1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/* -*- linux-c -*- --------------------------------------------------------- *
3
 *
4
 * linux/fs/devpts/inode.c
5
 *
6
 *  Copyright 1998-2004 H. Peter Anvin -- All Rights Reserved
7
 *
8
 * ------------------------------------------------------------------------- */
9

10
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11

12
#include <linux/module.h>
13
#include <linux/init.h>
14
#include <linux/fs.h>
15
#include <linux/fs_context.h>
16
#include <linux/fs_parser.h>
17
#include <linux/sched.h>
18
#include <linux/namei.h>
19
#include <linux/slab.h>
20
#include <linux/mount.h>
21
#include <linux/tty.h>
22
#include <linux/mutex.h>
23
#include <linux/magic.h>
24
#include <linux/idr.h>
25
#include <linux/devpts_fs.h>
26
#include <linux/fsnotify.h>
27
#include <linux/seq_file.h>
28

29
#define DEVPTS_DEFAULT_MODE 0600
30
/*
31
 * ptmx is a new node in /dev/pts and will be unused in legacy (single-
32
 * instance) mode. To prevent surprises in user space, set permissions of
33
 * ptmx to 0. Use 'chmod' or remount with '-o ptmxmode' to set meaningful
34
 * permissions.
35
 */
36
#define DEVPTS_DEFAULT_PTMX_MODE 0000
37
#define PTMX_MINOR	2
38

39
/*
40
 * sysctl support for setting limits on the number of Unix98 ptys allocated.
41
 * Otherwise one can eat up all kernel memory by opening /dev/ptmx repeatedly.
42
 */
43
static int pty_limit = NR_UNIX98_PTY_DEFAULT;
44
static int pty_reserve = NR_UNIX98_PTY_RESERVE;
45
static int pty_limit_min;
46
static int pty_limit_max = INT_MAX;
47
static atomic_t pty_count = ATOMIC_INIT(0);
48

49
static const struct ctl_table pty_table[] = {
50
	{
51
		.procname	= "max",
52
		.maxlen		= sizeof(int),
53
		.mode		= 0644,
54
		.data		= &pty_limit,
55
		.proc_handler	= proc_dointvec_minmax,
56
		.extra1		= &pty_limit_min,
57
		.extra2		= &pty_limit_max,
58
	}, {
59
		.procname	= "reserve",
60
		.maxlen		= sizeof(int),
61
		.mode		= 0644,
62
		.data		= &pty_reserve,
63
		.proc_handler	= proc_dointvec_minmax,
64
		.extra1		= &pty_limit_min,
65
		.extra2		= &pty_limit_max,
66
	}, {
67
		.procname	= "nr",
68
		.maxlen		= sizeof(int),
69
		.mode		= 0444,
70
		.data		= &pty_count,
71
		.proc_handler	= proc_dointvec,
72
	},
73
};
74

75
struct pts_mount_opts {
76
	int setuid;
77
	int setgid;
78
	kuid_t   uid;
79
	kgid_t   gid;
80
	umode_t mode;
81
	umode_t ptmxmode;
82
	int reserve;
83
	int max;
84
};
85

86
enum {
87
	Opt_uid, Opt_gid, Opt_mode, Opt_ptmxmode, Opt_newinstance,  Opt_max,
88
	Opt_err
89
};
90

91
static const struct fs_parameter_spec devpts_param_specs[] = {
92
	fsparam_gid	("gid",		Opt_gid),
93
	fsparam_s32	("max",		Opt_max),
94
	fsparam_u32oct	("mode",	Opt_mode),
95
	fsparam_flag	("newinstance",	Opt_newinstance),
96
	fsparam_u32oct	("ptmxmode",	Opt_ptmxmode),
97
	fsparam_uid	("uid",		Opt_uid),
98
	{}
99
};
100

101
struct pts_fs_info {
102
	struct ida allocated_ptys;
103
	struct pts_mount_opts mount_opts;
104
	struct super_block *sb;
105
	struct inode *ptmx_inode; // borrowed
106
};
107

108
static inline struct pts_fs_info *DEVPTS_SB(struct super_block *sb)
109
{
110
	return sb->s_fs_info;
111
}
112

113
static int devpts_ptmx_path(struct path *path)
114
{
115
	struct super_block *sb;
116
	int err;
117

118
	/* Is a devpts filesystem at "pts" in the same directory? */
119
	err = path_pts(path);
120
	if (err)
121
		return err;
122

123
	/* Is the path the root of a devpts filesystem? */
124
	sb = path->mnt->mnt_sb;
125
	if ((sb->s_magic != DEVPTS_SUPER_MAGIC) ||
126
	    (path->mnt->mnt_root != sb->s_root))
127
		return -ENODEV;
128

129
	return 0;
130
}
131

132
/*
133
 * Try to find a suitable devpts filesystem. We support the following
134
 * scenarios:
135
 * - The ptmx device node is located in the same directory as the devpts
136
 *   mount where the pts device nodes are located.
137
 *   This is e.g. the case when calling open on the /dev/pts/ptmx device
138
 *   node when the devpts filesystem is mounted at /dev/pts.
139
 * - The ptmx device node is located outside the devpts filesystem mount
140
 *   where the pts device nodes are located. For example, the ptmx device
141
 *   is a symlink, separate device node, or bind-mount.
142
 *   A supported scenario is bind-mounting /dev/pts/ptmx to /dev/ptmx and
143
 *   then calling open on /dev/ptmx. In this case a suitable pts
144
 *   subdirectory can be found in the common parent directory /dev of the
145
 *   devpts mount and the ptmx bind-mount, after resolving the /dev/ptmx
146
 *   bind-mount.
147
 *   If no suitable pts subdirectory can be found this function will fail.
148
 *   This is e.g. the case when bind-mounting /dev/pts/ptmx to /ptmx.
149
 */
150
struct vfsmount *devpts_mntget(struct file *filp, struct pts_fs_info *fsi)
151
{
152
	struct path path;
153
	int err = 0;
154

155
	path = filp->f_path;
156
	path_get(&path);
157

158
	/* Walk upward while the start point is a bind mount of
159
	 * a single file.
160
	 */
161
	while (path.mnt->mnt_root == path.dentry)
162
		if (follow_up(&path) == 0)
163
			break;
164

165
	/* devpts_ptmx_path() finds a devpts fs or returns an error. */
166
	if ((path.mnt->mnt_sb->s_magic != DEVPTS_SUPER_MAGIC) ||
167
	    (DEVPTS_SB(path.mnt->mnt_sb) != fsi))
168
		err = devpts_ptmx_path(&path);
169
	dput(path.dentry);
170
	if (!err) {
171
		if (DEVPTS_SB(path.mnt->mnt_sb) == fsi)
172
			return path.mnt;
173

174
		err = -ENODEV;
175
	}
176

177
	mntput(path.mnt);
178
	return ERR_PTR(err);
179
}
180

181
struct pts_fs_info *devpts_acquire(struct file *filp)
182
{
183
	struct pts_fs_info *result;
184
	struct path path;
185
	struct super_block *sb;
186

187
	path = filp->f_path;
188
	path_get(&path);
189

190
	/* Has the devpts filesystem already been found? */
191
	if (path.mnt->mnt_sb->s_magic != DEVPTS_SUPER_MAGIC) {
192
		int err;
193

194
		err = devpts_ptmx_path(&path);
195
		if (err) {
196
			result = ERR_PTR(err);
197
			goto out;
198
		}
199
	}
200

201
	/*
202
	 * pty code needs to hold extra references in case of last /dev/tty close
203
	 */
204
	sb = path.mnt->mnt_sb;
205
	atomic_inc(&sb->s_active);
206
	result = DEVPTS_SB(sb);
207

208
out:
209
	path_put(&path);
210
	return result;
211
}
212

213
void devpts_release(struct pts_fs_info *fsi)
214
{
215
	deactivate_super(fsi->sb);
216
}
217

218
/*
219
 * devpts_parse_param - Parse mount parameters
220
 */
221
static int devpts_parse_param(struct fs_context *fc, struct fs_parameter *param)
222
{
223
	struct pts_fs_info *fsi = fc->s_fs_info;
224
	struct pts_mount_opts *opts = &fsi->mount_opts;
225
	struct fs_parse_result result;
226
	int opt;
227

228
	opt = fs_parse(fc, devpts_param_specs, param, &result);
229
	if (opt < 0)
230
		return opt;
231

232
	switch (opt) {
233
	case Opt_uid:
234
		opts->uid = result.uid;
235
		opts->setuid = 1;
236
		break;
237
	case Opt_gid:
238
		opts->gid = result.gid;
239
		opts->setgid = 1;
240
		break;
241
	case Opt_mode:
242
		opts->mode = result.uint_32 & S_IALLUGO;
243
		break;
244
	case Opt_ptmxmode:
245
		opts->ptmxmode = result.uint_32 & S_IALLUGO;
246
		break;
247
	case Opt_newinstance:
248
		break;
249
	case Opt_max:
250
		if (result.uint_32 > NR_UNIX98_PTY_MAX)
251
			return invalf(fc, "max out of range");
252
		opts->max = result.uint_32;
253
		break;
254
	}
255

256
	return 0;
257
}
258

259
static int mknod_ptmx(struct super_block *sb, struct fs_context *fc)
260
{
261
	int mode;
262
	struct dentry *dentry;
263
	struct inode *inode;
264
	struct dentry *root = sb->s_root;
265
	struct pts_fs_info *fsi = DEVPTS_SB(sb);
266
	struct pts_mount_opts *opts = &fsi->mount_opts;
267
	kuid_t ptmx_uid = current_fsuid();
268
	kgid_t ptmx_gid = current_fsgid();
269

270
	dentry = simple_start_creating(root, "ptmx");
271
	if (IS_ERR(dentry)) {
272
		pr_err("Unable to alloc dentry for ptmx node\n");
273
		return PTR_ERR(dentry);
274
	}
275

276
	/*
277
	 * Create a new 'ptmx' node in this mount of devpts.
278
	 */
279
	inode = new_inode(sb);
280
	if (!inode) {
281
		simple_done_creating(dentry);
282
		pr_err("Unable to alloc inode for ptmx node\n");
283
		return -ENOMEM;
284
	}
285

286
	inode->i_ino = 2;
287
	simple_inode_init_ts(inode);
288

289
	mode = S_IFCHR|opts->ptmxmode;
290
	init_special_inode(inode, mode, MKDEV(TTYAUX_MAJOR, 2));
291
	inode->i_uid = ptmx_uid;
292
	inode->i_gid = ptmx_gid;
293
	fsi->ptmx_inode = inode;
294

295
	d_make_persistent(dentry, inode);
296

297
	simple_done_creating(dentry);
298

299
	return 0;
300
}
301

302
static void update_ptmx_mode(struct pts_fs_info *fsi)
303
{
304
	fsi->ptmx_inode->i_mode = S_IFCHR|fsi->mount_opts.ptmxmode;
305
}
306

307
static int devpts_reconfigure(struct fs_context *fc)
308
{
309
	struct pts_fs_info *fsi = DEVPTS_SB(fc->root->d_sb);
310
	struct pts_fs_info *new = fc->s_fs_info;
311

312
	/* Apply the revised options.  We don't want to change ->reserve.
313
	 * Ideally, we'd update each option conditionally on it having been
314
	 * explicitly changed, but the default is to reset everything so that
315
	 * would break UAPI...
316
	 */
317
	fsi->mount_opts.setuid		= new->mount_opts.setuid;
318
	fsi->mount_opts.setgid		= new->mount_opts.setgid;
319
	fsi->mount_opts.uid		= new->mount_opts.uid;
320
	fsi->mount_opts.gid		= new->mount_opts.gid;
321
	fsi->mount_opts.mode		= new->mount_opts.mode;
322
	fsi->mount_opts.ptmxmode	= new->mount_opts.ptmxmode;
323
	fsi->mount_opts.max		= new->mount_opts.max;
324

325
	/*
326
	 * parse_mount_options() restores options to default values
327
	 * before parsing and may have changed ptmxmode. So, update the
328
	 * mode in the inode too. Bogus options don't fail the remount,
329
	 * so do this even on error return.
330
	 */
331
	update_ptmx_mode(fsi);
332

333
	return 0;
334
}
335

336
static int devpts_show_options(struct seq_file *seq, struct dentry *root)
337
{
338
	struct pts_fs_info *fsi = DEVPTS_SB(root->d_sb);
339
	struct pts_mount_opts *opts = &fsi->mount_opts;
340

341
	if (opts->setuid)
342
		seq_printf(seq, ",uid=%u",
343
			   from_kuid_munged(&init_user_ns, opts->uid));
344
	if (opts->setgid)
345
		seq_printf(seq, ",gid=%u",
346
			   from_kgid_munged(&init_user_ns, opts->gid));
347
	seq_printf(seq, ",mode=%03o", opts->mode);
348
	seq_printf(seq, ",ptmxmode=%03o", opts->ptmxmode);
349
	if (opts->max < NR_UNIX98_PTY_MAX)
350
		seq_printf(seq, ",max=%d", opts->max);
351

352
	return 0;
353
}
354

355
static const struct super_operations devpts_sops = {
356
	.statfs		= simple_statfs,
357
	.show_options	= devpts_show_options,
358
};
359

360
static int devpts_fill_super(struct super_block *s, struct fs_context *fc)
361
{
362
	struct pts_fs_info *fsi = DEVPTS_SB(s);
363
	struct inode *inode;
364

365
	s->s_iflags &= ~SB_I_NODEV;
366
	s->s_blocksize = 1024;
367
	s->s_blocksize_bits = 10;
368
	s->s_magic = DEVPTS_SUPER_MAGIC;
369
	s->s_op = &devpts_sops;
370
	s->s_d_flags = DCACHE_DONTCACHE;
371
	s->s_time_gran = 1;
372
	fsi->sb = s;
373

374
	inode = new_inode(s);
375
	if (!inode)
376
		return -ENOMEM;
377
	inode->i_ino = 1;
378
	simple_inode_init_ts(inode);
379
	inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO | S_IWUSR;
380
	inode->i_op = &simple_dir_inode_operations;
381
	inode->i_fop = &simple_dir_operations;
382
	set_nlink(inode, 2);
383

384
	s->s_root = d_make_root(inode);
385
	if (!s->s_root) {
386
		pr_err("get root dentry failed\n");
387
		return -ENOMEM;
388
	}
389

390
	return mknod_ptmx(s, fc);
391
}
392

393
/*
394
 * devpts_get_tree()
395
 *
396
 *     Mount a new (private) instance of devpts.  PTYs created in this
397
 *     instance are independent of the PTYs in other devpts instances.
398
 */
399
static int devpts_get_tree(struct fs_context *fc)
400
{
401
	return get_tree_nodev(fc, devpts_fill_super);
402
}
403

404
static void devpts_free_fc(struct fs_context *fc)
405
{
406
	kfree(fc->s_fs_info);
407
}
408

409
static const struct fs_context_operations devpts_context_ops = {
410
	.free		= devpts_free_fc,
411
	.parse_param	= devpts_parse_param,
412
	.get_tree	= devpts_get_tree,
413
	.reconfigure	= devpts_reconfigure,
414
};
415

416
/*
417
 * Set up the filesystem mount context.
418
 */
419
static int devpts_init_fs_context(struct fs_context *fc)
420
{
421
	struct pts_fs_info *fsi;
422

423
	fsi = kzalloc(sizeof(struct pts_fs_info), GFP_KERNEL);
424
	if (!fsi)
425
		return -ENOMEM;
426

427
	ida_init(&fsi->allocated_ptys);
428
	fsi->mount_opts.uid     = GLOBAL_ROOT_UID;
429
	fsi->mount_opts.gid     = GLOBAL_ROOT_GID;
430
	fsi->mount_opts.mode    = DEVPTS_DEFAULT_MODE;
431
	fsi->mount_opts.ptmxmode = DEVPTS_DEFAULT_PTMX_MODE;
432
	fsi->mount_opts.max     = NR_UNIX98_PTY_MAX;
433

434
	if (fc->purpose == FS_CONTEXT_FOR_MOUNT &&
435
	    current->nsproxy->mnt_ns == init_task.nsproxy->mnt_ns)
436
		fsi->mount_opts.reserve = true;
437

438
	fc->s_fs_info = fsi;
439
	fc->ops = &devpts_context_ops;
440
	return 0;
441
}
442

443
static void devpts_kill_sb(struct super_block *sb)
444
{
445
	struct pts_fs_info *fsi = DEVPTS_SB(sb);
446

447
	if (fsi)
448
		ida_destroy(&fsi->allocated_ptys);
449
	kfree(fsi);
450
	kill_anon_super(sb);
451
}
452

453
static struct file_system_type devpts_fs_type = {
454
	.name		= "devpts",
455
	.init_fs_context = devpts_init_fs_context,
456
	.parameters	= devpts_param_specs,
457
	.kill_sb	= devpts_kill_sb,
458
	.fs_flags	= FS_USERNS_MOUNT,
459
};
460

461
/*
462
 * The normal naming convention is simply /dev/pts/<number>; this conforms
463
 * to the System V naming convention
464
 */
465

466
int devpts_new_index(struct pts_fs_info *fsi)
467
{
468
	int index = -ENOSPC;
469

470
	if (atomic_inc_return(&pty_count) >= (pty_limit -
471
			  (fsi->mount_opts.reserve ? 0 : pty_reserve)))
472
		goto out;
473

474
	index = ida_alloc_max(&fsi->allocated_ptys, fsi->mount_opts.max - 1,
475
			GFP_KERNEL);
476

477
out:
478
	if (index < 0)
479
		atomic_dec(&pty_count);
480
	return index;
481
}
482

483
void devpts_kill_index(struct pts_fs_info *fsi, int idx)
484
{
485
	ida_free(&fsi->allocated_ptys, idx);
486
	atomic_dec(&pty_count);
487
}
488

489
/**
490
 * devpts_pty_new -- create a new inode in /dev/pts/
491
 * @fsi: Filesystem info for this instance.
492
 * @index: used as a name of the node
493
 * @priv: what's given back by devpts_get_priv
494
 *
495
 * The dentry for the created inode is returned.
496
 * Remove it from /dev/pts/ with devpts_pty_kill().
497
 */
498
struct dentry *devpts_pty_new(struct pts_fs_info *fsi, int index, void *priv)
499
{
500
	struct dentry *dentry;
501
	struct super_block *sb = fsi->sb;
502
	struct inode *inode;
503
	struct dentry *root;
504
	struct pts_mount_opts *opts;
505
	char s[12];
506

507
	root = sb->s_root;
508
	opts = &fsi->mount_opts;
509

510
	inode = new_inode(sb);
511
	if (!inode)
512
		return ERR_PTR(-ENOMEM);
513

514
	inode->i_ino = index + 3;
515
	inode->i_uid = opts->setuid ? opts->uid : current_fsuid();
516
	inode->i_gid = opts->setgid ? opts->gid : current_fsgid();
517
	simple_inode_init_ts(inode);
518
	init_special_inode(inode, S_IFCHR|opts->mode, MKDEV(UNIX98_PTY_SLAVE_MAJOR, index));
519

520
	sprintf(s, "%d", index);
521

522
	dentry = d_alloc_name(root, s);
523
	if (!dentry) {
524
		iput(inode);
525
		return ERR_PTR(-ENOMEM);
526
	}
527
	dentry->d_fsdata = priv;
528
	d_make_persistent(dentry, inode);
529
	fsnotify_create(d_inode(root), dentry);
530
	dput(dentry);
531
	return dentry; // borrowed
532
}
533

534
/**
535
 * devpts_get_priv -- get private data for a slave
536
 * @dentry: dentry of the slave
537
 *
538
 * Returns whatever was passed as priv in devpts_pty_new for a given inode.
539
 */
540
void *devpts_get_priv(struct dentry *dentry)
541
{
542
	if (dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC)
543
		return NULL;
544
	return dentry->d_fsdata;
545
}
546

547
/**
548
 * devpts_pty_kill -- remove inode form /dev/pts/
549
 * @dentry: dentry of the slave to be removed
550
 *
551
 * This is an inverse operation of devpts_pty_new.
552
 */
553
void devpts_pty_kill(struct dentry *dentry)
554
{
555
	WARN_ON_ONCE(dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC);
556

557
	dentry->d_fsdata = NULL;
558
	drop_nlink(dentry->d_inode);
559
	d_drop(dentry);
560
	fsnotify_unlink(d_inode(dentry->d_parent), dentry);
561
	d_make_discardable(dentry);
562
}
563

564
static int __init init_devpts_fs(void)
565
{
566
	int err = register_filesystem(&devpts_fs_type);
567
	if (!err) {
568
		register_sysctl("kernel/pty", pty_table);
569
	}
570
	return err;
571
}
572
module_init(init_devpts_fs)
573

574