CVE-2026-53060

In the Linux kernel, the following vulnerability has been resolved:

dm cache metadata: fix memory leak on metadata abort retry

When failing to acquire the root lock in dm cache metadata abort because the block manager is read-only, the temporary block manager created outside the root lock is not properly released, causing a memory leak.

Reproduce steps:

This can be reproduced by reloading a new table while the metadata is read-only. While the second call to dm cache metadata abort is caused by lack of support for table preload in dm-cache, mentioned in commit 9b1cc9f251af ("dm cache: share cache-metadata object across inactive and active DM tables"), it exposes the memory leak in dm cache metadata abort when the function is called multiple times. Specifically, dm-cache fails to sync the new cache object's mode during preresume, creating the reproducer condition.

This issue could also occur through concurrent metadata operation failed calls due to races in cache mode updates, but the table preload scenario below provides a reliable reproducer.

dmsetup create cmeta <<EOF 0 200 linear /dev/sdc 0 200 7992 error EOF dmsetup create cdata --table "0 131072 linear /dev/sdc 8192" dmsetup create corig --table "0 262144 linear /dev/sdc 262144" dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 131072 cache /dev/mapper/cmeta /dev/mapper/cdata /dev/mapper/corig 128 1 writethrough smq 0"

dmsetup suspend cache dmsetup resume cache

fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k --randrepeat=0 --direct=1 --size 64k

dmsetup reload cache --table "$(dmsetup table cache)"

dmsetup suspend cache dmsetup resume cache

kmemleak logs: