Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability has been identified in the Linux kernel's UBIFS (Unsorted Block Image File System): the reference count of a page is not incremented after the page is marked as private. As a result, the page migration process may incorrectly assume that the page is not in use by any other process, which can trigger a kernel bug. Because UBIFS does not increase the page reference count after setting the private flag, the different processes that manage page references can race with one another.
Exploitation of this vulnerability can cause a kernel panic: the page reference count is incorrectly managed, which leads to a 'BUG' in the page migration process.
The vulnerability can be reproduced by writing data to a UBIFS file, which triggers the 'write_begin' function. This function grabs a page and sets it as private without increasing the reference count. Once the page is marked private, it is unlocked and the reference count is decreased, leading to a situation where the page migration process mistakenly believes the page is not in use. The migration process then tries to move the page, causing a reference count mismatch and a kernel bug.
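The accounting mismatch described above, as a user-space C model added here for illustration (it is not kernel or UBIFS source). The struct, the function names and the simplified rule of one reference for the page cache plus one when the private flag is set are assumptions of this example.

```c
/* User-space model, constructed for illustration; not kernel source. */
#include <stdbool.h>
#include <stdio.h>

struct page_model {
    int  refcount;     /* stands in for the page reference count */
    bool has_private;  /* stands in for the private flag */
};

/* Page-cache grab: one reference for the cache, one for the caller. */
static void grab_page(struct page_model *p)
{
    p->refcount = 2;
    p->has_private = false;
}

/* Mark the page private; take_ref selects the corrected behaviour. */
static void set_private(struct page_model *p, bool take_ref)
{
    if (take_ref)
        p->refcount++;          /* the private flag owns a reference */
    p->has_private = true;
}

/* Assumed accounting rule: 1 for the page cache, +1 if private. */
static int expected_refs(const struct page_model *p)
{
    return 1 + (p->has_private ? 1 : 0);
}

/* Run the write path; return expected minus actual refs (0 = consistent). */
int write_path_shortfall(bool take_ref)
{
    struct page_model p;
    grab_page(&p);
    set_private(&p, take_ref);
    p.refcount--;               /* caller unlocks and drops its reference */
    return expected_refs(&p) - p.refcount;
}

int main(void)
{
    printf("private set without a reference: shortfall=%d\n",
           write_path_shortfall(false));
    printf("private set with a reference:    shortfall=%d\n",
           write_path_shortfall(true));
    return 0;
}
```

A non-zero shortfall means the page holds fewer references than its flags imply, which is the inconsistency that the migration path trips over.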