ublk: fix null-ptr-deref in ublk_queue_cmd #917

Open

blktests-ci[bot] wants to merge 1 commit into linus-master_base from series/1104193=>linus-master

Conversation

blktests-ci Bot commented Jun 1, 2026

Pull request for series with
subject: ublk: fix null-ptr-deref in ublk_queue_cmd
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=1104193


blktests-ci Bot commented Jun 1, 2026

Upstream branch: e43ffb6
series: https://patchwork.kernel.org/project/linux-block/list/?series=1104193
version: 1


blktests-ci Bot commented Jun 3, 2026

Upstream branch: ba3e43a
series: https://patchwork.kernel.org/project/linux-block/list/?series=1104193
version: 1

blktests-ci Bot force-pushed the series/1104193=>linus-master branch from f266c19 to f2d87d4 on June 3, 2026 14:14
blktests-ci Bot force-pushed the linus-master_base branch from fc36596 to 7bed9c3 on June 5, 2026 09:48

ublk_queue_cmd() dereferences ios[tag].cmd without a NULL check. The cmd
pointer can be NULL when ublk_cancel_cmd() races with IO dispatch during
server teardown:

  CPU0 (partition scan work)        CPU1 (io_uring cancel callback)
  ublk_queue_rq()
    ublk_prep_req() -> OK
    check canceling -> false
                                    ublk_start_cancel()
                                      quiesce, set canceling, unquiesce
                                    ublk_cancel_cmd()
                                      io->cmd = NULL
    ublk_queue_cmd()
      cmd = ios[tag].cmd  -> NULL
      ublk_get_uring_cmd_pdu(cmd) -> null-ptr-deref

The race window exists because ublk_cancel_cmd() can execute between the
canceling flag check and the cmd dereference in ublk_queue_cmd(). This
cannot be closed with simple synchronization since blk_mq_quiesce_queue
only waits for in-flight dispatches, not requests already past the
canceling check.

Fix by checking cmd for NULL before dereferencing. When NULL, abort the
request via __ublk_abort_rq() which handles both recovery (requeue) and
non-recovery (end with IOERR) cases.

Fixes: 71f28f3 ("ublk_drv: add io_uring based userspace block driver")
Reported-by: syzbot+415b9ec753cd2a196087@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=415b9ec753cd2a196087
Signed-off-by: Yun Zhou <yun.zhou@windriver.com>
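A user-space model of the interleaving above, added here as an illustration and not code from the series or the kernel: the struct, enum and function names below are this example's own stand-ins for the kernel symbols the commit message names, and a NULL_DEREF return stands in for the oops. It replays CPU0's canceling check passing, CPU1 clearing io->cmd, and CPU0 then reaching ublk_queue_cmd() with and without the fix.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed user-space model of the race in the commit message; the types,
 * names and enum below belong to this example, not to the kernel. */
enum outcome { QUEUED, ABORT_REQUEUE, ABORT_IOERR, NULL_DEREF };
struct uring_cmd { int id; };
struct ublk_io { struct uring_cmd *cmd; };
struct ublk_queue { bool canceling; bool recovery; struct ublk_io ios[1]; };

/* Models __ublk_abort_rq(): requeue when user recovery is on, else IOERR. */
static enum outcome abort_rq(const struct ublk_queue *ubq) {
    return ubq->recovery ? ABORT_REQUEUE : ABORT_IOERR;
}

/* Pre-fix ublk_queue_cmd(): trusts the earlier canceling check and reads
 * ios[tag].cmd unconditionally; NULL_DEREF stands in for the kernel oops. */
static enum outcome queue_cmd_unfixed(struct ublk_queue *ubq, int tag) {
    struct uring_cmd *cmd = ubq->ios[tag].cmd;
    return cmd == NULL ? NULL_DEREF : QUEUED;
}

/* Fixed ublk_queue_cmd(): cmd may be NULL here, so abort the request via
 * __ublk_abort_rq() instead of dereferencing it. */
static enum outcome queue_cmd_fixed(struct ublk_queue *ubq, int tag) {
    struct uring_cmd *cmd = ubq->ios[tag].cmd;
    return cmd == NULL ? abort_rq(ubq) : QUEUED;
}

/* Replays the interleaving from the commit message: CPU0's canceling check
 * passes, then CPU1's ublk_cancel_cmd() clears the slot, then CPU0 goes on. */
static enum outcome dispatch(bool race, bool recovery,
                             enum outcome (*queue_cmd)(struct ublk_queue *, int)) {
    struct uring_cmd cmd = { .id = 1 };
    struct ublk_queue ubq = { .canceling = false, .recovery = recovery };
    int tag = 0;
    ubq.ios[tag].cmd = &cmd;
    if (ubq.canceling)            /* CPU0: check canceling -> false */
        return abort_rq(&ubq);
    if (race) {                   /* CPU1: set canceling, io->cmd = NULL */
        ubq.canceling = true;
        ubq.ios[tag].cmd = NULL;
    }
    return queue_cmd(&ubq, tag);  /* CPU0: ublk_queue_cmd() */
}
int main(void) {
    printf("unfixed: %d  fixed/no-recovery: %d  fixed/recovery: %d\n",
           dispatch(true, false, queue_cmd_unfixed),
           dispatch(true, false, queue_cmd_fixed), dispatch(true, true, queue_cmd_fixed));
    return 0;
}
```

The unfixed path hits the NULL slot whenever the cancel lands between the canceling check and ublk_queue_cmd(); the fixed path ends the request with IOERR, or requeues it when recovery is enabled, exactly the two cases the commit message assigns to __ublk_abort_rq().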

blktests-ci Bot commented Jun 5, 2026

Upstream branch: ddd664b
series: https://patchwork.kernel.org/project/linux-block/list/?series=1104193
version: 1

blktests-ci Bot force-pushed the series/1104193=>linus-master branch from f2d87d4 to 07251c7 on June 5, 2026 10:02