On Sat, Jul 08, 2023 at 03:27:42AM +0900, Hyeonggon Yoo wrote:
> Hmm, was it UAF because it references the wrong field ->mapping,
> instead of swapper address space?

Ooh, I know this one! When a folio is in use as an anonymous page, ->mapping has the bottom two bits set to 01b. The rest of the pointer is actually a pointer to an anon_vma. It's entirely plausible that an anon page might have had its anon_vma freed by the time the folio is on the inactive list, and on its way to being recycled (e.g. it was unmapped). I'm not terribly familiar with the lifetime rules of the anon_vma, but I doubt that a folio still being in RAM would pin it if it has been unmapped.
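The ->mapping tag-bit encoding discussed above, as an added user-space model that is not kernel code and not from this thread: the struct names are stand-ins for the kernel types, the flag values mirror those in page-flags.h, and the folio value is constructed. It shows the check a decoder needs before treating the field as an address_space rather than an anon_vma.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed model of folio->mapping tagging. Low two bits:
 * 00b = address_space pointer, 01b = anon_vma pointer,
 * 10b = movable (non-LRU), 11b = KSM. */
#define PAGE_MAPPING_ANON    0x1UL
#define PAGE_MAPPING_MOVABLE 0x2UL
#define PAGE_MAPPING_KSM     (PAGE_MAPPING_ANON | PAGE_MAPPING_MOVABLE)
#define PAGE_MAPPING_FLAGS   (PAGE_MAPPING_ANON | PAGE_MAPPING_MOVABLE)

struct address_space { int id; };   /* stand-in for the kernel type */
struct anon_vma      { int id; };   /* stand-in for the kernel type */
struct folio         { uintptr_t mapping; };

/* Bit 0 set means the remaining bits point at an anon_vma, not a mapping. */
static bool folio_is_anon(const struct folio *f)
{
    return (f->mapping & PAGE_MAPPING_ANON) != 0;
}

/* Only return an address_space when the tag says the field holds one;
 * for anon/movable/KSM folios the caller gets NULL, never a mistyped pointer. */
static struct address_space *folio_file_mapping(const struct folio *f)
{
    if (f->mapping & PAGE_MAPPING_FLAGS)
        return NULL;
    return (struct address_space *)f->mapping;
}

/* Strip the tag bits to recover the anon_vma pointer; NULL for other tags. */
static struct anon_vma *folio_anon_vma(const struct folio *f)
{
    if ((f->mapping & PAGE_MAPPING_FLAGS) != PAGE_MAPPING_ANON)
        return NULL;
    return (struct anon_vma *)(f->mapping & ~PAGE_MAPPING_FLAGS);
}

static struct anon_vma demo_av = { .id = 7 };   /* constructed sample */

/* Tag an anon_vma into a folio, then decode it the safe way. */
static int demo_decode(void)
{
    struct folio f = { .mapping = (uintptr_t)&demo_av | PAGE_MAPPING_ANON };
    if (!folio_is_anon(&f) || folio_file_mapping(&f) != NULL)
        return -1;
    return folio_anon_vma(&f)->id;
}
```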