CVE-2026-23012

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: remove call_control in inactive contexts

If damoncall() is executed against a DAMON context that is not running, the function returns error while keeping the damoncallcontrol object linked to the context's callcontrols list. Let's suppose the object is deallocated after the damoncall(), and yet another damoncall() is executed against the same context. The function tries to add the new damoncallcontrol object to the callcontrols list, which still has the pointer to the previous damoncall_control object, which is deallocated. As a result, use-after-free happens.

This can actually be triggered using the DAMON sysfs interface. It is not easily exploitable since it requires the sysfs write permission and making a definitely weird file writes, though. Please refer to the report for more details about the issue reproduction steps.

Fix the issue by making two changes. Firstly, move the final kdamondcall() for cancelling all existing damoncall() requests from terminating DAMON context to be done before the ctx->kdamond reset. This makes any code that sees NULL ctx->kdamond can safely assume the context may not access damoncall() requests anymore. Secondly, let damoncall() to cleanup the damoncallcontrol objects that were added to the already-terminated DAMON context, before returning the error.