1 /*
2  * Copyright 2008 Red Hat, Inc. All rights reserved.
3  * Copyright 2008 Ian Kent <raven@themaw.net>
4  *
5  * This file is part of the Linux kernel and is made available under
6  * the terms of the GNU General Public License, version 2, or at your
7  * option, any later version, incorporated herein by reference.
8  */
9 
10 #include <linux/miscdevice.h>
11 #include <linux/compat.h>
12 #include <linux/syscalls.h>
13 #include <linux/magic.h>
14 
15 #include "autofs_i.h"
16 
/*
 * This module implements an interface for routing autofs ioctl control
 * commands via a miscellaneous device file.
 *
 * The alternate interface is needed because we need to be able to open
 * an ioctl file descriptor on an autofs mount that may be covered by
 * another mount. This situation arises when starting automount(8)
 * or other user space daemon which uses direct mounts or offset
 * mounts (used for autofs lazy mount/umount of nested mount trees),
 * which have been left busy at service shutdown.
 */
28 
/*
 * Signature shared by every command handler in this file. The dispatcher
 * passes the file opened on the autofs mount and its super block info
 * (both may be NULL for some commands) plus the kernel copy of the
 * user's parameter block.
 */
typedef int (*ioctl_fn)(struct file *fp, struct autofs_sb_info *sbi,
			struct autofs_dev_ioctl *param);
31 
/*
 * Minimal sanity check on a user supplied path: it must contain at least
 * one '/'. The caller must already have confirmed that name is NUL
 * terminated, because strchr() scans until it meets a terminator.
 *
 * Returns 0 if a '/' is present, -EINVAL otherwise.
 */
static int check_name(const char *name)
{
	return strchr(name, '/') ? 0 : -EINVAL;
}
38 
/*
 * Confirm that a string copied in from user land has a NUL terminator
 * within its first size bytes, so later string handling cannot run past
 * the end of the copied chunk of memory.
 *
 * Returns 0 when a terminator is found, -EINVAL when it is missing.
 */
static int invalid_str(char *str, size_t size)
{
	return memchr(str, 0, size) ? 0 : -EINVAL;
}
49 
/*
 * Check that the caller was built against a compatible version of the
 * autofs misc device interface: the major number must match exactly and
 * the caller's minor number must not be newer than the kernel's.
 *
 * Whatever the outcome, the kernel interface version is written back
 * into param so the caller can see what the kernel implements.
 *
 * Returns 0 when compatible, -EINVAL (after logging) on a mismatch.
 */
static int check_dev_ioctl_version(int cmd, struct autofs_dev_ioctl *param)
{
	int ret = 0;

	if (param->ver_major != AUTOFS_DEV_IOCTL_VERSION_MAJOR)
		ret = -EINVAL;
	else if (param->ver_minor > AUTOFS_DEV_IOCTL_VERSION_MINOR)
		ret = -EINVAL;

	/* Log before the user supplied values are overwritten below. */
	if (ret)
		pr_warn("ioctl control interface version mismatch: "
			"kernel(%u.%u), user(%u.%u), cmd(0x%08x)\n",
			AUTOFS_DEV_IOCTL_VERSION_MAJOR,
			AUTOFS_DEV_IOCTL_VERSION_MINOR,
			param->ver_major, param->ver_minor, cmd);

	/* Fill in the kernel version. */
	param->ver_major = AUTOFS_DEV_IOCTL_VERSION_MAJOR;
	param->ver_minor = AUTOFS_DEV_IOCTL_VERSION_MINOR;

	return ret;
}
77 
/*
 * Copy the parameter control struct from user space, including a possible
 * path appended to the end of the struct.
 *
 * User memory is read twice: first the fixed-size header, to learn and
 * bound the total size, then the whole block. The memory may change
 * between the two reads, so the size field of the second copy is replaced
 * with the value that was actually validated and used for the allocation.
 * Every other field is only ever checked on the final copy.
 *
 * Returns the kernel copy (release with free_dev_ioctl()) or an ERR_PTR:
 * -EFAULT if the header cannot be read, -EINVAL if size is smaller than
 * the header, -ENAMETOOLONG if it exceeds the header plus PATH_MAX, or
 * whatever error memdup_user() reports.
 */
static struct autofs_dev_ioctl *
copy_dev_ioctl(struct autofs_dev_ioctl __user *in)
{
	struct autofs_dev_ioctl hdr;
	struct autofs_dev_ioctl *copy;

	if (copy_from_user(&hdr, in, AUTOFS_DEV_IOCTL_SIZE))
		return ERR_PTR(-EFAULT);

	/* Bound the user controlled length before it sizes an allocation. */
	if (hdr.size < AUTOFS_DEV_IOCTL_SIZE)
		return ERR_PTR(-EINVAL);
	if (hdr.size > AUTOFS_DEV_IOCTL_SIZE + PATH_MAX)
		return ERR_PTR(-ENAMETOOLONG);

	copy = memdup_user(in, hdr.size);
	if (IS_ERR(copy))
		return copy;

	/* Do not trust the size fetched the second time around. */
	copy->size = hdr.size;
	return copy;
}
102 
/* Release a parameter block obtained from copy_dev_ioctl(). */
static inline void free_dev_ioctl(struct autofs_dev_ioctl *param)
{
	kfree(param);
}
107 
/*
 * Check sanity of the parameter control fields. If a path is present
 * (size is larger than the fixed header) check that it is terminated
 * within the copied buffer and contains at least one "/". If no path is
 * present, reject the commands that cannot work without one.
 *
 * cmd is the full ioctl command word. The subtraction below cannot
 * underflow because it is only done when size exceeds the header size;
 * the upper bound on size is the job of whoever copied the block in
 * (copy_dev_ioctl() in this file).
 *
 * Returns 0 if the block is acceptable, -EINVAL otherwise.
 */
static int validate_dev_ioctl(int cmd, struct autofs_dev_ioctl *param)
{
	unsigned int inr;
	int err;

	err = check_dev_ioctl_version(cmd, param);
	if (err) {
		pr_warn("invalid device control module version "
			"supplied for cmd(0x%08x)\n", cmd);
		return err;
	}

	if (param->size <= AUTOFS_DEV_IOCTL_SIZE) {
		/* No path supplied: these commands dereference param->path. */
		inr = _IOC_NR(cmd);
		if (inr == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD ||
		    inr == AUTOFS_DEV_IOCTL_REQUESTER_CMD ||
		    inr == AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD)
			return -EINVAL;
		return 0;
	}

	/* The terminator check must come first; check_name() relies on it. */
	err = invalid_str(param->path, param->size - AUTOFS_DEV_IOCTL_SIZE);
	if (err) {
		pr_warn(
		  "path string terminator missing for cmd(0x%08x)\n",
		  cmd);
		return err;
	}

	err = check_name(param->path);
	if (err) {
		pr_warn("invalid path supplied for cmd(0x%08x)\n",
			cmd);
		return err;
	}

	return 0;
}
153 
/*
 * Get the autofs super block info struct from the file opened on
 * the autofs mount point. Returns NULL when no file is given; otherwise
 * returns whatever autofs_sbi() yields for the file's super block.
 *
 * NOTE(review): f may be any descriptor the caller supplied; whether a
 * non-autofs super block is rejected here depends on autofs_sbi(), which
 * is defined elsewhere. The dispatcher additionally checks sbi->magic.
 */
static struct autofs_sb_info *autofs_dev_ioctl_sbi(struct file *f)
{
	if (!f)
		return NULL;

	return autofs_sbi(file_inode(f)->i_sb);
}
169 
/*
 * Return autofs dev ioctl version.
 *
 * fp and sbi are unused. Always returns 0.
 */
static int autofs_dev_ioctl_version(struct file *fp,
				    struct autofs_sb_info *sbi,
				    struct autofs_dev_ioctl *param)
{
	/*
	 * check_dev_ioctl_version() writes the same values during
	 * validation, so this should already have been set.
	 */
	param->ver_minor = AUTOFS_DEV_IOCTL_VERSION_MINOR;
	param->ver_major = AUTOFS_DEV_IOCTL_VERSION_MAJOR;
	return 0;
}
180 
/*
 * Return autofs module protocol version, as recorded in the super block
 * info of the mount the ioctl fd refers to. fp is unused. Always
 * returns 0.
 */
static int autofs_dev_ioctl_protover(struct file *fp,
				     struct autofs_sb_info *sbi,
				     struct autofs_dev_ioctl *param)
{
	param->protover.version = sbi->version;

	return 0;
}
189 
/*
 * Return autofs module protocol sub version, as recorded in the super
 * block info of the mount the ioctl fd refers to. fp is unused. Always
 * returns 0.
 */
static int autofs_dev_ioctl_protosubver(struct file *fp,
					struct autofs_sb_info *sbi,
					struct autofs_dev_ioctl *param)
{
	param->protosubver.sub_version = sbi->sub_version;

	return 0;
}
198 
/*
 * Find the topmost mount satisfying test().
 *
 * Looks up pathname, then walks upwards with follow_up() for as long as
 * the current position is the root of a mount. The first autofs mount
 * for which test(&path, data) is non-zero is stored in *res.
 *
 * On success (return 0) *res holds its own reference, taken with
 * path_get(), which the caller must drop with path_put(). The walker's
 * reference is always dropped here. Returns the lookup error, or -ENOENT
 * when no mount matched.
 */
static int find_autofs_mount(const char *pathname,
			     struct path *res,
			     int test(const struct path *path, void *data),
			     void *data)
{
	struct path cur;
	int ret;

	ret = kern_path_mountpoint(AT_FDCWD, pathname, &cur, 0);
	if (ret)
		return ret;

	ret = -ENOENT;
	while (cur.dentry == cur.mnt->mnt_root) {
		const bool is_autofs =
			cur.dentry->d_sb->s_magic == AUTOFS_SUPER_MAGIC;

		/* test() is only ever called on autofs mounts. */
		if (is_autofs && test(&cur, data)) {
			path_get(&cur);
			*res = cur;
			ret = 0;
			break;
		}
		if (!follow_up(&cur))
			break;
	}
	path_put(&cur);
	return ret;
}
227 
/*
 * find_autofs_mount() predicate: match the mount whose super block has
 * the device number pointed to by p (a dev_t).
 */
static int test_by_dev(const struct path *path, void *p)
{
	const dev_t *wanted = p;

	return path->dentry->d_sb->s_dev == *wanted;
}
232 
/*
 * find_autofs_mount() predicate: match a mount whose autofs type has at
 * least one bit in common with the mask pointed to by p (an unsigned).
 * A dentry without autofs info never matches.
 */
static int test_by_type(const struct path *path, void *p)
{
	struct autofs_info *ino = autofs_dentry_ino(path->dentry);

	if (!ino)
		return 0;

	return (ino->sbi->type & *(unsigned *)p) != 0;
}
239 
/*
 * Open a file descriptor on the autofs mount point corresponding
 * to the given path and device number (aka. new_encode_dev(sb->s_dev)).
 *
 * The descriptor is reserved first and only installed once the mount has
 * been found and opened, so nothing is published to the caller on the
 * failure paths. It is opened read-only with the caller's credentials
 * and is marked close-on-exec.
 *
 * Returns the new descriptor number, or a negative errno.
 */
static int autofs_dev_ioctl_open_mountpoint(const char *name, dev_t devid)
{
	struct file *filp;
	struct path path;
	int err, fd;

	fd = get_unused_fd_flags(O_CLOEXEC);
	if (unlikely(fd < 0))
		return fd;

	err = find_autofs_mount(name, &path, test_by_dev, &devid);
	if (err)
		goto out_put_fd;

	filp = dentry_open(&path, O_RDONLY, current_cred());
	/* The reference taken by find_autofs_mount() is no longer needed. */
	path_put(&path);
	if (IS_ERR(filp)) {
		err = PTR_ERR(filp);
		goto out_put_fd;
	}

	fd_install(fd, filp);
	return fd;

out_put_fd:
	put_unused_fd(fd);
	return err;
}
273 
/*
 * Open a file descriptor on an autofs mount point.
 *
 * param->path has been checked in validate_dev_ioctl(). A zero device
 * id is rejected with -EINVAL. On success the new descriptor is returned
 * in param->ioctlfd; on failure param->ioctlfd is left at -1 and the
 * negative errno is returned. fp and sbi are unused.
 */
static int autofs_dev_ioctl_openmount(struct file *fp,
				      struct autofs_sb_info *sbi,
				      struct autofs_dev_ioctl *param)
{
	dev_t devid;
	int fd;

	if (!param->openmount.devid)
		return -EINVAL;

	param->ioctlfd = -1;

	devid = new_decode_dev(param->openmount.devid);
	fd = autofs_dev_ioctl_open_mountpoint(param->path, devid);
	if (unlikely(fd < 0))
		return fd;

	param->ioctlfd = fd;
	return 0;
}
304 
/*
 * Close file descriptor allocated by the openmount command (user can
 * also use close(2)).
 *
 * The descriptor number is taken as-is from the user's parameter block.
 * The dispatcher does not look the descriptor up for this command, so
 * nothing here confirms that it refers to an autofs mount: whichever
 * descriptor of the calling process has that number is closed. The
 * dispatcher only lets CAP_SYS_ADMIN callers reach this handler.
 * fp and sbi are unused.
 */
static int autofs_dev_ioctl_closemount(struct file *fp,
				       struct autofs_sb_info *sbi,
				       struct autofs_dev_ioctl *param)
{
	return ksys_close(param->ioctlfd);
}
312 
/*
 * Send "ready" status for an existing wait (either a mount or an expire
 * request), identified by the wait queue token in param->ready.token.
 * Returns the result of autofs_wait_release(). fp is unused.
 */
static int autofs_dev_ioctl_ready(struct file *fp,
				  struct autofs_sb_info *sbi,
				  struct autofs_dev_ioctl *param)
{
	autofs_wqt_t token = (autofs_wqt_t) param->ready.token;

	return autofs_wait_release(sbi, token, 0);
}
326 
/*
 * Send "fail" status for an existing wait (either a mount or an expire
 * request), identified by the wait queue token in param->fail.token.
 *
 * Only a negative status from the caller is passed through; anything
 * else is replaced by -ENOENT so a failure can never be reported as
 * success. Returns the result of autofs_wait_release(). fp is unused.
 */
static int autofs_dev_ioctl_fail(struct file *fp,
				 struct autofs_sb_info *sbi,
				 struct autofs_dev_ioctl *param)
{
	autofs_wqt_t token = (autofs_wqt_t) param->fail.token;
	int status = -ENOENT;

	if (param->fail.status < 0)
		status = param->fail.status;

	return autofs_wait_release(sbi, token, status);
}
342 
/*
 * Set the pipe fd for kernel communication to the daemon.
 *
 * Normally this is set at mount using an option but if we
 * are reconnecting to a busy mount then we need to use this
 * to tell the autofs mount about the new kernel pipe fd. In
 * order to protect mounts against incorrectly setting the
 * pipefd we also require that the autofs mount be catatonic.
 *
 * This also sets the process group id used to identify the
 * controlling process (eg. the owning automount(8) daemon).
 * The caller's process group must be in the same PID namespace
 * as the current controlling process group.
 *
 * Returns 0 on success, -EINVAL for a pipefd of -1 or a PID namespace
 * change, -EBUSY if the mount is not catatonic, -EBADF if pipefd is not
 * an open descriptor, -EPIPE if autofs_prepare_pipe() rejects it.
 * fp is unused.
 */
static int autofs_dev_ioctl_setpipefd(struct file *fp,
				      struct autofs_sb_info *sbi,
				      struct autofs_dev_ioctl *param)
{
	struct pid *new_pid = NULL;
	struct file *pipe;
	int pipefd;
	int err = 0;

	if (param->setpipefd.pipefd == -1)
		return -EINVAL;

	pipefd = param->setpipefd.pipefd;

	/* The catatonic test and the update below are done under wq_mutex. */
	mutex_lock(&sbi->wq_mutex);
	if (!sbi->catatonic) {
		mutex_unlock(&sbi->wq_mutex);
		return -EBUSY;
	}

	new_pid = get_task_pid(current, PIDTYPE_PGID);

	if (ns_of_pid(new_pid) != ns_of_pid(sbi->oz_pgrp)) {
		pr_warn("not allowed to change PID namespace\n");
		err = -EINVAL;
		goto out;
	}

	pipe = fget(pipefd);
	if (!pipe) {
		err = -EBADF;
		goto out;
	}
	if (autofs_prepare_pipe(pipe) < 0) {
		err = -EPIPE;
		fput(pipe);
		goto out;
	}

	/*
	 * After the swap new_pid holds the previous controlling process
	 * group, so the put_pid() below drops the old reference on success
	 * and the unused new one on failure.
	 */
	swap(sbi->oz_pgrp, new_pid);
	sbi->pipefd = pipefd;
	sbi->pipe = pipe;
	sbi->catatonic = 0;
out:
	put_pid(new_pid);
	mutex_unlock(&sbi->wq_mutex);
	return err;
}
403 
/*
 * Make the autofs mount point catatonic, no longer responsive to
 * mount requests. Also closes the kernel pipe file descriptor.
 *
 * The dispatcher lets this command through even when the caller is not
 * in oz mode for the mount, so that an administrator can perform the
 * re-open. fp and param are unused. Always returns 0.
 */
static int autofs_dev_ioctl_catatonic(struct file *fp,
				      struct autofs_sb_info *sbi,
				      struct autofs_dev_ioctl *param)
{
	autofs_catatonic_mode(sbi);

	return 0;
}
415 
/*
 * Set the autofs mount timeout.
 *
 * The value supplied in param->timeout.timeout is multiplied by HZ and
 * stored as the new expire timeout; the previous timeout, divided by HZ,
 * is handed back in the same field. fp is unused. Always returns 0.
 *
 * NOTE(review): no upper bound is applied before the multiplication by
 * HZ - confirm that wrap-around of a very large value is acceptable.
 */
static int autofs_dev_ioctl_timeout(struct file *fp,
				    struct autofs_sb_info *sbi,
				    struct autofs_dev_ioctl *param)
{
	unsigned long requested = param->timeout.timeout;

	/* Report the old value before it is replaced. */
	param->timeout.timeout = sbi->exp_timeout / HZ;
	sbi->exp_timeout = requested * HZ;

	return 0;
}
428 
/*
 * Return the uid and gid of the last request for the mount
 *
 * When reconstructing an autofs mount tree with active mounts
 * we need to re-connect to mounts that may have used the original
 * process uid and gid (or string variations of them) for mount
 * lookups within the map entry.
 *
 * param->path has been checked in validate_dev_ioctl(). The ids are
 * translated into the caller's user namespace before being returned.
 * fp is unused.
 *
 * Returns 0 once the mount has been found, otherwise the error from
 * find_autofs_mount().
 * NOTE(review): when the mount is found but its dentry has no autofs
 * info, this returns 0 with uid and gid left at -1 - confirm callers
 * expect that rather than an error.
 */
static int autofs_dev_ioctl_requester(struct file *fp,
				      struct autofs_sb_info *sbi,
				      struct autofs_dev_ioctl *param)
{
	struct autofs_info *ino;
	struct path path;
	dev_t devid = sbi->sb->s_dev;
	int err;

	param->requester.uid = param->requester.gid = -1;

	err = find_autofs_mount(param->path, &path, test_by_dev, &devid);
	if (err)
		return err;

	ino = autofs_dentry_ino(path.dentry);
	if (ino) {
		autofs_expire_wait(&path, 0);
		/* uid and gid are read together under fs_lock. */
		spin_lock(&sbi->fs_lock);
		param->requester.uid =
			from_kuid_munged(current_user_ns(), ino->uid);
		param->requester.gid =
			from_kgid_munged(current_user_ns(), ino->gid);
		spin_unlock(&sbi->fs_lock);
	}
	path_put(&path);

	return err;
}
471 
/*
 * Run one expire pass on the mount the ioctl fd refers to, using the
 * mode given in param->expire.how.
 *
 * Call repeatedly until it returns -EAGAIN, meaning there's nothing
 * more that can be done.
 */
static int autofs_dev_ioctl_expire(struct file *fp,
				   struct autofs_sb_info *sbi,
				   struct autofs_dev_ioctl *param)
{
	struct vfsmount *mnt = fp->f_path.mnt;
	int how = param->expire.how;

	return autofs_do_expire_multi(sbi->sb, mnt, sbi, how);
}
488 
/*
 * Check if autofs mount point is in use.
 *
 * param->askumount.may_umount is set to 1 when may_umount() reports
 * that the mount behind the ioctl fd can be unmounted, 0 otherwise.
 * sbi is unused. Always returns 0.
 */
static int autofs_dev_ioctl_askumount(struct file *fp,
				      struct autofs_sb_info *sbi,
				      struct autofs_dev_ioctl *param)
{
	param->askumount.may_umount = may_umount(fp->f_path.mnt) ? 1 : 0;

	return 0;
}
499 
/*
 * Check if the given path is a mountpoint.
 *
 * If we are supplied with the file descriptor of an autofs
 * mount we're looking for a specific mount. In this case
 * the path is considered a mountpoint if it is itself a
 * mountpoint or contains a mount, such as a multi-mount
 * without a root mount. In this case we return 1 if the
 * path is a mount point and the super magic of the covering
 * mount if there is one or 0 if it isn't a mountpoint.
 *
 * If we aren't supplied with a file descriptor then we
 * lookup the path and check if it is the root of a mount.
 * If a type is given we are looking for a particular autofs
 * mount and if we don't find a match we return fail. If the
 * located path is the root of a mount we return 1 along with
 * the super magic of the mount or 0 otherwise.
 *
 * In both cases the device number (as returned by
 * new_encode_dev()) is also returned.
 *
 * The dispatcher allows this command without CAP_SYS_ADMIN and may call
 * it with fp and sbi both NULL; sbi is only dereferenced on the branch
 * where fp is set.
 */
static int autofs_dev_ioctl_ismountpoint(struct file *fp,
					 struct autofs_sb_info *sbi,
					 struct autofs_dev_ioctl *param)
{
	struct path path;
	/*
	 * The requested type is read before the output fields are cleared.
	 * NOTE(review): if the in and out members share storage this order
	 * is required - confirm against the struct definition.
	 */
	unsigned int type = param->ismountpoint.in.type;
	unsigned int devid = 0, magic = 0;
	int err;

	/* param->path has been checked in validate_dev_ioctl() */

	param->ismountpoint.out.devid = 0;
	param->ismountpoint.out.magic = 0;

	if (!fp || param->ioctlfd == -1) {
		/* No ioctl fd: plain path lookup, optionally by type. */
		if (autofs_type_any(type))
			err = kern_path_mountpoint(AT_FDCWD, param->path,
						   &path, LOOKUP_FOLLOW);
		else
			err = find_autofs_mount(param->path, &path,
						test_by_type, &type);
		if (err)
			return err;

		devid = new_encode_dev(path.dentry->d_sb->s_dev);
		if (path.mnt->mnt_root == path.dentry) {
			err = 1;
			magic = path.dentry->d_sb->s_magic;
		}
	} else {
		/* Looking for the specific mount behind the ioctl fd. */
		dev_t dev = sbi->sb->s_dev;

		err = find_autofs_mount(param->path, &path, test_by_dev, &dev);
		if (err)
			return err;

		devid = new_encode_dev(dev);

		err = path_has_submounts(&path);

		/* Report the magic of a covering mount, if there is one. */
		if (follow_down_one(&path))
			magic = path.dentry->d_sb->s_magic;
	}

	param->ismountpoint.out.devid = devid;
	param->ismountpoint.out.magic = magic;
	path_put(&path);

	return err;
}
575 
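/*
 * Our range of ioctl numbers isn't 0 based so we need to shift
 * the array index by _IOC_NR(AUTOFS_DEV_IOCTL_IOC_FIRST) for the
 * table lookup. The argument is parenthesized so that an expression
 * can be passed safely.
 */
#define cmd_idx(cmd)	((cmd) - _IOC_NR(AUTOFS_DEV_IOCTL_IOC_FIRST))

/*
 * Map an ioctl command number (the _IOC_NR() part of the command word)
 * to its handler.
 *
 * The index is unsigned, so a command number below the first one wraps
 * to a large value and is rejected by the same bounds check as a number
 * past the end of the table.
 *
 * Returns the handler, or NULL when cmd has no entry in the table.
 */
static ioctl_fn lookup_dev_ioctl(unsigned int cmd)
{
	/*
	 * The table is never written, so it is const: a read-only handler
	 * table is harder to corrupt than a writable one.
	 * NOTE(review): the entry order presumably mirrors the numbering of
	 * the AUTOFS_DEV_IOCTL_*_CMD values - verify against the header
	 * when adding an entry.
	 */
	static const ioctl_fn _ioctls[] = {
		autofs_dev_ioctl_version,
		autofs_dev_ioctl_protover,
		autofs_dev_ioctl_protosubver,
		autofs_dev_ioctl_openmount,
		autofs_dev_ioctl_closemount,
		autofs_dev_ioctl_ready,
		autofs_dev_ioctl_fail,
		autofs_dev_ioctl_setpipefd,
		autofs_dev_ioctl_catatonic,
		autofs_dev_ioctl_timeout,
		autofs_dev_ioctl_requester,
		autofs_dev_ioctl_expire,
		autofs_dev_ioctl_askumount,
		autofs_dev_ioctl_ismountpoint,
	};
	unsigned int idx = cmd_idx(cmd);

	return (idx >= ARRAY_SIZE(_ioctls)) ? NULL : _ioctls[idx];
}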
605 
/*
 * ioctl dispatcher
 *
 * Order of checks: command type and range, privilege, copy-in of the
 * parameter block, validation of the block, handler lookup, then (for
 * commands that act on an existing mount) resolution and vetting of the
 * ioctl file descriptor. The parameter block is copied back to the user
 * only when the handler returns zero or a positive value.
 *
 * Returns the handler's result, or -ENOTTY for a foreign or unknown
 * command, -EPERM without the needed capability, -EBADF or -EINVAL for a
 * bad ioctl fd, -EACCES when the caller is not in oz mode for the mount,
 * -EFAULT if the result cannot be copied out, or a copy-in/validation
 * error.
 */
static int _autofs_dev_ioctl(unsigned int command,
			     struct autofs_dev_ioctl __user *user)
{
	struct autofs_dev_ioctl *param;
	struct autofs_sb_info *sbi = NULL;
	struct file *fp = NULL;
	unsigned int cmd_first, cmd;
	ioctl_fn fn;
	int err;

	cmd_first = _IOC_NR(AUTOFS_DEV_IOCTL_IOC_FIRST);
	cmd = _IOC_NR(command);

	/*
	 * Unsigned arithmetic: a command number below the first one wraps
	 * and fails the range test. lookup_dev_ioctl() checks the index
	 * against the table size again before it is used.
	 */
	if (_IOC_TYPE(command) != _IOC_TYPE(AUTOFS_DEV_IOCTL_IOC_FIRST) ||
	    cmd - cmd_first > AUTOFS_DEV_IOCTL_IOC_COUNT) {
		return -ENOTTY;
	}

	/*
	 * Only callers with CAP_SYS_ADMIN can use ioctls other than
	 * AUTOFS_DEV_IOCTL_VERSION_CMD and AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD.
	 * This is the gate that matters for the control device; everything
	 * below it can be reached by any user for those two commands.
	 */
	if (cmd != AUTOFS_DEV_IOCTL_VERSION_CMD &&
	    cmd != AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD &&
	    !capable(CAP_SYS_ADMIN))
		return -EPERM;

	/* Copy the parameters into kernel space. */
	param = copy_dev_ioctl(user);
	if (IS_ERR(param))
		return PTR_ERR(param);

	err = validate_dev_ioctl(command, param);
	if (err)
		goto out;

	fn = lookup_dev_ioctl(cmd);
	if (!fn) {
		pr_warn("unknown command 0x%08x\n", command);
		err = -ENOTTY;
		goto out;
	}

	/*
	 * For obvious reasons the openmount can't have a file
	 * descriptor yet. We don't take a reference to the
	 * file during close to allow for immediate release,
	 * and the same for retrieving ioctl version.
	 */
	if (cmd != AUTOFS_DEV_IOCTL_VERSION_CMD &&
	    cmd != AUTOFS_DEV_IOCTL_OPENMOUNT_CMD &&
	    cmd != AUTOFS_DEV_IOCTL_CLOSEMOUNT_CMD) {
		fp = fget(param->ioctlfd);
		if (fp) {
			/*
			 * The descriptor is whatever the caller named; make
			 * sure it really is an autofs mount before any
			 * handler uses sbi.
			 */
			sbi = autofs_dev_ioctl_sbi(fp);
			if (!sbi || sbi->magic != AUTOFS_SBI_MAGIC) {
				err = -EINVAL;
				fput(fp);
				goto out;
			}

			/*
			 * Admin needs to be able to set the mount catatonic
			 * in order to be able to perform the re-open.
			 */
			if (!autofs_oz_mode(sbi) &&
			    cmd != AUTOFS_DEV_IOCTL_CATATONIC_CMD) {
				err = -EACCES;
				fput(fp);
				goto out;
			}
		} else if (cmd != AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD) {
			/* Only ismountpoint may run without an ioctl fd. */
			err = -EBADF;
			goto out;
		}
	}

	err = fn(fp, sbi, param);

	if (fp)
		fput(fp);
	/* Only the fixed-size header is copied back, never the path. */
	if (err >= 0 && copy_to_user(user, param, AUTOFS_DEV_IOCTL_SIZE))
		err = -EFAULT;
out:
	free_dev_ioctl(param);
	return err;
}
698 
/*
 * unlocked_ioctl entry point of the control device: treat the argument
 * as a user pointer to the parameter block and hand it to the
 * dispatcher. file is unused.
 */
static long autofs_dev_ioctl(struct file *file, unsigned int command,
			     unsigned long u)
{
	struct autofs_dev_ioctl __user *user =
		(struct autofs_dev_ioctl __user *) u;

	return (long) _autofs_dev_ioctl(command, user);
}
707 
#ifdef CONFIG_COMPAT
/*
 * compat_ioctl entry point: convert the compat user pointer with
 * compat_ptr() and reuse the native handler.
 */
static long autofs_dev_ioctl_compat(struct file *file, unsigned int command,
				    unsigned long u)
{
	void __user *uptr = compat_ptr(u);

	return autofs_dev_ioctl(file, command, (unsigned long) uptr);
}
#else
#define autofs_dev_ioctl_compat NULL
#endif
717 
/* The control device only implements ioctl; seeking is a no-op. */
static const struct file_operations _dev_ioctl_fops = {
	.owner		= THIS_MODULE,
	.unlocked_ioctl	= autofs_dev_ioctl,
	.compat_ioctl	= autofs_dev_ioctl_compat,
	.llseek		= noop_llseek,
};

/*
 * Misc device used as the control node. The requested mode is 0644, so
 * the node permissions alone do not restrict who can issue commands: the
 * dispatcher requires CAP_SYS_ADMIN for everything except the version
 * and ismountpoint commands.
 */
static struct miscdevice _autofs_dev_ioctl_misc = {
	.name		= AUTOFS_DEVICE_NAME,
	.minor		= AUTOFS_MINOR,
	.mode		= 0644,
	.fops		= &_dev_ioctl_fops,
};

MODULE_ALIAS_MISCDEV(AUTOFS_MINOR);
MODULE_ALIAS("devname:autofs");
734 
/*
 * Register the misc character device used as the autofs control node.
 * Returns 0 on success or the error from misc_register(), which is also
 * logged.
 */
int __init autofs_dev_ioctl_init(void)
{
	int r = misc_register(&_autofs_dev_ioctl_misc);

	if (r)
		pr_err("misc_register failed for control device\n");

	return r;
}
748 
/* Deregister the misc character device used as the autofs control node. */
void autofs_dev_ioctl_exit(void)
{
	misc_deregister(&_autofs_dev_ioctl_misc);
}
753