[PATCH] block/fops: fix refcount underflow in __blkdev_direct_IO()

From: Wentao Liang

Date: Tue Jun 02 2026 - 22:12:30 EST


__blkdev_direct_IO() calls bio_get() and bio_put() around
I/O operations, but if the I/O fails, the error path may call
bio_put() twice, causing a refcount underflow.

Fix this by moving the bio_put() call from the error path into
the cleanup section that is only executed once, regardless of
whether the I/O succeeded or failed.

Fixes: 3d8b5a22d404 ("block: add support to pass user meta buffer")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
block/fops.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/block/fops.c b/block/fops.c
index bb6642b45937..4dd1e40c7d4e 100644
--- a/block/fops.c
+++ b/block/fops.c
@@ -286,6 +286,8 @@ static ssize_t __blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter,
bio_release_pages(bio, false);
bio_clear_flag(bio, BIO_REFFED);
bio_put(bio);
+ if (bio == &dio->bio)
+ bio_put(bio);
blk_finish_plug(&plug);
return ret;
}
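Review bot: the added `if (bio == &dio->bio) bio_put(bio);` sits directly after the existing unconditional `bio_put(bio)`, so whenever the condition holds this path drops two references back to back. That is the opposite of what the changelog describes. The changelog speaks of moving a bio_put() out of the error path to cure a double put, yet the diffstat shows 2 insertions and no removals, so nothing is moved and one more put is added. Unless an unmatched bio_get() exists on this path, the second call operates on a bio whose reference the previous line may already have released, which would create the underflow (and a possible use-after-free) rather than fix it. Please name in the commit message the bio_get() that this put balances and the exact sequence that leads to the underflow. If the problem is a duplicate put elsewhere, delete that one instead of adding another here.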
--
2.34.1