CVE-2026-31652

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/damon/stat: deallocate damon_call() failure leaking damon_ctx<br /> <br /> damon_stat_start() always allocates the module&amp;#39;s damon_ctx object<br /> (damon_stat_context). Meanwhile, if damon_call() in the function fails,<br /> the damon_ctx object is not deallocated. Hence, if the damon_call() is<br /> failed, and the user writes Y to “enabled” again, the previously<br /> allocated damon_ctx object is leaked.<br /> <br /> This cannot simply be fixed by deallocating the damon_ctx object when<br /> damon_call() fails. That&amp;#39;s because damon_call() failure doesn&amp;#39;t guarantee<br /> the kdamond main function, which accesses the damon_ctx object, is<br /> completely finished. In other words, if damon_stat_start() deallocates<br /> the damon_ctx object after damon_call() failure, the not-yet-terminated<br /> kdamond could access the freed memory (use-after-free).<br /> <br /> Fix the leak while avoiding the use-after-free by keeping returning<br /> damon_stat_start() without deallocating the damon_ctx object after<br /> damon_call() failure, but deallocating it when the function is invoked<br /> again and the kdamond is completely terminated. If the kdamond is not yet<br /> terminated, simply return -EAGAIN, as the kdamond will soon be terminated.<br /> <br /> The issue was discovered [1] by sashiko.