From: Caleb Sander Mateos <csander@purestorage.com>
To: Ming Lei <ming.lei@redhat.com>, Jens Axboe <axboe@kernel.dk>
Cc: Govindarajulu Varadarajan <govind.varadar@gmail.com>,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
Caleb Sander Mateos <csander@purestorage.com>
Subject: [PATCH 3/4] ublk: use READ_ONCE() to read struct ublksrv_ctrl_cmd
Date: Thu, 29 Jan 2026 15:46:16 -0700 [thread overview]
Message-ID: <20260129224618.975401-4-csander@purestorage.com> (raw)
In-Reply-To: <20260129224618.975401-1-csander@purestorage.com>
struct ublksrv_ctrl_cmd is part of the io_uring_sqe, which may lie in
userspace-mapped memory. It's racy to access its fields with normal
loads, as userspace may write to them concurrently. Use READ_ONCE() for
all the ublksrv_ctrl_cmd field accesses to avoid the race.
Fixes: 87213b0d847c ("ublk: allow non-blocking ctrl cmds in IO_URING_F_NONBLOCK issue")
Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
---
drivers/block/ublk_drv.c | 77 +++++++++++++++++++---------------------
1 file changed, 37 insertions(+), 40 deletions(-)
diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index 29c6942450c2..49510216832f 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -4188,15 +4188,13 @@ static struct ublk_device *ublk_get_device_from_id(int idx)
spin_unlock(&ublk_idr_lock);
return ub;
}
-static int ublk_ctrl_start_dev(struct ublk_device *ub,
- const struct ublksrv_ctrl_cmd *header)
+static int ublk_ctrl_start_dev(struct ublk_device *ub, int ublksrv_pid)
{
const struct ublk_param_basic *p = &ub->params.basic;
- int ublksrv_pid = (int)header->data[0];
struct queue_limits lim = {
.logical_block_size = 1 << p->logical_bs_shift,
.physical_block_size = 1 << p->physical_bs_shift,
.io_min = 1 << p->io_min_shift,
.io_opt = 1 << p->io_opt_shift,
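Review bot: The `int ublksrv_pid` parameter on the new ublk_ctrl_start_dev() signature is fed a `u64 data` at its call site in the ublk_ctrl_uring_cmd switch (`ret = ublk_ctrl_start_dev(ub, data);`), so the truncation that the removed local spelled out as `(int)header->data[0]` now happens implicitly in the argument conversion. The same applies to the `int ublksrv_pid` parameter added to ublk_ctrl_end_recovery() and its call `ret = ublk_ctrl_end_recovery(ub, header, data);`. Keeping the cast visible at the call sites, `ret = ublk_ctrl_start_dev(ub, (int)data);` and `ret = ublk_ctrl_end_recovery(ub, header, (int)data);`, preserves the old explicitness and keeps -Wconversion-style review from flagging it later. The body of ublk_ctrl_start_dev() continues past this hunk.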
@@ -4346,15 +4344,14 @@ static int ublk_ctrl_start_dev(struct ublk_device *ub,
mutex_unlock(&ub->mutex);
return ret;
}
static int ublk_ctrl_get_queue_affinity(struct ublk_device *ub,
- const struct ublksrv_ctrl_cmd *header, u64 addr, u16 len)
+ u64 queue, u64 addr, u16 len)
{
void __user *argp = (void __user *)addr;
cpumask_var_t cpumask;
- unsigned long queue;
unsigned int retlen;
unsigned int i;
int ret;
if (len * BITS_PER_BYTE < nr_cpu_ids)
@@ -4362,11 +4359,10 @@ static int ublk_ctrl_get_queue_affinity(struct ublk_device *ub,
if (len & (sizeof(unsigned long)-1))
return -EINVAL;
if (!addr)
return -EINVAL;
- queue = header->data[0];
if (queue >= ub->dev_info.nr_hw_queues)
return -EINVAL;
if (!zalloc_cpumask_var(&cpumask, GFP_KERNEL))
return -ENOMEM;
@@ -4396,23 +4392,22 @@ static inline void ublk_dump_dev_info(struct ublksrv_ctrl_dev_info *info)
info->dev_id, info->flags);
pr_devel("\t nr_hw_queues %d queue_depth %d\n",
info->nr_hw_queues, info->queue_depth);
}
-static int ublk_ctrl_add_dev(const struct ublksrv_ctrl_cmd *header,
- u64 addr, u16 len)
+static int ublk_ctrl_add_dev(u32 dev_id, u16 qid, u64 addr, u16 len)
{
void __user *argp = (void __user *)addr;
struct ublksrv_ctrl_dev_info info;
struct ublk_device *ub;
int ret = -EINVAL;
if (len < sizeof(info) || !addr)
return -EINVAL;
- if (header->queue_id != (u16)-1) {
+ if (qid != (u16)-1) {
pr_warn("%s: queue_id is wrong %x\n",
- __func__, header->queue_id);
+ __func__, qid);
return -EINVAL;
}
if (copy_from_user(&info, argp, sizeof(info)))
return -EFAULT;
@@ -4473,17 +4468,17 @@ static int ublk_ctrl_add_dev(const struct ublksrv_ctrl_cmd *header,
return -EINVAL;
/* the created device is always owned by current user */
ublk_store_owner_uid_gid(&info.owner_uid, &info.owner_gid);
- if (header->dev_id != info.dev_id) {
+ if (dev_id != info.dev_id) {
pr_warn("%s: dev id not match %u %u\n",
- __func__, header->dev_id, info.dev_id);
+ __func__, dev_id, info.dev_id);
return -EINVAL;
}
- if (header->dev_id != U32_MAX && header->dev_id >= UBLK_MAX_UBLKS) {
+ if (dev_id != U32_MAX && dev_id >= UBLK_MAX_UBLKS) {
pr_warn("%s: dev id is too large. Max supported is %d\n",
__func__, UBLK_MAX_UBLKS - 1);
return -EINVAL;
}
@@ -4505,11 +4500,11 @@ static int ublk_ctrl_add_dev(const struct ublksrv_ctrl_cmd *header,
mutex_init(&ub->mutex);
spin_lock_init(&ub->lock);
mutex_init(&ub->cancel_mutex);
INIT_WORK(&ub->partition_scan_work, ublk_partition_scan_work);
- ret = ublk_alloc_dev_number(ub, header->dev_id);
+ ret = ublk_alloc_dev_number(ub, dev_id);
if (ret < 0)
goto out_free_ub;
memcpy(&ub->dev_info, &info, sizeof(info));
@@ -4641,17 +4636,15 @@ static int ublk_ctrl_del_dev(struct ublk_device **p_ub, bool wait)
if (wait && wait_event_interruptible(ublk_idr_wq, ublk_idr_freed(idx)))
return -EINTR;
return 0;
}
-static inline void ublk_ctrl_cmd_dump(struct io_uring_cmd *cmd)
+static inline void ublk_ctrl_cmd_dump(u32 cmd_op, u32 dev_id, u16 qid,
+ u64 data, u64 addr, u16 len)
{
- const struct ublksrv_ctrl_cmd *header = io_uring_sqe_cmd(cmd->sqe);
-
pr_devel("%s: cmd_op %x, dev id %d qid %d data %llx buf %llx len %u\n",
- __func__, cmd->cmd_op, header->dev_id, header->queue_id,
- header->data[0], header->addr, header->len);
+ __func__, cmd_op, dev_id, qid, data, addr, len);
}
static void ublk_ctrl_stop_dev(struct ublk_device *ub)
{
ublk_stop_dev(ub);
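Review bot: Now that ublk_ctrl_cmd_dump() takes a typed `u32 dev_id`, the `%d` conversion for it in the pr_devel() format no longer matches; ublk_ctrl_add_dev() accepts `U32_MAX` as a legal dev_id, which this line prints as `-1`. Since the commit already rewrites the argument list, the format could be corrected in the same step: `pr_devel("%s: cmd_op %x, dev id %u qid %d data %llx buf %llx len %u\n",`. The closing pr_devel in ublk_ctrl_uring_cmd ("cmd done ret %d cmd_op %x, dev id %d qid %d") has the same `%d` for the new `u32 dev_id` local and could get `%u` as well.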
@@ -4819,13 +4812,12 @@ static int ublk_ctrl_start_recovery(struct ublk_device *ub,
mutex_unlock(&ub->mutex);
return ret;
}
static int ublk_ctrl_end_recovery(struct ublk_device *ub,
- const struct ublksrv_ctrl_cmd *header)
+ const struct ublksrv_ctrl_cmd *header, int ublksrv_pid)
{
- int ublksrv_pid = (int)header->data[0];
int ret = -EINVAL;
pr_devel("%s: Waiting for all FETCH_REQs, dev id %d...\n", __func__,
header->dev_id);
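Review bot: ublk_ctrl_end_recovery() still reads `header->dev_id` with a plain load in its pr_devel(), so the description's claim that READ_ONCE() is now used for all ublksrv_ctrl_cmd field accesses does not hold for this patch on its own; the caller already holds the snapshotted `dev_id` and could pass it in. The thread shows a later patch in the series dropping the header argument from the recovery helpers, which presumably covers this read; if that is the intended sequencing, a sentence in this commit message saying so would spare a reviewer the search. ublk_ctrl_end_recovery()'s body continues beyond this hunk.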
@@ -4869,14 +4861,13 @@ static int ublk_ctrl_get_features(u64 addr, u16 len)
return -EFAULT;
return 0;
}
-static void ublk_ctrl_set_size(struct ublk_device *ub, const struct ublksrv_ctrl_cmd *header)
+static void ublk_ctrl_set_size(struct ublk_device *ub, u64 new_size)
{
struct ublk_param_basic *p = &ub->params.basic;
- u64 new_size = header->data[0];
mutex_lock(&ub->mutex);
p->dev_sectors = new_size;
set_capacity_and_notify(ub->ub_disk, p->dev_sectors);
mutex_unlock(&ub->mutex);
@@ -4950,15 +4941,13 @@ static int ublk_wait_for_idle_io(struct ublk_device *ub,
ret = 0;
return ret;
}
-static int ublk_ctrl_quiesce_dev(struct ublk_device *ub,
- const struct ublksrv_ctrl_cmd *header)
+static int ublk_ctrl_quiesce_dev(struct ublk_device *ub, u64 timeout_ms)
{
/* zero means wait forever */
- u64 timeout_ms = header->data[0];
struct gendisk *disk;
int ret = -ENODEV;
if (!(ub->dev_info.flags & UBLK_F_QUIESCE))
return -EOPNOTSUPP;
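Review bot: The comment `/* zero means wait forever */` described the removed local `timeout_ms` and now sits directly above `struct gendisk *disk;`, where it reads as a comment on the disk pointer. Since the value is a parameter now, the comment belongs with the signature, e.g. a line `/* timeout_ms == 0 means wait forever */` immediately above `static int ublk_ctrl_quiesce_dev(struct ublk_device *ub, u64 timeout_ms)`. The function body continues outside this hunk.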
@@ -5032,10 +5021,11 @@ static int ublk_ctrl_uring_cmd_permission(struct ublk_device *ub,
{
const struct ublksrv_ctrl_cmd *header = io_uring_sqe_cmd(cmd->sqe);
bool unprivileged = ub->dev_info.flags & UBLK_F_UNPRIVILEGED_DEV;
void __user *argp = (void __user *)*addr;
char *dev_path = NULL;
+ u16 dev_path_len;
int ret = 0;
int mask;
if (!unprivileged) {
if (!capable(CAP_SYS_ADMIN))
@@ -5054,17 +5044,18 @@ static int ublk_ctrl_uring_cmd_permission(struct ublk_device *ub,
* User has to provide the char device path for unprivileged ublk
*
* header->addr always points to the dev path buffer, and
* header->dev_path_len records length of dev path buffer.
*/
- if (!header->dev_path_len || header->dev_path_len > PATH_MAX)
+ dev_path_len = READ_ONCE(header->dev_path_len);
+ if (!dev_path_len || dev_path_len > PATH_MAX)
return -EINVAL;
- if (*len < header->dev_path_len)
+ if (*len < dev_path_len)
return -EINVAL;
- dev_path = memdup_user_nul(argp, header->dev_path_len);
+ dev_path = memdup_user_nul(argp, dev_path_len);
if (IS_ERR(dev_path))
return PTR_ERR(dev_path);
ret = -EINVAL;
switch (_IOC_NR(cmd->cmd_op)) {
@@ -5091,12 +5082,12 @@ static int ublk_ctrl_uring_cmd_permission(struct ublk_device *ub,
goto exit;
}
ret = ublk_char_dev_permission(ub, dev_path, mask);
if (!ret) {
- *len -= header->dev_path_len;
- *addr += header->dev_path_len;
+ *len -= dev_path_len;
+ *addr += dev_path_len;
}
pr_devel("%s: dev id %d cmd_op %x uid %d gid %d path %s ret %d\n",
__func__, ub->ub_number, cmd->cmd_op,
ub->dev_info.owner_uid, ub->dev_info.owner_gid,
dev_path, ret);
@@ -5123,23 +5114,29 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
{
const struct ublksrv_ctrl_cmd *header = io_uring_sqe_cmd(cmd->sqe);
struct ublk_device *ub = NULL;
u32 cmd_op = cmd->cmd_op;
int ret = -EINVAL;
+ u32 dev_id;
+ u16 qid;
+ u64 data;
u64 addr;
u16 len;
if (ublk_ctrl_uring_cmd_may_sleep(cmd_op) &&
issue_flags & IO_URING_F_NONBLOCK)
return -EAGAIN;
if (!(issue_flags & IO_URING_F_SQE128))
return -EINVAL;
+ dev_id = READ_ONCE(header->dev_id);
+ qid = READ_ONCE(header->queue_id);
+ data = READ_ONCE(header->data[0]);
addr = READ_ONCE(header->addr);
len = READ_ONCE(header->len);
- ublk_ctrl_cmd_dump(cmd);
+ ublk_ctrl_cmd_dump(cmd_op, dev_id, qid, data, addr, len);
ret = ublk_check_cmd_op(cmd_op);
if (ret)
goto out;
@@ -5148,42 +5145,42 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
goto out;
}
if (_IOC_NR(cmd_op) != UBLK_CMD_ADD_DEV) {
ret = -ENODEV;
- ub = ublk_get_device_from_id(header->dev_id);
+ ub = ublk_get_device_from_id(dev_id);
if (!ub)
goto out;
ret = ublk_ctrl_uring_cmd_permission(ub, cmd, &addr, &len);
if (ret)
goto put_dev;
}
switch (_IOC_NR(cmd_op)) {
case UBLK_CMD_START_DEV:
- ret = ublk_ctrl_start_dev(ub, header);
+ ret = ublk_ctrl_start_dev(ub, data);
break;
case UBLK_CMD_STOP_DEV:
ublk_ctrl_stop_dev(ub);
ret = 0;
break;
case UBLK_CMD_GET_DEV_INFO:
case UBLK_CMD_GET_DEV_INFO2:
ret = ublk_ctrl_get_dev_info(ub, addr, len);
break;
case UBLK_CMD_ADD_DEV:
- ret = ublk_ctrl_add_dev(header, addr, len);
+ ret = ublk_ctrl_add_dev(dev_id, qid, addr, len);
break;
case UBLK_CMD_DEL_DEV:
ret = ublk_ctrl_del_dev(&ub, true);
break;
case UBLK_CMD_DEL_DEV_ASYNC:
ret = ublk_ctrl_del_dev(&ub, false);
break;
case UBLK_CMD_GET_QUEUE_AFFINITY:
- ret = ublk_ctrl_get_queue_affinity(ub, header, addr, len);
+ ret = ublk_ctrl_get_queue_affinity(ub, data, addr, len);
break;
case UBLK_CMD_GET_PARAMS:
ret = ublk_ctrl_get_params(ub, addr, len);
break;
case UBLK_CMD_SET_PARAMS:
@@ -5191,18 +5188,18 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
break;
case UBLK_CMD_START_USER_RECOVERY:
ret = ublk_ctrl_start_recovery(ub, header);
break;
case UBLK_CMD_END_USER_RECOVERY:
- ret = ublk_ctrl_end_recovery(ub, header);
+ ret = ublk_ctrl_end_recovery(ub, header, data);
break;
case UBLK_CMD_UPDATE_SIZE:
- ublk_ctrl_set_size(ub, header);
+ ublk_ctrl_set_size(ub, data);
ret = 0;
break;
case UBLK_CMD_QUIESCE_DEV:
- ret = ublk_ctrl_quiesce_dev(ub, header);
+ ret = ublk_ctrl_quiesce_dev(ub, data);
break;
case UBLK_CMD_TRY_STOP_DEV:
ret = ublk_ctrl_try_stop_dev(ub);
break;
default:
@@ -5213,11 +5210,11 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
put_dev:
if (ub)
ublk_put_device(ub);
out:
pr_devel("%s: cmd done ret %d cmd_op %x, dev id %d qid %d\n",
- __func__, ret, cmd->cmd_op, header->dev_id, header->queue_id);
+ __func__, ret, cmd_op, dev_id, qid);
return ret;
}
static const struct file_operations ublk_ctl_fops = {
.open = nonseekable_open,
--
2.45.2