From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Miklos Szeredi , Sasha Levin Subject: [PATCH 4.4 145/190] cuse: prevent clone Date: Thu, 20 May 2021 11:23:29 +0200 Message-Id: <20210520092106.980683842@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210520092102.149300807@linuxfoundation.org> References: <20210520092102.149300807@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Miklos Szeredi [ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ] For cloned connections cuse_channel_release() will be called more than once, resulting in use after free. Prevent device cloning for CUSE, which does not make sense at this point, and highly unlikely to be used in real life. Signed-off-by: Miklos Szeredi Signed-off-by: Sasha Levin --- fs/fuse/cuse.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c index d9aba9700726..b83367300f48 100644 --- a/fs/fuse/cuse.c +++ b/fs/fuse/cuse.c @@ -616,6 +616,8 @@ static int __init cuse_init(void) cuse_channel_fops.owner = THIS_MODULE; cuse_channel_fops.open = cuse_channel_open; cuse_channel_fops.release = cuse_channel_release; + /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */ + cuse_channel_fops.unlocked_ioctl = NULL; cuse_class = class_create(THIS_MODULE, "cuse"); if (IS_ERR(cuse_class)) -- 2.30.2
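Review bot: In the cuse_init() hunk, the added assignment clears only cuse_channel_fops.unlocked_ioctl, and the visible lines do not show whether a compat_ioctl handler is also set on cuse_channel_fops in this tree. If one is, FUSE_DEV_IOC_CLONE could still reach the device through the compat path and the repeated cuse_channel_release() described in the commit message would remain possible, so it is worth confirming for the 4.4 backport and clearing .compat_ioctl alongside if needed. Separately, the comment names only FUSE_DEV_IOC_CLONE while the assignment removes the whole ioctl handler; a wording such as "no ioctls are supported on the CUSE channel because CUSE is not prepared for FUSE_DEV_IOC_CLONE" would tell a later contributor that adding a new device ioctl will not automatically apply to CUSE.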