Merge remote-tracking branch 'remotes/gkurz-gitlab/tags/9p-next-2021-01-15' into staging

Fix for CVE-2021-20181

# gpg: Signature made Fri 15 Jan 2021 08:52:19 GMT
# gpg:                using RSA key B4828BAF943140CEF2A3491071D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <groug@kaod.org>" [full]
# gpg:                 aka "Gregory Kurz <gregory.kurz@free.fr>" [full]
# gpg:                 aka "[jpeg image of size 3330]" [full]
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3  4910 71D4 D5E5 822F 73D6

* remotes/gkurz-gitlab/tags/9p-next-2021-01-15:
  9pfs: Fully restart unreclaim loop (CVE-2021-20181)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

1 files changed, 3 insertions, 3 deletions

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 94df440fc7..6026b51a1c 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
 {
     int err;
     V9fsState *s = pdu->s;
-    V9fsFidState *fidp, head_fid;
+    V9fsFidState *fidp;
 
-    head_fid.next = s->fid_list;
+again:
     for (fidp = s->fid_list; fidp; fidp = fidp->next) {
         if (fidp->path.size != path->size) {
             continue;
@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
              * switched to the worker thread
              */
             if (err == 0) {
-                fidp = &head_fid;
+                goto again;
             }
         }
     }