Re: [PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed preparation

From: David Howells

Date: Wed Jun 24 2026 - 07:03:37 EST


I suspect the issue is this bit in netfs_unbuffered_write():

	for (;;) {
		...
		netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);

		if (stream->prepare_write) {
			stream->prepare_write(subreq);
			__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
			netfs_stat(&netfs_n_wh_retry_write_subreq);
		} else {
			struct iov_iter source;

			netfs_reset_iter(subreq);
			source = subreq->io_iter;
			netfs_reissue_write(stream, subreq, &source); <----
		}
	}

This doesn't happen with AFS because it has a ->prepare_write() method. Does
this change fix the problem for you?

diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index 25f8ceb15fad..9f6258da45d6 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -190,12 +190,6 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq)
stream->prepare_write(subreq);
__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
netfs_stat(&netfs_n_wh_retry_write_subreq);
- } else {
- struct iov_iter source;
-
- netfs_reset_iter(subreq);
- source = subreq->io_iter;
- netfs_reissue_write(stream, subreq, &source);
}
}
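
Review bot: With the else branch removed, a stream that has no ->prepare_write() no longer gets netfs_reset_iter() or netfs_reissue_write() in this loop, while the excerpt quoted above still shows netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit) being taken before the if regardless of which branch runs. Please confirm where the retry is now issued for such filesystems and that the reference taken for the resubmit is still dropped on that path. The diff carries no description, so the changelog or a comment at the remaining if should state why reissuing from here was wrong.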


David