Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2228996/?format=api
{ "id": 2228996, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2228996/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260427154639.180684-17-dhowells@redhat.com/", "project": { "id": 12, "url": "http://patchwork.ozlabs.org/api/1.1/projects/12/?format=api", "name": "Linux CIFS Client", "link_name": "linux-cifs-client", "list_id": "linux-cifs.vger.kernel.org", "list_email": "linux-cifs@vger.kernel.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260427154639.180684-17-dhowells@redhat.com>", "date": "2026-04-27T15:46:31", "name": "[v4,16/22] netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages()", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "dfd8940acda50335a85fa2366de1b26c097d3a25", "submitter": { "id": 59, "url": "http://patchwork.ozlabs.org/api/1.1/people/59/?format=api", "name": "David Howells", "email": "dhowells@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260427154639.180684-17-dhowells@redhat.com/mbox/", "series": [ { "id": 501682, "url": "http://patchwork.ozlabs.org/api/1.1/series/501682/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=501682", "date": "2026-04-27T15:46:15", "name": "netfs: Miscellaneous fixes", "version": 4, "mbox": "http://patchwork.ozlabs.org/series/501682/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2228996/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2228996/checks/", "tags": {}, "headers": { "Return-Path": "\n <linux-cifs+bounces-11172-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linux-cifs@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=ZClL2hr3;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=linux-cifs+bounces-11172-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com\n header.b=\"ZClL2hr3\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=170.10.129.124", "smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=redhat.com", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=redhat.com" ], "Received": [ "from sto.lore.kernel.org (sto.lore.kernel.org\n [IPv6:2600:3c09:e001:a7::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g47W70hqxz1yHv\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 01:57:39 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 6076830F26C2\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 27 Apr 2026 15:50:47 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 7F1183D812C;\n\tMon, 27 Apr 2026 15:48:07 +0000 (UTC)", "from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.129.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id F3B3E3D7D8F\n\tfor <linux-cifs@vger.kernel.org>; Mon, 27 Apr 2026 15:48:05 +0000 (UTC)", "from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-321-Z6d3-rsPMmqEEZ6z9RTFzA-1; Mon,\n 27 Apr 2026 11:48:02 -0400", "from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id 4870419560BB;\n\tMon, 27 Apr 2026 15:48:00 +0000 (UTC)", "from warthog.procyon.org.com (unknown [10.44.32.126])\n\tby mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP\n id 078451800348;\n\tMon, 27 Apr 2026 15:47:56 +0000 (UTC)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777304887; cv=none;\n b=RaPR/OugEyYAhwM4nSSRINvM3kct2rqvbDc6lnq5CIXmkBCKeFmK3kkNUfJjqmKMS13X2Ayvbh7KAj7T9FW0ZrMA09AIIbN2id9XgbHmlV8R3Z0FvaboMsVqddV7fcasHyHBwin57g9hwrJmO05MD/Xzf+LW5zydpXGEEBJwATY=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777304887; c=relaxed/simple;\n\tbh=umEY6z5FzhVe9OfppsXVNGpeV9bgYr7l964IDKNxAUQ=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=G4fxYhC8FWjE4UlrZkr7uAJ+TCYC5Vc9cJ4TNPs9V4GpACacnVoBR+upsJbAA6JvkaFu2RNAW5JN16cGK7l0ItcCQ3RinI4oM57Js4HNlIdVyPYl2GSS9RrLJtMsOESkDOz372fvyNtcFv8oT++xmPgM7Nt0FBT+S+40AHxsYWc=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=redhat.com;\n spf=pass smtp.mailfrom=redhat.com;\n dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com\n header.b=ZClL2hr3; arc=none smtp.client-ip=170.10.129.124", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n\ts=mimecast20190719; t=1777304885;\n\th=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n\t to:to:cc:cc:mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=zeNaf4Kz9zRtxWGIdVhluWxRyogCAQk408/i+Kq5848=;\n\tb=ZClL2hr3Dg3hs8LMrVeGHek7XMVSR8l5akYE/z6kzpViJClFnxRnthkrvGEyVkIaam4MdE\n\tgjl/LMPFlFTxoGVL4Q5Qbduo/4biWWJFaWPvrTCk388H1kqFFEgPxJBhp0FbuiIVvmooiU\n\tRiUa2z7MjxMOd1aRj6hzrHplksFFCmw=", "X-MC-Unique": "Z6d3-rsPMmqEEZ6z9RTFzA-1", "X-Mimecast-MFC-AGG-ID": "Z6d3-rsPMmqEEZ6z9RTFzA_1777304880", "From": "David Howells <dhowells@redhat.com>", "To": "Christian Brauner <christian@brauner.io>", "Cc": "David Howells <dhowells@redhat.com>,\n\tPaulo Alcantara <pc@manguebit.org>,\n\tnetfs@lists.linux.dev,\n\tlinux-afs@lists.infradead.org,\n\tlinux-cifs@vger.kernel.org,\n\tceph-devel@vger.kernel.org,\n\tlinux-fsdevel@vger.kernel.org,\n\tlinux-kernel@vger.kernel.org,\n\tViacheslav Dubeyko <Slava.Dubeyko@ibm.com>,\n\tMatthew Wilcox <willy@infradead.org>", "Subject": "[PATCH v4 16/22] netfs: Fix potential UAF in\n netfs_unlock_abandoned_read_pages()", "Date": "Mon, 27 Apr 2026 16:46:31 +0100", "Message-ID": "<20260427154639.180684-17-dhowells@redhat.com>", "In-Reply-To": "<20260427154639.180684-1-dhowells@redhat.com>", "References": "<20260427154639.180684-1-dhowells@redhat.com>", "Precedence": "bulk", "X-Mailing-List": "linux-cifs@vger.kernel.org", "List-Id": "<linux-cifs.vger.kernel.org>", "List-Subscribe": "<mailto:linux-cifs+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:linux-cifs+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Scanned-By": "MIMEDefang 3.4.1 on 10.30.177.93" }, "content": "netfs_unlock_abandoned_read_pages(rreq) accesses the index of the folios it\nis wanting to unlock and compares that to rreq->no_unlock_folio so that it\ndoesn't unlock a folio being read for netfs_perform_write() or\nnetfs_write_begin().\n\nHowever, given that netfs_unlock_abandoned_read_pages() is called _after_\nNETFS_RREQ_IN_PROGRESS is cleared, the one folio that it's not allowed to\ndereference is the one specified by ->no_unlock_folio as ownership\nimmediately reverts to the caller.\n\nFix this by storing the folio pointer instead and using that rather than\nthe index. Also fix netfs_unlock_read_folio() where the same applies.\n\nFixes: ee4cdf7ba857 (\"netfs: Speed up buffered reading\")\nCloses: https://sashiko.dev/#/patchset/20260414082004.3756080-1-dhowells%40redhat.com\nSigned-off-by: David Howells <dhowells@redhat.com>\ncc: Paulo Alcantara <pc@manguebit.org>\ncc: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>\ncc: Matthew Wilcox <willy@infradead.org>\ncc: netfs@lists.linux.dev\ncc: linux-fsdevel@vger.kernel.org\n---\n fs/netfs/buffered_read.c | 4 ++--\n fs/netfs/read_collect.c | 2 +-\n fs/netfs/read_retry.c | 2 +-\n include/linux/netfs.h | 2 +-\n 4 files changed, 5 insertions(+), 5 deletions(-)", "diff": "diff --git a/fs/netfs/buffered_read.c b/fs/netfs/buffered_read.c\nindex 71ab81b3f609..ec576d840594 100644\n--- a/fs/netfs/buffered_read.c\n+++ b/fs/netfs/buffered_read.c\n@@ -675,7 +675,7 @@ int netfs_write_begin(struct netfs_inode *ctx,\n \t\tret = PTR_ERR(rreq);\n \t\tgoto error;\n \t}\n-\trreq->no_unlock_folio\t= folio->index;\n+\trreq->no_unlock_folio\t= folio;\n \t__set_bit(NETFS_RREQ_NO_UNLOCK_FOLIO, &rreq->flags);\n \n \tret = netfs_begin_cache_read(rreq, ctx);\n@@ -741,7 +741,7 @@ int netfs_prefetch_for_write(struct file *file, struct folio *folio,\n \t\tgoto error;\n \t}\n \n-\trreq->no_unlock_folio = folio->index;\n+\trreq->no_unlock_folio = folio;\n \t__set_bit(NETFS_RREQ_NO_UNLOCK_FOLIO, &rreq->flags);\n \tret = netfs_begin_cache_read(rreq, ctx);\n \tif (ret == -ENOMEM || ret == -EINTR || ret == -ERESTARTSYS)\ndiff --git a/fs/netfs/read_collect.c b/fs/netfs/read_collect.c\nindex f6b87a22c290..5847796b54ec 100644\n--- a/fs/netfs/read_collect.c\n+++ b/fs/netfs/read_collect.c\n@@ -83,7 +83,7 @@ static void netfs_unlock_read_folio(struct netfs_io_request *rreq,\n \t}\n \n just_unlock:\n-\tif (folio->index == rreq->no_unlock_folio &&\n+\tif (folio == rreq->no_unlock_folio &&\n \t test_bit(NETFS_RREQ_NO_UNLOCK_FOLIO, &rreq->flags)) {\n \t\t_debug(\"no unlock\");\n \t} else {\ndiff --git a/fs/netfs/read_retry.c b/fs/netfs/read_retry.c\nindex 6e5e0da88290..92ed17a83c3d 100644\n--- a/fs/netfs/read_retry.c\n+++ b/fs/netfs/read_retry.c\n@@ -290,7 +290,7 @@ void netfs_unlock_abandoned_read_pages(struct netfs_io_request *rreq)\n \t\t\tstruct folio *folio = folioq_folio(p, slot);\n \n \t\t\tif (folio && !folioq_is_marked2(p, slot)) {\n-\t\t\t\tif (folio->index == rreq->no_unlock_folio &&\n+\t\t\t\tif (folio == rreq->no_unlock_folio &&\n \t\t\t\t test_bit(NETFS_RREQ_NO_UNLOCK_FOLIO,\n \t\t\t\t\t &rreq->flags)) {\n \t\t\t\t\t_debug(\"no unlock\");\ndiff --git a/include/linux/netfs.h b/include/linux/netfs.h\nindex 59f35d2eeb2e..eaf75543b64c 100644\n--- a/include/linux/netfs.h\n+++ b/include/linux/netfs.h\n@@ -252,7 +252,7 @@ struct netfs_io_request {\n \tunsigned long long\tcollected_to;\t/* Point we've collected to */\n \tunsigned long long\tcleaned_to;\t/* Position we've cleaned folios to */\n \tunsigned long long\tabandon_to;\t/* Position to abandon folios to */\n-\tpgoff_t\t\t\tno_unlock_folio; /* Don't unlock this folio after read */\n+\tconst struct folio\t*no_unlock_folio; /* Don't unlock this folio after read */\n \tunsigned int\t\tdirect_bv_count; /* Number of elements in direct_bv[] */\n \tunsigned int\t\tdebug_id;\n \tunsigned int\t\trsize;\t\t/* Maximum read size (0 for none) */\n", "prefixes": [ "v4", "16/22" ] }