[{"id":3677770,"web_url":"http://patchwork.ozlabs.org/comment/3677770/","msgid":"<2feeb396883d9223862e036b76092a1f@manguebit.org>","list_archive_url":null,"date":"2026-04-15T16:55:37","subject":"Re: [PATCH] netfs: Fix early put of sink folio in netfs_read_gaps()","submitter":{"id":91025,"url":"http://patchwork.ozlabs.org/api/people/91025/","name":"Paulo Alcantara","email":"pc@manguebit.org"},"content":"David Howells <dhowells@redhat.com> writes:\n\n> Fix netfs_read_gaps() to release the sink page it uses after waiting for\n> the request to complete.  The way the sink page is used is that an\n> ITER_BVEC-class iterator is created that has the gaps from the target folio\n> at either end, but has the sink page tiled over the middle so that a single\n> read op can fill in both gaps.\n>\n> The bug was found by KASAN detecting a UAF on the generic/075 xfstest in\n> the cifsd kernel thread that handles reception of data from the TCP socket:\n>\n>  BUG: KASAN: use-after-free in _copy_to_iter+0x48a/0xa20\n>  Write of size 885 at addr ffff888107f92000 by task cifsd/1285\n>  CPU: 2 UID: 0 PID: 1285 Comm: cifsd Not tainted 7.0.0 #6 PREEMPT(lazy)\n>  Call Trace:\n>   dump_stack_lvl+0x5d/0x80\n>   print_report+0x17f/0x4f1\n>   kasan_report+0x100/0x1e0\n>   kasan_check_range+0x10f/0x1e0\n>   __asan_memcpy+0x3c/0x60\n>   _copy_to_iter+0x48a/0xa20\n>   __skb_datagram_iter+0x2c9/0x430\n>   skb_copy_datagram_iter+0x6e/0x160\n>   tcp_recvmsg_locked+0xce0/0x1130\n>   tcp_recvmsg+0xeb/0x300\n>   inet_recvmsg+0xcf/0x3a0\n>   sock_recvmsg+0xea/0x100\n>   cifs_readv_from_socket+0x3a6/0x4d0 [cifs]\n>   cifs_read_iter_from_socket+0xdd/0x130 [cifs]\n>   cifs_readv_receive+0xaad/0xb10 [cifs]\n>   cifs_demultiplex_thread+0x1148/0x1740 [cifs]\n>   kthread+0x1cf/0x210\n>\n> Fixes: ee4cdf7ba857 (\"netfs: Speed up buffered reading\")\n> Reported-by: Steve French <sfrench@samba.org>\n> Signed-off-by: David Howells <dhowells@redhat.com>\n> cc: Paulo Alcantara <pc@manguebit.org>\n> cc: Matthew Wilcox 
<willy@infradead.org>\n> cc: netfs@lists.linux.dev\n> cc: linux-fsdevel@vger.kernel.org\n> ---\n>  fs/netfs/buffered_read.c |    6 +++---\n>  1 file changed, 3 insertions(+), 3 deletions(-)\n\nReviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>","headers":{"Return-Path":"\n <linux-cifs+bounces-10839-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-cifs@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=manguebit.org header.i=@manguebit.org header.a=rsa-sha256\n header.s=dkim header.b=fkn9Czsk;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10839-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=manguebit.org header.i=@manguebit.org\n header.b=\"fkn9Czsk\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=143.255.12.172","smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=manguebit.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=manguebit.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwnw61bH3z1yHc\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 03:20:22 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 1168832CA6DD\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 16:57:33 +0000 (UTC)","from 
localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id AD16B3E7163;\n\tWed, 15 Apr 2026 16:55:58 +0000 (UTC)","from mx1.manguebit.org (mx1.manguebit.org [143.255.12.172])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 0A2D53ED128;\n\tWed, 15 Apr 2026 16:55:56 +0000 (UTC)","from pc by mx1.manguebit.org with local (Exim 4.99.1)\n\tid 1wD3Wd-00000000E9c-1YgW;\n\tWed, 15 Apr 2026 13:55:39 -0300"],"ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=manguebit.org;\n spf=pass smtp.mailfrom=manguebit.org;\n dkim=pass (2048-bit key) header.d=manguebit.org header.i=@manguebit.org\n header.b=fkn9Czsk; arc=none smtp.client-ip=143.255.12.172","Message-ID":"<2feeb396883d9223862e036b76092a1f@manguebit.org>","From":"Paulo Alcantara <pc@manguebit.org>","To":"David Howells <dhowells@redhat.com>, Christian Brauner\n <christian@brauner.io>","Cc":"David Howells <dhowells@redhat.com>, netfs@lists.linux.dev,\n linux-afs@lists.infradead.org, linux-cifs@vger.kernel.org,\n ceph-devel@vger.kernel.org, linux-fsdevel@vger.kernel.org,\n linux-kernel@vger.kernel.org, Matthew Wilcox <willy@infradead.org>","Subject":"Re: [PATCH] netfs: Fix early put of sink folio in netfs_read_gaps()","In-Reply-To":"<261128.1776251770@warthog.procyon.org.uk>","References":"<261128.1776251770@warthog.procyon.org.uk>","Date":"Wed, 15 Apr 2026 13:55:37 -0300","Precedence":"bulk","X-Mailing-List":"linux-cifs@vger.kernel.org","List-Id":"<linux-cifs.vger.kernel.org>","List-Subscribe":"<mailto:linux-cifs+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-cifs+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain"}}]