Re: [PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
From: Andrew Morton
Date: Thu Apr 02 2026 - 00:21:35 EST
On Thu, 2 Apr 2026 11:47:12 +0800 Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx> wrote:
>
>
> On 4/2/26 11:08 AM, tejas bharambe wrote:
> > filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
> > as documented in mm/filemap.c:
> >
> > "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
> > may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
> >
> > When this happens, a concurrent munmap() can call remove_vma() and free
> > the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
> > becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
> > dereferences it -- a use-after-free.
> >
> > Fix this by saving the inode reference before calling filemap_fault(),
> > and removing vma from the trace event. The inode remains valid across
> > the lock drop since the file is still open, so the trace can fire in
> > all cases without dereferencing the potentially freed vma.
> >
> > Reported-by: syzbot+a49010a0e8fcdeea075f@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
> > Suggested-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
> > Signed-off-by: Tejas Bharambe <tejas.bharambe@xxxxxxxxxxx>
>
> Reviewed-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
Cool.
I think a cc:stable is needed?
The code looks like it dates back to 2011, so Fixes: isn't needed.
A process thing: as far as I know, the -stable maintainers will
automatically gather any patch which has a Fixes:. But they've been
asked not to do that for MM patches, so there's a risk they'll see an
ocfs2 patch is from my tree and not backport it. I like to add
a cc:stable just to be sure.
Also, because this one doesn't have a Fixes: it might not be grabbed by
the -stable trees. An explicit cc:stable again removes doubt.
But that's just my late night waffling which can be ignored. For every
single patch I always consider cc:stable so other people don't have to ;)
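A constructed user-space model of the pattern in the quoted commit message, added here as an illustration and not the ocfs2 or mm kernel code: the struct names and the VM_FAULT_RETRY value are stand-ins, and the VMA freed by a concurrent munmap() after the lock drop is modelled by clearing it, so the stale read through the saved vma is observable instead of being undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

#define VM_FAULT_RETRY 0x0400u  /* illustrative flag value, not the kernel's */

struct inode { unsigned long i_ino; };
struct file { struct inode *f_inode; };
struct vm_area_struct { struct file *vm_file; };
struct vm_fault { struct vm_area_struct *vma; };

/* Models filemap_fault(): on the retry path the mmap_lock is dropped, and a
 * concurrent munmap() may free the VMA before we return. The freed VMA is
 * modelled by clearing it so the stale read is observable. */
static unsigned int model_filemap_fault(struct vm_fault *vmf, bool need_retry)
{
	if (!need_retry)
		return 0;
	vmf->vma->vm_file = NULL;   /* remove_vma(): the VMA is gone */
	vmf->vma = NULL;
	return VM_FAULT_RETRY;
}

/* Before the fix: the saved vma pointer is dereferenced after the call. */
static unsigned long fault_before(struct vm_fault *vmf, bool need_retry)
{
	struct vm_area_struct *vma = vmf->vma;
	unsigned int ret = model_filemap_fault(vmf, need_retry);

	(void)ret;
	/* trace_ocfs2_fault(vma, ...) equivalent: reads through vma after the
	 * lock may have been dropped; yields 0 here when the VMA is gone */
	return vma->vm_file ? vma->vm_file->f_inode->i_ino : 0;
}

/* After the fix: take the inode before the call; the open file keeps it. */
static unsigned long fault_after(struct vm_fault *vmf, bool need_retry)
{
	struct inode *inode = vmf->vma->vm_file->f_inode;
	unsigned int ret = model_filemap_fault(vmf, need_retry);

	(void)ret;
	return inode->i_ino;        /* valid regardless of VM_FAULT_RETRY */
}

/* Builds one constructed scenario and returns the inode number the trace
 * point would have seen; 0 means it read through a dead VMA. */
unsigned long run_scenario(bool fixed, bool need_retry)
{
	struct inode inode = { .i_ino = 42 };
	struct file file = { .f_inode = &inode };
	struct vm_area_struct vma = { .vm_file = &file };
	struct vm_fault vmf = { .vma = &vma };

	return fixed ? fault_after(&vmf, need_retry)
		     : fault_before(&vmf, need_retry);
}
```

Only the retry path differs between the two versions, which is why the bug stays hidden until filemap_fault() actually has to wait for I/O.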