[PATCH] block/loop: Fix NULL pointer dereference in lo_rw_aio()

Next message: Aboorva Devarajan: "Re: [PATCH 0/3] selftests/mm: assorted fixes for hmm-tests"
Previous message: Marek Vasut: "Re: [PATCH] nvmem: core: Mark nWP GPIO as non-exclusive"
Next in thread: Ming Lei: "Re: [PATCH] block/loop: Fix NULL pointer dereference in lo_rw_aio()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hongling Zeng

Date: Tue May 19 2026 - 00:02:56 EST

lo->lo_backing_file can be NULL when the loop device is being cleared,
causing NULL pointer dereference in lo_rw_aio(). Add a defensive check
to prevent kernel crash.

Also fix loop_attr_backing_file_show() to use PTR_ERR_OR_ZERO()
for correct NULL pointer handling.

Fixes: bc07c10a3603a ("block: loop: support DIO & AIO")
Signed-off-by: Hongling Zeng <zenghongling@xxxxxxxxxx>
---
drivers/block/loop.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 0000913f7efc..d8db1b0d8018 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -397,6 +397,9 @@ static int lo_rw_aio(struct loop_device *lo, struct loop_cmd *cmd,
cmd->iocb.ki_flags = 0;
}

+ if (!file)
+ return -EIO;
+
if (rw == ITER_SOURCE) {
kiocb_start_write(&cmd->iocb);
ret = file->f_op->write_iter(&cmd->iocb, &iter);
@@ -662,7 +665,7 @@ static ssize_t loop_attr_backing_file_show(struct loop_device *lo, char *buf)
spin_unlock_irq(&lo->lo_lock);

if (IS_ERR_OR_NULL(p))
- ret = PTR_ERR(p);
+ ret = PTR_ERR_OR_ZERO(p);
else {
ret = strlen(p);
memmove(buf, p, ret);
--
2.25.1