@blktests-ci blktests-ci bot commented Jan 30, 2026

Pull request for series with
subject: ublk: fix struct ublksrv_ctrl_cmd accesses
version: 2
url: https://patchwork.kernel.org/project/linux-block/list/?series=1049091


blktests-ci bot commented Jan 30, 2026

Upstream branch: d4b7351
series: https://patchwork.kernel.org/project/linux-block/list/?series=1049091
version: 2


blktests-ci bot commented Jan 31, 2026

Upstream branch: d4b7351
series: https://patchwork.kernel.org/project/linux-block/list/?series=1049091
version: 2

govind-varadar and others added 3 commits January 31, 2026 11:11

ublk_ctrl_cmd_dump() accesses (header *)sqe->cmd before
IO_URING_F_SQE128 flag check. This could cause out of boundary memory
access.

Move the SQE128 flag check earlier in ublk_ctrl_uring_cmd() to return
-EINVAL immediately if the flag is not set.

Fixes: 71f28f3 ("ublk_drv: add io_uring based userspace block driver")
Signed-off-by: Govindarajulu Varadarajan <[email protected]>
Reviewed-by: Caleb Sander Mateos <[email protected]>
Reviewed-by: Ming Lei <[email protected]>

struct ublksrv_ctrl_cmd is part of the io_uring_sqe, which may lie in
userspace-mapped memory. It's racy to access its fields with normal
loads, as userspace may write to them concurrently. Use READ_ONCE() to
copy the ublksrv_ctrl_cmd from the io_uring_sqe to the stack. Use the
local copy in place of the one in the io_uring_sqe.

Fixes: 87213b0 ("ublk: allow non-blocking ctrl cmds in IO_URING_F_NONBLOCK issue")
Signed-off-by: Caleb Sander Mateos <[email protected]>
Reviewed-by: Ming Lei <[email protected]>

ublk_ctrl_start_recovery() only uses its const struct ublksrv_ctrl_cmd *
header argument to log the dev_id. But this value is already available
in struct ublk_device's ub_number field. So log ub_number instead and
drop the unused header argument.

Signed-off-by: Caleb Sander Mateos <[email protected]>
Reviewed-by: Ming Lei <[email protected]>

@blktests-ci blktests-ci bot force-pushed the series/1048738=>for-next branch from 46d9115 to 9c251cf January 31, 2026 02:11
@blktests-ci blktests-ci bot closed this Feb 3, 2026
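
The second commit message above describes copying a command out of concurrently writable memory before using it. The following userspace sketch is an added example, not code from the series or the kernel: `struct ctrl_cmd`, `LOAD_ONCE`, `BUF_MAX` and `concurrent_write` are hypothetical stand-ins, and the concurrent writer is simulated deterministically by a call placed between check and use.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a command header in memory that another party
 * can rewrite at any time; not the real struct ublksrv_ctrl_cmd layout. */
struct ctrl_cmd { uint32_t dev_id; uint16_t len; };

#define BUF_MAX 16
/* Userspace approximation of the kernel's READ_ONCE(): one volatile load. */
#define LOAD_ONCE(x) (*(const volatile __typeof__(x) *)&(x))

/* Constructed race: models the other writer changing len after the check. */
static void concurrent_write(struct ctrl_cmd *c) { c->len = 4096; }

/* Double fetch: len is validated on one load, then used from a second load. */
static int handle_racy(struct ctrl_cmd *shared)
{
    if (shared->len > BUF_MAX)
        return -1;
    concurrent_write(shared);
    return shared->len;          /* length a later copy would trust */
}

/* Snapshot: each field is loaded once into a stack copy; only the copy is
 * validated and used, so later writes cannot change the outcome. */
static int handle_snapshot(struct ctrl_cmd *shared)
{
    struct ctrl_cmd cmd = {
        .dev_id = LOAD_ONCE(shared->dev_id),
        .len    = LOAD_ONCE(shared->len),
    };
    if (cmd.len > BUF_MAX)
        return -1;
    concurrent_write(shared);
    return cmd.len;
}

/* Runs one handler on a constructed header that starts with a valid len. */
static int demo(int use_snapshot)
{
    struct ctrl_cmd shared = { .dev_id = 1, .len = 8 };
    return use_snapshot ? handle_snapshot(&shared) : handle_racy(&shared);
}

int main(void)
{
    printf("racy=%d snapshot=%d\n", demo(0), demo(1));
    return 0;
}
```

The racy handler passes its bounds check and still returns a length above `BUF_MAX`; the snapshot handler returns the value it validated.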