Re: [syzbot ci] Re: Fix stale IOTLB entries for kernel address space

Next message: Konrad Dybcio: "[PATCH net-next v5] dt-bindings: net: qcom: ethernet: Add interconnect properties"
Previous message: Ira Weiny: "Re: [PATCH v11 13/21] KVM: selftests: Add helpers to init TDX memory and finalize VM"
In reply to: syzbot ci: "[syzbot ci] Re: Fix stale IOTLB entries for kernel address space"
Next in thread: Andrew Morton: "Re: [PATCH v6 0/7] Fix stale IOTLB entries for kernel address space"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dave Hansen

Date: Wed Oct 15 2025 - 12:25:59 EST

Here's the part that confuses me:

On 10/14/25 13:59, syzbot ci wrote:
> page last free pid 5965 tgid 5964 stack trace:
> reset_page_owner include/linux/page_owner.h:25 [inline]
> free_pages_prepare mm/page_alloc.c:1394 [inline]
> __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2906
> pmd_free_pte_page+0xa1/0xc0 arch/x86/mm/pgtable.c:783
> vmap_try_huge_pmd mm/vmalloc.c:158 [inline]
...

So, vmap_try_huge_pmd() did a pmd_free_pte_page(). Yet, somehow, the PMD
stuck around so that it *could* be used after being freed. It _looks_
like pmd_free_pte_page() freed the page, returned 0, and made
vmap_try_huge_pmd() return early, skipping the pmd pmd_set_huge().

But I don't know how that could possibly happen.