CVE-2026-46050

In the Linux kernel, the following vulnerability has been resolved:

md/raid10: fix deadlock with check operation and nowait requests

When an array check is running it will raise the barrier at which point normal requests will become blocked and increment the nr pending value to signal there is work pending inside of wait barrier(). NOWAIT requests do not block and so will return immediately with an error, and additionally do not increment nr pending in wait barrier(). Upstream change commit 43806c3d5b9b ("raid10: cleanup memleak at raid10 make request") added a call to raid end bio io() to fix a memory leak when NOWAIT requests hit this condition. raid end bio io() eventually calls allow barrier() and it will unconditionally do an atomic dec and test(&conf->nr pending) even though the corresponding increment on nr pending didn't happen in the NOWAIT case.

This can be easily seen by starting a check operation while an application is doing nowait IO on the same array. This results in a deadlocked state due to nr pending value underflowing and so the md resync thread gets stuck waiting for nr pending to == 0.

Output of r10conf state of the array when we hit this condition:

crash> struct r10conf barrier = 1, nr pending = { counter = -41 }, nr waiting = 15, nr queued = 0,

Example of md sync thread stuck waiting on raise barrier() and other requests stuck in wait barrier():

md1 resync [<0>] raise barrier+0xce/0x1c0 [<0>] raid10 sync request+0x1ca/0x1ed0 [<0>] md do sync+0x779/0x1110 [<0>] md thread+0x90/0x160 [<0>] kthread+0xbe/0xf0 [<0>] ret from fork+0x34/0x50 [<0>] ret from fork asm+0x1a/0x30

kworker/u1040:2+flush-253:4 [<0>] wait barrier+0x1de/0x220 [<0>] regular request wait+0x30/0x180 [<0>] raid10 make request+0x261/0x1000 [<0>] md handle request+0x13b/0x230 [<0>] submit bio+0x107/0x1f0 [<0>] submit bio noacct nocheck+0x16f/0x390 [<0>] ext4 io submit+0x24/0x40 [<0>] ext4 do writepages+0x254/0xc80 [<0>] ext4 writepages+0x84/0x120 [<0>] do writepages+0x7a/0x260 [<0>] writeback single inode+0x3d/0x300 [<0>] writeback sb inodes+0x1dd/0x470 [<0>] writeback inodes wb+0x4c/0xe0 [<0>] wb writeback+0x18b/0x2d0 [<0>] wb workfn+0x2a1/0x400 [<0>] process one work+0x149/0x330 [<0>] worker thread+0x2d2/0x410 [<0>] kthread+0xbe/0xf0 [<0>] ret from fork+0x34/0x50 [<0>] ret from fork asm+0x1a/0x30