Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's Kernel Same-page Merging (KSM) feature has been addressed. The issue arose because the function scan_get_next_rmap_item() processed each page address individually within a Virtual Memory Area (VMA) to find pages that could be merged. This approach proved to be very inefficient, especially in large memory areas with mostly unmapped regions, leading to excessive CPU usage by the KSM daemon (ksmd) without effectively merging pages. The vulnerability is present in the Linux kernel stable tree.
The vulnerability caused the KSM daemon to consume 100% of CPU for extended periods, effectively deadlocking the process and preventing any meaningful page deduplication.
The vulnerability can be reproduced by creating a 32 TiB memory mapping that is mostly unmapped, leaving only a single page populated. This can be done using a C program that utilizes the mmap() function to create the large mapping, populates one page, and then enables KSM. After starting the KSM service, the ksmd process will inefficiently scan the entire 32 TiB space, except for the one mapped page, resulting in a CPU deadlock.
The vulnerability has been fixed in the Linux kernel. Users can upgrade to the latest version to apply the patch.
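An added example (not from this advisory or the kernel tree): a triage check for hosts that are not yet patched. It parses /proc/<pid>/smaps text and flags mappings with the shape described above: a very large VMA marked mergeable (the "mg" VmFlag) with almost nothing resident. The smaps sample is constructed, and the 1 TiB size and 0.1% residency thresholds are assumptions to tune.

```python
import re

# Header of a /proc/<pid>/smaps entry: "start-end perms offset dev inode [path]"
VMA_HEADER = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S{4}\s")
FIELD = re.compile(r"^(Size|Rss):\s+(\d+) kB")

# Constructed sample: sparse 32 TiB mergeable VMA, a heap, a populated mergeable VMA.
SAMPLE = """\
500000000000-700000000000 rw-p 00000000 00:00 0
Size:        34359738368 kB
Rss:                   4 kB
VmFlags: rd wr mr mw me ac sd mg
55d0c0a00000-55d0c0a21000 rw-p 00000000 00:00 0 [heap]
Size:                132 kB
Rss:                  16 kB
VmFlags: rd wr mr mw me ac sd
7f1000000000-7f1080000000 rw-p 00000000 00:00 0
Size:            2097152 kB
Rss:             2097152 kB
VmFlags: rd wr mr mw me ac sd mg
"""

def parse_smaps(text):
    """Yield one dict per VMA: address range, Size and Rss in kB, VmFlags set."""
    vma = None
    for line in text.splitlines():
        header = VMA_HEADER.match(line)
        if header:
            if vma:
                yield vma
            vma = {"range": f"{header[1]}-{header[2]}", "Size": 0, "Rss": 0, "flags": set()}
        elif vma is not None:
            field = FIELD.match(line)
            if field:
                vma[field[1]] = int(field[2])
            elif line.startswith("VmFlags:"):
                vma["flags"] = set(line.split()[1:])
    if vma:
        yield vma

def sparse_mergeable_vmas(text, min_size_kb=1 << 30, max_resident_ratio=0.001):
    """Return (range, size_kb, rss_kb) for huge mergeable VMAs that are nearly empty."""
    hits = []
    for vma in parse_smaps(text):
        # Thresholds are assumptions: 1 TiB minimum size, at most 0.1% resident.
        if "mg" not in vma["flags"] or vma["Size"] < min_size_kb:
            continue
        if vma["Rss"] <= vma["Size"] * max_resident_ratio:
            hits.append((vma["range"], vma["Size"], vma["Rss"]))
    return hits
```

Pass it the contents of /proc/<pid>/smaps for each process of interest. Rss counts only resident pages, so a heavily swapped mapping can also match.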