-

CVE-2026-53060

dm cache metadata: fix memory leak on metadata abort retry

In the Linux kernel, the following vulnerability has been resolved:

dm cache metadata: fix memory leak on metadata abort retry

When failing to acquire the root_lock in dm_cache_metadata_abort because
the block_manager is read-only, the temporary block_manager created
outside the root_lock is not properly released, causing a memory leak.

Reproduce steps:

This can be reproduced by reloading a new table while the metadata
is read-only. While the second call to dm_cache_metadata_abort is
caused by lack of support for table preload in dm-cache, mentioned
in commit 9b1cc9f251af ("dm cache: share cache-metadata object across
inactive and active DM tables"), it exposes the memory leak in
dm_cache_metadata_abort when the function is called multiple times.
Specifically, dm-cache fails to sync the new cache object's mode during
preresume, creating the reproducer condition.

This issue could also occur through concurrent metadata_operation_failed
calls due to races in cache mode updates, but the table preload scenario
below provides a reliable reproducer.

1. Create a cache device with some faulty trailing metadata blocks

dmsetup create cmeta <<EOF
0 200 linear /dev/sdc 0
200 7992 error
EOF
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 131072 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 1 writethrough smq 0"

2. Suspend and resume the cache to start a new metadata transaction and
   trigger metadata io errors on the next metadata commit.

dmsetup suspend cache
dmsetup resume cache

3. Write to the cache device to update metadata

fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \
--randrepeat=0 --direct=1 --size 64k

4. Preload the same table

dmsetup reload cache --table "$(dmsetup table cache)"

5. Resume the new table. This triggers the memory leak.

dmsetup suspend cache
dmsetup resume cache

kmemleak logs:

<snip>
unreferenced object 0xffff8880080c2010 (size 16):
  comm "dmsetup", pid 132, jiffies 4294982580
  hex dump (first 16 bytes):
    00 38 b9 07 80 88 ff ff 6a 6b 6b 6b 6b 6b 6b a5 ...
  backtrace (crc 3118f31c):
    kmemleak_alloc+0x28/0x40
    __kmalloc_cache_noprof+0x3d9/0x510
    dm_block_manager_create+0x51/0x140
    dm_cache_metadata_abort+0x85/0x320
    metadata_operation_failed+0x103/0x1e0
    cache_preresume+0xacd/0xe70
    dm_table_resume_targets+0xd3/0x320
    __dm_resume+0x1b/0xf0
    dm_resume+0x127/0x170
<snip>
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version b45e77b79215405bd039a690f5b06cc03e8ed27d
Version < 14f60e957f34f95a626caec76a8fae88cf4c397f
Status affected
Version 28d307f380df88a598bc0186d527462902d9bda1
Version < 6b97cc7a42905755c56bbddc33aa8b792205caee
Status affected
Version f74b7c5a85e22cd9091845e0d62a1dd89d0f855f
Version < d1a79620c419a0af1911f99c873014b30740e303
Status affected
Version 352b837a5541690d4f843819028cf2b8be83d424
Version < 15c30997dca681f90dbf2d45ee629c1828bf0c0d
Status affected
Version 352b837a5541690d4f843819028cf2b8be83d424
Version < b0bd35535bdb6f58505f3a30ee5793986943997a
Status affected
Version 352b837a5541690d4f843819028cf2b8be83d424
Version < 322a3b70368d49e39591fe9fc6c07d262128b05f
Status affected
Version 352b837a5541690d4f843819028cf2b8be83d424
Version < 4311ca59a1891d33c4c8b7946f98c34f167fe833
Status affected
Version 352b837a5541690d4f843819028cf2b8be83d424
Version < 044ca491d4086dc5bf233e9fcb71db52df32f633
Status affected
Version 6e237cacda8b4e976849e7bff9fe7dff0e968586
Status affected
Version 3972ae47d0ee9b5b434af5d0cca6cdfd1e239d4f
Status affected
Version 9958f5ffc44530b650fb4cc9038a4d167fa4f5c1
Status affected
Version f472bfc95d9c9653172dbdad39219b32fabf9b92
Status affected
Version bdd4e106929ac943f3226d8f03754b480701e97b
Status affected
Version 5.10.163
Version < 5.10.258
Status affected
Version 5.15.87
Version < 5.15.209
Status affected
Version 6.1.4
Version < 6.1.175
Status affected
Version 4.9.337
Version < 4.10
Status affected
Version 4.14.303
Version < 4.15
Status affected
Version 4.19.270
Version < 4.20
Status affected
Version 5.4.229
Version < 5.5
Status affected
Version 6.0.18
Version < 6.1
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 6.2
Status affected
Version 0
Version < 6.2
Status unaffected
Version <= 5.10.*
Version 5.10.258
Status unaffected
Version <= 5.15.*
Version 5.15.209
Status unaffected
Version <= 6.1.*
Version 6.1.175
Status unaffected
Version <= 6.6.*
Version 6.6.141
Status unaffected
Version <= 6.12.*
Version 6.12.91
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.18% 0.082
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/14f60e957f34f95a626caec76a8fae88cf4c397f
https://git.kernel.org/stable/c/6b97cc7a42905755c56bbddc33aa8b792205caee
https://git.kernel.org/stable/c/d1a79620c419a0af1911f99c873014b30740e303
https://git.kernel.org/stable/c/15c30997dca681f90dbf2d45ee629c1828bf0c0d
https://git.kernel.org/stable/c/b0bd35535bdb6f58505f3a30ee5793986943997a
https://git.kernel.org/stable/c/322a3b70368d49e39591fe9fc6c07d262128b05f
https://git.kernel.org/stable/c/4311ca59a1891d33c4c8b7946f98c34f167fe833
https://git.kernel.org/stable/c/044ca491d4086dc5bf233e9fcb71db52df32f633