CVE-2026-46008

Source
https://cve.org/CVERecord?id=CVE-2026-46008
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46008.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46008
Downstream
Related
Published
2026-05-27T12:56:08.315Z
Modified
2026-06-18T03:57:03.952626740Z
Summary
mm/damon/core: fix damos_walk() vs kdamond_fn() exit race
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: fix damoswalk() vs kdamondfn() exit race

When kdamondfn() main loop is finished, the function cancels remaining damoswalk() request and unset the damonctx->kdamond so that API callers and API functions themselves can show the context is terminated. damoswalk() adds the caller's request to the queue first. After that, it shows if the kdamond of the damonctx is still running (damonctx->kdamond is set). Only if the kdamond is running, damos_walk() starts waiting for the kdamond's handling of the newly added request.

The damoswalk() requests registration and damonctx->kdamond unset are protected by different mutexes, though. Hence, damoswalk() could race with damonctx->kdamond unset, and result in deadlocks.

For example, let's suppose kdamond successfully finished the damowwalk() request cancelling. Right after that, damoswalk() is called for the context. It registers the new request, and shows the context is still running, because damonctx->kdamond unset is not yet done. Hence the damoswalk() caller starts waiting for the handling of the request. However, the kdamond is already on the termination steps, so it never handles the new request. As a result, the damos_walk() caller thread infinitely waits.

Fix this by introducing another damonctx field, namely walkcontrolobsolete. It is protected by the damonctx->walkcontrollock, which protects damoswalk() request registration. Initialize (unset) it in kdamondfn() before letting damonstart() returns and set it just before the cancelling of the remaining damoswalk() request is executed. damos_walk() reads the obsolete field under the lock and avoids adding a new request.

After this change, only requests that are guaranteed to be handled or cancelled are registered. Hence the after-registration DAMON context termination check is no longer needed. Remove it together.

The issue is found by sashiko [1].

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46008.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61
Fixed
0ba956a239ba6e3fae8555d3660e22e675be63b5
Fixed
33c3f6c2b48cd84b441dba1ee3e62290e53930f4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46008.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46008.json"