Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +3 more
A vulnerability exists in the Linux kernel's handling of vmalloc-backed coherent memory in the Habanalabs driver. When an IOMMU is enabled, dma_alloc_coherent() called with GFP_USER can return an address in the vmalloc range. If such memory is mapped into a VMA that lacks the VM_MIXEDMAP flag, vm_insert_page() hits a BUG_ON because of the VM_PFNMAP restriction it enforces. The issue affects the Linux kernel stable tree and has been addressed by checking whether the buffer is a vmalloc address and, if so, setting VM_MIXEDMAP on the virtual memory area (VMA) before mapping it. The fix makes the mapping safe and prevents the kernel crash, while the memory itself remains driver-allocated and inaccessible to userspace.
The vulnerability can crash the kernel: violating the VM_PFNMAP restriction triggers a BUG_ON, which halts the system. The resulting outage affects system stability and availability.
To reproduce this vulnerability, enable IOMMU and allocate coherent DMA memory with GFP_USER. If the allocated memory address falls within the vmalloc range and is mapped without the VM_MIXEDMAP flag, the system will crash when vm_insert_page() is called, due to the VM_PFNMAP restriction. This can be observed in the Habanalabs driver during the memory mapping process, where the absence of the VM_MIXEDMAP flag leads to a BUG_ON error.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version of the stable Linux kernel where this issue has been addressed.