Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-46008

Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-362 Ejecución concurrente utilizando recursos compartidos con una incorrecta sincronización (Condición de carrera)
Fecha de publicación:
27/05/2026
Última modificación:
16/06/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/damon/core: fix damos_walk() vs kdamond_fn() exit race<br /> <br /> When kdamond_fn() main loop is finished, the function cancels remaining<br /> damos_walk() request and unset the damon_ctx-&gt;kdamond so that API callers<br /> and API functions themselves can show the context is terminated. <br /> damos_walk() adds the caller&amp;#39;s request to the queue first. After that, it<br /> shows if the kdamond of the damon_ctx is still running (damon_ctx-&gt;kdamond<br /> is set). Only if the kdamond is running, damos_walk() starts waiting for<br /> the kdamond&amp;#39;s handling of the newly added request.<br /> <br /> The damos_walk() requests registration and damon_ctx-&gt;kdamond unset are<br /> protected by different mutexes, though. Hence, damos_walk() could race<br /> with damon_ctx-&gt;kdamond unset, and result in deadlocks.<br /> <br /> For example, let&amp;#39;s suppose kdamond successfully finished the damow_walk()<br /> request cancelling. Right after that, damos_walk() is called for the<br /> context. It registers the new request, and shows the context is still<br /> running, because damon_ctx-&gt;kdamond unset is not yet done. Hence the<br /> damos_walk() caller starts waiting for the handling of the request. <br /> However, the kdamond is already on the termination steps, so it never<br /> handles the new request. As a result, the damos_walk() caller thread<br /> infinitely waits.<br /> <br /> Fix this by introducing another damon_ctx field, namely<br /> walk_control_obsolete. It is protected by the<br /> damon_ctx-&gt;walk_control_lock, which protects damos_walk() request<br /> registration. Initialize (unset) it in kdamond_fn() before letting<br /> damon_start() returns and set it just before the cancelling of the<br /> remaining damos_walk() request is executed. damos_walk() reads the<br /> obsolete field under the lock and avoids adding a new request.<br /> <br /> After this change, only requests that are guaranteed to be handled or<br /> cancelled are registered. Hence the after-registration DAMON context<br /> termination check is no longer needed. Remove it together.<br /> <br /> The issue is found by sashiko [1].

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.14 (incluyendo) 7.0.4 (excluyendo)