CVE-2026-46025

Source
https://cve.org/CVERecord?id=CVE-2026-46025
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46025.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46025
Downstream
Related
Published
2026-05-27T12:56:31.784Z
Modified
2026-06-18T03:55:30.099056045Z
Summary
mm/damon/core: fix damon_call() vs kdamond_fn() exit race
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: fix damoncall() vs kdamondfn() exit race

Patch series "mm/damon/core: fix damoncall()/damoswalk() vs kdmond exit race".

damoncall() and damoswalk() can leak memory and/or deadlock when they race with kdamond terminations. Fix those.

This patch (of 2);

When kdamondfn() main loop is finished, the function cancels all remaining damoncall() requests and unset the damonctx->kdamond so that API callers and API functions themselves can know the context is terminated. damoncall() adds the caller's request to the queue first. After that, it shows if the kdamond of the damonctx is still running (damonctx->kdamond is set). Only if the kdamond is running, damon_call() starts waiting for the kdamond's handling of the newly added request.

The damoncall() requests registration and damonctx->kdamond unset are protected by different mutexes, though. Hence, damoncall() could race with damonctx->kdamond unset, and result in deadlocks.

For example, let's suppose kdamond successfully finished the damoncall() requests cancelling. Right after that, damoncall() is called for the context. It registers the new request, and shows the context is still running, because damonctx->kdamond unset is not yet done. Hence the damoncall() caller starts waiting for the handling of the request. However, the kdamond is already on the termination steps, so it never handles the new request. As a result, the damon_call() caller threads infinitely waits.

Fix this by introducing another damonctx field, namely callcontrolsobsolete. It is protected by the damonctx->callcontrolslock, which protects damoncall() requests registration. Initialize (unset) it in kdamondfn() before letting damonstart() returns and set it just before the cancelling of remaining damoncall() requests is executed. damon_call() reads the obsolete field under the lock and avoids adding a new request.

After this change, only requests that are guaranteed to be handled or cancelled are registered. Hence the after-registration DAMON context termination check is no longer needed. Remove it together.

Note that the deadlock will not happen when damoncall() is called for repeat mode request. In tis case, damoncall() returns instead of waiting for the handling when the request registration succeeds and it shows the kdamond is running. However, if the request also has dealloconcancel, the request memory would be leaked.

The issue is found by sashiko [1].

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46025.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
42b7491af14cbba2393329ce43d508a957bd94fa
Fixed
2691332ad88b57179c38653e2cd613d5820a52cf
Fixed
e6a053a6f4b5048746c49432a5cc5b79fe4695fe
Fixed
55da81663b9642dd046b26dd6f1baddbcf337c1e

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46025.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
6.18.27
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46025.json"