Re: [PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed preparation
From: David Howells
Date: Wed Jun 24 2026 - 07:03:37 EST
I suspect the issue is this bit in netfs_unbuffered_write():
	for (;;) {
		...
		netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
		if (stream->prepare_write) {
			stream->prepare_write(subreq);
			__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
			netfs_stat(&netfs_n_wh_retry_write_subreq);
		} else {
			struct iov_iter source;
			netfs_reset_iter(subreq);
			source = subreq->io_iter;
			netfs_reissue_write(stream, subreq, &source); <----
		}
	}
This doesn't happen with AFS because it has a ->prepare_write() method. Does
this change fix the problem for you?
diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index 25f8ceb15fad..9f6258da45d6 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -190,12 +190,6 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq)
stream->prepare_write(subreq);
__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
netfs_stat(&netfs_n_wh_retry_write_subreq);
- } else {
- struct iov_iter source;
-
- netfs_reset_iter(subreq);
- source = subreq->io_iter;
- netfs_reissue_write(stream, subreq, &source);
}
}
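Review bot: With the else branch removed at the end of this hunk, a stream without ->prepare_write() no longer gets netfs_reset_iter() or netfs_reissue_write() in this block, and the remaining branch sets NETFS_SREQ_IN_PROGRESS and bumps netfs_n_wh_retry_write_subreq only when the method exists. The patch should say where the subrequest is reissued for streams without the method, and confirm that the reference taken by netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit) in the loop quoted above is still dropped on that path. A changelog naming the second issue point that made this call redundant would let a reader check the use-after-free reasoning from the diff alone.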
David