From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Miklos Szeredi, Sasha Levin
Subject: [PATCH 5.4 026/141] cuse: prevent clone
Date: Mon, 17 May 2021 16:01:18 +0200
Message-Id: <20210517140243.649349873@linuxfoundation.org>

From: Miklos Szeredi

[ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ]

For cloned connections cuse_channel_release() will be called more than once, resulting in use after free.

Prevent device cloning for CUSE, which does not make sense at this point, and highly unlikely to be used in real life.

Signed-off-by: Miklos Szeredi
Signed-off-by: Sasha Levin
--- fs/fuse/cuse.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c index 00015d851382..e51b7019e887 100644 --- a/fs/fuse/cuse.c +++ b/fs/fuse/cuse.c @@ -624,6 +624,8 @@ static int __init cuse_init(void) cuse_channel_fops.owner = THIS_MODULE; cuse_channel_fops.open = cuse_channel_open; cuse_channel_fops.release = cuse_channel_release; + /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */ + cuse_channel_fops.unlocked_ioctl = NULL; cuse_class = class_create(THIS_MODULE, "cuse"); if (IS_ERR(cuse_class)) -- 2.30.2
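Review bot: In the cuse_init() hunk, `cuse_channel_fops.unlocked_ioctl = NULL;` clears only the native ioctl entry point and leaves any compat_ioctl handler in cuse_channel_fops untouched, so it is worth confirming for this 5.4 backport that a 32-bit caller cannot still reach FUSE_DEV_IOC_CLONE; if it can, clear compat_ioctl in the same place. The comment also names only FUSE_DEV_IOC_CLONE, while the assignment removes every ioctl on the CUSE channel; a comment saying that all ioctls are dropped because clone is the unsafe one would make the intent clear to whoever adds the next device ioctl.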