Re: [PATCH] NFS: fix refcount leak in nfs_direct_write_schedule_iovec()
From: Trond Myklebust
Date: Thu Jun 11 2026 - 13:31:25 EST
On Thu, 2026-06-11 at 23:03 +0800, WenTao Liang wrote:
> When nfs_direct_write_schedule_iovec() fails to start any write
> operations (requested_bytes == 0), it bails out after calling
> inode_dio_end() but before releasing the dreq->io_count reference
> that was unconditionally acquired by get_dreq(). The normal
> success path balances that via put_dreq(), which decrements the
> io_count and eventually calls nfs_direct_write_complete(). The
> leaked reference prevents proper cleanup of the direct write request.

Again, I'd like you to explain this claim that somehow io_count is
preventing cleanup of the request. Neither nfs_file_direct_write nor
nfs_direct_req_release care about its value.

>
> Add the missing put_dreq() in the early exit path before calling
> nfs_direct_req_release().
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 65caafd0d214 ("SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE
> not waiting for direct IO compeletion")")
> Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
> ---
> fs/nfs/direct.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
> index 41a6cabb0592..99bd72a4601c 100644
> --- a/fs/nfs/direct.c
> +++ b/fs/nfs/direct.c
> @@ -956,6 +956,7 @@ static ssize_t
> nfs_direct_write_schedule_iovec(struct nfs_direct_req *dreq,
> */
> if (requested_bytes == 0) {
> inode_dio_end(inode);
> + put_dreq(dreq);
> nfs_direct_req_release(dreq);
> return result < 0 ? result : -EIO;
> }
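Review bot: In the requested_bytes == 0 branch, the added put_dreq(dreq) sits between inode_dio_end(inode) and nfs_direct_req_release(dreq), and the changelog's own description says put_dreq() decrements io_count and eventually calls nfs_direct_write_complete(). If that decrement reaches zero here, the completion path would run on a request this branch has already ended with inode_dio_end() and is about to release, so the patch should show that no second completion or release can follow from this call. The changelog should also name the concrete resource that stays allocated without the put, since the branch already calls nfs_direct_req_release(dreq) and then returns; as written, "prevents proper cleanup" is asserted rather than demonstrated by anything in this hunk.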
--
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trondmy@xxxxxxxxxx, trond.myklebust@xxxxxxxxxxxxxxx