1. Patchew
  2. linux
  3. View series

[PATCH] loop: fix backing file reference leak on validation error

Li Chen posted 1 patch 5 days, 9 hours ago
There is a newer version of this series
drivers/block/loop.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
[PATCH] loop: fix backing file reference leak on validation error
Posted by Li Chen 5 days, 9 hours ago 
loop_change_fd() and loop_configure() call loop_check_backing_file()
to validate the new backing file. If validation fails, the reference
acquired by fget() was not dropped, leaking a file reference.

Fix this by calling fput(file) before returning the error.

Signed-off-by: Li Chen <chenl311@chinatelecom.cn>
---
 drivers/block/loop.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 053a086d547e..94ec7f747f36 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -551,8 +551,10 @@ static int loop_change_fd(struct loop_device *lo, struct block_device *bdev,
 		return -EBADF;
 
 	error = loop_check_backing_file(file);
-	if (error)
+	if (error) {
+		fput(file);
 		return error;
+	}
 
 	/* suppress uevents while reconfiguring the device */
 	dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 1);
@@ -993,8 +995,10 @@ static int loop_configure(struct loop_device *lo, blk_mode_t mode,
 		return -EBADF;
 
 	error = loop_check_backing_file(file);
-	if (error)
+	if (error) {
+		fput(file);
 		return error;
+	}
 
 	is_loop = is_loop_device(file);
 
-- 
2.51.0
Re: [PATCH] loop: fix backing file reference leak on validation error
Posted by Ming Lei 2 days, 16 hours ago 
On Fri, Sep 26, 2025 at 8:13 PM Li Chen <me@linux.beauty> wrote:
>
> loop_change_fd() and loop_configure() call loop_check_backing_file()
> to validate the new backing file. If validation fails, the reference
> acquired by fget() was not dropped, leaking a file reference.
>
> Fix this by calling fput(file) before returning the error.
>
> Signed-off-by: Li Chen <chenl311@chinatelecom.cn>

Good catch:

Fixes: f5c84eff634b ("loop: Add sanity check for read/write_iter")

Reviewed-by: Ming Lei <ming.lei@redhat.com>

Thanks,
Re: [PATCH] loop: fix backing file reference leak on validation error
Posted by Yu Kuai 2 days, 20 hours ago 
Hi,

在 2025/09/26 20:12, Li Chen 写道:
> loop_change_fd() and loop_configure() call loop_check_backing_file()
> to validate the new backing file. If validation fails, the reference
> acquired by fget() was not dropped, leaking a file reference.
> 
> Fix this by calling fput(file) before returning the error.
> 
> Signed-off-by: Li Chen <chenl311@chinatelecom.cn>
> ---
>   drivers/block/loop.c | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/block/loop.c b/drivers/block/loop.c
> index 053a086d547e..94ec7f747f36 100644
> --- a/drivers/block/loop.c
> +++ b/drivers/block/loop.c
> @@ -551,8 +551,10 @@ static int loop_change_fd(struct loop_device *lo, struct block_device *bdev,
>   		return -EBADF;
>   
>   	error = loop_check_backing_file(file);
> -	if (error)
> +	if (error) {
> +		fput(file);
>   		return error;
> +	}
>   
>   	/* suppress uevents while reconfiguring the device */
>   	dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 1);
> @@ -993,8 +995,10 @@ static int loop_configure(struct loop_device *lo, blk_mode_t mode,
>   		return -EBADF;
>   
>   	error = loop_check_backing_file(file);
> -	if (error)
> +	if (error) {
> +		fput(file);
>   		return error;
> +	}
>   
>   	is_loop = is_loop_device(file);
>   
> 

The changes look correct, however, I'll prefer to change the error path
to the reverse order and add a new error tag.

Thanks,
Kuai
Re: [PATCH] loop: fix backing file reference leak on validation error
Posted by Li Chen 2 days, 8 hours ago 
Hi Yu,

 ---- On Mon, 29 Sep 2025 09:11:04 +0800  Yu Kuai <yukuai1@huaweicloud.com> wrote --- 
 > Hi,
 > 
 > 在 2025/09/26 20:12, Li Chen 写道:
 > > loop_change_fd() and loop_configure() call loop_check_backing_file()
 > > to validate the new backing file. If validation fails, the reference
 > > acquired by fget() was not dropped, leaking a file reference.
 > > 
 > > Fix this by calling fput(file) before returning the error.
 > > 
 > > Signed-off-by: Li Chen <chenl311@chinatelecom.cn>
 > > ---
 > >   drivers/block/loop.c | 8 ++++++--
 > >   1 file changed, 6 insertions(+), 2 deletions(-)
 > > 
 > > diff --git a/drivers/block/loop.c b/drivers/block/loop.c
 > > index 053a086d547e..94ec7f747f36 100644
 > > --- a/drivers/block/loop.c
 > > +++ b/drivers/block/loop.c
 > > @@ -551,8 +551,10 @@ static int loop_change_fd(struct loop_device *lo, struct block_device *bdev,
 > >           return -EBADF;
 > >   
 > >       error = loop_check_backing_file(file);
 > > -    if (error)
 > > +    if (error) {
 > > +        fput(file);
 > >           return error;
 > > +    }
 > >   
 > >       /* suppress uevents while reconfiguring the device */
 > >       dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 1);
 > > @@ -993,8 +995,10 @@ static int loop_configure(struct loop_device *lo, blk_mode_t mode,
 > >           return -EBADF;
 > >   
 > >       error = loop_check_backing_file(file);
 > > -    if (error)
 > > +    if (error) {
 > > +        fput(file);
 > >           return error;
 > > +    }
 > >   
 > >       is_loop = is_loop_device(file);
 > >   
 > > 
 > 
 > The changes look correct, however, I'll prefer to change the error path
 > to the reverse order and add a new error tag.

Thanks, but I will switch to scope-based resource management in v2, as suggested by Markus.

Regards,
Li
Re: [PATCH] loop: fix backing file reference leak on validation error
Posted by Markus Elfring 3 days, 7 hours ago 
…
> Fix this by calling fput(file) before returning the error.
…
> +++ b/drivers/block/loop.c
…

How do you think about to increase the application of scope-based resource management?
https://elixir.bootlin.com/linux/v6.17-rc7/source/include/linux/file.h#L97

Regards,
Markus
Re: [PATCH] loop: fix backing file reference leak on validation error
Posted by Li Chen 2 days, 8 hours ago 
Hi Markus,

 ---- On Sun, 28 Sep 2025 21:48:23 +0800  Markus Elfring <Markus.Elfring@web.de> wrote --- 
 > …
 > > Fix this by calling fput(file) before returning the error.
 > …
 > > +++ b/drivers/block/loop.c
 > …
 > 
 > How do you think about to increase the application of scope-based resource management?
 > https://elixir.bootlin.com/linux/v6.17-rc7/source/include/linux/file.h#L97

Looks good; I will add a commit to switch to scope-based resource management in v2.
Thanks for your suggestion!

Regards,
Li
Re: [PATCH] loop: fix backing file reference leak on validation error
Posted by Ming Lei 2 days, 6 hours ago 
On Mon, Sep 29, 2025 at 8:54 PM Li Chen <me@linux.beauty> wrote:
>
> Hi Markus,
>
>  ---- On Sun, 28 Sep 2025 21:48:23 +0800  Markus Elfring <Markus.Elfring@web.de> wrote ---
>  > …
>  > > Fix this by calling fput(file) before returning the error.
>  > …
>  > > +++ b/drivers/block/loop.c
>  > …
>  >
>  > How do you think about to increase the application of scope-based resource management?
>  > https://elixir.bootlin.com/linux/v6.17-rc7/source/include/linux/file.h#L97
>
> Looks good; I will add a commit to switch to scope-based resource management in v2.
> Thanks for your suggestion!

Please don't do it as one bug fix, the whole fix chain needs to
backport, and scope-based
fput is just added in v6.15.

However, you can do it as one cleanup after the fix is merged.

Thanks,
Re: [PATCH] loop: fix backing file reference leak on validation error
Posted by Li Chen 1 day, 21 hours ago 
Hi Ming,

 ---- On Mon, 29 Sep 2025 23:01:50 +0800  Ming Lei <ming.lei@redhat.com> wrote --- 
 > On Mon, Sep 29, 2025 at 8:54 PM Li Chen <me@linux.beauty> wrote:
 > >
 > > Hi Markus,
 > >
 > >  ---- On Sun, 28 Sep 2025 21:48:23 +0800  Markus Elfring <Markus.Elfring@web.de> wrote ---
 > >  > …
 > >  > > Fix this by calling fput(file) before returning the error.
 > >  > …
 > >  > > +++ b/drivers/block/loop.c
 > >  > …
 > >  >
 > >  > How do you think about to increase the application of scope-based resource management?
 > >  > https://elixir.bootlin.com/linux/v6.17-rc7/source/include/linux/file.h#L97
 > >
 > > Looks good; I will add a commit to switch to scope-based resource management in v2.
 > > Thanks for your suggestion!
 > 
 > Please don't do it as one bug fix, the whole fix chain needs to
 > backport, and scope-based
 > fput is just added in v6.15.
 > 
 > However, you can do it as one cleanup after the fix is merged.

Noted, thanks for your tip.

Regards,
Li
Re: [PATCH] loop: fix backing file reference leak on validation error
Posted by yangerkun 3 days, 19 hours ago 

在 2025/9/26 20:12, Li Chen 写道:
> loop_change_fd() and loop_configure() call loop_check_backing_file()
> to validate the new backing file. If validation fails, the reference
> acquired by fget() was not dropped, leaking a file reference.
> 
> Fix this by calling fput(file) before returning the error.
> 
> Signed-off-by: Li Chen <chenl311@chinatelecom.cn>

You'd better add a fix tag:

Fixes: f5c84eff634b ("loop: Add sanity check for read/write_iter")

Or this patch looks good to me.

Reviewed-by: Yang Erkun <yangerkun@huawei.com>

> ---
>   drivers/block/loop.c | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/block/loop.c b/drivers/block/loop.c
> index 053a086d547e..94ec7f747f36 100644
> --- a/drivers/block/loop.c
> +++ b/drivers/block/loop.c
> @@ -551,8 +551,10 @@ static int loop_change_fd(struct loop_device *lo, struct block_device *bdev,
>   		return -EBADF;
>   
>   	error = loop_check_backing_file(file);
> -	if (error)
> +	if (error) {
> +		fput(file);
>   		return error;
> +	}
>   
>   	/* suppress uevents while reconfiguring the device */
>   	dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 1);
> @@ -993,8 +995,10 @@ static int loop_configure(struct loop_device *lo, blk_mode_t mode,
>   		return -EBADF;
>   
>   	error = loop_check_backing_file(file);
> -	if (error)
> +	if (error) {
> +		fput(file);
>   		return error;
> +	}
>   
>   	is_loop = is_loop_device(file);
>
Re: [PATCH] loop: fix backing file reference leak on validation error
Posted by Li Chen 2 days, 8 hours ago 
Hi Erkun,

 ---- On Sun, 28 Sep 2025 09:54:51 +0800  yangerkun <yangerkun@huawei.com> wrote --- 
 > 
 > 
 > 在 2025/9/26 20:12, Li Chen 写道:
 > > loop_change_fd() and loop_configure() call loop_check_backing_file()
 > > to validate the new backing file. If validation fails, the reference
 > > acquired by fget() was not dropped, leaking a file reference.
 > > 
 > > Fix this by calling fput(file) before returning the error.
 > > 
 > > Signed-off-by: Li Chen <chenl311@chinatelecom.cn>
 > 
 > You'd better add a fix tag:
 > 
 > Fixes: f5c84eff634b ("loop: Add sanity check for read/write_iter")

Thanks, I would add it in v2.

Regards,
Li

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.