Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability has been identified in the Linux kernel's memory management system, specifically in the virtual memory reclaim process. The issue arises when a dirty swapcache page that is still referenced by two users is isolated by the reclaim process. A memory failure on the page then clears its 'uptodate' flag, and the attempt to remove the page from the least recently used (LRU) list fails because reclaim has already isolated it. The page is therefore returned to the LRU list but is never freed, so it remains in the list indefinitely. When the reclaim process is triggered again, the 'add_to_swap' function encounters a bug because the 'uptodate' flag has been cleared, leading to a kernel error.
This vulnerability can cause a memory leak, where dirty swapcache pages are not properly freed and remain in the LRU list forever, potentially leading to increased memory usage and degradation of system performance.
The vulnerability can be reproduced by following these steps:

1. Allow a dirty swapcache page to be isolated by the memory reclaim process.
2. Once the page is isolated, inject a memory failure for that page. This clears the 'uptodate' flag and attempts to remove the page from the LRU list, but the removal fails.
3. The reclaim process then returns the hwpoisoned page to the LRU list.
4. After the process that was using the hwpoisoned page exits, the page is deleted but not freed, leaving it in the LRU list indefinitely.
5. Trigger the memory reclaim process again; it attempts to reclaim the hwpoisoned page and encounters a bug because the 'uptodate' flag has been cleared.
The vulnerability has been addressed in the Linux kernel by modifying the memory reclaim process to skip hwpoisoned pages, ensuring they are properly unmapped and not left in the LRU list.
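
The ordering problem and the effect of the fix can be followed in a small user-space model. This is an added example, not kernel code: the struct, the function names and the outcome values are hypothetical simplifications of the states named in the description above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of one page; fields are illustrative, not kernel structures. */
struct page_model { bool swapcache, uptodate, hwpoison, on_lru, mapped; };
enum outcome { PUT_BACK, SKIPPED_HWPOISON, HIT_BUG, NOTHING_ON_LRU };
struct replay_result { enum outcome second_pass; bool stuck_on_lru; };

/* Reclaim takes a page off the LRU before working on it. */
static bool isolate(struct page_model *p) {
    if (!p->on_lru) return false;
    p->on_lru = false;
    return true;
}

/* Memory failure: poison the page, clear 'uptodate', try LRU removal.
 * Returns false when the removal fails because reclaim holds the page. */
static bool memory_failure(struct page_model *p) {
    bool removed = p->on_lru;
    p->hwpoison = true;
    p->uptodate = false;
    p->on_lru = false;
    return removed;
}

/* Rest of reclaim for an isolated page; skip_hwpoison models the fix. */
static enum outcome finish_reclaim(struct page_model *p, bool skip_hwpoison) {
    if (skip_hwpoison && p->hwpoison) {
        p->mapped = false;              /* unmap; never returned to the LRU */
        return SKIPPED_HWPOISON;
    }
    if (!p->swapcache) {                /* models the add_to_swap step */
        if (!p->uptodate) return HIT_BUG;
        p->swapcache = true;
    }
    p->on_lru = true;                   /* not freed: put back on the LRU */
    return PUT_BACK;
}

/* Replays the described sequence and reports the second reclaim pass. */
static struct replay_result replay(bool skip_hwpoison) {
    struct page_model p = { .swapcache = true, .uptodate = true,
                            .on_lru = true, .mapped = true };
    struct replay_result r;
    isolate(&p);                            /* first reclaim pass begins */
    memory_failure(&p);                     /* LRU removal fails here */
    finish_reclaim(&p, skip_hwpoison);      /* first reclaim pass ends */
    p.mapped = false; p.swapcache = false;  /* owning process exits */
    r.stuck_on_lru = p.on_lru;
    r.second_pass = isolate(&p) ? finish_reclaim(&p, skip_hwpoison)
                                : NOTHING_ON_LRU;
    return r;
}
```

With `skip_hwpoison` false the page is still on the LRU after its owner exits and the second pass ends in `HIT_BUG`; with it true the page never returns to the LRU and the second pass finds nothing to reclaim.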