[PATCH] block: blk-mq: fix ws_active refcount leak in blk_mq_mark_tag_wait()

Next message: Arpit Saini: "Re: [PATCH 1/2] dt-bindings: display: panel: add Ilitek ILI7807S panel controller"
Previous message: Sudeep Holla: "[PATCH] firmware: arm_ffa: Treat missing FF-A feature on a platform as a probe miss"
Next in thread: Jens Axboe: "Re: [PATCH] block: blk-mq: fix ws_active refcount leak in blk_mq_mark_tag_wait()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Wentao Liang

Date: Tue May 26 2026 - 06:38:45 EST

blk_mq_mark_tag_wait() calls sbitmap_queue_get() which increments
sbq->ws_active. On the error path where the waitqueue_active() check
fails and the function returns early, sbq->ws_active is not decremented,
leaking the reference.

Fix this by calling sbitmap_queue_clear() to properly release the
ws_active reference before returning on the error path.

Fixes: c27d53fb445f ("blk-mq: Reduce the number of if-statements in blk_mq_mark_tag_wait()")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
block/blk-mq.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index d0c37daf568f..e1c2ac416693 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1952,6 +1952,8 @@ static bool blk_mq_mark_tag_wait(struct blk_mq_hw_ctx *hctx,
spin_lock_irq(&wq->lock);
spin_lock(&hctx->dispatch_wait_lock);
if (!list_empty(&wait->entry)) {
+ list_del_init(&wait->entry);
+ atomic_dec(&sbq->ws_active);
spin_unlock(&hctx->dispatch_wait_lock);
spin_unlock_irq(&wq->lock);
return false;
--
2.34.1