From: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
To: linux-mm@kvack.org
Cc: akpm@linux-foundation.org, vbabka@suse.cz, chrisl@kernel.org,
kasong@tencent.com, hughd@google.com, ryncsn@gmail.com,
Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>,
stable@vger.kernel.org
Subject: [PATCH] mm/page_alloc: clear page->private in split_page() for tail pages
Date: Fri, 6 Feb 2026 22:40:17 +0500 [thread overview]
Message-ID: <20260206174017.128673-1-mikhail.v.gavrilov@gmail.com> (raw)
In-Reply-To: <CABXGCs03XcXt5GDae7d74ynC6P6G2gLw3ZrwAYvSQ3PwP0mGXA@mail.gmail.com>
When vmalloc allocates high-order pages and splits them via split_page(),
tail pages may retain stale page->private values from previous use by the
buddy allocator.
This causes a use-after-free in the swap subsystem. The swap code uses
vmalloc_to_page() to get struct page pointers for swap_map, then uses
page->private to track swap count continuations. In add_swap_count_
continuation(), the condition "if (!page_private(head))" assumes fresh
pages have page->private == 0, but tail pages from split_page() may have
non-zero stale values.
When page->private accidentally contains a value like SWP_CONTINUED (32),
swap_count_continued() incorrectly assumes the continuation list is valid
and iterates over uninitialized page->lru, which may contain LIST_POISON
values from a previous list_del(), causing a crash:
KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
RIP: 0010:__do_sys_swapoff+0x1151/0x1860
Fix this by clearing page->private for tail pages in split_page(). Note
that we don't touch page->lru to avoid breaking split_free_page() which
may have the head page on a list.
Fixes: 3b8000ae185c ("mm/vmalloc: huge vmalloc backing pages should be split rather than compound")
Cc: stable@vger.kernel.org
Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
---
mm/page_alloc.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index cbf758e27aa2..3604a00e2118 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -3122,8 +3122,14 @@ void split_page(struct page *page, unsigned int order)
VM_BUG_ON_PAGE(PageCompound(page), page);
VM_BUG_ON_PAGE(!page_count(page), page);
- for (i = 1; i < (1 << order); i++)
+ for (i = 1; i < (1 << order); i++) {
set_page_refcounted(page + i);
+ /*
+ * Tail pages may have stale page->private from buddy
+ * allocator or previous use. Clear it.
+ */
+ set_page_private(page + i, 0);
+ }
split_page_owner(page, order, 0);
pgalloc_tag_split(page_folio(page), order, 0);
split_page_memcg(page, order);
--
2.53.0
next parent reply other threads:[~2026-02-06 17:40 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CABXGCs03XcXt5GDae7d74ynC6P6G2gLw3ZrwAYvSQ3PwP0mGXA@mail.gmail.com>
2026-02-06 17:40 ` Mikhail Gavrilov [this message]
2026-02-06 18:08 ` Zi Yan
2026-02-06 18:21 ` Mikhail Gavrilov
2026-02-06 18:29 ` Zi Yan
2026-02-06 18:33 ` Zi Yan
2026-02-06 19:58 ` Zi Yan
2026-02-06 20:49 ` Zi Yan
2026-02-06 22:16 ` Mikhail Gavrilov
2026-02-06 22:37 ` Mikhail Gavrilov
2026-02-06 23:06 ` Zi Yan
2026-02-07 3:28 ` Zi Yan
2026-02-07 14:25 ` Mikhail Gavrilov
2026-02-07 14:32 ` Zi Yan
2026-02-07 15:03 ` Mikhail Gavrilov
2026-02-07 15:06 ` Zi Yan
2026-02-07 15:37 ` [PATCH v2] mm/page_alloc: clear page->private in free_pages_prepare() Mikhail Gavrilov
2026-02-07 16:12 ` Zi Yan
2026-02-07 17:36 ` [PATCH v3] " Mikhail Gavrilov
2026-02-07 22:02 ` David Hildenbrand (Arm)
2026-02-07 22:08 ` David Hildenbrand (Arm)
2026-02-09 11:17 ` Vlastimil Babka
2026-02-09 15:46 ` David Hildenbrand (Arm)
2026-02-09 16:00 ` Zi Yan
2026-02-09 16:03 ` David Hildenbrand (Arm)
2026-02-09 16:05 ` Zi Yan
2026-02-09 16:06 ` David Hildenbrand (Arm)
2026-02-09 16:08 ` Zi Yan
2026-02-07 23:00 ` Zi Yan
2026-02-09 16:16 ` David Hildenbrand (Arm)
2026-02-09 16:20 ` David Hildenbrand (Arm)
2026-02-09 16:33 ` Zi Yan
2026-02-09 17:36 ` David Hildenbrand (Arm)
2026-02-09 17:44 ` Zi Yan
2026-02-09 19:39 ` David Hildenbrand (Arm)
2026-02-09 19:42 ` Zi Yan
2026-02-10 1:20 ` Baolin Wang
2026-02-10 2:12 ` Zi Yan
2026-02-10 2:25 ` Baolin Wang
2026-02-10 2:32 ` Zi Yan
2026-02-09 19:46 ` David Hildenbrand (Arm)
2026-02-09 11:11 ` [PATCH v2] " Vlastimil Babka
2026-02-06 18:24 ` [PATCH] mm/page_alloc: clear page->private in split_page() for tail pages Kairui Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260206174017.128673-1-mikhail.v.gavrilov@gmail.com \
--to=mikhail.v.gavrilov@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=chrisl@kernel.org \
--cc=hughd@google.com \
--cc=kasong@tencent.com \
--cc=linux-mm@kvack.org \
--cc=ryncsn@gmail.com \
--cc=stable@vger.kernel.org \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox