Re: [PATCH V3 01/17] ublk: validate ublk server pid

On Sun, Jul 13, 2025 at 10:34 AM Ming Lei <ming.lei@xxxxxxxxxx> wrote:
>
> ublk server pid (the `tgid` of the process opening the ublk device) is stored
> in `ublk_device->ublksrv_tgid`. This `tgid` is then checked against the
> `ublksrv_pid` in `ublk_ctrl_start_dev` and `ublk_ctrl_end_recovery`.
>
> This ensures that the correct ublk server pid is stored in device info.
>
> Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver")
> Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxx>
> ---
>  drivers/block/ublk_drv.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
> index a1a700c7e67a..2b894de29823 100644
> --- a/drivers/block/ublk_drv.c
> +++ b/drivers/block/ublk_drv.c
> @@ -237,6 +237,7 @@ struct ublk_device {
>         unsigned int            nr_privileged_daemon;
>         struct mutex cancel_mutex;
>         bool canceling;
> +       pid_t   ublksrv_tgid;
>  };
>
>  /* header of ublk_params */
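
Review bot: the new `ublksrv_tgid` member of `struct ublk_device` carries no comment saying what it holds, which lock (if any) protects it, or what the `-1` later written by ublk_reset_ch_dev() means, and its alignment (`pid_t   ublksrv_tgid;`) matches neither the tab-aligned `nr_privileged_daemon` above it nor the single-space `cancel_mutex`/`canceling` lines. Suggest a one-line comment along the lines of `/* tgid of the process holding the char dev open; -1 when none */` and the same alignment as the neighbouring fields.
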
> @@ -1528,6 +1529,7 @@ static int ublk_ch_open(struct inode *inode, struct file *filp)
>         if (test_and_set_bit(UB_STATE_OPEN, &ub->state))
>                 return -EBUSY;
>         filp->private_data = ub;
> +       ub->ublksrv_tgid = current->tgid;
>         return 0;
>  }
>
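
Review bot: `ub->ublksrv_tgid = current->tgid;` records the init-namespace tgid, whereas the `ublksrv_pid` it is compared against in ublk_ctrl_start_dev() and ublk_ctrl_end_recovery() is supplied by userspace, which a server running inside a pid namespace would obtain from getpid() in its own namespace; unless the control path translates the value, such a server could never pass the new check. Worth confirming which view is intended; if it is the caller's own, `task_tgid_vnr(current)` is the matching accessor.
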
> @@ -1542,6 +1544,7 @@ static void ublk_reset_ch_dev(struct ublk_device *ub)
>         ub->mm = NULL;
>         ub->nr_queues_ready = 0;
>         ub->nr_privileged_daemon = 0;
> +       ub->ublksrv_tgid = -1;

Should this be reset to 0? The next patch checks whether ublksrv_tgid
is 0 in ublk_timeout(). Also, the accesses to it should probably be
using {READ,WRITE}_ONCE() since ublk server open/close can happen
concurrently with ublk I/O timeout handling.

Best,
Caleb

>  }
>
>  static struct gendisk *ublk_get_disk(struct ublk_device *ub)
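
Review bot: the literal `-1` in ublk_reset_ch_dev() is a bare magic value: nothing in the hunk says whether "no server" is represented by -1 or by 0, which is exactly the ambiguity the reply above raises against the next patch's `== 0` test in ublk_timeout(). Whichever sentinel is chosen, define it once (a hypothetical `UBLK_SRV_TGID_NONE`, for example) or comment it at the declaration, and use that same value at every place the field is reset or tested so that "no server attached" has a single representation.
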
> @@ -2820,6 +2823,9 @@ static int ublk_ctrl_start_dev(struct ublk_device *ub,
>         if (wait_for_completion_interruptible(&ub->completion) != 0)
>                 return -EINTR;
>
> +       if (ub->ublksrv_tgid != ublksrv_pid)
> +               return -EINVAL;
> +
>         mutex_lock(&ub->mutex);
>         if (ub->dev_info.state == UBLK_S_DEV_LIVE ||
>             test_bit(UB_STATE_USED, &ub->state)) {
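
Review bot: the `if (ub->ublksrv_tgid != ublksrv_pid) return -EINVAL;` test runs before `mutex_lock(&ub->mutex)`, so it reads a field that ublk_ch_open() and ublk_reset_ch_dev() write on another path, and a close racing with the START_DEV command can let the comparison pass on a value that is stale by the time the state transition below happens. Suggest moving the check under `mutex_lock(&ub->mutex)` next to the existing `UBLK_S_DEV_LIVE`/`UB_STATE_USED` test so the decision and the transition are made under one lock; if the writers are not serialised by ub->mutex either, the READ_ONCE()/WRITE_ONCE() pairing suggested in the reply above is the minimum needed.
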
> @@ -3321,6 +3327,9 @@ static int ublk_ctrl_end_recovery(struct ublk_device *ub,
>         pr_devel("%s: All FETCH_REQs received, dev id %d\n", __func__,
>                  header->dev_id);
>
> +       if (ub->ublksrv_tgid != ublksrv_pid)
> +               return -EINVAL;
> +
>         mutex_lock(&ub->mutex);
>         if (ublk_nosrv_should_stop_dev(ub))
>                 goto out_unlock;
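
Review bot: this is a second verbatim copy of the `ub->ublksrv_tgid != ublksrv_pid` check with the same -EINVAL, placed before `mutex_lock(&ub->mutex)` exactly as in ublk_ctrl_start_dev(); factor it into a small helper (hypothetical name, say `ublk_srv_pid_matches(ub, ublksrv_pid)`) so that the sentinel handling and any READ_ONCE() live in one place, and apply whatever locking fix is chosen for the start path here as well. A one-line comment on why a mismatch is rejected (the pid recorded in dev_info must belong to the process that actually holds the char dev) would also help the next reader.
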
> --
> 2.47.0
>
