From: Tejas Bharambe
X-Google-Original-From: Tejas Bharambe
To: ocfs2-devel@lists.linux.dev
Cc: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com, linux-kernel@vger.kernel.org, syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com, akpm@linux-foundation.org, Tejas Bharambe, stable@vger.kernel.org
Subject: [PATCH v4] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
Date: Thu, 2 Apr 2026 20:53:33 -0700
Message-ID: <20260403035333.136824-1-tejas.bharambe@outlook.com>
X-Mailer: git-send-email 2.53.0
X-Mailing-List: linux-kernel@vger.kernel.org

From: Tejas Bharambe

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c: "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free.

Fix this by saving the inode reference before calling filemap_fault(), and removing vma from the trace event. The inode remains valid across the lock drop since the file is still open, so the trace can fire in all cases without dereferencing the potentially freed vma.

Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
Cc: stable@vger.kernel.org
Suggested-by: Joseph Qi
Signed-off-by: Tejas Bharambe --- fs/ocfs2/mmap.c | 6 +++--- fs/ocfs2/ocfs2_trace.h | 10 ++++------ 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c index 50e2faf64c..41c08c5a3d 100644 --- a/fs/ocfs2/mmap.c +++ b/fs/ocfs2/mmap.c @@ -30,7 +30,7 @@ =20 static vm_fault_t ocfs2_fault(struct vm_fault *vmf) { - struct vm_area_struct *vma =3D vmf->vma; + struct inode *inode =3D file_inode(vmf->vma->vm_file); sigset_t oldset; vm_fault_t ret; =20 @@ -38,8 +38,8 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf) ret =3D filemap_fault(vmf); ocfs2_unblock_signals(&oldset); =20 - trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno, - vma, vmf->page, vmf->pgoff); + trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno, + vmf->page, vmf->pgoff); return ret; } =20 diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h index 4b32fb5658..6c2c97a980 100644 --- a/fs/ocfs2/ocfs2_trace.h +++ b/fs/ocfs2/ocfs2_trace.h @@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline, =20 TRACE_EVENT(ocfs2_fault, TP_PROTO(unsigned long long ino, - void *area, void *page, unsigned long pgoff), - TP_ARGS(ino, area, page, pgoff), + void *page, unsigned long pgoff), + TP_ARGS(ino, page, pgoff), TP_STRUCT__entry( __field(unsigned long long, ino) - __field(void *, area) __field(void *, page) __field(unsigned long, pgoff) ), TP_fast_assign( __entry->ino =3D ino; - __entry->area =3D area; __entry->page =3D page; __entry->pgoff =3D pgoff; ), - TP_printk("%llu %p %p %lu", - __entry->ino, __entry->area, __entry->page, __entry->pgoff) + TP_printk("%llu %p %lu", + __entry->ino, __entry->page, __entry->pgoff) ); =20 /* End of trace events for fs/ocfs2/mmap.c. */ --=20 2.53.0
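Review bot: in the first fs/ocfs2/mmap.c hunk, `struct inode *inode = file_inode(vmf->vma->vm_file);` copies a raw pointer, yet the commit message calls this "saving the inode reference" and no ihold()/iput() pair is added, so nothing in the patch itself pins the inode across the window in which filemap_fault() may drop the lock. The correctness argument rests entirely on the message's claim that "the file is still open", but the same concurrent remove_vma() that frees the vma also releases the vma's vm_file reference, so the message should spell out what else keeps the inode alive at that point (the faulting task is not guaranteed to hold a descriptor for a mapping it inherited or already closed), or the wording should be changed to "pointer" so nobody reads a refcount into it.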
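Review bot: in the second fs/ocfs2/mmap.c hunk the trace is now deliberately fired on every return path, including VM_FAULT_RETRY, but on that path filemap_fault() has not installed a page in `vmf->page`, so the event will print whatever the caller left there (normally NULL) with no way to tell a retry from a genuine fault. Since `ret` is already in hand at the call site, passing it through the tracepoint, e.g. `trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno, vmf->page, vmf->pgoff, ret);`, would make the "fires in all cases" behaviour the commit message describes actually useful to someone reading the trace.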
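Review bot: the fs/ocfs2/ocfs2_trace.h hunk removes `__field(void *, area)` and its `%p` from TP_printk, which changes the ocfs2_fault event format exposed through tracefs; that is acceptable for a UAF fix, but since this is Cc: stable the commit message should say the tracepoint format changes. Note also that dropping the field is not strictly needed to fix the bug: the use-after-free in the old code was the dereference `vma->vm_file->f_mapping->host`, not passing `vma` itself by value, so the address could still be captured as an `unsigned long` before filemap_fault() if anyone relies on it. Given that `%p` is hashed in TP_printk and the value is of little use, removing it is the simpler option, but that reasoning belongs in the message.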