From: Ming Lei <ming.lei@redhat.com>
To: Caleb Sander Mateos <csander@purestorage.com>
Cc: Jens Axboe <axboe@kernel.dk>, linux-block@vger.kernel.org
Subject: Re: [PATCH v2 02/14] ublk: remove struct ublk_rq_data
Date: Mon, 23 Jun 2025 16:02:33 +0800 [thread overview]
Message-ID: <aFkKGXbsBRDdrMjj@fedora> (raw)
In-Reply-To: <20250620151008.3976463-3-csander@purestorage.com>
On Fri, Jun 20, 2025 at 09:09:56AM -0600, Caleb Sander Mateos wrote:
> __ublk_check_and_get_req() attempts to atomically look up the struct
> request for a ublk I/O and take a reference on it. However, the request
> can be freed between the lookup on the tagset in blk_mq_tag_to_rq() and
> the increment of its reference count in ublk_get_req_ref(), for example
> if an elevator switch happens concurrently.
>
> Fix the potential use after free by moving the reference count from
> ublk_rq_data to ublk_io. Move the fields buf_index and buf_ctx_handle
> too to reduce the number of cache lines touched when dispatching and
> completing a ublk I/O, allowing ublk_rq_data to be removed entirely.
>
> Suggested-by: Ming Lei <ming.lei@redhat.com>
> Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
> Fixes: 62fe99cef94a ("ublk: add read()/write() support for ublk char device")
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Thanks,
Ming
next prev parent reply other threads:[~2025-06-23 8:02 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-20 15:09 [PATCH v2 00/14] ublk: allow off-daemon zero-copy buffer registration Caleb Sander Mateos
2025-06-20 15:09 ` [PATCH v2 01/14] ublk: use vmalloc for ublk_device's __queues Caleb Sander Mateos
2025-06-23 7:20 ` Ming Lei
2025-06-20 15:09 ` [PATCH v2 02/14] ublk: remove struct ublk_rq_data Caleb Sander Mateos
2025-06-23 8:02 ` Ming Lei [this message]
2025-06-20 15:09 ` [PATCH v2 03/14] ublk: check cmd_op first Caleb Sander Mateos
2025-06-20 15:09 ` [PATCH v2 04/14] ublk: handle UBLK_IO_FETCH_REQ earlier Caleb Sander Mateos
2025-06-20 15:09 ` [PATCH v2 05/14] ublk: remove task variable from __ublk_ch_uring_cmd() Caleb Sander Mateos
2025-06-20 15:10 ` [PATCH v2 06/14] ublk: consolidate UBLK_IO_FLAG_{ACTIVE,OWNED_BY_SRV} checks Caleb Sander Mateos
2025-06-20 15:10 ` [PATCH v2 07/14] ublk: move ublk_prep_cancel() to case UBLK_IO_COMMIT_AND_FETCH_REQ Caleb Sander Mateos
2025-06-20 15:10 ` [PATCH v2 08/14] ublk: don't take ublk_queue in ublk_unregister_io_buf() Caleb Sander Mateos
2025-06-23 8:29 ` Ming Lei
2025-06-20 15:10 ` [PATCH v2 09/14] ublk: allow UBLK_IO_(UN)REGISTER_IO_BUF on any task Caleb Sander Mateos
2025-06-23 9:07 ` Ming Lei
2025-06-20 15:10 ` [PATCH v2 10/14] ublk: return early if blk_should_fake_timeout() Caleb Sander Mateos
2025-06-23 9:08 ` Ming Lei
2025-06-20 15:10 ` [PATCH v2 11/14] ublk: optimize UBLK_IO_REGISTER_IO_BUF on daemon task Caleb Sander Mateos
2025-06-23 9:44 ` Ming Lei
2025-06-20 15:10 ` [PATCH v2 12/14] ublk: optimize UBLK_IO_UNREGISTER_IO_BUF " Caleb Sander Mateos
2025-06-23 9:45 ` Ming Lei
2025-06-20 15:10 ` [PATCH v2 13/14] ublk: remove ubq checks from ublk_{get,put}_req_ref() Caleb Sander Mateos
2025-06-23 9:49 ` Ming Lei
2025-06-20 15:10 ` [PATCH v2 14/14] ublk: cache-align struct ublk_io Caleb Sander Mateos
2025-06-23 9:49 ` Ming Lei
2025-06-27 0:47 ` [PATCH v2 00/14] ublk: allow off-daemon zero-copy buffer registration Jens Axboe
2025-06-27 0:48 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aFkKGXbsBRDdrMjj@fedora \
--to=ming.lei@redhat.com \
--cc=axboe@kernel.dk \
--cc=csander@purestorage.com \
--cc=linux-block@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox