Re: [PATCH] ocfs2: fix orphan inode disk leak in ocfs2_dio_end_io() on I/O error

[Heming Zhao <heming.zhao@suse.com>]

On Thu, Jun 11, 2026 at 05:01:50PM +0200, Marco Elver wrote:
> When an extending direct I/O write or a direct I/O write racing with an
> unlink is initiated, ocfs2_direct_IO() places the user inode into the
> system orphan directory and sets the OCFS2_DIO_ORPHANED_FL flag to
> ensure defined behavior and crash consistency.
> 
> However, if the direct I/O request encounters an error or gets
> asynchronous cancellation (bytes <= 0), the VFS completion hook
> ocfs2_dio_end_io() bypasses ocfs2_dio_end_io_write() entirely and
> executes ocfs2_dio_free_write_ctx().  This completely omits the teardown
> of the orphan entry, leaking the user inode in the orphan directory and
> leaving the OCFS2_DIO_ORPHANED_FL disk flag set.
> 
> Because the OCFS2_DIO_ORPHANED_FL flag remains active, subsequent VFS
> final inode eviction (ocfs2_delete_inode) observes the flag, assumes a
> direct I/O write is actively in progress, and refuses to wipe the inode.
> This results in an irrecoverable disk storage and resource leak that can
> only be reclaimed if the cluster unmounts or crashes.
> 
> Fix this by ensuring that ocfs2_dio_end_io() inspects dw_orphaned even
> when an I/O error occurs, and executes ocfs2_del_inode_from_orphan() to
> liberate the inode before destroying the in-memory write context.
> 
> Fixes: 5040f8df56fb ("ocfs2: free up write context when direct IO failed")
> Assisted-by: Antigravity:Gemini
> Signed-off-by: Marco Elver <elver@google.com>
> ---
>  fs/ocfs2/aops.c | 17 +++++++++++++++--
>  1 file changed, 15 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
> index 4acdbb70882c..ad3f2057e26e 100644
> --- a/fs/ocfs2/aops.c
> +++ b/fs/ocfs2/aops.c
> @@ -2419,11 +2419,24 @@ static int ocfs2_dio_end_io(struct kiocb *iocb,
>  		mlog_ratelimited(ML_ERROR, "Direct IO failed, bytes = %lld",
>  				 (long long)bytes);
>  	if (private) {
> -		if (bytes > 0)
> +		if (bytes > 0) {
>  			ret = ocfs2_dio_end_io_write(inode, private, offset,
>  						     bytes);
> -		else
> +		} else {
> +			struct ocfs2_dio_write_ctxt *dwc = private;
> +
> +			if (dwc->dw_orphaned) {
> +				struct buffer_head *di_bh = NULL;
> +
> +				if (ocfs2_inode_lock(inode, &di_bh, 1) == 0) {
> +					ocfs2_del_inode_from_orphan(OCFS2_SB(inode->i_sb),
> +								    inode, di_bh, 0, 0);
> +					ocfs2_inode_unlock(inode, 1);
> +					brelse(di_bh);
> +				}

Calling only ocfs2_del_inode_from_orphan() without ocfs2_truncate_file() will
leave stale blocks beyond the EOF.

I think the existing OCFS2 code already handles error/crash cases for orphaned
inodes, and this "leaking" behavior is by design.
please refer to ocfs2_recover_orphans() and ocfs2_add_inode_to_orphan().

Thanks,
Heming
> +			}
>  			ocfs2_dio_free_write_ctx(inode, private);
> +		}
>  	}
>  
>  	ocfs2_iocb_clear_rw_locked(iocb);
> -- 
> 2.54.0.1099.g489fc7bff1-goog
> 
>