Skip to content

ublk: fix use-after-free in ublk_cancel_cmd()#812

Open
blktests-ci[bot] wants to merge 1 commit intolinus-master_basefrom
series/1091619=>linus-master
Open

ublk: fix use-after-free in ublk_cancel_cmd()#812
blktests-ci[bot] wants to merge 1 commit intolinus-master_basefrom
series/1091619=>linus-master

Conversation

@blktests-ci
Copy link
Copy Markdown

@blktests-ci blktests-ci Bot commented May 8, 2026

Pull request for series with
subject: ublk: fix use-after-free in ublk_cancel_cmd()
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=1091619

@ming1
ublk: fix use-after-free in ublk_cancel_cmd()
84a113c 
When ublk_reset_ch_dev() clears io->cmd via ublk_queue_reinit()
concurrently with ublk_cancel_cmd(), ublk_cancel_cmd() can read a
stale pointer and pass it to io_uring_cmd_done(), causing a
use-after-free.

Fix by synchronizing the two paths with ubq->cancel_lock:

- ublk_cancel_cmd(): read and clear io->cmd under cancel_lock,
  then call io_uring_cmd_done() on the saved local copy outside
  the lock.

- ublk_reset_ch_dev(): hold cancel_lock across ublk_queue_reinit()
  so that io->cmd and io->flags are cleared atomically with respect
  to ublk_cancel_cmd().

Fixes: 216c8f5 ("ublk: replace monitor with cancelable uring_cmd")
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
@blktests-ci
Copy link
Copy Markdown
Author

blktests-ci Bot commented May 8, 2026

Upstream branch: 6d35786
series: https://patchwork.kernel.org/project/linux-block/list/?series=1091619
version: 1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

linus-master new V1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ming1