CVE-2026-31597
ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
as documented in mm/filemap.c:
"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
When this happens, a concurrent munmap() can call remove_vma() and free
the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
dereferences it -- a use-after-free.
Fix this by saving ip_blkno as a plain integer before calling
filemap_fault(), and removing vma from the trace event. Since
ip_blkno is copied by value before the lock can be dropped, it
remains valid regardless of what happens to the vma or inode
afterward.
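The race described in the commit message, reduced to a stand-alone model (added example, not kernel code or part of the advisory): a handler saves the `vma` pointer, calls a `filemap_fault()` stand-in that drops `mmap_lock` and returns `VM_FAULT_RETRY`, a racing `munmap()` "frees" the vma in that window, and the handler then reads through the stale pointer. Freeing is simulated by writing slab-style poison over the object rather than calling `free()`, so the bad read stays deterministic; the `VM_FAULT_*` bit values are the kernel's, everything else (the struct layouts, the `4242` block number, the poison constant, the `page_uptodate` switch that decides whether the lock is dropped) is constructed for the demonstration. The fixed handler copies `ip_blkno` by value before the call, as the patch does, and never touches `vma` afterwards.

```c
#include <stdint.h>
#include <stdio.h>

/* Fault return bits, values as in include/linux/mm_types.h */
#define VM_FAULT_LOCKED 0x0200u
#define VM_FAULT_RETRY  0x0400u

/* Constructed stand-in for slab poison written over freed memory */
#define POISON_BLKNO 0x6b6b6b6b6b6b6b6bULL

struct ocfs2_inode_info { uint64_t ip_blkno; };

/* Constructed: only the field the trace event needs is modelled. 'oi' stands
 * for OCFS2_I(vma->vm_file->f_mapping->host). */
struct vm_area_struct { struct ocfs2_inode_info *oi; };

struct vm_fault {
    struct vm_area_struct *vma;
    int mmap_lock_held;
};

static struct ocfs2_inode_info poisoned_inode = { .ip_blkno = POISON_BLKNO };

/* Models the concurrent munmap() -> remove_vma(): the vma is "freed" by
 * poisoning its fields. free() is deliberately not called so the later
 * read is defined behaviour and the result is reproducible. */
static void concurrent_munmap(struct vm_area_struct *vma)
{
    vma->oi = &poisoned_inode;
}

/* Model of filemap_fault(): with the page already up to date it returns
 * holding mmap_lock; otherwise it drops the lock (lock_folio_maybe_drop_mmap()
 * path), the racing munmap() wins, and it returns VM_FAULT_RETRY. */
static unsigned int filemap_fault_model(struct vm_fault *vmf, int page_uptodate)
{
    if (page_uptodate)
        return VM_FAULT_LOCKED;
    vmf->mmap_lock_held = 0;
    concurrent_munmap(vmf->vma);
    return VM_FAULT_RETRY;
}

/* Before the fix: the vma pointer saved on entry is dereferenced after the
 * fault returned. On the RETRY path that is a use-after-free. The traced
 * ip_blkno is returned so the caller can observe what was read. */
static uint64_t ocfs2_fault_before(struct vm_fault *vmf, int page_uptodate)
{
    struct vm_area_struct *vma = vmf->vma;
    unsigned int ret = filemap_fault_model(vmf, page_uptodate);
    (void)ret; /* the real handler returns ret; this model returns the traced value */
    return vma->oi->ip_blkno; /* trace_ocfs2_fault(..., vma, ...) equivalent */
}

/* After the fix: ip_blkno is copied by value while mmap_lock is still held,
 * and vma is not touched once filemap_fault() has returned. */
static uint64_t ocfs2_fault_after(struct vm_fault *vmf, int page_uptodate)
{
    uint64_t ip_blkno = vmf->vma->oi->ip_blkno;
    unsigned int ret = filemap_fault_model(vmf, page_uptodate);
    (void)ret;
    return ip_blkno; /* plain integer, valid regardless of what happened to vma */
}

/* Builds a fresh inode/vma/vmf triple (constructed sample data) and runs one handler. */
static uint64_t run(uint64_t (*handler)(struct vm_fault *, int), int page_uptodate)
{
    struct ocfs2_inode_info oi = { .ip_blkno = 4242 };
    struct vm_area_struct vma = { .oi = &oi };
    struct vm_fault vmf = { .vma = &vma, .mmap_lock_held = 1 };
    return handler(&vmf, page_uptodate);
}

uint64_t trace_blkno_before_fix(int page_uptodate) { return run(ocfs2_fault_before, page_uptodate); }
uint64_t trace_blkno_after_fix(int page_uptodate)  { return run(ocfs2_fault_after, page_uptodate); }

int main(void)
{
    printf("before fix, RETRY path: traced ip_blkno = 0x%llx (poison)\n",
           (unsigned long long)trace_blkno_before_fix(0));
    printf("after fix,  RETRY path: traced ip_blkno = %llu\n",
           (unsigned long long)trace_blkno_after_fix(0));
    return 0;
}
```

On the path where the lock is kept, both versions trace the real block number; on the RETRY path the unfixed handler traces the poison pattern, which is exactly the stale read KASAN would flag in the kernel. The general lesson is the one the patch applies: anything needed after a call that may drop the lock protecting an object must be copied out by value before that call.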
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
Linux · Linux
References
https://git.kernel.org/stable/c/35c2c05261d6f6d84aaa1355afa201d507943e76
https://git.kernel.org/stable/c/36539c4d536f851a3b346a6ebb27b51bc3d77a94
https://git.kernel.org/stable/c/3f5e74b5db9353b01ed50f4de84e75b755f8fbc2
https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d
https://git.kernel.org/stable/c/6f072daefcab1d84ce37c073645615f63be91006
https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0
https://git.kernel.org/stable/c/7de554cabf160e331e4442e2a9ad874ca9875921
https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2
https://git.kernel.org/stable/c/d45ff441b416d4aa1af72b1db23d959601c04da2