Re: [PATCH] block/loop: Fix NULL pointer dereference in lo_rw_aio()

Next message: Sarthak Sharma: "Re: [PATCH 2/2] selftests/mm: rewrite gup_test as a standalone harness-based selftest"
Previous message: kernel test robot: "fs/orangefs/inode.o: error: objtool: orangefs_readahead+0x21c: can't find jump dest instruction at .text.orangefs_readahead+0x2dc"
In reply to: Hongling Zeng: "[PATCH] block/loop: Fix NULL pointer dereference in lo_rw_aio()"
Next in thread: Hongling Zeng: "Re: [PATCH] block/loop: Fix NULL pointer dereference in lo_rw_aio()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ming Lei

Date: Tue May 19 2026 - 00:42:36 EST

On Tue, May 19, 2026 at 12:01:03PM +0800, Hongling Zeng wrote:
> lo->lo_backing_file can be NULL when the loop device is being cleared,
> causing NULL pointer dereference in lo_rw_aio(). Add a defensive check
> to prevent kernel crash.

In v7.1-rc tree, lo->lo_backing_file is cleared in __loop_clr_fd(), which
is called from lo_release() only, when it is guaranteed that there isn't
inflight IO.

So care to share your stack trace?

>
> Also fix loop_attr_backing_file_show() to use PTR_ERR_OR_ZERO()
> for correct NULL pointer handling.
>
> Fixes: bc07c10a3603a ("block: loop: support DIO & AIO")

Can you explain how the issue is introduced in above commit?

> Signed-off-by: Hongling Zeng <zenghongling@xxxxxxxxxx>
> ---
> drivers/block/loop.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/block/loop.c b/drivers/block/loop.c
> index 0000913f7efc..d8db1b0d8018 100644
> --- a/drivers/block/loop.c
> +++ b/drivers/block/loop.c
> @@ -397,6 +397,9 @@ static int lo_rw_aio(struct loop_device *lo, struct loop_cmd *cmd,
> cmd->iocb.ki_flags = 0;
> }
>
> + if (!file)
> + return -EIO;

If lo->lo_backing_file may become NULL, it isn't enough to add check here
only, cause it can be observed in lo_req_flush() & lo_fallocate() too.

Thanks,
Ming