[PATCH v1 1/2] binderfs: implement "max" mount option

[PATCH v1 1/2] binderfs: implement "max" mount option

[Christian Brauner]

Since binderfs can be mounted by userns root in non-initial user namespaces
some precautions are in order. First, a way to set a maximum on the number
of binder devices that can be allocated per binderfs instance and second, a
way to reserve a reasonable chunk of binderfs devices for the initial ipc
namespace.
A first approach as seen in [1] used sysctls similiar to devpts but was
shown to be flawed (cf. [2] and [3]) since some aspects were unneeded. This
is an alternative approach which avoids sysctls completely and instead
switches to a single mount option.

Starting with this commit binderfs instances can be mounted with a limit on
the number of binder devices that can be allocated. The max=<count> mount
option serves as a per-instance limit. If max=<count> is set then only
<count> number of binder devices can be allocated in this binderfs
instance.

This allows to safely bind-mount binderfs instances into unprivileged user
namespaces since userns root in a non-initial user namespace cannot change
the mount option as long as it does not own the mount namespace the
binderfs mount was created in and hence cannot drain the host of minor
device numbers

[1]: https://lore.kernel.org/lkml/20181221133909.18794-1-christian@brauner.io/
[2]; https://lore.kernel.org/lkml/20181221163316.GA8517@kroah.com/
[3]: https://lore.kernel.org/lkml/CAHRSSEx+gDVW4fKKK8oZNAir9G5icJLyodO8hykv3O0O1jt2FQ@mail.gmail.com/
[4]: https://lore.kernel.org/lkml/20181221192044.5yvfnuri7gdop4rs@brauner.io/

Cc: Todd Kjos <tkjos@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
v1:
- split reserving devices for the binderfs instance in the initial ipc
  namespace into a separate patch (cf. [1])
- s/</<=/g for capping at max=<count>
- use simple int instead of atomic_t for counting devices since we're
  incrementing and decrementing under a mutex anyway (cf. [1])
- correctly use match_int() (cf. [2])
v0:
- patch introduced

[1]: https://lore.kernel.org/lkml/20181223112944.GC27818@kroah.com/
[2]: https://lore.kernel.org/lkml/20181223135755.sqnv5ave62jtj4se@brauner.io/
---
 drivers/android/binderfs.c | 101 +++++++++++++++++++++++++++++++++++--
 1 file changed, 96 insertions(+), 5 deletions(-)

diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c
index 7496b10532aa..873adda064ac 100644
--- a/drivers/android/binderfs.c
+++ b/drivers/android/binderfs.c
@@ -20,6 +20,7 @@
 #include <linux/parser.h>
 #include <linux/radix-tree.h>
 #include <linux/sched.h>
+#include <linux/seq_file.h>
 #include <linux/slab.h>
 #include <linux/spinlock_types.h>
 #include <linux/stddef.h>
@@ -46,6 +47,24 @@ static dev_t binderfs_dev;
 static DEFINE_MUTEX(binderfs_minors_mutex);
 static DEFINE_IDA(binderfs_minors);
 
+/**
+ * binderfs_mount_opts - mount options for binderfs
+ * @max: maximum number of allocatable binderfs binder devices
+ */
+struct binderfs_mount_opts {
+	int max;
+};
+
+enum {
+	Opt_max,
+	Opt_err
+};
+
+static const match_table_t tokens = {
+	{ Opt_max, "max=%d" },
+	{ Opt_err, NULL     }
+};
+
 /**
  * binderfs_info - information about a binderfs mount
  * @ipc_ns:         The ipc namespace the binderfs mount belongs to.
@@ -55,13 +74,16 @@ static DEFINE_IDA(binderfs_minors);
  *                  created.
  * @root_gid:       gid that needs to be used when a new binder device is
  *                  created.
+ * @mount_opts:     The mount options in use.
+ * @device_count:   The current number of allocated binder devices.
  */
 struct binderfs_info {
 	struct ipc_namespace *ipc_ns;
 	struct dentry *control_dentry;
 	kuid_t root_uid;
 	kgid_t root_gid;
-
+	struct binderfs_mount_opts mount_opts;
+	int device_count;
 };
 
 static inline struct binderfs_info *BINDERFS_I(const struct inode *inode)
@@ -110,10 +132,16 @@ static int binderfs_binder_device_create(struct inode *ref_inode,
 
 	/* Reserve new minor number for the new device. */
 	mutex_lock(&binderfs_minors_mutex);
-	minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR, GFP_KERNEL);
+	if (++info->device_count <= info->mount_opts.max)
+		minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR,
+				      GFP_KERNEL);
+	else
+		minor = -ENOSPC;
 	mutex_unlock(&binderfs_minors_mutex);
-	if (minor < 0)
+	if (minor < 0) {
+		--info->device_count;
 		return minor;
+	}
 
 	ret = -ENOMEM;
 	device = kzalloc(sizeof(*device), GFP_KERNEL);
@@ -187,6 +215,7 @@ static int binderfs_binder_device_create(struct inode *ref_inode,
 	kfree(name);
 	kfree(device);
 	mutex_lock(&binderfs_minors_mutex);
+	--info->device_count;
 	ida_free(&binderfs_minors, minor);
 	mutex_unlock(&binderfs_minors_mutex);
 	iput(inode);
@@ -232,6 +261,7 @@ static long binder_ctl_ioctl(struct file *file, unsigned int cmd,
 static void binderfs_evict_inode(struct inode *inode)
 {
 	struct binder_device *device = inode->i_private;
+	struct binderfs_info *info = BINDERFS_I(inode);
 
 	clear_inode(inode);
 
@@ -239,6 +269,7 @@ static void binderfs_evict_inode(struct inode *inode)
 		return;
 
 	mutex_lock(&binderfs_minors_mutex);
+	--info->device_count;
 	ida_free(&binderfs_minors, device->miscdev.minor);
 	mutex_unlock(&binderfs_minors_mutex);
 
@@ -246,9 +277,65 @@ static void binderfs_evict_inode(struct inode *inode)
 	kfree(device);
 }
 
+/**
+ * binderfs_parse_mount_opts - parse binderfs mount options
+ * @data: options to set (can be NULL in which case defaults are used)
+ */
+static int binderfs_parse_mount_opts(char *data,
+				     struct binderfs_mount_opts *opts)
+{
+	char *p;
+	opts->max = BINDERFS_MAX_MINOR;
+
+	while ((p = strsep(&data, ",")) != NULL) {
+		substring_t args[MAX_OPT_ARGS];
+		int token;
+		int max_devices;
+
+		if (!*p)
+			continue;
+
+		token = match_token(p, tokens, args);
+		switch (token) {
+		case Opt_max:
+			if (match_int(&args[0], &max_devices) ||
+			    (max_devices < 0 ||
+			     (max_devices > BINDERFS_MAX_MINOR)))
+				return -EINVAL;
+
+			opts->max = max_devices;
+			break;
+		default:
+			pr_err("Invalid mount options\n");
+			return -EINVAL;
+		}
+	}
+
+	return 0;
+}
+
+static int binderfs_remount(struct super_block *sb, int *flags, char *data)
+{
+	struct binderfs_info *info = sb->s_fs_info;
+	return binderfs_parse_mount_opts(data, &info->mount_opts);
+}
+
+static int binderfs_show_mount_opts(struct seq_file *seq, struct dentry *root)
+{
+	struct binderfs_info *info;
+
+	info = root->d_sb->s_fs_info;
+	if (info->mount_opts.max <= BINDERFS_MAX_MINOR)
+		seq_printf(seq, ",max=%d", info->mount_opts.max);
+
+	return 0;
+}
+
 static const struct super_operations binderfs_super_ops = {
-	.statfs = simple_statfs,
-	.evict_inode = binderfs_evict_inode,
+	.evict_inode    = binderfs_evict_inode,
+	.remount_fs	= binderfs_remount,
+	.show_options	= binderfs_show_mount_opts,
+	.statfs         = simple_statfs,
 };
 
 static int binderfs_rename(struct inode *old_dir, struct dentry *old_dentry,
@@ -409,6 +496,10 @@ static int binderfs_fill_super(struct super_block *sb, void *data, int silent)
 	if (!info)
 		goto err_without_dentry;
 
+	ret = binderfs_parse_mount_opts(data, &info->mount_opts);
+	if (ret)
+		goto err_without_dentry;
+
 	info->ipc_ns = ipc_ns;
 	info->root_gid = make_kgid(sb->s_user_ns, 0);
 	if (!gid_valid(info->root_gid))
-- 
2.19.1

[PATCH v1 2/2] binderfs: reserve devices for initial mount

[Christian Brauner]

The binderfs instance in the initial ipc namespace will always have a
reserve of 4 binder devices unless explicitly capped by specifying a lower
value via the "max" mount option.
This ensures when binder devices are removed (on accident or on purpose)
they can always be recreated without risking that all minor numbers have
already been used up.

Cc: Todd Kjos <tkjos@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
v1:
- patch introduced
v0:
- patch not present
---
 drivers/android/binderfs.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c
index 873adda064ac..aa635c7ea727 100644
--- a/drivers/android/binderfs.c
+++ b/drivers/android/binderfs.c
@@ -40,6 +40,8 @@
 #define INODE_OFFSET 3
 #define INTSTRLEN 21
 #define BINDERFS_MAX_MINOR (1U << MINORBITS)
+/* Ensure that the initial ipc namespace always has a devices available. */
+#define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4)
 
 static struct vfsmount *binderfs_mnt;
 
@@ -129,11 +131,14 @@ static int binderfs_binder_device_create(struct inode *ref_inode,
 	struct inode *inode = NULL;
 	struct super_block *sb = ref_inode->i_sb;
 	struct binderfs_info *info = sb->s_fs_info;
+	bool use_reserve = (info->ipc_ns == &init_ipc_ns);
 
 	/* Reserve new minor number for the new device. */
 	mutex_lock(&binderfs_minors_mutex);
 	if (++info->device_count <= info->mount_opts.max)
-		minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR,
+		minor = ida_alloc_max(&binderfs_minors,
+				      use_reserve ? BINDERFS_MAX_MINOR :
+						    BINDERFS_MAX_MINOR_CAPPED,
 				      GFP_KERNEL);
 	else
 		minor = -ENOSPC;
-- 
2.19.1

Re: [PATCH v1 1/2] binderfs: implement "max" mount option

[Christian Brauner]

On Sun, Dec 23, 2018 at 03:35:49PM +0100, Christian Brauner wrote:
> Since binderfs can be mounted by userns root in non-initial user namespaces
> some precautions are in order. First, a way to set a maximum on the number
> of binder devices that can be allocated per binderfs instance and second, a
> way to reserve a reasonable chunk of binderfs devices for the initial ipc
> namespace.
> A first approach as seen in [1] used sysctls similiar to devpts but was
> shown to be flawed (cf. [2] and [3]) since some aspects were unneeded. This
> is an alternative approach which avoids sysctls completely and instead
> switches to a single mount option.
> 
> Starting with this commit binderfs instances can be mounted with a limit on
> the number of binder devices that can be allocated. The max=<count> mount
> option serves as a per-instance limit. If max=<count> is set then only
> <count> number of binder devices can be allocated in this binderfs
> instance.
> 
> This allows to safely bind-mount binderfs instances into unprivileged user
> namespaces since userns root in a non-initial user namespace cannot change
> the mount option as long as it does not own the mount namespace the
> binderfs mount was created in and hence cannot drain the host of minor
> device numbers
> 
> [1]: https://lore.kernel.org/lkml/20181221133909.18794-1-christian@brauner.io/
> [2]; https://lore.kernel.org/lkml/20181221163316.GA8517@kroah.com/
> [3]: https://lore.kernel.org/lkml/CAHRSSEx+gDVW4fKKK8oZNAir9G5icJLyodO8hykv3O0O1jt2FQ@mail.gmail.com/
> [4]: https://lore.kernel.org/lkml/20181221192044.5yvfnuri7gdop4rs@brauner.io/
> 
> Cc: Todd Kjos <tkjos@google.com>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Right, I forgot to ask. Do we still have time to land this alongside the
other patches in 4.21? :)

Christian

Re: [PATCH v1 1/2] binderfs: implement "max" mount option

[Greg KH]

On Mon, Dec 24, 2018 at 12:09:37PM +0100, Christian Brauner wrote:
> On Sun, Dec 23, 2018 at 03:35:49PM +0100, Christian Brauner wrote:
> > Since binderfs can be mounted by userns root in non-initial user namespaces
> > some precautions are in order. First, a way to set a maximum on the number
> > of binder devices that can be allocated per binderfs instance and second, a
> > way to reserve a reasonable chunk of binderfs devices for the initial ipc
> > namespace.
> > A first approach as seen in [1] used sysctls similiar to devpts but was
> > shown to be flawed (cf. [2] and [3]) since some aspects were unneeded. This
> > is an alternative approach which avoids sysctls completely and instead
> > switches to a single mount option.
> > 
> > Starting with this commit binderfs instances can be mounted with a limit on
> > the number of binder devices that can be allocated. The max=<count> mount
> > option serves as a per-instance limit. If max=<count> is set then only
> > <count> number of binder devices can be allocated in this binderfs
> > instance.
> > 
> > This allows to safely bind-mount binderfs instances into unprivileged user
> > namespaces since userns root in a non-initial user namespace cannot change
> > the mount option as long as it does not own the mount namespace the
> > binderfs mount was created in and hence cannot drain the host of minor
> > device numbers
> > 
> > [1]: https://lore.kernel.org/lkml/20181221133909.18794-1-christian@brauner.io/
> > [2]; https://lore.kernel.org/lkml/20181221163316.GA8517@kroah.com/
> > [3]: https://lore.kernel.org/lkml/CAHRSSEx+gDVW4fKKK8oZNAir9G5icJLyodO8hykv3O0O1jt2FQ@mail.gmail.com/
> > [4]: https://lore.kernel.org/lkml/20181221192044.5yvfnuri7gdop4rs@brauner.io/
> > 
> > Cc: Todd Kjos <tkjos@google.com>
> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> 
> Right, I forgot to ask. Do we still have time to land this alongside the
> other patches in 4.21? :)

It's too late for 4.21-rc1, but let's see what happens after that :)

greg k-h

Re: [PATCH v1 1/2] binderfs: implement "max" mount option

[Christian Brauner]

On Mon, Dec 24, 2018 at 12:45:59PM +0100, Greg KH wrote:
> On Mon, Dec 24, 2018 at 12:09:37PM +0100, Christian Brauner wrote:
> > On Sun, Dec 23, 2018 at 03:35:49PM +0100, Christian Brauner wrote:
> > > Since binderfs can be mounted by userns root in non-initial user namespaces
> > > some precautions are in order. First, a way to set a maximum on the number
> > > of binder devices that can be allocated per binderfs instance and second, a
> > > way to reserve a reasonable chunk of binderfs devices for the initial ipc
> > > namespace.
> > > A first approach as seen in [1] used sysctls similiar to devpts but was
> > > shown to be flawed (cf. [2] and [3]) since some aspects were unneeded. This
> > > is an alternative approach which avoids sysctls completely and instead
> > > switches to a single mount option.
> > > 
> > > Starting with this commit binderfs instances can be mounted with a limit on
> > > the number of binder devices that can be allocated. The max=<count> mount
> > > option serves as a per-instance limit. If max=<count> is set then only
> > > <count> number of binder devices can be allocated in this binderfs
> > > instance.
> > > 
> > > This allows to safely bind-mount binderfs instances into unprivileged user
> > > namespaces since userns root in a non-initial user namespace cannot change
> > > the mount option as long as it does not own the mount namespace the
> > > binderfs mount was created in and hence cannot drain the host of minor
> > > device numbers
> > > 
> > > [1]: https://lore.kernel.org/lkml/20181221133909.18794-1-christian@brauner.io/
> > > [2]; https://lore.kernel.org/lkml/20181221163316.GA8517@kroah.com/
> > > [3]: https://lore.kernel.org/lkml/CAHRSSEx+gDVW4fKKK8oZNAir9G5icJLyodO8hykv3O0O1jt2FQ@mail.gmail.com/
> > > [4]: https://lore.kernel.org/lkml/20181221192044.5yvfnuri7gdop4rs@brauner.io/
> > > 
> > > Cc: Todd Kjos <tkjos@google.com>
> > > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> > 
> > Right, I forgot to ask. Do we still have time to land this alongside the
> > other patches in 4.21? :)
> 
> It's too late for 4.21-rc1, but let's see what happens after that :)

Sweet! Much appreciated. :)

Christian

Re: [PATCH v1 1/2] binderfs: implement "max" mount option

[Dan Carpenter]

On Sun, Dec 23, 2018 at 03:35:49PM +0100, Christian Brauner wrote:
>  static inline struct binderfs_info *BINDERFS_I(const struct inode *inode)
> @@ -110,10 +132,16 @@ static int binderfs_binder_device_create(struct inode *ref_inode,
>  
>  	/* Reserve new minor number for the new device. */
>  	mutex_lock(&binderfs_minors_mutex);
> -	minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR, GFP_KERNEL);
> +	if (++info->device_count <= info->mount_opts.max)
> +		minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR,
> +				      GFP_KERNEL);
> +	else
> +		minor = -ENOSPC;
>  	mutex_unlock(&binderfs_minors_mutex);
> -	if (minor < 0)
> +	if (minor < 0) {
> +		--info->device_count;

Isn't this decrement supposed to happen under binderfs_minors_mutex?

>  		return minor;
> +	}


regards,
dan carpenter

Re: [PATCH v1 1/2] binderfs: implement "max" mount option

[Christian Brauner]

On Wed, Jan 02, 2019 at 12:17:31PM +0300, Dan Carpenter wrote:
> On Sun, Dec 23, 2018 at 03:35:49PM +0100, Christian Brauner wrote:
> >  static inline struct binderfs_info *BINDERFS_I(const struct inode *inode)
> > @@ -110,10 +132,16 @@ static int binderfs_binder_device_create(struct inode *ref_inode,
> >  
> >  	/* Reserve new minor number for the new device. */
> >  	mutex_lock(&binderfs_minors_mutex);
> > -	minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR, GFP_KERNEL);
> > +	if (++info->device_count <= info->mount_opts.max)
> > +		minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR,
> > +				      GFP_KERNEL);
> > +	else
> > +		minor = -ENOSPC;
> >  	mutex_unlock(&binderfs_minors_mutex);
> > -	if (minor < 0)
> > +	if (minor < 0) {
> > +		--info->device_count;
> 
> Isn't this decrement supposed to happen under binderfs_minors_mutex?

Indeed. Good catch!
Leftover from when this was an atomic_t.

Thanks!
Christian

Re: [PATCH v1 2/2] binderfs: reserve devices for initial mount

[Todd Kjos]

On Sun, Dec 23, 2018 at 6:36 AM Christian Brauner <christian@brauner.io> wrote:
>
> The binderfs instance in the initial ipc namespace will always have a
> reserve of 4 binder devices unless explicitly capped by specifying a lower
> value via the "max" mount option.
> This ensures when binder devices are removed (on accident or on purpose)
> they can always be recreated without risking that all minor numbers have
> already been used up.
>
> Cc: Todd Kjos <tkjos@google.com>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> ---
> v1:
> - patch introduced
> v0:
> - patch not present
> ---
>  drivers/android/binderfs.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c
> index 873adda064ac..aa635c7ea727 100644
> --- a/drivers/android/binderfs.c
> +++ b/drivers/android/binderfs.c
> @@ -40,6 +40,8 @@
>  #define INODE_OFFSET 3
>  #define INTSTRLEN 21
>  #define BINDERFS_MAX_MINOR (1U << MINORBITS)
> +/* Ensure that the initial ipc namespace always has a devices available. */
> +#define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4)

Why do you ever need more minors per instance than the number of
devices listed in CONFIG_ANDROID_BINDER_DEVICES?

>
>  static struct vfsmount *binderfs_mnt;
>
> @@ -129,11 +131,14 @@ static int binderfs_binder_device_create(struct inode *ref_inode,
>         struct inode *inode = NULL;
>         struct super_block *sb = ref_inode->i_sb;
>         struct binderfs_info *info = sb->s_fs_info;
> +       bool use_reserve = (info->ipc_ns == &init_ipc_ns);
>
>         /* Reserve new minor number for the new device. */
>         mutex_lock(&binderfs_minors_mutex);
>         if (++info->device_count <= info->mount_opts.max)
> -               minor = ida_alloc_max(&binderfs_minors, BINDERFS_MAX_MINOR,
> +               minor = ida_alloc_max(&binderfs_minors,
> +                                     use_reserve ? BINDERFS_MAX_MINOR :
> +                                                   BINDERFS_MAX_MINOR_CAPPED,
>                                       GFP_KERNEL);
>         else
>                 minor = -ENOSPC;
> --
> 2.19.1
>

Re: [PATCH v1 2/2] binderfs: reserve devices for initial mount

[Christian Brauner]

On Thu, Jan 03, 2019 at 12:25:24PM -0800, Todd Kjos wrote:
> On Sun, Dec 23, 2018 at 6:36 AM Christian Brauner <christian@brauner.io> wrote:
> >
> > The binderfs instance in the initial ipc namespace will always have a
> > reserve of 4 binder devices unless explicitly capped by specifying a lower
> > value via the "max" mount option.
> > This ensures when binder devices are removed (on accident or on purpose)
> > they can always be recreated without risking that all minor numbers have
> > already been used up.
> >
> > Cc: Todd Kjos <tkjos@google.com>
> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> > ---
> > v1:
> > - patch introduced
> > v0:
> > - patch not present
> > ---
> >  drivers/android/binderfs.c | 7 ++++++-
> >  1 file changed, 6 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c
> > index 873adda064ac..aa635c7ea727 100644
> > --- a/drivers/android/binderfs.c
> > +++ b/drivers/android/binderfs.c
> > @@ -40,6 +40,8 @@
> >  #define INODE_OFFSET 3
> >  #define INTSTRLEN 21
> >  #define BINDERFS_MAX_MINOR (1U << MINORBITS)
> > +/* Ensure that the initial ipc namespace always has a devices available. */
> > +#define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4)
> 
> Why do you ever need more minors per instance than the number of
> devices listed in CONFIG_ANDROID_BINDER_DEVICES?

Are you asking asking why this is 4 and not 3? In that case we should
probably parse CONFIG_ANDROID_BINDER_DEVICES once at init time and then
reserve that many binder devices. Thoughts?

Christian

Re: [PATCH v1 2/2] binderfs: reserve devices for initial mount

[Todd Kjos]

On Thu, Jan 3, 2019 at 12:34 PM Christian Brauner <christian@brauner.io> wrote:
>
> On Thu, Jan 03, 2019 at 12:25:24PM -0800, Todd Kjos wrote:
> > On Sun, Dec 23, 2018 at 6:36 AM Christian Brauner <christian@brauner.io> wrote:
> > >
> > > The binderfs instance in the initial ipc namespace will always have a
> > > reserve of 4 binder devices unless explicitly capped by specifying a lower
> > > value via the "max" mount option.
> > > This ensures when binder devices are removed (on accident or on purpose)
> > > they can always be recreated without risking that all minor numbers have
> > > already been used up.
> > >
> > > Cc: Todd Kjos <tkjos@google.com>
> > > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> > > ---
> > > v1:
> > > - patch introduced
> > > v0:
> > > - patch not present
> > > ---
> > >  drivers/android/binderfs.c | 7 ++++++-
> > >  1 file changed, 6 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c
> > > index 873adda064ac..aa635c7ea727 100644
> > > --- a/drivers/android/binderfs.c
> > > +++ b/drivers/android/binderfs.c
> > > @@ -40,6 +40,8 @@
> > >  #define INODE_OFFSET 3
> > >  #define INTSTRLEN 21
> > >  #define BINDERFS_MAX_MINOR (1U << MINORBITS)
> > > +/* Ensure that the initial ipc namespace always has a devices available. */
> > > +#define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4)
> >
> > Why do you ever need more minors per instance than the number of
> > devices listed in CONFIG_ANDROID_BINDER_DEVICES?
>
> Are you asking asking why this is 4 and not 3? In that case we should
> probably parse CONFIG_ANDROID_BINDER_DEVICES once at init time and then
> reserve that many binder devices. Thoughts?

I'm asking why CONFIG_ANDROID_BINDER_DEVICES isn't the source of truth
for the number of devices (it normally specifies 3 devices, but could
be different). I can't think of a reason why you'd want
CONFIG_MAX_MINOR_CAPPED to be different than the number of devices
indicated by CONFIG_ANDROID_BINDER_DEVICES and having it specified in
two places seems error prone.

>
> Christian

Re: [PATCH v1 2/2] binderfs: reserve devices for initial mount

[Christian Brauner]

On Thu, Jan 03, 2019 at 01:47:13PM -0800, Todd Kjos wrote:
> On Thu, Jan 3, 2019 at 12:34 PM Christian Brauner <christian@brauner.io> wrote:
> >
> > On Thu, Jan 03, 2019 at 12:25:24PM -0800, Todd Kjos wrote:
> > > On Sun, Dec 23, 2018 at 6:36 AM Christian Brauner <christian@brauner.io> wrote:
> > > >
> > > > The binderfs instance in the initial ipc namespace will always have a
> > > > reserve of 4 binder devices unless explicitly capped by specifying a lower
> > > > value via the "max" mount option.
> > > > This ensures when binder devices are removed (on accident or on purpose)
> > > > they can always be recreated without risking that all minor numbers have
> > > > already been used up.
> > > >
> > > > Cc: Todd Kjos <tkjos@google.com>
> > > > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > > Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> > > > ---
> > > > v1:
> > > > - patch introduced
> > > > v0:
> > > > - patch not present
> > > > ---
> > > >  drivers/android/binderfs.c | 7 ++++++-
> > > >  1 file changed, 6 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c
> > > > index 873adda064ac..aa635c7ea727 100644
> > > > --- a/drivers/android/binderfs.c
> > > > +++ b/drivers/android/binderfs.c
> > > > @@ -40,6 +40,8 @@
> > > >  #define INODE_OFFSET 3
> > > >  #define INTSTRLEN 21
> > > >  #define BINDERFS_MAX_MINOR (1U << MINORBITS)
> > > > +/* Ensure that the initial ipc namespace always has a devices available. */
> > > > +#define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4)
> > >
> > > Why do you ever need more minors per instance than the number of
> > > devices listed in CONFIG_ANDROID_BINDER_DEVICES?
> >
> > Are you asking asking why this is 4 and not 3? In that case we should
> > probably parse CONFIG_ANDROID_BINDER_DEVICES once at init time and then
> > reserve that many binder devices. Thoughts?
> 
> I'm asking why CONFIG_ANDROID_BINDER_DEVICES isn't the source of truth
> for the number of devices (it normally specifies 3 devices, but could
> be different). I can't think of a reason why you'd want
> CONFIG_MAX_MINOR_CAPPED to be different than the number of devices
> indicated by CONFIG_ANDROID_BINDER_DEVICES and having it specified in
> two places seems error prone.

I'm not following. The CONFIG_MAX_MINOR_CAPPED and
CONFIG_ANDROID_BINDER_DEVICES do not have a relation to each other just
like binder devices requested in CONFIG_ANDROID_BINDER_DEVICES do not
have a relation to binderfs binder devices as was requested for this
patchset.
I also don't know what you mean "appear in two places".

The fact is, binderfs binder devices are independent of binderfs binder
devices. So it is perfectly reasonable for someone to say
CONFIG_ANDROID_BINDER_DEVICES="" and *only* rely on binderfs itself.
Which absolutely need to be possible.
What I want in such scenarios is that people always have a number of
binderfs binder devices guaranteed to be available in the binderfs mount
in the initial ipc namespace no matter how many devices are allocated in
non-initial ipc namespace binderfs mounts. That's why allo non-initial
ipc namespace binderfs mounts will use the CONFIG_MAX_MINOR_CAPPED macro
which guarantees that there's number of devices reserved for the
binderfs instance in the initial ipc namespace.

Re: [PATCH v1 2/2] binderfs: reserve devices for initial mount

[Todd Kjos]

On Thu, Jan 3, 2019 at 2:08 PM Christian Brauner <christian@brauner.io> wrote:
>
> On Thu, Jan 03, 2019 at 01:47:13PM -0800, Todd Kjos wrote:
> > On Thu, Jan 3, 2019 at 12:34 PM Christian Brauner <christian@brauner.io> wrote:
> > >
> > > On Thu, Jan 03, 2019 at 12:25:24PM -0800, Todd Kjos wrote:
> > > > On Sun, Dec 23, 2018 at 6:36 AM Christian Brauner <christian@brauner.io> wrote:
> > > > >
> > > > > The binderfs instance in the initial ipc namespace will always have a
> > > > > reserve of 4 binder devices unless explicitly capped by specifying a lower
> > > > > value via the "max" mount option.
> > > > > This ensures when binder devices are removed (on accident or on purpose)
> > > > > they can always be recreated without risking that all minor numbers have
> > > > > already been used up.
> > > > >
> > > > > Cc: Todd Kjos <tkjos@google.com>
> > > > > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > > > Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> > > > > ---
> > > > > v1:
> > > > > - patch introduced
> > > > > v0:
> > > > > - patch not present
> > > > > ---
> > > > >  drivers/android/binderfs.c | 7 ++++++-
> > > > >  1 file changed, 6 insertions(+), 1 deletion(-)
> > > > >
> > > > > diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c
> > > > > index 873adda064ac..aa635c7ea727 100644
> > > > > --- a/drivers/android/binderfs.c
> > > > > +++ b/drivers/android/binderfs.c
> > > > > @@ -40,6 +40,8 @@
> > > > >  #define INODE_OFFSET 3
> > > > >  #define INTSTRLEN 21
> > > > >  #define BINDERFS_MAX_MINOR (1U << MINORBITS)
> > > > > +/* Ensure that the initial ipc namespace always has a devices available. */
> > > > > +#define BINDERFS_MAX_MINOR_CAPPED (BINDERFS_MAX_MINOR - 4)
> > > >
> > > > Why do you ever need more minors per instance than the number of
> > > > devices listed in CONFIG_ANDROID_BINDER_DEVICES?
> > >
> > > Are you asking asking why this is 4 and not 3? In that case we should
> > > probably parse CONFIG_ANDROID_BINDER_DEVICES once at init time and then
> > > reserve that many binder devices. Thoughts?
> >
> > I'm asking why CONFIG_ANDROID_BINDER_DEVICES isn't the source of truth
> > for the number of devices (it normally specifies 3 devices, but could
> > be different). I can't think of a reason why you'd want
> > CONFIG_MAX_MINOR_CAPPED to be different than the number of devices
> > indicated by CONFIG_ANDROID_BINDER_DEVICES and having it specified in
> > two places seems error prone.
>
> I'm not following. The CONFIG_MAX_MINOR_CAPPED and
> CONFIG_ANDROID_BINDER_DEVICES do not have a relation to each other just
> like binder devices requested in CONFIG_ANDROID_BINDER_DEVICES do not
> have a relation to binderfs binder devices as was requested for this
> patchset.
> I also don't know what you mean "appear in two places".
>
> The fact is, binderfs binder devices are independent of binderfs binder
> devices. So it is perfectly reasonable for someone to say
> CONFIG_ANDROID_BINDER_DEVICES="" and *only* rely on binderfs itself.
> Which absolutely need to be possible.
> What I want in such scenarios is that people always have a number of
> binderfs binder devices guaranteed to be available in the binderfs mount
> in the initial ipc namespace no matter how many devices are allocated in
> non-initial ipc namespace binderfs mounts. That's why allo non-initial
> ipc namespace binderfs mounts will use the CONFIG_MAX_MINOR_CAPPED macro
> which guarantees that there's number of devices reserved for the
> binderfs instance in the initial ipc namespace.

Yes, you are right. Cobwebs from vacation -- I confused this with the
previous non-binderfs implementation that was posted that did use
CONFIG_ANDROID_BINDER_DEVICES to instantiate the devices in all
containers. In binderfs, that is only used for the initial (default)
devices.