On Wed, Sep 15, 2021 at 05:20:09PM +0800, Yu Kuai wrote: > Prepare to fix uaf in nbd_read_stat(), no functional changes. > > Signed-off-by: Yu Kuai <yukuai3@xxxxxxxxxx> > --- > drivers/block/nbd.c | 76 +++++++++++++++++++++++++++------------------ > 1 file changed, 45 insertions(+), 31 deletions(-) > > diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c > index 22c91d8901f6..9a7bbf8ebe74 100644 > --- a/drivers/block/nbd.c > +++ b/drivers/block/nbd.c > @@ -694,38 +694,45 @@ static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd, int index) > return 0; > } > > -/* NULL returned = something went wrong, inform userspace */ > -static struct nbd_cmd *nbd_read_stat(struct nbd_device *nbd, int index) > +static int nbd_read_reply(struct nbd_device *nbd, int index, > + struct nbd_reply *reply) > { > - struct nbd_config *config = nbd->config; > - int result; > - struct nbd_reply reply; > - struct nbd_cmd *cmd; > - struct request *req = NULL; > - u64 handle; > - u16 hwq; > - u32 tag; > - struct kvec iov = {.iov_base = &reply, .iov_len = sizeof(reply)}; > + struct kvec iov = {.iov_base = reply, .iov_len = sizeof(*reply)}; > struct iov_iter to; > - int ret = 0; > + int result; > > - reply.magic = 0; > - iov_iter_kvec(&to, READ, &iov, 1, sizeof(reply)); > + reply->magic = 0; > + iov_iter_kvec(&to, READ, &iov, 1, sizeof(*reply)); > result = sock_xmit(nbd, index, 0, &to, MSG_WAITALL, NULL); > - if (result <= 0) { > - if (!nbd_disconnected(config)) > + if (result < 0) { > + if (!nbd_disconnected(nbd->config)) The above is actually sort of functional change, I'd suggest to do it in one single patch because sock_xmit() won't return zero. -- Ming
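Review bot: the new nbd_read_reply() in this hunk drops the old "/* NULL returned = something went wrong, inform userspace */" comment without documenting the replacement int return contract; add a short comment above nbd_read_reply() stating what it returns on success and on error, and that the reply is written into the caller-supplied struct nbd_reply, since callers now have to distinguish those cases instead of checking for NULL. The `if (result <= 0)` to `if (result < 0)` change in the same hunk also alters behaviour for a zero return from sock_xmit(), which does not match the "no functional changes" in the commit message; either keep `<= 0` in this preparatory patch or move that change into the patch that actually relies on it.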