Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2225004/?format=api
{ "id": 2225004, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2225004/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260420083705.1009074-4-dhowells@redhat.com/", "project": { "id": 12, "url": "http://patchwork.ozlabs.org/api/1.1/projects/12/?format=api", "name": "Linux CIFS Client", "link_name": "linux-cifs-client", "list_id": "linux-cifs.vger.kernel.org", "list_email": "linux-cifs@vger.kernel.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260420083705.1009074-4-dhowells@redhat.com>", "date": "2026-04-20T08:36:54", "name": "[03/11] netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages()", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "dfd8940acda50335a85fa2366de1b26c097d3a25", "submitter": { "id": 59, "url": "http://patchwork.ozlabs.org/api/1.1/people/59/?format=api", "name": "David Howells", "email": "dhowells@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260420083705.1009074-4-dhowells@redhat.com/mbox/", "series": [ { "id": 500568, "url": "http://patchwork.ozlabs.org/api/1.1/series/500568/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=500568", "date": "2026-04-20T08:36:52", "name": "netfs: Further miscellaneous fixes", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/500568/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2225004/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2225004/checks/", "tags": {}, "headers": { "Return-Path": "\n <linux-cifs+bounces-10926-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linux-cifs@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=W4BHB2RD;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10926-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com\n header.b=\"W4BHB2RD\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=170.10.129.124", "smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=redhat.com", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=redhat.com" ], "Received": [ "from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzf8w2wWpz1yD4\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 18:41:20 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 7398F3064EAF\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 08:37:52 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 8403B389469;\n\tMon, 20 Apr 2026 08:37:38 +0000 (UTC)", "from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.129.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 071E038B159\n\tfor <linux-cifs@vger.kernel.org>; Mon, 20 Apr 2026 08:37:36 +0000 (UTC)", "from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-201-x4HYGNN4MX-KuWrsWdkrPA-1; Mon,\n 20 Apr 2026 04:37:33 -0400", "from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id 960F21956065;\n\tMon, 20 Apr 2026 08:37:30 +0000 (UTC)", "from warthog.procyon.org.com (unknown [10.44.48.17])\n\tby mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP\n id 7AB033000C15;\n\tMon, 20 Apr 2026 08:37:26 +0000 (UTC)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776674258; cv=none;\n b=GNiWMF1ImtkIRh+za0zOdlpqPovps4gR+PrrV+2YHCnYIgYqGn5fyBjQZmKIEIdpz73u1rxkrQ1qdifWE5y3XIj0z6gCfsmQi0a+apOEmANq8YIIfvWPz+vFlXoTHHJPgDSgb4tXY3YLU873l+xwF0AVN5OS0X5AnnucjF2AMpU=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776674258; c=relaxed/simple;\n\tbh=Mueh1+AhgGs/BauhuJNGcBUyo52NSt02ZynYIE1e/os=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=SkyejPlKgVi0RGZyMqPIgo7pN7G/a4VLo1vvotnLmP2XvknrkKVyBALPklnzKD73wqw9Apf/63kV2p+sQROgcZhiHxEAt2jqbaLwNgdUVLNrpUAWKVvepkk+/LilCSSmiT3FwdEQZNEta1ThOycBqVnGbCFgKeIbDi4hlxxpyUg=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=redhat.com;\n spf=pass smtp.mailfrom=redhat.com;\n dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com\n header.b=W4BHB2RD; arc=none smtp.client-ip=170.10.129.124", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n\ts=mimecast20190719; t=1776674256;\n\th=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n\t to:to:cc:cc:mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=RxAt8h3Z5s//UgNA1V43SWKyEAFpFt5qMrF31FeEFDE=;\n\tb=W4BHB2RD2e6FO2caVljvNFPhVBTvG7oBavwqe+Yg+oL1065mrIS4sePF2Y1cqFect5Eyte\n\te+UFroh8OydVABvrse0x011VrYUpQQLxqnu9JQG+k206dalugviv2fvFhisQjW3NgfWWm9\n\tnUtBD0DBHlf5rHTpKFqr1LLYiBNtwBg=", "X-MC-Unique": "x4HYGNN4MX-KuWrsWdkrPA-1", "X-Mimecast-MFC-AGG-ID": "x4HYGNN4MX-KuWrsWdkrPA_1776674251", "From": "David Howells <dhowells@redhat.com>", "To": "Christian Brauner <christian@brauner.io>", "Cc": "David Howells <dhowells@redhat.com>,\n\tPaulo Alcantara <pc@manguebit.org>,\n\tnetfs@lists.linux.dev,\n\tlinux-afs@lists.infradead.org,\n\tlinux-cifs@vger.kernel.org,\n\tceph-devel@vger.kernel.org,\n\tlinux-fsdevel@vger.kernel.org,\n\tlinux-kernel@vger.kernel.org,\n\tViacheslav Dubeyko <Slava.Dubeyko@ibm.com>,\n\tMatthew Wilcox <willy@infradead.org>", "Subject": "[PATCH 03/11] netfs: Fix potential UAF in\n netfs_unlock_abandoned_read_pages()", "Date": "Mon, 20 Apr 2026 09:36:54 +0100", "Message-ID": "<20260420083705.1009074-4-dhowells@redhat.com>", "In-Reply-To": "<20260420083705.1009074-1-dhowells@redhat.com>", "References": "<20260420083705.1009074-1-dhowells@redhat.com>", "Precedence": "bulk", "X-Mailing-List": "linux-cifs@vger.kernel.org", "List-Id": "<linux-cifs.vger.kernel.org>", "List-Subscribe": "<mailto:linux-cifs+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:linux-cifs+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Scanned-By": "MIMEDefang 3.4.1 on 10.30.177.4" }, "content": "netfs_unlock_abandoned_read_pages(rreq) accesses the index of the folios it\nis wanting to unlock and compares that to rreq->no_unlock_folio so that it\ndoesn't unlock a folio being read for netfs_perform_write() or\nnetfs_write_begin().\n\nHowever, given that netfs_unlock_abandoned_read_pages() is called _after_\nNETFS_RREQ_IN_PROGRESS is cleared, the one folio that it's not allowed to\ndereference is the one specified by ->no_unlock_folio as ownership\nimmediately reverts to the caller.\n\nFix this by storing the folio pointer instead and using that rather than\nthe index. Also fix netfs_unlock_read_folio() where the same applies.\n\nFixes: ee4cdf7ba857 (\"netfs: Speed up buffered reading\")\nCloses: https://sashiko.dev/#/patchset/20260414082004.3756080-1-dhowells%40redhat.com\nSigned-off-by: David Howells <dhowells@redhat.com>\ncc: Paulo Alcantara <pc@manguebit.org>\ncc: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>\ncc: Matthew Wilcox <willy@infradead.org>\ncc: netfs@lists.linux.dev\ncc: linux-fsdevel@vger.kernel.org\n---\n fs/netfs/buffered_read.c | 4 ++--\n fs/netfs/read_collect.c | 2 +-\n fs/netfs/read_retry.c | 2 +-\n include/linux/netfs.h | 2 +-\n 4 files changed, 5 insertions(+), 5 deletions(-)", "diff": "diff --git a/fs/netfs/buffered_read.c b/fs/netfs/buffered_read.c\nindex 51caad535438..b4d271538f75 100644\n--- a/fs/netfs/buffered_read.c\n+++ b/fs/netfs/buffered_read.c\n@@ -670,7 +670,7 @@ int netfs_write_begin(struct netfs_inode *ctx,\n \t\tret = PTR_ERR(rreq);\n \t\tgoto error;\n \t}\n-\trreq->no_unlock_folio\t= folio->index;\n+\trreq->no_unlock_folio\t= folio;\n \t__set_bit(NETFS_RREQ_NO_UNLOCK_FOLIO, &rreq->flags);\n \n \tret = netfs_begin_cache_read(rreq, ctx);\n@@ -736,7 +736,7 @@ int netfs_prefetch_for_write(struct file *file, struct folio *folio,\n \t\tgoto error;\n \t}\n \n-\trreq->no_unlock_folio = folio->index;\n+\trreq->no_unlock_folio = folio;\n \t__set_bit(NETFS_RREQ_NO_UNLOCK_FOLIO, &rreq->flags);\n \tret = netfs_begin_cache_read(rreq, ctx);\n \tif (ret == -ENOMEM || ret == -EINTR || ret == -ERESTARTSYS)\ndiff --git a/fs/netfs/read_collect.c b/fs/netfs/read_collect.c\nindex e5f6665b3341..eae067e3eaa5 100644\n--- a/fs/netfs/read_collect.c\n+++ b/fs/netfs/read_collect.c\n@@ -83,7 +83,7 @@ static void netfs_unlock_read_folio(struct netfs_io_request *rreq,\n \t}\n \n just_unlock:\n-\tif (folio->index == rreq->no_unlock_folio &&\n+\tif (folio == rreq->no_unlock_folio &&\n \t test_bit(NETFS_RREQ_NO_UNLOCK_FOLIO, &rreq->flags)) {\n \t\t_debug(\"no unlock\");\n \t} else {\ndiff --git a/fs/netfs/read_retry.c b/fs/netfs/read_retry.c\nindex 68fc869513ef..999177426141 100644\n--- a/fs/netfs/read_retry.c\n+++ b/fs/netfs/read_retry.c\n@@ -288,7 +288,7 @@ void netfs_unlock_abandoned_read_pages(struct netfs_io_request *rreq)\n \t\t\tstruct folio *folio = folioq_folio(p, slot);\n \n \t\t\tif (folio && !folioq_is_marked2(p, slot)) {\n-\t\t\t\tif (folio->index == rreq->no_unlock_folio &&\n+\t\t\t\tif (folio == rreq->no_unlock_folio &&\n \t\t\t\t test_bit(NETFS_RREQ_NO_UNLOCK_FOLIO,\n \t\t\t\t\t &rreq->flags)) {\n \t\t\t\t\t_debug(\"no unlock\");\ndiff --git a/include/linux/netfs.h b/include/linux/netfs.h\nindex ba17ac5bf356..62a528f90666 100644\n--- a/include/linux/netfs.h\n+++ b/include/linux/netfs.h\n@@ -252,7 +252,7 @@ struct netfs_io_request {\n \tunsigned long long\tcollected_to;\t/* Point we've collected to */\n \tunsigned long long\tcleaned_to;\t/* Position we've cleaned folios to */\n \tunsigned long long\tabandon_to;\t/* Position to abandon folios to */\n-\tpgoff_t\t\t\tno_unlock_folio; /* Don't unlock this folio after read */\n+\tconst struct folio\t*no_unlock_folio; /* Don't unlock this folio after read */\n \tunsigned int\t\tdirect_bv_count; /* Number of elements in direct_bv[] */\n \tunsigned int\t\tdebug_id;\n \tunsigned int\t\trsize;\t\t/* Maximum read size (0 for none) */\n", "prefixes": [ "03/11" ] }