dm cache metadata: fix memory leak on metadata abort retry
Summary
| CVE | CVE-2026-53060 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 17:17:18 UTC |
| Updated | 2026-06-24 17:17:18 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: dm cache metadata: fix memory leak on metadata abort retry When failing to acquire the root_lock in dm_cache_metadata_abort because the block_manager is read-only, the temporary block_manager created outside the root_lock is not properly released, causing a memory leak. Reproduce steps: This can be reproduced by reloading a new table while the metadata is read-only. While the second call to dm_cache_metadata_abort is caused by lack of support for table preload in dm-cache, mentioned in commit 9b1cc9f251af ("dm cache: share cache-metadata object across inactive and active DM tables"), it exposes the memory leak in dm_cache_metadata_abort when the function is called multiple times. Specifically, dm-cache fails to sync the new cache object's mode during preresume, creating the reproducer condition. This issue could also occur through concurrent metadata_operation_failed calls due to races in cache mode updates, but the table preload scenario below provides a reliable reproducer. 1. Create a cache device with some faulty trailing metadata blocks dmsetup create cmeta <<EOF 0 200 linear /dev/sdc 0 200 7992 error EOF dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 262144 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 131072 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 1 writethrough smq 0" 2. Suspend and resume the cache to start a new metadata transaction and trigger metadata io errors on the next metadata commit. dmsetup suspend cache dmsetup resume cache 3. Write to the cache device to update metadata fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \ --randrepeat=0 --direct=1 --size 64k 4. Preload the same table dmsetup reload cache --table "$(dmsetup table cache)" 5. Resume the new table. This triggers the memory leak. dmsetup suspend cache dmsetup resume cache kmemleak logs: <snip> unreferenced object 0xffff8880080c2010 (size 16): comm "dmsetup", pid 132, jiffies 4294982580 hex dump (first 16 bytes): 00 38 b9 07 80 88 ff ff 6a 6b 6b 6b 6b 6b 6b a5 ... backtrace (crc 3118f31c): kmemleak_alloc+0x28/0x40 __kmalloc_cache_noprof+0x3d9/0x510 dm_block_manager_create+0x51/0x140 dm_cache_metadata_abort+0x85/0x320 metadata_operation_failed+0x103/0x1e0 cache_preresume+0xacd/0xe70 dm_table_resume_targets+0xd3/0x320 __dm_resume+0x1b/0xf0 dm_resume+0x127/0x170 <snip> |
Risk And Classification
EPSS: 0.001840000 probability, percentile 0.081780000 (date 2026-06-25)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected b45e77b79215405bd039a690f5b06cc03e8ed27d 14f60e957f34f95a626caec76a8fae88cf4c397f git | Not specified |
| CNA | Linux | Linux | affected 28d307f380df88a598bc0186d527462902d9bda1 6b97cc7a42905755c56bbddc33aa8b792205caee git | Not specified |
| CNA | Linux | Linux | affected f74b7c5a85e22cd9091845e0d62a1dd89d0f855f d1a79620c419a0af1911f99c873014b30740e303 git | Not specified |
| CNA | Linux | Linux | affected 352b837a5541690d4f843819028cf2b8be83d424 15c30997dca681f90dbf2d45ee629c1828bf0c0d git | Not specified |
| CNA | Linux | Linux | affected 352b837a5541690d4f843819028cf2b8be83d424 b0bd35535bdb6f58505f3a30ee5793986943997a git | Not specified |
| CNA | Linux | Linux | affected 352b837a5541690d4f843819028cf2b8be83d424 322a3b70368d49e39591fe9fc6c07d262128b05f git | Not specified |
| CNA | Linux | Linux | affected 352b837a5541690d4f843819028cf2b8be83d424 4311ca59a1891d33c4c8b7946f98c34f167fe833 git | Not specified |
| CNA | Linux | Linux | affected 352b837a5541690d4f843819028cf2b8be83d424 044ca491d4086dc5bf233e9fcb71db52df32f633 git | Not specified |
| CNA | Linux | Linux | affected 6e237cacda8b4e976849e7bff9fe7dff0e968586 git | Not specified |
| CNA | Linux | Linux | affected 3972ae47d0ee9b5b434af5d0cca6cdfd1e239d4f git | Not specified |
| CNA | Linux | Linux | affected 9958f5ffc44530b650fb4cc9038a4d167fa4f5c1 git | Not specified |
| CNA | Linux | Linux | affected f472bfc95d9c9653172dbdad39219b32fabf9b92 git | Not specified |
| CNA | Linux | Linux | affected bdd4e106929ac943f3226d8f03754b480701e97b git | Not specified |
| CNA | Linux | Linux | affected 5.10.163 5.10.258 semver | Not specified |
| CNA | Linux | Linux | affected 5.15.87 5.15.209 semver | Not specified |
| CNA | Linux | Linux | affected 6.1.4 6.1.175 semver | Not specified |
| CNA | Linux | Linux | affected 4.9.337 4.10 semver | Not specified |
| CNA | Linux | Linux | affected 4.14.303 4.15 semver | Not specified |
| CNA | Linux | Linux | affected 4.19.270 4.20 semver | Not specified |
| CNA | Linux | Linux | affected 5.4.229 5.5 semver | Not specified |
| CNA | Linux | Linux | affected 6.0.18 6.1 semver | Not specified |
| CNA | Linux | Linux | affected 6.2 | Not specified |
| CNA | Linux | Linux | unaffected 6.2 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.258 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.175 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.141 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.91 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.33 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.10 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/322a3b70368d49e39591fe9fc6c07d262128b05f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/14f60e957f34f95a626caec76a8fae88cf4c397f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/b0bd35535bdb6f58505f3a30ee5793986943997a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/15c30997dca681f90dbf2d45ee629c1828bf0c0d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/d1a79620c419a0af1911f99c873014b30740e303 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/044ca491d4086dc5bf233e9fcb71db52df32f633 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/6b97cc7a42905755c56bbddc33aa8b792205caee | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/4311ca59a1891d33c4c8b7946f98c34f167fe833 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.