From: Aaron Esau
To: linux-block@vger.kernel.org
Cc: Jens Axboe, Anuj Gupta, Kanchan Joshi, Christoph Hellwig, Keith Busch, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Aaron Esau
Subject: [PATCH] block: fix dio leak on integrity metadata mapping failure
Date: Mon, 18 May 2026 16:42:58 +0900
Message-ID: <20260518074258.1600307-1-aaron1esau@gmail.com>

In __blkdev_direct_IO(), when bio_integrity_map_iter() fails on a bio
after earlier bios have already been submitted, the goto fail path frees
only the current bio and returns the error directly to the caller.

This is incorrect because the fail label does not decrement dio->ref for
the current bio, and does not return -EIOCBQUEUED. The in-flight bios
each hold a reference via dio->ref, which was incremented before their
submission. When they eventually complete, blkdev_bio_end_io() decrements
dio->ref but it will never reach zero since the failing bio did not
participate in the completion mechanism. This permanently leaks the
embedded dio/bio structure from blkdev_dio_pool.

The trigger is deterministic: a multi-segment direct IO with integrity
metadata where the user-provided metadata buffer is too small for all
segments causes bio_integrity_map_iter() to return -EINVAL on a later
bio after earlier bios are already in flight.

Fix this by handling the integrity mapping failure the same way
blkdev_iov_iter_get_pages() failure is handled: set bi_status and call
bio_endio() to enter the normal completion path, then break out of the
loop so the function returns -EIOCBQUEUED for async IO.

Fixes: 3d8b5a22d404 ("block: add support to pass user meta buffer")
Cc: stable@vger.kernel.org
Signed-off-by: Aaron Esau --- block/fops.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/block/fops.c b/block/fops.c index bb6642b459..39280d761c 100644 --- a/block/fops.c +++ b/block/fops.c @@ -239,8 +239,11 @@ static ssize_t __blkdev_direct_IO(struct kiocb *iocb, = struct iov_iter *iter, } if (iocb->ki_flags & IOCB_HAS_METADATA) { ret =3D bio_integrity_map_iter(bio, iocb->private); - if (unlikely(ret)) - goto fail; + if (unlikely(ret)) { + bio->bi_status =3D BLK_STS_IOERR; + bio_endio(bio); + break; + } } =20 if (is_read) { --=20 2.54.0
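
Review bot: In the new `if (unlikely(ret))` branch the errno returned by bio_integrity_map_iter() is discarded and bi_status is hard-coded to BLK_STS_IOERR, so the -EINVAL case the commit message describes (metadata buffer too small) would reach the submitter through the completion path as a generic I/O error rather than as an invalid-argument error. If the cause should be preserved, consider `bio->bi_status = errno_to_blk_status(ret);`; if matching the existing page-mapping failure handling is the intent, a sentence in the commit message noting the change in the reported error would help stable backporters. Two further things to confirm, since the diffstat shows only this one hunk: that the `fail` label still has another user now that this `goto fail` is gone, and that leaving `ret` non-zero across the `break` does not affect the return value on the synchronous path.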