[PATCH v2] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[PATCH v2] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[tejas bharambe]

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
as documented in mm/filemap.c:

  "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
  may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free
the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
dereferences it -- a use-after-free.

Fix this by saving the inode reference before calling filemap_fault(),
and removing vma from the trace event. The inode remains valid across
the lock drop since the file is still open, so the trace can fire in
all cases without dereferencing the potentially freed vma.

Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
---
 fs/ocfs2/mmap.c        |  4 ++--
 fs/ocfs2/ocfs2_trace.h | 10 ++++------
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c
index 50e2faf64c..7a4be91d6a 100644
--- a/fs/ocfs2/mmap.c
+++ b/fs/ocfs2/mmap.c
@@ -38,8 +38,8 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
 	ret = filemap_fault(vmf);
 	ocfs2_unblock_signals(&oldset);
 
-	trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno,
-			  vma, vmf->page, vmf->pgoff);
+	trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
+			  vmf->page, vmf->pgoff);
 	return ret;
 }
 
diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h
index 4b32fb5658..6c2c97a980 100644
--- a/fs/ocfs2/ocfs2_trace.h
+++ b/fs/ocfs2/ocfs2_trace.h
@@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline,
 
 TRACE_EVENT(ocfs2_fault,
 	TP_PROTO(unsigned long long ino,
-		 void *area, void *page, unsigned long pgoff),
-	TP_ARGS(ino, area, page, pgoff),
+		 void *page, unsigned long pgoff),
+	TP_ARGS(ino, page, pgoff),
 	TP_STRUCT__entry(
 		__field(unsigned long long, ino)
-		__field(void *, area)
 		__field(void *, page)
 		__field(unsigned long, pgoff)
 	),
 	TP_fast_assign(
 		__entry->ino = ino;
-		__entry->area = area;
 		__entry->page = page;
 		__entry->pgoff = pgoff;
 	),
-	TP_printk("%llu %p %p %lu",
-		  __entry->ino, __entry->area, __entry->page, __entry->pgoff)
+	TP_printk("%llu %p %lu",
+		  __entry->ino, __entry->page, __entry->pgoff)
 );
 
 /* End of trace events for fs/ocfs2/mmap.c. */
-- 
2.53.0

Re: [PATCH v2] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[Joseph Qi]

On 4/1/26 12:20 PM, tejas bharambe wrote:
> filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
> as documented in mm/filemap.c:
> 
>   "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
>   may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
> 
> When this happens, a concurrent munmap() can call remove_vma() and free
> the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
> becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
> dereferences it -- a use-after-free.
> 
> Fix this by saving the inode reference before calling filemap_fault(),
> and removing vma from the trace event. The inode remains valid across
> the lock drop since the file is still open, so the trace can fire in
> all cases without dereferencing the potentially freed vma.
> 
> Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
> Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
> ---
>  fs/ocfs2/mmap.c        |  4 ++--
>  fs/ocfs2/ocfs2_trace.h | 10 ++++------
>  2 files changed, 6 insertions(+), 8 deletions(-)
> 
> diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c
> index 50e2faf64c..7a4be91d6a 100644
> --- a/fs/ocfs2/mmap.c
> +++ b/fs/ocfs2/mmap.c
> @@ -38,8 +38,8 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
>  	ret = filemap_fault(vmf);
>  	ocfs2_unblock_signals(&oldset);
>  
> -	trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno,
> -			  vma, vmf->page, vmf->pgoff);
> +	trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,

It seems you've missed defining 'inode' at first.

Joseph

> +			  vmf->page, vmf->pgoff);
>  	return ret;
>  }
>  
> diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h
> index 4b32fb5658..6c2c97a980 100644
> --- a/fs/ocfs2/ocfs2_trace.h
> +++ b/fs/ocfs2/ocfs2_trace.h
> @@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline,
>  
>  TRACE_EVENT(ocfs2_fault,
>  	TP_PROTO(unsigned long long ino,
> -		 void *area, void *page, unsigned long pgoff),
> -	TP_ARGS(ino, area, page, pgoff),
> +		 void *page, unsigned long pgoff),
> +	TP_ARGS(ino, page, pgoff),
>  	TP_STRUCT__entry(
>  		__field(unsigned long long, ino)
> -		__field(void *, area)
>  		__field(void *, page)
>  		__field(unsigned long, pgoff)
>  	),
>  	TP_fast_assign(
>  		__entry->ino = ino;
> -		__entry->area = area;
>  		__entry->page = page;
>  		__entry->pgoff = pgoff;
>  	),
> -	TP_printk("%llu %p %p %lu",
> -		  __entry->ino, __entry->area, __entry->page, __entry->pgoff)
> +	TP_printk("%llu %p %lu",
> +		  __entry->ino, __entry->page, __entry->pgoff)
>  );
>  
>  /* End of trace events for fs/ocfs2/mmap.c. */

Re: [PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[tejas bharambe]

Hi Joseph,

Sorry missed the inode declaration during rebasing. Here is v3:

From b316cc0fdfa4e6a3702b8402bd613863226e1561 Mon Sep 17 00:00:00 2001
From: Tejas Bharambe <tejas.bharambe@outlook.com>
Date: Tue, 31 Mar 2026 20:45:28 -0700
Subject: [PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when
 VM_FAULT_RETRY

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
as documented in mm/filemap.c:

  "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
  may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free
the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
dereferences it -- a use-after-free.

Fix this by saving the inode reference before calling filemap_fault(),
and removing vma from the trace event. The inode remains valid across
the lock drop since the file is still open, so the trace can fire in
all cases without dereferencing the potentially freed vma.

Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
---
 fs/ocfs2/mmap.c        |  6 +++---
 fs/ocfs2/ocfs2_trace.h | 10 ++++------
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c
index 50e2faf64c..41c08c5a3d 100644
--- a/fs/ocfs2/mmap.c
+++ b/fs/ocfs2/mmap.c
@@ -30,7 +30,7 @@

 static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
 {
-       struct vm_area_struct *vma = vmf->vma;
+       struct inode *inode = file_inode(vmf->vma->vm_file);
        sigset_t oldset;
        vm_fault_t ret;

@@ -38,8 +38,8 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
        ret = filemap_fault(vmf);
        ocfs2_unblock_signals(&oldset);

-       trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno,
-                         vma, vmf->page, vmf->pgoff);
+       trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
+                         vmf->page, vmf->pgoff);
        return ret;
 }

diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h
index 4b32fb5658..6c2c97a980 100644
--- a/fs/ocfs2/ocfs2_trace.h
+++ b/fs/ocfs2/ocfs2_trace.h
@@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline,

 TRACE_EVENT(ocfs2_fault,
        TP_PROTO(unsigned long long ino,
-                void *area, void *page, unsigned long pgoff),
-       TP_ARGS(ino, area, page, pgoff),
+                void *page, unsigned long pgoff),
+       TP_ARGS(ino, page, pgoff),
        TP_STRUCT__entry(
                __field(unsigned long long, ino)
-               __field(void *, area)
                __field(void *, page)
                __field(unsigned long, pgoff)
        ),
        TP_fast_assign(
                __entry->ino = ino;
-               __entry->area = area;
                __entry->page = page;
                __entry->pgoff = pgoff;
        ),
-       TP_printk("%llu %p %p %lu",
-                 __entry->ino, __entry->area, __entry->page, __entry->pgoff)
+       TP_printk("%llu %p %lu",
+                 __entry->ino, __entry->page, __entry->pgoff)
 );

 /* End of trace events for fs/ocfs2/mmap.c. */
--
2.53.0


Thanks,
Tejas




________________________________________
From: Joseph Qi <joseph.qi@linux.alibaba.com>
Sent: Wednesday, April 1, 2026 1:29 AM
To: tejas bharambe <tejas.bharambe@outlook.com>
Cc: mark@fasheh.com <mark@fasheh.com>; jlbec@evilplan.org <jlbec@evilplan.org>; linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org>; syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com <syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com>; ocfs2-devel@lists.linux.dev <ocfs2-devel@lists.linux.dev>
Subject: Re: [PATCH v2] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY



On 4/1/26 12:20 PM, tejas bharambe wrote:
> filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
> as documented in mm/filemap.c:
>
>   "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
>   may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
>
> When this happens, a concurrent munmap() can call remove_vma() and free
> the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
> becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
> dereferences it -- a use-after-free.
>
> Fix this by saving the inode reference before calling filemap_fault(),
> and removing vma from the trace event. The inode remains valid across
> the lock drop since the file is still open, so the trace can fire in
> all cases without dereferencing the potentially freed vma.
>
> Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
> Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
> ---
>  fs/ocfs2/mmap.c        |  4 ++--
>  fs/ocfs2/ocfs2_trace.h | 10 ++++------
>  2 files changed, 6 insertions(+), 8 deletions(-)
>
> diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c
> index 50e2faf64c..7a4be91d6a 100644
> --- a/fs/ocfs2/mmap.c
> +++ b/fs/ocfs2/mmap.c
> @@ -38,8 +38,8 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
>        ret = filemap_fault(vmf);
>        ocfs2_unblock_signals(&oldset);
>
> -     trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno,
> -                       vma, vmf->page, vmf->pgoff);
> +     trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,

It seems you've missed defining 'inode' at first.

Joseph

> +                       vmf->page, vmf->pgoff);
>        return ret;
>  }
>
> diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h
> index 4b32fb5658..6c2c97a980 100644
> --- a/fs/ocfs2/ocfs2_trace.h
> +++ b/fs/ocfs2/ocfs2_trace.h
> @@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline,
>
>  TRACE_EVENT(ocfs2_fault,
>        TP_PROTO(unsigned long long ino,
> -              void *area, void *page, unsigned long pgoff),
> -     TP_ARGS(ino, area, page, pgoff),
> +              void *page, unsigned long pgoff),
> +     TP_ARGS(ino, page, pgoff),
>        TP_STRUCT__entry(
>                __field(unsigned long long, ino)
> -             __field(void *, area)
>                __field(void *, page)
>                __field(unsigned long, pgoff)
>        ),
>        TP_fast_assign(
>                __entry->ino = ino;
> -             __entry->area = area;
>                __entry->page = page;
>                __entry->pgoff = pgoff;
>        ),
> -     TP_printk("%llu %p %p %lu",
> -               __entry->ino, __entry->area, __entry->page, __entry->pgoff)
> +     TP_printk("%llu %p %lu",
> +               __entry->ino, __entry->page, __entry->pgoff)
>  );
>
>  /* End of trace events for fs/ocfs2/mmap.c. */

Re: [PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[Joseph Qi]

Please resend it in a new thread.

Joseph

On 4/1/26 8:55 PM, tejas bharambe wrote:
> Hi Joseph,
> 
> Sorry missed the inode declaration during rebasing. Here is v3:
> 
> From b316cc0fdfa4e6a3702b8402bd613863226e1561 Mon Sep 17 00:00:00 2001
> From: Tejas Bharambe <tejas.bharambe@outlook.com>
> Date: Tue, 31 Mar 2026 20:45:28 -0700
> Subject: [PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when
>  VM_FAULT_RETRY
> 
> filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
> as documented in mm/filemap.c:
> 
>   "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
>   may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
> 
> When this happens, a concurrent munmap() can call remove_vma() and free
> the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
> becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
> dereferences it -- a use-after-free.
> 
> Fix this by saving the inode reference before calling filemap_fault(),
> and removing vma from the trace event. The inode remains valid across
> the lock drop since the file is still open, so the trace can fire in
> all cases without dereferencing the potentially freed vma.
> 
> Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
> Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
> ---
>  fs/ocfs2/mmap.c        |  6 +++---
>  fs/ocfs2/ocfs2_trace.h | 10 ++++------
>  2 files changed, 7 insertions(+), 9 deletions(-)
> 
> diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c
> index 50e2faf64c..41c08c5a3d 100644
> --- a/fs/ocfs2/mmap.c
> +++ b/fs/ocfs2/mmap.c
> @@ -30,7 +30,7 @@
> 
>  static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
>  {
> -       struct vm_area_struct *vma = vmf->vma;
> +       struct inode *inode = file_inode(vmf->vma->vm_file);
>         sigset_t oldset;
>         vm_fault_t ret;
> 
> @@ -38,8 +38,8 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
>         ret = filemap_fault(vmf);
>         ocfs2_unblock_signals(&oldset);
> 
> -       trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno,
> -                         vma, vmf->page, vmf->pgoff);
> +       trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
> +                         vmf->page, vmf->pgoff);
>         return ret;
>  }
> 
> diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h
> index 4b32fb5658..6c2c97a980 100644
> --- a/fs/ocfs2/ocfs2_trace.h
> +++ b/fs/ocfs2/ocfs2_trace.h
> @@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline,
> 
>  TRACE_EVENT(ocfs2_fault,
>         TP_PROTO(unsigned long long ino,
> -                void *area, void *page, unsigned long pgoff),
> -       TP_ARGS(ino, area, page, pgoff),
> +                void *page, unsigned long pgoff),
> +       TP_ARGS(ino, page, pgoff),
>         TP_STRUCT__entry(
>                 __field(unsigned long long, ino)
> -               __field(void *, area)
>                 __field(void *, page)
>                 __field(unsigned long, pgoff)
>         ),
>         TP_fast_assign(
>                 __entry->ino = ino;
> -               __entry->area = area;
>                 __entry->page = page;
>                 __entry->pgoff = pgoff;
>         ),
> -       TP_printk("%llu %p %p %lu",
> -                 __entry->ino, __entry->area, __entry->page, __entry->pgoff)
> +       TP_printk("%llu %p %lu",
> +                 __entry->ino, __entry->page, __entry->pgoff)
>  );
> 
>  /* End of trace events for fs/ocfs2/mmap.c. */
> --
> 2.53.0
> 
> 
> Thanks,
> Tejas
> 
> 
> 
> 
> ________________________________________
> From: Joseph Qi <joseph.qi@linux.alibaba.com>
> Sent: Wednesday, April 1, 2026 1:29 AM
> To: tejas bharambe <tejas.bharambe@outlook.com>
> Cc: mark@fasheh.com <mark@fasheh.com>; jlbec@evilplan.org <jlbec@evilplan.org>; linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org>; syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com <syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com>; ocfs2-devel@lists.linux.dev <ocfs2-devel@lists.linux.dev>
> Subject: Re: [PATCH v2] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
> 
> 
> 
> On 4/1/26 12:20 PM, tejas bharambe wrote:
>> filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
>> as documented in mm/filemap.c:
>>
>>   "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
>>   may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
>>
>> When this happens, a concurrent munmap() can call remove_vma() and free
>> the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
>> becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
>> dereferences it -- a use-after-free.
>>
>> Fix this by saving the inode reference before calling filemap_fault(),
>> and removing vma from the trace event. The inode remains valid across
>> the lock drop since the file is still open, so the trace can fire in
>> all cases without dereferencing the potentially freed vma.
>>
>> Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
>> Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
>> Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
>> ---
>>  fs/ocfs2/mmap.c        |  4 ++--
>>  fs/ocfs2/ocfs2_trace.h | 10 ++++------
>>  2 files changed, 6 insertions(+), 8 deletions(-)
>>
>> diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c
>> index 50e2faf64c..7a4be91d6a 100644
>> --- a/fs/ocfs2/mmap.c
>> +++ b/fs/ocfs2/mmap.c
>> @@ -38,8 +38,8 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
>>        ret = filemap_fault(vmf);
>>        ocfs2_unblock_signals(&oldset);
>>
>> -     trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno,
>> -                       vma, vmf->page, vmf->pgoff);
>> +     trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
> 
> It seems you've missed defining 'inode' at first.
> 
> Joseph
> 
>> +                       vmf->page, vmf->pgoff);
>>        return ret;
>>  }
>>
>> diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h
>> index 4b32fb5658..6c2c97a980 100644
>> --- a/fs/ocfs2/ocfs2_trace.h
>> +++ b/fs/ocfs2/ocfs2_trace.h
>> @@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline,
>>
>>  TRACE_EVENT(ocfs2_fault,
>>        TP_PROTO(unsigned long long ino,
>> -              void *area, void *page, unsigned long pgoff),
>> -     TP_ARGS(ino, area, page, pgoff),
>> +              void *page, unsigned long pgoff),
>> +     TP_ARGS(ino, page, pgoff),
>>        TP_STRUCT__entry(
>>                __field(unsigned long long, ino)
>> -             __field(void *, area)
>>                __field(void *, page)
>>                __field(unsigned long, pgoff)
>>        ),
>>        TP_fast_assign(
>>                __entry->ino = ino;
>> -             __entry->area = area;
>>                __entry->page = page;
>>                __entry->pgoff = pgoff;
>>        ),
>> -     TP_printk("%llu %p %p %lu",
>> -               __entry->ino, __entry->area, __entry->page, __entry->pgoff)
>> +     TP_printk("%llu %p %lu",
>> +               __entry->ino, __entry->page, __entry->pgoff)
>>  );
>>
>>  /* End of trace events for fs/ocfs2/mmap.c. */

[PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[tejas bharambe]

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
as documented in mm/filemap.c:

  "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
  may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free
the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
dereferences it -- a use-after-free.

Fix this by saving the inode reference before calling filemap_fault(),
and removing vma from the trace event. The inode remains valid across
the lock drop since the file is still open, so the trace can fire in
all cases without dereferencing the potentially freed vma.

Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
---
 fs/ocfs2/mmap.c        |  6 +++---
 fs/ocfs2/ocfs2_trace.h | 10 ++++------
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c
index 50e2faf64c..41c08c5a3d 100644
--- a/fs/ocfs2/mmap.c
+++ b/fs/ocfs2/mmap.c
@@ -30,7 +30,7 @@
 
 static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
 {
-	struct vm_area_struct *vma = vmf->vma;
+	struct inode *inode = file_inode(vmf->vma->vm_file);
 	sigset_t oldset;
 	vm_fault_t ret;
 
@@ -38,8 +38,8 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
 	ret = filemap_fault(vmf);
 	ocfs2_unblock_signals(&oldset);
 
-	trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno,
-			  vma, vmf->page, vmf->pgoff);
+	trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
+			  vmf->page, vmf->pgoff);
 	return ret;
 }
 
diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h
index 4b32fb5658..6c2c97a980 100644
--- a/fs/ocfs2/ocfs2_trace.h
+++ b/fs/ocfs2/ocfs2_trace.h
@@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline,
 
 TRACE_EVENT(ocfs2_fault,
 	TP_PROTO(unsigned long long ino,
-		 void *area, void *page, unsigned long pgoff),
-	TP_ARGS(ino, area, page, pgoff),
+		 void *page, unsigned long pgoff),
+	TP_ARGS(ino, page, pgoff),
 	TP_STRUCT__entry(
 		__field(unsigned long long, ino)
-		__field(void *, area)
 		__field(void *, page)
 		__field(unsigned long, pgoff)
 	),
 	TP_fast_assign(
 		__entry->ino = ino;
-		__entry->area = area;
 		__entry->page = page;
 		__entry->pgoff = pgoff;
 	),
-	TP_printk("%llu %p %p %lu",
-		  __entry->ino, __entry->area, __entry->page, __entry->pgoff)
+	TP_printk("%llu %p %lu",
+		  __entry->ino, __entry->page, __entry->pgoff)
 );
 
 /* End of trace events for fs/ocfs2/mmap.c. */
-- 
2.53.0

[PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[tejas bharambe]

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
as documented in mm/filemap.c:

  "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
  may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free
the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
dereferences it -- a use-after-free.

Fix this by saving the inode reference before calling filemap_fault(),
and removing vma from the trace event. The inode remains valid across
the lock drop since the file is still open, so the trace can fire in
all cases without dereferencing the potentially freed vma.

Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
---
 fs/ocfs2/mmap.c        |  6 +++---
 fs/ocfs2/ocfs2_trace.h | 10 ++++------
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c
index 50e2faf64c..41c08c5a3d 100644
--- a/fs/ocfs2/mmap.c
+++ b/fs/ocfs2/mmap.c
@@ -30,7 +30,7 @@
 
 static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
 {
-	struct vm_area_struct *vma = vmf->vma;
+	struct inode *inode = file_inode(vmf->vma->vm_file);
 	sigset_t oldset;
 	vm_fault_t ret;
 
@@ -38,8 +38,8 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
 	ret = filemap_fault(vmf);
 	ocfs2_unblock_signals(&oldset);
 
-	trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno,
-     vma, vmf->page, vmf->pgoff);
+	trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
+     vmf->page, vmf->pgoff);
 	return ret;
 }
 
diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h
index 4b32fb5658..6c2c97a980 100644
--- a/fs/ocfs2/ocfs2_trace.h
+++ b/fs/ocfs2/ocfs2_trace.h
@@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline,
 
 TRACE_EVENT(ocfs2_fault,
 	TP_PROTO(unsigned long long ino,
-   void *area, void *page, unsigned long pgoff),
-	TP_ARGS(ino, area, page, pgoff),
+   void *page, unsigned long pgoff),
+	TP_ARGS(ino, page, pgoff),
 	TP_STRUCT__entry(
   __field(unsigned long long, ino)
-  __field(void *, area)
   __field(void *, page)
   __field(unsigned long, pgoff)
 	),
 	TP_fast_assign(
   __entry->ino = ino;
-  __entry->area = area;
   __entry->page = page;
   __entry->pgoff = pgoff;
 	),
-	TP_printk("%llu %p %p %lu",
-    __entry->ino, __entry->area, __entry->page, __entry->pgoff)
+	TP_printk("%llu %p %lu",
+    __entry->ino, __entry->page, __entry->pgoff)
 );
 
 /* End of trace events for fs/ocfs2/mmap.c. */
--
2.53.0

Re: [PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[Joseph Qi]

On 4/2/26 11:10 AM, tejas bharambe wrote:
> filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
> as documented in mm/filemap.c:
> 
>   "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
>   may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
> 
> When this happens, a concurrent munmap() can call remove_vma() and free
> the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
> becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
> dereferences it -- a use-after-free.
> 
> Fix this by saving the inode reference before calling filemap_fault(),
> and removing vma from the trace event. The inode remains valid across
> the lock drop since the file is still open, so the trace can fire in
> all cases without dereferencing the potentially freed vma.
> 
> Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
> Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
> ---
>  fs/ocfs2/mmap.c        |  6 +++---
>  fs/ocfs2/ocfs2_trace.h | 10 ++++------
>  2 files changed, 7 insertions(+), 9 deletions(-)
> 
> diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c
> index 50e2faf64c..41c08c5a3d 100644
> --- a/fs/ocfs2/mmap.c
> +++ b/fs/ocfs2/mmap.c
> @@ -30,7 +30,7 @@
>  
>  static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
>  {
> -	struct vm_area_struct *vma = vmf->vma;
> +	struct inode *inode = file_inode(vmf->vma->vm_file);
>  	sigset_t oldset;
>  	vm_fault_t ret;
>  
> @@ -38,8 +38,8 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
>  	ret = filemap_fault(vmf);
>  	ocfs2_unblock_signals(&oldset);
>  
> -	trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno,
> -     vma, vmf->page, vmf->pgoff);
> +	trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
> +     vmf->page, vmf->pgoff);

Seems malformed?

>  	return ret;
>  }
>  
> diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h
> index 4b32fb5658..6c2c97a980 100644
> --- a/fs/ocfs2/ocfs2_trace.h
> +++ b/fs/ocfs2/ocfs2_trace.h
> @@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline,
>  
>  TRACE_EVENT(ocfs2_fault,
>  	TP_PROTO(unsigned long long ino,
> -   void *area, void *page, unsigned long pgoff),
> -	TP_ARGS(ino, area, page, pgoff),
> +   void *page, unsigned long pgoff),
> +	TP_ARGS(ino, page, pgoff),
>  	TP_STRUCT__entry(
>    __field(unsigned long long, ino)
> -  __field(void *, area)
>    __field(void *, page)
>    __field(unsigned long, pgoff)
>  	),
>  	TP_fast_assign(
>    __entry->ino = ino;
> -  __entry->area = area;
>    __entry->page = page;
>    __entry->pgoff = pgoff;
>  	),
> -	TP_printk("%llu %p %p %lu",
> -    __entry->ino, __entry->area, __entry->page, __entry->pgoff)
> +	TP_printk("%llu %p %lu",
> +    __entry->ino, __entry->page, __entry->pgoff)

Ditto.

>  );
>  
>  /* End of trace events for fs/ocfs2/mmap.c. */
> --
> 2.53.0
> 

Re: [PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[Joseph Qi]

On 4/2/26 11:08 AM, tejas bharambe wrote:
> filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
> as documented in mm/filemap.c:
> 
>   "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
>   may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
> 
> When this happens, a concurrent munmap() can call remove_vma() and free
> the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
> becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
> dereferences it -- a use-after-free.
> 
> Fix this by saving the inode reference before calling filemap_fault(),
> and removing vma from the trace event. The inode remains valid across
> the lock drop since the file is still open, so the trace can fire in
> all cases without dereferencing the potentially freed vma.
> 
> Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
> Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>

Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> ---
>  fs/ocfs2/mmap.c        |  6 +++---
>  fs/ocfs2/ocfs2_trace.h | 10 ++++------
>  2 files changed, 7 insertions(+), 9 deletions(-)
> 
> diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c
> index 50e2faf64c..41c08c5a3d 100644
> --- a/fs/ocfs2/mmap.c
> +++ b/fs/ocfs2/mmap.c
> @@ -30,7 +30,7 @@
>  
>  static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
>  {
> -	struct vm_area_struct *vma = vmf->vma;
> +	struct inode *inode = file_inode(vmf->vma->vm_file);
>  	sigset_t oldset;
>  	vm_fault_t ret;
>  
> @@ -38,8 +38,8 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
>  	ret = filemap_fault(vmf);
>  	ocfs2_unblock_signals(&oldset);
>  
> -	trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno,
> -			  vma, vmf->page, vmf->pgoff);
> +	trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
> +			  vmf->page, vmf->pgoff);
>  	return ret;
>  }
>  
> diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h
> index 4b32fb5658..6c2c97a980 100644
> --- a/fs/ocfs2/ocfs2_trace.h
> +++ b/fs/ocfs2/ocfs2_trace.h
> @@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline,
>  
>  TRACE_EVENT(ocfs2_fault,
>  	TP_PROTO(unsigned long long ino,
> -		 void *area, void *page, unsigned long pgoff),
> -	TP_ARGS(ino, area, page, pgoff),
> +		 void *page, unsigned long pgoff),
> +	TP_ARGS(ino, page, pgoff),
>  	TP_STRUCT__entry(
>  		__field(unsigned long long, ino)
> -		__field(void *, area)
>  		__field(void *, page)
>  		__field(unsigned long, pgoff)
>  	),
>  	TP_fast_assign(
>  		__entry->ino = ino;
> -		__entry->area = area;
>  		__entry->page = page;
>  		__entry->pgoff = pgoff;
>  	),
> -	TP_printk("%llu %p %p %lu",
> -		  __entry->ino, __entry->area, __entry->page, __entry->pgoff)
> +	TP_printk("%llu %p %lu",
> +		  __entry->ino, __entry->page, __entry->pgoff)
>  );
>  
>  /* End of trace events for fs/ocfs2/mmap.c. */

Re: [PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[tejas bharambe]

Well!!! outlook issues. I am resending it from gmail account using git send-email.
________________________________________
From: Joseph Qi <joseph.qi@linux.alibaba.com>
Sent: Wednesday, April 1, 2026 8:32 PM
To: tejas bharambe <tejas.bharambe@outlook.com>
Cc: mark@fasheh.com <mark@fasheh.com>; jlbec@evilplan.org <jlbec@evilplan.org>; linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org>; syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com <syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com>; ocfs2-devel@lists.linux.dev <ocfs2-devel@lists.linux.dev>
Subject: Re: [PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY



On 4/2/26 11:10 AM, tejas bharambe wrote:
> filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
> as documented in mm/filemap.c:
>
>   "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
>   may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
>
> When this happens, a concurrent munmap() can call remove_vma() and free
> the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
> becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
> dereferences it -- a use-after-free.
>
> Fix this by saving the inode reference before calling filemap_fault(),
> and removing vma from the trace event. The inode remains valid across
> the lock drop since the file is still open, so the trace can fire in
> all cases without dereferencing the potentially freed vma.
>
> Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
> Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
> ---
>  fs/ocfs2/mmap.c        |  6 +++---
>  fs/ocfs2/ocfs2_trace.h | 10 ++++------
>  2 files changed, 7 insertions(+), 9 deletions(-)
>
> diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c
> index 50e2faf64c..41c08c5a3d 100644
> --- a/fs/ocfs2/mmap.c
> +++ b/fs/ocfs2/mmap.c
> @@ -30,7 +30,7 @@
>
>  static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
>  {
> -     struct vm_area_struct *vma = vmf->vma;
> +     struct inode *inode = file_inode(vmf->vma->vm_file);
>       sigset_t oldset;
>       vm_fault_t ret;
>
> @@ -38,8 +38,8 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
>       ret = filemap_fault(vmf);
>       ocfs2_unblock_signals(&oldset);
>
> -     trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno,
> -     vma, vmf->page, vmf->pgoff);
> +     trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
> +     vmf->page, vmf->pgoff);

Seems malformed?

>       return ret;
>  }
>
> diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h
> index 4b32fb5658..6c2c97a980 100644
> --- a/fs/ocfs2/ocfs2_trace.h
> +++ b/fs/ocfs2/ocfs2_trace.h
> @@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline,
>
>  TRACE_EVENT(ocfs2_fault,
>       TP_PROTO(unsigned long long ino,
> -   void *area, void *page, unsigned long pgoff),
> -     TP_ARGS(ino, area, page, pgoff),
> +   void *page, unsigned long pgoff),
> +     TP_ARGS(ino, page, pgoff),
>       TP_STRUCT__entry(
>    __field(unsigned long long, ino)
> -  __field(void *, area)
>    __field(void *, page)
>    __field(unsigned long, pgoff)
>       ),
>       TP_fast_assign(
>    __entry->ino = ino;
> -  __entry->area = area;
>    __entry->page = page;
>    __entry->pgoff = pgoff;
>       ),
> -     TP_printk("%llu %p %p %lu",
> -    __entry->ino, __entry->area, __entry->page, __entry->pgoff)
> +     TP_printk("%llu %p %lu",
> +    __entry->ino, __entry->page, __entry->pgoff)

Ditto.

>  );
>
>  /* End of trace events for fs/ocfs2/mmap.c. */
> --
> 2.53.0
>

[PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[Tejas Bharambe]

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
as documented in mm/filemap.c:

  "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
  may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free
the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
dereferences it -- a use-after-free.

Fix this by saving the inode reference before calling filemap_fault(),
and removing vma from the trace event. The inode remains valid across
the lock drop since the file is still open, so the trace can fire in
all cases without dereferencing the potentially freed vma.

Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
---
 fs/ocfs2/mmap.c        |  6 +++---
 fs/ocfs2/ocfs2_trace.h | 10 ++++------
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/fs/ocfs2/mmap.c b/fs/ocfs2/mmap.c
index 50e2faf64c..41c08c5a3d 100644
--- a/fs/ocfs2/mmap.c
+++ b/fs/ocfs2/mmap.c
@@ -30,7 +30,7 @@
 
 static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
 {
-	struct vm_area_struct *vma = vmf->vma;
+	struct inode *inode = file_inode(vmf->vma->vm_file);
 	sigset_t oldset;
 	vm_fault_t ret;
 
@@ -38,8 +38,8 @@ static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
 	ret = filemap_fault(vmf);
 	ocfs2_unblock_signals(&oldset);
 
-	trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno,
-			  vma, vmf->page, vmf->pgoff);
+	trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
+			  vmf->page, vmf->pgoff);
 	return ret;
 }
 
diff --git a/fs/ocfs2/ocfs2_trace.h b/fs/ocfs2/ocfs2_trace.h
index 4b32fb5658..6c2c97a980 100644
--- a/fs/ocfs2/ocfs2_trace.h
+++ b/fs/ocfs2/ocfs2_trace.h
@@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline,
 
 TRACE_EVENT(ocfs2_fault,
 	TP_PROTO(unsigned long long ino,
-		 void *area, void *page, unsigned long pgoff),
-	TP_ARGS(ino, area, page, pgoff),
+		 void *page, unsigned long pgoff),
+	TP_ARGS(ino, page, pgoff),
 	TP_STRUCT__entry(
 		__field(unsigned long long, ino)
-		__field(void *, area)
 		__field(void *, page)
 		__field(unsigned long, pgoff)
 	),
 	TP_fast_assign(
 		__entry->ino = ino;
-		__entry->area = area;
 		__entry->page = page;
 		__entry->pgoff = pgoff;
 	),
-	TP_printk("%llu %p %p %lu",
-		  __entry->ino, __entry->area, __entry->page, __entry->pgoff)
+	TP_printk("%llu %p %lu",
+		  __entry->ino, __entry->page, __entry->pgoff)
 );
 
 /* End of trace events for fs/ocfs2/mmap.c. */
-- 
2.53.0

Re: [PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[Andrew Morton]

On Thu, 2 Apr 2026 11:47:12 +0800 Joseph Qi <joseph.qi@linux.alibaba.com> wrote:

> 
> 
> On 4/2/26 11:08 AM, tejas bharambe wrote:
> > filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
> > as documented in mm/filemap.c:
> > 
> >   "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
> >   may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
> > 
> > When this happens, a concurrent munmap() can call remove_vma() and free
> > the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
> > becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
> > dereferences it -- a use-after-free.
> > 
> > Fix this by saving the inode reference before calling filemap_fault(),
> > and removing vma from the trace event. The inode remains valid across
> > the lock drop since the file is still open, so the trace can fire in
> > all cases without dereferencing the potentially freed vma.
> > 
> > Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
> > Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> > Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
> 
> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>

Cool.

I think a cc:stable is needed?

The code looks like it dates back to 2011, so Fixes: isn't needed.


A process thing: as far as I know, the -stable maintainers will
automatically gather any patch which has a Fixes:.  But they've been
asked not to do that for MM patches, so there's a risk they'll see an
ocfs2 patch is from my tree and not backport it.  I like to add
a cc:stable just to be sure.

Also, because this one doesn't have a Fixes: it might not be grabbed by
the -stable trees.  An explicit cc:stable again removes doubt.

But that's just my late night waffling which can be ignored.  For every
single patch I always consider cc:stable so other people don't have to ;)

Re: [PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[Andrew Morton]

On Wed,  1 Apr 2026 21:02:34 -0700 Tejas Bharambe <thbharam@gmail.com> wrote:

> From: Tejas Bharambe <thbharam@gmail.com>
>
> ...
>
> Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>

These are different!  Which would you prefer for upstreaming?  I'll assume
@outlook.com.

To eliminate confusion you can include an explicit From: line at
start-of-changelog and this will override the From: in the email
headers.

Re: [PATCH v3] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[Joseph Qi]

On 4/2/26 12:17 PM, Andrew Morton wrote:
> On Thu, 2 Apr 2026 11:47:12 +0800 Joseph Qi <joseph.qi@linux.alibaba.com> wrote:
> 
>>
>>
>> On 4/2/26 11:08 AM, tejas bharambe wrote:
>>> filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
>>> as documented in mm/filemap.c:
>>>
>>>   "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
>>>   may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
>>>
>>> When this happens, a concurrent munmap() can call remove_vma() and free
>>> the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
>>> becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
>>> dereferences it -- a use-after-free.
>>>
>>> Fix this by saving the inode reference before calling filemap_fault(),
>>> and removing vma from the trace event. The inode remains valid across
>>> the lock drop since the file is still open, so the trace can fire in
>>> all cases without dereferencing the potentially freed vma.
>>>
>>> Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com
>>> Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f
>>> Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
>>> Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
>>
>> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> 
> Cool.
> 
> I think a cc:stable is needed?
> 
> The code looks like it dates back to 2011, so Fixes: isn't needed.
> 
> 
> A process thing: as far as I know, the -stable maintainers will
> automatically gather any patch which has a Fixes:.  But they've been
> asked not to do that for MM patches, so there's a risk they'll see an
> ocfs2 patch is from my tree and not backport it.  I like to add
> a cc:stable just to be sure.
> 
> Also, because this one doesn't have a Fixes: it might not be grabbed by
> the -stable trees.  An explicit cc:stable again removes doubt.
> 
> But that's just my late night waffling which can be ignored.  For every
> single patch I always consider cc:stable so other people don't have to ;)

Yes, cc stable is preferred here.

Thanks,
Joseph

Re: [PATCH v2] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[kernel test robot]

Hi tejas,

kernel test robot noticed the following build errors:

[auto build test ERROR on brauner-vfs/vfs.all]
[also build test ERROR on linus/master v7.0-rc6]
[cannot apply to next-20260403]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/tejas-bharambe/ocfs2-fix-use-after-free-in-ocfs2_fault-when-VM_FAULT_RETRY/20260403-161805
base:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git vfs.all
patch link:    https://lore.kernel.org/r/JH0PR06MB66325344CF84BBC38B2973C38950A%40JH0PR06MB6632.apcprd06.prod.outlook.com
patch subject: [PATCH v2] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
config: x86_64-kexec (https://download.01.org/0day-ci/archive/20260403/202604031809.3cnzRidc-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260403/202604031809.3cnzRidc-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604031809.3cnzRidc-lkp@intel.com/

All errors (new ones prefixed by >>):

>> fs/ocfs2/mmap.c:41:28: error: use of undeclared identifier 'inode'
      41 |         trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
         |                                   ^
   1 error generated.


vim +/inode +41 fs/ocfs2/mmap.c

    29	
    30	
    31	static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
    32	{
    33		struct vm_area_struct *vma = vmf->vma;
    34		sigset_t oldset;
    35		vm_fault_t ret;
    36	
    37		ocfs2_block_signals(&oldset);
    38		ret = filemap_fault(vmf);
    39		ocfs2_unblock_signals(&oldset);
    40	
  > 41		trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
    42				  vmf->page, vmf->pgoff);
    43		return ret;
    44	}
    45	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH v2] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[kernel test robot]

Hi tejas,

kernel test robot noticed the following build errors:

[auto build test ERROR on brauner-vfs/vfs.all]
[also build test ERROR on linus/master v6.16-rc1]
[cannot apply to next-20260403]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/tejas-bharambe/ocfs2-fix-use-after-free-in-ocfs2_fault-when-VM_FAULT_RETRY/20260403-161805
base:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git vfs.all
patch link:    https://lore.kernel.org/r/JH0PR06MB66325344CF84BBC38B2973C38950A%40JH0PR06MB6632.apcprd06.prod.outlook.com
patch subject: [PATCH v2] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
config: x86_64-rhel-9.4-func (https://download.01.org/0day-ci/archive/20260403/202604031948.fsuptUtV-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260403/202604031948.fsuptUtV-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604031948.fsuptUtV-lkp@intel.com/

All error/warnings (new ones prefixed by >>):

   fs/ocfs2/mmap.c: In function 'ocfs2_fault':
>> fs/ocfs2/mmap.c:41:35: error: 'inode' undeclared (first use in this function)
      41 |         trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
         |                                   ^~~~~
   fs/ocfs2/mmap.c:41:35: note: each undeclared identifier is reported only once for each function it appears in
>> fs/ocfs2/mmap.c:33:32: warning: unused variable 'vma' [-Wunused-variable]
      33 |         struct vm_area_struct *vma = vmf->vma;
         |                                ^~~


vim +/inode +41 fs/ocfs2/mmap.c

    29	
    30	
    31	static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
    32	{
  > 33		struct vm_area_struct *vma = vmf->vma;
    34		sigset_t oldset;
    35		vm_fault_t ret;
    36	
    37		ocfs2_block_signals(&oldset);
    38		ret = filemap_fault(vmf);
    39		ocfs2_unblock_signals(&oldset);
    40	
  > 41		trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
    42				  vmf->page, vmf->pgoff);
    43		return ret;
    44	}
    45	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH v2] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[kernel test robot]

Hi tejas,

kernel test robot noticed the following build errors:

[auto build test ERROR on brauner-vfs/vfs.all]
[also build test ERROR on linus/master v7.0-rc6]
[cannot apply to next-20260403]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/tejas-bharambe/ocfs2-fix-use-after-free-in-ocfs2_fault-when-VM_FAULT_RETRY/20260403-161805
base:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git vfs.all
patch link:    https://lore.kernel.org/r/JH0PR06MB66325344CF84BBC38B2973C38950A%40JH0PR06MB6632.apcprd06.prod.outlook.com
patch subject: [PATCH v2] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
config: m68k-defconfig (https://download.01.org/0day-ci/archive/20260404/202604040621.obNS19yW-lkp@intel.com/config)
compiler: m68k-linux-gcc (GCC) 15.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260404/202604040621.obNS19yW-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604040621.obNS19yW-lkp@intel.com/

All error/warnings (new ones prefixed by >>):

   fs/ocfs2/mmap.c: In function 'ocfs2_fault':
>> fs/ocfs2/mmap.c:41:35: error: 'inode' undeclared (first use in this function)
      41 |         trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
         |                                   ^~~~~
   fs/ocfs2/mmap.c:41:35: note: each undeclared identifier is reported only once for each function it appears in
>> fs/ocfs2/mmap.c:33:32: warning: unused variable 'vma' [-Wunused-variable]
      33 |         struct vm_area_struct *vma = vmf->vma;
         |                                ^~~


vim +/inode +41 fs/ocfs2/mmap.c

    29	
    30	
    31	static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
    32	{
  > 33		struct vm_area_struct *vma = vmf->vma;
    34		sigset_t oldset;
    35		vm_fault_t ret;
    36	
    37		ocfs2_block_signals(&oldset);
    38		ret = filemap_fault(vmf);
    39		ocfs2_unblock_signals(&oldset);
    40	
  > 41		trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
    42				  vmf->page, vmf->pgoff);
    43		return ret;
    44	}
    45	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH v2] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

[kernel test robot]

Hi tejas,

kernel test robot noticed the following build errors:

[auto build test ERROR on brauner-vfs/vfs.all]
[also build test ERROR on linus/master v7.0-rc6]
[cannot apply to next-20260403]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/tejas-bharambe/ocfs2-fix-use-after-free-in-ocfs2_fault-when-VM_FAULT_RETRY/20260403-161805
base:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git vfs.all
patch link:    https://lore.kernel.org/r/JH0PR06MB66325344CF84BBC38B2973C38950A%40JH0PR06MB6632.apcprd06.prod.outlook.com
patch subject: [PATCH v2] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
config: x86_64-randconfig-161-20260404 (https://download.01.org/0day-ci/archive/20260404/202604040729.Vs91c7q4-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
smatch: v0.5.0-9004-gb810ac53
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260404/202604040729.Vs91c7q4-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604040729.Vs91c7q4-lkp@intel.com/

All errors (new ones prefixed by >>):

>> fs/ocfs2/mmap.c:41:28: error: use of undeclared identifier 'inode'
      41 |         trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
         |                                   ^
   1 error generated.


vim +/inode +41 fs/ocfs2/mmap.c

    29	
    30	
    31	static vm_fault_t ocfs2_fault(struct vm_fault *vmf)
    32	{
    33		struct vm_area_struct *vma = vmf->vma;
    34		sigset_t oldset;
    35		vm_fault_t ret;
    36	
    37		ocfs2_block_signals(&oldset);
    38		ret = filemap_fault(vmf);
    39		ocfs2_unblock_signals(&oldset);
    40	
  > 41		trace_ocfs2_fault(OCFS2_I(inode)->ip_blkno,
    42				  vmf->page, vmf->pgoff);
    43		return ret;
    44	}
    45	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki