From: Eric Sandeen <sandeen@redhat.com> Subject: [RHEL5 PATCH] Fix NULL bio crash in loop worker thread Date: Mon, 04 Jun 2007 14:36:16 -0500 Bugzilla: 236880 Message-Id: <466469B0.7070406@redhat.com> Changelog: [block] Fix NULL bio crash in loop worker thread For Bug 236880: [PATCH] Fix NULL bio crash in loop worker thread Alexey found the problem, testcase, and patch, and I have verified the problem & the fix using the steps he outlines below. Description of problem: After LOOP_SET_FD/LOOP_CLR_FD combo loop device's queue gets request handler which is persistent. After, say mount -t iso9660 /dev/loop0 /mnt # sic, fails this request handler is called directly with a) ->lo_state being Lo_unbound b) ->lo_pending being zero Error path in loop_make_request() completes ->lo_bh_done completion which is persistent as well. Now, let's start worker thread as usual. It'll set ->lo_pending to 1, don't wait for completion because it was already completed (brokenly), and will not get out of infinite loop because of ->lo_pending. Loop device doesn't have bios at this point and triggers BUG_ON. So, don't complete ->lo_bh_done when loop device isn't setup fully. How reproducible: always Steps to Reproduce: #!/bin/sh -x ISO=1.iso mount -o loop $ISO /mnt umount /mnt mount -t iso9660 /dev/loop0 /mnt # sic mount -o loop $ISO /mnt Actual results: BUG_ON(!bio); in loop_thread triggers Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru> --- Index: linux-2.6.18-20.EL/drivers/block/loop.c =================================================================== --- linux-2.6.18-20.EL.orig/drivers/block/loop.c +++ linux-2.6.18-20.EL/drivers/block/loop.c @@ -519,7 +519,7 @@ static int loop_make_request(request_que spin_lock_irq(&lo->lo_lock); if (lo->lo_state != Lo_bound) - goto out; + goto out_not_bound; if (unlikely(rw == WRITE && (lo->lo_flags & LO_FLAGS_READ_ONLY))) goto out; lo->lo_pending++; @@ -531,6 +531,7 @@ static int loop_make_request(request_que out: if (lo->lo_pending == 0) complete(&lo->lo_bh_done); +out_not_bound: spin_unlock_irq(&lo->lo_lock); bio_io_error(old_bio, old_bio->bi_size); return 0;