Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's handling of socket buffer (SKB) coalescing when using the page pool for fragment recycling. This issue arises in the hns3 driver during normal receive (RX) operations. The vulnerability occurs when SKBs sharing a reference to the same page fragment are coalesced, leading to an incorrect release of page references. As a result, a page can be freed while still in use by another RX descriptor, causing IOMMU faults or memory corruption.
Exploitation of this vulnerability leads to a use-after-free condition, causing IOMMU faults or silently corrupting memory if the IOMMU is disabled.
The vulnerability can be reproduced by handling received packets on a network interface using the hns3 driver. During this process, coalesce SKBs that share a reference to the same page fragment. This can be done by receiving packets on multiple descriptors that allocate different halves of the same page, then coalescing the SKBs associated with those descriptors. Finally, release the coalesced SKBs, which will incorrectly drop page references, leading to a use-after-free condition.