Thread (17 messages) 17 messages, 6 authors, 2025-11-24

Re: [PATCH] nbd: restrict sockets to TCP and UDP

From: Eric Dumazet <edumazet@google.com>
Date: 2025-09-09 15:33:39
Also in: linux-block, lkml

On Tue, Sep 9, 2025 at 8:19 AM Richard W.M. Jones [off-list ref] wrote:
On Tue, Sep 09, 2025 at 07:47:09AM -0700, Eric Dumazet wrote:
quoted
On Tue, Sep 9, 2025 at 7:37 AM Jens Axboe [off-list ref] wrote:
quoted
On 9/9/25 8:35 AM, Eric Dumazet wrote:
quoted
On Tue, Sep 9, 2025 at 7:04 AM Eric Dumazet [off-list ref] wrote:
quoted
On Tue, Sep 9, 2025 at 6:32 AM Richard W.M. Jones [off-list ref] wrote:
quoted
On Tue, Sep 09, 2025 at 01:22:43PM +0000, Eric Dumazet wrote:
quoted
Recently, syzbot started to abuse NBD with all kinds of sockets.

Commit cf1b2326b734 ("nbd: verify socket is supported during setup")
made sure the socket supported a shutdown() method.

Explicitely accept TCP and UNIX stream sockets.
I'm not clear what the actual problem is, but I will say that libnbd &
nbdkit (which are another NBD client & server, interoperable with the
kernel) we support and use NBD over vsock[1].  And we could support
NBD over pretty much any stream socket (Infiniband?) [2].

[1] https://libguestfs.org/nbd_aio_connect_vsock.3.html
    https://libguestfs.org/nbdkit-service.1.html#AF_VSOCK
[2] https://libguestfs.org/nbd_connect_socket.3.html

TCP and Unix domain sockets are by far the most widely used, but I
don't think it's fair to exclude other socket types.
If we have known and supported socket types, please send a patch to add them.

I asked the question last week and got nothing about vsock or other types.

https://lore.kernel.org/netdev/CANn89iLNFHBMTF2Pb6hHERYpuih9eQZb6A12+ndzBcQs_kZoBA@mail.gmail.com/ (local)

For sure, we do not want datagram sockets, RAW, netlink, and many others.
BTW vsock will probably fire lockdep warnings, I see GFP_KERNEL
being used in net/vmw_vsock/virtio_transport.c
CC-ing Stefan & Stefano.  Myself, I'm only using libnbd
(ie. userspace) over vsock, not the kernel client.
quoted
quoted
quoted
So you will have to fix this.
Rather than play whack-a-mole with this, would it make sense to mark as
socket as "writeback/reclaim" safe and base the nbd decision on that rather
than attempt to maintain some allow/deny list of sockets?
Even if a socket type was writeback/reclaim safe, probably NBD would not support
arbitrary socket type, like netlink, af_packet, or af_netrom.

An allow list seems safer to me, with commits with a clear owner.

If future syzbot reports are triggered, the bisection will point to
these commits.
From the outside it seems really odd to hard code a list of "good"
socket types into each kernel client that can open a socket.  Normally
if you wanted to restrict socket types wouldn't you do that through
something more flexible like nftables?
nftables is user policy.

We need a kernel that will not crash, even if nftables is not
compiled/loaded/used .

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help