15 Oct
2025
15 Oct
'25
4:25 p.m.
Here's the part that confuses me:
On 10/14/25 13:59, syzbot ci wrote:
page last free pid 5965 tgid 5964 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1394 [inline] __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2906 pmd_free_pte_page+0xa1/0xc0 arch/x86/mm/pgtable.c:783 vmap_try_huge_pmd mm/vmalloc.c:158 [inline]
...
So, vmap_try_huge_pmd() did a pmd_free_pte_page(). Yet, somehow, the PMD stuck around so that it *could* be used after being freed. It _looks_ like pmd_free_pte_page() freed the page, returned 0, and made vmap_try_huge_pmd() return early, skipping the pmd pmd_set_huge().
But I don't know how that could possibly happen.