[PATCH] ocfs2: fix use-after-free in ocfs2_inode_lock_full_nested during unmount
From: Jiakai Xu
Date: Fri May 08 2026 - 02:06:38 EST
A race condition exists between filesystem unmount and inode permission
operations. When ocfs2_dismount_volume() frees the ocfs2_super (osb)
structure, concurrent access via OCFS2_SB(inode->i_sb) in
ocfs2_inode_lock_full_nested() can dereference freed memory, causing a
page fault in __pv_queued_spin_lock_slowpath via
ocfs2_is_hard_readonly() -> spin_lock(&osb->osb_lock).
Fix this with two changes:
1. In ocfs2_dismount_volume(): set sb->s_fs_info = NULL before
kfree(osb), so OCFS2_SB() returns NULL instead of a dangling pointer
during the teardown race window.
2. In ocfs2_inode_lock_full_nested(): add a NULL check on osb after
OCFS2_SB(), returning -EIO if the superblock info is already gone.
This ensures the crash path is handled gracefully when the
filesystem is being torn down.
Signed-off-by: Jiakai Xu <xujiakai24@xxxxxxxxxxxxxxxx>
Fixes: ccd979bdbce9f ("OCFS2: The Second Oracle Cluster Filesystem")
---
fs/ocfs2/dlmglue.c | 3 +++
fs/ocfs2/super.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/dlmglue.c b/fs/ocfs2/dlmglue.c
index 7283bb2c5a31..cd619958a0a2 100644
--- a/fs/ocfs2/dlmglue.c
+++ b/fs/ocfs2/dlmglue.c
@@ -2435,6 +2435,9 @@ int ocfs2_inode_lock_full_nested(struct inode *inode,
struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
struct buffer_head *local_bh = NULL;
+ if (!osb)
+ return -EIO;
+
mlog(0, "inode %llu, take %s META lock\n",
(unsigned long long)OCFS2_I(inode)->ip_blkno,
ex ? "EXMODE" : "PRMODE");
diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index b875f01c9756..3fd56638e4f0 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -1881,10 +1881,10 @@ static void ocfs2_dismount_volume(struct super_block *sb, int mnt_err)
printk(KERN_INFO "ocfs2: Unmounting device (%s) on (node %s)\n",
osb->dev_str, nodestr);
+ sb->s_fs_info = NULL;
ocfs2_delete_osb(osb);
kfree(osb);
sb->s_dev = 0;
- sb->s_fs_info = NULL;
}
static int ocfs2_setup_osb_uuid(struct ocfs2_super *osb, const unsigned char *uuid,
--
2.34.1