CVE-2026-53062
Received - Intake
Race Condition in Linux Kernel dm-cache SMQ Policy

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

dm cache policy smq: fix missing locks in invalidating cache blocks

In passthrough mode, the policy invalidate_mapping operation is called simultaneously from multiple workers, thus it should be protected by a lock. Otherwise, we might end up with data races on the allocated blocks counter, or even use-after-free issues with internal data structures when doing concurrent writes.

Note that the existing FIXME in smq_invalidate_mapping() doesn't affect passthrough mode since migration tasks don't exist there, but would need attention if supporting fast device shrinking via suspend/resume without target reloading.

Reproduce steps:

1. Create a cache device consisting of 1024 cache entries

    dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
    dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
    dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
    dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
    dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
    /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

2. Populate the cache, and record the number of cached blocks

    fio --name=populate --filename=/dev/mapper/cache --rw=randwrite --bs=4k \
    --size=64m --direct=1
    nr_cached=$(dmsetup status cache | awk '{split($7, a, "/"); print a[1]}')

3. Reload the cache into passthrough mode

    dmsetup suspend cache
    dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
    /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
    dmsetup resume cache

4. Write to the passthrough cache. By setting multiple jobs with I/O size equal to the cache block size, cache blocks are invalidated concurrently from different workers.

    fio --filename=/dev/mapper/cache --name=test --rw=randwrite --bs=64k \
    --direct=1 --numjobs=2 --randrepeat=0 --size=64m

5. Check if demoted matches cached block count. These numbers should match but may differ due to the data race.

    nr_demoted=$(dmsetup status cache | awk '{print $12}')
    echo "$nr_cached, $nr_demoted"

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux_kernel | linux_kernel | *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's dm cache policy smq, specifically related to missing locks when invalidating cache blocks in passthrough mode.

In passthrough mode, the invalidate_mapping operation can be called simultaneously from multiple workers without proper locking, which can cause data races on the allocated blocks counter or use-after-free issues with internal data structures during concurrent writes.

The problem arises because multiple workers may invalidate cache blocks at the same time, leading to unsafe concurrent access to shared data structures.

Impact Analysis

This vulnerability can lead to data corruption or system instability due to data races and use-after-free conditions when multiple workers invalidate cache blocks concurrently.

Such issues could cause unexpected behavior in the caching mechanism, potentially resulting in loss of data integrity or crashes in systems relying on the dm cache policy smq in passthrough mode.

Detection Guidance

This vulnerability can be detected by reproducing the conditions that trigger the data races and use-after-free issues in the dm cache policy smq in passthrough mode. The following steps and commands can be used to detect it:

  • Create a cache device with 1024 cache entries using dmsetup commands:
      dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
      dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
      dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
      dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
      dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
  • Populate the cache and record the number of cached blocks using fio and dmsetup status:
      fio --name=populate --filename=/dev/mapper/cache --rw=randwrite --bs=4k --size=64m --direct=1
      nr_cached=$(dmsetup status cache | awk '{split($7, a, "/"); print a[1]}')
  • Reload the cache into passthrough mode:
      dmsetup suspend cache
      dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
      dmsetup resume cache
  • Write to the passthrough cache with multiple jobs to cause concurrent invalidation:
      fio --filename=/dev/mapper/cache --name=test --rw=randwrite --bs=64k --direct=1 --numjobs=2 --randrepeat=0 --size=64m
  • Check if the number of demoted blocks matches the cached blocks (they may differ if the vulnerability is present):
      nr_demoted=$(dmsetup status cache | awk '{print $12}')
      echo "$nr_cached, $nr_demoted"

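The final comparison can be scripted so a test run yields a pass/fail result instead of two numbers to eyeball. The sketch below is an added example, not part of the kernel commit or of this page's tooling; the function names are hypothetical and the three status lines are constructed samples laid out like the `dmsetup status` fields the commands above read ($7 and $12).

```shell
#!/bin/sh
# Added example: evaluate the final reproducer check from two `dmsetup status` lines.
# dm-cache status fields (1-based, matching the page's awk commands):
#   3 = target name, 7 = used/total cache blocks, 12 = demotions,
#   15 = number of features, 16.. = feature names (metadata2, passthrough, ...)

# Constructed sample lines (not captured from a real device).
BEFORE='0 262144 cache 8 27/1024 128 1024/1024 0 0 0 16384 0 1024 0 2 metadata2 writethrough 2 migration_threshold 2048 smq 0 rw -'
AFTER_GOOD='0 262144 cache 8 27/1024 128 0/1024 0 0 0 2048 1024 0 0 2 metadata2 passthrough 2 migration_threshold 2048 smq 0 rw -'
AFTER_RACY='0 262144 cache 8 27/1024 128 0/1024 0 0 0 2048 1021 0 0 2 metadata2 passthrough 2 migration_threshold 2048 smq 0 rw -'

# Print "<used cache blocks> <demotions> <io mode>"; exit 2 if not a cache line.
parse_cache_status() {
    printf '%s\n' "$1" | awk '
        $3 != "cache" || NF < 15 { exit 2 }
        {
            split($7, blocks, "/")
            mode = "unknown"
            for (i = 16; i < 16 + $15 && i <= NF; i++)
                if ($i ~ /^(writeback|writethrough|passthrough)$/) mode = $i
            print blocks[1], $12, mode
        }'
}

# $1 = status taken before the passthrough reload, $2 = status after the
# concurrent writes. Returns 0 = counts match, 1 = mismatch, 2 = unusable input.
check_invalidation() {
    before=$(parse_cache_status "$1") || return 2
    after=$(parse_cache_status "$2") || return 2
    set -- $before $after
    [ $# -eq 6 ] || return 2
    nr_cached=$1 nr_demoted=$5
    [ "$6" = "passthrough" ] || return 2   # second sample must be from passthrough mode
    if [ "$nr_cached" -eq "$nr_demoted" ]; then
        echo "OK cached=$nr_cached demoted=$nr_demoted"
    else
        echo "MISMATCH cached=$nr_cached demoted=$nr_demoted"
        return 1
    fi
}

check_invalidation "$BEFORE" "$AFTER_GOOD"
check_invalidation "$BEFORE" "$AFTER_RACY" || echo "counter drift: kernel may lack the locking fix"
```

On a test host, pass the output of `dmsetup status cache` captured before the reload and after the second fio run in place of the sample variables.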
Mitigation Strategies

The provided information does not specify explicit immediate mitigation steps. However, since the vulnerability involves missing locks in the dm cache policy smq in passthrough mode, a general mitigation approach would be to avoid using passthrough mode for the cache policy until a patch or fix is applied.

Additionally, applying the updated Linux kernel version that includes the fix for this vulnerability is recommended to prevent data races and use-after-free issues.
