ublk: Validate SQE128 flag before accessing the cmd
authorGovindarajulu Varadarajan <govind.varadar@gmail.com>
Fri, 30 Jan 2026 17:14:12 +0000 (10:14 -0700)
committerJens Axboe <axboe@kernel.dk>
Sat, 31 Jan 2026 13:36:11 +0000 (06:36 -0700)
ublk_ctrl_cmd_dump() accesses (header *)sqe->cmd before the
IO_URING_F_SQE128 flag check. This could cause an out-of-bounds memory
access.

Move the SQE128 flag check earlier in ublk_ctrl_uring_cmd() to return
-EINVAL immediately if the flag is not set.

Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver")
Signed-off-by: Govindarajulu Varadarajan <govind.varadar@gmail.com>
Reviewed-by: Caleb Sander Mateos <csander@purestorage.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
drivers/block/ublk_drv.c

index 5efaf53261cecf5b6798d47aed9b83d1e3c16715..01088194c8d35d2ecd547c7296a3d0b385aee3ee 100644 (file)
@@ -5221,10 +5221,10 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
            issue_flags & IO_URING_F_NONBLOCK)
                return -EAGAIN;
 
-       ublk_ctrl_cmd_dump(cmd);
-
        if (!(issue_flags & IO_URING_F_SQE128))
-               goto out;
+               return -EINVAL;
+
+       ublk_ctrl_cmd_dump(cmd);
 
        ret = ublk_check_cmd_op(cmd_op);
        if (ret)
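Review bot: The ordering this fix depends on is not recorded in the code: nothing at the `if (!(issue_flags & IO_URING_F_SQE128))` check says it must stay ahead of every read of the command payload, so a later debug or tracing call could be moved above it again. A short comment on the check would pin that down, for example `/* sqe->cmd payload is only valid with SQE128: reject before anything reads it */`. The early `return -EINVAL` in place of `goto out` looks deliberate if the `out:` path also reads header fields, but that label and the start of ublk_ctrl_uring_cmd() are outside the hunk, so it is worth confirming that nothing earlier in the function or on the exit path dereferences the header when the flag is clear.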