From f30394bcbdbc9c5b47ad4462f31777baab575962 Mon Sep 17 00:00:00 2001
From: Ming Lei
Date: Fri, 1 May 2026 16:52:16 +0800
Subject: [PATCH] ublk: reject FETCH from non-userspace context
__ublk_fetch() sets io->task to current, which is later checked against io_uring_cmd_get_task() in ublk_uring_cmd_cancel_fn(). With REQ_F_FORCE_ASYNC, the FETCH uring_cmd can be issued from task work, which can be run from io_uring's fallback workqueue, causing a task mismatch and triggering the WARN in cancel_fn. Reject FETCH if current is not a real userspace task, and it is reasonable for failing it in case of io_uring fallback.
Fixes: 3421c7f68bba ("ublk: make sure io cmd handled in submitter task context")
Signed-off-by: Ming Lei
---
 drivers/block/ublk_drv.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index 8e5f3738c203..57abc0e9681f 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -3251,12 +3251,19 @@ static int __ublk_fetch(struct io_uring_cmd *cmd, struct ublk_device *ub,
 WARN_ON_ONCE(io->flags & UBLK_IO_FLAG_OWNED_BY_SRV);
- ublk_fill_io_cmd(io, cmd);
-
- if (ublk_dev_support_batch_io(ub))
+ if (ublk_dev_support_batch_io(ub)) {
 WRITE_ONCE(io->task, NULL);
- else
+ } else {
+ /*
+ * FETCH must come from a real userspace task, not a
+ * kworker is actually io_uring fallback workqueue.
+ */
+ if (current->flags & (PF_KTHREAD | PF_WQ_WORKER))
+ return -EINVAL;
 WRITE_ONCE(io->task, get_task_struct(current));
+ }
+
+ ublk_fill_io_cmd(io, cmd);
 return 0;
 }
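Review bot: The new guard in the `else` branch tests `current->flags & (PF_KTHREAD | PF_WQ_WORKER)`, which is only a proxy for the invariant the commit message describes (the task stored in `io->task` must match `io_uring_cmd_get_task()` when `ublk_uring_cmd_cancel_fn()` runs). Any other context where `current` differs from the submitter would still pass it; whether such a path can reach `__ublk_fetch()` is not visible in this hunk. Consider checking the invariant directly, e.g. `if (current != io_uring_cmd_get_task(cmd)) return -EINVAL;`, or say in the comment why these two flags are sufficient. The comment itself is hard to parse; `FETCH must come from a real userspace task, not a kthread or a workqueue worker such as io_uring's fallback workqueue.` would read more clearly. The start of `__ublk_fetch()` lies outside the hunk.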