Bug 2397559 (CVE-2025-39877) - CVE-2025-39877 kernel: mm/damon/sysfs: fix use-after-free in state_show()
Summary: CVE-2025-39877 kernel: mm/damon/sysfs: fix use-after-free in state_show()
Keywords:
Status: NEW
Alias: CVE-2025-39877
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-23 07:01 UTC by OSIDB Bzimport
Modified: 2025-09-25 16:23 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-23 07:01:40 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/sysfs: fix use-after-free in state_show()

state_show() reads kdamond->damon_ctx without holding damon_sysfs_lock. 
This allows a use-after-free race:

CPU 0                         CPU 1
-----                         -----
state_show()                  damon_sysfs_turn_damon_on()
ctx = kdamond->damon_ctx;     mutex_lock(&damon_sysfs_lock);
                              damon_destroy_ctx(kdamond->damon_ctx);
                              kdamond->damon_ctx = NULL;
                              mutex_unlock(&damon_sysfs_lock);
damon_is_running(ctx);        /* ctx is freed */
mutex_lock(&ctx->kdamond_lock); /* UAF */

(The race can also occur with damon_sysfs_kdamonds_rm_dirs() and
damon_sysfs_kdamond_release(), which free or replace the context under
damon_sysfs_lock.)

Fix by taking damon_sysfs_lock before dereferencing the context, mirroring
the locking used in pid_show().

The bug has existed since state_show() first accessed kdamond->damon_ctx.
Comment 1 Jon Moroney 2025-09-23 17:28:01 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025092301-CVE-2025-39877-1244@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.