p9_fd_open just calls fget() on file descriptors passed in from userspace,
but doesn't verify that they are valid for reading or writing.  This gets
caught down in the VFS when actually attempting a read or write, but a
new warning added in linux-next upsets syzkaller.

Fix this by just verifying the fds early on.

Reported-by: syzbot+e6f77e16ff68b2434...@syzkaller.appspotmail.com
Signed-off-by: Christoph Hellwig <h...@lst.de>
---
 net/9p/trans_fd.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index 13cd683a658ab6..1cd8ea0e493617 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -803,20 +803,28 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd)
                return -ENOMEM;
 
        ts->rd = fget(rfd);
+       if (!ts->rd)
+               goto out_free_ts;
+       if (!(ts->rd->f_mode & FMODE_READ))
+               goto out_put_wr;
        ts->wr = fget(wfd);
-       if (!ts->rd || !ts->wr) {
-               if (ts->rd)
-                       fput(ts->rd);
-               if (ts->wr)
-                       fput(ts->wr);
-               kfree(ts);
-               return -EIO;
-       }
+       if (!ts->wr)
+               goto out_put_rd;
+       if (!(ts->wr->f_mode & FMODE_WRITE))
+               goto out_put_wr;
 
        client->trans = ts;
        client->status = Connected;
 
        return 0;
+
+out_put_wr:
+       fput(ts->wr);
+out_put_rd:
+       fput(ts->rd);
+out_free_ts:
+       kfree(ts);
+       return -EIO;
 }
 
 static int p9_socket_open(struct p9_client *client, struct socket *csocket)
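Review bot: The `goto out_put_wr` taken when `ts->rd` lacks FMODE_READ runs `fput(ts->wr)` before `ts->wr` has been assigned by `fget(wfd)`. The allocation of `ts` is above the hunk, so that pointer is either NULL or uninitialized at that point, and neither is safe to hand to fput(). Because rfd is supplied by userspace, a descriptor that was not opened for reading is enough to reach this error path. That branch should drop only the reference already taken: `if (!(ts->rd->f_mode & FMODE_READ))` followed by `goto out_put_rd;`. The other three jumps match the references held at each point.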
-- 
2.26.2
