CVE-2025-40218

Summary

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/vaddr: do not repeat pte_offset_map_lock() until success

DAMON's virtual address space operation set implementation (vaddr) calls pte_offset_map_lock() inside the page table walk callback function. This is for reading and writing page table accessed bits. If pte_offset_map_lock() fails, it retries by returning the page table walk callback function with ACTION_AGAIN.

pte_offset_map_lock() can continuously fail if the target is a pmd migration entry, though. Hence it could cause an infinite page table walk if the migration cannot be done until the page table walk is finished. This indeed caused a soft lockup when CPU hotplugging and DAMON were running in parallel.

Avoid the infinite loop by simply not retrying the page table walk. DAMON is promising only a best-effort accuracy, so missing access to such pages is no problem.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux7780d04046a2288ab85d88bedacc60fa4fad9971 < 677ebfe5d00f94adec0c0204f6e6e2a82d3f77bfaffected
LinuxLinux7780d04046a2288ab85d88bedacc60fa4fad9971 < ac42320ec873bfe726141069cfdd90ee5bc4e885affected
LinuxLinux7780d04046a2288ab85d88bedacc60fa4fad9971 < 0ccd91cf749536d41307a07e60ec14ab0dbf21f5affected
LinuxLinux7780d04046a2288ab85d88bedacc60fa4fad9971 < b93af2cc8e036754c0d9970d9ddc47f43cc94b9faffected
LinuxLinux6.5affected
LinuxLinux0 < 6.5unaffected
LinuxLinux6.6.113 <= 6.6.*unaffected
LinuxLinux6.12.54 <= 6.12.*unaffected
LinuxLinux6.17.4 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References