From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Miklos Szeredi, Sasha Levin
Subject: [PATCH 5.10 053/289] cuse: prevent clone
Date: Mon, 17 May 2021 15:59:38 +0200
Message-Id: <20210517140306.987100175@linuxfoundation.org>
In-Reply-To: <20210517140305.140529752@linuxfoundation.org>
References: <20210517140305.140529752@linuxfoundation.org>

From: Miklos Szeredi

[ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ]

For cloned connections cuse_channel_release() will be called more than once, resulting in use after free.

Prevent device cloning for CUSE, which does not make sense at this point, and highly unlikely to be used in real life.

Signed-off-by: Miklos Szeredi
Signed-off-by: Sasha Levin

--- fs/fuse/cuse.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c index 45082269e698..a37528b51798 100644 --- a/fs/fuse/cuse.c +++ b/fs/fuse/cuse.c @@ -627,6 +627,8 @@ static int __init cuse_init(void) cuse_channel_fops.owner = THIS_MODULE; cuse_channel_fops.open = cuse_channel_open; cuse_channel_fops.release = cuse_channel_release; + /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */ + cuse_channel_fops.unlocked_ioctl = NULL; cuse_class = class_create(THIS_MODULE, "cuse"); if (IS_ERR(cuse_class)) --
2.30.2
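
Review bot: The added `cuse_channel_fops.unlocked_ioctl = NULL;` in cuse_init() drops every ioctl on the CUSE channel, not only FUSE_DEV_IOC_CLONE, but the comment above it names the clone ioctl alone. I would expand the comment to say that the whole handler is removed on purpose and that the reason is the repeated cuse_channel_release() call (use after free) described in the commit message, so a later change that adds another ioctl does not reinstate the handler without a clone check. The hunk also does not show whether `cuse_channel_fops` carries a `.compat_ioctl` entry; if it does, please confirm that it cannot reach the clone path once `unlocked_ioctl` is NULL, or clear it next to this line.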