virtiofs: fix UAF on submount umount

iput() called from fuse_release_end() can Oops if the super block has
already been destroyed.  Normally this is prevented by waiting for
num_waiting to go down to zero before commencing with super block shutdown.

This only works, however, for the last submount instance, as the wait
counter is per connection, not per superblock.

Revert to using synchronous release requests for the auto_submounts case,
which is virtiofs only at this time.

Reported-by: Aurélien Bombo <abombo@microsoft.com>
Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
Cc: Greg Kurz <gkurz@redhat.com>
Closes: https://github.com/kata-containers/kata-containers/issues/12589
Fixes: 26e5c67deb2e ("fuse: fix livelock in synchronous file put from fuseblk workers")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kurz <gkurz@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index c59452d60b8da063ccc359cbcb8ba708b3539447..9a0f5a8661da337fdb3f6511288783fcac151f32 100644 (file)
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -380,8 +380,14 @@ void fuse_file_release(struct inode *inode, struct fuse_file *ff,
         * aio and closes the fd before the aio completes.  Since aio takes its
         * own ref to the file, the IO completion has to drop the ref, which is
         * how the fuse server can end up closing its clients' files.
+        *
+        * Exception is virtio-fs, which is not affected by the above (server is
+        * on host, cannot close open files in guest).  Virtio-fs needs sync
+        * release, because the num_waiting mechanism to wait for all requests
+        * before commencing with fs shutdown doesn't work if submounts are
+        * used.
         */
-       fuse_file_put(ff, false);
+       fuse_file_put(ff, ff->fm->fc->auto_submounts);
 }
 
 void fuse_release_common(struct file *file, bool isdir)