Re: [PATCH v4] f2fs: use post-decrement count for cp_wait wakeup

[Wenjie Qi]

   Hi Chao,

  I added the missing Fixes tag in v5. The code is unchanged from v4.

  https://lore.kernel.org/linux-f2fs-devel/20260616135637.1439319-1-qiwenjie@xxxxxxxxxx/T/#u

  Regards,
  Wenjie


On Tue, Jun 16, 2026 at 11:37 AM Chao Yu <chao@xxxxxxxxxx> wrote:
>
> On 6/16/26 11:31, Wenjie Qi wrote:
> > f2fs_write_end_io() decrements the writeback page counter and then
> > reads it again with get_pages() to decide whether the last
> > F2FS_WB_CP_DATA completion should wake cp_wait.
> >
> > Use atomic_dec_return() for F2FS_WB_CP_DATA completions so the wakeup
> > decision is made from the value produced by the decrement itself. Keep
> > the existing dec_page_count() path for other writeback counters.
> >
> > Fixes: ce2739e482bc ("f2fs: fix to avoid UAF in f2fs_write_end_io()")
>
> Fixes: e234088758fc ("f2fs: avoid wait if IO end up when do_checkpoint for better performance")
> Fixes: ce2739e482bc ("f2fs: fix to avoid UAF in f2fs_write_end_io()")
>
> Thanks,
>
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Wenjie Qi <qiwenjie@xxxxxxxxxx>
> > ---
> > Changes in v4:
> > - Add Fixes and Cc stable tags.
> >
> >  fs/f2fs/data.c | 12 +++++++-----
> >  1 file changed, 7 insertions(+), 5 deletions(-)
> >
> > diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
> > index d83a21998ec2..58d23eb74ec2 100644
> > --- a/fs/f2fs/data.c
> > +++ b/fs/f2fs/data.c
> > @@ -392,15 +392,17 @@ static void f2fs_write_end_io(struct bio *bio)
> >               if (f2fs_in_warm_node_list(folio))
> >                       f2fs_del_fsync_node_entry(sbi, folio);
> >
> > -             dec_page_count(sbi, type);
> > -
> >               /*
> >                * we should access sbi before folio_end_writeback() to
> >                * avoid racing w/ kill_f2fs_super()
> >                */
> > -             if (type == F2FS_WB_CP_DATA && !get_pages(sbi, type) &&
> > -                             wq_has_sleeper(&sbi->cp_wait))
> > -                     wake_up(&sbi->cp_wait);
> > +             if (type == F2FS_WB_CP_DATA) {
> > +                     if (!atomic_dec_return(&sbi->nr_pages[type]) &&
> > +                         wq_has_sleeper(&sbi->cp_wait))
> > +                             wake_up(&sbi->cp_wait);
> > +             } else {
> > +                     dec_page_count(sbi, type);
> > +             }
> >
> >               folio_clear_f2fs_gcing(folio);
> >               folio_end_writeback(folio);
>