From: Tejas Bharambe
X-Google-Original-From: Tejas Bharambe
To: ocfs2-devel@lists.linux.dev
Cc: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com, linux-kernel@vger.kernel.org, syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com, Tejas Bharambe
Subject: [PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
Date: Wed, 1 Apr 2026 21:02:34 -0700
Message-ID: <20260402040234.92432-1-tejas.bharambe@outlook.com>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c: "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free.

Fix this by saving the inode reference before calling filemap_fault(), and removing vma from the trace event. The inode remains valid across the lock drop since the file is still open, so the trace can fire in all cases without dereferencing the potentially freed vma.

Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
Suggested-by: Joseph Qi
Signed-off-by: Tejas Bharambe --- fs/ocfs2/mmap.c | 6 +++--- fs/ocfs2/ocfs2_trace.h | 10 ++++------ 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c index 50e2faf64c..41c08c5a3d 100644 --- a/fs/ocfs2/mmap.c +++ b/fs/ocfs2/mmap.c @@ -30,7 +30,7 @@ =20 static vm_fault_t ocfs2_fault(struct vm_fault *vmf) { - struct vm_area_struct *vma =3D vmf->vma; + struct inode *inode =3D file_inode(vmf->vma->vm_file); sigset_t oldset; vm_fault_t ret; =20 @@ -38,8 +38,8 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf) ret =3D filemap_fault(vmf); ocfs2_unblock_signals(&oldset); =20 - trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno, - vma, vmf->page, vmf->pgoff); + trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno, + vmf->page, vmf->pgoff); return ret; } =20 diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h index 4b32fb5658..6c2c97a980 100644 --- a/fs/ocfs2/ocfs2_trace.h +++ b/fs/ocfs2/ocfs2_trace.h @@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline, =20 TRACE_EVENT(ocfs2_fault, TP_PROTO(unsigned long long ino, - void *area, void *page, unsigned long pgoff), - TP_ARGS(ino, area, page, pgoff), + void *page, unsigned long pgoff), + TP_ARGS(ino, page, pgoff), TP_STRUCT__entry( __field(unsigned long long, ino) - __field(void *, area) __field(void *, page) __field(unsigned long, pgoff) ), TP_fast_assign( __entry->ino =3D ino; - __entry->area =3D area; __entry->page =3D page; __entry->pgoff =3D pgoff; ), - TP_printk("%llu %p %p %lu", - __entry->ino, __entry->area, __entry->page, __entry->pgoff) + TP_printk("%llu %p %lu", + __entry->ino, __entry->page, __entry->pgoff) ); =20 /* End of trace events for fs/ocfs2/mmap.c. */ --=20 2.53.0
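Review bot: in the first mmap.c hunk (@@ -30,7), the new `struct inode *inode = file_inode(vmf->vma->vm_file);` is silently load-bearing: it must stay above the `filemap_fault()` call because the VMA may already be freed once that call returns with VM_FAULT_RETRY, which is exactly the ordering the changelog depends on. Add a one-line comment at the declaration saying so, otherwise a later cleanup that moves the lookup back down to the trace call reintroduces the use-after-free.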
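Review bot: in the second mmap.c hunk (@@ -38,8), `OCFS2_I(inode)->ip_blkno` is still dereferenced after `filemap_fault()` has returned, so the fix rests on the changelog's assumption that the file stays open across the lock drop; nothing in the hunk pins the inode against the same munmap() race that frees the VMA. Reading the block number before the call, e.g. `u64 blkno = OCFS2_I(inode)->ip_blkno;` next to the `inode` lookup and passing `blkno` to `trace_ocfs2_fault()`, removes that assumption and leaves only `vmf`, which lives on the caller's stack, in the post-call path. With the `area` argument gone the trace call also fits on a single line.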
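Review bot: in the ocfs2_trace.h hunk (@@ -1246,22), removing the `area` field changes the event's format from `%llu %p %p %lu` to `%llu %p %lu`, which is a visible change for any tooling that parses the ocfs2_fault event format; the changelog should call that out explicitly rather than only describing it as removing vma from the trace. It is also worth a sentence stating that the page pointer and pgoff are retained, so reviewers do not ask for a replacement for the dropped VMA pointer.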