From: Caleb Sander Mateos <csander@purestorage.com>
To: Ming Lei <ming.lei@redhat.com>, Jens Axboe <axboe@kernel.dk>
Cc: Govindarajulu Varadarajan <govind.varadar@gmail.com>,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
Caleb Sander Mateos <csander@purestorage.com>
Subject: [PATCH 0/4] ublk: fix struct ublksrv_ctrl_cmd accesses
Date: Thu, 29 Jan 2026 15:46:13 -0700 [thread overview]
Message-ID: <20260129224618.975401-1-csander@purestorage.com> (raw)
struct ublksrv_ctrl_cmd is part of the io_uring_sqe. Since commit
87213b0d847c ("ublk: allow non-blocking ctrl cmds in IO_URING_F_NONBLOCK
issue") allowed some commands to be handled in the non-blocking issue,
the SQE may lie in userspace-mapped memory. Validate that the SQE size
is the expected 128 bytes before dereferencing it. Access the
ublksrv_ctrl_cmd fields with READ_ONCE(), as userspace may write to them
concurrently.
Caleb Sander Mateos (3):
ublk: don't write to struct ublksrv_ctrl_cmd
ublk: use READ_ONCE() to read struct ublksrv_ctrl_cmd
ublk: drop ublk_ctrl_{start,end}_recovery() header argument
Govindarajulu Varadarajan (1):
ublk: Validate SQE128 flag before accessing the cmd
drivers/block/ublk_drv.c | 163 +++++++++++++++++++--------------------
1 file changed, 80 insertions(+), 83 deletions(-)
--
2.45.2
next reply other threads:[~2026-01-29 22:46 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-29 22:46 Caleb Sander Mateos [this message]
2026-01-29 22:46 ` [PATCH 1/4] ublk: Validate SQE128 flag before accessing the cmd Caleb Sander Mateos
2026-01-30 8:03 ` Ming Lei
2026-01-29 22:46 ` [PATCH 2/4] ublk: don't write to struct ublksrv_ctrl_cmd Caleb Sander Mateos
2026-01-30 15:48 ` Ming Lei
2026-01-30 16:05 ` Ming Lei
2026-01-29 22:46 ` [PATCH 3/4] ublk: use READ_ONCE() to read " Caleb Sander Mateos
2026-01-30 15:56 ` Ming Lei
2026-01-29 22:46 ` [PATCH 4/4] ublk: drop ublk_ctrl_{start,end}_recovery() header argument Caleb Sander Mateos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260129224618.975401-1-csander@purestorage.com \
--to=csander@purestorage.com \
--cc=axboe@kernel.dk \
--cc=govind.varadar@gmail.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ming.lei@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.