From: Deepanshu Kartikey
To: dhowells@redhat.com, pc@manguebit.org, brauner@kernel.org
Cc: netfs@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Deepanshu Kartikey, syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com, Deepanshu Kartikey
Subject: [PATCH] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
Date: Sat, 7 Mar 2026 10:09:47 +0530
Message-ID: <20260307043947.347092-1-kartikey406@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path
in netfs_unbuffered_write() unconditionally calls stream->prepare_write()
without checking if it is NULL.

Filesystems such as 9P do not set the prepare_write operation, so
stream->prepare_write remains NULL. When get_user_pages() fails with
-EFAULT and the subrequest is flagged for retry, this results in a NULL
pointer dereference at fs/netfs/direct_write.c:189.

Fix this by mirroring the pattern already used in write_retry.c: if
stream->prepare_write is NULL, skip renegotiation and directly reissue
the subrequest via netfs_reissue_write(), which handles iterator reset,
IN_PROGRESS flag, stats update and reissue internally.

Fixes: a0b4c7a49137 ("netfs: Fix unbuffered/DIO writes to dispatch subrequests in strict sequence")
Reported-by: syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
Signed-off-by: Deepanshu Kartikey
---
 fs/netfs/direct_write.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index dd1451bf7543..4d9760e36c11 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -186,10 +186,18 @@ static int netfs_unbuffered_write(struct netfs_io_req= uest *wreq) stream->sreq_max_segs =3D INT_MAX; =20 netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit); - stream->prepare_write(subreq); =20 - __set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags); - netfs_stat(&netfs_n_wh_retry_write_subreq); + if (stream->prepare_write) { + stream->prepare_write(subreq); + __set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags); + netfs_stat(&netfs_n_wh_retry_write_subreq); + } else { + struct iov_iter source; + + netfs_reset_iter(subreq); + source =3D subreq->io_iter; + netfs_reissue_write(stream, subreq, &source); + } } =20 netfs_unbuffered_write_done(wreq); --=20 2.43.0
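
Review bot: In the new else branch, netfs_reset_iter(subreq) is called explicitly just before netfs_reissue_write(), yet the commit message says netfs_reissue_write() handles the iterator reset internally. One of the two is off: either drop the explicit reset (and take the source copy from the already reset iterator inside the helper's contract), or correct the changelog to say the caller resets the iterator and the helper covers only the IN_PROGRESS flag, the stats update and the reissue. The two branches also leave the subrequest in different states: the if branch only calls prepare_write(), sets NETFS_SREQ_IN_PROGRESS and bumps the retry counter, while the else branch actually reissues the write. Please confirm that the code following this block does not issue the subrequest a second time in the else case and that the reference taken by netfs_get_subrequest() above is consumed on both paths, and add a short comment on the else branch noting that a NULL prepare_write is expected for filesystems such as 9P.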