CVE-2026-46008
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-362
Ejecución concurrente utilizando recursos compartidos con una incorrecta sincronización (Condición de carrera)
Fecha de publicación:
27/05/2026
Última modificación:
16/06/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
mm/damon/core: fix damos_walk() vs kdamond_fn() exit race<br />
<br />
When kdamond_fn() main loop is finished, the function cancels remaining<br />
damos_walk() request and unset the damon_ctx->kdamond so that API callers<br />
and API functions themselves can show the context is terminated. <br />
damos_walk() adds the caller&#39;s request to the queue first. After that, it<br />
shows if the kdamond of the damon_ctx is still running (damon_ctx->kdamond<br />
is set). Only if the kdamond is running, damos_walk() starts waiting for<br />
the kdamond&#39;s handling of the newly added request.<br />
<br />
The damos_walk() requests registration and damon_ctx->kdamond unset are<br />
protected by different mutexes, though. Hence, damos_walk() could race<br />
with damon_ctx->kdamond unset, and result in deadlocks.<br />
<br />
For example, let&#39;s suppose kdamond successfully finished the damow_walk()<br />
request cancelling. Right after that, damos_walk() is called for the<br />
context. It registers the new request, and shows the context is still<br />
running, because damon_ctx->kdamond unset is not yet done. Hence the<br />
damos_walk() caller starts waiting for the handling of the request. <br />
However, the kdamond is already on the termination steps, so it never<br />
handles the new request. As a result, the damos_walk() caller thread<br />
infinitely waits.<br />
<br />
Fix this by introducing another damon_ctx field, namely<br />
walk_control_obsolete. It is protected by the<br />
damon_ctx->walk_control_lock, which protects damos_walk() request<br />
registration. Initialize (unset) it in kdamond_fn() before letting<br />
damon_start() returns and set it just before the cancelling of the<br />
remaining damos_walk() request is executed. damos_walk() reads the<br />
obsolete field under the lock and avoids adding a new request.<br />
<br />
After this change, only requests that are guaranteed to be handled or<br />
cancelled are registered. Hence the after-registration DAMON context<br />
termination check is no longer needed. Remove it together.<br />
<br />
The issue is found by sashiko [1].
Impacto
Puntuación base 3.x
4.70
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.14 (incluyendo) | 7.0.4 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página



