Loading...
1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * Copyright 2008 Red Hat, Inc. All rights reserved.
4 * Copyright 2008 Ian Kent <raven@themaw.net>
5 */
6
7#include <linux/module.h>
8#include <linux/miscdevice.h>
9#include <linux/compat.h>
10#include <linux/fdtable.h>
11#include <linux/magic.h>
12#include <linux/nospec.h>
13
14#include "autofs_i.h"
15
16/*
17 * This module implements an interface for routing autofs ioctl control
18 * commands via a miscellaneous device file.
19 *
20 * The alternate interface is needed because we need to be able open
21 * an ioctl file descriptor on an autofs mount that may be covered by
22 * another mount. This situation arises when starting automount(8)
23 * or other user space daemon which uses direct mounts or offset
24 * mounts (used for autofs lazy mount/umount of nested mount trees),
25 * which have been left busy at service shutdown.
26 */
27
28typedef int (*ioctl_fn)(struct file *, struct autofs_sb_info *,
29 struct autofs_dev_ioctl *);
30
31static int check_name(const char *name)
32{
33 if (!strchr(name, '/'))
34 return -EINVAL;
35 return 0;
36}
37
38/*
39 * Check a string doesn't overrun the chunk of
40 * memory we copied from user land.
41 */
42static int invalid_str(char *str, size_t size)
43{
44 if (memchr(str, 0, size))
45 return 0;
46 return -EINVAL;
47}
48
49/*
50 * Check that the user compiled against correct version of autofs
51 * misc device code.
52 *
53 * As well as checking the version compatibility this always copies
54 * the kernel interface version out.
55 */
56static int check_dev_ioctl_version(int cmd, struct autofs_dev_ioctl *param)
57{
58 int err = 0;
59
60 if ((param->ver_major != AUTOFS_DEV_IOCTL_VERSION_MAJOR) ||
61 (param->ver_minor > AUTOFS_DEV_IOCTL_VERSION_MINOR)) {
62 pr_warn("ioctl control interface version mismatch: "
63 "kernel(%u.%u), user(%u.%u), cmd(0x%08x)\n",
64 AUTOFS_DEV_IOCTL_VERSION_MAJOR,
65 AUTOFS_DEV_IOCTL_VERSION_MINOR,
66 param->ver_major, param->ver_minor, cmd);
67 err = -EINVAL;
68 }
69
70 /* Fill in the kernel version. */
71 param->ver_major = AUTOFS_DEV_IOCTL_VERSION_MAJOR;
72 param->ver_minor = AUTOFS_DEV_IOCTL_VERSION_MINOR;
73
74 return err;
75}
76
77/*
78 * Copy parameter control struct, including a possible path allocated
79 * at the end of the struct.
80 */
81static struct autofs_dev_ioctl *
82copy_dev_ioctl(struct autofs_dev_ioctl __user *in)
83{
84 struct autofs_dev_ioctl tmp, *res;
85
86 if (copy_from_user(&tmp, in, AUTOFS_DEV_IOCTL_SIZE))
87 return ERR_PTR(-EFAULT);
88
89 if (tmp.size < AUTOFS_DEV_IOCTL_SIZE)
90 return ERR_PTR(-EINVAL);
91
92 if (tmp.size > AUTOFS_DEV_IOCTL_SIZE + PATH_MAX)
93 return ERR_PTR(-ENAMETOOLONG);
94
95 res = memdup_user(in, tmp.size);
96 if (!IS_ERR(res))
97 res->size = tmp.size;
98
99 return res;
100}
101
102static inline void free_dev_ioctl(struct autofs_dev_ioctl *param)
103{
104 kfree(param);
105}
106
107/*
108 * Check sanity of parameter control fields and if a path is present
109 * check that it is terminated and contains at least one "/".
110 */
111static int validate_dev_ioctl(int cmd, struct autofs_dev_ioctl *param)
112{
113 int err;
114
115 err = check_dev_ioctl_version(cmd, param);
116 if (err) {
117 pr_warn("invalid device control module version "
118 "supplied for cmd(0x%08x)\n", cmd);
119 goto out;
120 }
121
122 if (param->size > AUTOFS_DEV_IOCTL_SIZE) {
123 err = invalid_str(param->path, param->size - AUTOFS_DEV_IOCTL_SIZE);
124 if (err) {
125 pr_warn(
126 "path string terminator missing for cmd(0x%08x)\n",
127 cmd);
128 goto out;
129 }
130
131 err = check_name(param->path);
132 if (err) {
133 pr_warn("invalid path supplied for cmd(0x%08x)\n",
134 cmd);
135 goto out;
136 }
137 } else {
138 unsigned int inr = _IOC_NR(cmd);
139
140 if (inr == AUTOFS_DEV_IOCTL_OPENMOUNT_CMD ||
141 inr == AUTOFS_DEV_IOCTL_REQUESTER_CMD ||
142 inr == AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD) {
143 err = -EINVAL;
144 goto out;
145 }
146 }
147
148 err = 0;
149out:
150 return err;
151}
152
153/* Return autofs dev ioctl version */
154static int autofs_dev_ioctl_version(struct file *fp,
155 struct autofs_sb_info *sbi,
156 struct autofs_dev_ioctl *param)
157{
158 /* This should have already been set. */
159 param->ver_major = AUTOFS_DEV_IOCTL_VERSION_MAJOR;
160 param->ver_minor = AUTOFS_DEV_IOCTL_VERSION_MINOR;
161 return 0;
162}
163
164/* Return autofs module protocol version */
165static int autofs_dev_ioctl_protover(struct file *fp,
166 struct autofs_sb_info *sbi,
167 struct autofs_dev_ioctl *param)
168{
169 param->protover.version = sbi->version;
170 return 0;
171}
172
173/* Return autofs module protocol sub version */
174static int autofs_dev_ioctl_protosubver(struct file *fp,
175 struct autofs_sb_info *sbi,
176 struct autofs_dev_ioctl *param)
177{
178 param->protosubver.sub_version = sbi->sub_version;
179 return 0;
180}
181
182/* Find the topmost mount satisfying test() */
183static int find_autofs_mount(const char *pathname,
184 struct path *res,
185 int test(const struct path *path, void *data),
186 void *data)
187{
188 struct path path;
189 int err;
190
191 err = kern_path(pathname, LOOKUP_MOUNTPOINT, &path);
192 if (err)
193 return err;
194 err = -ENOENT;
195 while (path.dentry == path.mnt->mnt_root) {
196 if (path.dentry->d_sb->s_magic == AUTOFS_SUPER_MAGIC) {
197 if (test(&path, data)) {
198 path_get(&path);
199 *res = path;
200 err = 0;
201 break;
202 }
203 }
204 if (!follow_up(&path))
205 break;
206 }
207 path_put(&path);
208 return err;
209}
210
211static int test_by_dev(const struct path *path, void *p)
212{
213 return path->dentry->d_sb->s_dev == *(dev_t *)p;
214}
215
216static int test_by_type(const struct path *path, void *p)
217{
218 struct autofs_info *ino = autofs_dentry_ino(path->dentry);
219
220 return ino && ino->sbi->type & *(unsigned *)p;
221}
222
223/*
224 * Open a file descriptor on the autofs mount point corresponding
225 * to the given path and device number (aka. new_encode_dev(sb->s_dev)).
226 */
227static int autofs_dev_ioctl_open_mountpoint(const char *name, dev_t devid)
228{
229 int err, fd;
230
231 fd = get_unused_fd_flags(O_CLOEXEC);
232 if (likely(fd >= 0)) {
233 struct file *filp;
234 struct path path;
235
236 err = find_autofs_mount(name, &path, test_by_dev, &devid);
237 if (err)
238 goto out;
239
240 filp = dentry_open(&path, O_RDONLY, current_cred());
241 path_put(&path);
242 if (IS_ERR(filp)) {
243 err = PTR_ERR(filp);
244 goto out;
245 }
246
247 fd_install(fd, filp);
248 }
249
250 return fd;
251
252out:
253 put_unused_fd(fd);
254 return err;
255}
256
257/* Open a file descriptor on an autofs mount point */
258static int autofs_dev_ioctl_openmount(struct file *fp,
259 struct autofs_sb_info *sbi,
260 struct autofs_dev_ioctl *param)
261{
262 const char *path;
263 dev_t devid;
264 int err, fd;
265
266 /* param->path has been checked in validate_dev_ioctl() */
267
268 if (!param->openmount.devid)
269 return -EINVAL;
270
271 param->ioctlfd = -1;
272
273 path = param->path;
274 devid = new_decode_dev(param->openmount.devid);
275
276 err = 0;
277 fd = autofs_dev_ioctl_open_mountpoint(path, devid);
278 if (unlikely(fd < 0)) {
279 err = fd;
280 goto out;
281 }
282
283 param->ioctlfd = fd;
284out:
285 return err;
286}
287
288/* Close file descriptor allocated above (user can also use close(2)). */
289static int autofs_dev_ioctl_closemount(struct file *fp,
290 struct autofs_sb_info *sbi,
291 struct autofs_dev_ioctl *param)
292{
293 return close_fd(param->ioctlfd);
294}
295
296/*
297 * Send "ready" status for an existing wait (either a mount or an expire
298 * request).
299 */
300static int autofs_dev_ioctl_ready(struct file *fp,
301 struct autofs_sb_info *sbi,
302 struct autofs_dev_ioctl *param)
303{
304 autofs_wqt_t token;
305
306 token = (autofs_wqt_t) param->ready.token;
307 return autofs_wait_release(sbi, token, 0);
308}
309
310/*
311 * Send "fail" status for an existing wait (either a mount or an expire
312 * request).
313 */
314static int autofs_dev_ioctl_fail(struct file *fp,
315 struct autofs_sb_info *sbi,
316 struct autofs_dev_ioctl *param)
317{
318 autofs_wqt_t token;
319 int status;
320
321 token = (autofs_wqt_t) param->fail.token;
322 status = param->fail.status < 0 ? param->fail.status : -ENOENT;
323 return autofs_wait_release(sbi, token, status);
324}
325
326/*
327 * Set the pipe fd for kernel communication to the daemon.
328 *
329 * Normally this is set at mount using an option but if we
330 * are reconnecting to a busy mount then we need to use this
331 * to tell the autofs mount about the new kernel pipe fd. In
332 * order to protect mounts against incorrectly setting the
333 * pipefd we also require that the autofs mount be catatonic.
334 *
335 * This also sets the process group id used to identify the
336 * controlling process (eg. the owning automount(8) daemon).
337 */
338static int autofs_dev_ioctl_setpipefd(struct file *fp,
339 struct autofs_sb_info *sbi,
340 struct autofs_dev_ioctl *param)
341{
342 int pipefd;
343 int err = 0;
344 struct pid *new_pid = NULL;
345
346 if (param->setpipefd.pipefd == -1)
347 return -EINVAL;
348
349 pipefd = param->setpipefd.pipefd;
350
351 mutex_lock(&sbi->wq_mutex);
352 if (!(sbi->flags & AUTOFS_SBI_CATATONIC)) {
353 mutex_unlock(&sbi->wq_mutex);
354 return -EBUSY;
355 } else {
356 struct file *pipe;
357
358 new_pid = get_task_pid(current, PIDTYPE_PGID);
359
360 if (ns_of_pid(new_pid) != ns_of_pid(sbi->oz_pgrp)) {
361 pr_warn("not allowed to change PID namespace\n");
362 err = -EINVAL;
363 goto out;
364 }
365
366 pipe = fget(pipefd);
367 if (!pipe) {
368 err = -EBADF;
369 goto out;
370 }
371 if (autofs_prepare_pipe(pipe) < 0) {
372 err = -EPIPE;
373 fput(pipe);
374 goto out;
375 }
376 swap(sbi->oz_pgrp, new_pid);
377 sbi->pipefd = pipefd;
378 sbi->pipe = pipe;
379 sbi->flags &= ~AUTOFS_SBI_CATATONIC;
380 }
381out:
382 put_pid(new_pid);
383 mutex_unlock(&sbi->wq_mutex);
384 return err;
385}
386
387/*
388 * Make the autofs mount point catatonic, no longer responsive to
389 * mount requests. Also closes the kernel pipe file descriptor.
390 */
391static int autofs_dev_ioctl_catatonic(struct file *fp,
392 struct autofs_sb_info *sbi,
393 struct autofs_dev_ioctl *param)
394{
395 autofs_catatonic_mode(sbi);
396 return 0;
397}
398
399/* Set the autofs mount timeout */
400static int autofs_dev_ioctl_timeout(struct file *fp,
401 struct autofs_sb_info *sbi,
402 struct autofs_dev_ioctl *param)
403{
404 unsigned long timeout;
405
406 timeout = param->timeout.timeout;
407 param->timeout.timeout = sbi->exp_timeout / HZ;
408 sbi->exp_timeout = timeout * HZ;
409 return 0;
410}
411
412/*
413 * Return the uid and gid of the last request for the mount
414 *
415 * When reconstructing an autofs mount tree with active mounts
416 * we need to re-connect to mounts that may have used the original
417 * process uid and gid (or string variations of them) for mount
418 * lookups within the map entry.
419 */
420static int autofs_dev_ioctl_requester(struct file *fp,
421 struct autofs_sb_info *sbi,
422 struct autofs_dev_ioctl *param)
423{
424 struct autofs_info *ino;
425 struct path path;
426 dev_t devid;
427 int err = -ENOENT;
428
429 /* param->path has been checked in validate_dev_ioctl() */
430
431 devid = sbi->sb->s_dev;
432
433 param->requester.uid = param->requester.gid = -1;
434
435 err = find_autofs_mount(param->path, &path, test_by_dev, &devid);
436 if (err)
437 goto out;
438
439 ino = autofs_dentry_ino(path.dentry);
440 if (ino) {
441 err = 0;
442 autofs_expire_wait(&path, 0);
443 spin_lock(&sbi->fs_lock);
444 param->requester.uid =
445 from_kuid_munged(current_user_ns(), ino->uid);
446 param->requester.gid =
447 from_kgid_munged(current_user_ns(), ino->gid);
448 spin_unlock(&sbi->fs_lock);
449 }
450 path_put(&path);
451out:
452 return err;
453}
454
455/*
456 * Call repeatedly until it returns -EAGAIN, meaning there's nothing
457 * more that can be done.
458 */
459static int autofs_dev_ioctl_expire(struct file *fp,
460 struct autofs_sb_info *sbi,
461 struct autofs_dev_ioctl *param)
462{
463 struct vfsmount *mnt;
464 int how;
465
466 how = param->expire.how;
467 mnt = fp->f_path.mnt;
468
469 return autofs_do_expire_multi(sbi->sb, mnt, sbi, how);
470}
471
472/* Check if autofs mount point is in use */
473static int autofs_dev_ioctl_askumount(struct file *fp,
474 struct autofs_sb_info *sbi,
475 struct autofs_dev_ioctl *param)
476{
477 param->askumount.may_umount = 0;
478 if (may_umount(fp->f_path.mnt))
479 param->askumount.may_umount = 1;
480 return 0;
481}
482
483/*
484 * Check if the given path is a mountpoint.
485 *
486 * If we are supplied with the file descriptor of an autofs
487 * mount we're looking for a specific mount. In this case
488 * the path is considered a mountpoint if it is itself a
489 * mountpoint or contains a mount, such as a multi-mount
490 * without a root mount. In this case we return 1 if the
491 * path is a mount point and the super magic of the covering
492 * mount if there is one or 0 if it isn't a mountpoint.
493 *
494 * If we aren't supplied with a file descriptor then we
495 * lookup the path and check if it is the root of a mount.
496 * If a type is given we are looking for a particular autofs
497 * mount and if we don't find a match we return fail. If the
498 * located path is the root of a mount we return 1 along with
499 * the super magic of the mount or 0 otherwise.
500 *
501 * In both cases the device number (as returned by
502 * new_encode_dev()) is also returned.
503 */
504static int autofs_dev_ioctl_ismountpoint(struct file *fp,
505 struct autofs_sb_info *sbi,
506 struct autofs_dev_ioctl *param)
507{
508 struct path path;
509 const char *name;
510 unsigned int type;
511 unsigned int devid, magic;
512 int err = -ENOENT;
513
514 /* param->path has been checked in validate_dev_ioctl() */
515
516 name = param->path;
517 type = param->ismountpoint.in.type;
518
519 param->ismountpoint.out.devid = devid = 0;
520 param->ismountpoint.out.magic = magic = 0;
521
522 if (!fp || param->ioctlfd == -1) {
523 if (autofs_type_any(type))
524 err = kern_path(name, LOOKUP_FOLLOW | LOOKUP_MOUNTPOINT,
525 &path);
526 else
527 err = find_autofs_mount(name, &path,
528 test_by_type, &type);
529 if (err)
530 goto out;
531 devid = new_encode_dev(path.dentry->d_sb->s_dev);
532 err = 0;
533 if (path.mnt->mnt_root == path.dentry) {
534 err = 1;
535 magic = path.dentry->d_sb->s_magic;
536 }
537 } else {
538 dev_t dev = sbi->sb->s_dev;
539
540 err = find_autofs_mount(name, &path, test_by_dev, &dev);
541 if (err)
542 goto out;
543
544 devid = new_encode_dev(dev);
545
546 err = path_has_submounts(&path);
547
548 if (follow_down_one(&path))
549 magic = path.dentry->d_sb->s_magic;
550 }
551
552 param->ismountpoint.out.devid = devid;
553 param->ismountpoint.out.magic = magic;
554 path_put(&path);
555out:
556 return err;
557}
558
559/*
560 * Our range of ioctl numbers isn't 0 based so we need to shift
561 * the array index by _IOC_NR(AUTOFS_CTL_IOC_FIRST) for the table
562 * lookup.
563 */
564#define cmd_idx(cmd) (cmd - _IOC_NR(AUTOFS_DEV_IOCTL_IOC_FIRST))
565
566static ioctl_fn lookup_dev_ioctl(unsigned int cmd)
567{
568 static const ioctl_fn _ioctls[] = {
569 autofs_dev_ioctl_version,
570 autofs_dev_ioctl_protover,
571 autofs_dev_ioctl_protosubver,
572 autofs_dev_ioctl_openmount,
573 autofs_dev_ioctl_closemount,
574 autofs_dev_ioctl_ready,
575 autofs_dev_ioctl_fail,
576 autofs_dev_ioctl_setpipefd,
577 autofs_dev_ioctl_catatonic,
578 autofs_dev_ioctl_timeout,
579 autofs_dev_ioctl_requester,
580 autofs_dev_ioctl_expire,
581 autofs_dev_ioctl_askumount,
582 autofs_dev_ioctl_ismountpoint,
583 };
584 unsigned int idx = cmd_idx(cmd);
585
586 if (idx >= ARRAY_SIZE(_ioctls))
587 return NULL;
588 idx = array_index_nospec(idx, ARRAY_SIZE(_ioctls));
589 return _ioctls[idx];
590}
591
592/* ioctl dispatcher */
593static int _autofs_dev_ioctl(unsigned int command,
594 struct autofs_dev_ioctl __user *user)
595{
596 struct autofs_dev_ioctl *param;
597 struct file *fp;
598 struct autofs_sb_info *sbi;
599 unsigned int cmd_first, cmd;
600 ioctl_fn fn = NULL;
601 int err = 0;
602
603 cmd_first = _IOC_NR(AUTOFS_DEV_IOCTL_IOC_FIRST);
604 cmd = _IOC_NR(command);
605
606 if (_IOC_TYPE(command) != _IOC_TYPE(AUTOFS_DEV_IOCTL_IOC_FIRST) ||
607 cmd - cmd_first > AUTOFS_DEV_IOCTL_IOC_COUNT) {
608 return -ENOTTY;
609 }
610
611 /* Only root can use ioctls other than AUTOFS_DEV_IOCTL_VERSION_CMD
612 * and AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD
613 */
614 if (cmd != AUTOFS_DEV_IOCTL_VERSION_CMD &&
615 cmd != AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD &&
616 !capable(CAP_SYS_ADMIN))
617 return -EPERM;
618
619 /* Copy the parameters into kernel space. */
620 param = copy_dev_ioctl(user);
621 if (IS_ERR(param))
622 return PTR_ERR(param);
623
624 err = validate_dev_ioctl(command, param);
625 if (err)
626 goto out;
627
628 fn = lookup_dev_ioctl(cmd);
629 if (!fn) {
630 pr_warn("unknown command 0x%08x\n", command);
631 err = -ENOTTY;
632 goto out;
633 }
634
635 fp = NULL;
636 sbi = NULL;
637
638 /*
639 * For obvious reasons the openmount can't have a file
640 * descriptor yet. We don't take a reference to the
641 * file during close to allow for immediate release,
642 * and the same for retrieving ioctl version.
643 */
644 if (cmd != AUTOFS_DEV_IOCTL_VERSION_CMD &&
645 cmd != AUTOFS_DEV_IOCTL_OPENMOUNT_CMD &&
646 cmd != AUTOFS_DEV_IOCTL_CLOSEMOUNT_CMD) {
647 struct super_block *sb;
648
649 fp = fget(param->ioctlfd);
650 if (!fp) {
651 if (cmd == AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD)
652 goto cont;
653 err = -EBADF;
654 goto out;
655 }
656
657 sb = file_inode(fp)->i_sb;
658 if (sb->s_type != &autofs_fs_type) {
659 err = -EINVAL;
660 fput(fp);
661 goto out;
662 }
663 sbi = autofs_sbi(sb);
664
665 /*
666 * Admin needs to be able to set the mount catatonic in
667 * order to be able to perform the re-open.
668 */
669 if (!autofs_oz_mode(sbi) &&
670 cmd != AUTOFS_DEV_IOCTL_CATATONIC_CMD) {
671 err = -EACCES;
672 fput(fp);
673 goto out;
674 }
675 }
676cont:
677 err = fn(fp, sbi, param);
678
679 if (fp)
680 fput(fp);
681 if (err >= 0 && copy_to_user(user, param, AUTOFS_DEV_IOCTL_SIZE))
682 err = -EFAULT;
683out:
684 free_dev_ioctl(param);
685 return err;
686}
687
688static long autofs_dev_ioctl(struct file *file, unsigned int command,
689 unsigned long u)
690{
691 int err;
692
693 err = _autofs_dev_ioctl(command, (struct autofs_dev_ioctl __user *) u);
694 return (long) err;
695}
696
697#ifdef CONFIG_COMPAT
698static long autofs_dev_ioctl_compat(struct file *file, unsigned int command,
699 unsigned long u)
700{
701 return autofs_dev_ioctl(file, command, (unsigned long) compat_ptr(u));
702}
703#else
704#define autofs_dev_ioctl_compat NULL
705#endif
706
707static const struct file_operations _dev_ioctl_fops = {
708 .unlocked_ioctl = autofs_dev_ioctl,
709 .compat_ioctl = autofs_dev_ioctl_compat,
710 .owner = THIS_MODULE,
711 .llseek = noop_llseek,
712};
713
714static struct miscdevice _autofs_dev_ioctl_misc = {
715 .minor = AUTOFS_MINOR,
716 .name = AUTOFS_DEVICE_NAME,
717 .fops = &_dev_ioctl_fops,
718 .mode = 0644,
719};
720
721MODULE_ALIAS_MISCDEV(AUTOFS_MINOR);
722MODULE_ALIAS("devname:autofs");
723
724/* Register/deregister misc character device */
725int __init autofs_dev_ioctl_init(void)
726{
727 int r;
728
729 r = misc_register(&_autofs_dev_ioctl_misc);
730 if (r) {
731 pr_err("misc_register failed for control device\n");
732 return r;
733 }
734
735 return 0;
736}
737
738void autofs_dev_ioctl_exit(void)
739{
740 misc_deregister(&_autofs_dev_ioctl_misc);
741}