From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Miklos Szeredi, Sasha Levin
Subject: [PATCH 5.11 068/329] cuse: prevent clone
Date: Mon, 17 May 2021 15:59:39 +0200
Message-Id: <20210517140304.362587280@linuxfoundation.org>
In-Reply-To: <20210517140302.043055203@linuxfoundation.org>

From: Miklos Szeredi

[ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ]

For cloned connections cuse_channel_release() will be called more than once, resulting in use after free.

Prevent device cloning for CUSE, which does not make sense at this point, and highly unlikely to be used in real life.

Signed-off-by: Miklos Szeredi
Signed-off-by: Sasha Levin
--- fs/fuse/cuse.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c index 45082269e698..a37528b51798 100644 --- a/fs/fuse/cuse.c +++ b/fs/fuse/cuse.c @@ -627,6 +627,8 @@ static int __init cuse_init(void) cuse_channel_fops.owner = THIS_MODULE; cuse_channel_fops.open = cuse_channel_open; cuse_channel_fops.release = cuse_channel_release; + /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */ + cuse_channel_fops.unlocked_ioctl = NULL; cuse_class = class_create(THIS_MODULE, "cuse"); if (IS_ERR(cuse_class)) -- 2.30.2
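Review bot: The added `cuse_channel_fops.unlocked_ioctl = NULL;` in cuse_init() removes the entire ioctl handler on the CUSE channel device, while the comment above it names only FUSE_DEV_IOC_CLONE. The comment should say that every ioctl on the channel is dropped, and should name the failure being prevented (a cloned connection leading to cuse_channel_release() running more than once and a use after free), so that anyone who later adds an ioctl to this fops table knows the clone command must stay rejected. The neighbouring assignments override .owner, .open and .release one by one, which suggests the table is inherited from another definition not shown in this hunk; it is worth confirming that no compat_ioctl entry inherited the same way can still reach the clone path for 32-bit callers, and clearing it next to this line if it can.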