Re: [PATCH v4] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

Next message: Dmitry Baryshkov: "Re: [PATCH 2/2] arm64: dts: qcom: milos: Add IMEM node"
Previous message: Dmitry Baryshkov: "Re: [PATCH v2 5/7] arm64: dts: qcom: milos: Add WCN6755 WiFi node"
In reply to: Tejas Bharambe: "[PATCH v4] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andrew Morton

Date: Fri Apr 03 2026 - 15:33:44 EST

On Thu, 2 Apr 2026 20:53:33 -0700 Tejas Bharambe <thbharam@xxxxxxxxx> wrote:

> filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
> as documented in mm/filemap.c:
>
> "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
> may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
>
> When this happens, a concurrent munmap() can call remove_vma() and free
> the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
> becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
> dereferences it -- a use-after-free.
>
> Fix this by saving the inode reference before calling filemap_fault(),
> and removing vma from the trace event. The inode remains valid across
> the lock drop since the file is still open, so the trace can fire in
> all cases without dereferencing the potentially freed vma.

There's one question from the Sashiko AI reviewbot:
https://sashiko.dev/#/patchset/20260403035333.136824-1-tejas.bharambe@xxxxxxxxxxx