Linux Kernel Memory Hotplug Lock Vulnerability in Page Table Dumping

Vulnerability

A vulnerability in the Linux kernel's memory management can lead to issues when the kernel page tables are dumped. The problem arises because the ptdump (page table dump) code can race with concurrent modifications to the kernel's page tables. A race involving only leaf entries merely causes the dump to log outdated or inconsistent information, but the situation is more serious when an intermediate level of the page table is freed: the dump code may then read memory that has already been released and possibly reallocated, dereference bogus addresses, and fail in a variety of ways. To mitigate this, platforms such as arm64, riscv, and s390 take the memory hotplug lock around the page table dump triggered through the sysfs interface. However, the current ptdump implementation on these platforms does not handle the memory hotplug lock properly, leaving a window for race conditions that could be exploited.

Impact

Failing to manage the memory hotplug lock properly leaves a race in which the ptdump code may access invalid memory addresses. The system could then dereference bogus addresses, potentially leading to memory corruption or crashes.

Reproduction

The vulnerability can be reproduced by dumping the kernel page tables on an affected platform (arm64, riscv, or s390) without the memory hotplug lock held, so that the page tables can be modified concurrently. In practice this means manually triggering a memory hot-removal while the page tables are being dumped, which creates the race condition described above.

Remediation

The vulnerability has been addressed by moving the memory hotplug lock into the ptdump code paths for the affected platforms, ensuring that the page table dumping process is properly synchronized and does not interfere with concurrent modifications.

Added: Sep 4, 2025, 4:47 PM
Updated: Sep 4, 2025, 4:47 PM

Vulnerability Rating (Custom Algorithm)

spread          9.0
impact          0.6
exploitability  3.9
remediation     7.7
relevance       0.4
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.