From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Miklos Szeredi , Sasha Levin Subject: [PATCH 4.9 180/240] cuse: prevent clone Date: Thu, 20 May 2021 11:22:52 +0200 Message-Id: <20210520092114.703207137@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210520092108.587553970@linuxfoundation.org> References: <20210520092108.587553970@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Miklos Szeredi [ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ] For cloned connections cuse_channel_release() will be called more than once, resulting in use after free. Prevent device cloning for CUSE, which does not make sense at this point, and highly unlikely to be used in real life. Signed-off-by: Miklos Szeredi Signed-off-by: Sasha Levin --- fs/fuse/cuse.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c index d9aba9700726..b83367300f48 100644 --- a/fs/fuse/cuse.c +++ b/fs/fuse/cuse.c @@ -616,6 +616,8 @@ static int __init cuse_init(void) cuse_channel_fops.owner = THIS_MODULE; cuse_channel_fops.open = cuse_channel_open; cuse_channel_fops.release = cuse_channel_release; + /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */ + cuse_channel_fops.unlocked_ioctl = NULL; cuse_class = class_create(THIS_MODULE, "cuse"); if (IS_ERR(cuse_class)) -- 2.30.2
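Review bot: In cuse_init(), assigning `cuse_channel_fops.unlocked_ioctl = NULL` removes every ioctl on the CUSE channel, while the comment names only FUSE_DEV_IOC_CLONE. The comment should say that the whole handler is dropped because clone is the one command CUSE cannot support, so a later ioctl added to the shared handler is not silently lost on CUSE without anyone noticing. The hunk also touches only `unlocked_ioctl`. If the file_operations this struct is built from set `compat_ioctl` to the same handler, that pointer should be cleared here as well, or the commit message should note that it is not set. Since the message describes a use after free from cuse_channel_release() running more than once, a Fixes: tag naming the change that introduced cloning would help stable maintainers decide how far back this applies.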