GHSA-W7R8-QC4C-GQHH

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-24 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

dm cache metadata: fix memory leak on metadata abort retry

When failing to acquire the root_lock in dm_cache_metadata_abort because the block_manager is read-only, the temporary block_manager created outside the root_lock is not properly released, causing a memory leak.

Reproduce steps:

This can be reproduced by reloading a new table while the metadata is read-only. While the second call to dm_cache_metadata_abort is caused by lack of support for table preload in dm-cache, mentioned in commit 9b1cc9f251af ("dm cache: share cache-metadata object across inactive and active DM tables"), it exposes the memory leak in dm_cache_metadata_abort when the function is called multiple times. Specifically, dm-cache fails to sync the new cache object's mode during preresume, creating the reproducer condition.

This issue could also occur through concurrent metadata_operation_failed calls due to races in cache mode updates, but the table preload scenario below provides a reliable reproducer.

  1. Create a cache device with some faulty trailing metadata blocks

dmsetup create cmeta <<EOF 0 200 linear /dev/sdc 0 200 7992 error EOF dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 262144 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 131072 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 1 writethrough smq 0"

  1. Suspend and resume the cache to start a new metadata transaction and trigger metadata io errors on the next metadata commit.

dmsetup suspend cache dmsetup resume cache

  1. Write to the cache device to update metadata

fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \ --randrepeat=0 --direct=1 --size 64k

  1. Preload the same table

dmsetup reload cache --table "$(dmsetup table cache)"

  1. Resume the new table. This triggers the memory leak.

dmsetup suspend cache dmsetup resume cache

kmemleak logs:

unreferenced object 0xffff8880080c2010 (size 16): comm "dmsetup", pid 132, jiffies 4294982580 hex dump (first 16 bytes): 00 38 b9 07 80 88 ff ff 6a 6b 6b 6b 6b 6b 6b a5 ... backtrace (crc 3118f31c): kmemleak_alloc+0x28/0x40 __kmalloc_cache_noprof+0x3d9/0x510 dm_block_manager_create+0x51/0x140 dm_cache_metadata_abort+0x85/0x320 metadata_operation_failed+0x103/0x1e0 cache_preresume+0xacd/0xe70 dm_table_resume_targets+0xd3/0x320 __dm_resume+0x1b/0xf0 dm_resume+0x127/0x170

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53060"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:18Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache metadata: fix memory leak on metadata abort retry\n\nWhen failing to acquire the root_lock in dm_cache_metadata_abort because\nthe block_manager is read-only, the temporary block_manager created\noutside the root_lock is not properly released, causing a memory leak.\n\nReproduce steps:\n\nThis can be reproduced by reloading a new table while the metadata\nis read-only. While the second call to dm_cache_metadata_abort is\ncaused by lack of support for table preload in dm-cache, mentioned\nin commit 9b1cc9f251af (\"dm cache: share cache-metadata object across\ninactive and active DM tables\"), it exposes the memory leak in\ndm_cache_metadata_abort when the function is called multiple times.\nSpecifically, dm-cache fails to sync the new cache object\u0027s mode during\npreresume, creating the reproducer condition.\n\nThis issue could also occur through concurrent metadata_operation_failed\ncalls due to races in cache mode updates, but the table preload scenario\nbelow provides a reliable reproducer.\n\n1. Create a cache device with some faulty trailing metadata blocks\n\ndmsetup create cmeta \u003c\u003cEOF\n0 200 linear /dev/sdc 0\n200 7992 error\nEOF\ndmsetup create cdata --table \"0 131072 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 262144 linear /dev/sdc 262144\"\ndd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct\ndmsetup create cache --table \"0 131072 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 1 writethrough smq 0\"\n\n2. Suspend and resume the cache to start a new metadata transaction and\n   trigger metadata io errors on the next metadata commit.\n\ndmsetup suspend cache\ndmsetup resume cache\n\n3. Write to the cache device to update metadata\n\nfio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \\\n--randrepeat=0 --direct=1 --size 64k\n\n4. Preload the same table\n\ndmsetup reload cache --table \"$(dmsetup table cache)\"\n\n5. Resume the new table. This triggers the memory leak.\n\ndmsetup suspend cache\ndmsetup resume cache\n\nkmemleak logs:\n\n\u003csnip\u003e\nunreferenced object 0xffff8880080c2010 (size 16):\n  comm \"dmsetup\", pid 132, jiffies 4294982580\n  hex dump (first 16 bytes):\n    00 38 b9 07 80 88 ff ff 6a 6b 6b 6b 6b 6b 6b a5 ...\n  backtrace (crc 3118f31c):\n    kmemleak_alloc+0x28/0x40\n    __kmalloc_cache_noprof+0x3d9/0x510\n    dm_block_manager_create+0x51/0x140\n    dm_cache_metadata_abort+0x85/0x320\n    metadata_operation_failed+0x103/0x1e0\n    cache_preresume+0xacd/0xe70\n    dm_table_resume_targets+0xd3/0x320\n    __dm_resume+0x1b/0xf0\n    dm_resume+0x127/0x170\n\u003csnip\u003e",
  "id": "GHSA-w7r8-qc4c-gqhh",
  "modified": "2026-06-24T18:32:45Z",
  "published": "2026-06-24T18:32:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53060"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/044ca491d4086dc5bf233e9fcb71db52df32f633"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/14f60e957f34f95a626caec76a8fae88cf4c397f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/15c30997dca681f90dbf2d45ee629c1828bf0c0d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/322a3b70368d49e39591fe9fc6c07d262128b05f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4311ca59a1891d33c4c8b7946f98c34f167fe833"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6b97cc7a42905755c56bbddc33aa8b792205caee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b0bd35535bdb6f58505f3a30ee5793986943997a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d1a79620c419a0af1911f99c873014b30740e303"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…