On Wed, Feb 12, 2025 at 05:24:34PM +0800, Ming Lei wrote:
> On Tue, Feb 11, 2025 at 09:11:10PM -0700, Keith Busch wrote:
> >
> However, it still may cause use-after-free on this request which has
> been failed from io_uring_try_cancel_uring_cmd(), and please see the
> following code path:
>
> io_uring_try_cancel_requests
> io_uring_try_cancel_uring_cmd
> ublk_uring_cmd_cancel_fn
> ublk_abort_requests
> ublk_abort_queue
> __ublk_fail_req
> ublk_put_req_ref
>
> The above race needs to be covered.

This race is covered. The ublk request has one reference taken when it
notifies userspace, then a second reference taken when the user registers
the bvec. The first reference is dropped from the abort, but the request
won't be completed because the second reference prevents that.

That second request reference can't be dropped until the ->release
callback happens, and that can't happen until two conditions are met:

  The bvec is unregistered
  All IO using the index completes

I think all the bases are covered here.
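The two-reference lifetime argued in the reply, replayed as an added user-space model (this is not code from the thread or from the ublk driver; every struct and function name here is a hypothetical stand-in for the roles mentioned: notify, register bvec, abort, ->release). It shows why the abort path's put cannot free the request while the bvec reference is held, and what happens if that second reference were missing:

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the two-reference scheme described in the reply.
 * None of these names are kernel or ublk identifiers; they only mirror
 * the roles discussed in the thread. */
struct model_req {
    int refs;               /* reference count; request completes at 0 */
    bool bvec_registered;   /* user has registered the bvec for this request */
    bool completed;         /* set when the last reference is dropped */
};

/* Notify userspace: the request takes its first reference. */
static void model_notify_userspace(struct model_req *r)
{
    r->refs = 1;
    r->bvec_registered = false;
    r->completed = false;
}

/* User registers the bvec: the second reference is taken. */
static void model_register_bvec(struct model_req *r)
{
    r->refs++;
    r->bvec_registered = true;
}

static void model_unregister_bvec(struct model_req *r)
{
    r->bvec_registered = false;
}

/* Drop one reference; the request is completed only when the count hits 0.
 * Returns true if this put completed the request. */
static bool model_put_ref(struct model_req *r)
{
    if (r->refs <= 0 || r->completed)
        return false;       /* a put here would be the use-after-free case */
    if (--r->refs == 0) {
        r->completed = true;
        return true;
    }
    return false;
}

/* Abort path (cancel -> fail request): drops the notification reference. */
static bool model_abort(struct model_req *r)
{
    return model_put_ref(r);
}

/* ->release callback: may only drop the bvec reference once the bvec is
 * unregistered and no IO using the index is in flight. Returns true if
 * the release ran and completed the request. */
static bool model_try_release(struct model_req *r, int io_in_flight)
{
    if (r->bvec_registered || io_in_flight > 0)
        return false;
    return model_put_ref(r);
}

/* Replays the race from the thread. Returns:
 *   1  abort could not complete the request; it completed only at ->release
 *   0  abort completed the request immediately (only one reference held)
 *  -1  model reached an unexpected state */
int run_abort_race(bool bvec_reference_held)
{
    struct model_req r;
    model_notify_userspace(&r);            /* refs = 1 */
    if (bvec_reference_held)
        model_register_bvec(&r);           /* refs = 2 */

    if (model_abort(&r))                   /* refs-- from the abort path */
        return 0;

    /* IO still using the index: release must not run. */
    if (model_try_release(&r, 1))
        return -1;
    /* IO done but bvec still registered: release still must not run. */
    if (model_try_release(&r, 0))
        return -1;
    model_unregister_bvec(&r);
    /* Both conditions met: release drops the last reference. */
    if (!model_try_release(&r, 0))
        return -1;
    return (r.completed && r.refs == 0) ? 1 : -1;
}

int main(void)
{
    printf("with bvec reference:    %d\n", run_abort_race(true));
    printf("without bvec reference: %d\n", run_abort_race(false));
    return 0;
}
```

With the bvec reference held, the abort's put only takes the count from two to one and the request stays alive until both release conditions hold; without it, the same abort completes the request at once, which is the window the quoted call path was worried about.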