Linux Kernel FUSE Subsystem Use-After-Free Vulnerability in Readahead Handling

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's FUSE (Filesystem in Userspace) subsystem, specifically in how readahead operations are managed. The issue was introduced by an earlier commit that converted the readahead logic to folios and dropped the reference on each folio once it was locked. This broke splice pipe responses, in which the old folio is removed from the page cache and replaced with a new one: the splice path still assumed that a reference was held on the folio backing the spliced pages, and once that assumption no longer held the folio could be freed while still in use. The fix reverts to the previous readahead method, which holds the folio reference for the entire duration of the readpages call, so that folio references remain valid throughout splicing.

Impact

Triggering this vulnerability causes the kernel to access freed memory. Depending on what reuses that memory, the result ranges from a kernel crash to memory corruption and potentially arbitrary code execution in kernel context.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         9.0
impact:         0.6
exploitability: 5.3
remediation:    0.0
relevance:      0.0
threat:         3.2
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.