
Conversation

@mingi (Contributor) commented Nov 23, 2025

No description provided.

@matrizzo (Collaborator) commented

Hi, please let us know when you've made all the changes to the PR and it's ready to be reviewed.

@mingi (Contributor, Author) commented Nov 24, 2025

Hi, this PR is ready for review. I am currently addressing an issue with success rates in the repro environment.

@artmetla (Collaborator) commented Dec 6, 2025

Hey @mingi

Could you also check those magic numbers, and add a bit of clarity on how they're calculated or why they're selected in code comments:

#define SPRAY_SIZE 520        // Why 520? Which cache?
#define NETEM_10MS 156250     // How is this calculated?

usleep(50*1000);              // Why 50ms? Waiting for what kernel function?

for(int i = 0 ; i < 10; i++)  // Why spray 10 times?

#define RCU_READ_LOCK_NESTING_OFF 0x474  // Offset in which structure?

@mingi (Contributor, Author) commented Dec 10, 2025

Hi @artmetla

#define SPRAY_SIZE 520 // Why 520? Which cache?

Objects are allocated in the kmalloc-1024 cache.

#define NETEM_10MS 156250 // How is this calculated?

This is calculated as PSCHED_NS2TICKS(10000000). I removed it because this exploit does not require NetEM latency.

usleep(50*1000); // Why 50ms? Waiting for what kernel function?

Waiting for qdisc_put(). 50 ms is enough time to wait for call_rcu().

for(int i = 0 ; i < 10; i++) // Why spray 10 times?

The freed object is reclaimed immediately. So, spraying a small number of objects is enough.

#define RCU_READ_LOCK_NESTING_OFF 0x474 // Offset in which structure?

struct task_struct

@matrizzo matrizzo added the kCTF: vuln OK The submission exploits the claims vulnerability (passed manual verification) label Dec 18, 2025