CVE-2026-43303: mm/page_alloc: clear page->private in free_pages_prepare()

[Greg Kroah-Hartman <gregkh@linuxfoundation.org>]

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

mm/page_alloc: clear page->private in free_pages_prepare()

Several subsystems (slub, shmem, ttm, etc.) use page->private but don't
clear it before freeing pages.  When these pages are later allocated as
high-order pages and split via split_page(), tail pages retain stale
page->private values.

This causes a use-after-free in the swap subsystem.  The swap code uses
page->private to track swap count continuations, assuming freshly
allocated pages have page->private == 0.  When stale values are present,
swap_count_continued() incorrectly assumes the continuation list is valid
and iterates over uninitialized page->lru containing LIST_POISON values,
causing a crash:

  KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
  RIP: 0010:__do_sys_swapoff+0x1151/0x1860

Fix this by clearing page->private in free_pages_prepare(), ensuring all
freed pages have clean state regardless of previous use.

The Linux kernel CVE team has assigned CVE-2026-43303 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.18 with commit 3b8000ae185cb068adbda5f966a3835053c85fd4 and fixed in 6.18.16 with commit 23b82b7a26182ad840ae67d390d7ec9771e8c00f
	Issue introduced in 5.18 with commit 3b8000ae185cb068adbda5f966a3835053c85fd4 and fixed in 6.19.6 with commit d757c793853ec5483eb41ec2942c300b8fa720fb
	Issue introduced in 5.18 with commit 3b8000ae185cb068adbda5f966a3835053c85fd4 and fixed in 7.0 with commit ac1ea219590c09572ed5992dc233bbf7bb70fef9

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43303
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	mm/page_alloc.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/23b82b7a26182ad840ae67d390d7ec9771e8c00f
	https://git.kernel.org/stable/c/d757c793853ec5483eb41ec2942c300b8fa720fb
	https://git.kernel.org/stable/c/ac1ea219590c09572ed5992dc233bbf7bb70fef9