7.8

CVE-2026-53062

dm cache policy smq: fix missing locks in invalidating cache blocks

In the Linux kernel, the following vulnerability has been resolved:

dm cache policy smq: fix missing locks in invalidating cache blocks

In passthrough mode, the policy invalidate_mapping operation is called
simultaneously from multiple workers, thus it should be protected by a
lock. Otherwise, we might end up with data races on the allocated blocks
counter, or even use-after-free issues with internal data structures
when doing concurrent writes.

Note that the existing FIXME in smq_invalidate_mapping() doesn't affect
passthrough mode since migration tasks don't exist there, but would need
attention if supporting fast device shrinking via suspend/resume without
target reloading.

Reproduce steps:

1. Create a cache device consisting of 1024 cache entries

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

2. Populate the cache, and record the number of cached blocks

fio --name=populate --filename=/dev/mapper/cache --rw=randwrite --bs=4k \
--size=64m --direct=1
nr_cached=$(dmsetup status cache | awk '{split($7, a, "/"); print a[1]}')

3. Reload the cache into passthrough mode

dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache

4. Write to the passthrough cache. By setting multiple jobs with I/O
   size equal to the cache block size, cache blocks are invalidated
   concurrently from different workers.

fio --filename=/dev/mapper/cache --name=test --rw=randwrite --bs=64k \
--direct=1 --numjobs=2 --randrepeat=0 --size=64m

5. Check if demoted matches cached block count. These numbers should
   match but may differ due to the data race.

nr_demoted=$(dmsetup status cache | awk '{print $12}')
echo "$nr_cached, $nr_demoted"
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < 4991b5a08751e2e82488fb93ae08849b6aea10d9
Status affected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < 1b2bec4a7dcf5f00b7a1cbeeec8997841d783513
Status affected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < 9a5fdfb9e57ec3a8ad2b8fce5e5ffa42d53b130e
Status affected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < ac5ee99443891bdb161f5539606a66a1b5e72542
Status affected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < 93627a29d4b66d4a2def938dfb8610cc80ae454b
Status affected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < c348ae47d8e65f06429fa41adce9ad986b696766
Status affected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < 2b62d0611c9af14a16bddf22df2612b4f40eb5a1
Status affected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < 2d1f7b65f5deedd2e6b09fdc6ea27f8375f24b45
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 4.12
Status affected
Version 0
Version < 4.12
Status unaffected
Version <= 5.10.*
Version 5.10.258
Status unaffected
Version <= 5.15.*
Version 5.15.209
Status unaffected
Version <= 6.1.*
Version 6.1.175
Status unaffected
Version <= 6.6.*
Version 6.6.141
Status unaffected
Version <= 6.12.*
Version 6.12.91
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.026
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/4991b5a08751e2e82488fb93ae08849b6aea10d9
https://git.kernel.org/stable/c/1b2bec4a7dcf5f00b7a1cbeeec8997841d783513
https://git.kernel.org/stable/c/9a5fdfb9e57ec3a8ad2b8fce5e5ffa42d53b130e
https://git.kernel.org/stable/c/ac5ee99443891bdb161f5539606a66a1b5e72542
https://git.kernel.org/stable/c/93627a29d4b66d4a2def938dfb8610cc80ae454b
https://git.kernel.org/stable/c/c348ae47d8e65f06429fa41adce9ad986b696766
https://git.kernel.org/stable/c/2b62d0611c9af14a16bddf22df2612b4f40eb5a1
https://git.kernel.org/stable/c/2d1f7b65f5deedd2e6b09fdc6ea27f8375f24b45