Re: [PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed preparation

Next message: kernel test robot: "Re: [staging] staging: sm750fb: rename pvMem to vram and pvReg to reg"
Previous message: IBM: "Re: [PATCH v3 RESEND 02/10] KVM: selftests: Add aligned guest physical page allocator"
In reply to: David Howells: "Re: [PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed preparation"
Next in thread: David Howells: "Re: [PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed preparation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: ChenXiaoSong

Date: Tue Jun 23 2026 - 21:27:33 EST

Hi David and hongao,

Please refer to my blog for the tracing log and reproduction steps:
https://chenxiaosong.com/en/netfs-uaf-in-netfs_unbuffered_write.html (I will make sure this link is always accessible)

I would appreciate it if you could continue debugging and fixing this issue. As I have many SMB features to implement and review tasks to do.

On 6/24/26 00:10, David Howells wrote:

ChenXiaoSong <chenxiaosong@xxxxxxxxxxxxxxxx> wrote:

After applying this patch, I can still reproduce the use-after-free issue.

Can you get some tracing? I have a suspicion it's a refcount bug.

The following tracepoints would be useful:

echo 1 > /sys/kernel/tracing/events/netfs/netfs_read/enable
echo 1 > /sys/kernel/tracing/events/netfs/netfs_write/enable
echo 1 > /sys/kernel/tracing/events/netfs/netfs_rreq/enable
echo 1 > /sys/kernel/tracing/events/netfs/netfs_sreq/enable
echo 1 > /sys/kernel/tracing/events/netfs/netfs_failure/enable
echo 1 > /sys/kernel/tracing/events/error_report/enable

And if you can capture this, can you compress the resulting trace and send it
to me?

Thanks,
David

--
ChenXiaoSong <chenxiaosong@xxxxxxxxxxxxxxxx>
Chinese Homepage: https://chenxiaosong.com
English Homepage: https://chenxiaosong.com/en