CVE-2025-40218
Description
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/vaddr: do not repeat pte_offset_map_lock() until success
DAMON's virtual address space operation set implementation (vaddr) calls pte_offset_map_lock() inside the page table walk callback function. This is for reading and writing page table accessed bits. If pte_offset_map_lock() fails, it retries by returning the page table walk callback function with ACTION_AGAIN.
pte_offset_map_lock() can continuously fail if the target is a pmd migration entry, though. Hence it could cause an infinite page table walk if the migration cannot be done until the page table walk is finished. This indeed caused a soft lockup when CPU hotplugging and DAMON were running in parallel.
Avoid the infinite loop by simply not retrying the page table walk. DAMON is promising only a best-effort accuracy, so missing access to such pages is no problem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A vulnerability in the Linux kernel's DAMON virtual address space operation set can cause an infinite page table walk and a soft lockup when pte_offset_map_lock() fails repeatedly against a pmd migration entry.
Vulnerability
Overview
In the Linux kernel, the mm/damon/vaddr implementation calls pte_offset_map_lock() inside the page table walk callback function to read and write page table accessed bits. If pte_offset_map_lock() fails, the code retries by returning ACTION_AGAIN to the page table walker. However, pte_offset_map_lock() can continuously fail when the target is a pmd migration entry, leading to an infinite page table walk loop. This can cause a soft lockup when CPU hotplugging and DAMON are running in parallel [1].
Exploitation
Conditions
No special privileges or network access are required for an attacker to trigger this vulnerability; it occurs during legitimate concurrent operations of CPU hotplugging and DAMON monitoring. The issue is purely a kernel-level denial-of-service condition that arises from the way DAMON handles page table entries during memory management operations. No user interaction is needed beyond having the affected kernel version running with DAMON enabled and CPU hotplug events occurring.
Impact
The vulnerability results in a soft lockup of the system, effectively causing a denial of service (DoS). The system becomes unresponsive, requiring a reboot to recover. This can disrupt critical workloads and potentially lead to data loss if filesystems are not properly synced. The impact is limited to availability; there is no evidence of information disclosure or privilege escalation from this bug.
Mitigation
A patch has been merged into the mainline kernel to address this issue. The fix removes the retry behavior (ACTION_AGAIN) for failed pte_offset_map_lock(), ensuring that the page table walk does not loop infinitely. Because DAMON provides best-effort accuracy, missing access to such pages during migration is acceptable. Users should apply the corresponding stable kernel updates to prevent the soft lockup [1].
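The mechanism described in the CVE description and in the mitigation above, modelled in user-space C as an added example (this is not kernel code and not the patch itself): a walker that re-invokes its callback for as long as the callback sets ACTION_AGAIN, a pte_offset_map_lock() stand-in that fails for a pmd migration entry, and the callback in its pre-fix (retry) and post-fix (skip) forms. Every name ending in `_model`, the three-entry page table layout and the `retry_budget` bound are assumptions made for the demo; the real walker has no such bound, which is exactly why the pre-fix callback spins forever.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* User-space model of mm/pagewalk.c's ACTION_AGAIN handling and of the
 * DAMON vaddr callback before and after the fix.  All *_model names are
 * assumptions for this demo, not kernel interfaces. */

enum walk_action { ACTION_SUBTREE = 0, ACTION_CONTINUE, ACTION_AGAIN };

/* A pmd either points at a normal pte table or holds a migration entry. */
enum pmd_kind { PMD_PTE_TABLE, PMD_MIGRATION_ENTRY };

struct pmd_model {
    enum pmd_kind kind;
    int accessed;            /* stand-in for the pte accessed bit */
};

struct walk_model {
    enum walk_action action;
    long callback_calls;
};

typedef int (*pmd_entry_fn)(struct pmd_model *pmd, struct walk_model *walk);

/* Model of pte_offset_map_lock(): there is no pte table behind a migration
 * entry, so mapping it fails (NULL) for as long as the entry stays that way. */
static int *pte_offset_map_lock_model(struct pmd_model *pmd)
{
    if (pmd->kind != PMD_PTE_TABLE)
        return NULL;
    return &pmd->accessed;
}

/* Pre-fix behaviour: on failure, ask the walker to retry the same pmd. */
static int mkold_pmd_entry_retry(struct pmd_model *pmd, struct walk_model *walk)
{
    int *pte = pte_offset_map_lock_model(pmd);

    if (!pte) {
        walk->action = ACTION_AGAIN;
        return 0;
    }
    *pte = 0;                /* clear the accessed bit (mkold) */
    return 0;
}

/* Post-fix behaviour: give up on this pmd; DAMON is only best-effort. */
static int mkold_pmd_entry_skip(struct pmd_model *pmd, struct walk_model *walk)
{
    int *pte = pte_offset_map_lock_model(pmd);

    (void)walk;
    if (!pte)
        return 0;
    *pte = 0;
    return 0;
}

/* Model of the walker's pmd loop: ACTION_AGAIN re-invokes the callback on
 * the same pmd.  The kernel has no bound here; retry_budget exists only so
 * the demo terminates.  Returns the number of callback invocations, or -1
 * when the budget is exhausted, i.e. the real walker would spin forever. */
static long walk_pmd_range_model(struct pmd_model *pmds, size_t n,
                                 pmd_entry_fn cb, long retry_budget)
{
    struct walk_model walk = { ACTION_SUBTREE, 0 };
    size_t i;

    for (i = 0; i < n; i++) {
        long retries = 0;
again:
        walk.action = ACTION_SUBTREE;
        cb(&pmds[i], &walk);
        walk.callback_calls++;
        if (walk.action == ACTION_AGAIN) {
            if (++retries > retry_budget)
                return -1;
            goto again;
        }
    }
    return walk.callback_calls;
}

/* Constructed layout: two normal pmds around a migration entry that never
 * resolves during the walk.  Kept in a static so results can be inspected. */
static struct pmd_model last_layout[3];

static long walk_layout(pmd_entry_fn cb)
{
    static const struct pmd_model layout[3] = {
        { PMD_PTE_TABLE, 1 }, { PMD_MIGRATION_ENTRY, 1 }, { PMD_PTE_TABLE, 1 },
    };
    memcpy(last_layout, layout, sizeof layout);
    return walk_pmd_range_model(last_layout, 3, cb, 1000);
}

static int accessed_bit(size_t i)
{
    return last_layout[i].accessed;
}

int main(void)
{
    printf("retry callback: %ld calls\n", walk_layout(mkold_pmd_entry_retry));
    printf("skip callback:  %ld calls\n", walk_layout(mkold_pmd_entry_skip));
    return 0;
}
```

With the retry callback the walker never gets past the migration entry and the demo gives up at the budget (-1); with the skip callback the walk finishes in three invocations, the two normal pmds have their accessed bits cleared, and the migration entry is simply left alone, which is the loss of accuracy the fix accepts.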
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
4677ebfe5d00fac42320ec8730ccd91cf7495b93af2cc8e03
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (4)
No linked articles in our index yet.