CVE-2026-46121

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/05/2026
Last modified:
28/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock

Patch series "mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path".

Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, resulting in use-after-free. Fix those.

This patch (of 2):

damon_sysfs_scheme_filter->memcg_path can be read and written by users, via DAMON sysfs memcg_path file. It can also be indirectly read, for the parameters {on,off}line committing to DAMON. The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read. But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer. As a result, the readers could read the already freed buffer (use-after-free). Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking. Nonetheless, doing the reads and writes with separate open files would be common. Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.
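The locking described above, modeled in userspace C as an added example (it is not the kernel patch or DAMON code): a pthread mutex stands in for damon_sysfs_lock, and the struct, the function names and the path values are constructed for illustration.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static pthread_mutex_t sysfs_lock = PTHREAD_MUTEX_INITIALIZER; /* models damon_sysfs_lock */
struct filter { char *memcg_path; };           /* simplified stand-in for the filter object */

/* Reader: copy out under the lock so the buffer cannot be freed mid-read. */
int memcg_path_show(struct filter *f, char *buf, size_t len) {
    pthread_mutex_lock(&sysfs_lock);
    int n = snprintf(buf, len, "%s\n", f->memcg_path ? f->memcg_path : "");
    pthread_mutex_unlock(&sysfs_lock);
    return n;
}

/* Writer: allocate outside the lock; swap and free the old buffer inside it. */
int memcg_path_store(struct filter *f, const char *val) {
    size_t n = strlen(val);
    char *path = malloc(n + 1);
    if (!path) return -1;
    memcpy(path, val, n + 1);
    pthread_mutex_lock(&sysfs_lock);
    free(f->memcg_path);
    f->memcg_path = path;
    pthread_mutex_unlock(&sysfs_lock);
    return (int)n;
}

static void *writer(void *arg) {               /* constructed sample values */
    for (int i = 0; i < 20000; i++)
        memcg_path_store(arg, (i & 1) ? "/workload/a" : "/workload/bb");
    return NULL;
}

/* Reader and writer run concurrently, as with separate open files.
 * Returns the number of reads that saw neither stored value. */
int race_bad_reads(void) {
    struct filter f = { NULL };
    char buf[64]; pthread_t t; int bad = 0;
    memcg_path_store(&f, "/workload/a");
    if (pthread_create(&t, NULL, writer, &f)) return -1;
    for (int i = 0; i < 20000; i++) {
        memcg_path_show(&f, buf, sizeof(buf));
        bad += strcmp(buf, "/workload/a\n") && strcmp(buf, "/workload/bb\n");
    }
    pthread_join(t, NULL);
    free(f.memcg_path);
    return bad;
}
int main(void) { printf("bad reads: %d\n", race_bad_reads()); return 0; }
```

Build with `cc -pthread`; the count stays at 0 because every read and every free of the buffer happens under the same mutex.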

Impact