| Andrew Geissler | c926e17 | 2021-05-07 16:11:35 -0500 | [diff] [blame^] | 1 | From 22d2ece71e533310da31f2857ebc4a00d91968b3 Mon Sep 17 00:00:00 2001 |
| 2 | From: Stefan Hajnoczi <stefanha@redhat.com> |
| 3 | Date: Thu, 4 Feb 2021 15:02:07 +0000 |
| 4 | Subject: [PATCH] virtiofsd: optionally return inode pointer from |
| 5 | lo_do_lookup() |
| 6 | |
| 7 | lo_do_lookup() finds an existing inode or allocates a new one. It |
| 8 | increments nlookup so that the inode stays alive until the client |
| 9 | releases it. |
| 10 | |
| 11 | Existing callers don't need the struct lo_inode so the function doesn't |
| 12 | return it. Extend the function to optionally return the inode. The next |
| 13 | commit will need it. |
| 14 | |
| 15 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> |
| 16 | Reviewed-by: Greg Kurz <groug@kaod.org> |
| 17 | Message-Id: <20210204150208.367837-3-stefanha@redhat.com> |
| 18 | Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> |
| 19 | |
| 20 | Upstream-Status: Backport |
| 21 | [https://github.com/qemu/qemu/commit/22d2ece71e533310da31f2857ebc4a00d91968b3] |
| 22 | |
| 23 | CVE: CVE-2020-35517 |
| 24 | |
| 25 | Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> |
| 26 | Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> |
| 27 | --- |
| 28 | tools/virtiofsd/passthrough_ll.c | 29 +++++++++++++++++++++-------- |
| 29 | 1 file changed, 21 insertions(+), 8 deletions(-) |
| 30 | |
| 31 | diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c |
| 32 | index f14fa51..aa35fc6 100644 |
| 33 | --- a/tools/virtiofsd/passthrough_ll.c |
| 34 | +++ b/tools/virtiofsd/passthrough_ll.c |
| 35 | @@ -831,11 +831,13 @@ static int do_statx(struct lo_data *lo, int dirfd, const char *pathname, |
| 36 | } |
| 37 | |
| 38 | /* |
| 39 | - * Increments nlookup and caller must release refcount using |
| 40 | - * lo_inode_put(&parent). |
| 41 | + * Increments nlookup on the inode on success. unref_inode_lolocked() must be |
| 42 | + * called eventually to decrement nlookup again. If inodep is non-NULL, the |
| 43 | + * inode pointer is stored and the caller must call lo_inode_put(). |
| 44 | */ |
| 45 | static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name, |
| 46 | - struct fuse_entry_param *e) |
| 47 | + struct fuse_entry_param *e, |
| 48 | + struct lo_inode **inodep) |
| 49 | { |
| 50 | int newfd; |
| 51 | int res; |
| 52 | @@ -845,6 +847,10 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name, |
| 53 | struct lo_inode *inode = NULL; |
| 54 | struct lo_inode *dir = lo_inode(req, parent); |
| 55 | |
| 56 | + if (inodep) { |
| 57 | + *inodep = NULL; |
| 58 | + } |
| 59 | + |
| 60 | /* |
| 61 | * name_to_handle_at() and open_by_handle_at() can reach here with fuse |
| 62 | * mount point in guest, but we don't have its inode info in the |
| 63 | @@ -913,7 +919,14 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name, |
| 64 | pthread_mutex_unlock(&lo->mutex); |
| 65 | } |
| 66 | e->ino = inode->fuse_ino; |
| 67 | - lo_inode_put(lo, &inode); |
| 68 | + |
| 69 | + /* Transfer ownership of inode pointer to caller or drop it */ |
| 70 | + if (inodep) { |
| 71 | + *inodep = inode; |
| 72 | + } else { |
| 73 | + lo_inode_put(lo, &inode); |
| 74 | + } |
| 75 | + |
| 76 | lo_inode_put(lo, &dir); |
| 77 | |
| 78 | fuse_log(FUSE_LOG_DEBUG, " %lli/%s -> %lli\n", (unsigned long long)parent, |
| 79 | @@ -948,7 +961,7 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name) |
| 80 | return; |
| 81 | } |
| 82 | |
| 83 | - err = lo_do_lookup(req, parent, name, &e); |
| 84 | + err = lo_do_lookup(req, parent, name, &e, NULL); |
| 85 | if (err) { |
| 86 | fuse_reply_err(req, err); |
| 87 | } else { |
| 88 | @@ -1056,7 +1069,7 @@ static void lo_mknod_symlink(fuse_req_t req, fuse_ino_t parent, |
| 89 | goto out; |
| 90 | } |
| 91 | |
| 92 | - saverr = lo_do_lookup(req, parent, name, &e); |
| 93 | + saverr = lo_do_lookup(req, parent, name, &e, NULL); |
| 94 | if (saverr) { |
| 95 | goto out; |
| 96 | } |
| 97 | @@ -1534,7 +1547,7 @@ static void lo_do_readdir(fuse_req_t req, fuse_ino_t ino, size_t size, |
| 98 | |
| 99 | if (plus) { |
| 100 | if (!is_dot_or_dotdot(name)) { |
| 101 | - err = lo_do_lookup(req, ino, name, &e); |
| 102 | + err = lo_do_lookup(req, ino, name, &e, NULL); |
| 103 | if (err) { |
| 104 | goto error; |
| 105 | } |
| 106 | @@ -1732,7 +1745,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name, |
| 107 | } |
| 108 | |
| 109 | fi->fh = fh; |
| 110 | - err = lo_do_lookup(req, parent, name, &e); |
| 111 | + err = lo_do_lookup(req, parent, name, &e, NULL); |
| 112 | } |
| 113 | if (lo->cache == CACHE_NONE) { |
| 114 | fi->direct_io = 1; |
| 115 | -- |
| 116 | 1.8.3.1 |
| 117 | |