Linux Kernel Device Page Migration Vulnerability in HMM Selftests

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's handling of device private pages when certain files are released. The issue is in the 'test_hmm' library, specifically in the 'dmirror_fops_release' function. That function frees the 'dmirror' structure without first migrating device private pages back to system memory, so those pages are left holding a dangling pointer to the freed structure. If a fault later occurs on one of these pages, for example during a core dump, the kernel dereferences the stale pointer and can panic. The issue was reported while running the HMM kernel self-tests on arm64, where a test failure caused a similar fault and triggered the panic.
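The release ordering described above, as an added userspace model (not code from the kernel or from this advisory): the buggy path releases the owner first, and the corrected path migrates pages back before releasing. All type and function names are hypothetical, and "freeing" is modelled with a flag so the example itself never touches freed memory.

```c
#include <stddef.h>
#include <stdio.h>
/* Userspace model only; every name here is hypothetical, not kernel code. */
#define NPAGES 4
struct owner { int alive; };              /* stands in for 'dmirror' */
struct dpage { int device_private; struct owner *owner; };
static struct owner mirror;               /* "free" just clears alive, so the */
static struct dpage pages[NPAGES];        /* model itself stays well-defined  */

/* Open the device and place NPAGES pages in device private memory. */
static void open_and_migrate_to_device(void)
{
    mirror.alive = 1;
    for (int i = 0; i < NPAGES; i++)
        pages[i] = (struct dpage){ 1, &mirror };
}

/* Buggy order: owner released while pages still point at it. */
static void release_buggy(void) { mirror.alive = 0; }
/* Fixed order: migrate each device private page back, then release. */
static void release_fixed(void)
{
    for (int i = 0; i < NPAGES; i++)
        pages[i] = (struct dpage){ 0, NULL };   /* system memory, no back-pointer */
    mirror.alive = 0;
}

/* Fault path (e.g. core dump): 0 = safe, -1 = real code would hit freed owner. */
static int fault(const struct dpage *p)
{
    if (!p->device_private)
        return 0;                         /* ordinary page, no owner lookup */
    return p->owner->alive ? 0 : -1;
}

/* Number of pages whose fault would reach a released owner. */
static int stale_after(void (*release)(void))
{
    int n = 0;
    open_and_migrate_to_device();
    release();
    for (int i = 0; i < NPAGES; i++)
        n += (fault(&pages[i]) != 0);
    return n;
}

int main(void)
{
    printf("buggy=%d fixed=%d\n", stale_after(release_buggy), stale_after(release_fixed));
}
```

In the model, every page that is still device private after the buggy release faults into the released owner, while the corrected ordering leaves none.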

Impact

The vulnerability can be exploited to cause a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by running the HMM kernel self-tests on an arm64 system. The test 'mm/ksft_hmm.sh' will trigger the use-after-free condition by causing a fault on the device private pages that are left with a stale pointer after the 'dmirror_fops_release' function has executed.

Remediation

The vulnerability has been addressed in the Linux kernel stable tree. Users can apply the latest updates from the Linux kernel stable repository to mitigate this issue.

Added: Jun 8, 2026, 6:04 PM
Updated: Jun 8, 2026, 6:04 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 9.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.