> On 26 Jun 2026, at 23:08, WenTao Liang <[email protected]> wrote:
> 
> When key->seg_gen is less than cache_seg->gen, the code calls
> cache_key_put(key) which decrements the refcount to 0 and frees the key
> via cache_key_destroy. However, execution falls through to
> cache_seg_get(key->cache_pos.cache_seg) which accesses the freed key's
> memory, causing a use-after-free.
> 
> Add a continue statement after cache_key_put to skip the subsequent
> operations on the freed key.
> 
> Cc: [email protected]
> Fixes: 1d57628ff95b ("dm-pcache: add persistent cache target in 
> device-mapper")
> Signed-off-by: WenTao Liang <[email protected]>
> ---
> drivers/md/dm-pcache/cache_key.c | 1 +
> 1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/md/dm-pcache/cache_key.c 
> b/drivers/md/dm-pcache/cache_key.c
> index e068e878231b..c33d6b37f58d 100644
> --- a/drivers/md/dm-pcache/cache_key.c
> +++ b/drivers/md/dm-pcache/cache_key.c
> @@ -733,6 +733,7 @@ static int kset_replay(struct pcache_cache *cache, struct 
> pcache_cache_kset_onme
>               /* Check if the segment generation is valid for insertion. */
>               if (key->seg_gen < key->cache_pos.cache_seg->gen) {
>                       cache_key_put(key);
> +                     continue;
>               } else {
>                       cache_subtree = get_subtree(&cache->req_key_tree, 
> key->off);
>                       spin_lock(&cache_subtree->tree_lock);
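Review bot: once `continue;` follows `cache_key_put(key);`, the `} else {` immediately after it is redundant, so drop the else and outdent the remainder of the loop body (the `get_subtree(...)` / `spin_lock(&cache_subtree->tree_lock);` path and whatever follows it beyond the context shown here) so the normal path is no longer nested; checkpatch will also warn about an else after a continue. Separately, the patch as posted has been line-wrapped by the mail client (the `Fixes:` tag, the `diff --git` line, the `@@` hunk header and the `get_subtree(...)` context line are each split across two lines), so it will not apply with `git am`; the resend should go through a client that does not wrap, e.g. `git send-email`.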
> -- 
> 2.39.5 (Apple Git-154)

Please ignore this patch. I will resend a proper version after
learning the kernel submission process.

Apologies for the noise.

Best regards,
WenTao Liang
