From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Miklos Szeredi, Sasha Levin
Subject: [PATCH 4.19 319/425] cuse: prevent clone
Date: Thu, 20 May 2021 11:21:28 +0200
Message-Id: <20210520092141.910887920@linuxfoundation.org>

From: Miklos Szeredi

[ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ]

For cloned connections cuse_channel_release() will be called more than once, resulting in use after free.

Prevent device cloning for CUSE, which does not make sense at this point, and is highly unlikely to be used in real life.

Signed-off-by: Miklos Szeredi
Signed-off-by: Sasha Levin

--- fs/fuse/cuse.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c index f057c213c453..e10e2b62ccf4 100644 --- a/fs/fuse/cuse.c +++ b/fs/fuse/cuse.c @@ -621,6 +621,8 @@ static int __init cuse_init(void) cuse_channel_fops.owner = THIS_MODULE; cuse_channel_fops.open = cuse_channel_open; cuse_channel_fops.release = cuse_channel_release; + /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */ + cuse_channel_fops.unlocked_ioctl = NULL; cuse_class = class_create(THIS_MODULE, "cuse"); if (IS_ERR(cuse_class)) -- 2.30.2
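
Review bot: In the cuse_init() hunk only cuse_channel_fops.unlocked_ioctl is cleared. The visible context does not show how cuse_channel_fops is populated, so if the structure also carries a compat_ioctl handler, FUSE_DEV_IOC_CLONE would still be reachable from 32-bit callers on a 64-bit kernel and the repeated cuse_channel_release() described in the commit message would remain possible; please confirm, and if so set cuse_channel_fops.compat_ioctl = NULL on the following line. The added comment could also name the consequence (cuse_channel_release() running more than once, use after free) and note that assigning NULL removes every ioctl on the CUSE channel, not only the clone request, so that a later change does not restore the handler without handling cloned connections.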