Linux Kernel Shmem Folio Migration Vulnerability Leading to XArray Corruption

Vulnerability

A vulnerability in the Linux kernel's memory management migration code can corrupt XArray multi-index entries. A shmem folio can be either in the page cache or in the swap cache, but never in both at once: once it is in the swap cache, its mapping is NULL and it no longer belongs to a shmem address space. The two caches also store a large folio differently: the page cache keeps it as a single multi-index entry whose remaining indices are sibling entries pointing back at it, while the swap cache keeps one entry per page. In __folio_migrate_mapping(), the number of XArray entries to update was chosen with folio_test_swapbacked(), which is true for every shmem folio, instead of folio_test_swapcache(), which is true only while the folio is in the swap cache. For a large shmem folio in the page cache this stores the new folio into every index of the range, so xas_store() turns the sibling entries into normal entries and corrupts the multi-index entry. The fix selects the entry count from folio_test_swapcache() alone. According to the references cited for this entry, the corruption can be triggered from userspace.

Impact

Triggering this vulnerability corrupts XArray multi-index entries in the page cache of a shmem mapping: the sibling entries that should resolve a large folio's tail indices to its head become independent entries pointing at the migrated folio. Later lookups and stores on that range then operate on an inconsistent structure, which can lead to further memory management errors in the kernel and to instability of applications that use the affected shmem or tmpfs mapping.

Reproduction

The vulnerability is reached by creating a large (multi-page) shmem folio that sits in the page cache, not in the swap cache, and then triggering migration of that folio, for example through the migrate_pages(2) or move_pages(2) system calls or indirectly via memory compaction. Large shmem folios require large folio support for shmem, such as tmpfs mounted with a huge= option. Because the folio is swap-backed but not in the swap cache, the migration code updates every index of the folio's range as if the page cache held per-page entries, which overwrites the sibling entries and corrupts the multi-index entry. A folio that is actually in the swap cache is stored as per-page entries and is updated correctly even on the unfixed kernel.
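To make the mechanism concrete, the following is an added example, not code from this entry or from the kernel. It models the XArray as a flat array of slots with head and sibling entries and reproduces the update loop of __folio_migrate_mapping() with both the buggy folio_test_swapbacked() choice and the fixed folio_test_swapcache() choice. The slot model, the folio ids, the helper names and the index used are assumptions made for the illustration; the only line that differs between the two kernels is the one that picks the entry count.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the XArray storage the bug corrupts (assumption: a flat
 * array of slots stands in for the real tree). In the page cache a large
 * folio of nr pages is one multi-index entry: a head slot at its index and
 * nr-1 sibling slots pointing back at the head. In the swap cache the same
 * folio is stored as nr independent per-page entries.
 */
#define NSLOTS 16

enum slot_kind { SLOT_EMPTY, SLOT_ENTRY, SLOT_SIBLING };

struct slot {
	enum slot_kind kind;
	int folio;	/* folio id when kind == SLOT_ENTRY */
	int head;	/* index of the head slot when kind == SLOT_SIBLING */
};

struct toy_xarray { struct slot s[NSLOTS]; };

/* Only the folio state that __folio_migrate_mapping() looks at. */
struct toy_folio {
	int id;
	int nr;			/* folio_nr_pages() */
	bool swapbacked;	/* folio_test_swapbacked(): true for any shmem folio */
	bool swapcache;		/* folio_test_swapcache(): true only in swap cache */
};

/* Page cache layout: head entry plus sibling entries. */
static void store_multi_index(struct toy_xarray *xa, int index, const struct toy_folio *f)
{
	xa->s[index] = (struct slot){ SLOT_ENTRY, f->id, -1 };
	for (int i = 1; i < f->nr; i++)
		xa->s[index + i] = (struct slot){ SLOT_SIBLING, -1, index };
}

/* Swap cache layout: one entry per page. */
static void store_per_page(struct toy_xarray *xa, int index, const struct toy_folio *f)
{
	for (int i = 0; i < f->nr; i++)
		xa->s[index + i] = (struct slot){ SLOT_ENTRY, f->id, -1 };
}

/*
 * Mirrors the update loop in __folio_migrate_mapping(): xas_store() the new
 * folio, xas_next(), repeated 'entries' times. A plain store replaces whatever
 * the slot held, so storing into a sibling slot turns it into a normal entry.
 */
static void migrate_mapping(struct toy_xarray *xa, int index,
			    const struct toy_folio *old, const struct toy_folio *newf,
			    bool fixed)
{
	int entries;

	if (fixed)
		entries = old->swapcache ? old->nr : 1;   /* fixed: swap cache only */
	else
		entries = old->swapbacked ? old->nr : 1;  /* buggy: any shmem folio */

	for (int i = 0; i < entries; i++)
		xa->s[index + i] = (struct slot){ SLOT_ENTRY, newf->id, -1 };
}

/* Count slots in the folio's range that no longer have the expected shape. */
static int count_bad_slots(const struct toy_xarray *xa, int index, int nr,
			   int new_id, bool per_page)
{
	int bad = 0;

	for (int i = 0; i < nr; i++) {
		const struct slot *s = &xa->s[index + i];

		if (per_page || i == 0)
			bad += !(s->kind == SLOT_ENTRY && s->folio == new_id);
		else
			bad += !(s->kind == SLOT_SIBLING && s->head == index);
	}
	return bad;
}

/*
 * Migrate a 4-page shmem folio (constructed sample ids 1 -> 2 at index 4)
 * held in the page cache or the swap cache, on a buggy or fixed kernel, and
 * return how many of its slots ended up corrupted.
 */
static int run_scenario(bool in_swapcache, bool fixed)
{
	struct toy_xarray xa;
	struct toy_folio old = { .id = 1, .nr = 4, .swapbacked = true, .swapcache = in_swapcache };
	struct toy_folio newf = old;
	int index = 4;

	newf.id = 2;
	memset(&xa, 0, sizeof(xa));
	if (in_swapcache)
		store_per_page(&xa, index, &old);
	else
		store_multi_index(&xa, index, &old);

	migrate_mapping(&xa, index, &old, &newf, fixed);
	return count_bad_slots(&xa, index, old.nr, newf.id, in_swapcache);
}

int main(void)
{
	printf("page cache, buggy: %d corrupted slots\n", run_scenario(false, false));
	printf("page cache, fixed: %d corrupted slots\n", run_scenario(false, true));
	printf("swap cache, buggy: %d corrupted slots\n", run_scenario(true, false));
	printf("swap cache, fixed: %d corrupted slots\n", run_scenario(true, true));
	return 0;
}
```

Run stand-alone, the program reports 3 corrupted slots for the 4-page shmem folio in the page cache on the buggy kernel (the three sibling entries were overwritten with normal entries) and 0 in the other three cases, which is why a folio in the swap cache was never affected and why switching the predicate to folio_test_swapcache() is a complete fix for this path.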

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.