From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DEF8F2F8EA0 for ; Fri, 8 May 2026 14:24:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250292; cv=none; b=q94jHN10UaytAYpI5l42udxqCU9fNjJpU7JEW7CiBeEh199FNnxh/EUEhZmbzNSdCoiWF9IeUqtTTtqxIlUotXH847lNPZjmzs+JgzqkLFpPRhdnpvYdz3e4/pOLJMz/iVn6gQH3wK/JFBm/d6bPSh+Y/mQ3fVMTXvAL1kfZyjQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250292; c=relaxed/simple; bh=HqOewJm0HNgjtdUfCQm2b+AnruzGmGX4dL0SO/YfVHw=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type; b=DOS5Q3Mm1cJduPrgig++/KQ2jeOctrQ5Nx5olPnpuQ64emkt9frzpBcwm2UUWKj25WCu7wE18VrPt4+TfReFkZp6vKHK7LbYFIjlRdqTSPrV5c1tBCg/SEeRa5S0SiHUDSUezLvbMHKe73Opb4J99HcxYZDZgNWfvBwtI68sLEE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=X9Y6k0oJ; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="X9Y6k0oJ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 75486C2BCB0; Fri, 8 May 2026 14:24:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778250292; bh=HqOewJm0HNgjtdUfCQm2b+AnruzGmGX4dL0SO/YfVHw=; h=From:To:Cc:Subject:Date:Reply-To:From; b=X9Y6k0oJhZUXiI6m2H7Pz4MD2Qiq/xvE50PFrtQM5/MMca0tXdYsxiqBsdMu7XePS W8glAXI6ohUWaufysWXog6dtCNQzgD2QvbD6jTkZ62kVGKWYlNF/QxsR6DTCcIWr5q nL889ez969iHkjfSeTpALLgh5HPlJkS2MPzDnHog= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-43388: mm/damon/core: clear walk_control on inactive context in damos_walk() Date: Fri, 8 May 2026 16:21:57 +0200 Message-ID: <2026050835-CVE-2026-43388-fa28@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3583; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=aas9xg9SmfFmFJxVWlSdjiUMCewy+JxiTLsFLDXdhY8=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/P+aLzXvrLCbkxK9w5e7rAuErVSpmTMkezYvezxX5k 7+zrHNrRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEyk3YBhnkG64osJway/5ELK EpfHFrueeJHygWG+841vchGiey8E/putoM7cVfacfcYFAA== X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: clear walk_control on inactive context in damos_walk() damos_walk() sets ctx->walk_control to the caller-provided control structure before checking whether the context is running. If the context is inactive (damon_is_running() returns false), the function returns -EINVAL without clearing ctx->walk_control. This leaves a dangling pointer to a stack-allocated structure that will be freed when the caller returns. This is structurally identical to the bug fixed in commit f9132fbc2e83 ("mm/damon/core: remove call_control in inactive contexts") for damon_call(), which had the same pattern of linking a control object and returning an error without unlinking it. The dangling walk_control pointer can cause: 1. Use-after-free if the context is later started and kdamond    dereferences ctx->walk_control (e.g., in damos_walk_cancel()    which writes to control->canceled and calls complete()) 2. Permanent -EBUSY from subsequent damos_walk() calls, since the    stale pointer is non-NULL Nonetheless, the real user impact is quite restrictive. The use-after-free is impossible because there is no damos_walk() callers who starts the context later. The permanent -EBUSY can actually confuse users, as DAMON is not running. But the symptom is kept only while the context is turned off. Turning it on again will make DAMON internally uses a newly generated damon_ctx object that doesn't have the invalid damos_walk_control pointer, so everything will work fine again. Fix this by clearing ctx->walk_control under walk_control_lock before returning -EINVAL, mirroring the fix pattern from f9132fbc2e83. The Linux kernel CVE team has assigned CVE-2026-43388 to this issue. Affected and fixed versions =========================== Issue introduced in 6.14 with commit bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 and fixed in 6.18.19 with commit ce0aa47c963b8c3e5beace89e2b5a665a64b5b6b Issue introduced in 6.14 with commit bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 and fixed in 6.19.9 with commit 9320c77134ab8d7701e20608bbf08517df4fa321 Issue introduced in 6.14 with commit bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 and fixed in 7.0 with commit d210fdcac9c0d1380eab448aebc93f602c1cd4e6 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-43388 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: mm/damon/core.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/ce0aa47c963b8c3e5beace89e2b5a665a64b5b6b https://git.kernel.org/stable/c/9320c77134ab8d7701e20608bbf08517df4fa321 https://git.kernel.org/stable/c/d210fdcac9c0d1380eab448aebc93f602c1cd4e6