Re: [PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed preparation
From: Christian Brauner
Date: Tue Jun 23 2026 - 06:28:43 EST
On 2026-05-30 09:14 +0800, hongao wrote:
> If write subrequest preparation fails, netfs_unbuffered_write() calls
> netfs_write_subrequest_terminated() and then reads subreq->error to set
> wreq->error.
>
> However, netfs_write_subrequest_terminated() consumes a reference to the
> subrequest through netfs_put_subrequest(), so the subrequest may be freed
> before netfs_unbuffered_write() reads subreq->error again. This can
> trigger a slab-use-after-free.
>
> Save the error locally before terminating the subrequest, and use the
> saved value afterwards.
>
> Fixes: a0b4c7a49137 ("netfs: Fix unbuffered/DIO writes to dispatch subrequests in strict sequence")
> Reported-by: syzbot+3c74b1f0c372e98efc32@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=3c74b1f0c372e98efc32
>
> Signed-off-by: hongao <hongao@xxxxxxxxxxxxx>
> ---
David?
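
The ordering problem the quoted commit message describes, as an added example that is not part of this thread and not kernel code. It is a user-space model: `struct subreq`, the helper names and the poison value are hypothetical, and the "free" poisons the object instead of releasing it so the stale read is observable without undefined behaviour.

```c
#include <errno.h>
#include <stdio.h>

#define POISON_ERR 0x6b6b6b6b   /* constructed stand-in for slab poison */
/* Hypothetical user-space model of a refcounted subrequest. */
struct subreq { int refs; int error; };

/* Drop one reference. On the last one the object is "freed": it is
 * poisoned rather than handed back to an allocator. */
static void subreq_put(struct subreq *s)
{
	if (--s->refs == 0)
		s->error = POISON_ERR;
}

/* Model of the termination helper: records the error and consumes a ref. */
static void subreq_terminated(struct subreq *s, int err)
{
	s->error = err;
	subreq_put(s);
}

/* Ordering the commit message describes as the bug. */
static int wreq_error_buggy(struct subreq *s)
{
	subreq_terminated(s, s->error);
	return s->error;        /* read after the reference was consumed */
}

/* Ordering the commit message describes as the fix. */
static int wreq_error_fixed(struct subreq *s)
{
	int err = s->error;     /* save while the reference is still held */
	subreq_terminated(s, err);
	return err;             /* s is not touched again */
}

/* Failed preparation (-EIO) on a subrequest holding its last reference. */
static int run_case(int fixed)
{
	struct subreq s = { .refs = 1, .error = -EIO };
	return fixed ? wreq_error_fixed(&s) : wreq_error_buggy(&s);
}

int main(void)
{
	printf("buggy: %#x  fixed: %d\n", (unsigned)run_case(0), run_case(1));
	return 0;
}
```
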