[PATCH] NFS: fix refcount leak in nfs_direct_write_schedule_iovec()

Next message: gutierrez.asier: "[RFC PATCH v4 3/4] mm/damon/sysfs: support hugepage_mem_bp quota goal metric"
Previous message: Runyu Xiao: "[PATCH] mfd: tps6594: copy regmap IRQ chip descriptors per probe"
Next in thread: Trond Myklebust: "Re: [PATCH] NFS: fix refcount leak in nfs_direct_write_schedule_iovec()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: WenTao Liang

Date: Thu Jun 11 2026 - 11:05:32 EST

When nfs_direct_write_schedule_iovec() fails to start any write
operations (requested_bytes == 0), it bails out after calling
inode_dio_end() but before releasing the dreq->io_count reference
that was unconditionally acquired by get_dreq(). The normal
success path balances that via put_dreq(), which decrements the
io_count and eventually calls nfs_direct_write_complete(). The
leaked reference prevents proper cleanup of the direct write request.

Add the missing put_dreq() in the early exit path before calling
nfs_direct_req_release().

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 65caafd0d214 ("SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO compeletion")")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
fs/nfs/direct.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
index 41a6cabb0592..99bd72a4601c 100644
--- a/fs/nfs/direct.c
+++ b/fs/nfs/direct.c
@@ -956,6 +956,7 @@ static ssize_t nfs_direct_write_schedule_iovec(struct nfs_direct_req *dreq,
*/
if (requested_bytes == 0) {
inode_dio_end(inode);
+ put_dreq(dreq);
nfs_direct_req_release(dreq);
return result < 0 ? result : -EIO;
}
--
2.50.1 (Apple Git-155)