CVE-2026-31445
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/04/2026
Last modified:
22/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: avoid use of half-online-committed context

One major usage of damon_call() is online DAMON parameters update. It is
done by calling damon_commit_ctx() inside the damon_call() callback
function. damon_commit_ctx() can fail for two reasons: 1) invalid
parameters and 2) internal memory allocation failures. In case of
failures, the damon_ctx that attempted to be updated (commit destination)
can be partially updated (or, corrupted from a perspective), and therefore
shouldn't be used anymore. The function only ensures the damon_ctx object
can safely be deallocated using damon_destroy_ctx().

The API callers are, however, calling damon_commit_ctx() only after
asserting the parameters are valid, to avoid damon_commit_ctx() failing due
to invalid input parameters. But it can still theoretically fail if the
internal memory allocation fails. In that case, DAMON may run with the
partially updated damon_ctx. This can result in unexpected behaviors
including even NULL pointer dereference in case of damos_commit_dests()
failure [1]. Such allocation failure is arguably too small to fail, so
the real world impact would be rare. But, given the bad consequence, this
needs to be fixed.

Avoid such partially-committed (maybe-corrupted) damon_ctx use by saving
the damon_commit_ctx() failure on the damon_ctx object. For this,
introduce damon_ctx->maybe_corrupted field. damon_commit_ctx() sets it
when it fails. kdamond_call() checks if the field is set after each
damon_call_control->fn() is executed. If it is set, ignore remaining
callback requests and return. All kdamond_call() callers including
kdamond_fn() also check the maybe_corrupted field right after
kdamond_call() invocations. If the field is set, break the kdamond_fn()
main loop so that DAMON still doesn't use the context that might be
corrupted.

[sj@kernel.org: let kdamond_call() with cancel regardless of maybe_corrupted]
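The failure mode and the fix described above, modelled in userspace as an added example. This is not DAMON code and not part of the advisory or the kernel commit: every name prefixed toy_ (toy_ctx, toy_commit_ctx, toy_kdamond_call, toy_kdamond_fn, toy_run) is this example's own, and the two-piece "commit in place, second allocation fails" structure is an assumed simplification of damon_commit_ctx(). The unhardened path reaches the NULL pointer the commit message warns about; the hardened path honours a sticky maybe_corrupted flag and stops before touching the context, while destroying the half-committed context stays safe in both cases.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy userspace model of the DAMON fix (names and structure are this
 * example's assumptions, not the kernel's). */

enum run_result { RUN_OK = 0, RUN_STOPPED_SAFELY = 1, RUN_NULL_DEREF = 2 };

struct toy_ctx {
    int *attrs;             /* committed first */
    int *dests;             /* committed second; left NULL if that step fails */
    bool maybe_corrupted;   /* sticky: set by a failed commit, never cleared */
};

/* Fault injection: fail the n-th allocation (0-based); -1 never fails. */
static int fail_at_alloc = -1;
static int alloc_count;

static int *toy_alloc_int(int v)
{
    if (alloc_count++ == fail_at_alloc)
        return NULL;
    int *p = malloc(sizeof *p);
    if (p)
        *p = v;
    return p;
}

/* Model of damon_commit_ctx(): pieces are committed in order, in place.
 * A failure in the second step leaves the first step applied and dests
 * NULL, i.e. a half-committed context. The only guarantee kept is that
 * toy_destroy_ctx() remains safe to call. */
static int toy_commit_ctx(struct toy_ctx *dst, int attrs, int dests)
{
    int *a = toy_alloc_int(attrs);
    if (!a)
        goto fail;
    free(dst->attrs);
    dst->attrs = a;

    free(dst->dests);               /* old value is gone before the new one exists */
    dst->dests = toy_alloc_int(dests);
    if (!dst->dests)
        goto fail;
    return 0;
fail:
    dst->maybe_corrupted = true;    /* remember that dst must not be used */
    return -1;
}

static void toy_destroy_ctx(struct toy_ctx *ctx)
{
    free(ctx->attrs);
    free(ctx->dests);
    ctx->attrs = ctx->dests = NULL;
}

/* Model of kdamond_call(): run queued online-update callbacks, stopping
 * after the first one that leaves the context possibly corrupted. With
 * cancel set, nothing runs regardless of the flag. Returns how many
 * callbacks actually ran. */
static int toy_kdamond_call(struct toy_ctx *ctx, const int (*reqs)[2],
                            int nreqs, bool cancel)
{
    int ran = 0;
    if (cancel)
        return 0;
    for (int i = 0; i < nreqs; i++) {
        toy_commit_ctx(ctx, reqs[i][0], reqs[i][1]);
        ran++;
        if (ctx->maybe_corrupted)
            break;                  /* remaining requests are ignored */
    }
    return ran;
}

/* Model of one kdamond_fn() main-loop iteration. With the flag check (the
 * fix) the loop breaks before touching the context; without it, the loop
 * reads the dests pointer the failed commit left NULL. */
static enum run_result toy_kdamond_fn(struct toy_ctx *ctx, const int (*reqs)[2],
                                      int nreqs, bool hardened)
{
    toy_kdamond_call(ctx, reqs, nreqs, false);
    if (hardened && ctx->maybe_corrupted)
        return RUN_STOPPED_SAFELY;
    if (!ctx->dests)
        return RUN_NULL_DEREF;      /* in the kernel this is the crash */
    return RUN_OK;
}

/* Driver: fresh context, one online update, optional allocation failure
 * (0 = attrs allocation fails, 1 = dests allocation fails, -1 = none). */
static enum run_result toy_run(bool hardened, int fail_alloc)
{
    struct toy_ctx ctx = { .attrs = NULL, .dests = NULL, .maybe_corrupted = false };
    const int reqs[1][2] = { { 5, 10 } };   /* constructed sample parameters */
    alloc_count = 0;
    fail_at_alloc = fail_alloc;
    enum run_result r = toy_kdamond_fn(&ctx, reqs, 1, hardened);
    toy_destroy_ctx(&ctx);          /* safe even on a half-committed ctx */
    return r;
}

int main(void)
{
    printf("no failure, unhardened:        %d\n", toy_run(false, -1));
    printf("dests alloc fails, unhardened: %d\n", toy_run(false, 1));
    printf("dests alloc fails, hardened:   %d\n", toy_run(true, 1));
    return 0;
}
```

The point of the fault-injection knob is the one the commit message makes: the callers already filter invalid parameters, so the only way to reach the half-committed state is an allocation failure, which is exactly the case a test harness has to force rather than wait for.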