Linux Kernel Userptr Notifier vs Folio Deadlock Vulnerability

Vulnerability

A deadlock vulnerability has been identified in the Linux kernel's Direct Rendering Manager (DRM) user pointer (userptr) handling. The issue arises when the core kernel's page migration code holds folio locks while it operates on the mappings of those folios. Because these mappings are connected to user pointers, this triggers notifier callbacks that require additional locking. A deadlock can result if the migration process and the notifier callback contend for folio locks at the same time. Fortunately, the notifier lock is not essential for marking pages as accessed or dirty, as this should have already been handled by the HMM fault. The vulnerability has been addressed by removing the unnecessary locking.
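The lock ordering described above can be checked with a small lockdep-style model. This is an added example, not kernel or driver code: the lock classes, function names and the assumption that marking a page dirty takes its folio lock are illustrative and only follow the description in this advisory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model only: two lock classes named after the advisory's description. */
enum lock_class { FOLIO_LOCK, NOTIFIER_LOCK, NUM_LOCKS };

/* order[a][b] is set when some path acquired b while already holding a. */
struct lock_model { bool order[NUM_LOCKS][NUM_LOCKS]; bool held[NUM_LOCKS]; };

static void model_lock(struct lock_model *m, enum lock_class l)
{
    for (int h = 0; h < NUM_LOCKS; h++)
        if (m->held[h])
            m->order[h][l] = true;   /* record "h held, then l taken" */
    m->held[l] = true;
}

static void model_unlock(struct lock_model *m, enum lock_class l) { m->held[l] = false; }

/* Page migration: folio locked first, then the notifier callback runs. */
static void migration_path(struct lock_model *m)
{
    model_lock(m, FOLIO_LOCK);
    model_lock(m, NOTIFIER_LOCK);    /* taken inside the notifier callback */
    model_unlock(m, NOTIFIER_LOCK);
    model_unlock(m, FOLIO_LOCK);
}

/* Driver marking userptr pages accessed/dirty (assumed to need the folio lock). */
static void mark_dirty_path(struct lock_model *m, bool hold_notifier_lock)
{
    if (hold_notifier_lock)          /* true models the pre-fix behaviour */
        model_lock(m, NOTIFIER_LOCK);
    model_lock(m, FOLIO_LOCK);
    model_unlock(m, FOLIO_LOCK);
    model_unlock(m, NOTIFIER_LOCK);  /* no-op when the lock was never taken */
}

/* True when both acquisition orders were observed (an ABBA inversion). */
bool inversion_possible(bool hold_notifier_lock)
{
    struct lock_model m = {0};
    migration_path(&m);
    mark_dirty_path(&m, hold_notifier_lock);
    return m.order[FOLIO_LOCK][NOTIFIER_LOCK] && m.order[NOTIFIER_LOCK][FOLIO_LOCK];
}

int main(void)
{
    printf("before fix: %d, after fix: %d\n", inversion_possible(true), inversion_possible(false));
}
```

With the notifier lock held around the dirty marking, both orders (folio then notifier, notifier then folio) exist and the model reports an inversion; without it, only the migration order remains.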

Impact

Exploitation of this vulnerability can lead to a deadlock in which the folio locks are held up by the notifier lock, causing a standstill in the kernel's processing.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.5
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.