at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/mm-page_alloc-clear-page-private-in-split_page-for-tail-pages.patch This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via various branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there most days ------------------------------------------------------ From: Mikhail Gavrilov Subject: mm/page_alloc: clear page->private in split_page() for tail pages Date: Fri, 6 Feb 2026 22:40:17 +0500 When vmalloc allocates high-order pages and splits them via split_page(), tail pages may retain stale page->private values from previous use by the buddy allocator. This causes a use-after-free in the swap subsystem. The swap code uses vmalloc_to_page() to get struct page pointers for swap_map, then uses page->private to track swap count continuations. In add_swap_count_ continuation(), the condition "if (!page_private(head))" assumes fresh pages have page->private == 0, but tail pages from split_page() may have non-zero stale values. When page->private accidentally contains a value like SWP_CONTINUED (32), swap_count_continued() incorrectly assumes the continuation list is valid and iterates over uninitialized page->lru, which may contain LIST_POISON values from a previous list_del(), causing a crash: KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107] RIP: 0010:__do_sys_swapoff+0x1151/0x1860 Fix this by clearing page->private for tail pages in split_page(). Note that we don't touch page->lru to avoid breaking split_free_page() which may have the head page on a list. Link: https://lkml.kernel.org/r/20260206174017.128673-1-mikhail.v.gavrilov@gmail.com Fixes: 3b8000ae185c ("mm/vmalloc: huge vmalloc backing pages should be split rather than compound") Signed-off-by: Mikhail Gavrilov Cc: Brendan Jackman Cc: Chris Li Cc: Hugh Dickins Cc: Johannes Weiner Cc: Kairui Song Cc: Michal Hocko Cc: Suren Baghdasaryan Cc: Vlastimil Babka Cc: Zi Yan Cc: Signed-off-by: Andrew Morton --- mm/page_alloc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) --- a/mm/page_alloc.c~mm-page_alloc-clear-page-private-in-split_page-for-tail-pages +++ a/mm/page_alloc.c @@ -3129,9 +3129,14 @@ void split_page(struct page *page, unsig VM_WARN_ON_PAGE(!page_count(page), page); - for (i = 1; i < (1 << order); i++) + for (i = 1; i < (1 << order); i++) { set_page_refcounted(page + i); - + /* + * Tail pages may have stale page->private from buddy + * allocator or previous use. Clear it. + */ + set_page_private(page + i, 0); + } __split_page(page, order); } EXPORT_SYMBOL_GPL(split_page); _ Patches currently in -mm which might be from mikhail.v.gavrilov@gmail.com are mm-page_alloc-clear-page-private-in-split_page-for-tail-pages.patch+ mm-page_alloc-clear-page-private-in-split_page-for-tail-pages.patch added to mm-unstable branchAndrew Morton undefinedmm-commits@vger.kernel.org,ziy@nvidia.com,vbabka@suse.cz,surenb@google.com,stable@vger.kernel.org,ryncsn@gmail.com,mhocko@suse.com,jackmanb@google.com,hughd@google.com,hannes@cmpxchg.org,chrisl@kernel.org,mikhail.v.gavrilov@gmail.com,akpm@linux-foundation.org undefined undefined undefined undefined undefined undefined undefined undefined undefined undefined undefined undefined