Re: [PATCH v2] loop: Fix NULL pointer dereference by synchronizing lo_release and loop_queue_rq

Next message: Yixun Lan: "Re: [PATCH v2 0/5] riscv: dts: spacemit: improve Milk-V Jupiter device tree"
Previous message: tip-bot2 for Chen Yu: "[tip: sched/core] sched/cache: Calculate the LLC size and store it in sched_domain"
In reply to: Ming Lei: "Re: [PATCH v2] loop: Fix NULL pointer dereference by synchronizing lo_release and loop_queue_rq"
Next in thread: Ming Lei: "Re: [PATCH v2] loop: Fix NULL pointer dereference by synchronizing lo_release and loop_queue_rq"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tetsuo Handa

Date: Wed May 20 2026 - 04:42:04 EST

On 2026/05/20 16:49, Ming Lei wrote:
> On Wed, May 20, 2026 at 03:36:12PM +0900, Tetsuo Handa wrote:
>> On 2026/05/20 12:06, Ming Lei wrote:
>>> The IO after close(loop) should be from writeback. rcu/sruc isn't necessary,
>>
>> Gemini's comment is that drain_workqueue() is not sufficient for waiting for
>> do_req_filebacked(REQ_OP_WRITE) requests with cmd->use_aio == true case to complete.
>
> Anything cleared in __loop_clr_fd() is not used by lo_rw_aio_complete() & lo_complete_rq().

"struct inode *inode = file_inode(iocb->ki_filp);" in kiocb_end_write() from
lo_rw_aio_do_completion() can dereference "struct file *" with refcount == 0 (UAF)
because fput() in __loop_clr_fd() can be the last reference to that file.

>
> So why isn't drain_workqueue() enough for cmd->use_aio?

In addition to possible UAF above, the assumption at
https://elixir.bootlin.com/linux/v7.1-rc4/source/drivers/block/loop.c#L1134
is currently broken due to this race problem.