CVE-2026-46008

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: fix damos walk() vs kdamond fn() exit race

When kdamond fn() main loop is finished, the function cancels remaining damos walk() request and unset the damon ctx->kdamond so that API callers and API functions themselves can show the context is terminated. damos walk() adds the caller's request to the queue first. After that, it shows if the kdamond of the damon ctx is still running (damon ctx->kdamond is set). Only if the kdamond is running, damos walk() starts waiting for the kdamond's handling of the newly added request.

The damos walk() requests registration and damon ctx->kdamond unset are protected by different mutexes, though. Hence, damos walk() could race with damon ctx->kdamond unset, and result in deadlocks.

For example, let's suppose kdamond successfully finished the damow walk() request cancelling. Right after that, damos walk() is called for the context. It registers the new request, and shows the context is still running, because damon ctx->kdamond unset is not yet done. Hence the damos walk() caller starts waiting for the handling of the request. However, the kdamond is already on the termination steps, so it never handles the new request. As a result, the damos walk() caller thread infinitely waits.

Fix this by introducing another damon ctx field, namely walk control obsolete. It is protected by the damon ctx->walk control lock, which protects damos walk() request registration. Initialize (unset) it in kdamond fn() before letting damon start() returns and set it just before the cancelling of the remaining damos walk() request is executed. damos walk() reads the obsolete field under the lock and avoids adding a new request.

After this change, only requests that are guaranteed to be handled or cancelled are registered. Hence the after-registration DAMON context termination check is no longer needed. Remove it together.

The issue is found by sashiko [1].