From: Al Viro <viro@zeniv.linux.org.uk>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Jens Axboe <axboe@kernel.dk>,
	Bart Van Assche <bvanassche@acm.org>,
	Christoph Hellwig <hch@lst.de>,
	Damien Le Moal <dlemoal@kernel.org>,
	Ming Lei <tom.leiming@gmail.com>,
	linux-block <linux-block@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-btrfs@vger.kernel.org, David Sterba <dsterba@suse.com>,
	linux-fsdevel@vger.kernel.org,
	Christian Brauner <brauner@kernel.org>,
	Hillf Danton <hdanton@sina.com>
Subject: Re: [PATCH v4] loop: Fix NULL pointer dereference in lo_rw_aio()
Date: Tue, 9 Jun 2026 18:50:13 +0100
Message-ID: <20260609175013.GH2636677@ZenIV>
In-Reply-To: <3244d4dd-8254-47c0-9609-b1db53450c7c@I-love.SAKURA.ne.jp>

On Sun, Jun 07, 2026 at 07:54:58PM +0900, Tetsuo Handa wrote:
> syzbot is reporting NULL pointer dereference in lo_rw_aio() [1][2].
> An analysis by the Gemini AI collaborator [3] considers that this problem
> is caused by a timing shift primarily exposed by commit 65565ca5f99b
> ("block: unify the synchronous bi_end_io callbacks"), along with helper
> refactorings like commit 92c3737a2473 ("block: add a bio_submit_or_kill
> helper").
> 
> But due to difficulty of reproducing this race, discussion about what is
> happening and how to fix this problem is stalling. Also, we haven't
> identified how many filesystems are subjected to this problem.
> 
> Therefore, this patch introduces a grace period for flushing pending I/O
> requests (which should be a good thing from the perspective of defensive
> programming) so that we won't hit NULL pointer dereference problem, and
> also emits BUG: message in order to help filesystem developers identify
> the caller of an I/O request that failed to wait for completion so that
> filesystem developers can fix such caller to wait for completion.
> 
> Note that emitting BUG: message is enabled only if CONFIG_KCOV=y, for
> this check is a waste of computation resources for almost all users.

Still breaks xfs/259, same as the version in next-20260605...

Thread overview: 41+ messages
2026-04-18  0:02 [syzbot] [block?] general protection fault in lo_rw_aio syzbot
2026-04-21 11:05 ` Tetsuo Handa
2026-05-11 11:43   ` [PATCH] loop: Fix NULL pointer dereference by synchronizing lo_release and loop_queue_rq Tetsuo Handa
2026-05-11 15:58     ` Bart Van Assche
2026-05-11 17:43       ` Tetsuo Handa
2026-05-12 11:46         ` Tetsuo Handa
2026-05-15  1:38           ` [PATCH v2] " Tetsuo Handa
2026-05-19  0:40             ` Andrew Morton
2026-05-19  9:27               ` Tetsuo Handa
2026-05-20  3:06                 ` Ming Lei
2026-05-20  6:36                   ` Tetsuo Handa
2026-05-20  7:49                     ` Ming Lei
2026-05-20  8:20                       ` Tetsuo Handa
2026-05-20  8:54                         ` Ming Lei
2026-05-25  3:40                           ` [PATCH v3] loop: Fix NULL pointer dereference in lo_rw_aio() Tetsuo Handa
2026-05-25 15:19                             ` Ming Lei
2026-05-26  0:25                               ` Tetsuo Handa
2026-05-27  1:20                                 ` Ming Lei
2026-05-27  1:35                                   ` Tetsuo Handa
2026-05-27  3:00                                     ` Ming Lei
2026-05-27 11:29                                       ` Tetsuo Handa
2026-05-27 18:11                                         ` Damien Le Moal
2026-05-28  8:38                                           ` Christoph Hellwig
2026-05-28 10:16                                             ` Qu Wenruo
2026-06-01 14:40                                               ` Christoph Hellwig
2026-06-01 16:29                                                 ` Brian Foster
2026-06-01 22:27                                                   ` Qu Wenruo
2026-06-01 15:29                                               ` Ming Lei
2026-06-01 21:51                                                 ` Hillf Danton
2026-06-01 22:14                                                   ` Ming Lei
2026-06-01 23:17                                                     ` Hillf Danton
2026-06-01 23:36                                                       ` Ming Lei
2026-06-02  2:02                                                         ` Hillf Danton
2026-05-28  5:43                                       ` Hillf Danton
2026-05-28 23:00                                         ` Hillf Danton
2026-05-29  0:14                                           ` Tetsuo Handa
2026-05-29  7:04                                             ` Hillf Danton
2026-05-29 22:05                                               ` Hillf Danton
2026-05-30 23:57                                                 ` Tetsuo Handa
2026-06-07 10:54                                                   ` [PATCH v4] " Tetsuo Handa
2026-06-09 17:50                                                     ` Al Viro [this message]
