Re: [PATCH] md/raid5-ppl: convert pending_flushes from atomic_t to refcount_t

Next message: David Hildenbrand (Arm): "Re: [PATCH v1] kernel: add a simple timer based software watchpoint"
Previous message: Eric Dumazet: "Re: [PATCH 1/2] Protect skb pointer used by two different kernel instances"
In reply to: Sajal Gupta: "[PATCH] md/raid5-ppl: convert pending_flushes from atomic_t to refcount_t"
Next in thread: Dan Carpenter: "Re: [PATCH] md/raid5-ppl: convert pending_flushes from atomic_t to refcount_t"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dan Carpenter

Date: Mon Jun 22 2026 - 04:45:16 EST

On Mon, Jun 22, 2026 at 01:34:32PM +0530, Sajal Gupta wrote:
> The old atomic_t based counter allowed ppl_do_flush() to continue using io
> after it could already have been freed by ppl_io_unit_finished(), leading
> to a use-after-free.
>
> Convert pending_flushes from atomic_t to refcount_t with a proper ownership
> model. The creator holds a reference for the duration of ppl_do_flush(),
> and each submitted flush bio holds a reference until its endio callback
> runs. This makes the io lifetime explicit and removes the need for the
> second loop in ppl_do_flush().
>
> Fixes: 1532d9e87e8b ("raid5-ppl: PPL support for disks with write-back cache enabled")
> Reported-by: Dan Carpenter <error27@xxxxxxxxx>
> Closes: https://lore.kernel.org/all/ajJF2wKYWRk4GGCK@stanley.mountain/
> Signed-off-by: Sajal Gupta <sajal2005gupta@xxxxxxxxx>
> ---

Have you tested this at all because it doesn't seem at all correct to
me...

regards,
dan carpenter