Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp567787ybg; Tue, 28 Jul 2020 13:01:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzHtu3mprHl3F21b37K1JMMfi3fh+mE1vdlggUtuY2x+f1x1cyHj3TR3DrwweF0g9CHjgjw X-Received: by 2002:a17:907:42cc:: with SMTP id nz20mr20666297ejb.429.1595966515809; Tue, 28 Jul 2020 13:01:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595966515; cv=none; d=google.com; s=arc-20160816; b=VHVPXHlwvZLHIA9l7wrsGU6Jbk0dEznVuCLz+5YlSXo/I34NlLwL17YDeE4cEqEZJ4 yQHmgc87BDQmJvzqlaJl/SQn8mtIwE3cDfiCQp+Y14OsYyYbAoJmoR6zUbkANIebJ/sy nvcGf639sTSxMbNAlp7sjD5NUtenT2gBaO/uijJYTbmc1fqm5RwB5U5izjcAYqoDkPGN KOodQBhiHDvF3GcwKsNZ2TG8pPaGx5WrNiAIeC8jgCBJYNf20NXRNMUlzhQdaBNuTI52 tdhCYvs/KYCdK0LUc+CnZNd3e07c5ygvS4eXkkEEp1tmm5gd+YBaN/CFhpjfvy9SBwE+ BOSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date; bh=CkiwDbi0vmPNOlcv1O6PN91/63E+P1S+o6nR3behU/0=; b=BVNb28OyU8Qt/+grHQUY3nrGTF/Dd03fIRSLBsN1cUU2l52COFrrmYn9jCtRYiAJRE FhoPjzPk5XhvVhRd0eT1yEgLqWqNOWyNfXKYrMHPCCnbcpQLH43wnA0h1vpkppOlCfmT jiDfQR6ikKvJSs5BFylXHPmoM+uDfe3GNK07ZktskGmBPWrwlXiEowV4zmfOq7gQ0g+Z 7SaU33+iRfxcKfYBxX2WoFJZazO6OcKoYjGN5+fN5L7spzAXMmIwBasajC/M3iB/MNT4 Rd/W5RtWqDtRVLdQ7vWZBq1pIv63G3xu3W0r+nRIIVQJ/qM+5NaWoCa1sD1GWED9Kd8e iqtw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cx20si7718690edb.568.2020.07.28.13.01.33; Tue, 28 Jul 2020 13:01:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732035AbgG1Rt6 (ORCPT + 99 others); Tue, 28 Jul 2020 13:49:58 -0400 Received: from 5.mo179.mail-out.ovh.net ([46.105.43.140]:47194 "EHLO 5.mo179.mail-out.ovh.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728398AbgG1Rt5 (ORCPT ); Tue, 28 Jul 2020 13:49:57 -0400 X-Greylist: delayed 428 seconds by postgrey-1.27 at vger.kernel.org; Tue, 28 Jul 2020 13:49:56 EDT Received: from player756.ha.ovh.net (unknown [10.108.42.83]) by mo179.mail-out.ovh.net (Postfix) with ESMTP id 0489F1734A7 for ; Tue, 28 Jul 2020 19:42:46 +0200 (CEST) Received: from kaod.org (lns-bzn-46-82-253-208-248.adsl.proxad.net [82.253.208.248]) (Authenticated sender: groug@kaod.org) by player756.ha.ovh.net (Postfix) with ESMTPSA id 1FCAC13EFFD15; Tue, 28 Jul 2020 17:42:35 +0000 (UTC) Authentication-Results: garm.ovh; auth=pass (GARM-97G002e93d7dbd-e9bf-43f9-bbae-e865b5c28c99,96196EA346850768E7E70500A314E772A5EF2CEB) smtp.auth=groug@kaod.org Date: Tue, 28 Jul 2020 19:42:35 +0200 From: Greg Kurz To: Alexey Kardashevskiy Cc: v9fs-developer@lists.sourceforge.net, Latchesar Ionkov , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Van Hensbergen , Jakub Kicinski , "David S. Miller" , Dominique Martinet Subject: Re: [V9fs-developer] [PATCH kernel] 9p/trans_fd: Check file mode at opening Message-ID: <20200728194235.52660c08@bahia.lan> In-Reply-To: <20200728124129.130856-1-aik@ozlabs.ru> References: <20200728124129.130856-1-aik@ozlabs.ru> X-Mailer: Claws Mail 3.17.5 (GTK+ 2.24.32; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Ovh-Tracer-Id: 7175923058598975989 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: -100 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduiedriedvgdduudegucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecuhedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfgjfhfogggtgfesthejredtredtvdenucfhrhhomhepifhrvghgucfmuhhriicuoehgrhhouhhgsehkrghougdrohhrgheqnecuggftrfgrthhtvghrnhepheekhfdtheegheehjeeludefkefhvdelfedvieehhfekhfdufffhueeuvdfftdfhnecukfhppedtrddtrddtrddtpdekvddrvdehfedrvddtkedrvdegkeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdqohhuthdphhgvlhhopehplhgrhigvrhejheeirdhhrgdrohhvhhdrnhgvthdpihhnvghtpedtrddtrddtrddtpdhmrghilhhfrhhomhepghhrohhugheskhgrohgurdhorhhgpdhrtghpthhtoheplhhinhhugidqkhgvrhhnvghlsehvghgvrhdrkhgvrhhnvghlrdhorhhg Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Alexey, Working on 9p now ?!? ;-) Cc'ing Dominique Martinet who appears to be the person who takes care of 9p these days. On Tue, 28 Jul 2020 22:41:29 +1000 Alexey Kardashevskiy wrote: > The "fd" transport layer uses 2 file descriptors passed externally > and calls kernel_write()/kernel_read() on these. If files were opened > without FMODE_WRITE/FMODE_READ, WARN_ON_ONCE() will fire. > > This adds file mode checking in p9_fd_open; this returns -EBADF to > preserve the original behavior. > So this would cause open() to fail with EBADF, which might look a bit weird to userspace since it didn't pass an fd... Is this to have a different error than -EIO that is returned when either rfd or wfd doesn't point to an open file descriptor ? If yes, why do we care ? > Found by syzkaller. > > Signed-off-by: Alexey Kardashevskiy > --- > net/9p/trans_fd.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c > index 13cd683a658a..62cdfbd01f0a 100644 > --- a/net/9p/trans_fd.c > +++ b/net/9p/trans_fd.c > @@ -797,6 +797,7 @@ static int parse_opts(char *params, struct p9_fd_opts *opts) > > static int p9_fd_open(struct p9_client *client, int rfd, int wfd) > { > + bool perm; > struct p9_trans_fd *ts = kzalloc(sizeof(struct p9_trans_fd), > GFP_KERNEL); > if (!ts) > @@ -804,12 +805,16 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd) > > ts->rd = fget(rfd); > ts->wr = fget(wfd); > - if (!ts->rd || !ts->wr) { > + perm = ts->rd && (ts->rd->f_mode & FMODE_READ) && > + ts->wr && (ts->wr->f_mode & FMODE_WRITE); > + if (!ts->rd || !ts->wr || !perm) { > if (ts->rd) > fput(ts->rd); > if (ts->wr) > fput(ts->wr); > kfree(ts); > + if (!perm) > + return -EBADF; > return -EIO; > } >