When key->seg_gen is less than cache_seg->gen, the code calls cache_key_put(key) which decrements the refcount to 0 and frees the key via cache_key_destroy. However, execution falls through to cache_seg_get(key->cache_pos.cache_seg) which accesses the freed key's memory, causing a use-after-free.
Add a continue statement after cache_key_put to skip the subsequent operations on the freed key. Cc: [email protected] Fixes: 1d57628ff95b ("dm-pcache: add persistent cache target in device-mapper") Signed-off-by: WenTao Liang <[email protected]> --- drivers/md/dm-pcache/cache_key.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/md/dm-pcache/cache_key.c b/drivers/md/dm-pcache/cache_key.c index e068e878231b..c33d6b37f58d 100644 --- a/drivers/md/dm-pcache/cache_key.c +++ b/drivers/md/dm-pcache/cache_key.c @@ -733,6 +733,7 @@ static int kset_replay(struct pcache_cache *cache, struct pcache_cache_kset_onme /* Check if the segment generation is valid for insertion. */ if (key->seg_gen < key->cache_pos.cache_seg->gen) { cache_key_put(key); + continue; } else { cache_subtree = get_subtree(&cache->req_key_tree, key->off); spin_lock(&cache_subtree->tree_lock); -- 2.39.5 (Apple Git-154)
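Review bot: with `continue;` now terminating the stale-key branch, the `} else {` that follows is redundant and the insertion path could be dedented out of the else block; keeping the one-line change is defensible for a stable backport, but a follow-up cleanup would read better. Also worth checking against the full function, since the loop header is not in the hunk: if the per-iteration advance (the index into the kset's keys) is done at the bottom of the loop body rather than in the `for` header, `continue` would skip it and replay the same key again, so please confirm it lives in the header. Finally, the commit message states that cache_key_put() takes the refcount to 0 without saying where the key's only reference came from; naming the allocation earlier in the same iteration would make the "frees immediately" claim self-evident to a reader of the log.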

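The following C model is an added example, not dm-pcache code: it reduces the replay loop to a refcounted key, a segment generation check, and the `continue` that the patch introduces, so the put-then-continue pattern can be seen in isolation. All names (`key_put`, `seg_get`, `kset_replay`, `demo_replay`) and the scenario data are hypothetical constructions for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the objects involved; not the dm-pcache structs. */
struct seg {
	unsigned gen;   /* current generation of the segment */
	int refs;       /* taken by seg_get() for every key that is inserted */
};

struct key {
	int refcount;
	unsigned seg_gen;   /* segment generation the key was written against */
	struct seg *seg;
};

static struct key *key_alloc(unsigned seg_gen, struct seg *seg)
{
	struct key *k = calloc(1, sizeof(*k));
	if (!k)
		return NULL;
	k->refcount = 1;   /* the caller holds the only reference */
	k->seg_gen = seg_gen;
	k->seg = seg;
	return k;
}

/* Drops one reference; the last one frees the key, after which the caller
 * must not touch it. The poison makes a stale access visibly wrong. */
static void key_put(struct key *k)
{
	if (--k->refcount == 0) {
		memset(k, 0xa5, sizeof(*k));
		free(k);
	}
}

static void seg_get(struct seg *s) { s->refs++; }

/* Constructed on-disk record: which segment the key lives in and the
 * generation it saw when written. */
struct kset_entry { int seg_idx; unsigned seg_gen; };

struct replay_stats { int inserted; int skipped; };

/* Fixed control flow: a stale entry drops its single reference and the
 * iteration ends there. Only live keys reach the insert and pin their
 * segment. Counts are returned so the caller can verify the skip. */
static struct replay_stats kset_replay(struct seg *segs,
				       const struct kset_entry *ents, size_t n,
				       struct key **tree, size_t *tree_len)
{
	struct replay_stats st = {0, 0};
	for (size_t i = 0; i < n; i++) {
		struct key *key = key_alloc(ents[i].seg_gen, &segs[ents[i].seg_idx]);
		if (!key)
			break;
		if (key->seg_gen < key->seg->gen) {
			key_put(key);   /* last reference: key is freed here */
			st.skipped++;
			continue;       /* without this, seg_get(key->seg) below reads freed memory */
		}
		tree[(*tree_len)++] = key;   /* the insert keeps the reference */
		seg_get(key->seg);
		st.inserted++;
	}
	return st;
}

struct demo_result { int inserted, skipped, seg0_refs, seg1_refs; };

/* Constructed scenario: segment 0 has advanced to generation 3, segment 1
 * is at generation 1. Two entries are stale against segment 0, two are
 * current. */
static struct demo_result demo_replay(void)
{
	struct seg segs[2] = { { .gen = 3, .refs = 0 }, { .gen = 1, .refs = 0 } };
	const struct kset_entry ents[] = { {0, 1}, {0, 3}, {1, 1}, {0, 2} };
	struct key *tree[4];
	size_t tree_len = 0;
	struct replay_stats st = kset_replay(segs, ents, 4, tree, &tree_len);
	struct demo_result r = { st.inserted, st.skipped, segs[0].refs, segs[1].refs };

	for (size_t i = 0; i < tree_len; i++)
		key_put(tree[i]);   /* tree teardown drops the inserted keys' references */
	return r;
}

int main(void)
{
	struct demo_result r = demo_replay();
	printf("inserted=%d skipped=%d seg0_refs=%d seg1_refs=%d\n",
	       r.inserted, r.skipped, r.seg0_refs, r.seg1_refs);
	return 0;
}
```

Run under AddressSanitizer with the `continue` removed and the stale entries trigger a heap-use-after-free report at the `seg_get(key->seg)` line, which is the fault the patch closes; with it in place every stale key is freed exactly once and never touched again.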
