Re: [PATCH v3] loop: Fix NULL pointer dereference in lo_rw_aio()

Next message: Rob Herring (Arm): "Re: [PATCH v3 1/4] dt-bindings: PCI: renesas,r9a08g045-pcie: Add RZ/V2H(P) support"
Previous message: Andrew Morton: "Re: [PATCH v5 0/4] selftests/mm: refactor pkey helpers and fix mmap error handling"
In reply to: Ming Lei: "Re: [PATCH v3] loop: Fix NULL pointer dereference in lo_rw_aio()"
Next in thread: Ming Lei: "Re: [PATCH v3] loop: Fix NULL pointer dereference in lo_rw_aio()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hillf Danton

Date: Mon Jun 01 2026 - 19:22:37 EST

On Mon, 1 Jun 2026 17:14:59 -0500 Ming Lei wrote:
> On Tue, Jun 02, 2026 at 05:51:26AM +0800, Hillf Danton wrote:
> > On OnMon, 1 Jun 2026 10:29:25 -0500 Ming Lei wrote:
> > > syzbot log shows the null-ptr-deref is on WRITE, instead of DISCARD.
> > >
> > > https://syzkaller.appspot.com/bug?extid=cd8a9a308e879a4e2c28
> > >
> > > Adding WARN_ON(!lo->lo_backing_file) in loop_queue_rq() might capture
> > > this bio submission context if this req isn't issued via wq.
> > >
> > I suspect this makes $.02 sense given the check of Lo_bound upon queuing rq.
>
> Can't lo->lo_state be updated after the check? It is totally lockless...
>
Sounds good hm... do you mean it is UNWISE to not flush the loop workqueue
when closing disk?