Re: [PATCH v3] mm: pgtable: protect lockless kernel page table walks with RCU

From: David CARLIER

Date: Fri Jun 12 2026 - 14:15:33 EST


On Fri, 12 Jun 2026 at 18:39, Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote:
>
> On Fri, Jun 12, 2026 at 06:23:55PM +0100, David Carlier wrote:
> > ptdump walks the kernel page tables locklessly through
> > walk_kernel_page_table_range_lockless(). It only holds the init_mm
> > mmap lock and the memory hotplug lock, and neither excludes
> > vmalloc/ioremap teardown from freeing kernel PTE pages via
> > pmd_free_pte_page() -> pagetable_free_kernel(). syzbot hit a
> > use-after-free in ptdump_pte_entry() reading a PTE page that was freed
> > underneath the walk.
>
> Does it make sense to walk the iomap / vmap ranges in ptdump? I can't
> really tell if this is something that's useful, or something that nobody
> thought to exclude.

Yes, it's intentional. ptdump_check_wx() walks the whole kernel half
(_PAGE_OFFSET..~0UL on arm64, equivalent on x86) precisely to audit
W+X mappings, and those live in the module/vmalloc/BPF JIT ranges. The
debugfs dump labels the vmalloc and modules markers for the same
reason. Skipping those ranges would defeat the W^X check, so the walk
has to cover them, which is why it needs the RCU protection rather
than an exclusion.
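
The W+X audit over the labelled debugfs dump that this reply describes, as an added example that is not part of the thread or the kernel source: it parses a dump, tracks the region markers, and shows that excluding the vmalloc and modules ranges hides the one offending mapping. The line layout and the flag tokens (RW, x, NX) are assumed from the x86 dump format, the sample text is constructed, and `find_wx` and its `skip` parameter are hypothetical names.

```python
import re

# Constructed sample, modelled on the x86 layout of
# /sys/kernel/debug/kernel_page_tables (assumed format, not from the thread).
SAMPLE = """\
---[ vmalloc() Area ]---
0xffffc90000000000-0xffffc90000004000          16K     RW                     NX pte
0xffffc90000004000-0xffffc90000005000           4K                               pte
---[ Modules ]---
0xffffffffc0000000-0xffffffffc0002000           8K     ro                     x  pte
0xffffffffc0002000-0xffffffffc0003000           4K     RW                     x  pte
0xffffffffc0003000-0xffffffffc0005000           8K     RW                     NX pte
"""

MARKER = re.compile(r"^---\[ (.+?) \]---$")
ENTRY = re.compile(r"^0x([0-9a-f]+)-0x([0-9a-f]+)\s+\S+\s*(.*)$")


def find_wx(dump, skip=()):
    """Return (region, start, end) for each writable and executable mapping.

    Regions named in `skip` are ignored, to show what an exclusion would miss.
    """
    region, hits = None, []
    for line in dump.splitlines():
        marker = MARKER.match(line)
        if marker:
            region = marker.group(1)
            continue
        entry = ENTRY.match(line)
        if not entry or region in skip:
            continue
        # Remaining tokens are the attribute flags plus the level (pte, pmd, ...).
        # An unmapped hole carries only the level and is never flagged.
        flags = entry.group(3).split()
        if "RW" in flags and "x" in flags:
            hits.append((region, int(entry.group(1), 16), int(entry.group(2), 16)))
    return hits


if __name__ == "__main__":
    for region, start, end in find_wx(SAMPLE):
        print(f"W+X in {region}: {start:#x}-{end:#x}")
    # With the dynamic ranges excluded, the same dump reports nothing.
    print(find_wx(SAMPLE, skip={"vmalloc() Area", "Modules"}))
```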