In the Linux kernel, the following vulnerability has been resolved: dm cache metadata: fix...
🔗 CVE IDs covered (1)
📋 Description
In the Linux kernel, the following vulnerability has been resolved:
dm cache metadata: fix memory leak on metadata abort retry
When failing to acquire the root_lock in dm_cache_metadata_abort because the block_manager is read-only, the temporary block_manager created outside the root_lock is not properly released, causing a memory leak.
Reproduce steps:
This can be reproduced by reloading a new table while the metadata is read-only. While the second call to dm_cache_metadata_abort is caused by lack of support for table preload in dm-cache, mentioned in commit 9b1cc9f251af ("dm cache: share cache-metadata object across inactive and active DM tables"), it exposes the memory leak in dm_cache_metadata_abort when the function is called multiple times. Specifically, dm-cache fails to sync the new cache object's mode during preresume, creating the reproducer condition.
This issue could also occur through concurrent metadata_operation_failed calls due to races in cache mode updates, but the table preload scenario below provides a reliable reproducer.
- Create a cache device with some faulty trailing metadata blocks
dmsetup create cmeta <<EOF
0 200 linear /dev/sdc 0
200 7992 error
EOF
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 131072 cache /dev/mapper/cmeta
/dev/mapper/cdata /dev/mapper/corig 128 1 writethrough smq 0"
- Suspend and resume the cache to start a new metadata transaction and trigger metadata io errors on the next metadata commit.
dmsetup suspend cache dmsetup resume cache
- Write to the cache device to update metadata
fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k
--randrepeat=0 --direct=1 --size 64k
- Preload the same table
dmsetup reload cache --table "$(dmsetup table cache)"
- Resume the new table. This triggers the memory leak.
dmsetup suspend cache dmsetup resume cache
kmemleak logs:
🔗 References (10)
- https://nvd.nist.gov/vuln/detail/CVE-2026-53060
- https://git.kernel.org/stable/c/044ca491d4086dc5bf233e9fcb71db52df32f633
- https://git.kernel.org/stable/c/14f60e957f34f95a626caec76a8fae88cf4c397f
- https://git.kernel.org/stable/c/15c30997dca681f90dbf2d45ee629c1828bf0c0d
- https://git.kernel.org/stable/c/322a3b70368d49e39591fe9fc6c07d262128b05f
- https://git.kernel.org/stable/c/4311ca59a1891d33c4c8b7946f98c34f167fe833
- https://git.kernel.org/stable/c/6b97cc7a42905755c56bbddc33aa8b792205caee
- https://git.kernel.org/stable/c/b0bd35535bdb6f58505f3a30ee5793986943997a
- https://git.kernel.org/stable/c/d1a79620c419a0af1911f99c873014b30740e303
- https://github.com/advisories/GHSA-w7r8-qc4c-gqhh