diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch | 117 |
1 files changed, 0 insertions, 117 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch deleted file mode 100644 index bf11bdb6f8..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch +++ /dev/null | |||
@@ -1,117 +0,0 @@ | |||
1 | From 22d2ece71e533310da31f2857ebc4a00d91968b3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Stefan Hajnoczi <stefanha@redhat.com> | ||
3 | Date: Thu, 4 Feb 2021 15:02:07 +0000 | ||
4 | Subject: [PATCH] virtiofsd: optionally return inode pointer from | ||
5 | lo_do_lookup() | ||
6 | |||
7 | lo_do_lookup() finds an existing inode or allocates a new one. It | ||
8 | increments nlookup so that the inode stays alive until the client | ||
9 | releases it. | ||
10 | |||
11 | Existing callers don't need the struct lo_inode so the function doesn't | ||
12 | return it. Extend the function to optionally return the inode. The next | ||
13 | commit will need it. | ||
14 | |||
15 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
16 | Reviewed-by: Greg Kurz <groug@kaod.org> | ||
17 | Message-Id: <20210204150208.367837-3-stefanha@redhat.com> | ||
18 | Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> | ||
19 | |||
20 | Upstream-Status: Backport | ||
21 | [https://github.com/qemu/qemu/commit/22d2ece71e533310da31f2857ebc4a00d91968b3] | ||
22 | |||
23 | CVE: CVE-2020-35517 | ||
24 | |||
25 | Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> | ||
26 | Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> | ||
27 | --- | ||
28 | tools/virtiofsd/passthrough_ll.c | 29 +++++++++++++++++++++-------- | ||
29 | 1 file changed, 21 insertions(+), 8 deletions(-) | ||
30 | |||
31 | diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c | ||
32 | index f14fa51..aa35fc6 100644 | ||
33 | --- a/tools/virtiofsd/passthrough_ll.c | ||
34 | +++ b/tools/virtiofsd/passthrough_ll.c | ||
35 | @@ -831,11 +831,13 @@ static int do_statx(struct lo_data *lo, int dirfd, const char *pathname, | ||
36 | } | ||
37 | |||
38 | /* | ||
39 | - * Increments nlookup and caller must release refcount using | ||
40 | - * lo_inode_put(&parent). | ||
41 | + * Increments nlookup on the inode on success. unref_inode_lolocked() must be | ||
42 | + * called eventually to decrement nlookup again. If inodep is non-NULL, the | ||
43 | + * inode pointer is stored and the caller must call lo_inode_put(). | ||
44 | */ | ||
45 | static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name, | ||
46 | - struct fuse_entry_param *e) | ||
47 | + struct fuse_entry_param *e, | ||
48 | + struct lo_inode **inodep) | ||
49 | { | ||
50 | int newfd; | ||
51 | int res; | ||
52 | @@ -845,6 +847,10 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name, | ||
53 | struct lo_inode *inode = NULL; | ||
54 | struct lo_inode *dir = lo_inode(req, parent); | ||
55 | |||
56 | + if (inodep) { | ||
57 | + *inodep = NULL; | ||
58 | + } | ||
59 | + | ||
60 | /* | ||
61 | * name_to_handle_at() and open_by_handle_at() can reach here with fuse | ||
62 | * mount point in guest, but we don't have its inode info in the | ||
63 | @@ -913,7 +919,14 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name, | ||
64 | pthread_mutex_unlock(&lo->mutex); | ||
65 | } | ||
66 | e->ino = inode->fuse_ino; | ||
67 | - lo_inode_put(lo, &inode); | ||
68 | + | ||
69 | + /* Transfer ownership of inode pointer to caller or drop it */ | ||
70 | + if (inodep) { | ||
71 | + *inodep = inode; | ||
72 | + } else { | ||
73 | + lo_inode_put(lo, &inode); | ||
74 | + } | ||
75 | + | ||
76 | lo_inode_put(lo, &dir); | ||
77 | |||
78 | fuse_log(FUSE_LOG_DEBUG, " %lli/%s -> %lli\n", (unsigned long long)parent, | ||
79 | @@ -948,7 +961,7 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name) | ||
80 | return; | ||
81 | } | ||
82 | |||
83 | - err = lo_do_lookup(req, parent, name, &e); | ||
84 | + err = lo_do_lookup(req, parent, name, &e, NULL); | ||
85 | if (err) { | ||
86 | fuse_reply_err(req, err); | ||
87 | } else { | ||
88 | @@ -1056,7 +1069,7 @@ static void lo_mknod_symlink(fuse_req_t req, fuse_ino_t parent, | ||
89 | goto out; | ||
90 | } | ||
91 | |||
92 | - saverr = lo_do_lookup(req, parent, name, &e); | ||
93 | + saverr = lo_do_lookup(req, parent, name, &e, NULL); | ||
94 | if (saverr) { | ||
95 | goto out; | ||
96 | } | ||
97 | @@ -1534,7 +1547,7 @@ static void lo_do_readdir(fuse_req_t req, fuse_ino_t ino, size_t size, | ||
98 | |||
99 | if (plus) { | ||
100 | if (!is_dot_or_dotdot(name)) { | ||
101 | - err = lo_do_lookup(req, ino, name, &e); | ||
102 | + err = lo_do_lookup(req, ino, name, &e, NULL); | ||
103 | if (err) { | ||
104 | goto error; | ||
105 | } | ||
106 | @@ -1732,7 +1745,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name, | ||
107 | } | ||
108 | |||
109 | fi->fh = fh; | ||
110 | - err = lo_do_lookup(req, parent, name, &e); | ||
111 | + err = lo_do_lookup(req, parent, name, &e, NULL); | ||
112 | } | ||
113 | if (lo->cache == CACHE_NONE) { | ||
114 | fi->direct_io = 1; | ||
115 | -- | ||
116 | 1.8.3.1 | ||
117 | |||