
Merge tag 'block-7.1-20260508' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull block fixes from Jens Axboe:

- Fix for ublk not doing an actual issue from the task_work fallback
path. Any request hitting that should be canceled automatically

- Fix for uring_cmd prep side handling, for the block side uring_cmd
discard handling

- Fix for missing validation of the io and physical block size shifts

- Fix for a use-after-free in ublk's cancel command handling

* tag 'block-7.1-20260508' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
ublk: fix use-after-free in ublk_cancel_cmd()
ublk: validate physical_bs_shift, io_min_shift and io_opt_shift
block: only read from sqe on initial invocation of blkdev_uring_cmd()
ublk: don't issue uring_cmd from fallback task work

+50 -16
+15 -9
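--- a/block/ioctl.c
+++ b/block/ioctl.c
@@ -857,6 +857,8 @@
 #endif
 
 struct blk_iou_cmd {
+u64 start;
+u64 len;
 int res;
 bool nowait;
 };
@@ -948,23 +946,27 @@
 {
 struct block_device *bdev = I_BDEV(cmd->file->f_mapping->host);
 struct blk_iou_cmd *bic = io_uring_cmd_to_pdu(cmd, struct blk_iou_cmd);
-const struct io_uring_sqe *sqe = cmd->sqe;
 u32 cmd_op = cmd->cmd_op;
-uint64_t start, len;
 
-if (unlikely(sqe->ioprio || sqe->__pad1 || sqe->len ||
-sqe->rw_flags || sqe->file_index))
-return -EINVAL;
+/* Read what we need from the SQE on the first issue */
+if (!(issue_flags & IORING_URING_CMD_REISSUE)) {
+const struct io_uring_sqe *sqe = cmd->sqe;
+
+if (unlikely(sqe->ioprio || sqe->__pad1 || sqe->len ||
+sqe->rw_flags || sqe->file_index))
+return -EINVAL;
+
+bic->start = READ_ONCE(sqe->addr);
+bic->len = READ_ONCE(sqe->addr3);
+}
 
 bic->res = 0;
 bic->nowait = issue_flags & IO_URING_F_NONBLOCK;
 
-start = READ_ONCE(sqe->addr);
-len = READ_ONCE(sqe->addr3);
-
 switch (cmd_op) {
 case BLOCK_URING_CMD_DISCARD:
-return blkdev_cmd_discard(cmd, bdev, start, len, bic->nowait);
+return blkdev_cmd_discard(cmd, bdev, bic->start, bic->len,
+bic->nowait);
 }
 return -EINVAL;
 }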
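Review bot: The two fields added to `struct blk_iou_cmd` carry no comment saying why the SQE values are snapshotted into the pdu, which is the whole point of this fix; I would put `/* discard range captured from the SQE on first issue; the SQE is not re-read on reissue */` above `u64 start;`. In the second hunk `bic->res = 0` still runs on every invocation, so a reissue would discard whatever `res` held from the earlier attempt — I cannot tell from here whether a reissue can follow a partial result, but if it can, that reset belongs inside the `!IORING_URING_CMD_REISSUE` branch next to the SQE reads. The enclosing function's signature is above the hunk, so the `issue_flags` parameter is assumed from its use.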
+35 -7
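--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -900,6 +900,20 @@
 if (p->logical_bs_shift > PAGE_SHIFT || p->logical_bs_shift < 9)
 return -EINVAL;
 
+/*
+* 256M is a reasonable upper bound for physical block size,
+* io_min and io_opt; it aligns with the maximum physical
+* block size possible in NVMe.
+*/
+if (p->physical_bs_shift > ilog2(SZ_256M))
+return -EINVAL;
+
+if (p->io_min_shift > ilog2(SZ_256M))
+return -EINVAL;
+
+if (p->io_opt_shift > ilog2(SZ_256M))
+return -EINVAL;
+
 if (p->logical_bs_shift > p->physical_bs_shift)
 return -EINVAL;
 
@@ -2411,8 +2397,14 @@
 {
 int i;
 
-for (i = 0; i < ub->dev_info.nr_hw_queues; i++)
-ublk_queue_reinit(ub, ublk_get_queue(ub, i));
+for (i = 0; i < ub->dev_info.nr_hw_queues; i++) {
+struct ublk_queue *ubq = ublk_get_queue(ub, i);
+
+/* Sync with ublk_cancel_cmd() */
+spin_lock(&ubq->cancel_lock);
+ublk_queue_reinit(ub, ubq);
+spin_unlock(&ubq->cancel_lock);
+}
 
 /* set to NULL, otherwise new tasks cannot mmap io_cmd_buf */
 ub->mm = NULL;
@@ -2759,6 +2739,7 @@
 {
 struct ublk_io *io = &ubq->ios[tag];
 struct ublk_device *ub = ubq->dev;
+struct io_uring_cmd *cmd = NULL;
 struct request *req;
 bool done;
 
@@ -2782,12 +2761,15 @@
 
 spin_lock(&ubq->cancel_lock);
 done = !!(io->flags & UBLK_IO_FLAG_CANCELED);
-if (!done)
+if (!done) {
 io->flags |= UBLK_IO_FLAG_CANCELED;
+cmd = io->cmd;
+io->cmd = NULL;
+}
 spin_unlock(&ubq->cancel_lock);
 
-if (!done)
-io_uring_cmd_done(io->cmd, UBLK_IO_RES_ABORT, issue_flags);
+if (!done && cmd)
+io_uring_cmd_done(cmd, UBLK_IO_RES_ABORT, issue_flags);
 }
 
 /*
@@ -3520,8 +3496,10 @@
 {
 unsigned int issue_flags = IO_URING_CMD_TASK_WORK_ISSUE_FLAGS;
 struct io_uring_cmd *cmd = io_uring_cmd_from_tw(tw_req);
-int ret = ublk_ch_uring_cmd_local(cmd, issue_flags);
+int ret = -ECANCELED;
 
+if (!tw.cancel)
+ret = ublk_ch_uring_cmd_local(cmd, issue_flags);
 if (ret != -EIOCBQUEUED)
 io_uring_cmd_done(cmd, ret, issue_flags);
 }
@@ -5016,13 +4990,15 @@
 */
 ret = -EACCES;
 } else if (copy_from_user(&ub->params, argp, ph.len)) {
+/* zero out partial copy so no stale params survive */
+memset(&ub->params, 0, sizeof(ub->params));
 ret = -EFAULT;
 } else {
 /* clear all we don't support yet */
 ub->params.types &= UBLK_PARAM_TYPE_ALL;
 ret = ublk_validate_params(ub);
 if (ret)
-ub->params.types = 0;
+memset(&ub->params, 0, sizeof(ub->params));
 }
 mutex_unlock(&ub->mutex);
 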
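Review bot: In the first hunk the same bound `ilog2(SZ_256M)` is compared in three separate `if` blocks; a single test reads better and keeps the limit in one place: `if (p->physical_bs_shift > ilog2(SZ_256M) || p->io_min_shift > ilog2(SZ_256M) || p->io_opt_shift > ilog2(SZ_256M)) return -EINVAL;`. The comment above those checks justifies the 256M figure but not why a bound is needed at all; since `ub->params` is filled by `copy_from_user` in the last hunk and `p` presumably points into it, a line such as `/* these shifts are user-supplied; cap them so later 1 << shift computations stay in range */` would state the threat — the downstream shift is inferred from the field names, so confirm it before wording the comment. Whether io_min_shift and io_opt_shift also need a lower bound relative to logical_bs_shift is not visible in this hunk. The function containing these checks begins above the hunk.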