7.8

CVE-2026-31597

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,
as documented in mm/filemap.c:

  "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock
  may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free
the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then
becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call
dereferences it -- a use-after-free.

Fix this by saving ip_blkno as a plain integer before calling
filemap_fault(), and removing vma from the trace event. Since
ip_blkno is copied by value before the lock can be dropped, it
remains valid regardless of what happens to the vma or inode
afterward.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.39 < 6.6.136
LinuxLinux Kernel Version >= 6.7 < 6.12.83
LinuxLinux Kernel Version >= 6.13 < 6.18.24
LinuxLinux Kernel Version >= 6.19 < 6.19.14
LinuxLinux Kernel Version >= 7.0 < 7.0.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.027
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d
Patch
https://git.kernel.org/stable/c/d45ff441b416d4aa1af72b1db23d959601c04da2
Patch
https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0
Patch
https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2
Patch
https://git.kernel.org/stable/c/7de554cabf160e331e4442e2a9ad874ca9875921
Patch
https://git.kernel.org/stable/c/6f072daefcab1d84ce37c073645615f63be91006
Patch
https://git.kernel.org/stable/c/35c2c05261d6f6d84aaa1355afa201d507943e76
https://git.kernel.org/stable/c/36539c4d536f851a3b346a6ebb27b51bc3d77a94
https://git.kernel.org/stable/c/3f5e74b5db9353b01ed50f4de84e75b755f8fbc2