From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Miklos Szeredi, Sasha Levin
Subject: [PATCH 4.14 246/323] cuse: prevent clone
Date: Thu, 20 May 2021 11:22:18 +0200
Message-Id: <20210520092128.624626819@linuxfoundation.org>
In-Reply-To: <20210520092120.115153432@linuxfoundation.org>

From: Miklos Szeredi

[ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ]

For cloned connections cuse_channel_release() will be called more than once, resulting in use after free.

Prevent device cloning for CUSE, which does not make sense at this point, and highly unlikely to be used in real life.

Signed-off-by: Miklos Szeredi
Signed-off-by: Sasha Levin

--- fs/fuse/cuse.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c index 55db06c7c587..b15eaa9e6cd7 100644 --- a/fs/fuse/cuse.c +++ b/fs/fuse/cuse.c @@ -616,6 +616,8 @@ static int __init cuse_init(void) cuse_channel_fops.owner = THIS_MODULE; cuse_channel_fops.open = cuse_channel_open; cuse_channel_fops.release = cuse_channel_release; + /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */ + cuse_channel_fops.unlocked_ioctl = NULL; cuse_class = class_create(THIS_MODULE, "cuse"); if (IS_ERR(cuse_class)) -- 2.30.2
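
Review bot: The added "cuse_channel_fops.unlocked_ioctl = NULL;" in cuse_init() clears only the native ioctl entry point. If cuse_channel_fops also carries a compat_ioctl handler (its initialisation is not visible in this hunk), the FUSE_DEV_IOC_CLONE path would stay reachable through the compat entry point and cuse_channel_release() could still run more than once. Please confirm how compat_ioctl is set in this tree and, if it points at the same handler, set "cuse_channel_fops.compat_ioctl = NULL;" next to the new line. The comment could also state the reason, i.e. that a cloned connection makes cuse_channel_release() run more than once, so the rationale is in the code and not only in the commit message.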