Home

Description

In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix damos_walk() vs kdamond_fn() exit race When kdamond_fn() main loop is finished, the function cancels remaining damos_walk() request and unset the damon_ctx->kdamond so that API callers and API functions themselves can show the context is terminated. damos_walk() adds the caller's request to the queue first. After that, it shows if the kdamond of the damon_ctx is still running (damon_ctx->kdamond is set). Only if the kdamond is running, damos_walk() starts waiting for the kdamond's handling of the newly added request. The damos_walk() requests registration and damon_ctx->kdamond unset are protected by different mutexes, though. Hence, damos_walk() could race with damon_ctx->kdamond unset, and result in deadlocks. For example, let's suppose kdamond successfully finished the damow_walk() request cancelling. Right after that, damos_walk() is called for the context. It registers the new request, and shows the context is still running, because damon_ctx->kdamond unset is not yet done. Hence the damos_walk() caller starts waiting for the handling of the request. However, the kdamond is already on the termination steps, so it never handles the new request. As a result, the damos_walk() caller thread infinitely waits. Fix this by introducing another damon_ctx field, namely walk_control_obsolete. It is protected by the damon_ctx->walk_control_lock, which protects damos_walk() request registration. Initialize (unset) it in kdamond_fn() before letting damon_start() returns and set it just before the cancelling of the remaining damos_walk() request is executed. damos_walk() reads the obsolete field under the lock and avoids adding a new request. After this change, only requests that are guaranteed to be handled or cancelled are registered. Hence the after-registration DAMON context termination check is no longer needed. Remove it together. The issue is found by sashiko [1].

PUBLISHED Reserved 2026-05-13 | Published 2026-05-27 | Updated 2026-05-27 | Assigner Linux

Product status

Default status
unaffected

bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 (git) before 0ba956a239ba6e3fae8555d3660e22e675be63b5
affected

bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 (git) before 33c3f6c2b48cd84b441dba1ee3e62290e53930f4
affected

Default status
affected

6.14
affected

Any version before 6.14
unaffected

7.0.4 (semver)
unaffected

7.1-rc1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/0ba956a239ba6e3fae8555d3660e22e675be63b5

git.kernel.org/...c/33c3f6c2b48cd84b441dba1ee3e62290e53930f4

cve.org (CVE-2026-46008)

nvd.nist.gov (CVE-2026-46008)

Download JSON