Bug 2418803 (CVE-2025-40218) - CVE-2025-40218 kernel: mm/damon/vaddr: do not repeat pte_offset_map_lock() until success
Summary: CVE-2025-40218 kernel: mm/damon/vaddr: do not repeat pte_offset_map_lock() un...
Keywords:
Status: NEW
Alias: CVE-2025-40218
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-04 15:02 UTC by OSIDB Bzimport
Modified: 2025-12-05 17:15 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-12-04 15:02:14 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mm/damon/vaddr: do not repeat pte_offset_map_lock() until success

DAMON's virtual address space operation set implementation (vaddr) calls
pte_offset_map_lock() inside the page table walk callback function.  This
is for reading and writing page table accessed bits.  If
pte_offset_map_lock() fails, it retries by returning the page table walk
callback function with ACTION_AGAIN.

pte_offset_map_lock() can continuously fail if the target is a pmd
migration entry, though.  Hence it could cause an infinite page table walk
if the migration cannot be done until the page table walk is finished. 
This indeed caused a soft lockup when CPU hotplugging and DAMON were
running in parallel.

Avoid the infinite loop by simply not retrying the page table walk.  DAMON
is promising only a best-effort accuracy, so missing access to such pages
is no problem.
Comment 1 Alexander B 2025-12-05 17:11:12 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120452-CVE-2025-40218-d4dc@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.