Linux Kernel Folio Locking Vulnerability in Migration Entry Handling

Vulnerability

A vulnerability exists in the Linux kernel's management of folio structures during the handling of migration entries, particularly on arm64 servers. The issue arises in the 'softleaf_to_folio()' function, where a folio retrieved from a migration entry is not properly locked. This oversight can lead to a race condition when splitting transparent huge pages (mTHP) and concurrently zapping non-present page table entries. The root cause is a missing memory barrier in 'softleaf_to_folio()', which should synchronize the visibility of page flags before a folio is modified. As a result, the 'zap_nonpresent_ptes()' function may access a migration entry containing a tail page pointer, leading to an unlocked folio being modified, which triggers a warning in the virtual memory management system.

Impact

Exploitation of this vulnerability can cause a folio to be incorrectly modified without the necessary locks, disrupting the integrity of the memory management system and potentially leading to further complications in page handling.

Reproduction

The vulnerability can be reproduced by initiating a deferred split scan of transparent huge pages while simultaneously zapping non-present page table entries. This race condition will cause the 'softleaf_to_folio()' function to retrieve a folio that is not locked, allowing for an unprotected modification of the folio's state.

Remediation

The vulnerability has been addressed by adding the missing memory barrier synchronization in the 'softleaf_to_folio()' and 'softleaf_to_page()' functions when handling migration entries. Users should upgrade to the latest patched version of the Linux kernel.
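The barrier pairing described above, as an added user-space C11 model (not the kernel patch and not kernel code). It assumes the split side sets the new folio's flags, issues a write barrier and then clears the tail page's head link, and it shows a reader-side barrier of the kind the fix adds; all type, flag and function names are hypothetical.

```c
/* User-space C11 model of the ordering; not kernel code. All names here
 * (model_page, PG_LOCKED_BIT, the functions) are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

#define PG_LOCKED_BIT 1u /* constructed flag value */

struct model_page {
    atomic_uint flags;                 /* page flags, including the lock bit */
    _Atomic(struct model_page *) head; /* non-NULL: tail page of that head */
};

/* Split side (assumed): turn a tail page into a standalone, locked folio. */
void split_publish_tail(struct model_page *tail)
{
    atomic_fetch_or_explicit(&tail->flags, PG_LOCKED_BIT, memory_order_relaxed);
    /* Write barrier: the flags must be visible before the head link goes. */
    atomic_thread_fence(memory_order_release);
    atomic_store_explicit(&tail->head, NULL, memory_order_relaxed);
}

/* Reader side: resolve the page found in a migration entry to its folio and
 * report whether that folio is observed locked. */
struct model_page *entry_to_folio(struct model_page *page, bool *locked)
{
    struct model_page *head =
        atomic_load_explicit(&page->head, memory_order_relaxed);
    struct model_page *folio = head ? head : page;
    /* Read barrier pairing with the split side. Without it a weakly ordered
     * CPU (arm64) may combine the cleared head link with stale flags and
     * treat the tail page as an unlocked folio. */
    atomic_thread_fence(memory_order_acquire);
    *locked = (atomic_load_explicit(&folio->flags, memory_order_relaxed)
               & PG_LOCKED_BIT) != 0;
    return folio;
}

int main(void)
{
    struct model_page head_pg, tail_pg; /* constructed sample pages */
    bool locked = false;
    atomic_init(&head_pg.flags, PG_LOCKED_BIT);
    atomic_init(&head_pg.head, NULL);
    atomic_init(&tail_pg.flags, 0u);
    atomic_init(&tail_pg.head, &head_pg);
    split_publish_tail(&tail_pg);
    return (entry_to_folio(&tail_pg, &locked) == &tail_pg && locked) ? 0 : 1;
}
```

Removing the acquire fence from the reader reproduces the ordering gap only on weakly ordered hardware and only under concurrency, which is consistent with the advisory's note that the issue shows up on arm64 servers.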

Added: Apr 22, 2026, 3:30 PM
Updated: Apr 22, 2026, 3:30 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 6.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.