GHSA-233V-W7H6-4599

Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-04-22 15:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: avoid use of half-online-committed context

One major usage of damon_call() is online DAMON parameters update. It is done by calling damon_commit_ctx() inside the damon_call() callback function. damon_commit_ctx() can fail for two reasons: 1) invalid parameters and 2) internal memory allocation failures. In case of failures, the damon_ctx that attempted to be updated (commit destination) can be partially updated (or, corrupted from a perspective), and therefore shouldn't be used anymore. The function only ensures the damon_ctx object can safely deallocated using damon_destroy_ctx().

The API callers are, however, calling damon_commit_ctx() only after asserting the parameters are valid, to avoid damon_commit_ctx() fails due to invalid input parameters. But it can still theoretically fail if the internal memory allocation fails. In the case, DAMON may run with the partially updated damon_ctx. This can result in unexpected behaviors including even NULL pointer dereference in case of damos_commit_dests() failure [1]. Such allocation failure is arguably too small to fail, so the real world impact would be rare. But, given the bad consequence, this needs to be fixed.

Avoid such partially-committed (maybe-corrupted) damon_ctx use by saving the damon_commit_ctx() failure on the damon_ctx object. For this, introduce damon_ctx->maybe_corrupted field. damon_commit_ctx() sets it when it is failed. kdamond_call() checks if the field is set after each damon_call_control->fn() is executed. If it is set, ignore remaining callback requests and return. All kdamond_call() callers including kdamond_fn() also check the maybe_corrupted field right after kdamond_call() invocations. If the field is set, break the kdamond_fn() main loop so that DAMON sill doesn't use the context that might be corrupted.

[sj@kernel.org: let kdamond_call() with cancel regardless of maybe_corrupted]

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-31445"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-22T14:16:38Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: avoid use of half-online-committed context\n\nOne major usage of damon_call() is online DAMON parameters update.  It is\ndone by calling damon_commit_ctx() inside the damon_call() callback\nfunction.  damon_commit_ctx() can fail for two reasons: 1) invalid\nparameters and 2) internal memory allocation failures.  In case of\nfailures, the damon_ctx that attempted to be updated (commit destination)\ncan be partially updated (or, corrupted from a perspective), and therefore\nshouldn\u0027t be used anymore.  The function only ensures the damon_ctx object\ncan safely deallocated using damon_destroy_ctx().\n\nThe API callers are, however, calling damon_commit_ctx() only after\nasserting the parameters are valid, to avoid damon_commit_ctx() fails due\nto invalid input parameters.  But it can still theoretically fail if the\ninternal memory allocation fails.  In the case, DAMON may run with the\npartially updated damon_ctx.  This can result in unexpected behaviors\nincluding even NULL pointer dereference in case of damos_commit_dests()\nfailure [1].  Such allocation failure is arguably too small to fail, so\nthe real world impact would be rare.  But, given the bad consequence, this\nneeds to be fixed.\n\nAvoid such partially-committed (maybe-corrupted) damon_ctx use by saving\nthe damon_commit_ctx() failure on the damon_ctx object.  For this,\nintroduce damon_ctx-\u003emaybe_corrupted field.  damon_commit_ctx() sets it\nwhen it is failed.  kdamond_call() checks if the field is set after each\ndamon_call_control-\u003efn() is executed.  If it is set, ignore remaining\ncallback requests and return.  All kdamond_call() callers including\nkdamond_fn() also check the maybe_corrupted field right after\nkdamond_call() invocations.  If the field is set, break the kdamond_fn()\nmain loop so that DAMON sill doesn\u0027t use the context that might be\ncorrupted.\n\n[sj@kernel.org: let kdamond_call() with cancel regardless of maybe_corrupted]",
  "id": "GHSA-233v-w7h6-4599",
  "modified": "2026-04-22T15:31:40Z",
  "published": "2026-04-22T15:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31445"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1b247cd0654a3a306996fa80741d79296c683a56"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/26f775a054c3cda86ad465a64141894a90a9e145"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9c495f9d3781cd692bd199531cabd4627155e8cd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.