This is a note to let you know that I've just added the patch titled dm cache: Fix UAF in destroy() to the 6.0-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: dm-cache-fix-uaf-in-destroy.patch and it can be found in the queue-6.0 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 6a459d8edbdbe7b24db42a5a9f21e6aa9e00c2aa Mon Sep 17 00:00:00 2001 From: Luo Meng <luomeng12@xxxxxxxxxx> Date: Tue, 29 Nov 2022 10:48:49 +0800 Subject: dm cache: Fix UAF in destroy() From: Luo Meng <luomeng12@xxxxxxxxxx> commit 6a459d8edbdbe7b24db42a5a9f21e6aa9e00c2aa upstream. Dm_cache also has the same UAF problem when dm_resume() and dm_destroy() are concurrent. Therefore, cancelling timer again in destroy(). Cc: stable@xxxxxxxxxxxxxxx Fixes: c6b4fcbad044e ("dm: add cache target") Signed-off-by: Luo Meng <luomeng12@xxxxxxxxxx> Signed-off-by: Mike Snitzer <snitzer@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/md/dm-cache-target.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/md/dm-cache-target.c +++ b/drivers/md/dm-cache-target.c @@ -1887,6 +1887,7 @@ static void destroy(struct cache *cache) if (cache->prison) dm_bio_prison_destroy_v2(cache->prison); + cancel_delayed_work_sync(&cache->waker); if (cache->wq) destroy_workqueue(cache->wq); Patches currently in stable-queue which might be from luomeng12@xxxxxxxxxx are queue-6.0/dm-integrity-fix-uaf-in-dm_integrity_dtr.patch queue-6.0/dm-clone-fix-uaf-in-clone_dtr.patch queue-6.0/dm-thin-resume-even-if-in-fail-mode.patch queue-6.0/dm-cache-fix-uaf-in-destroy.patch queue-6.0/dm-thin-fix-uaf-in-run_timer_softirq.patch