[PATCH] fix: md: kset_replay: fix use-after-free after cache_key_put
From: WenTao Liang
Date: Fri Jun 26 2026 - 11:14:08 EST
When key->seg_gen is less than cache_seg->gen, the code calls
cache_key_put(key), which decrements the refcount to 0 and frees the key
via cache_key_destroy. However, execution falls through to
cache_seg_get(key->cache_pos.cache_seg), which accesses the freed key's
memory, causing a use-after-free.

Add a continue statement after cache_key_put to skip the subsequent
operations on the freed key.
Cc: stable@xxxxxxxxxxxxxxx
Fixes: 1d57628ff95b ("dm-pcache: add persistent cache target in device-mapper")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
drivers/md/dm-pcache/cache_key.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/md/dm-pcache/cache_key.c b/drivers/md/dm-pcache/cache_key.c
index e068e878231b..c33d6b37f58d 100644
--- a/drivers/md/dm-pcache/cache_key.c
+++ b/drivers/md/dm-pcache/cache_key.c
@@ -733,6 +733,7 @@ static int kset_replay(struct pcache_cache *cache, struct pcache_cache_kset_onme
/* Check if the segment generation is valid for insertion. */
if (key->seg_gen < key->cache_pos.cache_seg->gen) {
cache_key_put(key);
+ continue;
} else {
cache_subtree = get_subtree(&cache->req_key_tree, key->off);
spin_lock(&cache_subtree->tree_lock);
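Review bot: with the added continue, the else on the following line is now dead structure: the stale-generation branch never reaches it, so the else and the extra indentation level around get_subtree()/spin_lock() can be dropped and that code dedented to the loop body, which is the usual kernel style for an early-continue guard. Separately, continue skips everything after the if/else in this iteration, not only the cache_seg_get() named in the commit message; the hunk does not show what else follows the else block in kset_replay(), so please confirm that no per-key bookkeeping the replay loop depends on (advancing the on-media key position or a count, for example) sits after the block and is now skipped for stale keys.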
--
2.39.5 (Apple Git-154)