Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's memory management can lead to RCU (Read-Copy-Update) stalls when CONFIG_PAGE_OWNER is enabled. During vmalloc cleanup, KASAN (Kernel Address Sanitizer) shadow pages are freed; with page_owner enabled, each free records a stack trace, and that stack unwinding runs under an RCU read lock. If a large purge list is processed without rescheduling, the task can monopolize the CPU for over 10 seconds, resulting in RCU stalls and potential Out-Of-Memory (OOM) conditions. The issue arises in 'purge_vmap_node()', specifically within 'kasan_release_vmalloc_node()', where iterating over many vmap_area entries and freeing their corresponding shadow pages triggers RCU stall warnings.
The vulnerability causes RCU stalls, which disrupt normal scheduling and execution of tasks, and can lead to Out-Of-Memory conditions in which the system exhausts its available memory.
To reproduce this vulnerability, enable the CONFIG_PAGE_OWNER option in the Linux kernel. During the vmalloc cleanup phase, KASAN shadow pages are then freed, and the resulting stack unwinding requires RCU read locks. If the cleanup handles a large purge list without rescheduling, the task holds the CPU for an extended period, leading to RCU stalls and possible OOM conditions.
The vulnerability has been addressed by adding periodic 'cond_resched()' calls within 'kasan_release_vmalloc_node()'. This allows RCU grace periods to complete, lets other tasks run, and gives the scheduler a chance to preempt the cleanup when necessary. The fix is included in the Linux kernel stable tree.
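The following is an added user-space model of the fix pattern described above; it is not the kernel's own code. It walks a constructed list of "vmap areas", releases their "shadow pages", and inserts a reschedule point every fixed number of entries, which is the shape of the 'cond_resched()' change in 'kasan_release_vmalloc_node()'. The names 'build_purge_list', 'purge_vmap_list', the batch size 'YIELD_EVERY', and the use of 'sched_yield()' as a stand-in for 'cond_resched()' are all assumptions made for the example.

```c
/* Added example (not kernel code): a user-space model of a long purge
 * loop that yields the CPU periodically, the way the fix adds
 * cond_resched() to kasan_release_vmalloc_node(). All names and sizes
 * below are assumptions; sched_yield() stands in for cond_resched(). */
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>

#define YIELD_EVERY 1024   /* assumed number of entries between yield points */

struct vmap_area {
    unsigned long va_start;
    unsigned long va_end;
    unsigned char *shadow;        /* stands in for the area's KASAN shadow pages */
    struct vmap_area *next;
};

struct purge_stats {
    unsigned long freed;          /* entries released */
    unsigned long yields;         /* reschedule points taken */
};

/* Build a constructed purge list of n entries, each owning a small
 * "shadow" buffer that the purge loop must free. */
struct vmap_area *build_purge_list(unsigned long n)
{
    struct vmap_area *head = NULL;
    for (unsigned long i = 0; i < n; i++) {
        struct vmap_area *va = malloc(sizeof *va);
        if (!va)
            abort();
        va->va_start = 0x1000UL * i;
        va->va_end = va->va_start + 0x1000UL;
        va->shadow = malloc(64);
        if (!va->shadow)
            abort();
        va->next = head;
        head = va;
    }
    return head;
}

/* Release every entry on the list. With with_yield set, the loop gives
 * up the CPU every YIELD_EVERY entries so a large list cannot hold the
 * CPU for seconds at a time; with it clear, the loop behaves like the
 * unfixed code and never reschedules. */
struct purge_stats purge_vmap_list(struct vmap_area *head, int with_yield)
{
    struct purge_stats st = { 0, 0 };
    unsigned long since_yield = 0;

    while (head) {
        struct vmap_area *va = head;
        head = va->next;
        free(va->shadow);         /* "shadow pages" released here */
        free(va);
        st.freed++;

        if (with_yield && ++since_yield == YIELD_EVERY) {
            since_yield = 0;
            sched_yield();        /* user-space stand-in for cond_resched() */
            st.yields++;
        }
    }
    return st;
}

int main(void)
{
    struct purge_stats st = purge_vmap_list(build_purge_list(100000), 1);
    printf("freed %lu entries, yielded %lu times\n", st.freed, st.yields);
    return 0;
}
```

The point the model makes is that the number of reschedule points grows with the length of the purge list, so however large the list is, the task never runs more than YIELD_EVERY entries between opportunities for other tasks and RCU grace periods to make progress.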