From: Ming Lei <tom.leiming@gmail.com>
To: Hongling Zeng <zenghongling@kylinos.cn>
Cc: axboe@kernel.dk, ming.lei@canonical.com,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
zhongling0719@126.com
Subject: Re: [PATCH] block/loop: Fix NULL pointer dereference in lo_rw_aio()
Date: Tue, 19 May 2026 12:42:19 +0800 [thread overview]
Message-ID: <agvqK_4EelxnXUvf@fedora> (raw)
In-Reply-To: <20260519040103.22776-1-zenghongling@kylinos.cn>
On Tue, May 19, 2026 at 12:01:03PM +0800, Hongling Zeng wrote:
> lo->lo_backing_file can be NULL when the loop device is being cleared,
> causing NULL pointer dereference in lo_rw_aio(). Add a defensive check
> to prevent kernel crash.
In v7.1-rc tree, lo->lo_backing_file is cleared in __loop_clr_fd(), which
is called from lo_release() only, when it is guaranteed that there isn't
inflight IO.
So care to share your stack trace?
>
> Also fix loop_attr_backing_file_show() to use PTR_ERR_OR_ZERO()
> for correct NULL pointer handling.
>
> Fixes: bc07c10a3603a ("block: loop: support DIO & AIO")
Can you explain how the issue is introduced in above commit?
> Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
> ---
> drivers/block/loop.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/block/loop.c b/drivers/block/loop.c
> index 0000913f7efc..d8db1b0d8018 100644
> --- a/drivers/block/loop.c
> +++ b/drivers/block/loop.c
> @@ -397,6 +397,9 @@ static int lo_rw_aio(struct loop_device *lo, struct loop_cmd *cmd,
> cmd->iocb.ki_flags = 0;
> }
>
> + if (!file)
> + return -EIO;
If lo->lo_backing_file may become NULL, it isn't enough to add check here
only, cause it can be observed in lo_req_flush() & lo_fallocate() too.
Thanks,
Ming
next prev parent reply other threads:[~2026-05-19 4:42 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-19 4:01 [PATCH] block/loop: Fix NULL pointer dereference in lo_rw_aio() Hongling Zeng
2026-05-19 4:42 ` Ming Lei [this message]
2026-05-19 6:06 ` Hongling Zeng
2026-05-19 8:33 ` Ming Lei
[not found] ` <6A0C29F6.5080704@126.com>
2026-05-19 11:28 ` Ming Lei
2026-05-19 12:37 ` Tetsuo Handa
2026-05-20 3:20 ` Hongling Zeng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agvqK_4EelxnXUvf@fedora \
--to=tom.leiming@gmail.com \
--cc=axboe@kernel.dk \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ming.lei@canonical.com \
--cc=zenghongling@kylinos.cn \
--cc=zhongling0719@126.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.