[PATCH] ublk: reject FETCH from non-userspace context

[PATCH] ublk: reject FETCH from non-userspace context

[Ming Lei]

__ublk_fetch() sets io->task to current, which is later checked
against io_uring_cmd_get_task() in ublk_uring_cmd_cancel_fn().
With REQ_F_FORCE_ASYNC, the FETCH uring_cmd can be issued from
task work, which can be run from io_uring's fallback workqueue,
causing a task mismatch and triggering the WARN in cancel_fn.

Reject FETCH if current is not a real userspace task, and it is
reasonable for failing it in case of io_uring fallback.

Fixes: 3421c7f68bba ("ublk: make sure io cmd handled in submitter task context")
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
---
 drivers/block/ublk_drv.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index 8e5f3738c203..57abc0e9681f 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -3251,12 +3251,19 @@ static int __ublk_fetch(struct io_uring_cmd *cmd, struct ublk_device *ub,
 
 	WARN_ON_ONCE(io->flags & UBLK_IO_FLAG_OWNED_BY_SRV);
 
-	ublk_fill_io_cmd(io, cmd);
-
-	if (ublk_dev_support_batch_io(ub))
+	if (ublk_dev_support_batch_io(ub)) {
 		WRITE_ONCE(io->task, NULL);
-	else
+	} else {
+		/*
+		 * FETCH must come from a real userspace task, not a
+		 * kworker is actually io_uring fallback workqueue.
+		 */
+		if (current->flags & (PF_KTHREAD | PF_WQ_WORKER))
+			return -EINVAL;
 		WRITE_ONCE(io->task, get_task_struct(current));
+	}
+
+	ublk_fill_io_cmd(io, cmd);
 
 	return 0;
 }
-- 
2.53.0

Re: [PATCH] ublk: reject FETCH from non-userspace context

[Jens Axboe]

On 5/1/26 2:52 AM, Ming Lei wrote:
> __ublk_fetch() sets io->task to current, which is later checked
> against io_uring_cmd_get_task() in ublk_uring_cmd_cancel_fn().
> With REQ_F_FORCE_ASYNC, the FETCH uring_cmd can be issued from
> task work, which can be run from io_uring's fallback workqueue,
> causing a task mismatch and triggering the WARN in cancel_fn.
> 
> Reject FETCH if current is not a real userspace task, and it is
> reasonable for failing it in case of io_uring fallback.

I think this should be caught in ublk_ch_uring_cmd_cb(), which
should not hit ublk_ch_uring_cmd_local() if tw.cancel is true.
fallback work should just be terminated, not be issued.

-- 
Jens Axboe

Re: [PATCH] ublk: reject FETCH from non-userspace context

[Ming Lei]

On Fri, May 01, 2026 at 04:34:11AM -0600, Jens Axboe wrote:
> On 5/1/26 2:52 AM, Ming Lei wrote:
> > __ublk_fetch() sets io->task to current, which is later checked
> > against io_uring_cmd_get_task() in ublk_uring_cmd_cancel_fn().
> > With REQ_F_FORCE_ASYNC, the FETCH uring_cmd can be issued from
> > task work, which can be run from io_uring's fallback workqueue,
> > causing a task mismatch and triggering the WARN in cancel_fn.
> > 
> > Reject FETCH if current is not a real userspace task, and it is
> > reasonable for failing it in case of io_uring fallback.
> 
> I think this should be caught in ublk_ch_uring_cmd_cb(), which
> should not hit ublk_ch_uring_cmd_local() if tw.cancel is true.
> fallback work should just be terminated, not be issued.

Yeah, that is definitely better, will take it in V2.

Thanks,
Ming

Re: [PATCH] ublk: reject FETCH from non-userspace context

[Jens Axboe]

On 5/1/26 4:36 AM, Ming Lei wrote:
> On Fri, May 01, 2026 at 04:34:11AM -0600, Jens Axboe wrote:
>> On 5/1/26 2:52 AM, Ming Lei wrote:
>>> __ublk_fetch() sets io->task to current, which is later checked
>>> against io_uring_cmd_get_task() in ublk_uring_cmd_cancel_fn().
>>> With REQ_F_FORCE_ASYNC, the FETCH uring_cmd can be issued from
>>> task work, which can be run from io_uring's fallback workqueue,
>>> causing a task mismatch and triggering the WARN in cancel_fn.
>>>
>>> Reject FETCH if current is not a real userspace task, and it is
>>> reasonable for failing it in case of io_uring fallback.
>>
>> I think this should be caught in ublk_ch_uring_cmd_cb(), which
>> should not hit ublk_ch_uring_cmd_local() if tw.cancel is true.
>> fallback work should just be terminated, not be issued.
> 
> Yeah, that is definitely better, will take it in V2.

Something like this, totally untested. Caveat: probably worth checking
the other tw paths in ublk as well!

diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index 8e5f3738c203..d10460d29e4a 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -3496,8 +3496,10 @@ static void ublk_ch_uring_cmd_cb(struct io_tw_req tw_req, io_tw_token_t tw)
 {
 	unsigned int issue_flags = IO_URING_CMD_TASK_WORK_ISSUE_FLAGS;
 	struct io_uring_cmd *cmd = io_uring_cmd_from_tw(tw_req);
-	int ret = ublk_ch_uring_cmd_local(cmd, issue_flags);
+	int ret = -ECANCELED;
 
+	if (!tw.cancel)
+		ret = ublk_ch_uring_cmd_local(cmd, issue_flags);
 	if (ret != -EIOCBQUEUED)
 		io_uring_cmd_done(cmd, ret, issue_flags);
 }

-- 
Jens Axboe

Re: [PATCH] ublk: reject FETCH from non-userspace context

[Ming Lei]

On Fri, May 01, 2026 at 04:38:22AM -0600, Jens Axboe wrote:
> On 5/1/26 4:36 AM, Ming Lei wrote:
> > On Fri, May 01, 2026 at 04:34:11AM -0600, Jens Axboe wrote:
> >> On 5/1/26 2:52 AM, Ming Lei wrote:
> >>> __ublk_fetch() sets io->task to current, which is later checked
> >>> against io_uring_cmd_get_task() in ublk_uring_cmd_cancel_fn().
> >>> With REQ_F_FORCE_ASYNC, the FETCH uring_cmd can be issued from
> >>> task work, which can be run from io_uring's fallback workqueue,
> >>> causing a task mismatch and triggering the WARN in cancel_fn.
> >>>
> >>> Reject FETCH if current is not a real userspace task, and it is
> >>> reasonable for failing it in case of io_uring fallback.
> >>
> >> I think this should be caught in ublk_ch_uring_cmd_cb(), which
> >> should not hit ublk_ch_uring_cmd_local() if tw.cancel is true.
> >> fallback work should just be terminated, not be issued.
> > 
> > Yeah, that is definitely better, will take it in V2.
> 
> Something like this, totally untested. Caveat: probably worth checking
> the other tw paths in ublk as well!

tw.cancel can replace the check in ublk_dispatch_req() for ublk_cmd_tw_cb() and
ublk_cmd_list_tw_cb(), which is one cleanup.

ublk_batch_tw_cb() doesn't track io task, so it is just fine.

> 
> diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
> index 8e5f3738c203..d10460d29e4a 100644
> --- a/drivers/block/ublk_drv.c
> +++ b/drivers/block/ublk_drv.c
> @@ -3496,8 +3496,10 @@ static void ublk_ch_uring_cmd_cb(struct io_tw_req tw_req, io_tw_token_t tw)
>  {
>  	unsigned int issue_flags = IO_URING_CMD_TASK_WORK_ISSUE_FLAGS;
>  	struct io_uring_cmd *cmd = io_uring_cmd_from_tw(tw_req);
> -	int ret = ublk_ch_uring_cmd_local(cmd, issue_flags);
> +	int ret = -ECANCELED;
>  
> +	if (!tw.cancel)
> +		ret = ublk_ch_uring_cmd_local(cmd, issue_flags);
>  	if (ret != -EIOCBQUEUED)
>  		io_uring_cmd_done(cmd, ret, issue_flags);
>  }

This fix looks good.


Thanks,
Ming

Re: [PATCH] ublk: reject FETCH from non-userspace context

[Jens Axboe]

On 5/1/26 4:54 AM, Ming Lei wrote:
> On Fri, May 01, 2026 at 04:38:22AM -0600, Jens Axboe wrote:
>> On 5/1/26 4:36 AM, Ming Lei wrote:
>>> On Fri, May 01, 2026 at 04:34:11AM -0600, Jens Axboe wrote:
>>>> On 5/1/26 2:52 AM, Ming Lei wrote:
>>>>> __ublk_fetch() sets io->task to current, which is later checked
>>>>> against io_uring_cmd_get_task() in ublk_uring_cmd_cancel_fn().
>>>>> With REQ_F_FORCE_ASYNC, the FETCH uring_cmd can be issued from
>>>>> task work, which can be run from io_uring's fallback workqueue,
>>>>> causing a task mismatch and triggering the WARN in cancel_fn.
>>>>>
>>>>> Reject FETCH if current is not a real userspace task, and it is
>>>>> reasonable for failing it in case of io_uring fallback.
>>>>
>>>> I think this should be caught in ublk_ch_uring_cmd_cb(), which
>>>> should not hit ublk_ch_uring_cmd_local() if tw.cancel is true.
>>>> fallback work should just be terminated, not be issued.
>>>
>>> Yeah, that is definitely better, will take it in V2.
>>
>> Something like this, totally untested. Caveat: probably worth checking
>> the other tw paths in ublk as well!
> 
> tw.cancel can replace the check in ublk_dispatch_req() for ublk_cmd_tw_cb() and
> ublk_cmd_list_tw_cb(), which is one cleanup.
> 
> ublk_batch_tw_cb() doesn't track io task, so it is just fine.

Sounds good to me.

>> diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
>> index 8e5f3738c203..d10460d29e4a 100644
>> --- a/drivers/block/ublk_drv.c
>> +++ b/drivers/block/ublk_drv.c
>> @@ -3496,8 +3496,10 @@ static void ublk_ch_uring_cmd_cb(struct io_tw_req tw_req, io_tw_token_t tw)
>>  {
>>  	unsigned int issue_flags = IO_URING_CMD_TASK_WORK_ISSUE_FLAGS;
>>  	struct io_uring_cmd *cmd = io_uring_cmd_from_tw(tw_req);
>> -	int ret = ublk_ch_uring_cmd_local(cmd, issue_flags);
>> +	int ret = -ECANCELED;
>>  
>> +	if (!tw.cancel)
>> +		ret = ublk_ch_uring_cmd_local(cmd, issue_flags);
>>  	if (ret != -EIOCBQUEUED)
>>  		io_uring_cmd_done(cmd, ret, issue_flags);
>>  }
> 
> This fix looks good.

Feel free to just run with it or make it part of a fixup series.

-- 
Jens Axboe