From: Trond Myklebust <trondmy@kernel.org>
To: WenTao Liang <vulab@iscas.ac.cn>, anna@kernel.org
Cc: linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] NFS: fix refcount leak in nfs_direct_write_schedule_iovec()
Date: Thu, 11 Jun 2026 13:31:03 -0400
Message-ID: <7e5031b94df2e3d7fa977ee06242c1cd5c4db497.camel@kernel.org>
In-Reply-To: <20260611150354.90801-1-vulab@iscas.ac.cn>

On Thu, 2026-06-11 at 23:03 +0800, WenTao Liang wrote:
> When nfs_direct_write_schedule_iovec() fails to start any write
> operations (requested_bytes == 0), it bails out after calling
> inode_dio_end() but before releasing the dreq->io_count reference
> that was unconditionally acquired by get_dreq(). The normal
> success path balances that via put_dreq(), which decrements the
> io_count and eventually calls nfs_direct_write_complete(). The
> leaked reference prevents proper cleanup of the direct write request.

Again, I'd like you to explain this claim that somehow io_count is
preventing cleanup of the request. Neither nfs_file_direct_write nor
nfs_direct_req_release care about its value.

>
> Add the missing put_dreq() in the early exit path before calling
> nfs_direct_req_release().
>
> Cc: stable@vger.kernel.org
> Fixes: 65caafd0d214 ("SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE
> not waiting for direct IO compeletion")")
> Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
> ---
> fs/nfs/direct.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
> index 41a6cabb0592..99bd72a4601c 100644
> --- a/fs/nfs/direct.c
> +++ b/fs/nfs/direct.c
> @@ -956,6 +956,7 @@ static ssize_t
> nfs_direct_write_schedule_iovec(struct nfs_direct_req *dreq,
> */
> if (requested_bytes == 0) {
> inode_dio_end(inode);
> + put_dreq(dreq);
> nfs_direct_req_release(dreq);
> return result < 0 ? result : -EIO;
> }
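
Review bot: The added put_dreq(dreq) in the requested_bytes == 0 branch sits directly before nfs_direct_req_release(dreq), and the changelog itself says put_dreq() decrements io_count and eventually calls nfs_direct_write_complete(). If this put takes io_count to zero, completion would run on a request for which inode_dio_end() has already been called and which this branch then releases on the next line, so the changelog needs to show why that cannot complete or release the request twice. It should also name what is actually leaked and how it was observed, since the message gives no trace or reproducer for the claim that cleanup is prevented.
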
--
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trondmy@kernel.org, trond.myklebust@hammerspace.com