On 6/18/26 11:38, Wenjie Qi wrote:
The race is between dec_page_count() and the later get_pages() check:
another CP-data writeback can be submitted after the counter reaches zero
but before get_pages() observes it, so the zero transition may miss the
cp_wait wakeup.
Can you describe race condition like below calltrace? which will be easier to
understand?
loop device umount
- worker_thread
- loop_process_work
- do_req_filebacked
- lo_rw_aio
- lo_rw_aio_complete
- blk_mq_end_request
- blk_update_request
- f2fs_write_end_io
- dec_page_count
- folio_end_writeback
- kill_f2fs_super
- kill_block_super
- f2fs_put_super
: free(sbi)
: get_pages(, F2FS_WB_CP_DATA)
accessed sbi which is freed
Thanks,
v6 also adds dec_page_count_return() and uses it instead of accessing
nr_pages directly. The wakeup logic is unchanged from v5.
https://lore.kernel.org/linux-f2fs-devel/[email protected]/T/#u
On Thu, Jun 18, 2026 at 2:09 AM Jaegeuk Kim <[email protected]> wrote:
On 06/16, Wenjie Qi wrote:
f2fs_write_end_io() decrements the writeback page counter and then
reads it again with get_pages() to decide whether the last
F2FS_WB_CP_DATA completion should wake cp_wait.
Use atomic_dec_return() for F2FS_WB_CP_DATA completions so the wakeup
decision is made from the value produced by the decrement itself. Keep
the existing dec_page_count() path for other writeback counters.
Is there a race condition to do this? If so, can you describe? And, I think
we need a wrapper function instead of calling nr_pages directly.
Fixes: e234088758fc ("f2fs: avoid wait if IO end up when do_checkpoint for better
performance")
Fixes: ce2739e482bc ("f2fs: fix to avoid UAF in f2fs_write_end_io()")
Cc: [email protected]
Signed-off-by: Wenjie Qi <[email protected]>
---
fs/f2fs/data.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index d83a21998ec2..58d23eb74ec2 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -392,15 +392,17 @@ static void f2fs_write_end_io(struct bio *bio)
if (f2fs_in_warm_node_list(folio))
f2fs_del_fsync_node_entry(sbi, folio);
- dec_page_count(sbi, type);
-
/*
* we should access sbi before folio_end_writeback() to
* avoid racing w/ kill_f2fs_super()
*/
- if (type == F2FS_WB_CP_DATA && !get_pages(sbi, type) &&
- wq_has_sleeper(&sbi->cp_wait))
- wake_up(&sbi->cp_wait);
+ if (type == F2FS_WB_CP_DATA) {
+ if (!atomic_dec_return(&sbi->nr_pages[type]) &&
+ wq_has_sleeper(&sbi->cp_wait))
+ wake_up(&sbi->cp_wait);
+ } else {
+ dec_page_count(sbi, type);
+ }
folio_clear_f2fs_gcing(folio);
folio_end_writeback(folio);
base-commit: c0b65f6129c7fbb526e921dd60261650f1b2bef9
--
2.43.0
_______________________________________________
Linux-f2fs-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
_______________________________________________
Linux-f2fs-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
