From: Ming Lei <tom.leiming@gmail.com>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Jens Axboe <axboe@kernel.dk>,
	linux-block@vger.kernel.org,
	syzbot+cd8a9a308e879a4e2c28@syzkaller.appspotmail.com,
	syzbot+bc273027d5643e48e5b3@syzkaller.appspotmail.com,
	Hongling Zeng <zenghongling@kylinos.cn>,
	Bart Van Assche <bvanassche@acm.org>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH] loop: add sync_blockdev() in __loop_clr_fd() to prevent UAF
Date: Fri, 22 May 2026 19:50:38 +0800
Message-ID: <ahBDDhq5FHIGgTia@fedora>
In-Reply-To: <3001ff83-b48c-47d0-aaf3-81a8d58a0a44@I-love.SAKURA.ne.jp>

On Fri, May 22, 2026 at 06:54:39PM +0900, Tetsuo Handa wrote:
> On 2026/05/22 18:33, Ming Lei wrote:
> > Please do take a look at the commit log of this one and commit 1fe0b1acb14d
> 
> My question is what commit broke "->release is only called after all outstanding
> I/O has completed" in the patch description of commit 1fe0b1acb14d ("loop: only
> freeze the queue in __loop_clr_fd when needed").

Oops, 1fe0b1acb14d ("loop: only freeze the queue in __loop_clr_fd when needed") is actually
correct.

The issue must be from somewhere else (writeback?), given blkdev_put_whole() does
run blkdev_flush_mapping() before calling ->release(). If you or anyone
can reproduce it, the following debug patch may provide some hint:

diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 0000913f7efc..85f140c7f0a4 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1855,6 +1855,8 @@ static blk_status_t loop_queue_rq(struct blk_mq_hw_ctx *hctx,
        struct loop_cmd *cmd = blk_mq_rq_to_pdu(rq);
        struct loop_device *lo = rq->q->queuedata;
 
+       WARN_ON_ONCE(!lo->lo_backing_file);
+
        blk_mq_start_request(rq);
 
        if (data_race(READ_ONCE(lo->lo_state)) != Lo_bound)
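Review bot: the added `WARN_ON_ONCE(!lo->lo_backing_file);` does a plain load of `lo->lo_backing_file` from the I/O hot path, while the existing check two lines below reads the state as `data_race(READ_ONCE(lo->lo_state))`; a request racing with __loop_clr_fd clearing the backing file is exactly the window this debug patch is meant to catch, so wrap the new read the same way (`WARN_ON_ONCE(!data_race(READ_ONCE(lo->lo_backing_file)));`) so that KCSAN does not flag the debug check itself as the data race and drown the real report. Note also that the splat will only tell you that a request reached loop_queue_rq after the backing file was cleared; its stack trace identifies the submitter, which is what makes it useful for attributing late I/O (the writeback suspicion raised above) to the path that issued it, and `_ONCE` means only the first such request is recorded, so a reproducer should be run from a fresh boot or with the warning reset between attempts.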


Thanks,
Ming

Thread overview: 7+ messages
2026-05-22  2:54 [PATCH] loop: add sync_blockdev() in __loop_clr_fd() to prevent UAF Ming Lei
2026-05-22  3:28 ` Tetsuo Handa
2026-05-22  3:45   ` Ming Lei
2026-05-22  6:54     ` Tetsuo Handa
2026-05-22  9:33       ` Ming Lei
2026-05-22  9:54         ` Tetsuo Handa
2026-05-22 11:50           ` Ming Lei [this message]