Linux Kernel Anonymous Inode THP Vulnerability Allowing Memory Management Issues

A vulnerability in the Linux kernel's handling of transparent huge pages (THP) for files on anonymous inodes has been identified. This issue arises because the function 'file_thp_enabled()' mistakenly permits THP for certain files created through 'alloc_file_pseudo()'. These files, such as 'guest_memfd' and 'secretmem', do not undergo the normal write access procedures, leaving their write count at zero. When 'CONFIG_READ_ONLY_THP_FOR_FS' is activated, these files are misrepresented as read-only regular files, making them susceptible to THP collapse. The vulnerability can lead to improper memory management, such as kernel crashes or misleading memory failure reports.

Impact

Exploitation of this vulnerability can cause kernel crashes or trigger false memory failure reports, indicating a recovery action for clean unevictable LRU pages.

Reproduction

The vulnerability can be reproduced by creating files on anonymous inodes using 'alloc_file_pseudo()'. With 'CONFIG_READ_ONLY_THP_FOR_FS' enabled, these files will be treated as read-only regular files, allowing THP collapse to occur. This can be observed with 'guest_memfd', where the fault handler does not support large folios, leading to warnings about large folios in the memory management system. Similarly, 'secretmem' can be used to reproduce the issue, as the collapse operation attempts to copy page contents through the direct map, which is not supported for 'secretmem' pages.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.