Re: [PATCH v3] mm: pgtable: protect lockless kernel page table walks with RCU

Next message: Jonathan Cameron: "Re: [PATCH v3 2/2] iio: proximity: cleanup fixes for vl53l1x-i2c"
Previous message: Cristian Ciocaltea: "Re: [PATCH v7 01/30] drm/fb-helper: Remove unused local variable in hotplug_event()"
In reply to: David Carlier: "[PATCH v3] mm: pgtable: protect lockless kernel page table walks with RCU"
Next in thread: David CARLIER: "Re: [PATCH v3] mm: pgtable: protect lockless kernel page table walks with RCU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Matthew Wilcox

Date: Fri Jun 12 2026 - 13:40:35 EST

On Fri, Jun 12, 2026 at 06:23:55PM +0100, David Carlier wrote:
> ptdump walks the kernel page tables locklessly through
> walk_kernel_page_table_range_lockless(). It only holds the init_mm
> mmap lock and the memory hotplug lock, and neither excludes
> vmalloc/ioremap teardown from freeing kernel PTE pages via
> pmd_free_pte_page() -> pagetable_free_kernel(). syzbot hit a
> use-after-free in ptdump_pte_entry() reading a PTE page that was freed
> underneath the walk.

Does it make sense to walk the iomap / vmap ranges in ptdump? I can't
really tell if this is something that's useful, or something that nobody
thought to exclude.