Description

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c:

"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free.

Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.
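The ordering issue described above, as a single-threaded user-space C model added here (it is not the kernel patch or ocfs2 code). All type and function names are hypothetical stand-ins, and the concurrent munmap() is simulated by freeing the mapping inside the modelled filemap_fault() retry path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* User-space stand-ins (hypothetical names, not kernel definitions). */
#define FAULT_RETRY 0x1u                 /* models VM_FAULT_RETRY */
struct inode_model { uint64_t ip_blkno; };
struct vma_model { struct inode_model *inode; };
static struct vma_model *live_vma;       /* mapping a concurrent unmap may free */
static uint64_t traced_blkno;            /* value the trace call recorded */

static struct vma_model *map_model(struct inode_model *ino)
{
    live_vma = malloc(sizeof(*live_vma));
    if (!live_vma) abort();
    live_vma->inode = ino;
    return live_vma;
}

/* Models munmap() -> remove_vma() running once the lock has been dropped. */
static void concurrent_unmap(void) { free(live_vma); live_vma = NULL; }
/* Models filemap_fault(): on the retry path the lock is dropped first. */
static unsigned fault_model(bool drop_lock)
{
    if (drop_lock) concurrent_unmap();
    return drop_lock ? FAULT_RETRY : 0;
}

/* Fixed ordering: copy ip_blkno by value first, never touch vma afterwards. */
static unsigned fault_fixed(struct vma_model *vma, bool drop_lock)
{
    uint64_t blkno = vma->inode->ip_blkno;
    unsigned ret = fault_model(drop_lock);
    traced_blkno = blkno;                /* trace sees only the saved integer */
    return ret;
}

/* Pre-fix ordering, guarded: reports whether a late vma read would hit freed memory. */
static bool unfixed_would_uaf(bool drop_lock)
{
    fault_model(drop_lock);
    return live_vma == NULL;             /* vma gone: dereferencing it is the bug */
}

int main(void)
{
    struct inode_model ino = { .ip_blkno = 4242 };   /* constructed sample value */
    return fault_fixed(map_model(&ino), true) == FAULT_RETRY && traced_blkno == 4242 ? 0 : 1;
}
```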

PUBLISHED Reserved 2026-03-09 | Published 2026-04-24 | Updated 2026-04-27 | Assigner Linux




HIGH: 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Product status

Default status: unaffected

614a9e849ca6ea24843795251cb30af525d5336b (git) before 6f072daefcab1d84ce37c073645615f63be91006: affected
614a9e849ca6ea24843795251cb30af525d5336b (git) before 4cf2768a0291a0cdd0dae801ea0eafa3878a349d: affected
614a9e849ca6ea24843795251cb30af525d5336b (git) before d45ff441b416d4aa1af72b1db23d959601c04da2: affected
614a9e849ca6ea24843795251cb30af525d5336b (git) before 76a602fdbb78dd05b2da06f74a988cebc97e82d0: affected
614a9e849ca6ea24843795251cb30af525d5336b (git) before 925bf22c1b823e231b1baea761fe8a1512e442f2: affected
614a9e849ca6ea24843795251cb30af525d5336b (git) before 7de554cabf160e331e4442e2a9ad874ca9875921: affected

Default status: affected

2.6.39: affected
Any version before 2.6.39: unaffected
6.6.136 (semver): unaffected
6.12.83 (semver): unaffected
6.18.24 (semver): unaffected
6.19.14 (semver): unaffected
7.0.1 (semver): unaffected
7.1-rc1 (original_commit_for_fix): unaffected

References

git.kernel.org/...c/6f072daefcab1d84ce37c073645615f63be91006

git.kernel.org/...c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d

git.kernel.org/...c/d45ff441b416d4aa1af72b1db23d959601c04da2

git.kernel.org/...c/76a602fdbb78dd05b2da06f74a988cebc97e82d0

git.kernel.org/...c/925bf22c1b823e231b1baea761fe8a1512e442f2

git.kernel.org/...c/7de554cabf160e331e4442e2a9ad874ca9875921

cve.org (CVE-2026-31597)

nvd.nist.gov (CVE-2026-31597)
