Re: [PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed preparation

From: ChenXiaoSong

Date: Tue Jun 23 2026 - 07:52:35 EST


Hi hongao and David,

After applying this patch, I can still reproduce the use-after-free issue.

C reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=171b697e580000

Note that QEMU should be started with the following virtfs option:

-virtfs ...,mount_tag=syz,...

On 5/30/26 09:14, hongao wrote:
If write subrequest preparation fails, netfs_unbuffered_write() calls
netfs_write_subrequest_terminated() and then reads subreq->error to set
wreq->error.

However, netfs_write_subrequest_terminated() consumes a reference to the
subrequest through netfs_put_subrequest(), so the subrequest may be freed
before netfs_unbuffered_write() reads subreq->error again. This can
trigger a slab-use-after-free.

Save the error locally before terminating the subrequest, and use the
saved value afterwards.

Fixes: a0b4c7a49137 ("netfs: Fix unbuffered/DIO writes to dispatch subrequests in strict sequence")
Reported-by: syzbot+3c74b1f0c372e98efc32@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=3c74b1f0c372e98efc32

Signed-off-by: hongao <hongao@xxxxxxxxxxxxx>
---
fs/netfs/direct_write.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index 25f8ceb15fad..2d5361702076 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -115,8 +115,9 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq)
/* Check if (re-)preparation failed. */
if (unlikely(test_bit(NETFS_SREQ_FAILED, &subreq->flags))) {
- netfs_write_subrequest_terminated(subreq, subreq->error);
- wreq->error = subreq->error;
+ ret = subreq->error;
+ wreq->error = ret;
+ netfs_write_subrequest_terminated(subreq, ret);
break;
}
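Review bot: moving the read of subreq->error ahead of netfs_write_subrequest_terminated() only removes the single post-terminate access visible in this hunk; it does nothing for any use of subreq after the `break`, and the reply above reports that the use-after-free still reproduces with this patch applied. Because netfs_write_subrequest_terminated() consumes the caller's reference, every later dereference of subreq in netfs_unbuffered_write() (the code following the loop is not shown in this hunk) is the same bug. Consider setting `subreq = NULL;` immediately after the terminated call so that any remaining use faults loudly, and re-check the rest of the function against the syzkaller reproducer rather than this hunk alone.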

--
ChenXiaoSong <chenxiaosong@xxxxxxxxxxxxxxxx>
Chinese Homepage: https://chenxiaosong.com
English Homepage: https://chenxiaosong.com/en
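The ordering bug under discussion, modelled as a stand-alone C example added here for illustration. This is not netfs or kernel code: all of the names (fake_subreq, fake_terminated, fake_put_subreq, FREED_POISON) are hypothetical stand-ins, and the "slab" marks an object freed and poisons its error field instead of releasing memory, so the read that would be a real use-after-free becomes observable without a sanitizer. The third function shows why the patch's reordering alone is not enough: any access to the subrequest after the reference-consuming call reads freed memory.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for slab poison: what a read of freed memory "sees". */
#define FREED_POISON (-0x6b6b6b6b)

/* Minimal refcounted object modelling a netfs write subrequest (constructed). */
struct fake_subreq {
	int refcount;
	int error;
	bool freed;	/* our fake slab marks objects freed instead of releasing them */
};

static struct fake_subreq *fake_subreq_alloc(int error)
{
	struct fake_subreq *s = calloc(1, sizeof(*s));

	if (!s)
		abort();
	s->refcount = 1;	/* the caller holds the only reference */
	s->error = error;
	return s;
}

/* Drop one reference; at zero the object is "freed" and its fields poisoned. */
static void fake_put_subreq(struct fake_subreq *s)
{
	if (--s->refcount == 0) {
		s->freed = true;
		s->error = FREED_POISON;
	}
}

/* Models netfs_write_subrequest_terminated(): consumes the caller's reference. */
static void fake_terminated(struct fake_subreq *s, int error)
{
	(void)error;
	fake_put_subreq(s);
}

/* Ordering before the patch: terminate (dropping the ref), then read error. */
static int buggy_order(struct fake_subreq *s)
{
	fake_terminated(s, s->error);
	return s->error;	/* in the real kernel this is the slab-use-after-free */
}

/* Ordering from the patch: save error first, then terminate. */
static int fixed_order(struct fake_subreq *s)
{
	int ret = s->error;

	fake_terminated(s, ret);
	return ret;
}

/* The patch's ordering does not help if the caller touches s afterwards. */
static int fixed_order_but_touched_later(struct fake_subreq *s)
{
	int ret = fixed_order(s);

	return s->freed ? s->error : ret;	/* any later access reads freed memory */
}

/* Release the fake slab object's backing memory (only valid once "freed"). */
static void fake_subreq_release(struct fake_subreq *s)
{
	free(s);
}

int main(void)
{
	struct fake_subreq *a = fake_subreq_alloc(-5);
	struct fake_subreq *b = fake_subreq_alloc(-5);
	int bad = buggy_order(a);	/* FREED_POISON, not -5 */
	int good = fixed_order(b);	/* -5 */

	fake_subreq_release(a);
	fake_subreq_release(b);
	return (bad == FREED_POISON && good == -5) ? 0 : 1;
}
```

Reading the model against the hunk: the patch converts buggy_order() into fixed_order(), but fixed_order_but_touched_later() is the shape of any remaining dereference of subreq after netfs_write_subrequest_terminated() returns, which is why a reproducer can still fire after the reordering.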