v2 was here:
https://lists.gnu.org/archive/html/qemu-devel/2024-08/msg00253.html
Since then:
- CVE number assigned
- drop old patch 1. Instead of tracking nbd_server generation, the
  code now ensures that nbd_server can't be set to NULL until all
  clients have disconnected
- rewrite to force qio shutdown coupled with AIO_WAIT to ensure all
  clients actually disconnect quickly (from the server's
  perspective. A client may still hold its socket open longer, but
  will eventually see EPIPE or EOF when finally using it)
- patch 2 is optional, although I like the notion of a doubly-linked
  list (where the client has to remember an opaque pointer) over a
  singly-linked one (where the client is unchanged, but a lot of
  repeated client connect/disconnect over a long-lived server can
  chew up memory and slow down the eventual nbd-server-stop)

Eric Blake (2):
  nbd: CVE-2024-7409: Close stray client sockets at server shutdown
  nbd: Clean up clients more efficiently

 include/block/nbd.h |  4 +++-
 blockdev-nbd.c      | 39 +++++++++++++++++++++++++++++++++++++--
 nbd/server.c        | 15 ++++++++++++---
 qemu-nbd.c          |  2 +-
 4 files changed, 53 insertions(+), 7 deletions(-)

--
2.45.2