On Thu, Jul 07, 2022 at 03:49:52PM +0800, Ming Lei wrote: > On Tue, Jul 05, 2022 at 04:06:16PM +0800, Ming Lei wrote: > > On Mon, Jul 04, 2022 at 06:10:40PM -0400, Gabriel Krisman Bertazi wrote: > > > Ming Lei <ming.lei@xxxxxxxxxx> writes: > > ... > > > > > > > > > > > > + __func__, cmd->cmd_op, ub_cmd->q_id, tag, > > > > + ub_cmd->result); > > > > + > > > > + if (!(issue_flags & IO_URING_F_SQE128)) > > > > + goto out; > > > > + > > > > + ubq = ublk_get_queue(ub, ub_cmd->q_id); > > > > + if (!ubq || ub_cmd->q_id != ubq->q_id) > > > > > > q_id is coming from userspace and is used to access an array inside > > > ublk_get_queue(). I think you need to ensure qid < ub->dev_info.nr_hw_queues > > > before calling ublk_get_queue() to protect from a kernel bad memory > > > access triggered by userspace. > > > > Good catch! > > Turns out the check on 'qid < ub->dev_info.nr_hw_queues' isn't needed, > since the condition of 'ub_cmd->q_id != ubq->q_id' is more strict. But ubq is retrieved via ->q_id, so we do need the validation. Sorry for the noise. Thanks, Ming
