Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A NULL pointer dereference in the Linux kernel's maple tree, the structure that backs the VMA tree. mas_preallocate() reserves the nodes a write of known size will need and sets MA_STATE_PREALLOC on the maple state; while that flag is set, the allocator refuses to allocate any further nodes. A write that turns out to need more nodes than were reserved therefore hits a WARN_ON(), its allocation request is ignored, and the write continues without the missing nodes. In Linux kernel 6.6 this is reachable through mmap_region(): it preallocates for the store of the new VMA, and if the driver's mmap handler changes the VMA flags, mmap_region() retries the VMA merge. The merged store needs more nodes than the stale preallocation holds, the request is refused, and the kernel dereferences a NULL node pointer.
Triggering the bug produces a WARN_ON() splat followed by a NULL pointer dereference in the kernel, i.e. a kernel oops. The result is a crash or instability of the system (denial of service).
Reproduction consists of reaching the WARN_ON() on the MA_STATE_PREALLOC path in the maple tree allocator: issue a tree write that needs more nodes than the maple state currently holds while the preallocation flag is still set, so that the necessary allocation is refused. The NULL pointer dereference follows when the write consumes the nodes it never received. On 6.6 the path is the VMA merge retry in mmap_region(), which happens when a driver modifies the VMA flags during mmap.
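The following is a constructed model of the preallocation contract described above, added as an illustration; it is not kernel source. The ms_state struct, the fixed-size node pool and the ms_* functions are simplified stand-ins for the kernel's struct ma_state, mas_preallocate(), mas_node_count() and mas_pop_node(), and the node counts (one node reserved, three needed after the retry) are invented. The "fixed" scenario shows one remediation (re-preallocating for the retried write and rejecting a NULL node), which is an assumption for this example rather than a claim about the upstream patch.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not kernel code: stand-ins for ma_state and its helpers. */
#define MS_STATE_PREALLOC 0x1u   /* stand-in for MA_STATE_PREALLOC */
#define MS_MAX_NODES 8u

struct ms_node { unsigned long slot[4]; };

struct ms_state {
    unsigned int flags;
    unsigned int allocated;            /* nodes currently held in the pool */
    unsigned int warn_count;           /* times the WARN_ON() path was hit */
    struct ms_node *pool[MS_MAX_NODES];
};

static void ms_init(struct ms_state *ms) { memset(ms, 0, sizeof(*ms)); }

/* Top the pool up to `count` nodes; the flag plays no role here. */
static int ms_alloc_nodes(struct ms_state *ms, unsigned int count)
{
    if (count > MS_MAX_NODES)
        return -EINVAL;
    while (ms->allocated < count) {
        struct ms_node *n = calloc(1, sizeof(*n));
        if (!n)
            return -ENOMEM;
        ms->pool[ms->allocated++] = n;
    }
    return 0;
}

/* Like mas_preallocate(): reserve nodes for a write of known size, mark the state. */
static int ms_preallocate(struct ms_state *ms, unsigned int count)
{
    int ret = ms_alloc_nodes(ms, count);
    if (ret)
        return ret;
    ms->flags |= MS_STATE_PREALLOC;
    return 0;
}

/*
 * Like mas_node_count(): make sure `count` nodes are available. While the
 * PREALLOC flag is set a shortfall is treated as a caller bug: WARN and
 * return without allocating, so the caller carries on with too few nodes.
 */
static void ms_node_count(struct ms_state *ms, unsigned int count)
{
    if (ms->allocated >= count)
        return;
    if (ms->flags & MS_STATE_PREALLOC) {
        ms->warn_count++;               /* WARN_ON(): request ignored */
        return;
    }
    ms_alloc_nodes(ms, count);
}

/* Like mas_pop_node(): hand out a reserved node, or NULL when none is left. */
static struct ms_node *ms_pop_node(struct ms_state *ms)
{
    return ms->allocated ? ms->pool[--ms->allocated] : NULL;
}

/* Release whatever is still reserved and clear the flag (cf. mas_destroy()). */
static void ms_destroy(struct ms_state *ms)
{
    while (ms->allocated)
        free(ms->pool[--ms->allocated]);
    ms->flags &= ~MS_STATE_PREALLOC;
}

/*
 * A write that consumes `needed` nodes. The kernel's store path writes into
 * each popped node without a NULL check; this model reports the point where
 * the kernel would have dereferenced NULL as -ENOMEM instead of crashing.
 */
static int ms_store(struct ms_state *ms, unsigned int needed)
{
    ms_node_count(ms, needed);
    for (unsigned int i = 0; i < needed; i++) {
        struct ms_node *n = ms_pop_node(ms);
        if (!n)
            return -ENOMEM;             /* kernel: NULL pointer dereference here */
        n->slot[0] = i;                 /* the tree modification */
        free(n);
    }
    return 0;
}

/*
 * The 6.6 sequence: preallocate for the one-node store of the new VMA, the
 * driver's mmap handler changes the VMA flags, and the merge retry turns the
 * write into one needing three nodes while the stale flag is still set.
 */
int scenario_vulnerable(struct ms_state *ms)
{
    ms_init(ms);
    ms_preallocate(ms, 1);
    return ms_store(ms, 3);             /* WARN_ON(), then a NULL node */
}

/* Assumed remediation: drop the stale reservation, preallocate for the retry. */
int scenario_fixed(struct ms_state *ms)
{
    ms_init(ms);
    ms_preallocate(ms, 1);
    ms_destroy(ms);                     /* flags changed: reservation is stale */
    if (ms_preallocate(ms, 3))
        return -ENOMEM;
    return ms_store(ms, 3);
}
```

In the vulnerable scenario the state ends with warn_count set to 1 and the store failing at the second node; in the fixed scenario no warning fires and the store completes. The design point the model makes is that a preallocation is only valid for the write it was sized for, so any code path that can change the shape of the write after mas_preallocate() (here, the merge retry) must redo the reservation before storing.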