Re: [syzbot] [mm?] KASAN: use-after-free Read in ptdump_pte_entry (2)

From: David Carlier

Date: Wed Jun 17 2026 - 08:09:14 EST


ptdump walks kernel page tables it does not own. While the walk runs, vmalloc
can promote a range to a huge PMD (vmap_try_huge_pmd), which collapses the
existing PTE table and frees it via pmd_free_pte_page() with no init_mm mmap
lock on x86/riscv/powerpc. So ptdump dereferences a just-freed PTE page, hence
the UAF in ptdump_pte_entry().

The race is pre-existing; 5ba2f0a15564 only widened the window by deferring
the free.

Fix posted (v5): defer the kernel page table free by an RCU grace period and
walk ptdump under rcu_read_lock().
https://lore.kernel.org/linux-mm/20260617115342.156775-1-devnexen@xxxxxxxxx/
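The race above, and the grace-period deferral the fix relies on, modelled in user-space C. This is an added illustration, not code from the posted patch, mm/ptdump.c or mm/vmalloc.c: rcu_read_lock_model(), call_rcu_model(), collapse_to_huge_pmd() and simulate() are hypothetical names, the "RCU" is a single-threaded reader counter plus a deferred-free list, and the "free" only marks the page so the walker can report a use-after-free instead of reading freed memory.

```c
/* Model of a page-table walker racing a PTE-table collapse, with and without
 * an RCU-style deferred free. Illustrative code, not the kernel's. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define PTRS_PER_PTE 4

struct pte_page {
    unsigned long pte[PTRS_PER_PTE];
    bool freed;                 /* the model's "free" sets this instead of releasing memory */
};

struct pmd {
    struct pte_page *pte_table; /* NULL once the entry maps a huge page */
    bool huge;
};

/* Minimal RCU model (assumption: one reader count, one pending-free list). */
struct rcu_deferred { struct pte_page *page; struct rcu_deferred *next; };
static int rcu_readers;
static struct rcu_deferred *rcu_pending;
static int frees_completed;

static void pte_page_free(struct pte_page *p)
{
    p->freed = true;            /* stand-in for pmd_free_pte_page() */
    frees_completed++;
}

/* End of the grace period: run every free that was deferred while readers ran. */
static void rcu_run_pending(void)
{
    while (rcu_pending) {
        struct rcu_deferred *d = rcu_pending;
        rcu_pending = d->next;
        pte_page_free(d->page);
        free(d);
    }
}

static void rcu_read_lock_model(void) { rcu_readers++; }

static void rcu_read_unlock_model(void)
{
    if (--rcu_readers == 0)
        rcu_run_pending();
}

/* Queue a free; it only runs once no reader is inside a critical section. */
static void call_rcu_model(struct pte_page *p)
{
    struct rcu_deferred *d = malloc(sizeof *d);
    if (!d)
        abort();
    d->page = p;
    d->next = rcu_pending;
    rcu_pending = d;
    if (rcu_readers == 0)
        rcu_run_pending();
}

/* The vmalloc side: replace the PTE table with a huge mapping and drop it. */
static void collapse_to_huge_pmd(struct pmd *pmd, bool defer_free)
{
    struct pte_page *old = pmd->pte_table;
    pmd->pte_table = NULL;
    pmd->huge = true;
    if (defer_free)
        call_rcu_model(old);
    else
        pte_page_free(old);     /* immediate free: the walker's pointer now dangles */
}

/* One interleaving: the walker loads the PTE-table pointer, the collapse lands,
 * then the walker reads the entries. Returns the number of reads that hit a
 * freed page; *frees_after reports how many frees had run by the time the
 * walker finished (1 in both cases, but only after the read side in the fix). */
static int simulate(bool fixed, int *frees_after)
{
    struct pte_page *page = calloc(1, sizeof *page);
    if (!page)
        abort();
    for (int i = 0; i < PTRS_PER_PTE; i++)
        page->pte[i] = (0x1000ul * (i + 1)) | 0x63; /* constructed sample PTEs */
    struct pmd pmd = { .pte_table = page, .huge = false };
    frees_completed = 0;

    int uaf_reads = 0;
    unsigned long sum = 0;

    if (fixed)
        rcu_read_lock_model();
    struct pte_page *table = pmd.pte_table;   /* walker descends into the table */

    collapse_to_huge_pmd(&pmd, fixed);        /* concurrent promotion to a huge PMD */

    for (int i = 0; i < PTRS_PER_PTE; i++) {  /* walker keeps reading the table */
        if (table->freed)
            uaf_reads++;
        else
            sum += table->pte[i];
    }
    if (fixed)
        rcu_read_unlock_model();              /* grace period ends, deferred free runs */

    *frees_after = frees_completed;
    (void)sum;
    free(page);
    return uaf_reads;
}

int main(void)
{
    int frees;
    printf("immediate free: %d reads of a freed page (frees run: %d)\n",
           simulate(false, &frees), frees);
    printf("rcu-deferred free: %d reads of a freed page (frees run: %d)\n",
           simulate(true, &frees), frees);
    return 0;
}
```

The point the model makes is that the deferral does not change whether the PTE page is freed, only when: with the walker inside the read-side critical section the free waits for the grace period, so the pointer it loaded stays valid for the whole walk, and the free still happens once the walker leaves.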