From: Tejas Bharambe
To: ocfs2-devel@lists.linux.dev
Cc: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com, linux-kernel@vger.kernel.org, syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com, akpm@linux-foundation.org, stable@vger.kernel.org, Tejas Bharambe
Subject: [PATCH v5] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
Date: Fri, 10 Apr 2026 01:04:45 -0700
Message-ID: <20260410080445.29422-1-tejas.bharambe@outlook.com>
X-Mailer: git-send-email 2.53.0

From: Tejas Bharambe

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as
documented in mm/filemap.c: "If our return value has VM_FAULT_RETRY set,
it's because the mmap_lock may be dropped before doing I/O or by
lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free the
vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
dereferences it -- a use-after-free.

Fix this by saving the inode reference before calling filemap_fault(), and
removing vma from the trace event. The inode remains valid across the lock
drop since the file is still open, so the trace can fire in all cases
without dereferencing the potentially freed vma.

Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
Cc: stable@vger.kernel.org
Suggested-by: Joseph Qi
Signed-off-by: Tejas Bharambe --- fs/ocfs2/mmap.c | 7 +++---- fs/ocfs2/ocfs2_trace.h | 10 ++++------ 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c index 50e2faf64c..6c570157ca 100644 --- a/fs/ocfs2/mmap.c +++ b/fs/ocfs2/mmap.c @@ -30,7 +30,8 @@ =20 static vm_fault_t ocfs2_fault(struct vm_fault *vmf) { - struct vm_area_struct *vma =3D vmf->vma; + unsigned long long ip_blkno =3D + OCFS2_I(file_inode(vmf->vma->vm_file))->ip_blkno; sigset_t oldset; vm_fault_t ret; =20 @@ -38,11 +39,9 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf) ret =3D filemap_fault(vmf); ocfs2_unblock_signals(&oldset); =20 - trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno, - vma, vmf->page, vmf->pgoff); + trace_ocfs2_fault(ip_blkno, vmf->page, vmf->pgoff); return ret; } - static vm_fault_t __ocfs2_page_mkwrite(struct file *file, struct buffer_head *di_bh, struct folio *folio) { diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h index 4b32fb5658..6c2c97a980 100644 --- a/fs/ocfs2/ocfs2_trace.h +++ b/fs/ocfs2/ocfs2_trace.h @@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline, =20 TRACE_EVENT(ocfs2_fault, TP_PROTO(unsigned long long ino, - void *area, void *page, unsigned long pgoff), - TP_ARGS(ino, area, page, pgoff), + void *page, unsigned long pgoff), + TP_ARGS(ino, page, pgoff), TP_STRUCT__entry( __field(unsigned long long, ino) - __field(void *, area) __field(void *, page) __field(unsigned long, pgoff) ), TP_fast_assign( __entry->ino =3D ino; - __entry->area =3D area; __entry->page =3D page; __entry->pgoff =3D pgoff; ), - TP_printk("%llu %p %p %lu", - __entry->ino, __entry->area, __entry->page, __entry->pgoff) + TP_printk("%llu %p %lu", + __entry->ino, __entry->page, __entry->pgoff) ); =20 /* End of trace events for fs/ocfs2/mmap.c. */ --=20 2.53.0
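Review bot: in the first fs/ocfs2/mmap.c hunk (@@ -30,7 +30,8 @@), the new `ip_blkno` initializer reads the inode through `file_inode(vmf->vma->vm_file)` where the removed trace call went through `vma->vm_file->f_mapping->host`; for an ocfs2 regular file both name the same inode, so the traced value is unchanged, but the commit message only says the inode reference is saved before filemap_fault(). A sentence noting the accessor change, and that the read happens at function entry while mmap_lock is still held and the vma cannot yet have been freed, would make the fix easier to verify during stable backport review.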
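Review bot: the second fs/ocfs2/mmap.c hunk (@@ -38,11 +39,9 @@) also deletes the blank line between the closing `}` of ocfs2_fault() and `static vm_fault_t __ocfs2_page_mkwrite(struct file *file,` (the lone `-` line after `return ret; }`); that looks unintentional, kernel style keeps one blank line between function definitions and checkpatch flags the missing one, so it should be restored. The trace call itself is fine: after filemap_fault() it touches only `ip_blkno`, `vmf->page` and `vmf->pgoff`, none of which go through the vma.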
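Review bot: dropping the `area` field in the fs/ocfs2/ocfs2_trace.h hunk (@@ -1246,22 +1246,20 @@) changes the tracepoint's visible format, `TP_printk("%llu %p %p %lu", ...)` becomes `TP_printk("%llu %p %lu", ...)`, and its record layout, so anything parsing the `ocfs2_fault` event format needs updating; since the patch is Cc'd to stable, the commit message should say explicitly that the trace output format changes with the fix. Removing the field rather than printing it after the lock drop is the right choice, because that pointer was never safe to dereference there.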