On Fri, Jun 20, 2025 at 09:09:56AM -0600, Caleb Sander Mateos wrote:
> __ublk_check_and_get_req() attempts to atomically look up the struct
> request for a ublk I/O and take a reference on it. However, the request
> can be freed between the lookup on the tagset in blk_mq_tag_to_rq() and
> the increment of its reference count in ublk_get_req_ref(), for example
> if an elevator switch happens concurrently.
>
> Fix the potential use after free by moving the reference count from
> ublk_rq_data to ublk_io. Move the fields buf_index and buf_ctx_handle
> too to reduce the number of cache lines touched when dispatching and
> completing a ublk I/O, allowing ublk_rq_data to be removed entirely.
>
> Suggested-by: Ming Lei <ming.lei@xxxxxxxxxx>
> Signed-off-by: Caleb Sander Mateos <csander@xxxxxxxxxxxxxxx>
> Fixes: 62fe99cef94a ("ublk: add read()/write() support for ublk char device")

Reviewed-by: Ming Lei <ming.lei@xxxxxxxxxx>

Thanks,
Ming
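The ordering change the commit message describes, shown as a constructed user-space model that is not part of this thread, the ublk driver or the block layer: a per-tag slot with device lifetime (model_io, standing in for ublk_io) holds the reference count, so the "take a reference" step never reads request memory that an elevator switch may have freed. All names (model_request, model_io, old_check_and_get, new_check_and_get, model_elevator_switch) are hypothetical; the freed_touches counter makes the use after free visible where a real kernel would crash or corrupt memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the lookup-then-ref race; not ublk code. */
#define NR_TAGS 4

struct model_request {
	int tag;
	bool freed;     /* memory handed back to the allocator by an elevator switch */
	int pdu_ref;    /* OLD design: refcount stored in the request's pdu */
};

/* Per-tag slot owned by the device for its whole lifetime (models ublk_io). */
struct model_io {
	int ref;        /* NEW design: refcount lives here */
};

/* Backing storage so a "freed" request stays readable by the model and an
 * access to it can be counted instead of crashing. */
static struct model_request pool[NR_TAGS];
static struct model_request *tagset[NR_TAGS];  /* what the tag lookup reads */
static struct model_io ios[NR_TAGS];
static int freed_touches;                      /* accesses to freed request memory */

/* Models blk_mq_tag_to_rq(): whatever request is currently published for the tag. */
static struct model_request *model_tag_to_rq(int tag)
{
	return (tag >= 0 && tag < NR_TAGS) ? tagset[tag] : NULL;
}

/* Driver starts handling the I/O for this tag; the in-flight I/O owns one ref. */
void model_dispatch(int tag)
{
	struct model_request *rq = &pool[tag];
	rq->tag = tag;
	rq->freed = false;
	rq->pdu_ref = 1;
	tagset[tag] = rq;
	ios[tag].ref = 1;
}

/* I/O finished: the in-flight reference is dropped in both designs. */
void model_complete(int tag)
{
	pool[tag].pdu_ref = 0;
	ios[tag].ref = 0;
}

/* Elevator switch: tags with no I/O in flight have their request freed and the
 * lookup table replaced. A tag still in flight cannot be freed (the queue
 * freeze waits for it), which is what the NEW order relies on. */
void model_elevator_switch(void)
{
	for (int tag = 0; tag < NR_TAGS; tag++) {
		if (ios[tag].ref == 0) {
			pool[tag].freed = true;
			tagset[tag] = NULL;
		}
	}
}

/* OLD order: look the request up, then bump the count stored inside it.
 * 'race' runs in the window between the two steps. */
struct model_request *old_check_and_get(int tag, void (*race)(void))
{
	struct model_request *rq = model_tag_to_rq(tag);
	if (!rq)
		return NULL;
	if (race)
		race();                 /* elevator switch may free rq here */
	if (rq->freed)
		freed_touches++;        /* the use after free, made countable */
	if (rq->pdu_ref == 0)
		return NULL;
	rq->pdu_ref++;
	return rq;
}

/* NEW order: take the reference on the per-tag slot first. Zero means no I/O
 * is in flight and the request is never touched; non-zero means the I/O (and
 * its request) stays alive for as long as the reference is held. */
struct model_request *new_check_and_get(int tag, void (*race)(void))
{
	struct model_io *io = &ios[tag];
	if (io->ref == 0)               /* refcount_inc_not_zero() in kernel terms */
		return NULL;
	io->ref++;
	if (race)
		race();                 /* switch skips this tag: ref != 0 */
	return model_tag_to_rq(tag);
}

void new_put(int tag) { ios[tag].ref--; }
int model_io_ref(int tag) { return ios[tag].ref; }
int model_freed_touches(void) { return freed_touches; }

int main(void)
{
	model_dispatch(0);
	model_complete(0);
	old_check_and_get(0, model_elevator_switch);
	printf("old order: touched freed memory %d time(s)\n", model_freed_touches());
	model_dispatch(1);
	model_complete(1);
	new_check_and_get(1, model_elevator_switch);
	printf("new order: touched freed memory %d time(s)\n", model_freed_touches());
	return 0;
}
```

The model only moves the reference count; the real patch also relocates buf_index and buf_ctx_handle into ublk_io for cache-line reasons, which has no bearing on the race and is left out here.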