* [to-be-updated] mm-page_alloc-clear-page-private-in-split_page-for-tail-pages.patch removed from -mm tree
@ 2026-02-08 1:56 Andrew Morton
0 siblings, 0 replies; only message in thread
From: Andrew Morton @ 2026-02-08 1:56 UTC (permalink / raw)
To: mm-commits, ziy, vbabka, surenb, stable, ryncsn, mhocko, jackmanb,
hughd, hannes, chrisl, mikhail.v.gavrilov, akpm
The quilt patch titled
Subject: mm/page_alloc: clear page->private in split_page() for tail pages
has been removed from the -mm tree. Its filename was
mm-page_alloc-clear-page-private-in-split_page-for-tail-pages.patch
This patch was dropped because an updated version will be issued
------------------------------------------------------
From: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Subject: mm/page_alloc: clear page->private in split_page() for tail pages
Date: Fri, 6 Feb 2026 22:40:17 +0500
When vmalloc allocates high-order pages and splits them via split_page(),
tail pages may retain stale page->private values from previous use by the
buddy allocator.
This causes a use-after-free in the swap subsystem. The swap code uses
vmalloc_to_page() to get struct page pointers for swap_map, then uses
page->private to track swap count continuations. In add_swap_count_
continuation(), the condition "if (!page_private(head))" assumes fresh
pages have page->private == 0, but tail pages from split_page() may have
non-zero stale values.
When page->private accidentally contains a value like SWP_CONTINUED (32),
swap_count_continued() incorrectly assumes the continuation list is valid
and iterates over uninitialized page->lru, which may contain LIST_POISON
values from a previous list_del(), causing a crash:
KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
RIP: 0010:__do_sys_swapoff+0x1151/0x1860
Fix this by clearing page->private for tail pages in split_page(). Note
that we don't touch page->lru to avoid breaking split_free_page() which
may have the head page on a list.
Link: https://lkml.kernel.org/r/20260206174017.128673-1-mikhail.v.gavrilov@gmail.com
Fixes: 3b8000ae185c ("mm/vmalloc: huge vmalloc backing pages should be split rather than compound")
Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Chris Li <chrisl@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kairui Song <ryncsn@gmail.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
mm/page_alloc.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/mm/page_alloc.c~mm-page_alloc-clear-page-private-in-split_page-for-tail-pages
+++ a/mm/page_alloc.c
@@ -3129,9 +3129,14 @@ void split_page(struct page *page, unsig
VM_WARN_ON_PAGE(!page_count(page), page);
- for (i = 1; i < (1 << order); i++)
+ for (i = 1; i < (1 << order); i++) {
set_page_refcounted(page + i);
-
+ /*
+ * Tail pages may have stale page->private from buddy
+ * allocator or previous use. Clear it.
+ */
+ set_page_private(page + i, 0);
+ }
__split_page(page, order);
}
EXPORT_SYMBOL_GPL(split_page);
_
Patches currently in -mm which might be from mikhail.v.gavrilov@gmail.com are
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2026-02-08 1:56 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-08 1:56 [to-be-updated] mm-page_alloc-clear-page-private-in-split_page-for-tail-pages.patch removed from -mm tree Andrew Morton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox