ublk: reject FETCH from non-userspace context

__ublk_fetch() sets io->task to current, which is later checked
against io_uring_cmd_get_task() in ublk_uring_cmd_cancel_fn().
With REQ_F_FORCE_ASYNC, the FETCH uring_cmd can be issued from
task work, which can be run from io_uring's fallback workqueue,
causing a task mismatch and triggering the WARN in cancel_fn.

Reject FETCH if current is not a real userspace task, and it is
reasonable for failing it in case of io_uring fallback.

Fixes: 3421c7f ("ublk: make sure io cmd handled in submitter task context")
Signed-off-by: Ming Lei <[email protected]>

Author: ming1

drivers/block/ublk_drv.c

@@ -3251,12 +3251,19 @@ static int __ublk_fetch(struct io_uring_cmd *cmd, struct ublk_device *ub,
 
 	WARN_ON_ONCE(io->flags & UBLK_IO_FLAG_OWNED_BY_SRV);
 
-	ublk_fill_io_cmd(io, cmd);
-
-	if (ublk_dev_support_batch_io(ub))
+	if (ublk_dev_support_batch_io(ub)) {
 		WRITE_ONCE(io->task, NULL);
-	else
+	} else {
+		/*
+		 * FETCH must come from a real userspace task, not a
+		 * kworker is actually io_uring fallback workqueue.
+		 */
+		if (current->flags & (PF_KTHREAD | PF_WQ_WORKER))
+			return -EINVAL;
 		WRITE_ONCE(io->task, get_task_struct(current));
+	}
+
+	ublk_fill_io_cmd(io, cmd);
 
 	return 0;
 }