From: Ming Lei <tom.leiming@gmail.com>
To: Jens Axboe <axboe@kernel.dk>, linux-block@vger.kernel.org
Cc: Caleb Sander Mateos <csander@purestorage.com>,
Uday Shankar <ushankar@purestorage.com>,
Ming Lei <tom.leiming@gmail.com>
Subject: [PATCH] ublk: reject FETCH from non-userspace context
Date: Fri, 1 May 2026 16:52:16 +0800 [thread overview]
Message-ID: <20260501085216.905401-1-tom.leiming@gmail.com> (raw)
__ublk_fetch() sets io->task to current, which is later checked
against io_uring_cmd_get_task() in ublk_uring_cmd_cancel_fn().
With REQ_F_FORCE_ASYNC, the FETCH uring_cmd can be issued from
task work, which can be run from io_uring's fallback workqueue,
causing a task mismatch and triggering the WARN in cancel_fn.
Reject FETCH if current is not a real userspace task, and it is
reasonable for failing it in case of io_uring fallback.
Fixes: 3421c7f68bba ("ublk: make sure io cmd handled in submitter task context")
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
---
drivers/block/ublk_drv.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index 8e5f3738c203..57abc0e9681f 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -3251,12 +3251,19 @@ static int __ublk_fetch(struct io_uring_cmd *cmd, struct ublk_device *ub,
WARN_ON_ONCE(io->flags & UBLK_IO_FLAG_OWNED_BY_SRV);
- ublk_fill_io_cmd(io, cmd);
-
- if (ublk_dev_support_batch_io(ub))
+ if (ublk_dev_support_batch_io(ub)) {
WRITE_ONCE(io->task, NULL);
- else
+ } else {
+ /*
+ * FETCH must come from a real userspace task, not a
+ * kworker is actually io_uring fallback workqueue.
+ */
+ if (current->flags & (PF_KTHREAD | PF_WQ_WORKER))
+ return -EINVAL;
WRITE_ONCE(io->task, get_task_struct(current));
+ }
+
+ ublk_fill_io_cmd(io, cmd);
return 0;
}
--
2.53.0
next reply other threads:[~2026-05-01 8:52 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-01 8:52 Ming Lei [this message]
2026-05-01 10:34 ` [PATCH] ublk: reject FETCH from non-userspace context Jens Axboe
2026-05-01 10:36 ` Ming Lei
2026-05-01 10:38 ` Jens Axboe
2026-05-01 10:54 ` Ming Lei
2026-05-01 11:05 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260501085216.905401-1-tom.leiming@gmail.com \
--to=tom.leiming@gmail.com \
--cc=axboe@kernel.dk \
--cc=csander@purestorage.com \
--cc=linux-block@vger.kernel.org \
--cc=ushankar@purestorage.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.