ublk_drv: do not add a re-issued request aborted previously to ioucmd's task_work

In ublk_queue_rq(), Assume current request is a re-issued request aborted
previously in monitor_work because the ubq_daemon(ioucmd's task) is
PF_EXITING. For this request, we cannot call
io_uring_cmd_complete_in_task() anymore because at that moment io_uring
context may be freed in case that no inflight ioucmd exists. Otherwise,
we may cause null-deref in ctx->fallback_work.

Add a check on UBLK_IO_FLAG_ABORTED to prevent the above situation. This
check is safe and makes sense.

Note: monitor_work sets UBLK_IO_FLAG_ABORTED and ends this request
(releasing the tag). Then the request is restarted(allocating the tag)
and we are here. Since releasing/allocating a tag implies smp_mb(),
finding UBLK_IO_FLAG_ABORTED guarantees that here is a re-issued request
aborted previously.

Suggested-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: ZiyangZhang <ZiyangZhang@linux.alibaba.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20220815023633.259825-4-ZiyangZhang@linux.alibaba.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index 685a43b..6a4a94b 100644 (file)
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -756,9 +756,25 @@ static blk_status_t ublk_queue_rq(struct blk_mq_hw_ctx *hctx,
                if (task_work_add(ubq->ubq_daemon, &data->work, notify_mode))
                        goto fail;
        } else {
-               struct io_uring_cmd *cmd = ubq->ios[rq->tag].cmd;
+               struct ublk_io *io = &ubq->ios[rq->tag];
+               struct io_uring_cmd *cmd = io->cmd;
                struct ublk_uring_cmd_pdu *pdu = ublk_get_uring_cmd_pdu(cmd);
 
+               /*
+                * If the check pass, we know that this is a re-issued request aborted
+                * previously in monitor_work because the ubq_daemon(cmd's task) is
+                * PF_EXITING. We cannot call io_uring_cmd_complete_in_task() anymore
+                * because this ioucmd's io_uring context may be freed now if no inflight
+                * ioucmd exists. Otherwise we may cause null-deref in ctx->fallback_work.
+                *
+                * Note: monitor_work sets UBLK_IO_FLAG_ABORTED and ends this request(releasing
+                * the tag). Then the request is re-started(allocating the tag) and we are here.
+                * Since releasing/allocating a tag implies smp_mb(), finding UBLK_IO_FLAG_ABORTED
+                * guarantees that here is a re-issued request aborted previously.
+                */
+               if ((io->flags & UBLK_IO_FLAG_ABORTED))
+                       goto fail;
+
                pdu->req = rq;
                io_uring_cmd_complete_in_task(cmd, ublk_rq_task_work_cb);
        }