Re: [PATCH] raid1: fix nr_pending leak in REQ_ATOMIC bad-block error path

Next message: Jonathan Cameron: "Re: [PATCH RFC v3 2/6] Documentation: iio: add Open Sensor Fusion protocol v0 reference"
Previous message: syzbot: "Re: [syzbot] [jfs?] [bfs?] kernel BUG in folio_set_bh (3)"
In reply to: Abd-Alrhman Masalkhi: "[PATCH] raid1: fix nr_pending leak in REQ_ATOMIC bad-block error path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yu Kuai

Date: Sun May 31 2026 - 06:34:27 EST

在 2026/5/30 23:14, Abd-Alrhman Masalkhi 写道:

> In raid1_write_request(), each per-mirror loop iteration begins by
> incrementing rdev->nr_pending. If a REQ_ATOMIC write encounters a
> badblock within the requested range, the code jumps to err_handle
> without dropping the reference taken for the current mirror.
>
> err_handle's cleanup loop will only decrements for k < i and
> r1_bio->bios[k] is non-NULL. The current slot is therefore skipped,
> leaving its nr_pending reference leaked permanently. The reference
> prevents the rdev from ever being removed, since raid1_remove_conf()
> refuses to remove an rdev with nr_pending > 0.
>
> Fix this by calling rdev_dec_pending() before jumping to err_handle.
>
> Fixes: f2a38abf5f1c ("md/raid1: Atomic write support")
> Signed-off-by: Abd-Alrhman Masalkhi<abd.masalkhi@xxxxxxxxx>
> ---
> drivers/md/raid1.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
Applied to md-7.2

--
Thansk,
Kuai