Re: [PATCH v3] loop: Fix NULL pointer dereference in lo_rw_aio()

Next message: Simon Horman: "Re: [PATCH] arcnet: com90xx: Mark cards and numcards variables as __ro_after_init"
Previous message: kernel test robot: "[tip:irq/drivers] BUILD SUCCESS e61654fbc3bc5d07ec9fafe29f33e19b2b5d0fd5"
In reply to: Christoph Hellwig: "Re: [PATCH v3] loop: Fix NULL pointer dereference in lo_rw_aio()"
Next in thread: Hillf Danton: "Re: [PATCH v3] loop: Fix NULL pointer dereference in lo_rw_aio()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Qu Wenruo

Date: Thu May 28 2026 - 06:17:22 EST

在 2026/5/28 18:08, Christoph Hellwig 写道:

On Thu, May 28, 2026 at 03:11:05AM +0900, Damien Le Moal wrote:

It sounds like the VFS unmount call needs to have something that waits for
sync() to complete. Though, it really feels very strange that an FS can complete

I don't think this is the VFS-controlled VFS file data writeback, which
we wait on, but some kind of fs controlled metadata. And yes, it looks
like those file systems are buggy in that area. We definitively had
such bugs in XFS before and fixed them.

e.g. 9c7504aa72b6 ("xfs: track and serialize in-flight async buffers against
unmount")

Considering the xfs fix is pretty old, it's before the fix hint thus no such mention in fstests.

Do you happen to know which test case is for that fix?
I'd like to adapt it for btrfs as a reproducer.

This syzbot report doesn't provide a reproducer.

Another thing is, if it's some btrfs bios on-the-fly after close_ctree(), the most common symptom should be NULL pointer dereference inside various btrfs endio functions.
As all those end_bbio_*() functions are referring to either fs_info or inode/eb, thus if the fs is unmounted before the bio finished, they should all cause use-after-free.

The only exception is discard, which is using blkdev_issue_discard() thus has no such reference to btrfs internal structure, but that's out of my understanding.

Thanks,
Qu