Linux Kernel Use-After-Free Vulnerability in Page Pool Management

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's page pool management, specifically within the 'page_pool_recycle_in_ring' function. This vulnerability allows for a read operation on a memory address that has already been freed, potentially leading to memory corruption or other unintended behavior. The issue arises when the page pool is recycled while still being referenced, creating a race condition that can be exploited.
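The ordering problem described above, as an added illustration that is not taken from the kernel source or from this advisory: a single-threaded userspace model in which pool teardown runs in the window after the recycler has placed the last page in the ring. The struct, all function names, and the assumption that the recycler still reads the pool (lock release, statistics counter) after publishing the page are constructs of this example; release_with_barrier shows one way to close the window by making teardown pass through the same producer lock.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model with hypothetical names; not kernel code. */
struct pool {
    bool producer_locked; /* models the ring's producer lock */
    bool destroyed;       /* set where real code would free the pool */
    int inflight;         /* pages not yet returned to the allocator */
    int ring_count;       /* pages sitting in the recycle ring */
    int late_touches;     /* recycler accesses made after destruction */
};
typedef bool (*release_fn)(struct pool *);
/* Every recycler access goes through here so stale ones are counted. */
static void touch(struct pool *p) { if (p->destroyed) p->late_touches++; }

/* Teardown with no synchronisation: drain the ring, destroy if idle. */
static bool release_unsynchronised(struct pool *p) {
    p->inflight -= p->ring_count;
    p->ring_count = 0;
    p->destroyed = (p->inflight == 0);
    return p->destroyed;
}

/* Teardown behind the producer lock; a real lock would wait, the model says "not yet". */
static bool release_with_barrier(struct pool *p) {
    return p->producer_locked ? false : release_unsynchronised(p);
}

/* concurrent_release stands in for another CPU running teardown mid-recycle. */
static void recycle_in_ring(struct pool *p, release_fn concurrent_release) {
    p->producer_locked = true;
    p->ring_count++;            /* last outstanding page published */
    concurrent_release(p);      /* the race window */
    touch(p);                   /* releasing the lock reads pool memory */
    p->producer_locked = false;
    touch(p);                   /* statistics counter update */
}

/* Number of recycler accesses that hit an already destroyed pool. */
static int late_touches_with(release_fn release) {
    struct pool p = { .inflight = 1 };
    recycle_in_ring(&p, release);
    release(&p);                /* teardown retried once the recycler is done */
    return p.late_touches;
}

int main(void) {
    printf("unsynchronised=%d barrier=%d\n", late_touches_with(release_unsynchronised),
           late_touches_with(release_with_barrier));
    return 0;
}
```

In the model, every stale access counted by touch corresponds to a read or write of freed memory in real code, which is what a sanitizer such as KASAN would flag.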

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, allowing for memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by enabling the 'CONFIG_PAGE_POOL_STATS' option, which triggers a build warning that can be suppressed by adding a definition for the pool stat macro. Once this is done, the 'page_pool_recycle_in_ring' function can be called in a way that causes the page pool to be freed before all pages have been recycled, creating a use-after-free condition.

Remediation

Users should update to the latest version of the Linux kernel where this vulnerability has been addressed.

Added: Jul 3, 2025, 10:41 AM
Updated: Jul 3, 2025, 10:41 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.