| From eb5de1bfa9d0daa21970d02b8700b32adadd2835 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Wed, 14 Apr 2021 10:40:58 +0200 |
| Subject: cuse: prevent clone |
| |
| From: Miklos Szeredi <mszeredi@redhat.com> |
| |
| [ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ] |
| |
| For cloned connections cuse_channel_release() will be called more than |
| once, resulting in use after free. |
| |
| Prevent device cloning for CUSE, which does not make sense at this point, |
| and highly unlikely to be used in real life. |
| |
| Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| fs/fuse/cuse.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c |
| index 45082269e698..a37528b51798 100644 |
| --- a/fs/fuse/cuse.c |
| +++ b/fs/fuse/cuse.c |
| @@ -627,6 +627,8 @@ static int __init cuse_init(void) |
| cuse_channel_fops.owner = THIS_MODULE; |
| cuse_channel_fops.open = cuse_channel_open; |
| cuse_channel_fops.release = cuse_channel_release; |
| + /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */ |
| + cuse_channel_fops.unlocked_ioctl = NULL; |
| |
| cuse_class = class_create(THIS_MODULE, "cuse"); |
| if (IS_ERR(cuse_class)) |
| -- |
| 2.30.2 |
| |