In the Linux kernel, the following vulnerability has been resolved:
md/raid10: fix deadlock with check operation and nowait requests
When an array check is running it will raise the barrier at which point normal requests will become blocked and increment the nrpending value to signal there is work pending inside of waitbarrier(). NOWAIT requests do not block and so will return immediately with an error, and additionally do not increment nrpending in waitbarrier(). Upstream change commit 43806c3d5b9b ("raid10: cleanup memleak at raid10makerequest") added a call to raidendbioio() to fix a memory leak when NOWAIT requests hit this condition. raidendbioio() eventually calls allowbarrier() and it will unconditionally do an atomicdecandtest(&conf->nrpending) even though the corresponding increment on nrpending didn't happen in the NOWAIT case.
This can be easily seen by starting a check operation while an application is doing nowait IO on the same array. This results in a deadlocked state due to nrpending value underflowing and so the md resync thread gets stuck waiting for nrpending to == 0.
Output of r10conf state of the array when we hit this condition:
crash> struct r10conf barrier = 1, nrpending = { counter = -41 }, nrwaiting = 15, nr_queued = 0,
Example of mdsync thread stuck waiting on raisebarrier() and other requests stuck in wait_barrier():
md1resync [<0>] raisebarrier+0xce/0x1c0 [<0>] raid10syncrequest+0x1ca/0x1ed0 [<0>] mddosync+0x779/0x1110 [<0>] mdthread+0x90/0x160 [<0>] kthread+0xbe/0xf0 [<0>] retfromfork+0x34/0x50 [<0>] retfromforkasm+0x1a/0x30
kworker/u1040:2+flush-253:4 [<0>] waitbarrier+0x1de/0x220 [<0>] regularrequestwait+0x30/0x180 [<0>] raid10makerequest+0x261/0x1000 [<0>] mdhandle_request+0x13b/0x230 [<0>] __submitbio+0x107/0x1f0 [<0>] submitbionoacctnocheck+0x16f/0x390 [<0>] ext4iosubmit+0x24/0x40 [<0>] ext4dowritepages+0x254/0xc80 [<0>] ext4writepages+0x84/0x120 [<0>] dowritepages+0x7a/0x260 [<0>] __writebacksingleinode+0x3d/0x300 [<0>] writebacksbinodes+0x1dd/0x470 [<0>] __writebackinodeswb+0x4c/0xe0 [<0>] wbwriteback+0x18b/0x2d0 [<0>] wbworkfn+0x2a1/0x400 [<0>] processonework+0x149/0x330 [<0>] workerthread+0x2d2/0x410 [<0>] kthread+0xbe/0xf0 [<0>] retfromfork+0x34/0x50 [<0>] retfromforkasm+0x1a/0x30
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46050.json",
"cna_assigner": "Linux"
}