Unverified Commit dbe55697 authored by David Howells's avatar David Howells Committed by Christian Brauner
Browse files

netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages() 

netfs_unlock_abandoned_read_pages(rreq) accesses the index of the folios it
is wanting to unlock and compares that to rreq->no_unlock_folio so that it
doesn't unlock a folio being read for netfs_perform_write() or
netfs_write_begin().

However, given that netfs_unlock_abandoned_read_pages() is called _after_
NETFS_RREQ_IN_PROGRESS is cleared, the one folio that it's not allowed to
dereference is the one specified by ->no_unlock_folio as ownership
immediately reverts to the caller.

Fix this by storing the folio pointer instead and using that rather than
the index.  Also fix netfs_unlock_read_folio() where the same applies.

Fixes: ee4cdf7b ("netfs: Speed up buffered reading")
Closes: https://sashiko.dev/#/patchset/20260414082004.3756080-1-dhowells%40redhat.com


Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/20260512123404.719402-20-dhowells@redhat.com


cc: Paulo Alcantara <pc@manguebit.org>
cc: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
cc: Matthew Wilcox <willy@infradead.org>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: default avatarChristian Brauner <brauner@kernel.org>
parent 5046a34f

fs/netfs/buffered_read.c

+2 −2
Original line number Diff line number Diff line
@@ -670,7 +670,7 @@ int netfs_write_begin(struct netfs_inode *ctx, 
		ret = PTR_ERR(rreq);

		goto error;

	}

	rreq->no_unlock_folio	= folio->index;

	rreq->no_unlock_folio	= folio;

	__set_bit(NETFS_RREQ_NO_UNLOCK_FOLIO, &rreq->flags);



	ret = netfs_begin_cache_read(rreq, ctx);
@@ -736,7 +736,7 @@ int netfs_prefetch_for_write(struct file *file, struct folio *folio, 
		goto error;

	}



	rreq->no_unlock_folio = folio->index;

	rreq->no_unlock_folio = folio;

	__set_bit(NETFS_RREQ_NO_UNLOCK_FOLIO, &rreq->flags);

	ret = netfs_begin_cache_read(rreq, ctx);

	if (ret == -ENOMEM || ret == -EINTR || ret == -ERESTARTSYS)

fs/netfs/read_collect.c

+1 −1
Original line number Diff line number Diff line
@@ -83,7 +83,7 @@ static void netfs_unlock_read_folio(struct netfs_io_request *rreq, 
	}



just_unlock:

	if (folio->index == rreq->no_unlock_folio &&

	if (folio == rreq->no_unlock_folio &&

	    test_bit(NETFS_RREQ_NO_UNLOCK_FOLIO, &rreq->flags)) {

		_debug("no unlock");

	} else {

fs/netfs/read_retry.c

+1 −1
Original line number Diff line number Diff line
@@ -292,7 +292,7 @@ void netfs_unlock_abandoned_read_pages(struct netfs_io_request *rreq) 
			struct folio *folio = folioq_folio(p, slot);



			if (folio && !folioq_is_marked2(p, slot)) {

				if (folio->index == rreq->no_unlock_folio &&

				if (folio == rreq->no_unlock_folio &&

				    test_bit(NETFS_RREQ_NO_UNLOCK_FOLIO,

					     &rreq->flags)) {

					_debug("no unlock");

include/linux/netfs.h

+1 −1
Original line number Diff line number Diff line
@@ -252,7 +252,7 @@ struct netfs_io_request { 
	unsigned long long	collected_to;	/* Point we've collected to */

	unsigned long long	cleaned_to;	/* Position we've cleaned folios to */

	unsigned long long	abandon_to;	/* Position to abandon folios to */

	pgoff_t			no_unlock_folio; /* Don't unlock this folio after read */

	const struct folio	*no_unlock_folio; /* Don't unlock this folio after read */

	unsigned int		direct_bv_count; /* Number of elements in direct_bv[] */

	unsigned int		debug_id;

	unsigned int		rsize;		/* Maximum read size (0 for none) */