Re: [PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
From: Joseph Qi
Date: Thu Apr 02 2026 - 03:10:12 EST
On 4/2/26 12:17 PM, Andrew Morton wrote:
> On Thu, 2 Apr 2026 11:47:12 +0800 Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx> wrote:
>
>>
>>
>> On 4/2/26 11:08 AM, tejas bharambe wrote:
>>> filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
>>> as documented in mm/filemap.c:
>>>
>>> "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
>>> may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
>>>
>>> When this happens, a concurrent munmap() can call remove_vma() and free
>>> the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
>>> becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
>>> dereferences it -- a use-after-free.
>>>
>>> Fix this by saving the inode reference before calling filemap_fault(),
>>> and removing vma from the trace event. The inode remains valid across
>>> the lock drop since the file is still open, so the trace can fire in
>>> all cases without dereferencing the potentially freed vma.
>>>
>>> Reported-by: syzbot+a49010a0e8fcdeea075f@xxxxxxxxxxxxxxxxxxxxxxxxx
>>> Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
>>> Suggested-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
>>> Signed-off-by: Tejas Bharambe <tejas.bharambe@xxxxxxxxxxx>
>>
>> Reviewed-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
>
> Cool.
>
> I think a cc:stable is needed?
>
> The code looks like it dates back to 2011, so Fixes: isn't needed.
>
>
> A process thing: as far as I know, the -stable maintainers will
> automatically gather any patch which has a Fixes:. But they've been
> asked not to do that for MM patches, so there's a risk they'll see an
> ocfs2 patch is from my tree and not backport it. I like to add
> a cc:stable just to be sure.
>
> Also, because this one doesn't have a Fixes: it might not be grabbed by
> the -stable trees. An explicit cc:stable again removes doubt.
>
> But that's just my late night waffling which can be ignored. For every
> single patch I always consider cc:stable so other people don't have to ;)
Yes, cc stable is preferred here.
Thanks,
Joseph
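A user-space model of the pattern the commit message describes, added here as an illustration; it is not the ocfs2 code or the posted patch. The structures, filemap_fault_model() and make_fault() are constructed stand-ins (VM_FAULT_RETRY keeps the kernel's bit value), and "freeing the VMA inside the model" stands in for a concurrent munmap() after the lock drop.

```c
#include <stdlib.h>

typedef unsigned int vm_fault_t;
#define VM_FAULT_RETRY 0x000400u      /* same bit value the kernel uses */

/* Minimal stand-ins for the kernel structures the fault path touches. */
struct inode { unsigned long i_ino; };
struct file { struct inode *f_inode; };
struct vm_area_struct { struct file *vm_file; };
struct vm_fault { struct vm_area_struct *vma; int simulate_retry; };

/* What the trace point recorded (0 = it has not fired yet). */
unsigned long traced_ino;

/* Model of filemap_fault(): on the retry path the real function may drop
 * mmap_lock, and a concurrent munmap() can then free the VMA. The model
 * frees it right here, so any later use of a saved vma pointer is a real
 * use-after-free (visible under ASan / valgrind). */
static vm_fault_t filemap_fault_model(struct vm_fault *vmf)
{
    if (vmf->simulate_retry) {
        free(vmf->vma);
        return VM_FAULT_RETRY;
    }
    return 0;
}

/* Pre-fix shape: keeps a vma pointer across the call and dereferences it
 * afterwards. Only safe when the model does not take the retry path. */
vm_fault_t ocfs2_fault_before(struct vm_fault *vmf)
{
    struct vm_area_struct *vma = vmf->vma;
    vm_fault_t ret = filemap_fault_model(vmf);

    traced_ino = vma->vm_file->f_inode->i_ino;  /* UAF if ret has VM_FAULT_RETRY */
    return ret;
}

/* Fixed shape: take the inode (kept alive by the open file) before the
 * call that may drop the lock; the trace never touches vma afterwards. */
vm_fault_t ocfs2_fault_after(struct vm_fault *vmf)
{
    struct inode *inode = vmf->vma->vm_file->f_inode;
    vm_fault_t ret = filemap_fault_model(vmf);

    traced_ino = inode->i_ino;                  /* safe on every return path */
    return ret;
}

/* Constructed helper: build a vm_fault whose heap VMA the model may free. */
struct vm_fault make_fault(struct inode *inode, struct file *file, int retry)
{
    struct vm_area_struct *vma = malloc(sizeof *vma);
    file->f_inode = inode;
    vma->vm_file = file;
    struct vm_fault vmf = { vma, retry };
    return vmf;
}
```

Run the file under `-fsanitize=address` and call ocfs2_fault_before() with retry set to see the stale-vma read reported as a heap-use-after-free; ocfs2_fault_after() stays clean on the same input.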