mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-04 20:19:47 +08:00
linux/drivers/block
Ming Lei c5c5eb24ed ublk: avoid ublk_io_release() called after ublk char dev is closed
When running test_stress_04.sh, the following warning is triggered:

WARNING: CPU: 1 PID: 135 at drivers/block/ublk_drv.c:1933 ublk_ch_release+0x423/0x4b0 [ublk_drv]

This happens when the daemon is abruptly killed:

- some references may still be held, because registering IO buffer
doesn't grab ublk char device reference

OR

- io->task_registered_buffers won't be cleared because io buffer is
released from non-daemon context

For zero-copy and auto buffer register modes, I/O reference crosses
syscalls, so IO reference may not be dropped naturally when ublk server is
killed abruptly. However, when releasing io_uring context, it is guaranteed
that the reference is dropped finally, see io_sqe_buffers_unregister() from
io_ring_ctx_free().

Fix this by adding ublk_drain_io_references() that:
- Waits for active I/O references dropped in async way by scheduling
  work function, for avoiding ublk dev and io_uring file's release
  dependency
- Reinitializes io->ref and io->task_registered_buffers to clean state

This ensures the reference count state is clean when ublk_queue_reinit()
is called, preventing the warning and potential use-after-free.

Fixes: 1f6540e2aa ("ublk: zc register/unregister bvec")
Fixes: 1ceeedb597 ("ublk: optimize UBLK_IO_UNREGISTER_IO_BUF on daemon task")
Fixes: 8a8fe42d76 ("ublk: optimize UBLK_IO_REGISTER_IO_BUF on daemon task")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20250827121602.2619736-2-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2025-08-28 07:56:57 -06:00
..
aoe block-6.16-20250619 2025-06-19 23:29:35 -07:00
drbd drbd: Remove the open-coded page pool 2025-08-11 07:54:27 -06:00
mtip32xx block: mtip32xx: Fix usage of dma_map_sg() 2025-07-08 11:55:38 -06:00
null_blk null_blk: use memzero_page() 2025-07-09 22:42:08 -07:00
rnbd rnbd-srv: use bio_add_virt_nofail 2025-05-07 07:31:07 -06:00
xen-blkback xen/blkback: convert timeouts to secs_to_jiffies() 2025-01-12 20:21:03 -08:00
zram zram: pass buffer offset to zcomp_available_show() 2025-07-03 19:56:51 -06:00
amiflop.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
ataflop.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
brd.c brd: fix sleeping function called from invalid context in brd_insert_page() 2025-07-01 08:14:01 -06:00
floppy.c block: floppy: Fix uninitialized use of outparam 2025-07-13 12:08:31 -06:00
Kconfig block: remove pktcdvd driver 2025-07-07 07:02:42 -06:00
loop.c loop: fix zero sized loop for block special file 2025-08-25 07:46:57 -06:00
Makefile block: remove pktcdvd driver 2025-07-07 07:02:42 -06:00
n64cart.c block: move the nonrot flag to queue_limits 2024-06-19 07:58:28 -06:00
nbd.c for-6.17/block-20250728 2025-07-28 16:43:54 -07:00
ps3disk.c ps3disk: Do not use dev->bounce_size before it is set 2025-01-03 11:44:25 -07:00
ps3vram.c block: pass a queue_limits argument to blk_alloc_disk 2024-02-19 16:58:23 -07:00
rbd_types.h
rbd.c block: force noio scope in blk_mq_freeze_queue 2025-01-31 07:20:08 -07:00
rnull.rs rust: module: introduce authors key 2025-03-10 15:12:17 +01:00
sunvdc.c sunvdc: Balance device refcount in vdc_port_mpgroup_check 2025-07-22 10:02:17 -06:00
swim3.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
swim_asm.S
swim.c block: remove BLK_MQ_F_SHOULD_MERGE 2024-12-23 08:17:23 -07:00
ublk_drv.c ublk: avoid ublk_io_release() called after ublk char dev is closed 2025-08-28 07:56:57 -06:00
virtio_blk.c virtio: blk/scsi: use block layer helpers to calculate num of queues 2025-07-01 10:24:19 -06:00
xen-blkfront.c block: remove unused parameter 'q' parameter in __blk_rq_map_sg() 2025-03-13 05:46:19 -06:00
z2ram.c block: remove BLK_MQ_F_SHOULD_MERGE 2024-12-23 08:17:23 -07:00
zloop.c zloop: fix KASAN use-after-free of tag set 2025-07-31 15:01:07 -06:00