[062/104] virtiofsd: Handle hard reboot

Message ID	20191212163904.159893-63-dgilbert@redhat.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com> To: qemu-devel@nongnu.org, stefanha@redhat.com, vgoyal@redhat.com Subject: [PATCH 062/104] virtiofsd: Handle hard reboot Date: Thu, 12 Dec 2019 16:38:22 +0000 Message-Id: <20191212163904.159893-63-dgilbert@redhat.com> In-Reply-To: <20191212163904.159893-1-dgilbert@redhat.com> References: <20191212163904.159893-1-dgilbert@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Precedence: list Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
Series	virtiofs daemon [all] \| expand [000/104] virtiofs daemon [all] [001/104] virtiofsd: Pull in upstream headers [002/104] virtiofsd: Pull in kernel's fuse.h [003/104] virtiofsd: Add auxiliary .c's [004/104] virtiofsd: Add fuse_lowlevel.c [005/104] virtiofsd: Add passthrough_ll [006/104] virtiofsd: Trim down imported files [007/104] virtiofsd: Format imported files to qemu style [008/104] virtiofsd: remove mountpoint dummy argument [009/104] virtiofsd: remove unused notify reply support [010/104] virtiofsd: Fix fuse_daemonize ignored return values [011/104] virtiofsd: Fix common header and define for QEMU builds [012/104] virtiofsd: Trim out compatibility code [013/104] virtiofsd: Make fsync work even if only inode is passed in [014/104] virtiofsd: Add options for virtio [015/104] virtiofsd: add -o source=PATH to help output [016/104] virtiofsd: Open vhost connection instead of mounting [017/104] virtiofsd: Start wiring up vhost-user [018/104] virtiofsd: Add main virtio loop [019/104] virtiofsd: get/set features callbacks [020/104] virtiofsd: Start queue threads [021/104] virtiofsd: Poll kick_fd for queue [022/104] virtiofsd: Start reading commands from queue [023/104] virtiofsd: Send replies to messages [024/104] virtiofsd: Keep track of replies [025/104] virtiofsd: Add Makefile wiring for virtiofsd contrib [026/104] virtiofsd: Fast path for virtio read [027/104] virtiofsd: add --fd=FDNUM fd passing option [028/104] virtiofsd: make -f (foreground) the default [029/104] virtiofsd: add vhost-user.json file [030/104] virtiofsd: add --print-capabilities option [031/104] virtiofs: Add maintainers entry [032/104] virtiofsd: passthrough_ll: create new files in caller's context [033/104] virtiofsd: passthrough_ll: add lo_map for ino/fh indirection [034/104] virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers [035/104] virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers [036/104] virtiofsd: passthrough_ll: add fd_map to hide file descriptors [037/104] virtiofsd: passthrough_ll: add fallback for racy ops [038/104] virtiofsd: validate path components [039/104] virtiofsd: Plumb fuse_bufvec through to do_write_buf [040/104] virtiofsd: Pass write iov's all the way through [041/104] virtiofsd: add fuse_mbuf_iter API [042/104] virtiofsd: validate input buffer sizes in do_write_buf() [043/104] virtiofsd: check input buffer size in fuse_lowlevel.c ops [044/104] virtiofsd: prevent ".." escape in lo_do_lookup() [045/104] virtiofsd: prevent ".." escape in lo_do_readdir() [046/104] virtiofsd: use /proc/self/fd/ O_PATH file descriptor [047/104] virtiofsd: sandbox mount namespace [048/104] virtiofsd: move to an empty network namespace [049/104] virtiofsd: move to a new pid namespace [050/104] virtiofsd: add seccomp whitelist [051/104] virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV [052/104] virtiofsd: cap-ng helpers [053/104] virtiofsd: Drop CAP_FSETID if client asked for it [054/104] virtiofsd: set maximum RLIMIT_NOFILE limit [055/104] virtiofsd: fix libfuse information leaks [056/104] virtiofsd: add security guide document [057/104] virtiofsd: add --syslog command-line option [058/104] virtiofsd: print log only when priority is high enough [059/104] virtiofsd: Add ID to the log with FUSE_LOG_DEBUG level [060/104] virtiofsd: Add timestamp to the log with FUSE_LOG_DEBUG level [061/104] virtiofsd: Handle reinit [062/104] virtiofsd: Handle hard reboot [063/104] virtiofsd: Kill threads when queues are stopped [064/104] vhost-user: Print unexpected slave message types [065/104] contrib/libvhost-user: Protect slave fd with mutex [066/104] virtiofsd: passthrough_ll: add renameat2 support [067/104] virtiofsd: passthrough_ll: disable readdirplus on cache=never [068/104] virtiofsd: passthrough_ll: control readdirplus [069/104] virtiofsd: rename unref_inode() to unref_inode_lolocked() [070/104] virtiofsd: fail when parent inode isn't known in lo_do_lookup() [071/104] virtiofsd: extract root inode init into setup_root() [072/104] virtiofsd: passthrough_ll: fix refcounting on remove/rename [073/104] virtiofsd: passthrough_ll: clean up cache related options [074/104] virtiofsd: passthrough_ll: use hashtable [075/104] virtiofsd: Clean up inodes on destroy [076/104] virtiofsd: support nanosecond resolution for file timestamp [077/104] virtiofsd: fix error handling in main() [078/104] virtiofsd: cleanup allocated resource in se [079/104] virtiofsd: fix memory leak on lo.source [080/104] virtiofsd: add helper for lo_data cleanup [081/104] virtiofsd: Prevent multiply running with same vhost_user_socket [082/104] virtiofsd: enable PARALLEL_DIROPS during INIT [083/104] virtiofsd: fix incorrect error handling in lo_do_lookup [084/104] Virtiofsd: fix memory leak on fuse queueinfo [085/104] virtiofsd: Support remote posix locks [086/104] virtiofsd: use fuse_lowlevel_is_virtio() in fuse_session_destroy() [087/104] virtiofsd: prevent fv_queue_thread() vs virtio_loop() races [088/104] virtiofsd: make lo_release() atomic [089/104] virtiofsd: prevent races with lo_dirp_put() [090/104] virtiofsd: rename inode->refcount to inode->nlookup [091/104] libvhost-user: Fix some memtable remap cases [092/104] virtiofsd: add man page [093/104] virtiofsd: introduce inode refcount to prevent use-after-free [094/104] virtiofsd: do not always set FUSE_FLOCK_LOCKS [095/104] virtiofsd: convert more fprintf and perror to use fuse log infra [096/104] virtiofsd: Reset O_DIRECT flag during file open [097/104] virtiofsd: Fix data corruption with O_APPEND wirte in writeback mode [098/104] virtiofsd: add definition of fuse_buf_writev() [099/104] virtiofsd: use fuse_buf_writev to replace fuse_buf_write for better performance [100/104] virtiofsd: process requests in a thread pool [101/104] virtiofsd: prevent FUSE_INIT/FUSE_DESTROY races [102/104] virtiofsd: fix lo_destroy() resource leaks [103/104] virtiofsd: add --thread-pool-size=NUM option [104/104] virtiofsd: Convert lo_destroy to take the lo->mutex lock itself [105/104] virtiofsd: Unref old/new inodes with the same mutex lock in lo_rename()

Message ID

20191212163904.159893-63-dgilbert@redhat.com

State

New

Headers

From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com>
To: qemu-devel@nongnu.org,
	stefanha@redhat.com,
	vgoyal@redhat.com
Subject: [PATCH 062/104] virtiofsd: Handle hard reboot
Date: Thu, 12 Dec 2019 16:38:22 +0000
Message-Id: <20191212163904.159893-63-dgilbert@redhat.com>
In-Reply-To: <20191212163904.159893-1-dgilbert@redhat.com>
References: <20191212163904.159893-1-dgilbert@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Precedence: list
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>

Series

virtiofs daemon [all] | expand

Commit Message

Dr. David Alan Gilbert Dec. 12, 2019, 4:38 p.m. UTC

From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>

Handle a
  mount
  hard reboot (without unmount)
  mount

we get another 'init' which FUSE doesn't normally expect.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
---
 tools/virtiofsd/fuse_lowlevel.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

Comments

Daniel P. Berrangé Jan. 7, 2020, 11:14 a.m. UTC | #1

On Thu, Dec 12, 2019 at 04:38:22PM +0000, Dr. David Alan Gilbert (git) wrote:
> From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
> 
> Handle a
>   mount
>   hard reboot (without unmount)
>   mount
> 
> we get another 'init' which FUSE doesn't normally expect.
> 
> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> ---
>  tools/virtiofsd/fuse_lowlevel.c | 16 +++++++++++++++-
>  1 file changed, 15 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/virtiofsd/fuse_lowlevel.c b/tools/virtiofsd/fuse_lowlevel.c
> index 2d1d1a2e59..45125ef66a 100644
> --- a/tools/virtiofsd/fuse_lowlevel.c
> +++ b/tools/virtiofsd/fuse_lowlevel.c
> @@ -2436,7 +2436,21 @@ void fuse_session_process_buf_int(struct fuse_session *se,
>              goto reply_err;
>          }
>      } else if (in->opcode == FUSE_INIT || in->opcode == CUSE_INIT) {
> -        goto reply_err;
> +        if (fuse_lowlevel_is_virtio(se)) {
> +            /*
> +             * TODO: This is after a hard reboot typically, we need to do
> +             * a destroy, but we can't reply to this request yet so
> +             * we can't use do_destroy
> +             */
> +            fuse_log(FUSE_LOG_DEBUG, "%s: reinit\n", __func__);
> +            se->got_destroy = 1;
> +            se->got_init = 0;
> +            if (se->op.destroy) {
> +                se->op.destroy(se->userdata);
> +            }
> +        } else {
> +            goto reply_err;
> +        }

In doing this, is there any danger we're exposed to from a malicious
guest which does

   mount
   mount

without a reboot in between ?

I'm thinking not so if its ok, then

 Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
 

Regards,
Daniel

Dr. David Alan Gilbert Jan. 10, 2020, 3:43 p.m. UTC | #2

* Daniel P. Berrangé (berrange@redhat.com) wrote:
> On Thu, Dec 12, 2019 at 04:38:22PM +0000, Dr. David Alan Gilbert (git) wrote:
> > From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
> > 
> > Handle a
> >   mount
> >   hard reboot (without unmount)
> >   mount
> > 
> > we get another 'init' which FUSE doesn't normally expect.
> > 
> > Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> > ---
> >  tools/virtiofsd/fuse_lowlevel.c | 16 +++++++++++++++-
> >  1 file changed, 15 insertions(+), 1 deletion(-)
> > 
> > diff --git a/tools/virtiofsd/fuse_lowlevel.c b/tools/virtiofsd/fuse_lowlevel.c
> > index 2d1d1a2e59..45125ef66a 100644
> > --- a/tools/virtiofsd/fuse_lowlevel.c
> > +++ b/tools/virtiofsd/fuse_lowlevel.c
> > @@ -2436,7 +2436,21 @@ void fuse_session_process_buf_int(struct fuse_session *se,
> >              goto reply_err;
> >          }
> >      } else if (in->opcode == FUSE_INIT || in->opcode == CUSE_INIT) {
> > -        goto reply_err;
> > +        if (fuse_lowlevel_is_virtio(se)) {
> > +            /*
> > +             * TODO: This is after a hard reboot typically, we need to do
> > +             * a destroy, but we can't reply to this request yet so
> > +             * we can't use do_destroy
> > +             */
> > +            fuse_log(FUSE_LOG_DEBUG, "%s: reinit\n", __func__);
> > +            se->got_destroy = 1;
> > +            se->got_init = 0;
> > +            if (se->op.destroy) {
> > +                se->op.destroy(se->userdata);
> > +            }
> > +        } else {
> > +            goto reply_err;
> > +        }
> 
> In doing this, is there any danger we're exposed to from a malicious
> guest which does
> 
>    mount
>    mount
> 
> without a reboot in between ?

I don't think so - or at least not from the daemon side of things; if it
were to do that (and get two FUSE_INIT's) then the state of it's first
mount would be rather messed up; but the only thing to suffer would be
the kernel doing that odd re-init, so I don't think the maliciousness
should break anyone else.


> I'm thinking not so if its ok, then
> 
>  Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Thanks.

> 
> Regards,
> Daniel
> -- 
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

Misono Tomohiro Jan. 20, 2020, 6:46 a.m. UTC | #3

> From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
> 
> Handle a
>   mount
>   hard reboot (without unmount)
>   mount
> 
> we get another 'init' which FUSE doesn't normally expect.
> 
> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> ---
>  tools/virtiofsd/fuse_lowlevel.c | 16 +++++++++++++++-
>  1 file changed, 15 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/virtiofsd/fuse_lowlevel.c b/tools/virtiofsd/fuse_lowlevel.c
> index 2d1d1a2e59..45125ef66a 100644
> --- a/tools/virtiofsd/fuse_lowlevel.c
> +++ b/tools/virtiofsd/fuse_lowlevel.c
> @@ -2436,7 +2436,21 @@ void fuse_session_process_buf_int(struct fuse_session *se,
>              goto reply_err;
>          }
>      } else if (in->opcode == FUSE_INIT || in->opcode == CUSE_INIT) {
> -        goto reply_err;
> +        if (fuse_lowlevel_is_virtio(se)) {

> +            /*
> +             * TODO: This is after a hard reboot typically, we need to do
> +             * a destroy, but we can't reply to this request yet so
> +             * we can't use do_destroy
> +             */

Hi,

I wonder what is the TODO actually. Is this just to provide a common
function for both here and do_destroy() or more than that?

Thanks
Misono

> +            fuse_log(FUSE_LOG_DEBUG, "%s: reinit\n", __func__);
> +            se->got_destroy = 1;
> +            se->got_init = 0;
> +            if (se->op.destroy) {
> +                se->op.destroy(se->userdata);
> +            }
> +        } else {
> +            goto reply_err;
> +        }
>      }
>  
>      err = EACCES;
> -- 
> 2.23.0

Dr. David Alan Gilbert Jan. 22, 2020, 6:28 p.m. UTC | #4

* Misono Tomohiro (misono.tomohiro@jp.fujitsu.com) wrote:
> > From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
> > 
> > Handle a
> >   mount
> >   hard reboot (without unmount)
> >   mount
> > 
> > we get another 'init' which FUSE doesn't normally expect.
> > 
> > Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> > ---
> >  tools/virtiofsd/fuse_lowlevel.c | 16 +++++++++++++++-
> >  1 file changed, 15 insertions(+), 1 deletion(-)
> > 
> > diff --git a/tools/virtiofsd/fuse_lowlevel.c b/tools/virtiofsd/fuse_lowlevel.c
> > index 2d1d1a2e59..45125ef66a 100644
> > --- a/tools/virtiofsd/fuse_lowlevel.c
> > +++ b/tools/virtiofsd/fuse_lowlevel.c
> > @@ -2436,7 +2436,21 @@ void fuse_session_process_buf_int(struct fuse_session *se,
> >              goto reply_err;
> >          }
> >      } else if (in->opcode == FUSE_INIT || in->opcode == CUSE_INIT) {
> > -        goto reply_err;
> > +        if (fuse_lowlevel_is_virtio(se)) {
> 
> > +            /*
> > +             * TODO: This is after a hard reboot typically, we need to do
> > +             * a destroy, but we can't reply to this request yet so
> > +             * we can't use do_destroy
> > +             */
> 
> Hi,
> 
> I wonder what is the TODO actually. Is this just to provide a common
> function for both here and do_destroy() or more than that?

Yes, we really need to combine it somehow; but do_destroy is based
n responding to a request, but we don't have a normal request at this
point.

Dave

> Thanks
> Misono
> 
> > +            fuse_log(FUSE_LOG_DEBUG, "%s: reinit\n", __func__);
> > +            se->got_destroy = 1;
> > +            se->got_init = 0;
> > +            if (se->op.destroy) {
> > +                se->op.destroy(se->userdata);
> > +            }
> > +        } else {
> > +            goto reply_err;
> > +        }
> >      }
> >  
> >      err = EACCES;
> > -- 
> > 2.23.0
> 
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

diff --git a/tools/virtiofsd/fuse_lowlevel.c b/tools/virtiofsd/fuse_lowlevel.c
index 2d1d1a2e59..45125ef66a 100644
--- a/tools/virtiofsd/fuse_lowlevel.c
+++ b/tools/virtiofsd/fuse_lowlevel.c
@@ -2436,7 +2436,21 @@  void fuse_session_process_buf_int(struct fuse_session *se,
             goto reply_err;
         }
     } else if (in->opcode == FUSE_INIT || in->opcode == CUSE_INIT) {
-        goto reply_err;
+        if (fuse_lowlevel_is_virtio(se)) {
+            /*
+             * TODO: This is after a hard reboot typically, we need to do
+             * a destroy, but we can't reply to this request yet so
+             * we can't use do_destroy
+             */
+            fuse_log(FUSE_LOG_DEBUG, "%s: reinit\n", __func__);
+            se->got_destroy = 1;
+            se->got_init = 0;
+            if (se->op.destroy) {
+                se->op.destroy(se->userdata);
+            }
+        } else {
+            goto reply_err;
+        }
     }
 
     err = EACCES;

[062/104] virtiofsd: Handle hard reboot

Commit Message

Comments

Patch