1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/*
3
 * Copyright 2008 Red Hat, Inc. All rights reserved.
4
 * Copyright 2008 Ian Kent <[email protected]>
5
 */
6

7
#include <linux/module.h>
8
#include <linux/miscdevice.h>
9
#include <linux/compat.h>
10
#include <linux/fdtable.h>
11
#include <linux/magic.h>
12
#include <linux/nospec.h>
13

14
#include "autofs_i.h"
15

16
/*
17
 * This module implements an interface for routing autofs ioctl control
18
 * commands via a miscellaneous device file.
19
 *
20
 * The alternate interface is needed because we need to be able open
21
 * an ioctl file descriptor on an autofs mount that may be covered by
22
 * another mount. This situation arises when starting automount(8)
23
 * or other user space daemon which uses direct mounts or offset
24
 * mounts (used for autofs lazy mount/umount of nested mount trees),
25
 * which have been left busy at service shutdown.
26
 */
27

28
typedef int (*ioctl_fn)(struct file *, struct autofs_sb_info *,
29
			struct autofs_dev_ioctl *);
30

31
static int check_name(const char *name)
32
{
33
	if (!strchr(name, '/'))
34
		return -EINVAL;
35
	return 0;
36
}
37

38
/*
39
 * Check a string doesn't overrun the chunk of
40
 * memory we copied from user land.
41
 */
42
static int invalid_str(char *str, size_t size)
43
{
44
	if (memchr(str, 0, size))
45
		return 0;
46
	return -EINVAL;
47
}
48

49
/*
50
 * Check that the user compiled against correct version of autofs
51
 * misc device code.
52
 *
53
 * As well as checking the version compatibility this always copies
54
 * the kernel interface version out.
55
 */
56
static int check_dev_ioctl_version(int cmd, struct autofs_dev_ioctl *param)
57
{
58
	int err = 0;
59

60
	if ((param->ver_major != AUTOFS_DEV_IOCTL_VERSION_MAJOR) ||
61
	    (param->ver_minor > AUTOFS_DEV_IOCTL_VERSION_MINOR)) {
62
		pr_warn("ioctl control interface version mismatch: "
63
			"kernel(%u.%u), user(%u.%u), cmd(0x%08x)\n",
64
			AUTOFS_DEV_IOCTL_VERSION_MAJOR,
65
			AUTOFS_DEV_IOCTL_VERSION_MINOR,
66
			param->ver_major, param->ver_minor, cmd);
67
		err = -EINVAL;
68
	}
69

70
	/* Fill in the kernel version. */
71
	param->ver_major = AUTOFS_DEV_IOCTL_VERSION_MAJOR;
72
	param->ver_minor = AUTOFS_DEV_IOCTL_VERSION_MINOR;
73

74
	return err;
75
}
76

77
/*
78
 * Copy parameter control struct, including a possible path allocated
79
 * at the end of the struct.
80
 */
81
static struct autofs_dev_ioctl *
82
copy_dev_ioctl(struct autofs_dev_ioctl __user *in)
83
{
84
	struct autofs_dev_ioctl tmp, *res;
85

86
	if (copy_from_user(&tmp, in, AUTOFS_DEV_IOCTL_SIZE))
87
		return ERR_PTR(-EFAULT);
88

89
	if (tmp.size < AUTOFS_DEV_IOCTL_SIZE)
90
		return ERR_PTR(-EINVAL);
91

92
	if (tmp.size > AUTOFS_DEV_IOCTL_SIZE + PATH_MAX)
93
		return ERR_PTR(-ENAMETOOLONG);
94

95
	res = memdup_user(in, tmp.size);
96
	if (!IS_ERR(res))
97
		res->size = tmp.size;
98

99
	return res;
100
}
101

102
static inline void free_dev_ioctl(struct autofs_dev_ioctl *param)
103
{
104
	kfree(param);
105
}
106

107
/*
108
 * Check sanity of parameter control fields and if a path is present
109
 * check that it is terminated and contains at least one "/".
110
 */
111
static int validate_dev_ioctl(int cmd, struct autofs_dev_ioctl *param)
112
{
113
	unsigned int inr = _IOC_NR(cmd);
114
	int err;
115

116
	err = check_dev_ioctl_version(cmd, param);
117
	if (err) {
118
		pr_warn("invalid device control module version "
119
			"supplied for cmd(0x%08x)\n", cmd);
120
		goto out;
121
	}
122

123
	if (param->size > AUTOFS_DEV_IOCTL_SIZE) {
124
		err = invalid_str(param->path, param->size - AUTOFS_DEV_IOCTL_SIZE);
125
		if (err) {
126
			pr_warn(
127
			  "path string terminator missing for cmd(0x%08x)\n",
128
			  cmd);
129
			goto out;
130
		}
131

132
		/* Setting the per-dentry expire timeout requires a trailing
133
		 * path component, ie. no '/', so invert the logic of the
134
		 * check_name() return for AUTOFS_DEV_IOCTL_TIMEOUT_CMD.
135
		 */
136
		err = check_name(param->path);
137
		if (inr == AUTOFS_DEV_IOCTL_TIMEOUT_CMD)
138
			err = err ? 0 : -EINVAL;
139
		if (err) {
140
			pr_warn("invalid path supplied for cmd(0x%08x)\n",
141
				cmd);
142
			goto out;
143
		}
144
	} else {
145
		if (inr == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD ||
146
		    inr == AUTOFS_DEV_IOCTL_REQUESTER_CMD ||
147
		    inr == AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD) {
148
			err = -EINVAL;
149
			goto out;
150
		}
151
	}
152

153
	err = 0;
154
out:
155
	return err;
156
}
157

158
/* Return autofs dev ioctl version */
159
static int autofs_dev_ioctl_version(struct file *fp,
160
				    struct autofs_sb_info *sbi,
161
				    struct autofs_dev_ioctl *param)
162
{
163
	/* This should have already been set. */
164
	param->ver_major = AUTOFS_DEV_IOCTL_VERSION_MAJOR;
165
	param->ver_minor = AUTOFS_DEV_IOCTL_VERSION_MINOR;
166
	return 0;
167
}
168

169
/* Return autofs module protocol version */
170
static int autofs_dev_ioctl_protover(struct file *fp,
171
				     struct autofs_sb_info *sbi,
172
				     struct autofs_dev_ioctl *param)
173
{
174
	param->protover.version = sbi->version;
175
	return 0;
176
}
177

178
/* Return autofs module protocol sub version */
179
static int autofs_dev_ioctl_protosubver(struct file *fp,
180
					struct autofs_sb_info *sbi,
181
					struct autofs_dev_ioctl *param)
182
{
183
	param->protosubver.sub_version = sbi->sub_version;
184
	return 0;
185
}
186

187
/* Find the topmost mount satisfying test() */
188
static int find_autofs_mount(const char *pathname,
189
			     struct path *res,
190
			     int test(const struct path *path, void *data),
191
			     void *data)
192
{
193
	struct path path;
194
	int err;
195

196
	err = kern_path(pathname, LOOKUP_MOUNTPOINT, &path);
197
	if (err)
198
		return err;
199
	err = -ENOENT;
200
	while (path.dentry == path.mnt->mnt_root) {
201
		if (path.dentry->d_sb->s_magic == AUTOFS_SUPER_MAGIC) {
202
			if (test(&path, data)) {
203
				path_get(&path);
204
				*res = path;
205
				err = 0;
206
				break;
207
			}
208
		}
209
		if (!follow_up(&path))
210
			break;
211
	}
212
	path_put(&path);
213
	return err;
214
}
215

216
static int test_by_dev(const struct path *path, void *p)
217
{
218
	return path->dentry->d_sb->s_dev == *(dev_t *)p;
219
}
220

221
static int test_by_type(const struct path *path, void *p)
222
{
223
	struct autofs_info *ino = autofs_dentry_ino(path->dentry);
224

225
	return ino && ino->sbi->type & *(unsigned *)p;
226
}
227

228
/*
229
 * Open a file descriptor on the autofs mount point corresponding
230
 * to the given path and device number (aka. new_encode_dev(sb->s_dev)).
231
 */
232
static int autofs_dev_ioctl_open_mountpoint(const char *name, dev_t devid)
233
{
234
	struct path path __free(path_put) = {};
235
	int err;
236

237
	err = find_autofs_mount(name, &path, test_by_dev, &devid);
238
	if (err)
239
		return err;
240

241
	return FD_ADD(O_CLOEXEC, dentry_open(&path, O_RDONLY, current_cred()));
242
}
243

244
/* Open a file descriptor on an autofs mount point */
245
static int autofs_dev_ioctl_openmount(struct file *fp,
246
				      struct autofs_sb_info *sbi,
247
				      struct autofs_dev_ioctl *param)
248
{
249
	const char *path;
250
	dev_t devid;
251
	int err, fd;
252

253
	/* param->path has been checked in validate_dev_ioctl() */
254

255
	if (!param->openmount.devid)
256
		return -EINVAL;
257

258
	param->ioctlfd = -1;
259

260
	path = param->path;
261
	devid = new_decode_dev(param->openmount.devid);
262

263
	err = 0;
264
	fd = autofs_dev_ioctl_open_mountpoint(path, devid);
265
	if (unlikely(fd < 0)) {
266
		err = fd;
267
		goto out;
268
	}
269

270
	param->ioctlfd = fd;
271
out:
272
	return err;
273
}
274

275
/* Close file descriptor allocated above (user can also use close(2)). */
276
static int autofs_dev_ioctl_closemount(struct file *fp,
277
				       struct autofs_sb_info *sbi,
278
				       struct autofs_dev_ioctl *param)
279
{
280
	return close_fd(param->ioctlfd);
281
}
282

283
/*
284
 * Send "ready" status for an existing wait (either a mount or an expire
285
 * request).
286
 */
287
static int autofs_dev_ioctl_ready(struct file *fp,
288
				  struct autofs_sb_info *sbi,
289
				  struct autofs_dev_ioctl *param)
290
{
291
	autofs_wqt_t token;
292

293
	token = (autofs_wqt_t) param->ready.token;
294
	return autofs_wait_release(sbi, token, 0);
295
}
296

297
/*
298
 * Send "fail" status for an existing wait (either a mount or an expire
299
 * request).
300
 */
301
static int autofs_dev_ioctl_fail(struct file *fp,
302
				 struct autofs_sb_info *sbi,
303
				 struct autofs_dev_ioctl *param)
304
{
305
	autofs_wqt_t token;
306
	int status;
307

308
	token = (autofs_wqt_t) param->fail.token;
309
	status = param->fail.status < 0 ? param->fail.status : -ENOENT;
310
	return autofs_wait_release(sbi, token, status);
311
}
312

313
/*
314
 * Set the pipe fd for kernel communication to the daemon.
315
 *
316
 * Normally this is set at mount using an option but if we
317
 * are reconnecting to a busy mount then we need to use this
318
 * to tell the autofs mount about the new kernel pipe fd. In
319
 * order to protect mounts against incorrectly setting the
320
 * pipefd we also require that the autofs mount be catatonic.
321
 *
322
 * This also sets the process group id used to identify the
323
 * controlling process (eg. the owning automount(8) daemon).
324
 */
325
static int autofs_dev_ioctl_setpipefd(struct file *fp,
326
				      struct autofs_sb_info *sbi,
327
				      struct autofs_dev_ioctl *param)
328
{
329
	int pipefd;
330
	int err = 0;
331
	struct pid *new_pid = NULL;
332

333
	if (param->setpipefd.pipefd == -1)
334
		return -EINVAL;
335

336
	pipefd = param->setpipefd.pipefd;
337

338
	mutex_lock(&sbi->wq_mutex);
339
	if (!(sbi->flags & AUTOFS_SBI_CATATONIC)) {
340
		mutex_unlock(&sbi->wq_mutex);
341
		return -EBUSY;
342
	} else {
343
		struct file *pipe;
344

345
		new_pid = get_task_pid(current, PIDTYPE_PGID);
346

347
		if (ns_of_pid(new_pid) != ns_of_pid(sbi->oz_pgrp)) {
348
			pr_warn("not allowed to change PID namespace\n");
349
			err = -EINVAL;
350
			goto out;
351
		}
352

353
		pipe = fget(pipefd);
354
		if (!pipe) {
355
			err = -EBADF;
356
			goto out;
357
		}
358
		if (autofs_prepare_pipe(pipe) < 0) {
359
			err = -EPIPE;
360
			fput(pipe);
361
			goto out;
362
		}
363
		swap(sbi->oz_pgrp, new_pid);
364
		sbi->pipefd = pipefd;
365
		sbi->pipe = pipe;
366
		sbi->mnt_ns_id = to_ns_common(current->nsproxy->mnt_ns)->ns_id;
367
		sbi->flags &= ~AUTOFS_SBI_CATATONIC;
368
	}
369
out:
370
	put_pid(new_pid);
371
	mutex_unlock(&sbi->wq_mutex);
372
	return err;
373
}
374

375
/*
376
 * Make the autofs mount point catatonic, no longer responsive to
377
 * mount requests. Also closes the kernel pipe file descriptor.
378
 */
379
static int autofs_dev_ioctl_catatonic(struct file *fp,
380
				      struct autofs_sb_info *sbi,
381
				      struct autofs_dev_ioctl *param)
382
{
383
	autofs_catatonic_mode(sbi);
384
	return 0;
385
}
386

387
/*
388
 * Set the autofs mount expire timeout.
389
 *
390
 * There are two places an expire timeout can be set, in the autofs
391
 * super block info. (this is all that's needed for direct and offset
392
 * mounts because there's a distinct mount corresponding to each of
393
 * these) and per-dentry within within the dentry info. If a per-dentry
394
 * timeout is set it will override the expire timeout set in the parent
395
 * autofs super block info.
396
 *
397
 * If setting the autofs super block expire timeout the autofs_dev_ioctl
398
 * size field will be equal to the autofs_dev_ioctl structure size. If
399
 * setting the per-dentry expire timeout the mount point name is passed
400
 * in the autofs_dev_ioctl path field and the size field updated to
401
 * reflect this.
402
 *
403
 * Setting the autofs mount expire timeout sets the timeout in the super
404
 * block info. struct. Setting the per-dentry timeout does a little more.
405
 * If the timeout is equal to -1 the per-dentry timeout (and flag) is
406
 * cleared which reverts to using the super block timeout, otherwise if
407
 * timeout is 0 the timeout is set to this value and the flag is left
408
 * set which disables expiration for the mount point, lastly the flag
409
 * and the timeout are set enabling the dentry to use this timeout.
410
 */
411
static int autofs_dev_ioctl_timeout(struct file *fp,
412
				    struct autofs_sb_info *sbi,
413
				    struct autofs_dev_ioctl *param)
414
{
415
	unsigned long timeout = param->timeout.timeout;
416

417
	/* If setting the expire timeout for an individual indirect
418
	 * mount point dentry the mount trailing component path is
419
	 * placed in param->path and param->size adjusted to account
420
	 * for it otherwise param->size it is set to the structure
421
	 * size.
422
	 */
423
	if (param->size == AUTOFS_DEV_IOCTL_SIZE) {
424
		param->timeout.timeout = sbi->exp_timeout / HZ;
425
		sbi->exp_timeout = timeout * HZ;
426
	} else {
427
		struct dentry *base = fp->f_path.dentry;
428
		int path_len = param->size - AUTOFS_DEV_IOCTL_SIZE - 1;
429
		struct dentry *dentry;
430
		struct autofs_info *ino;
431

432
		if (!autofs_type_indirect(sbi->type))
433
			return -EINVAL;
434

435
		dentry = try_lookup_noperm(&QSTR_LEN(param->path, path_len),
436
					   base);
437
		if (IS_ERR_OR_NULL(dentry))
438
			return dentry ? PTR_ERR(dentry) : -ENOENT;
439
		ino = autofs_dentry_ino(dentry);
440
		if (!ino) {
441
			dput(dentry);
442
			return -ENOENT;
443
		}
444

445
		if (ino->exp_timeout && ino->flags & AUTOFS_INF_EXPIRE_SET)
446
			param->timeout.timeout = ino->exp_timeout / HZ;
447
		else
448
			param->timeout.timeout = sbi->exp_timeout / HZ;
449

450
		if (timeout == -1) {
451
			/* Revert to using the super block timeout */
452
			ino->flags &= ~AUTOFS_INF_EXPIRE_SET;
453
			ino->exp_timeout = 0;
454
		} else {
455
			/* Set the dentry expire flag and timeout.
456
			 *
457
			 * If timeout is 0 it will prevent the expire
458
			 * of this particular automount.
459
			 */
460
			ino->flags |= AUTOFS_INF_EXPIRE_SET;
461
			ino->exp_timeout = timeout * HZ;
462
		}
463

464
		/* An expire timeout greater than the superblock timeout
465
		 * could be a problem at shutdown but the super block
466
		 * timeout itself can change so all we can really do is
467
		 * warn the user.
468
		 */
469
		if (ino->flags & AUTOFS_INF_EXPIRE_SET &&
470
		    ino->exp_timeout > sbi->exp_timeout)
471
			pr_warn("per-mount expire timeout is greater than "
472
				"the parent autofs mount timeout which could "
473
				"prevent shutdown\n");
474

475
		dput(dentry);
476
	}
477

478
	return 0;
479
}
480

481
/*
482
 * Return the uid and gid of the last request for the mount
483
 *
484
 * When reconstructing an autofs mount tree with active mounts
485
 * we need to re-connect to mounts that may have used the original
486
 * process uid and gid (or string variations of them) for mount
487
 * lookups within the map entry.
488
 */
489
static int autofs_dev_ioctl_requester(struct file *fp,
490
				      struct autofs_sb_info *sbi,
491
				      struct autofs_dev_ioctl *param)
492
{
493
	struct autofs_info *ino;
494
	struct path path;
495
	dev_t devid;
496
	int err = -ENOENT;
497

498
	/* param->path has been checked in validate_dev_ioctl() */
499

500
	devid = sbi->sb->s_dev;
501

502
	param->requester.uid = param->requester.gid = -1;
503

504
	err = find_autofs_mount(param->path, &path, test_by_dev, &devid);
505
	if (err)
506
		goto out;
507

508
	ino = autofs_dentry_ino(path.dentry);
509
	if (ino) {
510
		err = 0;
511
		autofs_expire_wait(&path, 0);
512
		spin_lock(&sbi->fs_lock);
513
		param->requester.uid =
514
			from_kuid_munged(current_user_ns(), ino->uid);
515
		param->requester.gid =
516
			from_kgid_munged(current_user_ns(), ino->gid);
517
		spin_unlock(&sbi->fs_lock);
518
	}
519
	path_put(&path);
520
out:
521
	return err;
522
}
523

524
/*
525
 * Call repeatedly until it returns -EAGAIN, meaning there's nothing
526
 * more that can be done.
527
 */
528
static int autofs_dev_ioctl_expire(struct file *fp,
529
				   struct autofs_sb_info *sbi,
530
				   struct autofs_dev_ioctl *param)
531
{
532
	struct vfsmount *mnt;
533
	int how;
534

535
	how = param->expire.how;
536
	mnt = fp->f_path.mnt;
537

538
	return autofs_do_expire_multi(sbi->sb, mnt, sbi, how);
539
}
540

541
/* Check if autofs mount point is in use */
542
static int autofs_dev_ioctl_askumount(struct file *fp,
543
				      struct autofs_sb_info *sbi,
544
				      struct autofs_dev_ioctl *param)
545
{
546
	param->askumount.may_umount = 0;
547
	if (may_umount(fp->f_path.mnt))
548
		param->askumount.may_umount = 1;
549
	return 0;
550
}
551

552
/*
553
 * Check if the given path is a mountpoint.
554
 *
555
 * If we are supplied with the file descriptor of an autofs
556
 * mount we're looking for a specific mount. In this case
557
 * the path is considered a mountpoint if it is itself a
558
 * mountpoint or contains a mount, such as a multi-mount
559
 * without a root mount. In this case we return 1 if the
560
 * path is a mount point and the super magic of the covering
561
 * mount if there is one or 0 if it isn't a mountpoint.
562
 *
563
 * If we aren't supplied with a file descriptor then we
564
 * lookup the path and check if it is the root of a mount.
565
 * If a type is given we are looking for a particular autofs
566
 * mount and if we don't find a match we return fail. If the
567
 * located path is the root of a mount we return 1 along with
568
 * the super magic of the mount or 0 otherwise.
569
 *
570
 * In both cases the device number (as returned by
571
 * new_encode_dev()) is also returned.
572
 */
573
static int autofs_dev_ioctl_ismountpoint(struct file *fp,
574
					 struct autofs_sb_info *sbi,
575
					 struct autofs_dev_ioctl *param)
576
{
577
	struct path path;
578
	const char *name;
579
	unsigned int type;
580
	unsigned int devid, magic;
581
	int err = -ENOENT;
582

583
	/* param->path has been checked in validate_dev_ioctl() */
584

585
	name = param->path;
586
	type = param->ismountpoint.in.type;
587

588
	param->ismountpoint.out.devid = devid = 0;
589
	param->ismountpoint.out.magic = magic = 0;
590

591
	if (!fp || param->ioctlfd == -1) {
592
		if (autofs_type_any(type))
593
			err = kern_path(name, LOOKUP_FOLLOW | LOOKUP_MOUNTPOINT,
594
					&path);
595
		else
596
			err = find_autofs_mount(name, &path,
597
						test_by_type, &type);
598
		if (err)
599
			goto out;
600
		devid = new_encode_dev(path.dentry->d_sb->s_dev);
601
		err = 0;
602
		if (path.mnt->mnt_root == path.dentry) {
603
			err = 1;
604
			magic = path.dentry->d_sb->s_magic;
605
		}
606
	} else {
607
		dev_t dev = sbi->sb->s_dev;
608

609
		err = find_autofs_mount(name, &path, test_by_dev, &dev);
610
		if (err)
611
			goto out;
612

613
		devid = new_encode_dev(dev);
614

615
		err = path_has_submounts(&path);
616

617
		if (follow_down_one(&path))
618
			magic = path.dentry->d_sb->s_magic;
619
	}
620

621
	param->ismountpoint.out.devid = devid;
622
	param->ismountpoint.out.magic = magic;
623
	path_put(&path);
624
out:
625
	return err;
626
}
627

628
/*
629
 * Our range of ioctl numbers isn't 0 based so we need to shift
630
 * the array index by _IOC_NR(AUTOFS_CTL_IOC_FIRST) for the table
631
 * lookup.
632
 */
633
#define cmd_idx(cmd)	(cmd - _IOC_NR(AUTOFS_DEV_IOCTL_IOC_FIRST))
634

635
static ioctl_fn lookup_dev_ioctl(unsigned int cmd)
636
{
637
	static const ioctl_fn _ioctls[] = {
638
		autofs_dev_ioctl_version,
639
		autofs_dev_ioctl_protover,
640
		autofs_dev_ioctl_protosubver,
641
		autofs_dev_ioctl_openmount,
642
		autofs_dev_ioctl_closemount,
643
		autofs_dev_ioctl_ready,
644
		autofs_dev_ioctl_fail,
645
		autofs_dev_ioctl_setpipefd,
646
		autofs_dev_ioctl_catatonic,
647
		autofs_dev_ioctl_timeout,
648
		autofs_dev_ioctl_requester,
649
		autofs_dev_ioctl_expire,
650
		autofs_dev_ioctl_askumount,
651
		autofs_dev_ioctl_ismountpoint,
652
	};
653
	unsigned int idx = cmd_idx(cmd);
654

655
	if (idx >= ARRAY_SIZE(_ioctls))
656
		return NULL;
657
	idx = array_index_nospec(idx, ARRAY_SIZE(_ioctls));
658
	return _ioctls[idx];
659
}
660

661
/* ioctl dispatcher */
662
static int _autofs_dev_ioctl(unsigned int command,
663
			     struct autofs_dev_ioctl __user *user)
664
{
665
	struct autofs_dev_ioctl *param;
666
	struct file *fp;
667
	struct autofs_sb_info *sbi;
668
	unsigned int cmd_first, cmd;
669
	ioctl_fn fn = NULL;
670
	int err = 0;
671

672
	cmd_first = _IOC_NR(AUTOFS_DEV_IOCTL_IOC_FIRST);
673
	cmd = _IOC_NR(command);
674

675
	if (_IOC_TYPE(command) != _IOC_TYPE(AUTOFS_DEV_IOCTL_IOC_FIRST) ||
676
	    cmd - cmd_first > AUTOFS_DEV_IOCTL_IOC_COUNT) {
677
		return -ENOTTY;
678
	}
679

680
	/* Only root can use ioctls other than AUTOFS_DEV_IOCTL_VERSION_CMD
681
	 * and AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD
682
	 */
683
	if (cmd != AUTOFS_DEV_IOCTL_VERSION_CMD &&
684
	    cmd != AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD &&
685
	    !capable(CAP_SYS_ADMIN))
686
		return -EPERM;
687

688
	/* Copy the parameters into kernel space. */
689
	param = copy_dev_ioctl(user);
690
	if (IS_ERR(param))
691
		return PTR_ERR(param);
692

693
	err = validate_dev_ioctl(command, param);
694
	if (err)
695
		goto out;
696

697
	fn = lookup_dev_ioctl(cmd);
698
	if (!fn) {
699
		pr_warn("unknown command 0x%08x\n", command);
700
		err = -ENOTTY;
701
		goto out;
702
	}
703

704
	fp = NULL;
705
	sbi = NULL;
706

707
	/*
708
	 * For obvious reasons the openmount can't have a file
709
	 * descriptor yet. We don't take a reference to the
710
	 * file during close to allow for immediate release,
711
	 * and the same for retrieving ioctl version.
712
	 */
713
	if (cmd != AUTOFS_DEV_IOCTL_VERSION_CMD &&
714
	    cmd != AUTOFS_DEV_IOCTL_OPENMOUNT_CMD &&
715
	    cmd != AUTOFS_DEV_IOCTL_CLOSEMOUNT_CMD) {
716
		struct super_block *sb;
717

718
		fp = fget(param->ioctlfd);
719
		if (!fp) {
720
			if (cmd == AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD)
721
				goto cont;
722
			err = -EBADF;
723
			goto out;
724
		}
725

726
		sb = file_inode(fp)->i_sb;
727
		if (sb->s_type != &autofs_fs_type) {
728
			err = -EINVAL;
729
			fput(fp);
730
			goto out;
731
		}
732
		sbi = autofs_sbi(sb);
733

734
		/*
735
		 * Admin needs to be able to set the mount catatonic in
736
		 * order to be able to perform the re-open.
737
		 */
738
		if (!autofs_oz_mode(sbi) &&
739
		    cmd != AUTOFS_DEV_IOCTL_CATATONIC_CMD) {
740
			err = -EACCES;
741
			fput(fp);
742
			goto out;
743
		}
744
	}
745
cont:
746
	err = fn(fp, sbi, param);
747

748
	if (fp)
749
		fput(fp);
750
	if (err >= 0 && copy_to_user(user, param, AUTOFS_DEV_IOCTL_SIZE))
751
		err = -EFAULT;
752
out:
753
	free_dev_ioctl(param);
754
	return err;
755
}
756

757
static long autofs_dev_ioctl(struct file *file, unsigned int command,
758
			     unsigned long u)
759
{
760
	int err;
761

762
	err = _autofs_dev_ioctl(command, (struct autofs_dev_ioctl __user *) u);
763
	return (long) err;
764
}
765

766
#ifdef CONFIG_COMPAT
767
static long autofs_dev_ioctl_compat(struct file *file, unsigned int command,
768
				    unsigned long u)
769
{
770
	return autofs_dev_ioctl(file, command, (unsigned long) compat_ptr(u));
771
}
772
#else
773
#define autofs_dev_ioctl_compat NULL
774
#endif
775

776
static const struct file_operations _dev_ioctl_fops = {
777
	.unlocked_ioctl	 = autofs_dev_ioctl,
778
	.compat_ioctl = autofs_dev_ioctl_compat,
779
	.owner	 = THIS_MODULE,
780
	.llseek = noop_llseek,
781
};
782

783
static struct miscdevice _autofs_dev_ioctl_misc = {
784
	.minor		= AUTOFS_MINOR,
785
	.name		= AUTOFS_DEVICE_NAME,
786
	.fops		= &_dev_ioctl_fops,
787
	.mode           = 0644,
788
};
789

790
MODULE_ALIAS_MISCDEV(AUTOFS_MINOR);
791
MODULE_ALIAS("devname:autofs");
792

793
/* Register/deregister misc character device */
794
int __init autofs_dev_ioctl_init(void)
795
{
796
	int r;
797

798
	r = misc_register(&_autofs_dev_ioctl_misc);
799
	if (r) {
800
		pr_err("misc_register failed for control device\n");
801
		return r;
802
	}
803

804
	return 0;
805
}
806

807
void autofs_dev_ioctl_exit(void)
808
{
809
	misc_deregister(&_autofs_dev_ioctl_misc);
810
}
811

812