Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2982241pxj;
        Mon, 17 May 2021 14:49:58 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwV7X7FzOfTj9EGeP18G8AWqJOAjZr6w5mLFaAeqC6SwsR7zL/x8SbP0HfzR+Er8iEZnmC0
X-Received: by 2002:a5d:8a16:: with SMTP id w22mr1669287iod.186.1621288197821;
        Mon, 17 May 2021 14:49:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1621288197; cv=none;
        d=google.com; s=arc-20160816;
        b=oBM6CVlPwCyH8r1PrXheT5fRDTT+NK566agApNjWAd4qFfzxpaJCAY9DjqXLDK8ThM
         KbeYLiMRhWN9qHkthIO1R1Pp30NjNAe5r0Szegf4FshRqjh5J7wB92eWoo5HP+jpocDk
         ZBftjKhe3TIwBvvLoXVIogyY3V7qs7E/ea0f2I7PtZYeuN4o6pW/N6/+bVG39dBqf55w
         oVHKIQXo7tdH2z94aRrlPhcI5ll9kze2D9HJYQQoXs7JFjJyeEtjgt4J2L46sAs62goj
         P1W92TSwX7oOBgX7lD2jxp6JqOryw9vGUyH+8iVGKGEf5tqkUW0dE8VvxWxCf3BvQ7HA
         WpEw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=ijUr8uwUsJuzPcVpYtC62hT2R/9EUqsdgKXAB8tbG+I=;
        b=BR9BrAwaoK1nBRwVpZv64c88nNQZfcWlSXajAXBMh12QH7lloLjtud5AKMN6JVLWAK
         nfp/tI7XefWuAoVuih3a3Jjisg3ophh5MtsPQj2sZRCtGCYkdOavshshf+oCpKtvSFc8
         j9poTuRotoUeCZHWjmiSI0m+gdutkBryAoZ5i5H0i6dZUNyK9LLp0Zz+XDbkSPQiKMlA
         E/EJHr49OQVCx1gStC5zQ8Drjt0y44TooqOdDrzdLdoVblWaxen4x2bLvjPunZZVOhK5
         UBUcqEm8zebAPEn+Wi0ujgwPK172+7N7YoV9PUISFvF8v+F8eGWksCmjSxuqSMW1DQZj
         XXMA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=kreIFEG8;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id k8si20042423jav.68.2021.05.17.14.49.44;
        Mon, 17 May 2021 14:49:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=kreIFEG8;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238681AbhEQOLy (ORCPT <rfc822;nirdebian@gmail.com> + 99 others);
        Mon, 17 May 2021 10:11:54 -0400
Received: from mail.kernel.org ([198.145.29.99]:58468 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S237816AbhEQOJj (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 17 May 2021 10:09:39 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 168556139A;
        Mon, 17 May 2021 14:07:01 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1621260422;
        bh=YETmwC0vmkJEnYjZRQtB8GtVeKH+RSjRHV996b86cVk=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=kreIFEG8ho3WeDXowft2kRgDxP0OPiLvj17IEMD24+SWDY3jXLMG7gDe0n7Mc7U1X
         JPw2aVSpcqgppC92iWClnLDIJyAXYI9RZeou2cPRUNgs1NXYJXJr7ZJsNLcSxlStm0
         xVrCLMFWyNN+96L+o7n3k3KENcf4bFHNVT7GRDrY=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Miklos Szeredi <mszeredi@redhat.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.12 075/363] cuse: prevent clone
Date:   Mon, 17 May 2021 15:59:01 +0200
Message-Id: <20210517140305.124659566@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210517140302.508966430@linuxfoundation.org>
References: <20210517140302.508966430@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Miklos Szeredi <mszeredi@redhat.com>

[ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ]

For cloned connections cuse_channel_release() will be called more than
once, resulting in use after free.

Prevent device cloning for CUSE, which does not make sense at this point,
and highly unlikely to be used in real life.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/fuse/cuse.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c
index 45082269e698..a37528b51798 100644
--- a/fs/fuse/cuse.c
+++ b/fs/fuse/cuse.c
@@ -627,6 +627,8 @@ static int __init cuse_init(void)
 	cuse_channel_fops.owner		= THIS_MODULE;
 	cuse_channel_fops.open		= cuse_channel_open;
 	cuse_channel_fops.release	= cuse_channel_release;
+	/* CUSE is not prepared for FUSE_DEV_IOC_CLONE */
+	cuse_channel_fops.unlocked_ioctl	= NULL;
 
 	cuse_class = class_create(THIS_MODULE, "cuse");
 	if (IS_ERR(cuse_class))
-- 
2.30.2