CVE-2026-31437

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry<br /> <br /> When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path<br /> in netfs_unbuffered_write() unconditionally calls stream-&gt;prepare_write()<br /> without checking if it is NULL.<br /> <br /> Filesystems such as 9P do not set the prepare_write operation, so<br /> stream-&gt;prepare_write remains NULL. When get_user_pages() fails with<br /> -EFAULT and the subrequest is flagged for retry, this results in a NULL<br /> pointer dereference at fs/netfs/direct_write.c:189.<br /> <br /> Fix this by mirroring the pattern already used in write_retry.c: if<br /> stream-&gt;prepare_write is NULL, skip renegotiation and directly reissue<br /> the subrequest via netfs_reissue_write(), which handles iterator reset,<br /> IN_PROGRESS flag, stats update and reissue internally.