dm cache policy smq: fix missing locks in invalidating cache...

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

dm cache policy smq: fix missing locks in invalidating cache blocks

In passthrough mode, the policy invalidate_mapping operation is called
simultaneously from multiple workers, thus it should be protected by a
lock. Otherwise, we might end up with data races on the allocated blocks
counter, or even use-after-free issues with internal data structures
when doing concurrent writes.

Note that the existing FIXME in smq_invalidate_mapping() doesn't affect
passthrough mode since migration tasks don't exist there, but would need
attention if supporting fast device shrinking via suspend/resume without
target reloading.

Reproduce steps:

1. Create a cache device consisting of 1024 cache entries

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

2. Populate the cache, and record the number of cached blocks

fio --name=populate --filename=/dev/mapper/cache --rw=randwrite --bs=4k \
--size=64m --direct=1
nr_cached=$(dmsetup status cache | awk '{split($7, a, "/"); print a[1]}')

3. Reload the cache into passthrough mode

dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache

4. Write to the passthrough cache. By setting multiple jobs with I/O
size equal to the cache block size, cache blocks are invalidated
concurrently from different workers.

fio --filename=/dev/mapper/cache --name=test --rw=randwrite --bs=64k \
--direct=1 --numjobs=2 --randrepeat=0 --size=64m

5. Check if demoted matches cached block count. These numbers should
match but may differ due to the data race.

nr_demoted=$(dmsetup status cache | awk '{print $12}')
echo "$nr_cached, $nr_demoted"

Basic Information

ID CVE-2026-53062

Source Linux

Published Jun 24, 2026 at 16:30

Modified Jun 28, 2026 at 06:38

Affected Product

Vendor Linux

Product Linux

Version b29d4986d0da1a27cd35917cdb433672f5c95d7f

Affected Versions Linux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f
Linux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f
Linux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f
Linux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f
Linux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f
Linux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f
Linux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f
Linux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f
Linux Linux 4.12

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache policy smq: fix missing locks in invalidating cache blocks\n\nIn passthrough mode, the policy invalidate_mapping operation is called\nsimultaneously from multiple workers, thus it should be protected by a\nlock. Otherwise, we might end up with data races on the allocated blocks\ncounter, or even use-after-free issues with internal data structures\nwhen doing concurrent writes.\n\nNote that the existing FIXME in smq_invalidate_mapping() doesn't affect\npassthrough mode since migration tasks don't exist there, but would need\nattention if supporting fast device shrinking via suspend/resume without\ntarget reloading.\n\nReproduce steps:\n\n1. Create a cache device consisting of 1024 cache entries\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 131072 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 262144 linear /dev/sdc 262144\"\ndd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct\ndmsetup create cache --table \"0 262144 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\n\n2. Populate the cache, and record the number of cached blocks\n\nfio --name=populate --filename=/dev/mapper/cache --rw=randwrite --bs=4k \\\n--size=64m --direct=1\nnr_cached=$(dmsetup status cache | awk '{split($7, a, \"/\"); print a[1]}')\n\n3. Reload the cache into passthrough mode\n\ndmsetup suspend cache\ndmsetup reload cache --table \"0 262144 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0\"\ndmsetup resume cache\n\n4. Write to the passthrough cache. By setting multiple jobs with I/O\n   size equal to the cache block size, cache blocks are invalidated\n   concurrently from different workers.\n\nfio --filename=/dev/mapper/cache --name=test --rw=randwrite --bs=64k \\\n--direct=1 --numjobs=2 --randrepeat=0 --size=64m\n\n5. Check if demoted matches cached block count. These numbers should\n   match but may differ due to the data race.\n\nnr_demoted=$(dmsetup status cache | awk '{print $12}')\necho \"$nr_cached, $nr_demoted\"",
    "published": "2026-06-24T16:30:06.189Z",
    "modified": "2026-06-28T06:38:50.387Z",
    "type": "cve",
    "title": "dm cache policy smq: fix missing locks in invalidating cache blocks",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/4991b5a08751e2e82488fb93ae08849b6aea10d9\nhttps://git.kernel.org/stable/c/1b2bec4a7dcf5f00b7a1cbeeec8997841d783513\nhttps://git.kernel.org/stable/c/9a5fdfb9e57ec3a8ad2b8fce5e5ffa42d53b130e\nhttps://git.kernel.org/stable/c/ac5ee99443891bdb161f5539606a66a1b5e72542\nhttps://git.kernel.org/stable/c/93627a29d4b66d4a2def938dfb8610cc80ae454b\nhttps://git.kernel.org/stable/c/c348ae47d8e65f06429fa41adce9ad986b696766\nhttps://git.kernel.org/stable/c/2b62d0611c9af14a16bddf22df2612b4f40eb5a1\nhttps://git.kernel.org/stable/c/2d1f7b65f5deedd2e6b09fdc6ea27f8375f24b45",
    "id": "CVE-2026-53062",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f\nLinux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f\nLinux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f\nLinux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f\nLinux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f\nLinux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f\nLinux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f\nLinux Linux b29d4986d0da1a27cd35917cdb433672f5c95d7f\nLinux Linux 4.12",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "b29d4986d0da1a27cd35917cdb433672f5c95d7f",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

dm cache policy smq: fix missing locks in invalidating cache blocks_CVE-2026-53062

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply