-

CVE-2026-53064

dm cache: fix null-deref with concurrent writes in passthrough mode

In the Linux kernel, the following vulnerability has been resolved:

dm cache: fix null-deref with concurrent writes in passthrough mode

In passthrough mode, when dm-cache starts to invalidate a cache
entry and bio prison cell lock fails due to concurrent write to
the same cached block, mg->cell remains NULL. The error path in
invalidate_complete() attempts to unlock and free the cell
unconditionally, causing a NULL pointer dereference:

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 134 Comm: fio Not tainted 6.19.0-rc7 #3 PREEMPT
RIP: 0010:dm_cell_unlock_v2+0x3f/0x210
<snip>
Call Trace:
 invalidate_complete+0xef/0x430
 map_bio+0x130f/0x1a10
 cache_map+0x320/0x6b0
 __map_bio+0x458/0x510
 dm_submit_bio+0x40e/0x16d0
 __submit_bio+0x419/0x870
<snip>

Reproduce steps:

1. Create a cache device

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

2. Promote the first data block into cache

fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k

3. Reload the cache into passthrough mode

dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache

4. Write to the first cached block concurrently

fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \
--randrepeat=0 --direct=1 --numjobs=2 --size 64k

Fix by checking if mg->cell is valid before attempting to unlock it.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < 01264a6a3a3ad7ac1d73443299cd5a9568002454
Status affected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < ee38fb00e1a80f46a4990e38f25ecb04ae7b7417
Status affected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < c7fb6bc864c4910b344dafa36dd5028e9b980768
Status affected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < 0aa745fea1f8dc81bcdd0a45e215b6706727b482
Status affected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < a2635d541a93fd111e743cf14b6275dc81be2abc
Status affected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < 25dcc1989c194ba2b5fb6d03cbb9b83814ac0d15
Status affected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < df3b8ef06cc62de4fca5d2108e285085b3cffd44
Status affected
Version b29d4986d0da1a27cd35917cdb433672f5c95d7f
Version < 7d1f98d668ee34c1d15bdc0420fdd062f24a27c0
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 4.12
Status affected
Version 0
Version < 4.12
Status unaffected
Version <= 5.10.*
Version 5.10.258
Status unaffected
Version <= 5.15.*
Version 5.15.209
Status unaffected
Version <= 6.1.*
Version 6.1.175
Status unaffected
Version <= 6.6.*
Version 6.6.141
Status unaffected
Version <= 6.12.*
Version 6.12.91
Status unaffected
Version <= 6.18.*
Version 6.18.33
Status unaffected
Version <= 7.0.*
Version 7.0.10
Status unaffected
Version <= *
Version 7.1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.18% 0.074
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/01264a6a3a3ad7ac1d73443299cd5a9568002454
https://git.kernel.org/stable/c/ee38fb00e1a80f46a4990e38f25ecb04ae7b7417
https://git.kernel.org/stable/c/c7fb6bc864c4910b344dafa36dd5028e9b980768
https://git.kernel.org/stable/c/0aa745fea1f8dc81bcdd0a45e215b6706727b482
https://git.kernel.org/stable/c/a2635d541a93fd111e743cf14b6275dc81be2abc
https://git.kernel.org/stable/c/25dcc1989c194ba2b5fb6d03cbb9b83814ac0d15
https://git.kernel.org/stable/c/df3b8ef06cc62de4fca5d2108e285085b3cffd44
https://git.kernel.org/stable/c/7d1f98d668ee34c1d15bdc0420fdd062f24a27c0