dm cache: fix null-deref with concurrent writes in passthrough mode
Summary
| CVE | CVE-2026-53064 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 17:17:19 UTC |
| Updated | 2026-07-14 15:26:52 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: dm cache: fix null-deref with concurrent writes in passthrough mode In passthrough mode, when dm-cache starts to invalidate a cache entry and bio prison cell lock fails due to concurrent write to the same cached block, mg->cell remains NULL. The error path in invalidate_complete() attempts to unlock and free the cell unconditionally, causing a NULL pointer dereference: KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 UID: 0 PID: 134 Comm: fio Not tainted 6.19.0-rc7 #3 PREEMPT RIP: 0010:dm_cell_unlock_v2+0x3f/0x210 <snip> Call Trace: invalidate_complete+0xef/0x430 map_bio+0x130f/0x1a10 cache_map+0x320/0x6b0 __map_bio+0x458/0x510 dm_submit_bio+0x40e/0x16d0 __submit_bio+0x419/0x870 <snip> Reproduce steps: 1. Create a cache device dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 262144 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" 2. Promote the first data block into cache fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \ --direct=1 --size=64k 3. Reload the cache into passthrough mode dmsetup suspend cache dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0" dmsetup resume cache 4. Write to the first cached block concurrently fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \ --randrepeat=0 --direct=1 --numjobs=2 --size 64k Fix by checking if mg->cell is valid before attempting to unlock it. |
Risk And Classification
EPSS: 0.001760000 probability, percentile 0.073390000 (date 2026-07-14)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected b29d4986d0da1a27cd35917cdb433672f5c95d7f 01264a6a3a3ad7ac1d73443299cd5a9568002454 git | Not specified |
| CNA | Linux | Linux | affected b29d4986d0da1a27cd35917cdb433672f5c95d7f ee38fb00e1a80f46a4990e38f25ecb04ae7b7417 git | Not specified |
| CNA | Linux | Linux | affected b29d4986d0da1a27cd35917cdb433672f5c95d7f c7fb6bc864c4910b344dafa36dd5028e9b980768 git | Not specified |
| CNA | Linux | Linux | affected b29d4986d0da1a27cd35917cdb433672f5c95d7f 0aa745fea1f8dc81bcdd0a45e215b6706727b482 git | Not specified |
| CNA | Linux | Linux | affected b29d4986d0da1a27cd35917cdb433672f5c95d7f a2635d541a93fd111e743cf14b6275dc81be2abc git | Not specified |
| CNA | Linux | Linux | affected b29d4986d0da1a27cd35917cdb433672f5c95d7f 25dcc1989c194ba2b5fb6d03cbb9b83814ac0d15 git | Not specified |
| CNA | Linux | Linux | affected b29d4986d0da1a27cd35917cdb433672f5c95d7f df3b8ef06cc62de4fca5d2108e285085b3cffd44 git | Not specified |
| CNA | Linux | Linux | affected b29d4986d0da1a27cd35917cdb433672f5c95d7f 7d1f98d668ee34c1d15bdc0420fdd062f24a27c0 git | Not specified |
| CNA | Linux | Linux | affected 4.12 | Not specified |
| CNA | Linux | Linux | unaffected 4.12 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.258 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.175 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.141 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.91 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.33 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.10 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/01264a6a3a3ad7ac1d73443299cd5a9568002454 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/25dcc1989c194ba2b5fb6d03cbb9b83814ac0d15 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/ee38fb00e1a80f46a4990e38f25ecb04ae7b7417 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/0aa745fea1f8dc81bcdd0a45e215b6706727b482 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/a2635d541a93fd111e743cf14b6275dc81be2abc | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/7d1f98d668ee34c1d15bdc0420fdd062f24a27c0 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/df3b8ef06cc62de4fca5d2108e285085b3cffd44 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/c7fb6bc864c4910b344dafa36dd5028e9b980768 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.