In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c:
"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free.
Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.
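The race the description outlines, as an added userspace model written for this page; it is not the kernel's code or the ocfs2 fix itself. Struct and function names mirror the kernel's, but every body is a stand-in: model_filemap_fault() plays the VM_FAULT_RETRY path in which mmap_lock is released and a concurrent munmap() runs remove_vma(), modelled here as repointing the stale vma at an unrelated inode, which is what a dangling read of reused memory would observe. The "before" handler reads ip_blkno through the saved vma after that call; the "after" handler copies ip_blkno by value first and passes only the integer to the trace stand-in, as the fix does. The block number 42, the 0xDEADBEEF reuse marker and the model_ helpers are constructed for the example.

```c
/* Constructed userspace model of the ocfs2_fault() race; not kernel code.
 * Compile with: cc -Wall -o ocfs2_race ocfs2_race.c && ./ocfs2_race */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Model constants; numerically the kernel's VM_FAULT_RETRY / VM_FAULT_NOPAGE. */
#define VM_FAULT_RETRY  0x0400u
#define VM_FAULT_NOPAGE 0x0100u

/* Simplified stand-ins for the kernel structures (the real ocfs2 inode info
 * is reached via OCFS2_I(inode); here it is a plain pointer field). */
struct ocfs2_inode_info { uint64_t ip_blkno; };
struct inode            { struct ocfs2_inode_info *ocfs2_info; };
struct file             { struct inode *f_inode; };
struct vm_area_struct   { struct file *vm_file; };
struct vm_fault         { struct vm_area_struct *vma; };

/* Model of remove_vma() freeing the vma via RCU and the memory being reused:
 * a stale pointer now leads to an unrelated inode whose block number is the
 * constructed marker 0xDEADBEEF. */
static struct ocfs2_inode_info reused_info  = { .ip_blkno = 0xDEADBEEF };
static struct inode            reused_inode = { .ocfs2_info = &reused_info };
static struct file             reused_file  = { .f_inode = &reused_inode };

static void model_remove_vma(struct vm_area_struct *vma)
{
    vma->vm_file = &reused_file;
}

/* Model of filemap_fault(): with drop_lock set it takes the VM_FAULT_RETRY
 * path, where mmap_lock is dropped and a concurrent munmap() gets in before
 * the function returns to its caller. */
static unsigned int model_filemap_fault(struct vm_fault *vmf, bool drop_lock)
{
    if (drop_lock) {
        model_remove_vma(vmf->vma);
        return VM_FAULT_RETRY;
    }
    return VM_FAULT_NOPAGE;
}

/* Stand-in for the trace event: record the block number it was handed. */
static uint64_t last_traced_blkno;

static void model_trace_ocfs2_fault(uint64_t blkno)
{
    last_traced_blkno = blkno;
}

/* "Before": derive ip_blkno from the saved vma after filemap_fault() returns,
 * i.e. after the vma may already have been freed. */
static unsigned int ocfs2_fault_before(struct vm_fault *vmf, bool drop_lock)
{
    struct vm_area_struct *vma = vmf->vma;
    unsigned int ret = model_filemap_fault(vmf, drop_lock);

    /* vma is dangling whenever ret has VM_FAULT_RETRY set */
    model_trace_ocfs2_fault(vma->vm_file->f_inode->ocfs2_info->ip_blkno);
    return ret;
}

/* "After": copy ip_blkno by value while the lock is still held; the trace
 * call no longer touches vma at all. */
static unsigned int ocfs2_fault_after(struct vm_fault *vmf, bool drop_lock)
{
    uint64_t ip_blkno = vmf->vma->vm_file->f_inode->ocfs2_info->ip_blkno;
    unsigned int ret = model_filemap_fault(vmf, drop_lock);

    model_trace_ocfs2_fault(ip_blkno);
    return ret;
}

/* Run one handler on a fresh mapping of constructed block 42 and return the
 * block number that reached the trace event. */
static uint64_t run_model(bool fixed, bool drop_lock)
{
    struct ocfs2_inode_info info = { .ip_blkno = 42 };
    struct inode            ino  = { .ocfs2_info = &info };
    struct file             f    = { .f_inode = &ino };
    struct vm_area_struct   vma  = { .vm_file = &f };
    struct vm_fault         vmf  = { .vma = &vma };

    last_traced_blkno = 0;
    if (fixed)
        ocfs2_fault_after(&vmf, drop_lock);
    else
        ocfs2_fault_before(&vmf, drop_lock);
    return last_traced_blkno;
}

int main(void)
{
    printf("before, retry path: traced blkno %#llx\n",
           (unsigned long long)run_model(false, true));
    printf("after,  retry path: traced blkno %#llx\n",
           (unsigned long long)run_model(true, true));
    return 0;
}
```

In the real kernel the stale read is a use-after-free rather than a tidy wrong value; the model substitutes memory reuse for the RCU free so the effect can be observed deterministically. The fix works because the copy of ip_blkno is taken while mmap_lock is still held, which is the only window in which the vma is guaranteed to exist.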
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31597.json"
}