| From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| From: Alessio Balsini <balsini@android.com> |
| Date: Wed, 12 May 2021 21:22:02 +0100 |
| Subject: UPSTREAM: fuse: fix matching of FUSE_DEV_IOC_CLONE command |
| |
| With commit f8425c939663 ("fuse: 32-bit user space ioctl compat for fuse |
| device") the matching constraints for the FUSE_DEV_IOC_CLONE ioctl command |
| are relaxed, limited to the testing of command type and number. As Arnd |
| noticed, this is wrong as it wouldn't ensure the correctness of the data |
| size or direction for the received FUSE device ioctl. |
| |
| Fix by bringing back the comparison of the ioctl received by the FUSE |
| device to the originally generated FUSE_DEV_IOC_CLONE. |
| |
| Fixes: f8425c939663 ("fuse: 32-bit user space ioctl compat for fuse device") |
| Reported-by: Arnd Bergmann <arnd@kernel.org> |
| Signed-off-by: Alessio Balsini <balsini@android.com> |
| Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> |
| Signed-off-by: Lee Jones <lee.jones@linaro.org> |
| Signed-off-by: Alessio Balsini <balsini@android.com> |
| Change-Id: I372d8399db6d603ba20ef50528acf6645e4d3c66 |
| (cherry picked from commit 6076f5f341e612152879bfda99f0b76c1953bf0b) |
| Signed-off-by: Lee Jones <joneslee@google.com> |
| --- |
| fs/fuse/dev.c | 9 +++++++++ |
| 1 file changed, 9 insertions(+) |
| |
| diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c |
| --- a/fs/fuse/dev.c |
| +++ b/fs/fuse/dev.c |
| @@ -2283,6 +2283,15 @@ static long fuse_dev_ioctl(struct file *file, unsigned int cmd, |
| } |
| fdput(f); |
| break; |
| + case FUSE_DEV_IOC_PASSTHROUGH_OPEN: |
| + res = -EFAULT; |
| + if (!get_user(oldfd, (__u32 __user *)arg)) { |
| + res = -EINVAL; |
| + fud = fuse_get_dev(file); |
| + if (fud) |
| + res = fuse_passthrough_open(fud, oldfd); |
| + } |
| + break; |
| default: |
| res = -ENOTTY; |
| break; |
