fs/fuse: fix ioctl type confusion
fuse_dev_ioctl() performed fuse_get_dev() on a user-supplied fd, leading to a type confusion issue. Fix it by checking file->f_op. Signed-off-by: Jann Horn <jann@thejh.net> Acked-by: Miklos Szeredi <miklos@szeredi.hu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
1efdb5f0a9
commit
8ed1f0e22f
@ -2246,7 +2246,15 @@ static long fuse_dev_ioctl(struct file *file, unsigned int cmd,
|
|||||||
|
|
||||||
err = -EINVAL;
|
err = -EINVAL;
|
||||||
if (old) {
|
if (old) {
|
||||||
struct fuse_dev *fud = fuse_get_dev(old);
|
struct fuse_dev *fud = NULL;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check against file->f_op because CUSE
|
||||||
|
* uses the same ioctl handler.
|
||||||
|
*/
|
||||||
|
if (old->f_op == file->f_op &&
|
||||||
|
old->f_cred->user_ns == file->f_cred->user_ns)
|
||||||
|
fud = fuse_get_dev(old);
|
||||||
|
|
||||||
if (fud) {
|
if (fud) {
|
||||||
mutex_lock(&fuse_mutex);
|
mutex_lock(&fuse_mutex);
|
||||||
|
Loading…
Reference in New Issue
Block a user