_EXEC);
186 out:
187 	return err;
188 }
189 EXPORT_SYMBOL_GPL(fork_usermode_driver);
190 
191 
192