CVE-2025-39877
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
23/09/2025
Last modified:
23/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
mm/damon/sysfs: fix use-after-free in state_show()<br />
<br />
state_show() reads kdamond->damon_ctx without holding damon_sysfs_lock. <br />
This allows a use-after-free race:<br />
<br />
CPU 0 CPU 1<br />
----- -----<br />
state_show() damon_sysfs_turn_damon_on()<br />
ctx = kdamond->damon_ctx; mutex_lock(&damon_sysfs_lock);<br />
damon_destroy_ctx(kdamond->damon_ctx);<br />
kdamond->damon_ctx = NULL;<br />
mutex_unlock(&damon_sysfs_lock);<br />
damon_is_running(ctx); /* ctx is freed */<br />
mutex_lock(&ctx->kdamond_lock); /* UAF */<br />
<br />
(The race can also occur with damon_sysfs_kdamonds_rm_dirs() and<br />
damon_sysfs_kdamond_release(), which free or replace the context under<br />
damon_sysfs_lock.)<br />
<br />
Fix by taking damon_sysfs_lock before dereferencing the context, mirroring<br />
the locking used in pid_show().<br />
<br />
The bug has existed since state_show() first accessed kdamond->damon_ctx.
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/26d29b2ac87a2989071755f9828ebf839b560d4c
- https://git.kernel.org/stable/c/3260a3f0828e06f5f13fac69fb1999a6d60d9cff
- https://git.kernel.org/stable/c/3858c44341ad49dc7544b19cc9f9ecffaa7cc50e
- https://git.kernel.org/stable/c/4e87f461d61959647464a94d11ae15c011be58ce
- https://git.kernel.org/stable/c/60d7a3d2b985a395318faa1d88da6915fad11c19