ublk: fix null-ptr-deref in ublk_queue_cmd#917
Open
blktests-ci[bot] wants to merge 1 commit into
Open
Conversation
Author
|
Upstream branch: e43ffb6 |
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
c6dc343 to
fc36596
Compare
Author
|
Upstream branch: ba3e43a |
blktests-ci
Bot
force-pushed
the
series/1104193=>linus-master
branch
from
f266c19 to
f2d87d4
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
fc36596 to
7bed9c3
Compare
Author
|
Upstream branch: ddd664b |
blktests-ci
Bot
force-pushed
the
series/1104193=>linus-master
branch
from
f2d87d4 to
07251c7
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
7bed9c3 to
a7bb5c5
Compare
Author
|
Upstream branch: 979c294 |
blktests-ci
Bot
force-pushed
the
series/1104193=>linus-master
branch
from
07251c7 to
48b4d93
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
a7bb5c5 to
5e41a3b
Compare
Author
|
Upstream branch: acb7500 |
blktests-ci
Bot
force-pushed
the
series/1104193=>linus-master
branch
from
48b4d93 to
24308c5
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
5e41a3b to
c3a084b
Compare
Author
|
Upstream branch: 9716c08 |
blktests-ci
Bot
force-pushed
the
series/1104193=>linus-master
branch
from
24308c5 to
f1a0a92
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
c3a084b to
5f78e5d
Compare
Author
|
Upstream branch: 2a2974b |
blktests-ci
Bot
force-pushed
the
series/1104193=>linus-master
branch
from
f1a0a92 to
8b0e958
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
5f78e5d to
e48f9db
Compare
Author
|
Upstream branch: 062871f |
blktests-ci
Bot
force-pushed
the
series/1104193=>linus-master
branch
from
8b0e958 to
eedaf12
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
2 times, most recently
from
199644a to
e6d9eb8
Compare
Author
|
Upstream branch: 66affa3 |
blktests-ci
Bot
force-pushed
the
series/1104193=>linus-master
branch
from
eedaf12 to
7151b53
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
e6d9eb8 to
7d8604f
Compare
ublk_queue_cmd() dereferences ios[tag].cmd without NULL check. The cmd
pointer can be NULL when ublk_cancel_cmd() races with IO dispatch during
server teardown:
CPU0 (partition scan work) CPU1 (io_uring cancel callback)
ublk_queue_rq()
ublk_prep_req() -> OK
check canceling -> false
ublk_start_cancel()
quiesce, set canceling, unquiesce
ublk_cancel_cmd()
io->cmd = NULL
ublk_queue_cmd()
cmd = ios[tag].cmd -> NULL
ublk_get_uring_cmd_pdu(cmd) -> null-ptr-deref
The race window exists because ublk_cancel_cmd() can execute between the
canceling flag check and the cmd dereference in ublk_queue_cmd(). This
cannot be closed with simple synchronization since blk_mq_quiesce_queue
only waits for in-flight dispatches, not requests already past the
canceling check.
Fix by checking cmd for NULL before dereferencing. When NULL, abort the
request via __ublk_abort_rq() which handles both recovery (requeue) and
non-recovery (end with IOERR) cases.
Fixes: 71f28f3 ("ublk_drv: add io_uring based userspace block driver")
Reported-by: syzbot+415b9ec753cd2a196087@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=415b9ec753cd2a196087
Signed-off-by: Yun Zhou <yun.zhou@windriver.com>
Author
|
Upstream branch: bade58e |
blktests-ci
Bot
force-pushed
the
series/1104193=>linus-master
branch
from
7151b53 to
2cb8d67
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: ublk: fix null-ptr-deref in ublk_queue_cmd
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=1104193