From: Baolu Lu <baolu.lu@linux.intel.com>
To: David Hildenbrand <david@redhat.com>,
Dave Hansen <dave.hansen@intel.com>,
syzbot ci <syzbot+cid009622971eb4566@syzkaller.appspotmail.com>,
akpm@linux-foundation.org, apopple@nvidia.com, bp@alien8.de,
dave.hansen@linux.intel.com, iommu@lists.linux.dev,
jannh@google.com, jean-philippe@linaro.org, jgg@nvidia.com,
joro@8bytes.org, kevin.tian@intel.com, liam.howlett@oracle.com,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
lorenzo.stoakes@oracle.com, luto@kernel.org, mhocko@kernel.org,
mingo@redhat.com, peterz@infradead.org, robin.murphy@arm.com,
rppt@kernel.org, security@kernel.org, stable@vger.kernel.org,
tglx@linutronix.de, urezki@gmail.com, vasant.hegde@amd.com,
vbabka@suse.cz, will@kernel.org, willy@infradead.org,
x86@kernel.org, yi1.lai@intel.com
Cc: syzbot@lists.linux.dev, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot ci] Re: Fix stale IOTLB entries for kernel address space
Date: Mon, 20 Oct 2025 13:34:22 +0800
Message-ID: <13d660ea-9bff-47dc-9cd7-ae74869edc5a@linux.intel.com>
In-Reply-To: <d1a6c65c-6518-4227-8ec3-f2af4f7724ad@redhat.com>
On 10/18/25 01:10, David Hildenbrand wrote:
> On 16.10.25 10:00, Baolu Lu wrote:
>> On 10/16/25 00:25, Dave Hansen wrote:
>>> Here's the part that confuses me:
>>>
>>> On 10/14/25 13:59, syzbot ci wrote:
>>>> page last free pid 5965 tgid 5964 stack trace:
>>>> reset_page_owner include/linux/page_owner.h:25 [inline]
>>>> free_pages_prepare mm/page_alloc.c:1394 [inline]
>>>> __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2906
>>>> pmd_free_pte_page+0xa1/0xc0 arch/x86/mm/pgtable.c:783
>>>> vmap_try_huge_pmd mm/vmalloc.c:158 [inline]
>>> ...
>>>
>>> So, vmap_try_huge_pmd() did a pmd_free_pte_page(). Yet, somehow, the PMD
>>> stuck around so that it *could* be used after being freed. It _looks_
>>> like pmd_free_pte_page() freed the page, returned 0, and made
>>> vmap_try_huge_pmd() return early, skipping the pmd pmd_set_huge().
>>>
>>> But I don't know how that could possibly happen.
>>
>> The reported issue is only related to this patch:
>>
>> - [PATCH v6 3/7] x86/mm: Use 'ptdesc' when freeing PMD pages
>>
>> It appears that the pmd_ptdesc() helper can't be used directly here in
>> this patch. pmd_ptdesc() retrieves the page table page that the PMD
>> entry resides in:
>>
>> static inline struct page *pmd_pgtable_page(pmd_t *pmd)
>> {
>>         unsigned long mask = ~(PTRS_PER_PMD * sizeof(pmd_t) - 1);
>>
>>         return virt_to_page((void *)((unsigned long) pmd & mask));
>> }
>>
>> static inline struct ptdesc *pmd_ptdesc(pmd_t *pmd)
>> {
>>         return page_ptdesc(pmd_pgtable_page(pmd));
>> }
>>
>> while, in this patch, we need the page descriptor that a pmd entry
>> points to.
>
> Ah. But that's just pointing at a leaf page table, right?
Yes, that points to a leaf page table.
These two helpers are called in vmap_try_huge_pmd/pud() to clean up the
low-level page tables and make room for pmd/pud_set_huge(). The huge
page entry case shouldn't go through these paths; otherwise, the code is
already broken.
Thanks,
baolu
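The distinction Baolu draws above (the page a PMD entry lives in, versus the page the entry points to) is the whole root cause of the syzbot report, so here is a small user-space model of it. This is an added example, not code from the patch series or from the kernel: it mirrors the arithmetic of pmd_pgtable_page() for the containing page and contrasts it with masking the entry value to get the target page. PAGE_SIZE, PTRS_PER_PMD, the flag bits and the address mask are simplified assumptions, and "physical" addresses are simply the virtual addresses of the allocated pages.

```c
/*
 * Added example, not from the patch or the kernel: model why pmd_ptdesc()
 * is the wrong helper when freeing the PTE page a PMD entry points to.
 *
 * Assumptions: 4 KiB pages, 512 entries per PMD table (x86-64 values),
 * a model flag layout in the low bits, and "phys == virt" for the table
 * pages so that the entry value can be turned back into a pointer.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE        4096UL
#define PTRS_PER_PMD     512            /* 4096 / sizeof(pmd_t) on x86-64 */
#define MODEL_PRESENT    0x1UL          /* stands in for _PAGE_PRESENT */
#define MODEL_RW         0x2UL          /* stands in for _PAGE_RW */
#define MODEL_ADDR_MASK  (~(PAGE_SIZE - 1)) /* stands in for PTE_PFN_MASK */

typedef struct { uint64_t pmd; } pmd_t;

/*
 * Same arithmetic as the kernel's pmd_pgtable_page(): round the *pointer*
 * to the entry down to the PMD table page that contains it.  This is the
 * page pmd_ptdesc() describes.
 */
static uintptr_t model_pmd_table_page(pmd_t *pmd)
{
	unsigned long mask = ~(PTRS_PER_PMD * sizeof(pmd_t) - 1);

	return (uintptr_t)pmd & mask;
}

/*
 * What pmd_free_pte_page() actually has to free: strip the flag bits from
 * the entry *value* to get the PTE table page it points to.
 */
static uintptr_t model_pmd_target_page(pmd_t *pmd)
{
	return (uintptr_t)(pmd->pmd & MODEL_ADDR_MASK);
}

/*
 * Build a one-entry model: a PMD table page whose entry `idx` points at a
 * freshly allocated PTE table page, then compare the two helpers.
 *
 * Returns  1 if the helpers resolve to different pages, with the containing
 *            page being the PMD table and the target being the PTE table
 *            (the case the patch needs to get right),
 *          0 if they agree (never expected for a non-huge entry),
 *         -1 on allocation failure.
 */
static int model_demo(unsigned idx)
{
	pmd_t *pmd_table = aligned_alloc(PAGE_SIZE, PAGE_SIZE);
	uint64_t *pte_table = aligned_alloc(PAGE_SIZE, PAGE_SIZE);
	int ret = -1;

	if (!pmd_table || !pte_table)
		goto out;

	memset(pmd_table, 0, PAGE_SIZE);
	memset(pte_table, 0, PAGE_SIZE);
	idx %= PTRS_PER_PMD;

	/* Entry points at the PTE page; low bits carry the model flags. */
	pmd_table[idx].pmd = (uint64_t)(uintptr_t)pte_table |
			     MODEL_PRESENT | MODEL_RW;

	{
		pmd_t *pmd = &pmd_table[idx];
		uintptr_t container = model_pmd_table_page(pmd);
		uintptr_t target = model_pmd_target_page(pmd);

		if (container == target)
			ret = 0;
		else if (container == (uintptr_t)pmd_table &&
			 target == (uintptr_t)pte_table)
			ret = 1;
		else
			ret = 0;
	}
out:
	free(pmd_table);
	free(pte_table);
	return ret;
}

int main(void)
{
	printf("helpers disagree for entry 7: %d\n", model_demo(7));
	return 0;
}
```

Run as-is it prints 1: the containing-page helper would hand back the PMD table itself, which is why freeing through it leaves the PMD pointing at a page that is gone.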