Re: [PATCH] f2fs: avoid cp_wait use-after-free in f2fs_write_end_io()

Next message: lihuisong (C): "Re: [PATCH v02] mailbox: pcc: report errors for PCC clients"
Previous message: Jaegeuk Kim: "Re: [f2fs-dev] [PATCH v2] f2fs: another way to set large folio by remembering inode number"
In reply to: Chao Yu: "Re: [PATCH] f2fs: avoid cp_wait use-after-free in f2fs_write_end_io()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Wenjie Qi

Date: Mon May 25 2026 - 23:49:12 EST

Agreed, v1 can wake cp_wait before nr_pages[F2FS_WB_CP_DATA] reaches
zero, so
the waiter may recheck the counter, still see a non-zero value, and
sleep until
DEFAULT_SCHEDULE_TIMEOUT.

I sent v2 to address this:
https://lore.kernel.org/r/20260526034439.1017521-1-qiwenjie@xxxxxxxxxx

In v2, I used atomic_dec_and_lock_irqsave() for the F2FS_WB_CP_DATA zero
transition and wake waiters while holding cp_wait.lock.
f2fs_wait_on_all_pages()
also prepares the wait entry and rechecks get_pages() under the same
lock before
sleeping.

This should avoid the missed wakeup you pointed out, while also avoiding an
unprotected post-zero access to sbi->cp_wait in f2fs_write_end_io().