Commit 01ed88ae authored Jul 01, 2025 by Ming Lei Committed by Jens Axboe Jul 01, 2025

ublk: don't queue request if the associated uring_cmd is canceled



Commit 524346e9 ("ublk: build batch from IOs in same io_ring_ctx and io task")
need to dereference `io->cmd` for checking if the IO can be added to current
batch, see ublk_belong_to_same_batch() and io_uring_cmd_ctx_handle(). However,
`io->cmd` may become invalid after the uring_cmd is canceled.

Fixes it by only allowing to queue this IO in case that ublk_prep_req()
returns `BLK_STS_OK`, when 'io->cmd' is guaranteed to be valid.

Reported-by: Changhui Zhong <czhong@redhat.com>
Fixes: 524346e9 ("ublk: build batch from IOs in same io_ring_ctx and io task")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20250701072325.1458109-1-ming.lei@redhat.com


Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent c0070621

drivers/block/ublk_drv.c

+6 −5

Original line number	Diff line number	Diff line
		@@ -1442,15 +1442,16 @@ static void ublk_queue_rqs(struct rq_list *rqlist)
		struct ublk_queue *this_q = req->mq_hctx->driver_data;
		struct ublk_io *this_io = &this_q->ios[req->tag];

		if (ublk_prep_req(this_q, req, true) != BLK_STS_OK) {
		rq_list_add_tail(&requeue_list, req);
		continue;
		}

		if (io && !ublk_belong_to_same_batch(io, this_io) &&
		!rq_list_empty(&submit_list))
		ublk_queue_cmd_list(io, &submit_list);
		io = this_io;

		if (ublk_prep_req(this_q, req, true) == BLK_STS_OK)
		rq_list_add_tail(&submit_list, req);
		else
		rq_list_add_tail(&requeue_list, req);
		}

		if (!rq_list_empty(&submit_list))