From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linuxfoundation.org ([140.211.169.12]:48797 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751654AbbIWE7F (ORCPT ); Wed, 23 Sep 2015 00:59:05 -0400
Subject: Patch "fs/fuse: fix ioctl type confusion" has been added to the 4.1-stable tree
To: jann@thejh.net, gregkh@linuxfoundation.org, miklos@szeredi.hu, torvalds@linux-foundation.org
Cc: ,
From:
Date: Tue, 22 Sep 2015 21:58:59 -0700
Message-ID: <144298433917171@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID:

This is a note to let you know that I've just added the patch titled

    fs/fuse: fix ioctl type confusion

to the 4.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     fs-fuse-fix-ioctl-type-confusion.patch
and it can be found in the queue-4.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.


>From 8ed1f0e22f49ef42e63875fd2529389a32ff3566 Mon Sep 17 00:00:00 2001
From: Jann Horn
Date: Sun, 16 Aug 2015 20:27:01 +0200
Subject: fs/fuse: fix ioctl type confusion

From: Jann Horn

commit 8ed1f0e22f49ef42e63875fd2529389a32ff3566 upstream.

fuse_dev_ioctl() performed fuse_get_dev() on a user-supplied fd, leading
to a type confusion issue. Fix it by checking file->f_op.

Signed-off-by: Jann Horn
Acked-by: Miklos Szeredi
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 80cc1b35d460..ebb5e37455a0 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2246,7 +2246,15 @@ static long fuse_dev_ioctl(struct file *file, unsigned int cmd, err = -EINVAL; if (old) { - struct fuse_dev *fud = fuse_get_dev(old); + struct fuse_dev *fud = NULL; + + /* + * Check against file->f_op because CUSE + * uses the same ioctl handler. + */ + if (old->f_op == file->f_op && + old->f_cred->user_ns == file->f_cred->user_ns) + fud = fuse_get_dev(old); if (fud) { mutex_lock(&fuse_mutex); Patches currently in stable-queue which might be from jann@thejh.net are queue-4.1/cifs-fix-type-confusion-in-copy-offload-ioctl.patch queue-4.1/fs-fuse-fix-ioctl-type-confusion.patch
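Review bot: the in-code comment and the commit message justify only the `old->f_op == file->f_op` half of the new condition (CUSE shares the ioctl handler, so a matching f_op is what proves `old->private_data` really is a `struct fuse_dev`), but the hunk also requires `old->f_cred->user_ns == file->f_cred->user_ns`, and nothing in the comment or the commit text says why that second clause is there; a sentence in the comment would stop a later cleanup from dropping it as redundant. The failure path itself reads correctly: when either clause is false, `fud` stays NULL, the `if (fud)` block is skipped, and the caller gets the `err = -EINVAL` already set above, which is the same outcome as passing a fuse fd that has no device attached.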