Commit da7e4b75 authored by Govindarajulu Varadarajan, committed by Jens Axboe

ublk: Validate SQE128 flag before accessing the cmd



ublk_ctrl_cmd_dump() accesses (header *)sqe->cmd before
IO_URING_F_SQE128 flag check. This could cause out of boundary memory
access.

Move the SQE128 flag check earlier in ublk_ctrl_uring_cmd() to return
-EINVAL immediately if the flag is not set.

Fixes: 71f28f31 ("ublk_drv: add io_uring based userspace block driver")
Signed-off-by: Govindarajulu Varadarajan <govind.varadar@gmail.com>
Reviewed-by: Caleb Sander Mateos <csander@purestorage.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
parent da562d92
+3 −3
@@ -5221,10 +5221,10 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
	    issue_flags & IO_URING_F_NONBLOCK)
		return -EAGAIN;

	ublk_ctrl_cmd_dump(cmd);

	if (!(issue_flags & IO_URING_F_SQE128))
		goto out;
		return -EINVAL;

	ublk_ctrl_cmd_dump(cmd);

	ret = ublk_check_cmd_op(cmd_op);
	if (ret)
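
Review bot: The commit message should say why the IO_URING_F_SQE128 check in ublk_ctrl_uring_cmd() now exits with `return -EINVAL` rather than `goto out`, since it only explains moving the check ahead of ublk_ctrl_cmd_dump(). The `out` label is not visible in this hunk, so a reader cannot tell from the diff whether anything done there (logging, cleanup) is now skipped for the non-SQE128 case; the `return -EAGAIN` just above already exits directly, which suggests nothing needs unwinding at this point, but that is worth stating. A one-line comment above the check noting that ublk_ctrl_cmd_dump() reads sqe->cmd as the header, and so must stay after the flag test, would also keep a later reorder from reintroducing the out-of-bounds access.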