From: Jens Axboe
To: josef@toxicpanda.com, linan666@huaweicloud.com
Cc: linux-block@vger.kernel.org, nbd@other.debian.org, linux-kernel@vger.kernel.org, linan122@huawei.com, yukuai3@huawei.com, yi.zhang@huawei.com, houtao1@huawei.com, yangerkun@huawei.com
In-Reply-To: <20230911023308.3467802-1-linan666@huaweicloud.com>
References: <20230911023308.3467802-1-linan666@huaweicloud.com>
Subject: Re: [PATCH] nbd: pass nbd_sock to nbd_read_reply() instead of index
Message-Id: <170057775563.269185.521615863055260084.b4-ty@kernel.dk>
Date: Tue, 21 Nov 2023 07:42:35 -0700
X-Mailer: b4 0.13-dev-26615
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 11 Sep 2023 10:33:08 +0800, linan666@huaweicloud.com wrote:
> If a socket is processing ioctl 'NBD_SET_SOCK', config->socks might be
> krealloc in nbd_add_socket(), and a garbage request is received now, a UAF
> may occur.
>
>   T1
>   nbd_ioctl
>    __nbd_ioctl
>     nbd_add_socket
>      blk_mq_freeze_queue
>                                 T2
>                                 recv_work
>                                  nbd_read_reply
>                                   sock_xmit
>      krealloc config->socks
>                                    def config->socks
>
> [...]

Applied, thanks!

[1/1] nbd: pass nbd_sock to nbd_read_reply() instead of index
      commit: 98c598afc22d4e43c2ad91860b65996d0c099a5d

Best regards,
-- 
Jens Axboe
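
Added example, not part of the original message or of the applied patch: a userspace C model of why handing the receive path the per-socket pointer, rather than an index into config->socks, survives the array being regrown. It assumes config->socks is an array of pointers to separately allocated per-socket objects; model_sock, model_config and the model_* functions are hypothetical names, and the array is always moved on growth so the effect is deterministic.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model, not kernel code: all names here are hypothetical. */
struct model_sock { int cookie; };
struct model_config {
    struct model_sock **socks;   /* array of pointers, regrown on each add */
    int num_connections;
};

/* Models nbd_add_socket(): grow the pointer array by one slot. krealloc may
 * move the array; this model always moves it (malloc + copy + free). The
 * model_sock objects themselves are never moved or freed here. */
static int model_add_socket(struct model_config *cfg, int cookie)
{
    size_t n = (size_t)cfg->num_connections;
    struct model_sock **grown = malloc((n + 1) * sizeof(*grown));
    struct model_sock *nsock = malloc(sizeof(*nsock));
    if (!grown || !nsock) { free(grown); free(nsock); return -1; }
    if (n) memcpy(grown, cfg->socks, n * sizeof(*grown));
    nsock->cookie = cookie;
    grown[n] = nsock;
    free(cfg->socks);            /* the old array must not be read after this */
    cfg->socks = grown;
    cfg->num_connections++;
    return 0;
}

/* Receiver that was handed the element pointer up front: it never reads
 * cfg->socks, so array growth elsewhere cannot leave it with a stale base. */
static int model_read_reply(const struct model_sock *nsock) { return nsock->cookie; }

/* Returns 1 when the array base moved but the held element is still live. */
int held_pointer_survives_growth(void)
{
    struct model_config cfg = { NULL, 0 };
    if (model_add_socket(&cfg, 41)) return 0;
    uintptr_t old_base = (uintptr_t)cfg.socks;  /* recorded, never dereferenced */
    struct model_sock *held = cfg.socks[0];     /* what the receiver keeps */
    if (model_add_socket(&cfg, 42)) return 0;
    int ok = (uintptr_t)cfg.socks != old_base   /* the array really moved */
          && held == cfg.socks[0]               /* the element did not */
          && model_read_reply(held) == 41;
    for (int i = 0; i < cfg.num_connections; i++) free(cfg.socks[i]);
    free(cfg.socks);
    return ok;
}
```

A receiver that instead kept the old array base and indexed it after the second add would be reading freed memory, which is the window the T1/T2 trace above describes.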