CVE-2026-46008
Description
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/core: fix damos_walk() vs kdamond_fn() exit race
When kdamond_fn() main loop is finished, the function cancels remaining damos_walk() request and unset the damon_ctx->kdamond so that API callers and API functions themselves can show the context is terminated. damos_walk() adds the caller's request to the queue first. After that, it shows if the kdamond of the damon_ctx is still running (damon_ctx->kdamond is set). Only if the kdamond is running, damos_walk() starts waiting for the kdamond's handling of the newly added request.
The damos_walk() requests registration and damon_ctx->kdamond unset are protected by different mutexes, though. Hence, damos_walk() could race with damon_ctx->kdamond unset, and result in deadlocks.
For example, let's suppose kdamond successfully finished the damow_walk() request cancelling. Right after that, damos_walk() is called for the context. It registers the new request, and shows the context is still running, because damon_ctx->kdamond unset is not yet done. Hence the damos_walk() caller starts waiting for the handling of the request. However, the kdamond is already on the termination steps, so it never handles the new request. As a result, the damos_walk() caller thread infinitely waits.
Fix this by introducing another damon_ctx field, namely walk_control_obsolete. It is protected by the damon_ctx->walk_control_lock, which protects damos_walk() request registration. Initialize (unset) it in kdamond_fn() before letting damon_start() returns and set it just before the cancelling of the remaining damos_walk() request is executed. damos_walk() reads the obsolete field under the lock and avoids adding a new request.
After this change, only requests that are guaranteed to be handled or cancelled are registered. Hence the after-registration DAMON context termination check is no longer needed. Remove it together.
The issue is found by sashiko [1].
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's DAMON subsystem between damos_walk() and kdamond_fn() exit can cause a deadlock, fixed by adding a walk_control_obsolete field.
Vulnerability
In the Linux kernel's mm/damon/core.c, a race condition exists between the damos_walk() function and the kdamond_fn() main loop exit. When kdamond_fn() finishes, it cancels pending damos_walk() requests and unsets damon_ctx->kdamond. However, damos_walk() registers a new request under one mutex and checks damon_ctx->kdamond under a different mutex. This allows a scenario where damos_walk() sees the kdamond as still running after the kdamond has already terminated, causing the caller to wait indefinitely for a request that will never be handled. The issue affects all kernel versions with DAMON support prior to the fix commit [1].
Exploitation
An attacker with local access and the ability to invoke DAMON operations (e.g., via the DAMON sysfs interface or debugfs) can trigger the race by calling damos_walk() while the kdamond thread is in the process of terminating. No special privileges beyond the ability to interact with DAMON are required. The race window is small but can be reliably exploited by repeatedly invoking the operations.
Impact
Successful exploitation results in a deadlock, causing the calling thread to hang indefinitely. This leads to a denial of service (DoS) condition on the affected system. There is no evidence of privilege escalation or information disclosure.
Mitigation
The vulnerability is fixed in the Linux kernel by commit [1], which introduces a new damon_ctx field walk_control_obsolete to prevent registration of new requests after termination has begun. Users should update to a kernel version containing this commit. No workaround is available for unpatched kernels.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
40ba956a239bamm/damon/core: fix damos_walk() vs kdamond_fn() exit race
4 files changed · +30 −16
include/linux/damon.h+1 −0 modifieddiff --git a/include/linux/damon.h b/include/linux/damon.h index fe4fc20e6db9df..d94d965103e1ac 100644 --- a/include/linux/damon.h +++ b/include/linux/damon.h @@ -809,6 +809,7 @@ struct damon_ctx { struct mutex call_controls_lock; struct damos_walk_control *walk_control; + bool walk_control_obsolete; struct mutex walk_control_lock; /*
include/linux/damon.h+1 −0 modifieddiff --git a/include/linux/damon.h b/include/linux/damon.h index fe4fc20e6db9df..d94d965103e1ac 100644 --- a/include/linux/damon.h +++ b/include/linux/damon.h @@ -809,6 +809,7 @@ struct damon_ctx { struct mutex call_controls_lock; struct damos_walk_control *walk_control; + bool walk_control_obsolete; struct mutex walk_control_lock; /*
mm/damon/core.c+14 −8 modifieddiff --git a/mm/damon/core.c b/mm/damon/core.c index 5d77462166620a..3c114b81f36d51 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1528,6 +1528,10 @@ int damon_call(struct damon_ctx *ctx, struct damon_call_control *control) * passed at least one &damos->apply_interval_us, kdamond marks the request as * completed so that damos_walk() can wakeup and return. * + * Note that this function should be called only after damon_start() with the + * @ctx has succeeded. Otherwise, this function could fall into an indefinite + * wait. + * * Return: 0 on success, negative error code otherwise. */ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) @@ -1535,19 +1539,16 @@ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) init_completion(&control->completion); control->canceled = false; mutex_lock(&ctx->walk_control_lock); + if (ctx->walk_control_obsolete) { + mutex_unlock(&ctx->walk_control_lock); + return -ECANCELED; + } if (ctx->walk_control) { mutex_unlock(&ctx->walk_control_lock); return -EBUSY; } ctx->walk_control = control; mutex_unlock(&ctx->walk_control_lock); - if (!damon_is_running(ctx)) { - mutex_lock(&ctx->walk_control_lock); - if (ctx->walk_control == control) - ctx->walk_control = NULL; - mutex_unlock(&ctx->walk_control_lock); - return -EINVAL; - } wait_for_completion(&control->completion); if (control->canceled) return -ECANCELED; @@ -2731,6 +2732,9 @@ static int kdamond_fn(void *data) mutex_lock(&ctx->call_controls_lock); ctx->call_controls_obsolete = false; mutex_unlock(&ctx->call_controls_lock); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = false; + mutex_unlock(&ctx->walk_control_lock); complete(&ctx->kdamond_started); kdamond_init_ctx(ctx); @@ -2839,6 +2843,9 @@ done: ctx->call_controls_obsolete = true; mutex_unlock(&ctx->call_controls_lock); kdamond_call(ctx, true); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = true; + mutex_unlock(&ctx->walk_control_lock); damos_walk_cancel(ctx); pr_debug("kdamond (%d) finishes\n", current->pid); -- cgit 1.3-korg
mm/damon/core.c+14 −8 modifieddiff --git a/mm/damon/core.c b/mm/damon/core.c index 5d77462166620a..3c114b81f36d51 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1528,6 +1528,10 @@ int damon_call(struct damon_ctx *ctx, struct damon_call_control *control) * passed at least one &damos->apply_interval_us, kdamond marks the request as * completed so that damos_walk() can wakeup and return. * + * Note that this function should be called only after damon_start() with the + * @ctx has succeeded. Otherwise, this function could fall into an indefinite + * wait. + * * Return: 0 on success, negative error code otherwise. */ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) @@ -1535,19 +1539,16 @@ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) init_completion(&control->completion); control->canceled = false; mutex_lock(&ctx->walk_control_lock); + if (ctx->walk_control_obsolete) { + mutex_unlock(&ctx->walk_control_lock); + return -ECANCELED; + } if (ctx->walk_control) { mutex_unlock(&ctx->walk_control_lock); return -EBUSY; } ctx->walk_control = control; mutex_unlock(&ctx->walk_control_lock); - if (!damon_is_running(ctx)) { - mutex_lock(&ctx->walk_control_lock); - if (ctx->walk_control == control) - ctx->walk_control = NULL; - mutex_unlock(&ctx->walk_control_lock); - return -EINVAL; - } wait_for_completion(&control->completion); if (control->canceled) return -ECANCELED; @@ -2731,6 +2732,9 @@ static int kdamond_fn(void *data) mutex_lock(&ctx->call_controls_lock); ctx->call_controls_obsolete = false; mutex_unlock(&ctx->call_controls_lock); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = false; + mutex_unlock(&ctx->walk_control_lock); complete(&ctx->kdamond_started); kdamond_init_ctx(ctx); @@ -2839,6 +2843,9 @@ done: ctx->call_controls_obsolete = true; mutex_unlock(&ctx->call_controls_lock); kdamond_call(ctx, true); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = true; + mutex_unlock(&ctx->walk_control_lock); damos_walk_cancel(ctx); pr_debug("kdamond (%d) finishes\n", current->pid); -- cgit 1.3-korg
33c3f6c2b48cmm/damon/core: fix damos_walk() vs kdamond_fn() exit race
4 files changed · +30 −16
include/linux/damon.h+1 −0 modifieddiff --git a/include/linux/damon.h b/include/linux/damon.h index 5129de70e7b70b..f2cdb7c3f5e6ce 100644 --- a/include/linux/damon.h +++ b/include/linux/damon.h @@ -822,6 +822,7 @@ struct damon_ctx { struct mutex call_controls_lock; struct damos_walk_control *walk_control; + bool walk_control_obsolete; struct mutex walk_control_lock; /*
include/linux/damon.h+1 −0 modifieddiff --git a/include/linux/damon.h b/include/linux/damon.h index 5129de70e7b70b..f2cdb7c3f5e6ce 100644 --- a/include/linux/damon.h +++ b/include/linux/damon.h @@ -822,6 +822,7 @@ struct damon_ctx { struct mutex call_controls_lock; struct damos_walk_control *walk_control; + bool walk_control_obsolete; struct mutex walk_control_lock; /*
mm/damon/core.c+14 −8 modifieddiff --git a/mm/damon/core.c b/mm/damon/core.c index 9bcda2765ac97f..ddabb93f23773e 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1637,6 +1637,10 @@ int damon_call(struct damon_ctx *ctx, struct damon_call_control *control) * passed at least one &damos->apply_interval_us, kdamond marks the request as * completed so that damos_walk() can wakeup and return. * + * Note that this function should be called only after damon_start() with the + * @ctx has succeeded. Otherwise, this function could fall into an indefinite + * wait. + * * Return: 0 on success, negative error code otherwise. */ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) @@ -1644,19 +1648,16 @@ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) init_completion(&control->completion); control->canceled = false; mutex_lock(&ctx->walk_control_lock); + if (ctx->walk_control_obsolete) { + mutex_unlock(&ctx->walk_control_lock); + return -ECANCELED; + } if (ctx->walk_control) { mutex_unlock(&ctx->walk_control_lock); return -EBUSY; } ctx->walk_control = control; mutex_unlock(&ctx->walk_control_lock); - if (!damon_is_running(ctx)) { - mutex_lock(&ctx->walk_control_lock); - if (ctx->walk_control == control) - ctx->walk_control = NULL; - mutex_unlock(&ctx->walk_control_lock); - return -EINVAL; - } wait_for_completion(&control->completion); if (control->canceled) return -ECANCELED; @@ -2932,6 +2933,9 @@ static int kdamond_fn(void *data) mutex_lock(&ctx->call_controls_lock); ctx->call_controls_obsolete = false; mutex_unlock(&ctx->call_controls_lock); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = false; + mutex_unlock(&ctx->walk_control_lock); complete(&ctx->kdamond_started); kdamond_init_ctx(ctx); @@ -3046,6 +3050,9 @@ done: ctx->call_controls_obsolete = true; mutex_unlock(&ctx->call_controls_lock); kdamond_call(ctx, true); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = true; + mutex_unlock(&ctx->walk_control_lock); damos_walk_cancel(ctx); pr_debug("kdamond (%d) finishes\n", current->pid); -- cgit 1.3-korg
mm/damon/core.c+14 −8 modifieddiff --git a/mm/damon/core.c b/mm/damon/core.c index 9bcda2765ac97f..ddabb93f23773e 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1637,6 +1637,10 @@ int damon_call(struct damon_ctx *ctx, struct damon_call_control *control) * passed at least one &damos->apply_interval_us, kdamond marks the request as * completed so that damos_walk() can wakeup and return. * + * Note that this function should be called only after damon_start() with the + * @ctx has succeeded. Otherwise, this function could fall into an indefinite + * wait. + * * Return: 0 on success, negative error code otherwise. */ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) @@ -1644,19 +1648,16 @@ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) init_completion(&control->completion); control->canceled = false; mutex_lock(&ctx->walk_control_lock); + if (ctx->walk_control_obsolete) { + mutex_unlock(&ctx->walk_control_lock); + return -ECANCELED; + } if (ctx->walk_control) { mutex_unlock(&ctx->walk_control_lock); return -EBUSY; } ctx->walk_control = control; mutex_unlock(&ctx->walk_control_lock); - if (!damon_is_running(ctx)) { - mutex_lock(&ctx->walk_control_lock); - if (ctx->walk_control == control) - ctx->walk_control = NULL; - mutex_unlock(&ctx->walk_control_lock); - return -EINVAL; - } wait_for_completion(&control->completion); if (control->canceled) return -ECANCELED; @@ -2932,6 +2933,9 @@ static int kdamond_fn(void *data) mutex_lock(&ctx->call_controls_lock); ctx->call_controls_obsolete = false; mutex_unlock(&ctx->call_controls_lock); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = false; + mutex_unlock(&ctx->walk_control_lock); complete(&ctx->kdamond_started); kdamond_init_ctx(ctx); @@ -3046,6 +3050,9 @@ done: ctx->call_controls_obsolete = true; mutex_unlock(&ctx->call_controls_lock); kdamond_call(ctx, true); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = true; + mutex_unlock(&ctx->walk_control_lock); damos_walk_cancel(ctx); pr_debug("kdamond (%d) finishes\n", current->pid); -- cgit 1.3-korg
0ba956a239bamm/damon/core: fix damos_walk() vs kdamond_fn() exit race
4 files changed · +30 −16
include/linux/damon.h+1 −0 modifieddiff --git a/include/linux/damon.h b/include/linux/damon.h index fe4fc20e6db9df..d94d965103e1ac 100644 --- a/include/linux/damon.h +++ b/include/linux/damon.h @@ -809,6 +809,7 @@ struct damon_ctx { struct mutex call_controls_lock; struct damos_walk_control *walk_control; + bool walk_control_obsolete; struct mutex walk_control_lock; /*
include/linux/damon.h+1 −0 modifieddiff --git a/include/linux/damon.h b/include/linux/damon.h index fe4fc20e6db9df..d94d965103e1ac 100644 --- a/include/linux/damon.h +++ b/include/linux/damon.h @@ -809,6 +809,7 @@ struct damon_ctx { struct mutex call_controls_lock; struct damos_walk_control *walk_control; + bool walk_control_obsolete; struct mutex walk_control_lock; /*
mm/damon/core.c+14 −8 modifieddiff --git a/mm/damon/core.c b/mm/damon/core.c index 5d77462166620a..3c114b81f36d51 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1528,6 +1528,10 @@ int damon_call(struct damon_ctx *ctx, struct damon_call_control *control) * passed at least one &damos->apply_interval_us, kdamond marks the request as * completed so that damos_walk() can wakeup and return. * + * Note that this function should be called only after damon_start() with the + * @ctx has succeeded. Otherwise, this function could fall into an indefinite + * wait. + * * Return: 0 on success, negative error code otherwise. */ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) @@ -1535,19 +1539,16 @@ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) init_completion(&control->completion); control->canceled = false; mutex_lock(&ctx->walk_control_lock); + if (ctx->walk_control_obsolete) { + mutex_unlock(&ctx->walk_control_lock); + return -ECANCELED; + } if (ctx->walk_control) { mutex_unlock(&ctx->walk_control_lock); return -EBUSY; } ctx->walk_control = control; mutex_unlock(&ctx->walk_control_lock); - if (!damon_is_running(ctx)) { - mutex_lock(&ctx->walk_control_lock); - if (ctx->walk_control == control) - ctx->walk_control = NULL; - mutex_unlock(&ctx->walk_control_lock); - return -EINVAL; - } wait_for_completion(&control->completion); if (control->canceled) return -ECANCELED; @@ -2731,6 +2732,9 @@ static int kdamond_fn(void *data) mutex_lock(&ctx->call_controls_lock); ctx->call_controls_obsolete = false; mutex_unlock(&ctx->call_controls_lock); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = false; + mutex_unlock(&ctx->walk_control_lock); complete(&ctx->kdamond_started); kdamond_init_ctx(ctx); @@ -2839,6 +2843,9 @@ done: ctx->call_controls_obsolete = true; mutex_unlock(&ctx->call_controls_lock); kdamond_call(ctx, true); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = true; + mutex_unlock(&ctx->walk_control_lock); damos_walk_cancel(ctx); pr_debug("kdamond (%d) finishes\n", current->pid); -- cgit 1.3-korg
mm/damon/core.c+14 −8 modifieddiff --git a/mm/damon/core.c b/mm/damon/core.c index 5d77462166620a..3c114b81f36d51 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1528,6 +1528,10 @@ int damon_call(struct damon_ctx *ctx, struct damon_call_control *control) * passed at least one &damos->apply_interval_us, kdamond marks the request as * completed so that damos_walk() can wakeup and return. * + * Note that this function should be called only after damon_start() with the + * @ctx has succeeded. Otherwise, this function could fall into an indefinite + * wait. + * * Return: 0 on success, negative error code otherwise. */ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) @@ -1535,19 +1539,16 @@ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) init_completion(&control->completion); control->canceled = false; mutex_lock(&ctx->walk_control_lock); + if (ctx->walk_control_obsolete) { + mutex_unlock(&ctx->walk_control_lock); + return -ECANCELED; + } if (ctx->walk_control) { mutex_unlock(&ctx->walk_control_lock); return -EBUSY; } ctx->walk_control = control; mutex_unlock(&ctx->walk_control_lock); - if (!damon_is_running(ctx)) { - mutex_lock(&ctx->walk_control_lock); - if (ctx->walk_control == control) - ctx->walk_control = NULL; - mutex_unlock(&ctx->walk_control_lock); - return -EINVAL; - } wait_for_completion(&control->completion); if (control->canceled) return -ECANCELED; @@ -2731,6 +2732,9 @@ static int kdamond_fn(void *data) mutex_lock(&ctx->call_controls_lock); ctx->call_controls_obsolete = false; mutex_unlock(&ctx->call_controls_lock); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = false; + mutex_unlock(&ctx->walk_control_lock); complete(&ctx->kdamond_started); kdamond_init_ctx(ctx); @@ -2839,6 +2843,9 @@ done: ctx->call_controls_obsolete = true; mutex_unlock(&ctx->call_controls_lock); kdamond_call(ctx, true); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = true; + mutex_unlock(&ctx->walk_control_lock); damos_walk_cancel(ctx); pr_debug("kdamond (%d) finishes\n", current->pid); -- cgit 1.3-korg
33c3f6c2b48cmm/damon/core: fix damos_walk() vs kdamond_fn() exit race
4 files changed · +30 −16
include/linux/damon.h+1 −0 modifieddiff --git a/include/linux/damon.h b/include/linux/damon.h index 5129de70e7b70b..f2cdb7c3f5e6ce 100644 --- a/include/linux/damon.h +++ b/include/linux/damon.h @@ -822,6 +822,7 @@ struct damon_ctx { struct mutex call_controls_lock; struct damos_walk_control *walk_control; + bool walk_control_obsolete; struct mutex walk_control_lock; /*
include/linux/damon.h+1 −0 modifieddiff --git a/include/linux/damon.h b/include/linux/damon.h index 5129de70e7b70b..f2cdb7c3f5e6ce 100644 --- a/include/linux/damon.h +++ b/include/linux/damon.h @@ -822,6 +822,7 @@ struct damon_ctx { struct mutex call_controls_lock; struct damos_walk_control *walk_control; + bool walk_control_obsolete; struct mutex walk_control_lock; /*
mm/damon/core.c+14 −8 modifieddiff --git a/mm/damon/core.c b/mm/damon/core.c index 9bcda2765ac97f..ddabb93f23773e 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1637,6 +1637,10 @@ int damon_call(struct damon_ctx *ctx, struct damon_call_control *control) * passed at least one &damos->apply_interval_us, kdamond marks the request as * completed so that damos_walk() can wakeup and return. * + * Note that this function should be called only after damon_start() with the + * @ctx has succeeded. Otherwise, this function could fall into an indefinite + * wait. + * * Return: 0 on success, negative error code otherwise. */ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) @@ -1644,19 +1648,16 @@ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) init_completion(&control->completion); control->canceled = false; mutex_lock(&ctx->walk_control_lock); + if (ctx->walk_control_obsolete) { + mutex_unlock(&ctx->walk_control_lock); + return -ECANCELED; + } if (ctx->walk_control) { mutex_unlock(&ctx->walk_control_lock); return -EBUSY; } ctx->walk_control = control; mutex_unlock(&ctx->walk_control_lock); - if (!damon_is_running(ctx)) { - mutex_lock(&ctx->walk_control_lock); - if (ctx->walk_control == control) - ctx->walk_control = NULL; - mutex_unlock(&ctx->walk_control_lock); - return -EINVAL; - } wait_for_completion(&control->completion); if (control->canceled) return -ECANCELED; @@ -2932,6 +2933,9 @@ static int kdamond_fn(void *data) mutex_lock(&ctx->call_controls_lock); ctx->call_controls_obsolete = false; mutex_unlock(&ctx->call_controls_lock); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = false; + mutex_unlock(&ctx->walk_control_lock); complete(&ctx->kdamond_started); kdamond_init_ctx(ctx); @@ -3046,6 +3050,9 @@ done: ctx->call_controls_obsolete = true; mutex_unlock(&ctx->call_controls_lock); kdamond_call(ctx, true); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = true; + mutex_unlock(&ctx->walk_control_lock); damos_walk_cancel(ctx); pr_debug("kdamond (%d) finishes\n", current->pid); -- cgit 1.3-korg
mm/damon/core.c+14 −8 modifieddiff --git a/mm/damon/core.c b/mm/damon/core.c index 9bcda2765ac97f..ddabb93f23773e 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1637,6 +1637,10 @@ int damon_call(struct damon_ctx *ctx, struct damon_call_control *control) * passed at least one &damos->apply_interval_us, kdamond marks the request as * completed so that damos_walk() can wakeup and return. * + * Note that this function should be called only after damon_start() with the + * @ctx has succeeded. Otherwise, this function could fall into an indefinite + * wait. + * * Return: 0 on success, negative error code otherwise. */ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) @@ -1644,19 +1648,16 @@ int damos_walk(struct damon_ctx *ctx, struct damos_walk_control *control) init_completion(&control->completion); control->canceled = false; mutex_lock(&ctx->walk_control_lock); + if (ctx->walk_control_obsolete) { + mutex_unlock(&ctx->walk_control_lock); + return -ECANCELED; + } if (ctx->walk_control) { mutex_unlock(&ctx->walk_control_lock); return -EBUSY; } ctx->walk_control = control; mutex_unlock(&ctx->walk_control_lock); - if (!damon_is_running(ctx)) { - mutex_lock(&ctx->walk_control_lock); - if (ctx->walk_control == control) - ctx->walk_control = NULL; - mutex_unlock(&ctx->walk_control_lock); - return -EINVAL; - } wait_for_completion(&control->completion); if (control->canceled) return -ECANCELED; @@ -2932,6 +2933,9 @@ static int kdamond_fn(void *data) mutex_lock(&ctx->call_controls_lock); ctx->call_controls_obsolete = false; mutex_unlock(&ctx->call_controls_lock); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = false; + mutex_unlock(&ctx->walk_control_lock); complete(&ctx->kdamond_started); kdamond_init_ctx(ctx); @@ -3046,6 +3050,9 @@ done: ctx->call_controls_obsolete = true; mutex_unlock(&ctx->call_controls_lock); kdamond_call(ctx, true); + mutex_lock(&ctx->walk_control_lock); + ctx->walk_control_obsolete = true; + mutex_unlock(&ctx->walk_control_lock); damos_walk_cancel(ctx); pr_debug("kdamond (%d) finishes\n", current->pid); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Race condition: damos_walk() registers a new walk request under walk_control_lock, but checks whether the kdamond is still running using a different lock (damon_ctx->kdamond), so a request can be queued after the kdamond has already begun its termination sequence, causing the caller to wait indefinitely for a completion that will never arrive."
Attack vector
An attacker who can trigger damos_walk() on a DAMON context whose kdamond thread is concurrently exiting can cause a deadlock. The kdamond_fn() cancels remaining walk requests and unsets damon_ctx->kdamond under one lock, while damos_walk() registers a new request under walk_control_lock and then checks damon_ctx->kdamond under a different lock. If the kdamond finishes cancellation before damos_walk() registers its request, but damon_ctx->kdamond is still set, damos_walk() will wait forever on a completion that the already-exiting kdamond will never signal [patch_id=2660481].
Affected code
The race involves `damos_walk()` in `mm/damon/core.c` (around line 1644) and `kdamond_fn()` in the same file (around lines 2932 and 3046). The `struct damon_ctx` in `include/linux/damon.h` gains a new `bool walk_control_obsolete` field [patch_id=2660481].
What the fix does
The patch introduces a new boolean field `walk_control_obsolete` in `struct damon_ctx` (in `include/linux/damon.h`), protected by the existing `walk_control_lock`. In `kdamond_fn()`, this field is set to `true` under the lock just before `damos_walk_cancel()` is called, and cleared to `false` early in the function before the kdamond starts processing. In `damos_walk()`, the function now checks `ctx->walk_control_obsolete` under `walk_control_lock` before registering a new request; if the flag is set, it returns `-ECANCELED` immediately. This ensures that no new walk request can be queued after the kdamond has begun its termination teardown. The old post-registration `damon_is_running()` check and its rollback code are removed as they are no longer needed [patch_id=2660481].
Preconditions
- configThe DAMON kernel subsystem must be configured and active (CONFIG_DAMON).
- authThe attacker must have the capability to invoke damos_walk() on a DAMON context (typically requires root or CAP_SYS_ADMIN).
- inputThe attacker must trigger damos_walk() concurrently with the kdamond thread exiting.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.