FKIE_CVE-2026-46050

Vulnerability from fkie_nvd - Published: 2026-05-27 14:17 - Updated: 2026-05-27 14:48
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix deadlock with check operation and nowait requests When an array check is running it will raise the barrier at which point normal requests will become blocked and increment the nr_pending value to signal there is work pending inside of wait_barrier(). NOWAIT requests do not block and so will return immediately with an error, and additionally do not increment nr_pending in wait_barrier(). Upstream change commit 43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit this condition. raid_end_bio_io() eventually calls allow_barrier() and it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even though the corresponding increment on nr_pending didn't happen in the NOWAIT case. This can be easily seen by starting a check operation while an application is doing nowait IO on the same array. This results in a deadlocked state due to nr_pending value underflowing and so the md resync thread gets stuck waiting for nr_pending to == 0. Output of r10conf state of the array when we hit this condition: crash> struct r10conf barrier = 1, nr_pending = { counter = -41 }, nr_waiting = 15, nr_queued = 0, Example of md_sync thread stuck waiting on raise_barrier() and other requests stuck in wait_barrier(): md1_resync [<0>] raise_barrier+0xce/0x1c0 [<0>] raid10_sync_request+0x1ca/0x1ed0 [<0>] md_do_sync+0x779/0x1110 [<0>] md_thread+0x90/0x160 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30 kworker/u1040:2+flush-253:4 [<0>] wait_barrier+0x1de/0x220 [<0>] regular_request_wait+0x30/0x180 [<0>] raid10_make_request+0x261/0x1000 [<0>] md_handle_request+0x13b/0x230 [<0>] __submit_bio+0x107/0x1f0 [<0>] submit_bio_noacct_nocheck+0x16f/0x390 [<0>] ext4_io_submit+0x24/0x40 [<0>] ext4_do_writepages+0x254/0xc80 [<0>] ext4_writepages+0x84/0x120 [<0>] do_writepages+0x7a/0x260 [<0>] __writeback_single_inode+0x3d/0x300 [<0>] writeback_sb_inodes+0x1dd/0x470 [<0>] __writeback_inodes_wb+0x4c/0xe0 [<0>] wb_writeback+0x18b/0x2d0 [<0>] wb_workfn+0x2a1/0x400 [<0>] process_one_work+0x149/0x330 [<0>] worker_thread+0x2d2/0x410 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1cdff2937c618f81058422bbdc4974a3e7ec9379
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/42fe37c90184cd1568838b84b488934c3671c963
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7d96f3120a7fb7210d21b520c5b6f495da6ba436
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/965d6162dd88cc7cc193cf7f5bfc132d8bbf0523
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cac2106bb9a2180b288079b49ed626414fb5bc45
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix deadlock with check operation and nowait requests\n\nWhen an array check is running it will raise the barrier at which point\nnormal requests will become blocked and increment the nr_pending value to\nsignal there is work pending inside of wait_barrier(). NOWAIT requests\ndo not block and so will return immediately with an error, and additionally\ndo not increment nr_pending in wait_barrier(). Upstream change commit\n43806c3d5b9b (\"raid10: cleanup memleak at raid10_make_request\") added a\ncall to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit\nthis condition. raid_end_bio_io() eventually calls allow_barrier() and\nit will unconditionally do an atomic_dec_and_test(\u0026conf-\u003enr_pending) even\nthough the corresponding increment on nr_pending didn\u0027t happen in the\nNOWAIT case.\n\nThis can be easily seen by starting a check operation while an application\nis doing nowait IO on the same array. This results in a deadlocked state\ndue to nr_pending value underflowing and so the md resync thread gets stuck\nwaiting for nr_pending to == 0.\n\nOutput of r10conf state of the array when we hit this condition:\n\ncrash\u003e struct r10conf\n\tbarrier = 1,\n        nr_pending = {\n          counter = -41\n        },\n        nr_waiting = 15,\n        nr_queued = 0,\n\nExample of md_sync thread stuck waiting on raise_barrier() and other\nrequests stuck in wait_barrier():\n\nmd1_resync\n[\u003c0\u003e] raise_barrier+0xce/0x1c0\n[\u003c0\u003e] raid10_sync_request+0x1ca/0x1ed0\n[\u003c0\u003e] md_do_sync+0x779/0x1110\n[\u003c0\u003e] md_thread+0x90/0x160\n[\u003c0\u003e] kthread+0xbe/0xf0\n[\u003c0\u003e] ret_from_fork+0x34/0x50\n[\u003c0\u003e] ret_from_fork_asm+0x1a/0x30\n\nkworker/u1040:2+flush-253:4\n[\u003c0\u003e] wait_barrier+0x1de/0x220\n[\u003c0\u003e] regular_request_wait+0x30/0x180\n[\u003c0\u003e] raid10_make_request+0x261/0x1000\n[\u003c0\u003e] md_handle_request+0x13b/0x230\n[\u003c0\u003e] __submit_bio+0x107/0x1f0\n[\u003c0\u003e] submit_bio_noacct_nocheck+0x16f/0x390\n[\u003c0\u003e] ext4_io_submit+0x24/0x40\n[\u003c0\u003e] ext4_do_writepages+0x254/0xc80\n[\u003c0\u003e] ext4_writepages+0x84/0x120\n[\u003c0\u003e] do_writepages+0x7a/0x260\n[\u003c0\u003e] __writeback_single_inode+0x3d/0x300\n[\u003c0\u003e] writeback_sb_inodes+0x1dd/0x470\n[\u003c0\u003e] __writeback_inodes_wb+0x4c/0xe0\n[\u003c0\u003e] wb_writeback+0x18b/0x2d0\n[\u003c0\u003e] wb_workfn+0x2a1/0x400\n[\u003c0\u003e] process_one_work+0x149/0x330\n[\u003c0\u003e] worker_thread+0x2d2/0x410\n[\u003c0\u003e] kthread+0xbe/0xf0\n[\u003c0\u003e] ret_from_fork+0x34/0x50\n[\u003c0\u003e] ret_from_fork_asm+0x1a/0x30"
    }
  ],
  "id": "CVE-2026-46050",
  "lastModified": "2026-05-27T14:48:03.013",
  "metrics": {},
  "published": "2026-05-27T14:17:24.547",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1cdff2937c618f81058422bbdc4974a3e7ec9379"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/42fe37c90184cd1568838b84b488934c3671c963"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7d96f3120a7fb7210d21b520c5b6f495da6ba436"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/965d6162dd88cc7cc193cf7f5bfc132d8bbf0523"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/cac2106bb9a2180b288079b49ed626414fb5bc45"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.