loop: Fix NULL pointer dereference by synchronizing lo_release and loop_queue_rq#816
Open
blktests-ci[bot] wants to merge 1 commit into
Open
loop: Fix NULL pointer dereference by synchronizing lo_release and loop_queue_rq#816blktests-ci[bot] wants to merge 1 commit into
blktests-ci[bot] wants to merge 1 commit into
Conversation
Author
|
Upstream branch: aa54b1d |
Author
|
Upstream branch: aa54b1d |
blktests-ci
Bot
force-pushed
the
series/1092734=>linus-master
branch
from
0496512 to
57c5032
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
b1870f6 to
ca57796
Compare
Author
|
Upstream branch: 70eda68 |
blktests-ci
Bot
force-pushed
the
series/1092734=>linus-master
branch
from
57c5032 to
2de7efb
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
ca57796 to
c1feb59
Compare
Author
|
Upstream branch: 8bc67e4 |
blktests-ci
Bot
force-pushed
the
series/1092734=>linus-master
branch
from
2de7efb to
43bd3eb
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
c1feb59 to
ea833a1
Compare
Author
|
Upstream branch: 6779b50 |
blktests-ci
Bot
force-pushed
the
series/1092734=>linus-master
branch
from
43bd3eb to
14d5595
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
ea833a1 to
7af85d1
Compare
Author
|
Upstream branch: 79bd2dd |
blktests-ci
Bot
force-pushed
the
series/1092734=>linus-master
branch
from
14d5595 to
0c0ff88
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
7af85d1 to
de94ac7
Compare
Author
|
Upstream branch: eed108e |
blktests-ci
Bot
force-pushed
the
series/1092734=>linus-master
branch
from
0c0ff88 to
0043504
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
de94ac7 to
86d8d37
Compare
Author
|
Upstream branch: e8c2f9f |
blktests-ci
Bot
force-pushed
the
series/1092734=>linus-master
branch
from
0043504 to
8ae013b
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
86d8d37 to
9805659
Compare
Author
|
Upstream branch: eb3f4b7 |
blktests-ci
Bot
force-pushed
the
series/1092734=>linus-master
branch
from
8ae013b to
2236345
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
9805659 to
3f4a345
Compare
Author
|
Upstream branch: 8fde5d1 |
blktests-ci
Bot
force-pushed
the
series/1092734=>linus-master
branch
from
2236345 to
63c9db2
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
3f4a345 to
c6dc343
Compare
Author
|
Upstream branch: e43ffb6 |
blktests-ci
Bot
force-pushed
the
series/1092734=>linus-master
branch
from
63c9db2 to
802627a
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
c6dc343 to
fc36596
Compare
Author
|
Upstream branch: ba3e43a |
…op_queue_rq The loop driver relies on lo_release() to automatically clear the loop device via __loop_clr_fd() when the last file descriptor is closed (LO_FLAGS_AUTOCLEAR). Although the backing file structure itself remains allocated in memory thanks to proper file reference counting (f_count is not zero), a severe race condition exists regarding the visibility of the lo->lo_backing_file pointer. This race window was exposed by commit 65565ca ("block: unify the synchronous bi_end_io callbacks"). By unifying and optimizing the synchronous I/O completion path, the timing and scheduling behavior of the block layer altered significantly. As a result, a highly-concurrent execution pipeline emerged where lo_release() can progress to __loop_clr_fd() and nullify lo->lo_backing_file while an already-scheduled asynchronous I/O work (lo_rw_aio) is just about to be executed by a kworker thread. Since the kworker enters lo_rw_aio() after lo->lo_backing_file has been cleared, it attempts to dereference the now-NULL pointer when initializing the kiocb, leading to the reported NULL pointer dereference bug. To close this race safely without introducing heavy fast-path checks, we must ensure that any running or scheduled dispatch threads have completed before we nullify the pointer. Since loop_queue_rq() operates within the block layer's RCU read-side critical section, invoke synchronize_rcu() and drain_workqueue() in __loop_clr_fd() prior to clearing lo->lo_backing_file. Reported-by: syzbot+cd8a9a308e879a4e2c28@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=cd8a9a308e879a4e2c28 Reported-by: syzbot+bc273027d5643e48e5b3@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=bc273027d5643e48e5b3 Analyzed-by: AI Mode in Google Search (no mail address) Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
blktests-ci
Bot
force-pushed
the
series/1092734=>linus-master
branch
from
802627a to
198ffc2
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: loop: Fix NULL pointer dereference by synchronizing lo_release and loop_queue_rq
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=1092734