raid1: fix nr_pending leak in REQ_ATOMIC bad-block error path

In raid1_write_request(), each per-mirror loop iteration begins by
incrementing rdev->nr_pending. If a REQ_ATOMIC write encounters a
badblock within the requested range, the code jumps to err_handle
without dropping the reference taken for the current mirror.

err_handle's cleanup loop will only decrements for k < i and
r1_bio->bios[k] is non-NULL. The current slot is therefore skipped,
leaving its nr_pending reference leaked permanently. The reference
prevents the rdev from ever being removed, since raid1_remove_conf()
refuses to remove an rdev with nr_pending > 0.

Fix this by calling rdev_dec_pending() before jumping to err_handle.

Fixes: f2a38abf5f1c ("md/raid1: Atomic write support")
Signed-off-by: Abd-Alrhman Masalkhi <abd.masalkhi@gmail.com>
Link: https://patch.msgid.link/20260530151411.4119-1-abd.masalkhi@gmail.com
Signed-off-by: Yu Kuai <yukuai@fygo.io>

diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
index 85a17909d8fe72bd673048d7cdf1ba9c86d0e9a2..b1ed4cc6ade410943fc3030a2685b2c2349e99ac 100644 (file)
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -1603,8 +1603,10 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio,
                                 * complexity of supporting that is not worth
                                 * the benefit.
                                 */
-                               if (bio->bi_opf & REQ_ATOMIC)
+                               if (bio->bi_opf & REQ_ATOMIC) {
+                                       rdev_dec_pending(rdev, mddev);
                                        goto err_handle;
+                               }
 
                                good_sectors = first_bad - r1_bio->sector;
                                if (good_sectors < max_sectors)