CVE-2026-31597

Vulnerability Description

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c: "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()." When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free. Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.

CVSS Score

Affected Products

Related Weaknesses (CWE)

References

• https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349dPatch
• https://git.kernel.org/stable/c/6f072daefcab1d84ce37c073645615f63be91006Patch
• https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0Patch
• https://git.kernel.org/stable/c/7de554cabf160e331e4442e2a9ad874ca9875921Patch
• https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2Patch
• https://git.kernel.org/stable/c/d45ff441b416d4aa1af72b1db23d959601c04da2Patch