Linux Kernel Large Folio Handling Vulnerability in Memory Reclamation Process

Vulnerability

A vulnerability in the Linux kernel's memory reclamation path for large folios can lead to a kernel panic. The issue is in the 'shrink_folio_list()' function: when it encounters a hardware-poisoned large folio, it hands the folio to 'unmap_poisoned_folio()', which cannot handle large folios. This matters most for Transparent Huge Pages (THP), because 'try_to_unmap_one()' must be called with the 'TTU_SPLIT_HUGE_PMD' flag to split the huge PMD mapping before the pages can be unmapped. Without that flag the call results in a null pointer dereference; even with the flag, a warning is triggered because the page is not in the swap cache. The bug is reached when memory reclaim of a large folio races with 'memory_failure()', the kernel's handler for hardware memory errors. This race condition causes a null pointer dereference and a subsequent kernel panic.

Impact

The vulnerability can lead to a kernel panic, causing a system crash.

Reproduction

The vulnerability is reproduced by creating a race between the memory reclamation of a large folio and the 'memory_failure()' function: a hardware memory error is reported for a large folio while the system is reclaiming that memory, so 'unmap_poisoned_folio()' is invoked on a large folio it cannot handle and the kernel hits the bug.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the Linux Kernel Stable Patches repository.

Added: Sep 5, 2025, 7:09 PM
Updated: Sep 5, 2025, 7:09 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.