For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: #syz test
Author: hongao@uniontech.com
From 57d3537f407aaf4229abc9b78513c6222cbfb799 Mon Sep 17 00:00:00 2001
From: hongao <hongao@uniontech.com>
Date: Sat, 30 May 2026 09:08:24 +0800
Subject: [PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed
preparation
#syz test

If write subrequest preparation fails, netfs_unbuffered_write() calls
netfs_write_subrequest_terminated() and then reads subreq->error to set
wreq->error.

However, netfs_write_subrequest_terminated() consumes a reference to the
subrequest through netfs_put_subrequest(), so the subrequest may be freed
before netfs_unbuffered_write() reads subreq->error again. This can
trigger a slab-use-after-free.

Save the error locally before terminating the subrequest, and use the
saved value afterwards.

Fixes: a0b4c7a49137 ("netfs: Fix unbuffered/DIO writes to dispatch subrequests in strict sequence")
Reported-by: syzbot+3c74b1f0c372e98efc32@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3c74b1f0c372e98efc32
Signed-off-by: hongao <hongao@uniontech.com>
---
fs/netfs/direct_write.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index 25f8ceb15fad..2d5361702076 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -115,8 +115,9 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq)
/* Check if (re-)preparation failed. */
if (unlikely(test_bit(NETFS_SREQ_FAILED, &subreq->flags))) {
- netfs_write_subrequest_terminated(subreq, subreq->error);
- wreq->error = subreq->error;
+ ret = subreq->error;
+ wreq->error = ret;
+ netfs_write_subrequest_terminated(subreq, ret);
break;
}
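Review bot: the added `ret = subreq->error;` in the NETFS_SREQ_FAILED branch reuses the function's existing `ret` variable, which this path did not write before, so if `ret` is still read after the `break` the value netfs_unbuffered_write() ends up with changes along with the use-after-free fix. The visible lines do not show what happens to `ret` after the loop. Either state in the commit message that overwriting it here is intended or harmless, or hold the saved error in a dedicated local (for example `int err = subreq->error;`) so the change stays limited to removing the read after the put. A one-line comment above the call saying that netfs_write_subrequest_terminated() drops the subrequest reference, and that `subreq` must not be dereferenced afterwards, would keep a later cleanup from restoring the old ordering.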
--
2.51.0