Linux Kernel Race Condition Vulnerability in Shmem Swap Handling

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's handling of swap entries for shared memory (shmem). This issue arises because the mechanism for freeing shmem swap entries does not properly manage the order of these entries. The vulnerability exists in the Linux kernel stable tree, specifically in the memory management (mm) subsystem, within the shmem component. The problem occurs when the system retrieves the order of a swap entry without adequate lock protection, potentially leading to the deletion of data beyond the intended boundary. This can happen if a large folio is added, swapped out, and then the same entry is reused, allowing the swap entry to be incorrectly processed.
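The interleaving described above, replayed deterministically in a small user-space C model. This is an added illustration, not kernel code or the upstream patch; `struct slot`, `free_racy`, `free_checked`, the slot indices and the entry value `0xE1` are all constructed for the example, and reading everything at erase time stands in for holding the lock.

```c
#include <stddef.h>

/* Constructed user-space model, not kernel code: a slot holds a swap entry
 * value (0 = empty) and the order of the entry covering it (1 << order slots). */
struct slot { unsigned long entry; unsigned order; };

static void store(struct slot *m, size_t base, unsigned long entry, unsigned order) {
    for (size_t i = base; i < base + ((size_t)1 << order); i++)
        m[i] = (struct slot){ entry, order };
}

/* Erase the whole entry that currently covers idx; returns slots erased. */
static size_t erase(struct slot *m, size_t idx) {
    size_t n = (size_t)1 << m[idx].order, base = idx & ~(n - 1);
    for (size_t i = base; i < base + n; i++) m[i] = (struct slot){ 0, 0 };
    return n;
}

/* Racy shape: boundary checked with an order sampled before the lock; only the
 * entry value is compared at erase time, and a reused value still matches. */
static size_t free_racy(struct slot *m, size_t idx, unsigned long want,
                        unsigned sampled, size_t end) {
    if (m[idx].entry != want || idx + ((size_t)1 << sampled) - 1 > end)
        return 0;
    return erase(m, idx);
}

/* Checked shape: value, order and boundary are all read at erase time, which
 * stands in for "under the lock" in this single-threaded replay. */
static size_t free_checked(struct slot *m, size_t idx, unsigned long want, size_t end) {
    size_t n = (size_t)1 << m[idx].order, base = idx & ~(n - 1);
    if (m[idx].entry != want || base + n - 1 > end)
        return 0;                      /* entry changed or crosses the boundary */
    return erase(m, idx);
}

/* Replay: sample order, reuse entry at order 2, free; returns slots erased past end. */
static size_t replay(int checked) {
    struct slot m[8] = { { 0, 0 } };
    size_t idx = 4, end = 4, lost = 0;
    store(m, idx, 0xE1, 0);            /* order-0 entry at the truncation boundary */
    unsigned sampled = m[idx].order;   /* order read without the lock: 0 */
    store(m, idx, 0xE1, 2);            /* large folio swapped out, same entry value */
    if (checked) free_checked(m, idx, 0xE1, end);
    else free_racy(m, idx, 0xE1, sampled, end);
    for (size_t i = end + 1; i < 8; i++) lost += (m[i].entry == 0);
    return lost;
}

int main(void) { return !(replay(0) == 3 && replay(1) == 0); }
```

`replay(0)` erases three slots past the boundary because the stale order still passes the range check, while `replay(1)` refuses the erase and leaves them intact.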

Impact

The vulnerability can cause data corruption by truncating information beyond the designated limits, as well as leading to system hangs and kernel panics, particularly when the ZSWAP feature is under stress testing.

Reproduction

The vulnerability can be reproduced by enabling the ZSWAP feature and performing stress tests that involve swapping large folios in and out of shared memory. This will trigger the race condition by allowing the swap entry order to be read and modified without proper synchronization, causing the swapoff command to hang and the kernel to panic.

Remediation

Users can apply the patch available in the Linux kernel Git repository to address this vulnerability. Instructions for downloading the patched version can be found in the repository.

Added: Feb 14, 2026, 4:21 PM
Updated: Feb 14, 2026, 4:21 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 3.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.