CVE-2025-40218

DAMON's virtual address space operation set implementation (vaddr) calls pteoffsetmaplock() inside the page table walk callback function. This is for reading and writing page table accessed bits. If pteoffsetmaplock() fails, it retries by returning the page table walk callback function with ACTION_AGAIN.

pteoffsetmap_lock() can continuously fail if the target is a pmd migration entry, though. Hence it could cause an infinite page table walk if the migration cannot be done until the page table walk is finished. This indeed caused a soft lockup when CPU hotplugging and DAMON were running in parallel.

Avoid the infinite loop by simply not retrying the page table walk. DAMON is promising only a best-effort accuracy, so missing access to such pages is no problem.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40218.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

7780d04046a2288ab85d88bedacc60fa4fad9971

Fixed

677ebfe5d00f94adec0c0204f6e6e2a82d3f77bf

Fixed

ac42320ec873bfe726141069cfdd90ee5bc4e885

Fixed

0ccd91cf749536d41307a07e60ec14ab0dbf21f5

Fixed

b93af2cc8e036754c0d9970d9ddc47f43cc94b9f

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40218.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.5.0

Fixed

6.6.113

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.54

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.17.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40218.json"