From: Alessio Balsini
To: Arnd Bergmann, Miklos Szeredi
Cc: kernel-team@android.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] fs/fuse: Fix matching of FUSE_DEV_IOC_CLONE command
Date: Fri, 19 Mar 2021 15:05:14 +0000
Message-Id: <20210319150514.1315985-1-balsini@android.com>

With commit f8425c939663 ("fuse: 32-bit user space ioctl compat for fuse
device") the matching constraints for the FUSE_DEV_IOC_CLONE ioctl command
are relaxed, limited to the testing of command type and number.
As Arnd noticed, this is wrong as it wouldn't ensure the correctness of the
data size or direction for the received FUSE device ioctl.

Fix by bringing back the comparison of the ioctl received by the FUSE device
to the originally generated FUSE_DEV_IOC_CLONE.

Fixes: f8425c939663 ("fuse: 32-bit user space ioctl compat for fuse device")
Reported-by: Arnd Bergmann
Signed-off-by: Alessio Balsini --- fs/fuse/dev.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index c0fee830a34e..a5ceccc5ef00 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -2233,11 +2233,8 @@ static long fuse_dev_ioctl(struct file *file, unsigned int cmd, int oldfd; struct fuse_dev *fud = NULL; - if (_IOC_TYPE(cmd) != FUSE_DEV_IOC_MAGIC) - return -ENOTTY; - - switch (_IOC_NR(cmd)) { - case _IOC_NR(FUSE_DEV_IOC_CLONE): + switch (cmd) { + case FUSE_DEV_IOC_CLONE: res = -EFAULT; if (!get_user(oldfd, (__u32 __user *)arg)) { struct file *old = fget(oldfd); -- 2.31.0.291.g576ba9dcdaf-goog
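
Review bot: in fuse_dev_ioctl(), the new `switch (cmd)` drops the early `_IOC_TYPE(cmd) != FUSE_DEV_IOC_MAGIC` return of -ENOTTY, so the result for every non-matching command now depends on the switch's default arm, which lies outside the visible context. Please confirm that `default:` still yields -ENOTTY, so that foreign ioctls do not start returning a different errno. It would also help if the commit message said why the exact comparison stays correct for the 32-bit compat case that f8425c939663 addressed: the argument is read through `(__u32 __user *)arg`, and a fixed-width argument should encode the same size for 32-bit and 64-bit callers.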
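
The difference between the relaxed and the restored matching described in the commit message, as an added example that is not part of the original patch. It assumes the asm-generic ioctl bit layout; the `X_*` macros and `match_*` functions are hypothetical names, and the FUSE constants are the values from include/uapi/linux/fuse.h.

```c
#include <stdint.h>
#include <stdio.h>

/* asm-generic ioctl layout (assumption; a few architectures differ):
 * bits 0-7 number, 8-15 type, 16-29 argument size, 30-31 direction. */
#define X_NRSHIFT   0
#define X_TYPESHIFT 8
#define X_SIZESHIFT 16
#define X_DIRSHIFT  30
#define X_WRITE     1u  /* user space passes data to the kernel */
#define X_READ      2u  /* kernel returns data to user space */
#define X_IOC(dir, type, nr, size) \
    (((uint32_t)(dir) << X_DIRSHIFT) | ((uint32_t)(size) << X_SIZESHIFT) | \
     ((uint32_t)(type) << X_TYPESHIFT) | ((uint32_t)(nr) << X_NRSHIFT))
#define X_TYPE(cmd) (((cmd) >> X_TYPESHIFT) & 0xffu)
#define X_NR(cmd)   (((cmd) >> X_NRSHIFT) & 0xffu)

/* fuse.h: FUSE_DEV_IOC_MAGIC is 229, CLONE is _IOR(229, 0, uint32_t).
 * uint32_t is 4 bytes for 32-bit and 64-bit callers alike. */
#define FUSE_MAGIC 229u
#define FUSE_CLONE X_IOC(X_READ, FUSE_MAGIC, 0, sizeof(uint32_t))

/* Relaxed matching: only type and number are compared, so size and
 * direction bits are ignored. */
int match_relaxed(uint32_t cmd)
{
    return X_TYPE(cmd) == FUSE_MAGIC && X_NR(cmd) == X_NR(FUSE_CLONE);
}

/* Strict matching: the whole encoded command must be equal. */
int match_strict(uint32_t cmd)
{
    return cmd == FUSE_CLONE;
}

int main(void)
{
    /* Constructed sample commands. */
    uint32_t samples[] = {
        FUSE_CLONE,                                      /* genuine   */
        X_IOC(X_READ, FUSE_MAGIC, 0, sizeof(uint64_t)),  /* bad size  */
        X_IOC(X_WRITE, FUSE_MAGIC, 0, sizeof(uint32_t)), /* bad dir   */
        X_IOC(X_READ, 'X', 0, sizeof(uint32_t)),         /* bad type  */
    };
    for (unsigned i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("0x%08x relaxed=%d strict=%d\n", (unsigned)samples[i],
               match_relaxed(samples[i]), match_strict(samples[i]));
    return 0;
}
```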