1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/*
3
 * Copyright 2008 Red Hat, Inc. All rights reserved.
4
 * Copyright 2008 Ian Kent <[email protected]>
5
 */
6

7
#include <linux/module.h>
8
#include <linux/miscdevice.h>
9
#include <linux/compat.h>
10
#include <linux/fdtable.h>
11
#include <linux/magic.h>
12
#include <linux/nospec.h>
13

14
#include "autofs_i.h"
15

16
/*
17
 * This module implements an interface for routing autofs ioctl control
18
 * commands via a miscellaneous device file.
19
 *
20
 * The alternate interface is needed because we need to be able open
21
 * an ioctl file descriptor on an autofs mount that may be covered by
22
 * another mount. This situation arises when starting automount(8)
23
 * or other user space daemon which uses direct mounts or offset
24
 * mounts (used for autofs lazy mount/umount of nested mount trees),
25
 * which have been left busy at service shutdown.
26
 */
27

28
typedef int (*ioctl_fn)(struct file *, struct autofs_sb_info *,
29
			struct autofs_dev_ioctl *);
30

31
static int check_name(const char *name)
32
{
33
	if (!strchr(name, '/'))
34
		return -EINVAL;
35
	return 0;
36
}
37

38
/*
39
 * Check a string doesn't overrun the chunk of
40
 * memory we copied from user land.
41
 */
42
static int invalid_str(char *str, size_t size)
43
{
44
	if (memchr(str, 0, size))
45
		return 0;
46
	return -EINVAL;
47
}
48

49
/*
50
 * Check that the user compiled against correct version of autofs
51
 * misc device code.
52
 *
53
 * As well as checking the version compatibility this always copies
54
 * the kernel interface version out.
55
 */
56
static int check_dev_ioctl_version(int cmd, struct autofs_dev_ioctl *param)
57
{
58
	int err = 0;
59

60
	if ((param->ver_major != AUTOFS_DEV_IOCTL_VERSION_MAJOR) ||
61
	    (param->ver_minor > AUTOFS_DEV_IOCTL_VERSION_MINOR)) {
62
		pr_warn("ioctl control interface version mismatch: "
63
			"kernel(%u.%u), user(%u.%u), cmd(0x%08x)\n",
64
			AUTOFS_DEV_IOCTL_VERSION_MAJOR,
65
			AUTOFS_DEV_IOCTL_VERSION_MINOR,
66
			param->ver_major, param->ver_minor, cmd);
67
		err = -EINVAL;
68
	}
69

70
	/* Fill in the kernel version. */
71
	param->ver_major = AUTOFS_DEV_IOCTL_VERSION_MAJOR;
72
	param->ver_minor = AUTOFS_DEV_IOCTL_VERSION_MINOR;
73

74
	return err;
75
}
76

77
/*
78
 * Copy parameter control struct, including a possible path allocated
79
 * at the end of the struct.
80
 */
81
static struct autofs_dev_ioctl *
82
copy_dev_ioctl(struct autofs_dev_ioctl __user *in)
83
{
84
	struct autofs_dev_ioctl tmp, *res;
85

86
	if (copy_from_user(&tmp, in, AUTOFS_DEV_IOCTL_SIZE))
87
		return ERR_PTR(-EFAULT);
88

89
	if (tmp.size < AUTOFS_DEV_IOCTL_SIZE)
90
		return ERR_PTR(-EINVAL);
91

92
	if (tmp.size > AUTOFS_DEV_IOCTL_SIZE + PATH_MAX)
93
		return ERR_PTR(-ENAMETOOLONG);
94

95
	res = memdup_user(in, tmp.size);
96
	if (!IS_ERR(res))
97
		res->size = tmp.size;
98

99
	return res;
100
}
101

102
static inline void free_dev_ioctl(struct autofs_dev_ioctl *param)
103
{
104
	kfree(param);
105
}
106

107
/*
108
 * Check sanity of parameter control fields and if a path is present
109
 * check that it is terminated and contains at least one "/".
110
 */
111
static int validate_dev_ioctl(int cmd, struct autofs_dev_ioctl *param)
112
{
113
	unsigned int inr = _IOC_NR(cmd);
114
	int err;
115

116
	err = check_dev_ioctl_version(cmd, param);
117
	if (err) {
118
		pr_warn("invalid device control module version "
119
			"supplied for cmd(0x%08x)\n", cmd);
120
		goto out;
121
	}
122

123
	if (param->size > AUTOFS_DEV_IOCTL_SIZE) {
124
		err = invalid_str(param->path, param->size - AUTOFS_DEV_IOCTL_SIZE);
125
		if (err) {
126
			pr_warn(
127
			  "path string terminator missing for cmd(0x%08x)\n",
128
			  cmd);
129
			goto out;
130
		}
131

132
		/* Setting the per-dentry expire timeout requires a trailing
133
		 * path component, ie. no '/', so invert the logic of the
134
		 * check_name() return for AUTOFS_DEV_IOCTL_TIMEOUT_CMD.
135
		 */
136
		err = check_name(param->path);
137
		if (inr == AUTOFS_DEV_IOCTL_TIMEOUT_CMD)
138
			err = err ? 0 : -EINVAL;
139
		if (err) {
140
			pr_warn("invalid path supplied for cmd(0x%08x)\n",
141
				cmd);
142
			goto out;
143
		}
144
	} else {
145
		if (inr == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD ||
146
		    inr == AUTOFS_DEV_IOCTL_REQUESTER_CMD ||
147
		    inr == AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD) {
148
			err = -EINVAL;
149
			goto out;
150
		}
151
	}
152

153
	err = 0;
154
out:
155
	return err;
156
}
157

158
/* Return autofs dev ioctl version */
159
static int autofs_dev_ioctl_version(struct file *fp,
160
				    struct autofs_sb_info *sbi,
161
				    struct autofs_dev_ioctl *param)
162
{
163
	/* This should have already been set. */
164
	param->ver_major = AUTOFS_DEV_IOCTL_VERSION_MAJOR;
165
	param->ver_minor = AUTOFS_DEV_IOCTL_VERSION_MINOR;
166
	return 0;
167
}
168

169
/* Return autofs module protocol version */
170
static int autofs_dev_ioctl_protover(struct file *fp,
171
				     struct autofs_sb_info *sbi,
172
				     struct autofs_dev_ioctl *param)
173
{
174
	param->protover.version = sbi->version;
175
	return 0;
176
}
177

178
/* Return autofs module protocol sub version */
179
static int autofs_dev_ioctl_protosubver(struct file *fp,
180
					struct autofs_sb_info *sbi,
181
					struct autofs_dev_ioctl *param)
182
{
183
	param->protosubver.sub_version = sbi->sub_version;
184
	return 0;
185
}
186

187
/* Find the topmost mount satisfying test() */
188
static int find_autofs_mount(const char *pathname,
189
			     struct path *res,
190
			     int test(const struct path *path, void *data),
191
			     void *data)
192
{
193
	struct path path;
194
	int err;
195

196
	err = kern_path(pathname, LOOKUP_MOUNTPOINT, &path);
197
	if (err)
198
		return err;
199
	err = -ENOENT;
200
	while (path.dentry == path.mnt->mnt_root) {
201
		if (path.dentry->d_sb->s_magic == AUTOFS_SUPER_MAGIC) {
202
			if (test(&path, data)) {
203
				path_get(&path);
204
				*res = path;
205
				err = 0;
206
				break;
207
			}
208
		}
209
		if (!follow_up(&path))
210
			break;
211
	}
212
	path_put(&path);
213
	return err;
214
}
215

216
static int test_by_dev(const struct path *path, void *p)
217
{
218
	return path->dentry->d_sb->s_dev == *(dev_t *)p;
219
}
220

221
static int test_by_type(const struct path *path, void *p)
222
{
223
	struct autofs_info *ino = autofs_dentry_ino(path->dentry);
224

225
	return ino && ino->sbi->type & *(unsigned *)p;
226
}
227

228
/*
229
 * Open a file descriptor on the autofs mount point corresponding
230
 * to the given path and device number (aka. new_encode_dev(sb->s_dev)).
231
 */
232
static int autofs_dev_ioctl_open_mountpoint(const char *name, dev_t devid)
233
{
234
	int err, fd;
235

236
	fd = get_unused_fd_flags(O_CLOEXEC);
237
	if (likely(fd >= 0)) {
238
		struct file *filp;
239
		struct path path;
240

241
		err = find_autofs_mount(name, &path, test_by_dev, &devid);
242
		if (err)
243
			goto out;
244

245
		filp = dentry_open(&path, O_RDONLY, current_cred());
246
		path_put(&path);
247
		if (IS_ERR(filp)) {
248
			err = PTR_ERR(filp);
249
			goto out;
250
		}
251

252
		fd_install(fd, filp);
253
	}
254

255
	return fd;
256

257
out:
258
	put_unused_fd(fd);
259
	return err;
260
}
261

262
/* Open a file descriptor on an autofs mount point */
263
static int autofs_dev_ioctl_openmount(struct file *fp,
264
				      struct autofs_sb_info *sbi,
265
				      struct autofs_dev_ioctl *param)
266
{
267
	const char *path;
268
	dev_t devid;
269
	int err, fd;
270

271
	/* param->path has been checked in validate_dev_ioctl() */
272

273
	if (!param->openmount.devid)
274
		return -EINVAL;
275

276
	param->ioctlfd = -1;
277

278
	path = param->path;
279
	devid = new_decode_dev(param->openmount.devid);
280

281
	err = 0;
282
	fd = autofs_dev_ioctl_open_mountpoint(path, devid);
283
	if (unlikely(fd < 0)) {
284
		err = fd;
285
		goto out;
286
	}
287

288
	param->ioctlfd = fd;
289
out:
290
	return err;
291
}
292

293
/* Close file descriptor allocated above (user can also use close(2)). */
294
static int autofs_dev_ioctl_closemount(struct file *fp,
295
				       struct autofs_sb_info *sbi,
296
				       struct autofs_dev_ioctl *param)
297
{
298
	return close_fd(param->ioctlfd);
299
}
300

301
/*
302
 * Send "ready" status for an existing wait (either a mount or an expire
303
 * request).
304
 */
305
static int autofs_dev_ioctl_ready(struct file *fp,
306
				  struct autofs_sb_info *sbi,
307
				  struct autofs_dev_ioctl *param)
308
{
309
	autofs_wqt_t token;
310

311
	token = (autofs_wqt_t) param->ready.token;
312
	return autofs_wait_release(sbi, token, 0);
313
}
314

315
/*
316
 * Send "fail" status for an existing wait (either a mount or an expire
317
 * request).
318
 */
319
static int autofs_dev_ioctl_fail(struct file *fp,
320
				 struct autofs_sb_info *sbi,
321
				 struct autofs_dev_ioctl *param)
322
{
323
	autofs_wqt_t token;
324
	int status;
325

326
	token = (autofs_wqt_t) param->fail.token;
327
	status = param->fail.status < 0 ? param->fail.status : -ENOENT;
328
	return autofs_wait_release(sbi, token, status);
329
}
330

331
/*
332
 * Set the pipe fd for kernel communication to the daemon.
333
 *
334
 * Normally this is set at mount using an option but if we
335
 * are reconnecting to a busy mount then we need to use this
336
 * to tell the autofs mount about the new kernel pipe fd. In
337
 * order to protect mounts against incorrectly setting the
338
 * pipefd we also require that the autofs mount be catatonic.
339
 *
340
 * This also sets the process group id used to identify the
341
 * controlling process (eg. the owning automount(8) daemon).
342
 */
343
static int autofs_dev_ioctl_setpipefd(struct file *fp,
344
				      struct autofs_sb_info *sbi,
345
				      struct autofs_dev_ioctl *param)
346
{
347
	int pipefd;
348
	int err = 0;
349
	struct pid *new_pid = NULL;
350

351
	if (param->setpipefd.pipefd == -1)
352
		return -EINVAL;
353

354
	pipefd = param->setpipefd.pipefd;
355

356
	mutex_lock(&sbi->wq_mutex);
357
	if (!(sbi->flags & AUTOFS_SBI_CATATONIC)) {
358
		mutex_unlock(&sbi->wq_mutex);
359
		return -EBUSY;
360
	} else {
361
		struct file *pipe;
362

363
		new_pid = get_task_pid(current, PIDTYPE_PGID);
364

365
		if (ns_of_pid(new_pid) != ns_of_pid(sbi->oz_pgrp)) {
366
			pr_warn("not allowed to change PID namespace\n");
367
			err = -EINVAL;
368
			goto out;
369
		}
370

371
		pipe = fget(pipefd);
372
		if (!pipe) {
373
			err = -EBADF;
374
			goto out;
375
		}
376
		if (autofs_prepare_pipe(pipe) < 0) {
377
			err = -EPIPE;
378
			fput(pipe);
379
			goto out;
380
		}
381
		swap(sbi->oz_pgrp, new_pid);
382
		sbi->pipefd = pipefd;
383
		sbi->pipe = pipe;
384
		sbi->flags &= ~AUTOFS_SBI_CATATONIC;
385
	}
386
out:
387
	put_pid(new_pid);
388
	mutex_unlock(&sbi->wq_mutex);
389
	return err;
390
}
391

392
/*
393
 * Make the autofs mount point catatonic, no longer responsive to
394
 * mount requests. Also closes the kernel pipe file descriptor.
395
 */
396
static int autofs_dev_ioctl_catatonic(struct file *fp,
397
				      struct autofs_sb_info *sbi,
398
				      struct autofs_dev_ioctl *param)
399
{
400
	autofs_catatonic_mode(sbi);
401
	return 0;
402
}
403

404
/*
405
 * Set the autofs mount expire timeout.
406
 *
407
 * There are two places an expire timeout can be set, in the autofs
408
 * super block info. (this is all that's needed for direct and offset
409
 * mounts because there's a distinct mount corresponding to each of
410
 * these) and per-dentry within within the dentry info. If a per-dentry
411
 * timeout is set it will override the expire timeout set in the parent
412
 * autofs super block info.
413
 *
414
 * If setting the autofs super block expire timeout the autofs_dev_ioctl
415
 * size field will be equal to the autofs_dev_ioctl structure size. If
416
 * setting the per-dentry expire timeout the mount point name is passed
417
 * in the autofs_dev_ioctl path field and the size field updated to
418
 * reflect this.
419
 *
420
 * Setting the autofs mount expire timeout sets the timeout in the super
421
 * block info. struct. Setting the per-dentry timeout does a little more.
422
 * If the timeout is equal to -1 the per-dentry timeout (and flag) is
423
 * cleared which reverts to using the super block timeout, otherwise if
424
 * timeout is 0 the timeout is set to this value and the flag is left
425
 * set which disables expiration for the mount point, lastly the flag
426
 * and the timeout are set enabling the dentry to use this timeout.
427
 */
428
static int autofs_dev_ioctl_timeout(struct file *fp,
429
				    struct autofs_sb_info *sbi,
430
				    struct autofs_dev_ioctl *param)
431
{
432
	unsigned long timeout = param->timeout.timeout;
433

434
	/* If setting the expire timeout for an individual indirect
435
	 * mount point dentry the mount trailing component path is
436
	 * placed in param->path and param->size adjusted to account
437
	 * for it otherwise param->size it is set to the structure
438
	 * size.
439
	 */
440
	if (param->size == AUTOFS_DEV_IOCTL_SIZE) {
441
		param->timeout.timeout = sbi->exp_timeout / HZ;
442
		sbi->exp_timeout = timeout * HZ;
443
	} else {
444
		struct dentry *base = fp->f_path.dentry;
445
		int path_len = param->size - AUTOFS_DEV_IOCTL_SIZE - 1;
446
		struct dentry *dentry;
447
		struct autofs_info *ino;
448

449
		if (!autofs_type_indirect(sbi->type))
450
			return -EINVAL;
451

452
		/* An expire timeout greater than the superblock timeout
453
		 * could be a problem at shutdown but the super block
454
		 * timeout itself can change so all we can really do is
455
		 * warn the user.
456
		 */
457
		if (timeout >= sbi->exp_timeout)
458
			pr_warn("per-mount expire timeout is greater than "
459
				"the parent autofs mount timeout which could "
460
				"prevent shutdown\n");
461

462
		dentry = try_lookup_noperm(&QSTR_LEN(param->path, path_len),
463
					   base);
464
		if (IS_ERR_OR_NULL(dentry))
465
			return dentry ? PTR_ERR(dentry) : -ENOENT;
466
		ino = autofs_dentry_ino(dentry);
467
		if (!ino) {
468
			dput(dentry);
469
			return -ENOENT;
470
		}
471

472
		if (ino->exp_timeout && ino->flags & AUTOFS_INF_EXPIRE_SET)
473
			param->timeout.timeout = ino->exp_timeout / HZ;
474
		else
475
			param->timeout.timeout = sbi->exp_timeout / HZ;
476

477
		if (timeout == -1) {
478
			/* Revert to using the super block timeout */
479
			ino->flags &= ~AUTOFS_INF_EXPIRE_SET;
480
			ino->exp_timeout = 0;
481
		} else {
482
			/* Set the dentry expire flag and timeout.
483
			 *
484
			 * If timeout is 0 it will prevent the expire
485
			 * of this particular automount.
486
			 */
487
			ino->flags |= AUTOFS_INF_EXPIRE_SET;
488
			ino->exp_timeout = timeout * HZ;
489
		}
490
		dput(dentry);
491
	}
492

493
	return 0;
494
}
495

496
/*
497
 * Return the uid and gid of the last request for the mount
498
 *
499
 * When reconstructing an autofs mount tree with active mounts
500
 * we need to re-connect to mounts that may have used the original
501
 * process uid and gid (or string variations of them) for mount
502
 * lookups within the map entry.
503
 */
504
static int autofs_dev_ioctl_requester(struct file *fp,
505
				      struct autofs_sb_info *sbi,
506
				      struct autofs_dev_ioctl *param)
507
{
508
	struct autofs_info *ino;
509
	struct path path;
510
	dev_t devid;
511
	int err = -ENOENT;
512

513
	/* param->path has been checked in validate_dev_ioctl() */
514

515
	devid = sbi->sb->s_dev;
516

517
	param->requester.uid = param->requester.gid = -1;
518

519
	err = find_autofs_mount(param->path, &path, test_by_dev, &devid);
520
	if (err)
521
		goto out;
522

523
	ino = autofs_dentry_ino(path.dentry);
524
	if (ino) {
525
		err = 0;
526
		autofs_expire_wait(&path, 0);
527
		spin_lock(&sbi->fs_lock);
528
		param->requester.uid =
529
			from_kuid_munged(current_user_ns(), ino->uid);
530
		param->requester.gid =
531
			from_kgid_munged(current_user_ns(), ino->gid);
532
		spin_unlock(&sbi->fs_lock);
533
	}
534
	path_put(&path);
535
out:
536
	return err;
537
}
538

539
/*
540
 * Call repeatedly until it returns -EAGAIN, meaning there's nothing
541
 * more that can be done.
542
 */
543
static int autofs_dev_ioctl_expire(struct file *fp,
544
				   struct autofs_sb_info *sbi,
545
				   struct autofs_dev_ioctl *param)
546
{
547
	struct vfsmount *mnt;
548
	int how;
549

550
	how = param->expire.how;
551
	mnt = fp->f_path.mnt;
552

553
	return autofs_do_expire_multi(sbi->sb, mnt, sbi, how);
554
}
555

556
/* Check if autofs mount point is in use */
557
static int autofs_dev_ioctl_askumount(struct file *fp,
558
				      struct autofs_sb_info *sbi,
559
				      struct autofs_dev_ioctl *param)
560
{
561
	param->askumount.may_umount = 0;
562
	if (may_umount(fp->f_path.mnt))
563
		param->askumount.may_umount = 1;
564
	return 0;
565
}
566

567
/*
568
 * Check if the given path is a mountpoint.
569
 *
570
 * If we are supplied with the file descriptor of an autofs
571
 * mount we're looking for a specific mount. In this case
572
 * the path is considered a mountpoint if it is itself a
573
 * mountpoint or contains a mount, such as a multi-mount
574
 * without a root mount. In this case we return 1 if the
575
 * path is a mount point and the super magic of the covering
576
 * mount if there is one or 0 if it isn't a mountpoint.
577
 *
578
 * If we aren't supplied with a file descriptor then we
579
 * lookup the path and check if it is the root of a mount.
580
 * If a type is given we are looking for a particular autofs
581
 * mount and if we don't find a match we return fail. If the
582
 * located path is the root of a mount we return 1 along with
583
 * the super magic of the mount or 0 otherwise.
584
 *
585
 * In both cases the device number (as returned by
586
 * new_encode_dev()) is also returned.
587
 */
588
static int autofs_dev_ioctl_ismountpoint(struct file *fp,
589
					 struct autofs_sb_info *sbi,
590
					 struct autofs_dev_ioctl *param)
591
{
592
	struct path path;
593
	const char *name;
594
	unsigned int type;
595
	unsigned int devid, magic;
596
	int err = -ENOENT;
597

598
	/* param->path has been checked in validate_dev_ioctl() */
599

600
	name = param->path;
601
	type = param->ismountpoint.in.type;
602

603
	param->ismountpoint.out.devid = devid = 0;
604
	param->ismountpoint.out.magic = magic = 0;
605

606
	if (!fp || param->ioctlfd == -1) {
607
		if (autofs_type_any(type))
608
			err = kern_path(name, LOOKUP_FOLLOW | LOOKUP_MOUNTPOINT,
609
					&path);
610
		else
611
			err = find_autofs_mount(name, &path,
612
						test_by_type, &type);
613
		if (err)
614
			goto out;
615
		devid = new_encode_dev(path.dentry->d_sb->s_dev);
616
		err = 0;
617
		if (path.mnt->mnt_root == path.dentry) {
618
			err = 1;
619
			magic = path.dentry->d_sb->s_magic;
620
		}
621
	} else {
622
		dev_t dev = sbi->sb->s_dev;
623

624
		err = find_autofs_mount(name, &path, test_by_dev, &dev);
625
		if (err)
626
			goto out;
627

628
		devid = new_encode_dev(dev);
629

630
		err = path_has_submounts(&path);
631

632
		if (follow_down_one(&path))
633
			magic = path.dentry->d_sb->s_magic;
634
	}
635

636
	param->ismountpoint.out.devid = devid;
637
	param->ismountpoint.out.magic = magic;
638
	path_put(&path);
639
out:
640
	return err;
641
}
642

643
/*
644
 * Our range of ioctl numbers isn't 0 based so we need to shift
645
 * the array index by _IOC_NR(AUTOFS_CTL_IOC_FIRST) for the table
646
 * lookup.
647
 */
648
#define cmd_idx(cmd)	(cmd - _IOC_NR(AUTOFS_DEV_IOCTL_IOC_FIRST))
649

650
static ioctl_fn lookup_dev_ioctl(unsigned int cmd)
651
{
652
	static const ioctl_fn _ioctls[] = {
653
		autofs_dev_ioctl_version,
654
		autofs_dev_ioctl_protover,
655
		autofs_dev_ioctl_protosubver,
656
		autofs_dev_ioctl_openmount,
657
		autofs_dev_ioctl_closemount,
658
		autofs_dev_ioctl_ready,
659
		autofs_dev_ioctl_fail,
660
		autofs_dev_ioctl_setpipefd,
661
		autofs_dev_ioctl_catatonic,
662
		autofs_dev_ioctl_timeout,
663
		autofs_dev_ioctl_requester,
664
		autofs_dev_ioctl_expire,
665
		autofs_dev_ioctl_askumount,
666
		autofs_dev_ioctl_ismountpoint,
667
	};
668
	unsigned int idx = cmd_idx(cmd);
669

670
	if (idx >= ARRAY_SIZE(_ioctls))
671
		return NULL;
672
	idx = array_index_nospec(idx, ARRAY_SIZE(_ioctls));
673
	return _ioctls[idx];
674
}
675

676
/* ioctl dispatcher */
677
static int _autofs_dev_ioctl(unsigned int command,
678
			     struct autofs_dev_ioctl __user *user)
679
{
680
	struct autofs_dev_ioctl *param;
681
	struct file *fp;
682
	struct autofs_sb_info *sbi;
683
	unsigned int cmd_first, cmd;
684
	ioctl_fn fn = NULL;
685
	int err = 0;
686

687
	cmd_first = _IOC_NR(AUTOFS_DEV_IOCTL_IOC_FIRST);
688
	cmd = _IOC_NR(command);
689

690
	if (_IOC_TYPE(command) != _IOC_TYPE(AUTOFS_DEV_IOCTL_IOC_FIRST) ||
691
	    cmd - cmd_first > AUTOFS_DEV_IOCTL_IOC_COUNT) {
692
		return -ENOTTY;
693
	}
694

695
	/* Only root can use ioctls other than AUTOFS_DEV_IOCTL_VERSION_CMD
696
	 * and AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD
697
	 */
698
	if (cmd != AUTOFS_DEV_IOCTL_VERSION_CMD &&
699
	    cmd != AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD &&
700
	    !capable(CAP_SYS_ADMIN))
701
		return -EPERM;
702

703
	/* Copy the parameters into kernel space. */
704
	param = copy_dev_ioctl(user);
705
	if (IS_ERR(param))
706
		return PTR_ERR(param);
707

708
	err = validate_dev_ioctl(command, param);
709
	if (err)
710
		goto out;
711

712
	fn = lookup_dev_ioctl(cmd);
713
	if (!fn) {
714
		pr_warn("unknown command 0x%08x\n", command);
715
		err = -ENOTTY;
716
		goto out;
717
	}
718

719
	fp = NULL;
720
	sbi = NULL;
721

722
	/*
723
	 * For obvious reasons the openmount can't have a file
724
	 * descriptor yet. We don't take a reference to the
725
	 * file during close to allow for immediate release,
726
	 * and the same for retrieving ioctl version.
727
	 */
728
	if (cmd != AUTOFS_DEV_IOCTL_VERSION_CMD &&
729
	    cmd != AUTOFS_DEV_IOCTL_OPENMOUNT_CMD &&
730
	    cmd != AUTOFS_DEV_IOCTL_CLOSEMOUNT_CMD) {
731
		struct super_block *sb;
732

733
		fp = fget(param->ioctlfd);
734
		if (!fp) {
735
			if (cmd == AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD)
736
				goto cont;
737
			err = -EBADF;
738
			goto out;
739
		}
740

741
		sb = file_inode(fp)->i_sb;
742
		if (sb->s_type != &autofs_fs_type) {
743
			err = -EINVAL;
744
			fput(fp);
745
			goto out;
746
		}
747
		sbi = autofs_sbi(sb);
748

749
		/*
750
		 * Admin needs to be able to set the mount catatonic in
751
		 * order to be able to perform the re-open.
752
		 */
753
		if (!autofs_oz_mode(sbi) &&
754
		    cmd != AUTOFS_DEV_IOCTL_CATATONIC_CMD) {
755
			err = -EACCES;
756
			fput(fp);
757
			goto out;
758
		}
759
	}
760
cont:
761
	err = fn(fp, sbi, param);
762

763
	if (fp)
764
		fput(fp);
765
	if (err >= 0 && copy_to_user(user, param, AUTOFS_DEV_IOCTL_SIZE))
766
		err = -EFAULT;
767
out:
768
	free_dev_ioctl(param);
769
	return err;
770
}
771

772
static long autofs_dev_ioctl(struct file *file, unsigned int command,
773
			     unsigned long u)
774
{
775
	int err;
776

777
	err = _autofs_dev_ioctl(command, (struct autofs_dev_ioctl __user *) u);
778
	return (long) err;
779
}
780

781
#ifdef CONFIG_COMPAT
782
static long autofs_dev_ioctl_compat(struct file *file, unsigned int command,
783
				    unsigned long u)
784
{
785
	return autofs_dev_ioctl(file, command, (unsigned long) compat_ptr(u));
786
}
787
#else
788
#define autofs_dev_ioctl_compat NULL
789
#endif
790

791
static const struct file_operations _dev_ioctl_fops = {
792
	.unlocked_ioctl	 = autofs_dev_ioctl,
793
	.compat_ioctl = autofs_dev_ioctl_compat,
794
	.owner	 = THIS_MODULE,
795
	.llseek = noop_llseek,
796
};
797

798
static struct miscdevice _autofs_dev_ioctl_misc = {
799
	.minor		= AUTOFS_MINOR,
800
	.name		= AUTOFS_DEVICE_NAME,
801
	.fops		= &_dev_ioctl_fops,
802
	.mode           = 0644,
803
};
804

805
MODULE_ALIAS_MISCDEV(AUTOFS_MINOR);
806
MODULE_ALIAS("devname:autofs");
807

808
/* Register/deregister misc character device */
809
int __init autofs_dev_ioctl_init(void)
810
{
811
	int r;
812

813
	r = misc_register(&_autofs_dev_ioctl_misc);
814
	if (r) {
815
		pr_err("misc_register failed for control device\n");
816
		return r;
817
	}
818

819
	return 0;
820
}
821

822
void autofs_dev_ioctl_exit(void)
823
{
824
	misc_deregister(&_autofs_dev_ioctl_misc);
825
}
826

827