{"id":"CVE-2026-46008","summary":"mm/damon/core: fix damos_walk() vs kdamond_fn() exit race","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: fix damos_walk() vs kdamond_fn() exit race\n\nWhen kdamond_fn() main loop is finished, the function cancels remaining\ndamos_walk() request and unset the damon_ctx-\u003ekdamond so that API callers\nand API functions themselves can show the context is terminated. \ndamos_walk() adds the caller's request to the queue first.  After that, it\nshows if the kdamond of the damon_ctx is still running (damon_ctx-\u003ekdamond\nis set).  Only if the kdamond is running, damos_walk() starts waiting for\nthe kdamond's handling of the newly added request.\n\nThe damos_walk() requests registration and damon_ctx-\u003ekdamond unset are\nprotected by different mutexes, though.  Hence, damos_walk() could race\nwith damon_ctx-\u003ekdamond unset, and result in deadlocks.\n\nFor example, let's suppose kdamond successfully finished the damow_walk()\nrequest cancelling.  Right after that, damos_walk() is called for the\ncontext.  It registers the new request, and shows the context is still\nrunning, because damon_ctx-\u003ekdamond unset is not yet done.  Hence the\ndamos_walk() caller starts waiting for the handling of the request. \nHowever, the kdamond is already on the termination steps, so it never\nhandles the new request.  As a result, the damos_walk() caller thread\ninfinitely waits.\n\nFix this by introducing another damon_ctx field, namely\nwalk_control_obsolete.  It is protected by the\ndamon_ctx-\u003ewalk_control_lock, which protects damos_walk() request\nregistration.  Initialize (unset) it in kdamond_fn() before letting\ndamon_start() returns and set it just before the cancelling of the\nremaining damos_walk() request is executed.  damos_walk() reads the\nobsolete field under the lock and avoids adding a new request.\n\nAfter this change, only requests that are guaranteed to be handled or\ncancelled are registered.  Hence the after-registration DAMON context\ntermination check is no longer needed.  Remove it together.\n\nThe issue is found by sashiko [1].","modified":"2026-06-18T03:57:03.952626740Z","published":"2026-05-27T12:56:08.315Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46008.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0ba956a239ba6e3fae8555d3660e22e675be63b5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/33c3f6c2b48cd84b441dba1ee3e62290e53930f4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46008.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46008"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61"},{"fixed":"0ba956a239ba6e3fae8555d3660e22e675be63b5"},{"fixed":"33c3f6c2b48cd84b441dba1ee3e62290e53930f4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46008.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.14.0"},{"fixed":"7.0.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46008.json"}}],"schema_version":"1.7.5"}