git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Caleb Sander Mateos <csander@purestorage.com>
	Fri, 20 Jun 2025 15:09:56 +0000 (09:09 -0600)
committer	Jens Axboe <axboe@kernel.dk>
	Mon, 30 Jun 2025 21:50:53 +0000 (15:50 -0600)
commit	7ba962f4d73b2b768c977db2c7cd9551798bba26
tree	082bff32a604eb4153d56d102e71b45169705aff	tree
parent	c2f48453b7806d41f5a3270f206a5cd5640ed207	commit \| diff

ublk: remove struct ublk_rq_data

__ublk_check_and_get_req() attempts to atomically look up the struct
request for a ublk I/O and take a reference on it. However, the request
can be freed between the lookup on the tagset in blk_mq_tag_to_rq() and
the increment of its reference count in ublk_get_req_ref(), for example
if an elevator switch happens concurrently.

Fix the potential use after free by moving the reference count from
ublk_rq_data to ublk_io. Move the fields buf_index and buf_ctx_handle
too to reduce the number of cache lines touched when dispatching and
completing a ublk I/O, allowing ublk_rq_data to be removed entirely.

Suggested-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
Fixes: 62fe99cef94a ("ublk: add read()/write() support for ublk char device")
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20250620151008.3976463-3-csander@purestorage.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>