CVE-2026-31445

Source
https://cve.org/CVERecord?id=CVE-2026-31445
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31445.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31445
Downstream
Published
2026-04-22T13:53:42.090Z
Modified
2026-07-15T01:49:09.473631386Z
Summary
mm/damon/core: avoid use of half-online-committed context
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: avoid use of half-online-committed context

One major usage of damoncall() is online DAMON parameters update. It is done by calling damoncommitctx() inside the damoncall() callback function. damoncommitctx() can fail for two reasons: 1) invalid parameters and 2) internal memory allocation failures. In case of failures, the damonctx that attempted to be updated (commit destination) can be partially updated (or, corrupted from a perspective), and therefore shouldn't be used anymore. The function only ensures the damonctx object can safely deallocated using damondestroyctx().

The API callers are, however, calling damoncommitctx() only after asserting the parameters are valid, to avoid damoncommitctx() fails due to invalid input parameters. But it can still theoretically fail if the internal memory allocation fails. In the case, DAMON may run with the partially updated damonctx. This can result in unexpected behaviors including even NULL pointer dereference in case of damoscommit_dests() failure [1]. Such allocation failure is arguably too small to fail, so the real world impact would be rare. But, given the bad consequence, this needs to be fixed.

Avoid such partially-committed (maybe-corrupted) damonctx use by saving the damoncommitctx() failure on the damonctx object. For this, introduce damonctx->maybecorrupted field. damoncommitctx() sets it when it is failed. kdamondcall() checks if the field is set after each damoncallcontrol->fn() is executed. If it is set, ignore remaining callback requests and return. All kdamondcall() callers including kdamondfn() also check the maybecorrupted field right after kdamondcall() invocations. If the field is set, break the kdamondfn() main loop so that DAMON sill doesn't use the context that might be corrupted.

[sj@kernel.org: let kdamondcall() with cancel regardless of maybecorrupted]

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31445.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3301f1861d34f53911a30a8f5f41b9141bd8ed39
Fixed
9c495f9d3781cd692bd199531cabd4627155e8cd
Fixed
1b247cd0654a3a306996fa80741d79296c683a56
Fixed
26f775a054c3cda86ad465a64141894a90a9e145

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31445.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.15.0
Fixed
6.18.21
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31445.json"