mm/damon/core: avoid use of half-online-committed context
Summary
| CVE | CVE-2026-31445 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-22 14:16:38 UTC |
| Updated | 2026-04-23 16:17:41 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: avoid use of half-online-committed context One major usage of damon_call() is online DAMON parameters update. It is done by calling damon_commit_ctx() inside the damon_call() callback function. damon_commit_ctx() can fail for two reasons: 1) invalid parameters and 2) internal memory allocation failures. In case of failures, the damon_ctx that attempted to be updated (commit destination) can be partially updated (or, corrupted from a perspective), and therefore shouldn't be used anymore. The function only ensures the damon_ctx object can safely deallocated using damon_destroy_ctx(). The API callers are, however, calling damon_commit_ctx() only after asserting the parameters are valid, to avoid damon_commit_ctx() fails due to invalid input parameters. But it can still theoretically fail if the internal memory allocation fails. In the case, DAMON may run with the partially updated damon_ctx. This can result in unexpected behaviors including even NULL pointer dereference in case of damos_commit_dests() failure [1]. Such allocation failure is arguably too small to fail, so the real world impact would be rare. But, given the bad consequence, this needs to be fixed. Avoid such partially-committed (maybe-corrupted) damon_ctx use by saving the damon_commit_ctx() failure on the damon_ctx object. For this, introduce damon_ctx->maybe_corrupted field. damon_commit_ctx() sets it when it is failed. kdamond_call() checks if the field is set after each damon_call_control->fn() is executed. If it is set, ignore remaining callback requests and return. All kdamond_call() callers including kdamond_fn() also check the maybe_corrupted field right after kdamond_call() invocations. If the field is set, break the kdamond_fn() main loop so that DAMON sill doesn't use the context that might be corrupted. [[email protected]: let kdamond_call() with cancel regardless of maybe_corrupted] |
Risk And Classification
EPSS: 0.000170000 probability, percentile 0.040460000 (date 2026-04-23)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 3301f1861d34f53911a30a8f5f41b9141bd8ed39 9c495f9d3781cd692bd199531cabd4627155e8cd git | Not specified |
| CNA | Linux | Linux | affected 3301f1861d34f53911a30a8f5f41b9141bd8ed39 1b247cd0654a3a306996fa80741d79296c683a56 git | Not specified |
| CNA | Linux | Linux | affected 3301f1861d34f53911a30a8f5f41b9141bd8ed39 26f775a054c3cda86ad465a64141894a90a9e145 git | Not specified |
| CNA | Linux | Linux | affected 6.15 | Not specified |
| CNA | Linux | Linux | unaffected 6.15 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.21 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19.11 6.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/26f775a054c3cda86ad465a64141894a90a9e145 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/1b247cd0654a3a306996fa80741d79296c683a56 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/9c495f9d3781cd692bd199531cabd4627155e8cd | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.