CVE-2026-53062

Summary

In the Linux kernel, the following vulnerability has been resolved:

dm cache policy smq: fix missing locks in invalidating cache blocks

In passthrough mode, the policy invalidate_mapping operation is called simultaneously from multiple workers, thus it should be protected by a lock. Otherwise, we might end up with data races on the allocated blocks counter, or even use-after-free issues with internal data structures when doing concurrent writes.

Note that the existing FIXME in smq_invalidate_mapping() doesn't affect passthrough mode since migration tasks don't exist there, but would need attention if supporting fast device shrinking via suspend/resume without target reloading.

Reproduce steps:

  1. Create a cache device consisting of 1024 cache entries

dmsetup create cmeta –table "0 8192 linear /dev/sdc 0" dmsetup create cdata –table "0 131072 linear /dev/sdc 8192" dmsetup create corig –table "0 262144 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache –table "0 262144 cache /dev/mapper/cmeta
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

  1. Populate the cache, and record the number of cached blocks

fio –name=populate –filename=/dev/mapper/cache –rw=randwrite –bs=4k
–size=64m –direct=1 nr_cached=$(dmsetup status cache | awk '{split($7, a, "/"); print a[1]}')

  1. Reload the cache into passthrough mode

dmsetup suspend cache dmsetup reload cache –table "0 262144 cache /dev/mapper/cmeta
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0" dmsetup resume cache

  1. Write to the passthrough cache. By setting multiple jobs with I/O size equal to the cache block size, cache blocks are invalidated concurrently from different workers.

fio –filename=/dev/mapper/cache –name=test –rw=randwrite –bs=64k
–direct=1 –numjobs=2 –randrepeat=0 –size=64m

  1. Check if demoted matches cached block count. These numbers should match but may differ due to the data race.

nr_demoted=$(dmsetup status cache | awk '{print $12}') echo "$nr_cached, $nr_demoted"

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxb29d4986d0da1a27cd35917cdb433672f5c95d7f < 4991b5a08751e2e82488fb93ae08849b6aea10d9affected
LinuxLinuxb29d4986d0da1a27cd35917cdb433672f5c95d7f < 1b2bec4a7dcf5f00b7a1cbeeec8997841d783513affected
LinuxLinuxb29d4986d0da1a27cd35917cdb433672f5c95d7f < 9a5fdfb9e57ec3a8ad2b8fce5e5ffa42d53b130eaffected
LinuxLinuxb29d4986d0da1a27cd35917cdb433672f5c95d7f < ac5ee99443891bdb161f5539606a66a1b5e72542affected
LinuxLinuxb29d4986d0da1a27cd35917cdb433672f5c95d7f < 93627a29d4b66d4a2def938dfb8610cc80ae454baffected
LinuxLinuxb29d4986d0da1a27cd35917cdb433672f5c95d7f < c348ae47d8e65f06429fa41adce9ad986b696766affected
LinuxLinuxb29d4986d0da1a27cd35917cdb433672f5c95d7f < 2b62d0611c9af14a16bddf22df2612b4f40eb5a1affected
LinuxLinuxb29d4986d0da1a27cd35917cdb433672f5c95d7f < 2d1f7b65f5deedd2e6b09fdc6ea27f8375f24b45affected
LinuxLinux4.12affected
LinuxLinux0 < 4.12unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.141 <= 6.6.*unaffected
LinuxLinux6.12.91 <= 6.12.*unaffected
LinuxLinux6.18.33 <= 6.18.*unaffected
LinuxLinux7.0.10 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References