Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's KVM component, specifically in the x86 TDP MMU (the two-dimensional paging MMU). The issue arises when unmapping a range of guest frame numbers (GFNs): KVM fails to zap the mappings of every root, in particular roots that have already been marked invalid, when handling mmu_notifier callbacks. Such roots are not yet freed and still hold page-table entries, so they can keep referencing host pages that the notifier has released, resulting in use-after-free errors and related memory-safety problems.
Successful exploitation produces a use-after-free condition, which can corrupt kernel memory and potentially lead to arbitrary code execution.
The vulnerability can be reproduced by creating a scenario in which the 'set_nx_huge_pages' function and the 'kvm_mmu_notifier_release' function conflict; this can be achieved by modifying KVM to introduce such a collision. Alternatively, the same flaw exists between the 'kvm_mmu_notifier_invalidate_range_start' function and memory slot updates, where the improper handling of invalid roots can be exploited.
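To make the failure mode concrete, here is a simplified model written for this entry; it is not kernel code and not a reproduction. Roots, their page-table entries (SPTEs) and the notifier path are reduced to plain arrays, and the names unmap_gfn_range, dangling_refs and simulate_notifier_unmap are invented for the model. It shows why a root that is already invalid, but not yet freed, still has to be zapped when the host reclaims a page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#define NUM_ROOTS 3
#define NUM_GFNS  4
/* A guest root page table, flattened to one SPTE per guest frame number. */
struct tdp_root {
    bool  valid;            /* false once KVM starts tearing the root down */
    void *spte[NUM_GFNS];   /* host page each guest frame currently maps to */
};
static struct tdp_root roots[NUM_ROOTS];

/* mmu_notifier path: drop every mapping in [start, end). include_invalid models
 * the fix: an invalid root still holds SPTEs, so it must be zapped as well. */
static void unmap_gfn_range(size_t start, size_t end, bool include_invalid)
{
    for (int r = 0; r < NUM_ROOTS; r++) {
        if (!roots[r].valid && !include_invalid)
            continue;       /* buggy behaviour: invalid roots are skipped */
        for (size_t g = start; g < end; g++)
            roots[r].spte[g] = NULL;
    }
}

/* SPTEs across all roots that still point at hp after the notifier ran. */
static int dangling_refs(const void *hp)
{
    int n = 0;
    for (int r = 0; r < NUM_ROOTS; r++)
        for (size_t g = 0; g < NUM_GFNS; g++)
            n += (roots[r].spte[g] == hp);
    return n;
}

/* Constructed scenario: every root maps all guest frames to one host page and
 * root 1 is mid-teardown (invalid). The host then reclaims the page, so every
 * SPTE still pointing at it is a dangling reference; returns how many remain. */
int simulate_notifier_unmap(bool include_invalid)
{
    void *hp = malloc(64);  /* stands in for the host page being reclaimed */
    for (int r = 0; r < NUM_ROOTS; r++) {
        roots[r].valid = (r != 1);
        for (size_t g = 0; g < NUM_GFNS; g++)
            roots[r].spte[g] = hp;
    }
    unmap_gfn_range(0, NUM_GFNS, include_invalid);
    int dangling = dangling_refs(hp);
    free(hp);               /* host reclaims the page */
    return dangling;
}
```

With the buggy behaviour the invalid root keeps all NUM_GFNS entries pointing at the freed page; with the fix applied the count drops to zero.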