Re: [PATCH] block: blk-zoned: fix zwplug refcount leak on write error path

Linux block layer
 help / color / mirror / Atom feed

From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
To: Damien Le Moal <dlemoal@kernel.org>
Cc: Haris Iqbal <haris.iqbal@linux.dev>,
	Wentao Liang <vulab@iscas.ac.cn>,  Jens Axboe <axboe@kernel.dk>,
	linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
	 stable@vger.kernel.org
Subject: Re: [PATCH] block: blk-zoned: fix zwplug refcount leak on write error path
Date: Wed, 27 May 2026 20:47:30 +0900	[thread overview]
Message-ID: <ahbZRsqHKKbg9PSB@shinmob> (raw)
In-Reply-To: <90a1581d-9a3c-46db-bc7b-5fd1a9d9c0e1@kernel.org>

On May 27, 2026 / 08:15, Damien Le Moal wrote:
[...]
> Wentao,
> 
> You clearly did not test this at all because if you had, you would have seen
> all the warning splats that your patch triggers.

FYI, the blktests CI run for the patch caught failures at block/017, zbd/004,
zbd/009 and zbd/012.

# RUN_ZONED_TESTS=1 ./check block/017
block/017 (do I/O and check the inflight counter)            [passed]
    runtime  2.264s  ...  2.140s
block/017 (zoned) (do I/O and check the inflight counter)    [failed]
    runtime  2.107s  ...  2.080s
    something found in dmesg:
    [  207.429382] [   T1852] run blktests block/017 at 2026-05-27 20:43:45
    [  207.466894] [   T1852] null_blk: nullb1: using native zone append
    [  207.479158] [   T1852] null_blk: disk nullb1 created
    [  207.810531] [   T1956] null_blk: disk nullb0 created
    [  207.811528] [   T1956] null_blk: module loaded
    [  207.830801] [   T1852] null_blk: nullb1: using native zone append
    [  208.404359] [   T1852] null_blk: disk nullb1 created
    [  209.174141] [      C2] ------------[ cut here ]------------
    [  209.175354] [      C2] WARNING: block/blk-zoned.c:590 at disk_free_zone_wplug+0x30c/0x3b0, CPU#2: swapper/2/0
    [  209.176896] [      C2] Modules linked in: null_blk nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr sunrpc 9pnet_virtio 9pnet i2c_piix4 pcspkr netfs i2c_smbus dm_multipath nfnetlink zram vmw_vsock_virtio_transport vmw_vsock_virtio_transport_common vsock bochs drm_client_lib nvme drm_shmem_helper xfs drm_kms_helper sym53c8xx nvme_core floppy nvme_keyring nvme_auth scsi_transport_spi e1000 drm serio_raw ata_generic pata_acpi i2c_dev qemu_fw_cfg virtiofs fuse virtio_console [last unloaded: null_blk]
    ...
    (See '/home/shin/Blktests/blktests/results/nodev_zoned/block/017.dmesg' for the entire message)
# ./check zbd/004 zbd/009 zbd/012
zbd/004 => nullb1 (write split across sequential zones)      [failed]
    runtime  0.152s  ...  0.626s
    something found in dmesg:
    [  231.263084] [   T2067] run blktests zbd/004 at 2026-05-27 20:44:08
    [  231.714947] [   T2105] ------------[ cut here ]------------
    [  231.716700] [   T2105] refcount_t: underflow; use-after-free.
    [  231.717849] [   T2105] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0xa9/0xe0, CPU#3: dd/2105
    [  231.720269] [   T2105] Modules linked in: null_blk nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr sunrpc 9pnet_virtio 9pnet i2c_piix4 pcspkr netfs i2c_smbus dm_multipath nfnetlink zram vmw_vsock_virtio_transport vmw_vsock_virtio_transport_common vsock bochs drm_client_lib nvme drm_shmem_helper xfs drm_kms_helper sym53c8xx nvme_core floppy nvme_keyring nvme_auth scsi_transport_spi e1000 drm serio_raw ata_generic pata_acpi i2c_dev qemu_fw_cfg virtiofs fuse virtio_console [last unloaded: null_blk]
    [  231.730390] [   T2105] CPU: 3 UID: 0 PID: 2105 Comm: dd Tainted: G        W           7.1.0-rc5+ #3 PREEMPT(full)
    [  231.732289] [   T2105] Tainted: [W]=WARN
    [  231.733281] [   T2105] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-10.fc44 06/10/2025
    [  231.735090] [   T2105] RIP: 0010:refcount_warn_saturate+0xa9/0xe0
    [  231.736514] [   T2105] Code: bd ee 5d 03 67 48 0f b9 3a 5b 5d c3 cc cc cc cc 48 8d 3d ba ee 5d 03 67 48 0f b9 3a 5b 5d e9 ce ea 85 01 48 8d 3d b7 ee 5d 03 <67> 48 0f b9 3a 5b 5d c3 cc cc cc cc 48 8d 3d b4 ee 5d 03 67 48 0f
    ...
    (See '/home/shin/Blktests/blktests/results/nullb1/zbd/004.dmesg' for the entire message)
zbd/009 (test gap zone support with BTRFS)                   [failed]
    runtime  11.646s  ...  1.424s
    --- tests/zbd/009.out	2023-04-06 10:11:07.928670527 +0900
    +++ /home/shin/Blktests/blktests/results/nodev/zbd/009.out.bad	2026-05-27 20:44:12.743034470 +0900
    @@ -1,2 +1,4 @@
     Running zbd/009
    -Test complete
    +mount: /home/shin/Blktests/blktests/results/tmpdir.zbd.009.xLW/mnt: wrong fs type, bad option, bad superblock on /dev/sdd, missing codepage or helper program, or other error.
    +       dmesg(1) may have more information after failed mount system call.
    +Test failed
zbd/012 (test requeuing of zoned writes and queue freezing)  [failed]
    runtime  42.181s  ...  23.791s
    --- tests/zbd/012.out	2025-03-06 19:32:02.536851507 +0900
    +++ /home/shin/Blktests/blktests/results/nodev/zbd/012.out.bad	2026-05-27 20:44:38.677211476 +0900
    @@ -2,6 +2,4 @@
     1
     2
     4
    -8
    -16
    -Test complete
    +Test failed

next prev parent reply	other threads:[~2026-05-27 11:48 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-26 14:18 [PATCH] block: blk-zoned: fix zwplug refcount leak on write error path Wentao Liang
2026-05-26 18:54 ` Haris Iqbal
2026-05-26 23:15   ` Damien Le Moal
2026-05-27 11:47     ` Shin'ichiro Kawasaki [this message]
2026-05-27 18:06       ` Damien Le Moal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ahbZRsqHKKbg9PSB@shinmob \
    --to=shinichiro.kawasaki@wdc.com \
    --cc=axboe@kernel.dk \
    --cc=dlemoal@kernel.org \
    --cc=haris.iqbal@linux.dev \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=vulab@iscas.ac.cn \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox