Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in move_pages_pte

On 2024/12/9 15:56, Yu Zhao wrote:
On Mon, Dec 9, 2024 at 12:00 AM Qi Zheng <zhengqi.arch@xxxxxxxxxxxxx> wrote:

[...]


If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git
mm-unstable

diff --git a/mm/memory.c b/mm/memory.c
index 83fd35c034d7a..28526a4205d1b 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -7023,7 +7023,7 @@ static struct kmem_cache *page_ptl_cachep;
   void __init ptlock_cache_init(void)
   {
          page_ptl_cachep = kmem_cache_create("page->ptl",
sizeof(spinlock_t), 0,
-                       SLAB_PANIC, NULL);
+                       SLAB_PANIC|SLAB_TYPESAFE_BY_RCU, NULL);
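Review bot: the flag added on this line does not close the race the reproducer hits, because SLAB_TYPESAFE_BY_RCU only defers freeing the backing slab page past a grace period; the individual spinlock_t object goes back to the cache freelist immediately and can be handed to a new ptlock_init() caller, which re-initialises it. A reader that picked up the pointer under rcu_read_lock() would then spin_lock() the new owner's lock, which is the same use-after-free in a different form. Type-safe-by-RCU caches are only usable when the reader can re-validate the object's identity after acquiring it, and a bare spinlock_t carries nothing to check. Deferring ptlock_free() to an RCU callback, so the object itself survives the grace period, is the more direct fix.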

Note that `SLAB_TYPESAFE_BY_RCU` works by freeing the entire slab (the
page containing the objects) with RCU, not individual objects.

So I don't think this would work. A PTL object can be re-allocated to
someone else, and that new user can re-initialize it. So trying to
concurrently lock it under RCU read lock would also be use-after-free.


Got it. Thanks for pointing this out! So we should put ptlock_free()
into the RCU callback instead of enabling SLAB_TYPESAFE_BY_RCU for
page_ptl_cachep.
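A user-space model of the point made above, added here as an illustration and not code from this thread or from the kernel: a slab slot that stays mapped (as under TYPESAFE_BY_RCU) but is reused and re-initialised by a new owner, with a hypothetical generation tag standing in for the identity check a bare spinlock_t cannot provide.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical model of a page->ptl object in a TYPESAFE_BY_RCU cache. */
struct ptl {
    atomic_flag lock;    /* stands in for spinlock_t */
    unsigned long gen;   /* identity tag; the real object has none */
    bool in_use;
};
/* The backing slab: never unmapped while readers may still hold pointers. */
static struct ptl slab[4];
static unsigned long next_gen = 1;
/* kmem_cache_alloc() + ptlock_init(): take a free slot and re-initialise it. */
struct ptl *ptl_alloc(void)
{
    for (size_t i = 0; i < 4; i++) {
        if (!slab[i].in_use) {
            slab[i].in_use = true;
            slab[i].gen = next_gen++;
            atomic_flag_clear(&slab[i].lock);   /* spin_lock_init() */
            return &slab[i];
        }
    }
    return NULL;
}

/* kmem_cache_free() on a TYPESAFE_BY_RCU cache: the slot is reusable at once;
 * only the page's release is RCU-deferred. */
void ptl_free(struct ptl *p) { p->in_use = false; }

/* What the patch relies on: lock whatever the stale pointer now holds.
 * Returns the generation that was actually locked. */
unsigned long lock_unchecked(struct ptl *p)
{
    while (atomic_flag_test_and_set(&p->lock)) { }   /* spin_lock() */
    unsigned long g = p->gen;
    atomic_flag_clear(&p->lock);                     /* spin_unlock() */
    return g;
}

/* What a TYPESAFE_BY_RCU user must do: re-check identity after locking and
 * back off on mismatch. A bare spinlock_t offers nothing to check. */
bool lock_checked(struct ptl *p, unsigned long expected_gen)
{
    while (atomic_flag_test_and_set(&p->lock)) { }
    bool ok = p->in_use && p->gen == expected_gen;
    atomic_flag_clear(&p->lock);
    return ok;
}
```

Allocating, freeing and re-allocating the same slot returns the same address with a new generation, so a stale pointer locks the new owner's lock unless the identity check rejects it.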