Bug 2422712 (CVE-2025-40353) - CVE-2025-40353 kernel: arm64: mte: Do not warn if the page is already tagged in copy_highpage()
Summary: CVE-2025-40353 kernel: arm64: mte: Do not warn if the page is already tagged ...
Keywords:
Status: NEW
Alias: CVE-2025-40353
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-16 14:05 UTC by OSIDB Bzimport
Modified: 2025-12-17 01:17 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-12-16 14:05:42 UTC 
In the Linux kernel, the following vulnerability has been resolved:

arm64: mte: Do not warn if the page is already tagged in copy_highpage()

The arm64 copy_highpage() assumes that the destination page is newly
allocated and not MTE-tagged (PG_mte_tagged unset) and warns
accordingly. However, following commit 060913999d7a ("mm: migrate:
support poisoned recover from migrate folio"), folio_mc_copy() is called
before __folio_migrate_mapping(). If the latter fails (-EAGAIN), the
copy will be done again to the same destination page. Since
copy_highpage() already set the PG_mte_tagged flag, this second copy
will warn.

Replace the WARN_ON_ONCE(page already tagged) in the arm64
copy_highpage() with a comment.
Comment 1 Alexander B 2025-12-17 01:16:18 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025121636-CVE-2025-40353-fb93@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.