Commit 8ed1f0e2 authored by Jann Horn's avatar Jann Horn Committed by Linus Torvalds

fs/fuse: fix ioctl type confusion

fuse_dev_ioctl() performed fuse_get_dev() on a user-supplied fd,
leading to a type confusion issue. Fix it by checking file->f_op.
Signed-off-by: default avatarJann Horn <jann@thejh.net>
Acked-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 1efdb5f0
...@@ -2246,7 +2246,15 @@ static long fuse_dev_ioctl(struct file *file, unsigned int cmd, ...@@ -2246,7 +2246,15 @@ static long fuse_dev_ioctl(struct file *file, unsigned int cmd,
err = -EINVAL; err = -EINVAL;
if (old) { if (old) {
struct fuse_dev *fud = fuse_get_dev(old); struct fuse_dev *fud = NULL;
/*
* Check against file->f_op because CUSE
* uses the same ioctl handler.
*/
if (old->f_op == file->f_op &&
old->f_cred->user_ns == file->f_cred->user_ns)
fud = fuse_get_dev(old);
if (fud) { if (fud) {
mutex_lock(&fuse_mutex); mutex_lock(&fuse_mutex);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment