HIGH
ocfs2 Fault Handler UAF
CVE-2026-31597
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c: "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."

When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free.

Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.
02 KernelScan AI Analysis
Risk summary
A local user who can mmap() a file on an OCFS2 mount can trigger a use-after-free in the filesystem's page-fault handler by racing a page fault against munmap() of the same mapping. When filemap_fault() drops mmap_lock and returns VM_FAULT_RETRY, the vm_area_struct can be freed underneath ocfs2_fault(), which then dereferences the stale pointer in its trace_ocfs2_fault() call. The outcome ranges from a kernel crash (denial of service) to, in the worst case, privilege escalation, consistent with the CVSS vector above. Only systems with a mounted OCFS2 filesystem on which users can map files are affected.
Vulnerability analysis
Summary: Use-after-free vulnerability in ocfs2_fault() when filemap_fault() returns VM_FAULT_RETRY
Root Cause: The ocfs2_fault() function saves a pointer to the vm_area_struct (vma) at the beginning, then calls filemap_fault(). When filemap_fault() returns VM_FAULT_RETRY, it may have dropped the mmap_lock, allowing a concurrent munmap() to free the vma via RCU. The saved vma pointer becomes dangling, and the subsequent trace_ocfs2_fault() call dereferences it, causing a use-after-free.
Attack Surface: Local. The attacker needs the ability to mmap() a file on an OCFS2 filesystem and to call munmap() on that mapping from a concurrent thread while a page fault is in flight; no privileges beyond access to the file are required. The window exists only on the VM_FAULT_RETRY path, i.e. when filemap_fault() drops mmap_lock before doing I/O or in lock_folio_maybe_drop_mmap(), so the race is timing-dependent but reachable through ordinary mmap/munmap usage.
Fix Mechanism: The fix saves the ip_blkno value as a plain integer before calling filemap_fault(), and removes the vma parameter from the trace event. Since ip_blkno is copied by value before any locks can be dropped, it remains valid regardless of what happens to the vma or inode afterward.
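To make the lifetime rule concrete, here is a constructed user-space C model of the before/after code paths described in the Description and in the Root Cause and Fix Mechanism entries above. It is an added example, not code from the kernel or from this page: the struct names mirror the kernel's but are minimal stand-ins, the racing munmap() is invoked synchronously inside the modelled filemap_fault() rather than from another thread, and remove_vma() is represented by a tombstone flag instead of an actual free so the stale access is observable without undefined behaviour. `run_scenario()` and the block number `0x1234` are illustrative.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed user-space model of the ocfs2_fault() lifetime bug.
 * Added example, not kernel code. remove_vma() is modelled by a
 * tombstone flag rather than free() so the "UAF" is observable safely.
 */

#define VM_FAULT_RETRY 0x0400u   /* model flag; only its presence matters */

struct ocfs2_inode_info { uint64_t ip_blkno; };
struct inode            { struct ocfs2_inode_info oi; };
struct address_space    { struct inode *host; };
struct file             { struct address_space *f_mapping; };

struct vm_area_struct {
    struct file *vm_file;
    bool freed;              /* set by the modelled remove_vma() */
};

struct vm_fault { struct vm_area_struct *vma; };

static int mmap_lock_held;   /* 1 while the fault path holds mmap_lock */
static int uaf_detected;     /* set when a path reads through a removed vma */

/* A racing munmap() can only remove the vma while mmap_lock is not held. */
static void racing_munmap(struct vm_area_struct *vma)
{
    if (mmap_lock_held)
        return;              /* munmap() blocks on mmap_lock: no race */
    vma->freed = true;       /* remove_vma(): vma freed via RCU */
    vma->vm_file = NULL;     /* stand-in for the freed object's contents */
}

/* Model of filemap_fault(): needing I/O drops the lock and returns RETRY. */
static unsigned int model_filemap_fault(struct vm_fault *vmf, bool needs_io)
{
    if (!needs_io)
        return 0;            /* folio present: mmap_lock never dropped */
    mmap_lock_held = 0;      /* lock_folio_maybe_drop_mmap() */
    racing_munmap(vmf->vma); /* the window a concurrent munmap() can hit */
    return VM_FAULT_RETRY;
}

/* Read ip_blkno through the vma; records a UAF if the vma is already gone. */
static uint64_t blkno_via_vma(struct vm_area_struct *vma)
{
    if (vma->freed) {
        uaf_detected = 1;    /* in the kernel: dereference of freed memory */
        return 0;
    }
    return vma->vm_file->f_mapping->host->oi.ip_blkno;
}

/* Before the fix: vma pointer saved, filemap_fault() called, vma used after. */
static uint64_t ocfs2_fault_before(struct vm_fault *vmf, bool needs_io)
{
    struct vm_area_struct *vma = vmf->vma;   /* may dangle after the call */

    (void)model_filemap_fault(vmf, needs_io);
    return blkno_via_vma(vma);               /* trace_ocfs2_fault(... vma ...) */
}

/* After the fix: ip_blkno copied by value while mmap_lock is still held. */
static uint64_t ocfs2_fault_after(struct vm_fault *vmf, bool needs_io)
{
    uint64_t ip_blkno = blkno_via_vma(vmf->vma);   /* vma valid here */

    (void)model_filemap_fault(vmf, needs_io);
    return ip_blkno;                         /* trace_ocfs2_fault(ip_blkno, ...) */
}

/*
 * Run one scenario on a fresh fixture. Returns 1 if the path touched a
 * removed vma, 0 otherwise; *blkno receives what the tracepoint would log.
 */
int run_scenario(bool fixed, bool needs_io, uint64_t *blkno)
{
    struct inode ino = { .oi = { .ip_blkno = 0x1234 } };   /* constructed */
    struct address_space mapping = { .host = &ino };
    struct file f = { .f_mapping = &mapping };
    struct vm_area_struct vma = { .vm_file = &f, .freed = false };
    struct vm_fault vmf = { .vma = &vma };

    mmap_lock_held = 1;      /* fault handlers are entered with the lock held */
    uaf_detected = 0;
    *blkno = fixed ? ocfs2_fault_after(&vmf, needs_io)
                   : ocfs2_fault_before(&vmf, needs_io);
    return uaf_detected;
}

int main(void)
{
    uint64_t b;
    int uaf = run_scenario(false, true, &b);
    printf("before fix, VM_FAULT_RETRY: uaf=%d blkno=%#llx\n", uaf, (unsigned long long)b);
    uaf = run_scenario(true, true, &b);
    printf("after fix,  VM_FAULT_RETRY: uaf=%d blkno=%#llx\n", uaf, (unsigned long long)b);
    return 0;
}
```

What the model isolates is ordering, not the race itself: `ocfs2_fault_before()` carries a pointer across a call whose contract says the caller may no longer own the referent once mmap_lock is dropped, while `ocfs2_fault_after()` carries an integer that cannot go stale. The same rule applies to any fault handler that touches `vmf->vma` after a call that can return VM_FAULT_RETRY.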
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 36539c4d536f |
| 5.15 | 5.15.209 | 35c2c05261d6 |
| 6.1 | 6.1.175 | 3f5e74b5db93 |
| 6.6 | 6.6.136 | 6f072daefcab |
| 6.12 | 6.12.83 | 4cf2768a0291 |
| 6.18 | 6.18.24 | d45ff441b416 |
| 6.19 | 6.19.14 | 76a602fdbb78 |
| 7.0 | 7.0.1 | 925bf22c1b82 |
| mainline | 7.1-rc1 | 7de554cabf16 |