From 44827715a4c4a79d963a56952db4c338df09e96e Mon Sep 17 00:00:00 2001
From: Wentao Liang
Date: Tue, 26 May 2026 10:37:22 +0000
Subject: [PATCH] block: blk-mq: fix ws_active refcount leak in blk_mq_mark_tag_wait()
blk_mq_mark_tag_wait() calls sbitmap_queue_get() which increments sbq->ws_active. On the error path where the waitqueue_active() check fails and the function returns early, sbq->ws_active is not decremented, leaking the reference. Fix this by calling sbitmap_queue_clear() to properly release the ws_active reference before returning on the error path.
Fixes: c27d53fb445f ("blk-mq: Reduce the number of if-statements in blk_mq_mark_tag_wait()")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang
---
 block/blk-mq.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 88cb5acc4f39..9cfc54c36ecd 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1921,6 +1921,8 @@ static bool blk_mq_mark_tag_wait(struct blk_mq_hw_ctx *hctx,
 spin_lock_irq(&wq->lock);
 spin_lock(&hctx->dispatch_wait_lock);
 if (!list_empty(&wait->entry)) {
+ list_del_init(&wait->entry);
+ atomic_dec(&sbq->ws_active);
 spin_unlock(&hctx->dispatch_wait_lock);
 spin_unlock_irq(&wq->lock);
 return false;
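Review bot: The two lines added inside `if (!list_empty(&wait->entry))` appear to release state this call never acquired: a non-empty entry means the wait entry was already queued earlier, and nothing in the hunk shows `sbq->ws_active` being incremented before this check (in the tree I know, the `atomic_inc(&sbq->ws_active)` comes after this branch; the function body starts and ends outside the hunk, so please confirm). If that holds, `atomic_dec(&sbq->ws_active)` unbalances the counter and `list_del_init(&wait->entry)` unlinks a waiter that is still owed its wakeup, which risks a stalled hardware queue rather than fixing a leak. The entry may also be linked on a different wait queue head than the `wq` locked here, so the unlink may not be covered by `wq->lock`. The description does not match the code either: it names `sbitmap_queue_get()`, a `waitqueue_active()` check and a `sbitmap_queue_clear()` call, none of which appear in the diff. I would drop both added lines, document the branch with something like `/* already queued by an earlier call; presumably that reference is dropped when the wakeup runs */`, and hold the `Cc: stable` tag until the accounting is demonstrated.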