[PATCH v2] md/raid5-ppl: fix use-after-free in ppl_do_flush()

[PATCH v2] md/raid5-ppl: fix use-after-free in ppl_do_flush()

[Sajal Gupta]

The loop in ppl_do_flush() continues iterating after calling
ppl_io_unit_finished(), touching io->pending_flushes and leading to a
use-after-free.

Add a break statement to stop the loop once io is freed.

Fixes: 1532d9e87e8b ("raid5-ppl: PPL support for disks with write-back cache enabled")
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/all/ajJF2wKYWRk4GGCK@stanley.mountain/
Signed-off-by: Sajal Gupta <sajal2005gupta@gmail.com>
---
Compile tested only.

Changes in v2:
 - drop the refcount_t conversion

v1: https://lore.kernel.org/all/20260622080656.22786-1-sajal2005gupta@gmail.com/

 drivers/md/raid5-ppl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/md/raid5-ppl.c b/drivers/md/raid5-ppl.c
index a70cbec12ed0..c3cfdd66d8b0 100644
--- a/drivers/md/raid5-ppl.c
+++ b/drivers/md/raid5-ppl.c
@@ -643,8 +643,10 @@ static void ppl_do_flush(struct ppl_io_unit *io)
 	log->disk_flush_bitmap = 0;

 	for (i = flushed_disks ; i < raid_disks; i++) {
-		if (atomic_dec_and_test(&io->pending_flushes))
+		if (atomic_dec_and_test(&io->pending_flushes)) {
 			ppl_io_unit_finished(io);
+			break;
+		}
 	}
 }

--
2.54.0

Re: [PATCH v2] md/raid5-ppl: fix use-after-free in ppl_do_flush()

[Brigham Campbell]

On Mon Jun 22, 2026 at 8:06 AM MDT, Sajal Gupta wrote:
> Compile tested only.

It looks like you're on the right track, but this could use some
testing. My analysis here may be incorrect, but it looks like it should
be pretty easy to test this patch by compiling and running on a system
with a RAID5 array, PPL enabled, and no RAID journal. I expect the call
stack would look something like the following (feel free to correct me,
anyone...):

ppl_do_flush
ppl_stripe_write_finished
log_stripe_write_finished
handle_stripe
...

To be sure, you can add a tracepoint[^1] inside ppl_do_flush.

Dan was probably reluctant to make the change himself, opting to instead
submit a KTODO because the change is relatively straightforward, but
testing is a little more involved. Testing is particularly important
with respect to subsystems pertaining to the filesystem because latent
regressions could mean permanent data loss.

Cheers,
Brigham

[1]: https://docs.kernel.org/trace/tracepoints.html

Re: [PATCH v2] md/raid5-ppl: fix use-after-free in ppl_do_flush()

[Dan Carpenter]

On Tue, Jun 23, 2026 at 10:42:47PM -0600, Brigham Campbell wrote:
> On Mon Jun 22, 2026 at 8:06 AM MDT, Sajal Gupta wrote:
> > Compile tested only.
> 
> It looks like you're on the right track, but this could use some
> testing. My analysis here may be incorrect, but it looks like it should
> be pretty easy to test this patch by compiling and running on a system
> with a RAID5 array, PPL enabled, and no RAID journal. I expect the call
> stack would look something like the following (feel free to correct me,
> anyone...):

Heh...  That doesn't sound easy at all.  (0_0)

I just left this one because it's not really a big deal.  It probably
isn't even a real bug.  We call increment the refcount in a loop and
then decrement it in another loop.  It's not the right way.  Sajal's
first approach is the right direction this should go but *that* patch
would require testing.

Adding a break here doesn't require testing because it can't possibly
break anything which is not already broken.

regards,
dan carpenter