Re: [PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed preparation

Next message: Bjorn Helgaas: "[GIT PULL] PCI changes for v7.2"
Previous message: Heikki Krogerus: "Re: [PATCH v2 1/3] usb: typec: Add helper to check cable altmode support"
In reply to: David Howells: "Re: [PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed preparation"
Next in thread: David Howells: "Re: [PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed preparation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Howells

Date: Wed Jun 24 2026 - 06:59:16 EST

Actually, this shows what happened:

a.out-717 : netfs_sreq: R=00000001[13] UPLD RETRY f=210 s=240000 1fac0/20000 s=160 e=-11
a.out-717 : netfs_sreq: R=00000001[13] UPLD SUBMT f=100 s=240000 0/dbfac0 s=192 e=0
a.out-717 : netfs_failure: R=00000001[13] UPLD f=500 s=240000 0/dbfac0 write e=-5
a.out-717 : netfs_rreq: R=00000001 UW PAUSE f=1801
a.out-717 : netfs_sreq: R=00000001[13] UPLD TERM f=500 s=240000 0/dbfac0 s=192 e=-5
a.out-717 : netfs_rreq: R=00000001 UW WAKE-Q f=1805
a.out-717 : netfs_failure: R=00000001[13] UPLD f=400 s=240000 0/dbfac0 write e=-5
a.out-717 : netfs_rreq: R=00000001 UW PAUSE f=1805
a.out-717 : netfs_sreq: R=00000001[13] UPLD TERM f=400 s=240000 0/dbfac0 s=192 e=-5
a.out-717 : netfs_rreq: R=00000001 UW WAKE-Q f=1805
a.out-717 : netfs_sreq: R=00000001[13] UPLD FREE f=400 s=240000 0/dbfac0 s=192 e=-5

There are two calls to netfs_write_subrequest_terminated(). You can see the
IN_PROGRESS bit has been cleared by the second one (f=500 -> f=400).

David