Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A race condition in the Linux kernel's zsmalloc memory management exists between the asynchronous zspage free process and page migration. The zspage free worker attempts to lock a zspage's entire page list without accounting for concurrent page migrations. As a result, the locking function can reference pages that have already migrated away and dereference page pointers that are no longer safe to use. The resulting data races could be exploited to cause memory corruption.
The vulnerability can cause memory corruption by allowing the zspage locking function to reference migrated pages, leading to unsafe dereferencing of page pointers. This could potentially be exploited to manipulate memory in a way that causes undefined behavior or crashes.
The vulnerability has been addressed by modifying the zspage locking function to synchronize with page migrations, using a migration read lock to prevent races.