Linux Kernel VMCI Race Condition Vulnerability in User-Page Management

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's VMCI (Virtual Machine Communication Interface) implementation. The race is between the 'vmci_host_setup_notify' and 'vmci_ctx_unset_notify' functions and results in a warning being triggered in the 'try_grab_folio' function. It occurs because 'vmci_host_setup_notify' can take a page reference through 'get_user_pages_fast' that has not yet completed when 'vmci_ctx_unset_notify' attempts to release the page, leaving the page reference unbalanced and triggering the warning. This race condition can be exploited by manipulating the notification handling in VMCI contexts.

Impact

Exploitation of this vulnerability causes a kernel warning to be generated, indicating a potential issue with page reference management. Such warnings can point to deeper problems that could be exploited under the right conditions.

Reproduction

The vulnerability can be reproduced by triggering the 'vmci_host_setup_notify' function, which will call 'get_user_pages_fast' to initialize a notification page reference. While this operation is still in progress, 'vmci_ctx_unset_notify' is called, attempting to release the same page reference. This sequence creates a race condition, as the page reference is freed before 'get_user_pages_fast' has completed, leading to the 'try_grab_folio' warning.
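The only observable described above is the 'try_grab_folio' warning in the kernel log, so a defender's first check is whether that splat has appeared with VMCI frames in its call trace. The following is an added example, not code from the advisory or from the kernel: it parses dmesg-style output, groups each WARNING header with the call-trace frames that follow it, and reports only splats whose warning site is 'try_grab_folio' and whose trace passes through the VMCI driver. The sample log is constructed for illustration (the mm/gup.c line number and the offsets are placeholders); the module name 'vmw_vmci' is the Linux VMCI driver's module name, and the exact splat layout on a given kernel may differ slightly.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample of dmesg output: one try_grab_folio splat reached through
# the VMCI driver, and one unrelated splat that must be ignored.
SAMPLE_DMESG = """\
[  120.001234] vmci: Using capabilities 0x1c
[  300.456789] ------------[ cut here ]------------
[  300.456790] WARNING: CPU: 1 PID: 4321 at mm/gup.c:0000 try_grab_folio+0x1a/0x2b
[  300.456791] Call Trace:
[  300.456792]  <TASK>
[  300.456793]  get_user_pages_fast+0x45/0x90
[  300.456794]  vmci_host_setup_notify+0x88/0x140 [vmw_vmci]
[  300.456795]  vmci_host_unlocked_ioctl+0x2f0/0x6a0 [vmw_vmci]
[  300.456796]  __x64_sys_ioctl+0x8b/0xc0
[  300.456797]  </TASK>
[  300.456798] ---[ end trace 0000000000000000 ]---
[  310.000000] ------------[ cut here ]------------
[  310.000001] WARNING: CPU: 0 PID: 77 at drivers/example/placeholder.c:0000 some_other_fn+0x10/0x20
[  310.000002] Call Trace:
[  310.000003]  some_caller+0x30/0x40
[  310.000004] ---[ end trace 0000000000000000 ]---
"""

WARN_RE = re.compile(r"WARNING: CPU: (\d+) PID: (\d+) at (\S+) (\S+)")
TS_RE = re.compile(r"^\[\s*([\d.]+)\]")
# One call-trace frame: "  symbol+0xoff/0xsize" with an optional "[module]" suffix.
FRAME_RE = re.compile(
    r"^\[\s*[\d.]+\]\s+(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\S+)\])?\s*$")

VMCI_MODULE = "vmw_vmci"  # module name of the Linux VMCI driver
VMCI_FUNCS = {"vmci_host_setup_notify", "vmci_ctx_unset_notify"}  # from the advisory


@dataclass
class Splat:
    timestamp: float
    cpu: int
    pid: int
    location: str      # file:line from the WARNING header
    function: str      # warning site, offsets stripped
    frames: List[str] = field(default_factory=list)
    modules: Set[str] = field(default_factory=set)


def parse_splats(log: str) -> List[Splat]:
    """Group each WARNING header with the call-trace frames up to 'end trace'."""
    splats: List[Splat] = []
    current: Optional[Splat] = None
    for line in log.splitlines():
        m = WARN_RE.search(line)
        if m:
            ts = TS_RE.match(line)
            current = Splat(
                timestamp=float(ts.group(1)) if ts else 0.0,
                cpu=int(m.group(1)),
                pid=int(m.group(2)),
                location=m.group(3),
                function=m.group(4).split("+", 1)[0],
            )
            splats.append(current)
            continue
        if current is None:
            continue
        if "end trace" in line:
            current = None  # splat closed; frames after this belong to nothing
            continue
        f = FRAME_RE.match(line)
        if f:
            current.frames.append(f.group(1))
            if f.group(2):
                current.modules.add(f.group(2))
    return splats


def find_vmci_gup_warnings(log: str) -> List[Splat]:
    """Keep only try_grab_folio warnings whose trace goes through the VMCI driver."""
    return [
        s for s in parse_splats(log)
        if s.function == "try_grab_folio"
        and (VMCI_MODULE in s.modules or VMCI_FUNCS & set(s.frames))
    ]


if __name__ == "__main__":
    import sys
    # Pipe real output in with `dmesg | python3 this_script.py`; otherwise the sample runs.
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for s in find_vmci_gup_warnings(log):
        vmci_frames = [fr for fr in s.frames if fr.startswith("vmci_")]
        print(f"[{s.timestamp:.6f}] CPU {s.cpu} PID {s.pid}: {s.function} at "
              f"{s.location}; VMCI frames: {vmci_frames}")
```

A hit from this script is a signal that the race described above has already fired on the host, so it belongs in a log-monitoring rule alongside the kernel upgrade noted under Remediation; a clean run proves nothing about exposure, since the warning only appears once the race has actually been lost.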

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest stable version where this issue has been fixed.

Added: Jul 3, 2025, 11:35 AM
Updated: Jul 3, 2025, 11:35 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.