[f2fs-dev] [PATCH v6] f2fs: use post-decrement count for cp_wait wakeup

Wed, 17 Jun 2026 20:13:01 -0700 

f2fs_write_end_io() decrements the writeback page counter and then reads
it again with get_pages() to decide whether the last F2FS_WB_CP_DATA
completion should wake cp_wait.

That second read can race with a new CP-data writeback submission.  If
this completion drops the counter to zero, but another thread increments
it again before get_pages() runs, the zero transition is missed and a
checkpoint waiter can keep sleeping until the timeout.

Use the post-decrement value for F2FS_WB_CP_DATA completions so the wakeup
decision is tied to this completion.  Keep the existing dec_page_count()
path for other writeback counters.

Fixes: e234088758fc ("f2fs: avoid wait if IO end up when do_checkpoint for 
better performance")
Fixes: ce2739e482bc ("f2fs: fix to avoid UAF in f2fs_write_end_io()")
Cc: [email protected]
Signed-off-by: Wenjie Qi <[email protected]>
---
 fs/f2fs/data.c | 12 +++++++-----
 fs/f2fs/f2fs.h |  6 ++++++
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index d83a21998ec2..2afdcd209d54 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -392,15 +392,17 @@ static void f2fs_write_end_io(struct bio *bio)
                if (f2fs_in_warm_node_list(folio))
                        f2fs_del_fsync_node_entry(sbi, folio);
 
-               dec_page_count(sbi, type);
-
                /*
                 * we should access sbi before folio_end_writeback() to
                 * avoid racing w/ kill_f2fs_super()
                 */
-               if (type == F2FS_WB_CP_DATA && !get_pages(sbi, type) &&
-                               wq_has_sleeper(&sbi->cp_wait))
-                       wake_up(&sbi->cp_wait);
+               if (type == F2FS_WB_CP_DATA) {
+                       if (!dec_page_count_return(sbi, type) &&
+                           wq_has_sleeper(&sbi->cp_wait))
+                               wake_up(&sbi->cp_wait);
+               } else {
+                       dec_page_count(sbi, type);
+               }
 
                folio_clear_f2fs_gcing(folio);
                folio_end_writeback(folio);
diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 9f24287de4c3..db750cef371d 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -2776,6 +2776,12 @@ static inline void dec_page_count(struct f2fs_sb_info 
*sbi, int count_type)
        atomic_dec(&sbi->nr_pages[count_type]);
 }
 
+static inline int dec_page_count_return(struct f2fs_sb_info *sbi,
+                                       int count_type)
+{
+       return atomic_dec_return(&sbi->nr_pages[count_type]);
+}
+
 static inline void inode_dec_dirty_pages(struct inode *inode)
 {
        if (!S_ISDIR(inode->i_mode) && !S_ISREG(inode->i_mode) &&

base-commit: c0b65f6129c7fbb526e921dd60261650f1b2bef9
-- 
2.43.0



_______________________________________________
Linux-f2fs-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

Reply via email to