Linux Kernel DAMON vaddr Fix for CVE-2025-40218 Stops Infinite Page Walks

The Linux kernel fix tracked as CVE-2025-40218 addresses a subtle but practical correctness bug in DAMON’s virtual-address handling: the vaddr page‑table walker retried pte_offset_map_lock on failure, which could loop forever when the target entry was a PMD migration descriptor and the migration could not proceed. That infinite walk manifested as a soft lockup when DAMON ran concurrently with CPU hotplug operations; the upstream remedy is intentionally small and surgical — stop retrying the page‑table walk in that path because DAMON is a best‑effort monitor and skipping inaccessible pages is acceptable.

Background / Overview​

DAMON (Data Access Monitor) is a kernel subsystem designed to observe how user memory is accessed and to provide best‑effort telemetry used by reclamation and profiling facilities. It walks user page tables to read or clear accessed bits and performs sampling across virtual address ranges to infer working sets and hot pages. Because DAMON runs in potentially concurrent environments and trades accuracy for scalability, its page‑table walking logic is defensive by design — usually tolerating missed pages or transient races. The bug fixed by this CVE arises where that defensive logic crossed an unsafe boundary: the code retried a page‑table mapping operation until success even when the failure mode could be permanent while the walker still owned other locks and the system was mid‑migration. Page‑table helpers such as pte_offset_map_lock are used to obtain a PTE pointer and lock the relevant page table page during a walk. When pte_offset_map_lock fails, existing pagewalker infrastructure can request the callback return ACTION_AGAIN to indicate “retry this address later.” That pattern works for transient failures but can deadlock if the failure is caused by a PMD migration entry that cannot complete until the page‑table walk itself finishes — a circular dependency that can freeze the walker in place. The fix abandons repeated retries inside the DAMON vaddr callback and treats the failure as a skip; for a best‑effort monitor, missing the occasional page is acceptable and far safer than risking an infinite loop and system unresponsiveness.

---

What the vulnerability actually is​

Technical anatomy​

• The vulnerable component: mm/damon/vaddr — DAMON’s virtual‑address operation set implementation.
• Faulting primitive: pte_offset_map_lock, called inside the page‑table walk callback to obtain the PTE and lock it while reading/writing the accessed bits.
• Failure mode: when pte_offset_map_lock fails due to the PTE being a PMD migration entry, the callback returned ACTION_AGAIN so the walker would retry the same PTE.
• Pathology: if migration cannot progress until the page‑table walk finishes, the walker repeatedly retries and never completes the walk, producing a CPU soft lockup (watchdog‑level hang) under concurrent CPU hotplugging or similar races.

Why the loop happens​

The kernel’s page‑table walking machinery assumes that ACTION_AGAIN is an appropriate strategy for transient failures. But PMD migration entries are special: they indicate that the page is in the process of being migrated (for example, by a background migration helper). If the migration itself requires the page‑table walker to finish first, retrying in place produces a self‑referential wait. Repeatedly invoking the callback with ACTION_AGAIN creates an infinite page‑table walk loop, which is the core defect here. The practical symptom is a CPU that appears stuck in kernel space handling the walk, normally visible as soft lockup traces and watchdog timeouts.

---

Why the upstream fix is small and safe​

The kernel patch removes the repeated‑retry behavior from DAMON’s vaddr callback: instead of returning ACTION_AGAIN when pte_offset_map_lock fails, the callback treats the failure as “skip this entry” and continues. That change is consistent with DAMON’s design goal of best‑effort accuracy. Rather than attempt to co‑ordinate a complex migration/retry handshake (which risks further races and more invasive changes), maintainers chose a minimal, low‑risk correction that eliminates the infinite loop while preserving DAMON’s monitoring utility. The patch is small (a handful of lines changed in mm/damon/vaddr.c) and has been propagated into the stable kernel updates.

---

Scope and affected systems​

• Affected component: Linux kernels that include the DAMON vaddr page‑table walker implementation prior to the stable commits that incorporate the fix. The vulnerability is upstream Linux kernel code (not a distribution‑specific binary).
• Typical exposure: local — an adversary needs local access to run workloads that exercise DAMON or to trigger CPU hotplug sequences in combination with DAMON sampling. In practice, most desktop/desktop‑class kernels and many server kernels include DAMON, and some distributions ship kernels that enable its interfaces for performance tooling.
• High‑risk profiles: long‑uptime hosts, multi‑tenant hypervisors, cloud nodes, and embedded devices where CPU topology changes (hotplug) or heavy concurrent memory management occur. These systems are more sensitive because a soft lockup can affect many tenants or long‑running services.

---

Real‑world impact and exploitability​

This defect is an availability issue rather than a confidentiality or integrity vulnerability. The primary observable consequence is a soft lockup or prolonged CPU hang that degrades service and may force reboots. It does not provide a direct path to arbitrary code execution or privilege escalation by itself. Attackers could, however, use this as a denial‑of‑service primitive in environments where they can run untrusted code locally or from within containers/VMs with access to the guest’s page table walking facilities. For multi‑tenant or shared hosts, that makes the defect operationally urgent even without an RCE-level risk. Risk factors that raise priority:

• Systems with untrusted code running under the same kernel (containers, cloud VMs).
• Hosts that rely on long uptimes and have CPU hotplug workflows (scale‑out clusters, power‑managed servers, or nodes that dynamically reconfigure CPU sets).
• Environments where DAMON is actively used by monitoring or reclamation daemons that operate frequently and with broad address ranges.

---

How vendors and trackers have recorded the issue​

The CVE entry for CVE‑2025‑40218 was added to NVD with the upstream‑provided description and references to the kernel stable commits that implement the fix. Independent vulnerability aggregators (CVEDetails, Tenable, OpenCVE, and others) reproduced the description and listed the same references to kernel.org stable commit IDs; the stable patch mailings and spin‑out posts include the patch text and brief rationale. These multiple independent records allow operators to cross‑map the upstream commit to their distribution kernel packages.

---

Patching and remediation guidance​

• Priority: install a kernel package that includes the upstream stable commit referenced in the CVE. For most environments the only complete remediation is to boot a patched kernel.
• How to find the right package:
• Check your distribution’s security tracker/changelog for entries referencing CVE‑2025‑40218 or the upstream commit IDs cited in NVD.
• Use package changelogs or kernel package metadata to confirm the stable commit ID is present before marking systems remediated.
• Staged rollout:
• Pilot the updated kernel on representative hosts (especially those that exercise DAMON or CPU hotplug operations).
• Monitor for regressions and verify that the soft‑lockup behavior no longer occurs under the previously problematic test paths.
• Short‑term mitigations (if immediate patching is impossible):
• Reduce or disable workloads that simultaneously perform CPU hotplug operations and heavy DAMON sampling.
• If DAMON is used via a specific user‑space tool or module, consider disabling that tool until the kernel is patched.
• For cloud providers, schedule reboots into patched images during maintenance windows and prioritize multi‑tenant hosts.

Practical commands for triage and verification:

• Identify kernel version: uname -r.
• Check for kernel changelog entries in /usr/share/doc or package metadata that mention the commit IDs referenced in NVD.
• Monitor kernel logs (dmesg / journalctl -k) for watchdog or soft‑lockup traces that reference mm/damon or pagewalk helpers.

---

Detection and hunting tips​

• Watch kernel logs for signs of soft lockups:
• Repeated watchdog messages or “soft lockup” text for CPUs.
• Traces that include mm/damon/vaddr or page‑table walker functions in the backtrace.
• Correlate incidents with recent CPU topology changes (hotplugging) or maintenance tasks that modify CPU online/offline state.
• If you can reproduce, run DAMON workloads in an isolated test VM and issue CPU hotplug operations; before the patch, this is the observed trigger that produced the infinite walk in field reports. Only run reproducers in a controlled lab — production hosts should not be intentionally caused to hang.

Operational note: Because this is an availability defect, traditional IDS/EDR signatures are unlikely to detect it. Instead, focus on telemetry and kernel logs and treat it as an operations problem to be solved through patching and controlled rollouts.

---

Why the fix is preferred to heavier alternatives​

Kernel maintainers prefer minimal, surgical fixes for correctness bugs that affect concurrency and ordering semantics. Reworking DAMON’s entire page‑table walking strategy to accommodate repeated PMD‑migration cases would be invasive and increase regression risk. The chosen correction — don’t retry on pte_offset_map_lock failure inside DAMON’s vaddr callback — eliminates the risk of the infinite loop while respecting DAMON’s best‑effort guarantees. That makes the patch low‑risk and easy to backport to stable kernel branches, which helps downstream distributions and vendors roll out updates more quickly.

---

Practical checklist for administrators (prioritized)​

• Inventory: identify kernels and hosts where DAMON is enabled or monitored (check kernel config and running modules/tools).
• Map: consult your distribution’s security tracker and NVD for CVE‑2025‑40218 and map to package names.
• Patch: obtain patched kernels from your vendor or distribution and schedule reboots. Validate changelog includes upstream commit references.
• Test: in a pilot, reproduce the previously observed CPU hotplug + DAMON workload to confirm the fix removes the soft lockup.
• Monitor: after rollout, keep an eye on watchdog/soft‑lockup alerts and kernel log anomalies.
• Compensate: where patching is slow, minimize CPU topology changes during periods of heavy DAMON activity and suspend non‑essential monitoring that causes broad page walks.

---

Cross‑verification and source confidence​

The technical description in NVD is mirrored by multiple independent trackers and by the kernel stable patch mailings and spinics patch posts, giving high confidence in the diagnosis and the chosen remedy. NVD’s entry lists the same kernel.org stable commit IDs that were included in the stable patch series posts, and distribution security databases have begun mapping the upstream commits into vendor packages. That cross‑corroboration between the upstream commits and third‑party trackers supports the conclusion that this is a correctness/availability fix with no direct RCE or privilege‑escalation vector. Caveat: exact distribution package mappings (which kernel package version on your distro contains the stable backport) require vendor confirmation. Use your distribution’s official security feed or package changelog to determine the right package; do not assume the upstream commit implicitly implies a specific distro package.

---

Broader operational context and risks​

This CVE is another example of how small, localized kernel correctness lapses in low‑level memory and page‑table code can produce outsized operational effects in multi‑tenant or long‑uptime environments. Even when a bug is not exploitable for code execution, an availability primitive — a reproducible way to hang a CPU or crash a host — is high‑value to attackers aiming to disrupt services. For that reason, organizations with shared hosting, CI/CI runners, or untrusted containers must treat these fixes as urgent. Community advisories for similar kernel defects have repeatedly emphasized rapid deployment of stable backports to reduce blast radius.

---

Final verdict — what operators should do now​

• Treat CVE‑2025‑40218 as an availability bug with real operational impact in multi‑tenant and hotplug‑enabled environments.
• Patch promptly: obtain and install the vendor/distribution kernel packages that include the stable commit(s) referenced by NVD and the kernel stable patch series.
• Validate with a staged rollout and focused tests simulating DAMON workloads and CPU hotplug sequences.
• If immediate patching isn’t possible, reduce concurrent CPU hotplug operations and consider temporarily disabling or reducing the scope of DAMON sampling on sensitive hosts.

The fix is small, conservative, and already present in the upstream stable patches; the practical risk window is the time it takes for distribution kernels to include the backport and for operators to reboot into patched kernels. Cross‑check package changelogs against the upstream stable commit IDs listed in the public advisories before declaring systems remediated.

---

Note on sources and verifiability: the description above is summarized from the upstream kernel patch discussion and multiple independent vulnerability trackers. The National Vulnerability Database (NVD) contains the official CVE text and references the upstream kernel stable commits; independent trackers and stable‑patch mailing lists reproduce the same patch text and rationale. Operator guidance focuses on upstream‑to‑vendor mapping and safe rollout practice; distribution‑specific package names and backport schedules must be confirmed via your vendor’s security advisory or package changelog.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center