
Commit 8ed1f0e2 authored by Jann Horn, committed by Linus Torvalds

fs/fuse: fix ioctl type confusion



fuse_dev_ioctl() performed fuse_get_dev() on a user-supplied fd,
leading to a type confusion issue. Fix it by checking file->f_op.

Signed-off-by: Jann Horn <jann@thejh.net>
Acked-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent 1efdb5f0
+9 −1
@@ -2246,7 +2246,15 @@ static long fuse_dev_ioctl(struct file *file, unsigned int cmd,

			err = -EINVAL;
			if (old) {
				struct fuse_dev *fud = fuse_get_dev(old);
				struct fuse_dev *fud = NULL;

				/*
				 * Check against file->f_op because CUSE
				 * uses the same ioctl handler.
				 */
				if (old->f_op == file->f_op &&
				    old->f_cred->user_ns == file->f_cred->user_ns)
					fud = fuse_get_dev(old);

				if (fud) {
					mutex_lock(&fuse_mutex);
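
Review bot: the new comment documents only the first half of the condition. It explains why old->f_op is compared against file->f_op (CUSE shares this ioctl handler), but the second comparison, old->f_cred->user_ns == file->f_cred->user_ns, has no rationale in the comment or in the commit message, which mentions only the f_op check. Please extend the comment to say why both files must have been opened in the same user namespace, so a later cleanup does not drop that half as redundant. Behaviour on rejection looks right from what is visible here: fud stays NULL, the if (fud) block is skipped, and err keeps the -EINVAL assigned just above.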