md/raid10: fix deadlock with check operation and nowait requests
Summary
| CVE | CVE-2026-46050 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-27 14:17:24 UTC |
| Updated | 2026-05-27 14:48:03 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix deadlock with check operation and nowait requests When an array check is running it will raise the barrier at which point normal requests will become blocked and increment the nr_pending value to signal there is work pending inside of wait_barrier(). NOWAIT requests do not block and so will return immediately with an error, and additionally do not increment nr_pending in wait_barrier(). Upstream change commit 43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit this condition. raid_end_bio_io() eventually calls allow_barrier() and it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even though the corresponding increment on nr_pending didn't happen in the NOWAIT case. This can be easily seen by starting a check operation while an application is doing nowait IO on the same array. This results in a deadlocked state due to nr_pending value underflowing and so the md resync thread gets stuck waiting for nr_pending to == 0. Output of r10conf state of the array when we hit this condition: crash> struct r10conf barrier = 1, nr_pending = { counter = -41 }, nr_waiting = 15, nr_queued = 0, Example of md_sync thread stuck waiting on raise_barrier() and other requests stuck in wait_barrier(): md1_resync [<0>] raise_barrier+0xce/0x1c0 [<0>] raid10_sync_request+0x1ca/0x1ed0 [<0>] md_do_sync+0x779/0x1110 [<0>] md_thread+0x90/0x160 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30 kworker/u1040:2+flush-253:4 [<0>] wait_barrier+0x1de/0x220 [<0>] regular_request_wait+0x30/0x180 [<0>] raid10_make_request+0x261/0x1000 [<0>] md_handle_request+0x13b/0x230 [<0>] __submit_bio+0x107/0x1f0 [<0>] submit_bio_noacct_nocheck+0x16f/0x390 [<0>] ext4_io_submit+0x24/0x40 [<0>] ext4_do_writepages+0x254/0xc80 [<0>] ext4_writepages+0x84/0x120 [<0>] do_writepages+0x7a/0x260 [<0>] __writeback_single_inode+0x3d/0x300 [<0>] writeback_sb_inodes+0x1dd/0x470 [<0>] __writeback_inodes_wb+0x4c/0xe0 [<0>] wb_writeback+0x18b/0x2d0 [<0>] wb_workfn+0x2a1/0x400 [<0>] process_one_work+0x149/0x330 [<0>] worker_thread+0x2d2/0x410 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30 |
Risk And Classification
EPSS: 0.000180000 probability, percentile 0.051520000 (date 2026-05-28)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 8fc3d7b23d139e3cbc944c15d99b3cdbed797d2d 965d6162dd88cc7cc193cf7f5bfc132d8bbf0523 git | Not specified |
| CNA | Linux | Linux | affected 2941155d9a5ae098b480d551f3a5f8605d4f9af5 42fe37c90184cd1568838b84b488934c3671c963 git | Not specified |
| CNA | Linux | Linux | affected 43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24 cac2106bb9a2180b288079b49ed626414fb5bc45 git | Not specified |
| CNA | Linux | Linux | affected 43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24 1cdff2937c618f81058422bbdc4974a3e7ec9379 git | Not specified |
| CNA | Linux | Linux | affected 43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24 7d96f3120a7fb7210d21b520c5b6f495da6ba436 git | Not specified |
| CNA | Linux | Linux | affected 10c6021a609deb95f23f0cc2f89aa9d4bffb14c7 git | Not specified |
| CNA | Linux | Linux | affected 9af149ca9d0dab6e59e813519d309eff62499864 git | Not specified |
| CNA | Linux | Linux | affected ed7bcd9f617e4107ac0813c516e72e6b8f6029bd git | Not specified |
| CNA | Linux | Linux | affected 6.6.99 6.6.140 semver | Not specified |
| CNA | Linux | Linux | affected 6.12.39 6.12.86 semver | Not specified |
| CNA | Linux | Linux | affected 5.15.189 5.16 semver | Not specified |
| CNA | Linux | Linux | affected 6.1.146 6.2 semver | Not specified |
| CNA | Linux | Linux | affected 6.15.7 6.16 semver | Not specified |
| CNA | Linux | Linux | affected 6.16 | Not specified |
| CNA | Linux | Linux | unaffected 6.16 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.140 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.86 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.27 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.4 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1-rc1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/7d96f3120a7fb7210d21b520c5b6f495da6ba436 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/42fe37c90184cd1568838b84b488934c3671c963 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/965d6162dd88cc7cc193cf7f5bfc132d8bbf0523 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/1cdff2937c618f81058422bbdc4974a3e7ec9379 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/cac2106bb9a2180b288079b49ed626414fb5bc45 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.