From: Abd-Alrhman Masalkhi <abd.masalkhi@gmail.com>
To: John Garry <john.g.garry@oracle.com>,
song@kernel.org, yukuai@fnnas.com, linan122@huawei.com,
martin.petersen@oracle.com, axboe@kernel.dk
Cc: linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] raid1: fix nr_pending leak in REQ_ATOMIC bad-block error path
Date: Mon, 01 Jun 2026 11:03:25 +0200 [thread overview]
Message-ID: <m2h5nmljj6.fsf@gmail.com> (raw)
In-Reply-To: <d9c769f5-19a3-4724-b805-3e2f30541c64@oracle.com>
hi,
Thank you for the feedback.
On Mon, Jun 01, 2026 at 09:43 +0100, John Garry wrote:
> On 30/05/2026 16:14, Abd-Alrhman Masalkhi wrote:
>> In raid1_write_request(), each per-mirror loop iteration begins by
>> incrementing rdev->nr_pending. If a REQ_ATOMIC write encounters a
>> badblock within the requested range, the code jumps to err_handle
>> without dropping the reference taken for the current mirror.
>>
>> err_handle's cleanup loop will only decrements for k < i and
>> r1_bio->bios[k] is non-NULL. The current slot is therefore skipped,
>> leaving its nr_pending reference leaked permanently. The reference
>> prevents the rdev from ever being removed, since raid1_remove_conf()
>> refuses to remove an rdev with nr_pending > 0.
>>
>> Fix this by calling rdev_dec_pending() before jumping to err_handle.
>>
>> Fixes: f2a38abf5f1c ("md/raid1: Atomic write support")
>> Signed-off-by: Abd-Alrhman Masalkhi <abd.masalkhi@gmail.com>
>
> FWIW,
>
> Reviewed-by: John Garry <john.g.garry@oracle.com>
>
>> ---
>> drivers/md/raid1.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
>> index 181400e147c0..0084bbc24076 100644
>> --- a/drivers/md/raid1.c
>> +++ b/drivers/md/raid1.c
>> @@ -1580,8 +1580,10 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio,
>> * complexity of supporting that is not worth
>> * the benefit.
>> */
>> - if (bio->bi_opf & REQ_ATOMIC)
>> + if (bio->bi_opf & REQ_ATOMIC) {
>> + rdev_dec_pending(rdev, mddev);
>
> It's not so nice that we have 2x locations that does the
> rdev_dec_pending work
>
Are you suggesting deferring atomic_inc(&rdev->nr_pending) until after
the if (test_bit(WriteErrorSeen, &rdev->flags)) {..} block? The patch
is already in md-7.2; should I send a separate cleanup patch?
>> goto err_handle;
>> + }
>>
>> good_sectors = first_bad - r1_bio->sector;
>> if (good_sectors < max_sectors)
>
--
Best Regards,
Abd-Alrhman
next prev parent reply other threads:[~2026-06-01 9:03 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-30 15:14 [PATCH] raid1: fix nr_pending leak in REQ_ATOMIC bad-block error path Abd-Alrhman Masalkhi
2026-05-31 10:21 ` Yu Kuai
2026-06-01 8:43 ` John Garry
2026-06-01 9:03 ` Abd-Alrhman Masalkhi [this message]
2026-06-01 9:05 ` John Garry
2026-06-01 9:13 ` Abd-Alrhman Masalkhi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m2h5nmljj6.fsf@gmail.com \
--to=abd.masalkhi@gmail.com \
--cc=axboe@kernel.dk \
--cc=john.g.garry@oracle.com \
--cc=linan122@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-raid@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=song@kernel.org \
--cc=yukuai@fnnas.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox