ublk: clear server ownership before aborting in-flight requests#822

Open
blktests-ci[bot] wants to merge 1 commit into linus-master_base from series/1093401=>linus-master

@blktests-ci blktests-ci Bot commented May 12, 2026

Pull request for series with
subject: ublk: clear server ownership before aborting in-flight requests
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=1093401

blktests-ci Bot commented May 12, 2026

Upstream branch: aa54b1d
series: https://patchwork.kernel.org/project/linux-block/list/?series=1093401
version: 1

blktests-ci Bot commented May 15, 2026

Upstream branch: 70eda68
series: https://patchwork.kernel.org/project/linux-block/list/?series=1093401
version: 1

@blktests-ci blktests-ci Bot force-pushed the series/1093401=>linus-master branch from abaf827 to 8338f32 Compare May 15, 2026 08:02
@blktests-ci blktests-ci Bot force-pushed the linus-master_base branch from ca57796 to c1feb59 Compare May 21, 2026 02:54

blktests-ci Bot commented May 21, 2026

Upstream branch: 8bc67e4
series: https://patchwork.kernel.org/project/linux-block/list/?series=1093401
version: 1

@blktests-ci blktests-ci Bot force-pushed the series/1093401=>linus-master branch from 8338f32 to e76d47e Compare May 21, 2026 03:22
@blktests-ci blktests-ci Bot force-pushed the linus-master_base branch from c1feb59 to ea833a1 Compare May 22, 2026 01:53

blktests-ci Bot commented May 22, 2026

Upstream branch: 6779b50
series: https://patchwork.kernel.org/project/linux-block/list/?series=1093401
version: 1

@blktests-ci blktests-ci Bot force-pushed the series/1093401=>linus-master branch from e76d47e to 4279e27 Compare May 22, 2026 02:20
@blktests-ci blktests-ci Bot force-pushed the linus-master_base branch from ea833a1 to 7af85d1 Compare May 23, 2026 06:11

blktests-ci Bot commented May 23, 2026

Upstream branch: 79bd2dd
series: https://patchwork.kernel.org/project/linux-block/list/?series=1093401
version: 1

@blktests-ci blktests-ci Bot force-pushed the series/1093401=>linus-master branch from 4279e27 to 96c624c Compare May 23, 2026 07:16
@blktests-ci blktests-ci Bot force-pushed the linus-master_base branch from 7af85d1 to de94ac7 Compare May 23, 2026 17:08

blktests-ci Bot commented May 23, 2026

Upstream branch: eed108e
series: https://patchwork.kernel.org/project/linux-block/list/?series=1093401
version: 1

@blktests-ci blktests-ci Bot force-pushed the series/1093401=>linus-master branch from 96c624c to 1987a11 Compare May 23, 2026 17:45
@blktests-ci blktests-ci Bot force-pushed the linus-master_base branch from de94ac7 to 86d8d37 Compare May 26, 2026 15:38

blktests-ci Bot commented May 26, 2026

Upstream branch: e8c2f9f
series: https://patchwork.kernel.org/project/linux-block/list/?series=1093401
version: 1

@blktests-ci blktests-ci Bot force-pushed the series/1093401=>linus-master branch from 1987a11 to 3dec49f Compare May 26, 2026 16:17
@blktests-ci blktests-ci Bot force-pushed the linus-master_base branch from 86d8d37 to 9805659 Compare May 28, 2026 13:24

blktests-ci Bot commented May 28, 2026

Upstream branch: eb3f4b7
series: https://patchwork.kernel.org/project/linux-block/list/?series=1093401
version: 1

@blktests-ci blktests-ci Bot force-pushed the series/1093401=>linus-master branch from 3dec49f to 9af9f1d Compare May 28, 2026 15:06
@blktests-ci blktests-ci Bot force-pushed the linus-master_base branch from 9805659 to 3f4a345 Compare May 29, 2026 11:12

blktests-ci Bot commented May 29, 2026

Upstream branch: 8fde5d1
series: https://patchwork.kernel.org/project/linux-block/list/?series=1093401
version: 1

@blktests-ci blktests-ci Bot force-pushed the series/1093401=>linus-master branch from 9af9f1d to f147f69 Compare May 29, 2026 11:58
@blktests-ci blktests-ci Bot force-pushed the linus-master_base branch from 3f4a345 to c6dc343 Compare June 1, 2026 08:58

blktests-ci Bot commented Jun 1, 2026

Upstream branch: e43ffb6
series: https://patchwork.kernel.org/project/linux-block/list/?series=1093401
version: 1

@blktests-ci blktests-ci Bot force-pushed the series/1093401=>linus-master branch from f147f69 to c052545 Compare June 1, 2026 09:48
@blktests-ci blktests-ci Bot force-pushed the linus-master_base branch from c6dc343 to fc36596 Compare June 3, 2026 13:56
[BUG]
A stale UBLK_IO_COMMIT_AND_FETCH_REQ can reach the normal completion path
after ublk has already aborted the in-flight request, leading to a
use-after-free in map/unmap mode:

BUG: KASAN: use-after-free in ublk_copy_io_pages drivers/block/ublk_drv.c:946 [inline]
BUG: KASAN: use-after-free in ublk_copy_user_pages+0x83c/0xcc0 drivers/block/ublk_drv.c:1013
Write of size 4096 at addr ffff88800ce2a000 by task ublk.fsfuzz/275

Call Trace:
 ...
 ublk_copy_io_pages drivers/block/ublk_drv.c:946 [inline]
 ublk_copy_user_pages+0x83c/0xcc0 drivers/block/ublk_drv.c:1013
 ublk_unmap_io+0x2bb/0x350 drivers/block/ublk_drv.c:1076
 __ublk_complete_rq drivers/block/ublk_drv.c:1188 [inline]
 ublk_ch_uring_cmd_local+0x157c/0x2180 drivers/block/ublk_drv.c:2477
 ublk_ch_uring_cmd+0x42/0x640 drivers/block/ublk_drv.c:2561
 io_uring_cmd+0x26f/0x570 io_uring/uring_cmd.c:263
 __io_issue_sqe+0xc2/0x760 io_uring/io_uring.c:1826
 io_issue_sqe+0xdd/0x11e0 io_uring/io_uring.c:1849
 io_queue_sqe io_uring/io_uring.c:2076 [inline]
 io_submit_sqe io_uring/io_uring.c:2336 [inline]
 io_submit_sqes+0x806/0x2390 io_uring/io_uring.c:2449
 __do_sys_io_uring_enter+0x5c0/0x13a0 io_uring/io_uring.c:3516
 __se_sys_io_uring_enter io_uring/io_uring.c:3455 [inline]
 __x64_sys_io_uring_enter+0xe5/0x1c0 io_uring/io_uring.c:3455
 x64_sys_call+0x2419/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:427
 ...

[CAUSE]
commit e63d222 ("ublk: simplify aborting ublk request") removed the
abort-only completion state and now __ublk_fail_req() fails or requeues
the request without first revoking UBLK_IO_FLAG_OWNED_BY_SRV. That leaves
the tag looking as if it is still owned by the ublk server, so a stale
COMMIT_AND_FETCH_REQ can pass the ownership check, reuse io->req, and
call __ublk_complete_rq() after the request has already been ended. In map
mode that drives ublk_unmap_io() into freed request pages.

[FIX]
Clear UBLK_IO_FLAG_OWNED_BY_SRV as soon as abort starts in
__ublk_fail_req(). Once ownership is revoked, any stale
COMMIT_AND_FETCH_REQ fails before touching io->req, so the completion path
can no longer copy into freed bio pages.

Fixes: e63d222 ("ublk: simplify aborting ublk request")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
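The ordering described under [CAUSE] and [FIX] above, as an added user-space model in C that is not part of the patch or the ublk driver. The struct, the flag value and every function name are hypothetical stand-ins; the only thing modelled is whether a commit that arrives after abort gets past the ownership check.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: names and values are hypothetical, not the driver's. */
#define MODEL_FLAG_OWNED_BY_SRV 0x1u

struct model_req { bool ended; };               /* stands in for the block request */
struct model_io  { unsigned flags; struct model_req *req; };

/* Abort path. revoke_first == false models the ordering described under [CAUSE];
 * revoke_first == true models the ordering described under [FIX]. */
static void model_fail_req(struct model_io *io, bool revoke_first)
{
    if (revoke_first)
        io->flags &= ~MODEL_FLAG_OWNED_BY_SRV;  /* ownership revoked before abort */
    io->req->ended = true;                      /* request failed or requeued */
}

/* Commit path. Returns -1 when the ownership check rejects the command,
 * 0 when completion ran. *touched_ended reports whether completion ran on a
 * request that had already been ended (the condition behind the KASAN report). */
static int model_commit(struct model_io *io, bool *touched_ended)
{
    *touched_ended = false;
    if (!(io->flags & MODEL_FLAG_OWNED_BY_SRV))
        return -1;                              /* stops before io->req is used */
    *touched_ended = io->req->ended;            /* completion would use io->req here */
    return 0;
}

/* Abort a request, then deliver a stale commit for the same tag. */
static bool stale_commit_touches_ended_req(bool revoke_first)
{
    struct model_req rq = { .ended = false };
    struct model_io io = { .flags = MODEL_FLAG_OWNED_BY_SRV, .req = &rq };
    bool touched;

    model_fail_req(&io, revoke_first);
    (void)model_commit(&io, &touched);
    return touched;
}

int main(void)
{
    printf("abort without revoke: touched ended request = %d\n",
           stale_commit_touches_ended_req(false));
    printf("abort with revoke:    touched ended request = %d\n",
           stale_commit_touches_ended_req(true));
    return 0;
}
```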

blktests-ci Bot commented Jun 3, 2026

Upstream branch: ba3e43a
series: https://patchwork.kernel.org/project/linux-block/list/?series=1093401
version: 1

@blktests-ci blktests-ci Bot force-pushed the series/1093401=>linus-master branch from c052545 to 08da582 Compare June 3, 2026 15:22