Linux Kernel Userfaultfd Move Vulnerability Leading to Kernel BUG

A vulnerability in the Linux kernel's memory management component has been identified, specifically within the userfaultfd_move function. This issue arises when the function encounters a PTE (Page Table Entry) that is a swap entry, which can still reference a folio in the swap cache. The vulnerability creates a race condition that can lead to a kernel BUG. When the swap PTE is moved to a destination address, it may cause a mismatch during folio migration, triggering a kernel error. This vulnerability can be reproduced by manipulating PTE entries and accessing the destination address before the swap cache is cleared, resulting in a mismatch that the kernel cannot handle.

Impact

Exploitation of this vulnerability causes a kernel BUG, leading to a crash or instability in the system.

Reproduction

The vulnerability can be reproduced by adding a folio to the swap cache, converting the PTE to a swap entry, and then moving the swap PTE to a new destination address before the swap cache is cleared. This creates a race condition that the kernel's memory management cannot resolve, causing a BUG during the add_rmap operation.