FKIE_CVE-2026-53060
Vulnerability from fkie_nvd - Published: 2026-06-24 17:17 - Updated: 2026-06-24 17:17
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm cache metadata: fix memory leak on metadata abort retry
When failing to acquire the root_lock in dm_cache_metadata_abort because
the block_manager is read-only, the temporary block_manager created
outside the root_lock is not properly released, causing a memory leak.
Reproduce steps:
This can be reproduced by reloading a new table while the metadata
is read-only. While the second call to dm_cache_metadata_abort is
caused by lack of support for table preload in dm-cache, mentioned
in commit 9b1cc9f251af ("dm cache: share cache-metadata object across
inactive and active DM tables"), it exposes the memory leak in
dm_cache_metadata_abort when the function is called multiple times.
Specifically, dm-cache fails to sync the new cache object's mode during
preresume, creating the reproducer condition.
This issue could also occur through concurrent metadata_operation_failed
calls due to races in cache mode updates, but the table preload scenario
below provides a reliable reproducer.
1. Create a cache device with some faulty trailing metadata blocks
dmsetup create cmeta <<EOF
0 200 linear /dev/sdc 0
200 7992 error
EOF
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 131072 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 1 writethrough smq 0"
2. Suspend and resume the cache to start a new metadata transaction and
trigger metadata io errors on the next metadata commit.
dmsetup suspend cache
dmsetup resume cache
3. Write to the cache device to update metadata
fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \
--randrepeat=0 --direct=1 --size 64k
4. Preload the same table
dmsetup reload cache --table "$(dmsetup table cache)"
5. Resume the new table. This triggers the memory leak.
dmsetup suspend cache
dmsetup resume cache
kmemleak logs:
<snip>
unreferenced object 0xffff8880080c2010 (size 16):
comm "dmsetup", pid 132, jiffies 4294982580
hex dump (first 16 bytes):
00 38 b9 07 80 88 ff ff 6a 6b 6b 6b 6b 6b 6b a5 ...
backtrace (crc 3118f31c):
kmemleak_alloc+0x28/0x40
__kmalloc_cache_noprof+0x3d9/0x510
dm_block_manager_create+0x51/0x140
dm_cache_metadata_abort+0x85/0x320
metadata_operation_failed+0x103/0x1e0
cache_preresume+0xacd/0xe70
dm_table_resume_targets+0xd3/0x320
__dm_resume+0x1b/0xf0
dm_resume+0x127/0x170
<snip>
References
Impacted products
| Vendor | Product | Version |
|---|
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-cache-metadata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14f60e957f34f95a626caec76a8fae88cf4c397f",
"status": "affected",
"version": "b45e77b79215405bd039a690f5b06cc03e8ed27d",
"versionType": "git"
},
{
"lessThan": "6b97cc7a42905755c56bbddc33aa8b792205caee",
"status": "affected",
"version": "28d307f380df88a598bc0186d527462902d9bda1",
"versionType": "git"
},
{
"lessThan": "d1a79620c419a0af1911f99c873014b30740e303",
"status": "affected",
"version": "f74b7c5a85e22cd9091845e0d62a1dd89d0f855f",
"versionType": "git"
},
{
"lessThan": "15c30997dca681f90dbf2d45ee629c1828bf0c0d",
"status": "affected",
"version": "352b837a5541690d4f843819028cf2b8be83d424",
"versionType": "git"
},
{
"lessThan": "b0bd35535bdb6f58505f3a30ee5793986943997a",
"status": "affected",
"version": "352b837a5541690d4f843819028cf2b8be83d424",
"versionType": "git"
},
{
"lessThan": "322a3b70368d49e39591fe9fc6c07d262128b05f",
"status": "affected",
"version": "352b837a5541690d4f843819028cf2b8be83d424",
"versionType": "git"
},
{
"lessThan": "4311ca59a1891d33c4c8b7946f98c34f167fe833",
"status": "affected",
"version": "352b837a5541690d4f843819028cf2b8be83d424",
"versionType": "git"
},
{
"lessThan": "044ca491d4086dc5bf233e9fcb71db52df32f633",
"status": "affected",
"version": "352b837a5541690d4f843819028cf2b8be83d424",
"versionType": "git"
},
{
"status": "affected",
"version": "6e237cacda8b4e976849e7bff9fe7dff0e968586",
"versionType": "git"
},
{
"status": "affected",
"version": "3972ae47d0ee9b5b434af5d0cca6cdfd1e239d4f",
"versionType": "git"
},
{
"status": "affected",
"version": "9958f5ffc44530b650fb4cc9038a4d167fa4f5c1",
"versionType": "git"
},
{
"status": "affected",
"version": "f472bfc95d9c9653172dbdad39219b32fabf9b92",
"versionType": "git"
},
{
"status": "affected",
"version": "bdd4e106929ac943f3226d8f03754b480701e97b",
"versionType": "git"
},
{
"lessThan": "5.10.258",
"status": "affected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThan": "5.15.209",
"status": "affected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThan": "6.1.175",
"status": "affected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThan": "6.1",
"status": "affected",
"version": "6.0.18",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-cache-metadata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache metadata: fix memory leak on metadata abort retry\n\nWhen failing to acquire the root_lock in dm_cache_metadata_abort because\nthe block_manager is read-only, the temporary block_manager created\noutside the root_lock is not properly released, causing a memory leak.\n\nReproduce steps:\n\nThis can be reproduced by reloading a new table while the metadata\nis read-only. While the second call to dm_cache_metadata_abort is\ncaused by lack of support for table preload in dm-cache, mentioned\nin commit 9b1cc9f251af (\"dm cache: share cache-metadata object across\ninactive and active DM tables\"), it exposes the memory leak in\ndm_cache_metadata_abort when the function is called multiple times.\nSpecifically, dm-cache fails to sync the new cache object\u0027s mode during\npreresume, creating the reproducer condition.\n\nThis issue could also occur through concurrent metadata_operation_failed\ncalls due to races in cache mode updates, but the table preload scenario\nbelow provides a reliable reproducer.\n\n1. Create a cache device with some faulty trailing metadata blocks\n\ndmsetup create cmeta \u003c\u003cEOF\n0 200 linear /dev/sdc 0\n200 7992 error\nEOF\ndmsetup create cdata --table \"0 131072 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 262144 linear /dev/sdc 262144\"\ndd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct\ndmsetup create cache --table \"0 131072 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 1 writethrough smq 0\"\n\n2. Suspend and resume the cache to start a new metadata transaction and\n trigger metadata io errors on the next metadata commit.\n\ndmsetup suspend cache\ndmsetup resume cache\n\n3. Write to the cache device to update metadata\n\nfio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \\\n--randrepeat=0 --direct=1 --size 64k\n\n4. Preload the same table\n\ndmsetup reload cache --table \"$(dmsetup table cache)\"\n\n5. Resume the new table. This triggers the memory leak.\n\ndmsetup suspend cache\ndmsetup resume cache\n\nkmemleak logs:\n\n\u003csnip\u003e\nunreferenced object 0xffff8880080c2010 (size 16):\n comm \"dmsetup\", pid 132, jiffies 4294982580\n hex dump (first 16 bytes):\n 00 38 b9 07 80 88 ff ff 6a 6b 6b 6b 6b 6b 6b a5 ...\n backtrace (crc 3118f31c):\n kmemleak_alloc+0x28/0x40\n __kmalloc_cache_noprof+0x3d9/0x510\n dm_block_manager_create+0x51/0x140\n dm_cache_metadata_abort+0x85/0x320\n metadata_operation_failed+0x103/0x1e0\n cache_preresume+0xacd/0xe70\n dm_table_resume_targets+0xd3/0x320\n __dm_resume+0x1b/0xf0\n dm_resume+0x127/0x170\n\u003csnip\u003e"
}
],
"id": "CVE-2026-53060",
"lastModified": "2026-06-24T17:17:18.717",
"metrics": {},
"published": "2026-06-24T17:17:18.717",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/044ca491d4086dc5bf233e9fcb71db52df32f633"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/14f60e957f34f95a626caec76a8fae88cf4c397f"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/15c30997dca681f90dbf2d45ee629c1828bf0c0d"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/322a3b70368d49e39591fe9fc6c07d262128b05f"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/4311ca59a1891d33c4c8b7946f98c34f167fe833"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/6b97cc7a42905755c56bbddc33aa8b792205caee"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/b0bd35535bdb6f58505f3a30ee5793986943997a"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/d1a79620c419a0af1911f99c873014b30740e303"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Received"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…