Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's DAMON (Data Access Monitoring) subsystem has been addressed. The issue arises in the 'damos_walk()' function, where the 'walk_control' pointer is set to a caller-provided control structure before verifying that the context is active. If the context is inactive, the function returns an error without clearing 'walk_control', leaving a dangling pointer to a stack-allocated structure that is freed when the caller returns. This is the same pattern as a previously fixed bug in 'damon_call()'. The dangling pointer can lead to a use-after-free condition if the context is later activated and the DAMON scheduler dereferences the stale pointer, or it can cause every subsequent 'damos_walk()' call to fail with '-EBUSY'. Although the use-after-free scenario is unlikely, the '-EBUSY' error can confuse users, as it suggests DAMON is not running, when in fact the context is simply turned off.
The vulnerability can cause a permanent '-EBUSY' error in 'damos_walk()' calls, confusing users about the DAMON context status. While a use-after-free condition is theoretically possible, it is not expected to occur in practice.
To reproduce this vulnerability, call the 'damos_walk()' function with a control structure while the DAMON context is inactive. The function will return an error without clearing the 'walk_control', leaving a dangling pointer. This can be observed by subsequently calling 'damos_walk()' again, which will return the '-EBUSY' error, indicating the context is still considered busy, even though DAMON is not running.
The vulnerability has been fixed by modifying the 'damos_walk()' function to clear the 'walk_control' pointer under the appropriate lock before returning an error, ensuring that no dangling pointers are left behind.
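To make the sequence concrete, the following is a constructed user-space C model of the vulnerable and fixed 'damos_walk()' shapes (an added example, not the kernel's code); the '-EINVAL' return for an inactive context and the omission of the kernel's lock are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the damos_walk() pattern, not the kernel's code.
 * The kernel's lock is omitted; -EINVAL for an inactive ctx is assumed. */
struct walk_control { bool canceled; };
struct damon_ctx {
    bool running;                      /* is the DAMON context active? */
    struct walk_control *walk_control; /* pending walk request, if any */
};
typedef int (*walk_fn)(struct damon_ctx *, struct walk_control *);

/* Vulnerable shape: register the pointer, then fail without clearing it. */
static int damos_walk_vulnerable(struct damon_ctx *ctx,
                                 struct walk_control *control)
{
    if (ctx->walk_control)
        return -EBUSY;              /* a walk is already registered */
    ctx->walk_control = control;
    if (!ctx->running)
        return -EINVAL;             /* bug: walk_control still set */
    ctx->walk_control = NULL;       /* stands in for the completed walk */
    return 0;
}

/* Fixed shape: clear walk_control on the error path before returning. */
static int damos_walk_fixed(struct damon_ctx *ctx,
                            struct walk_control *control)
{
    if (ctx->walk_control)
        return -EBUSY;
    ctx->walk_control = control;
    if (!ctx->running) {
        ctx->walk_control = NULL;   /* fix: nothing dangling on error */
        return -EINVAL;
    }
    ctx->walk_control = NULL;
    return 0;
}

/* Two walks on an inactive context, each with its own stack control; returns
 * the second result. Vulnerable shape: first stays registered, so -EBUSY. */
static int second_walk_result(walk_fn walk)
{
    struct damon_ctx ctx = { .running = false, .walk_control = NULL };
    struct walk_control first = { .canceled = false };
    struct walk_control second = { .canceled = false };
    (void)walk(&ctx, &first);
    return walk(&ctx, &second);
}
```

With the vulnerable shape the second call reports '-EBUSY' even though the context never ran; with the fixed shape it reports the real condition, '-EINVAL'.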