ublk: validate ublk server pid
authorMing Lei <ming.lei@redhat.com>
Sun, 13 Jul 2025 14:33:56 +0000 (22:33 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 Aug 2025 14:38:23 +0000 (16:38 +0200)
[ Upstream commit c2c8089f325ed703fd5123b39e2dece1dd605904 ]

The ublk server pid (the `tgid` of the process opening the ublk device) is
stored in `ublk_device->ublksrv_tgid`. This `tgid` is then checked against the
`ublksrv_pid` in `ublk_ctrl_start_dev` and `ublk_ctrl_end_recovery`.

This ensures that the correct ublk server pid is stored in device info.

Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20250713143415.2857561-2-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/block/ublk_drv.c

index 2492c11defcced780e7ed47a62525e761dad3cc9..3e60558bf525952cd91411bc621f2274d8968294 100644 (file)
@@ -218,6 +218,7 @@ struct ublk_device {
        unsigned int            nr_privileged_daemon;
        struct mutex cancel_mutex;
        bool canceling;
+       pid_t   ublksrv_tgid;
 };
 
 /* header of ublk_params */
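Review bot: The new `ublksrv_tgid` member in `struct ublk_device` has no comment, although it is now the reference value for validating a pid supplied from userspace. A reader of the struct cannot tell who sets it or what the sentinel means. I would document it in place, for example `pid_t ublksrv_tgid; /* tgid of the task that opened the char dev; -1 after ublk_reset_ch_dev() */`. The struct starts outside this hunk, so whether the field is zero or -1 before the first open is not visible here and is worth stating in the same comment.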
@@ -1517,6 +1518,7 @@ static int ublk_ch_open(struct inode *inode, struct file *filp)
        if (test_and_set_bit(UB_STATE_OPEN, &ub->state))
                return -EBUSY;
        filp->private_data = ub;
+       ub->ublksrv_tgid = current->tgid;
        return 0;
 }
 
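Review bot: `ub->ublksrv_tgid = current->tgid;` in `ublk_ch_open` records the kernel-global tgid, while the `ublksrv_pid` it is later compared with comes from userspace. If the ublk server runs in a non-initial pid namespace and reports the value it gets from `getpid()`, the two numbers would presumably differ, and `ublk_ctrl_start_dev` and `ublk_ctrl_end_recovery` would return -EINVAL for a legitimate server. Both sides should be in the same namespace, either by storing `task_tgid_vnr(current)` here or by translating the supplied value before the comparison. Which is right depends on the namespace `dev_info.ublksrv_pid` is meant to be reported in, and that is not visible in this diff.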
@@ -1531,6 +1533,7 @@ static void ublk_reset_ch_dev(struct ublk_device *ub)
        ub->mm = NULL;
        ub->nr_queues_ready = 0;
        ub->nr_privileged_daemon = 0;
+       ub->ublksrv_tgid = -1;
 }
 
 static struct gendisk *ublk_get_disk(struct ublk_device *ub)
@@ -2732,6 +2735,9 @@ static int ublk_ctrl_start_dev(struct ublk_device *ub,
        if (wait_for_completion_interruptible(&ub->completion) != 0)
                return -EINTR;
 
+       if (ub->ublksrv_tgid != ublksrv_pid)
+               return -EINVAL;
+
        mutex_lock(&ub->mutex);
        if (ub->dev_info.state == UBLK_S_DEV_LIVE ||
            test_bit(UB_STATE_USED, &ub->state)) {
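Review bot: The added `if (ub->ublksrv_tgid != ublksrv_pid)` in `ublk_ctrl_start_dev` reads the field before `mutex_lock(&ub->mutex)`, whereas `ublk_ch_open` and `ublk_reset_ch_dev` write it without any lock visible in their hunks. If the char device can be released and reopened while a control command is in flight, the check may validate against a stale or half-updated owner. The hunk in `ublk_ctrl_end_recovery` has the same shape. I would either move the comparison below `mutex_lock(&ub->mutex)`, provided the writers hold that mutex, or at least annotate the accesses, e.g. `if (READ_ONCE(ub->ublksrv_tgid) != ublksrv_pid)` paired with `WRITE_ONCE()` at the two stores. The function body continues outside the hunk, so the locking the callers already provide should be confirmed first.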
@@ -3232,6 +3238,9 @@ static int ublk_ctrl_end_recovery(struct ublk_device *ub,
        pr_devel("%s: All FETCH_REQs received, dev id %d\n", __func__,
                 header->dev_id);
 
+       if (ub->ublksrv_tgid != ublksrv_pid)
+               return -EINVAL;
+
        mutex_lock(&ub->mutex);
        if (ublk_nosrv_should_stop_dev(ub))
                goto out_unlock;