VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-40353

Description

In the Linux kernel, the following vulnerability has been resolved:

arm64: mte: Do not warn if the page is already tagged in copy_highpage()

The arm64 copy_highpage() assumes that the destination page is newly allocated and not MTE-tagged (PG_mte_tagged unset) and warns accordingly. However, following commit 060913999d7a ("mm: migrate: support poisoned recover from migrate folio"), folio_mc_copy() is called before __folio_migrate_mapping(). If the latter fails (-EAGAIN), the copy will be done again to the same destination page. Since copy_highpage() already set the PG_mte_tagged flag, this second copy will warn.

Replace the WARN_ON_ONCE(page already tagged) in the arm64 copy_highpage() with a comment.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, arm64 MTE copy_highpage() incorrectly warns when the destination page is already tagged, causing false positive warnings during folio migration retries.

Vulnerability

Description

The arm64 copy_highpage() function in the Linux kernel assumes that the destination page is newly allocated and not MTE-tagged (i.e., PG_mte_tagged unset). It includes a WARN_ON_ONCE to detect if the page is already tagged. However, after commit 060913999d7a ("mm: migrate: support poisoned recover from migrate folio"), folio_mc_copy() is called before __folio_migrate_mapping(). If the latter fails with -EAGAIN, the copy is retried on the same destination page. Since the first copy already set PG_mte_tagged, the second copy triggers the warning spuriously.
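The ordering problem described above, modelled as an added example that is not kernel code and not part of the advisory: a toy page with a tagged flag, a copy routine with and without the old warn check, and a migration loop that re-copies into the same destination after each -EAGAIN. The struct page layout, the flag bit, PAGE_BYTES and every function name here are simplified stand-ins (assumptions), not the real arm64 MTE or mm/migrate.c code.

```c
#include <stdio.h>
#include <string.h>
#define PG_MTE_TAGGED (1UL << 0)   /* stand-in for the real PG_mte_tagged page flag */
#define PAGE_BYTES    64           /* toy page size; one MTE tag per 16-byte granule */

struct page {
    unsigned long flags;
    unsigned char data[PAGE_BYTES];
    unsigned char tags[PAGE_BYTES / 16];
};
static int warn_hits;              /* how often the "already tagged" check was true */
/* Copy data and MTE tags; warn_if_tagged selects the pre-fix WARN_ON_ONCE check.
 * The real macro prints only once; here every hit is counted. */
static void copy_highpage_model(struct page *to, const struct page *from, int warn_if_tagged)
{
    memcpy(to->data, from->data, PAGE_BYTES);
    if (from->flags & PG_MTE_TAGGED) {
        if (warn_if_tagged && (to->flags & PG_MTE_TAGGED))
            warn_hits++;           /* pre-fix: destination assumed freshly allocated */
        memcpy(to->tags, from->tags, sizeof(to->tags));
        to->flags |= PG_MTE_TAGGED;   /* the first copy leaves the destination tagged */
    }
}

/* Migration order after commit 060913999d7a: copy first, then switch the mapping; each
 * -EAGAIN from the mapping step redoes the copy into the SAME, now tagged, destination. */
static void migrate_model(struct page *dst, const struct page *src, int fail_times, int warn_if_tagged)
{
    warn_hits = 0;
    for (int attempt = 0; attempt <= fail_times; attempt++)
        copy_highpage_model(dst, src, warn_if_tagged);   /* folio_mc_copy() stand-in */
}

/* Migrate one tagged source page; returns warn hits, or -1 if the copy is wrong. */
int warn_hits_after_migration(int fail_times, int warn_if_tagged)
{
    struct page src = { .flags = PG_MTE_TAGGED }, dst = { 0 };
    memset(src.data, 0xAB, PAGE_BYTES);
    memset(src.tags, 0x7, sizeof(src.tags));
    migrate_model(&dst, &src, fail_times, warn_if_tagged);
    if (memcmp(dst.tags, src.tags, sizeof(src.tags)) || memcmp(dst.data, src.data, PAGE_BYTES))
        return -1;                 /* a retried copy must still yield an exact copy */
    return warn_hits;
}

int main(void)
{
    printf("pre-fix: %d hit(s), fixed: %d hit(s)\n", warn_hits_after_migration(1, 1), warn_hits_after_migration(1, 0));
    return 0;
}
```

With no retry neither variant fires; with one retry the pre-fix check fires once while the fixed variant stays silent, and in both cases the destination ends up an exact copy, which is why the fix can drop the check rather than the retry.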

Exploitation and Attack Surface

This is a kernel bug that manifests as a spurious warning message during folio migration retries. No special privileges or network access are required to trigger it; it occurs during normal memory migration operations, such as when handling poisoned pages. The warning is not exploitable for privilege escalation or code execution, but it can cause unnecessary noise in kernel logs and may lead to system instability if the warning is treated as a panic on some configurations.

Impact

The primary impact is a false positive kernel warning that can flood system logs and potentially cause a denial-of-service condition if the warning is configured to trigger a kernel panic (e.g., via panic_on_warn). The bug does not introduce a memory corruption or security bypass; it is a correctness issue in the MTE tagging logic.

Mitigation

The fix replaces the WARN_ON_ONCE with a comment, acknowledging that the page may already be tagged. The patch has been applied to the stable kernel trees as commits [1] and [2]. Users should update to a kernel version containing these commits to eliminate the spurious warnings.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2
  • Linux/Kernel (inferred), 2 versions, no CPE identifiers

Patches: 3

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3
