Re: [PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed preparation

Next message: Konrad Dybcio: "Re: [PATCH] dt-bindings: arm: qcom,ids: Add SoC ID for Snapdragon SDA 850"
Previous message: Krzysztof Kozlowski: "Re: [PATCH] dt-bindings: arm: qcom,ids: Add SoC ID for Snapdragon SDA 850"
Next in thread: David Howells: "Re: [PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed preparation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Howells

Date: Wed Jun 24 2026 - 03:38:18 EST

This excerpt would seem to show how the problem comes about:

a.out-717 : netfs_sreq: R=00000001[13] UPLD PREP f=000 s=240000 0/0 s=192 e=0
a.out-717 : netfs_sreq: R=00000001[13] UPLD SUBMT f=100 s=240000 0/20000 s=192 e=0
a.out-717 : netfs_sreq: R=00000001[13] UPLD TERM f=310 s=240000 1fac0/20000 s=160 e=0
a.out-717 : netfs_rreq: R=00000001 UW WAKE-Q f=1801
a.out-717 : netfs_rreq: R=00000001 UW DONE-QUIESCE f=1801
a.out-717 : netfs_sreq: R=00000001[13] UPLD RETRY f=210 s=240000 1fac0/20000 s=160 e=-11
a.out-717 : netfs_sreq: R=00000001[13] UPLD SUBMT f=100 s=240000 0/dbfac0 s=192 e=0
a.out-717 : netfs_failure: R=00000001[13] UPLD f=500 s=240000 0/dbfac0 write e=-5

It looks like there are two issues: firstly, why does the upload stop short?
Presumably that's forced by the test. Secondly, I think it has miscalculated
the subreq size in the retry, hence the EIO.

David