From: Ming Lei <ming.lei@redhat.com>
To: Caleb Sander Mateos <csander@purestorage.com>
Cc: Jens Axboe <axboe@kernel.dk>,
linux-block@vger.kernel.org,
Uday Shankar <ushankar@purestorage.com>
Subject: Re: [PATCH V2 02/16] ublk: look up ublk task via its pid in timeout handler
Date: Sun, 13 Jul 2025 10:31:08 +0800
Message-ID: <aHMabA97fb9dCR6y@fedora>
In-Reply-To: <CADUfDZpvqsQUNrcGefQo+dakaC-aijnXfSYSAPV2sEtoUFfWKA@mail.gmail.com>
On Fri, Jul 11, 2025 at 09:20:31AM -0400, Caleb Sander Mateos wrote:
> On Mon, Jul 7, 2025 at 9:18 PM Ming Lei <ming.lei@redhat.com> wrote:
> >
> > Look up the ublk process via its pid in the timeout handler, so we can avoid
> > touching io->task, because it is fragile to touch the task structure.
> >
> > It is fine to kill the ublk server process, and this way is simpler.
> >
> > Signed-off-by: Ming Lei <ming.lei@redhat.com>
> > ---
> > drivers/block/ublk_drv.c | 21 +++++++++++++--------
> > 1 file changed, 13 insertions(+), 8 deletions(-)
> >
> > diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
> > index 65daa6ed3a8e..d7b5ee96978a 100644
> > --- a/drivers/block/ublk_drv.c
> > +++ b/drivers/block/ublk_drv.c
> > @@ -1367,14 +1367,19 @@ static void ublk_queue_cmd_list(struct ublk_io *io, struct rq_list *l)
> > static enum blk_eh_timer_return ublk_timeout(struct request *rq)
> > {
> > struct ublk_queue *ubq = rq->mq_hctx->driver_data;
> > - struct ublk_io *io = &ubq->ios[rq->tag];
> > -
> > - if (ubq->flags & UBLK_F_UNPRIVILEGED_DEV) {
> > - send_sig(SIGKILL, io->task, 0);
> > - return BLK_EH_DONE;
> > - }
> > -
> > - return BLK_EH_RESET_TIMER;
> > + struct task_struct *p;
> > + struct pid *pid;
> > +
> > + if (!(ubq->flags & UBLK_F_UNPRIVILEGED_DEV))
> > + return BLK_EH_RESET_TIMER;
> > +
> > + rcu_read_lock();
> > + pid = find_vpid(ubq->dev->dev_info.ublksrv_pid);
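Review bot: `find_vpid(ubq->dev->dev_info.ublksrv_pid)` resolves a bare pid number at timeout time instead of holding a reference the way the removed `io->task` did, so if the server has already exited and the number has been recycled, the lookup (and the SIGKILL that follows it) lands on an unrelated task. `find_vpid()` also resolves in the pid namespace of `current`, and the blk-mq timeout handler runs from kernel work context rather than from the server's namespace, so a server running in a container supplies a number that does not mean the same thing here. Suggest the driver record a `struct pid *` for the opener (`get_task_pid(current, PIDTYPE_PID)`) when the char device is opened and use that via `pid_task()` in `ublk_timeout()`, with the userspace-supplied `ublksrv_pid` only checked against it rather than trusted.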
>
> It looks like ublksrv_pid is set based on whatever the ublk server
> provides in the UBLK_U_CMD_START_DEV/UBLK_U_CMD_END_USER_RECOVERY
> command. I don't see any validation that this is actually the ublk
> server's PID. So couldn't a buggy/malicious ublk server that doesn't
> provide its own PID cause ublk_timeout() to kill some other process
> and leave the ublk I/O pending forever?
Good catch!
Looks like we can store the real ublk server pid in ublk_ch_open(), then validate
the passed `ublksrv_pid` in ublk_ctrl_start_dev(), or even always use
the real ublk server pid stored from ublk_ch_open().
Will do it in the next version.
Thanks,
Ming
Thread overview: 23+ messages
2025-07-08 1:17 [PATCH V2 00/16] ublk: cleanup for supporting batch IO command Ming Lei
2025-07-08 1:17 ` [PATCH V2 01/16] ublk: move fake timeout logic into __ublk_complete_rq() Ming Lei
2025-07-08 1:17 ` [PATCH V2 02/16] ublk: look up ublk task via its pid in timeout handler Ming Lei
2025-07-11 13:20 ` Caleb Sander Mateos
2025-07-13 2:31 ` Ming Lei [this message]
2025-07-08 1:17 ` [PATCH V2 03/16] ublk: let ublk_fill_io_cmd() cover more things Ming Lei
2025-07-11 13:25 ` Caleb Sander Mateos
2025-07-13 2:34 ` Ming Lei
2025-07-08 1:17 ` [PATCH V2 04/16] ublk: avoid to pass `struct ublksrv_io_cmd *` to ublk_commit_and_fetch() Ming Lei
2025-07-08 1:17 ` [PATCH V2 05/16] ublk: move auto buffer register handling into one dedicated helper Ming Lei
2025-07-11 13:47 ` Caleb Sander Mateos
2025-07-13 2:38 ` Ming Lei
2025-07-08 1:17 ` [PATCH V2 06/16] ublk: store auto buffer register data into `struct ublk_io` Ming Lei
2025-07-08 1:17 ` [PATCH V2 07/16] ublk: add helper ublk_check_fetch_buf() Ming Lei
2025-07-08 1:17 ` [PATCH V2 08/16] ublk: remove ublk_commit_and_fetch() Ming Lei
2025-07-08 1:17 ` [PATCH V2 09/16] ublk: pass 'const struct ublk_io *' to ublk_[un]map_io() Ming Lei
2025-07-08 1:17 ` [PATCH V2 10/16] selftests: ublk: remove `tag` parameter of ->tgt_io_done() Ming Lei
2025-07-08 1:17 ` [PATCH V2 11/16] selftests: ublk: pass 'ublk_thread *' to ->queue_io() and ->tgt_io_done() Ming Lei
2025-07-08 1:17 ` [PATCH V2 12/16] selftests: ublk: pass 'ublk_thread *' to more common helpers Ming Lei
2025-07-08 1:17 ` [PATCH V2 13/16] selftests: ublk: remove ublk queue self-defined flags Ming Lei
2025-07-08 1:17 ` [PATCH V2 14/16] selftests: ublk: improve flags naming Ming Lei
2025-07-08 1:17 ` [PATCH V2 15/16] selftests: ublk: add helper ublk_handle_uring_cmd() for handle ublk command Ming Lei
2025-07-08 1:17 ` [PATCH V2 16/16] selftests: ublk: add utils.h Ming Lei