authorGovindarajulu Varadarajan <govind.varadar@gmail.com>2026-01-30 10:14:12 -0700
committerJens Axboe <axboe@kernel.dk>2026-01-31 06:36:11 -0700
commitda7e4b75e50c087d2031a92f6646eb90f7045a67 (patch)
tree800cad41cefe6c0661b7318b2a33a0e6b5fe8304
parentda562d92e6755c00cd67845a8dbfb908dac51a9c (diff)
ublk: Validate SQE128 flag before accessing the cmd
ublk_ctrl_cmd_dump() accesses (header *)sqe->cmd before the IO_URING_F_SQE128 flag check. This could cause an out-of-bounds memory access. Move the SQE128 flag check earlier in ublk_ctrl_uring_cmd() to return -EINVAL immediately if the flag is not set. Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver") Signed-off-by: Govindarajulu Varadarajan <govind.varadar@gmail.com> Reviewed-by: Caleb Sander Mateos <csander@purestorage.com> Reviewed-by: Ming Lei <ming.lei@redhat.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
-rw-r--r--drivers/block/ublk_drv.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index 5efaf53261ce..01088194c8d3 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -5221,10 +5221,10 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
issue_flags & IO_URING_F_NONBLOCK)
return -EAGAIN;
- ublk_ctrl_cmd_dump(cmd);
-
if (!(issue_flags & IO_URING_F_SQE128))
- goto out;
+ return -EINVAL;
+
+ ublk_ctrl_cmd_dump(cmd);
ret = ublk_check_cmd_op(cmd_op);
if (ret)
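Review bot: The position of the `IO_URING_F_SQE128` check ahead of `ublk_ctrl_cmd_dump(cmd)` is now the only thing keeping the header read in bounds, yet nothing at the check records that, so a later refactor could move a header access back above it. I would add a comment on the check such as `/* No access to the header in sqe->cmd before this check; without SQE128 that read can go out of bounds. */`. The new `return -EINVAL` also bypasses the `out` label, which lies outside the hunk. That looks intended if the label's path touches the header as well, but it is worth confirming that nothing else done there is needed on this path. ublk_ctrl_uring_cmd() starts and ends outside the hunk.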