Re: [PATCH] md/raid5-ppl: convert pending_flushes from atomic_t to refcount_t

Next message: Peter Zijlstra: "Re: [PATCH 0/2] tracing: Move trace_printk.h out of kernel.h"
Previous message: David Laight: "Re: [PATCH v3 1/7] list: Add mutable iterator variants"
In reply to: Dan Carpenter: "Re: [PATCH] md/raid5-ppl: convert pending_flushes from atomic_t to refcount_t"
Next in thread: Sajal Gupta: "Re: [PATCH] md/raid5-ppl: convert pending_flushes from atomic_t to refcount_t"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dan Carpenter

Date: Mon Jun 22 2026 - 04:47:46 EST

On Mon, Jun 22, 2026 at 11:42:01AM +0300, Dan Carpenter wrote:
> On Mon, Jun 22, 2026 at 01:34:32PM +0530, Sajal Gupta wrote:
> > The old atomic_t based counter allowed ppl_do_flush() to continue using io
> > after it could already have been freed by ppl_io_unit_finished(), leading
> > to a use-after-free.
> >
> > Convert pending_flushes from atomic_t to refcount_t with a proper ownership
> > model. The creator holds a reference for the duration of ppl_do_flush(),
> > and each submitted flush bio holds a reference until its endio callback
> > runs. This makes the io lifetime explicit and removes the need for the
> > second loop in ppl_do_flush().
> >
> > Fixes: 1532d9e87e8b ("raid5-ppl: PPL support for disks with write-back cache enabled")
> > Reported-by: Dan Carpenter <error27@xxxxxxxxx>
> > Closes: https://lore.kernel.org/all/ajJF2wKYWRk4GGCK@stanley.mountain/
> > Signed-off-by: Sajal Gupta <sajal2005gupta@xxxxxxxxx>
> > ---
>
> Have you tested this at all because it doesn't seem at all correct to
> me...

How I imagined this would work would be:
patch 1: add a break statement to fix the use after free
patch 2: s/atomic_t/recount_t/

The difference between atomic_t and refcount_t is that refount_t warns
about overflows and underflows.

regards,
dan carpenter