Commit c2c8089f authored by Ming Lei's avatar Ming Lei Committed by Jens Axboe

ublk: validate ublk server pid



The ublk server pid (the `tgid` of the process that opens the ublk char device) is stored
in `ublk_device->ublksrv_tgid`. This `tgid` is then checked against the
`ublksrv_pid` passed in by userspace to `ublk_ctrl_start_dev` and `ublk_ctrl_end_recovery`.

This ensures that the correct ublk server pid is stored in the device info.

Fixes: 71f28f31 ("ublk_drv: add io_uring based userspace block driver")
Signed-off-by: default avatarMing Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20250713143415.2857561-2-ming.lei@redhat.com


Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent 2e92ac61
+9 −0
@@ -237,6 +237,7 @@ struct ublk_device {
	unsigned int		nr_privileged_daemon;
	struct mutex cancel_mutex;
	bool canceling;
	pid_t 	ublksrv_tgid;
};

/* header of ublk_params */
@@ -1528,6 +1529,7 @@ static int ublk_ch_open(struct inode *inode, struct file *filp)
	if (test_and_set_bit(UB_STATE_OPEN, &ub->state))
		return -EBUSY;
	filp->private_data = ub;
	ub->ublksrv_tgid = current->tgid;
	return 0;
}

@@ -1542,6 +1544,7 @@ static void ublk_reset_ch_dev(struct ublk_device *ub)
	ub->mm = NULL;
	ub->nr_queues_ready = 0;
	ub->nr_privileged_daemon = 0;
	ub->ublksrv_tgid = -1;
}

static struct gendisk *ublk_get_disk(struct ublk_device *ub)
@@ -2820,6 +2823,9 @@ static int ublk_ctrl_start_dev(struct ublk_device *ub,
	if (wait_for_completion_interruptible(&ub->completion) != 0)
		return -EINTR;

	if (ub->ublksrv_tgid != ublksrv_pid)
		return -EINVAL;

	mutex_lock(&ub->mutex);
	if (ub->dev_info.state == UBLK_S_DEV_LIVE ||
	    test_bit(UB_STATE_USED, &ub->state)) {
@@ -3321,6 +3327,9 @@ static int ublk_ctrl_end_recovery(struct ublk_device *ub,
	pr_devel("%s: All FETCH_REQs received, dev id %d\n", __func__,
		 header->dev_id);

	if (ub->ublksrv_tgid != ublksrv_pid)
		return -EINVAL;

	mutex_lock(&ub->mutex);
	if (ublk_nosrv_should_stop_dev(ub))
		goto out_unlock;
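Review bot: The new check `if (ub->ublksrv_tgid != ublksrv_pid)` in ublk_ctrl_end_recovery (and its twin in ublk_ctrl_start_dev) compares a value recorded as `current->tgid` in ublk_ch_open, which is the init-namespace pid number, with a pid number supplied by userspace, so a ublk server running in a child pid namespace that reports its own view of its pid would presumably be rejected with -EINVAL, and a caller in a different namespace could in principle name a pid that is not the opener. Holding a reference instead — `ub->ublksrv_tgid = get_pid(task_tgid(current))` in ublk_ch_open, `put_pid()` in ublk_reset_ch_dev, and comparing against `find_vpid(ublksrv_pid)` resolved in the control caller's namespace — would make the check both namespace-correct and pinned to the task rather than to a reusable number. The comparison is also performed before `mutex_lock(&ub->mutex)`; if ublk_reset_ch_dev (which writes -1) can run from the char-device release path concurrently with this control command, the read is unsynchronised and the check should move under the mutex unless some ordering I cannot see from here already prevents that. A one-line comment on the field, `pid_t ublksrv_tgid; /* tgid of the task that opened the char dev, -1 when closed */`, would document the -1 sentinel set in ublk_reset_ch_dev. ublk_ctrl_end_recovery continues past the hunk.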