Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp1067145ybg;
        Wed, 29 Jul 2020 05:05:59 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyAuFXifPUxq51o5+AmWtahAry4I+ENxwhIW9+zevKwwde7XUW568TQw4p8+znSIyMzCGA0
X-Received: by 2002:a17:906:924d:: with SMTP id c13mr28904185ejx.518.1596024359048;
        Wed, 29 Jul 2020 05:05:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1596024359; cv=none;
        d=google.com; s=arc-20160816;
        b=T1d+3P42/+i6++fdE3JojvSEgJJnL2ZiccU5cGa03+h1whiA1IfxN6Yz7gEdYICYt+
         cwKZl6iKkWVfNAPn7Cj/oQ9CzQTNpa8nU6/+aZfovBOhyoZfvhoNcvkZUwwiTTNPiC6q
         bY1sNYI3JXE6j+xgEYZKNyOwmfAXFHlnaRI3z62xCZWnf1iM6XYdZ7srTMW0+N9ibi8j
         IEWbsh72qXPIicKIRGR8GtoDLI3C6TPuaXACNIwBt4g5+181lnr147zn6TJO9A2zprUx
         zm9O97Cp8P9QCvSxeTjCSCz6O6zykrXpzKHxHY33ESE6k2YusA3PKZGXc+A+262xijC+
         o0zw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:subject:cc:to:from:date;
        bh=9TLJYqYmNOb+xfIUdEziaGhuv5siu/SI6ol3zR96eMQ=;
        b=IXdmFzXHJpJVAVKiGcxCL/eCbItGE5gF/IQKO13iWfa/QptG8ku2SA6WPf4Iee1+dQ
         ii+GgtOFifBsFyx+hx5CSMTQTehlM2Ev/OjDFDWCA4vJMXdqcn1l2fxtI2bHNBpmRO3R
         ezu/y4OF006t2JTANvKNzRUar+CTN9aY8BAoEXxdFtKHusIuv1387nXyNYFdDAjnTxaI
         qmZ97wR6quaoRJew3mUXcVxHghdO38spPRqnMoyHO7CExsxgL/I1Ol0/7pFr9iGOciVf
         MaX2kOy/sSMyUAb/+j88OcE6qZ4vRI5HuwdaXrVXFhDdBTALrtcUU5QpV+rU6fXBfiep
         0y3A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id m8si1213020edp.351.2020.07.29.05.05.35;
        Wed, 29 Jul 2020 05:05:59 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726519AbgG2MC2 (ORCPT <rfc822;dexuan.linux@gmail.com>
        + 99 others); Wed, 29 Jul 2020 08:02:28 -0400
Received: from 18.mo3.mail-out.ovh.net ([87.98.172.162]:52848 "EHLO
        18.mo3.mail-out.ovh.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726341AbgG2MC2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 Jul 2020 08:02:28 -0400
X-Greylist: delayed 4206 seconds by postgrey-1.27 at vger.kernel.org; Wed, 29 Jul 2020 08:02:27 EDT
Received: from player731.ha.ovh.net (unknown [10.108.42.83])
        by mo3.mail-out.ovh.net (Postfix) with ESMTP id 909DD25AACE
        for <linux-kernel@vger.kernel.org>; Wed, 29 Jul 2020 08:06:42 +0200 (CEST)
Received: from kaod.org (lns-bzn-46-82-253-208-248.adsl.proxad.net [82.253.208.248])
        (Authenticated sender: groug@kaod.org)
        by player731.ha.ovh.net (Postfix) with ESMTPSA id A82B81493DA7D;
        Wed, 29 Jul 2020 06:06:31 +0000 (UTC)
Authentication-Results: garm.ovh; auth=pass (GARM-103G0054b49c4c4-d057-4c56-8bb1-1a67c11c2913,A40F6FE0CFFE28C23AB4AFBB3D5D665E11D39731) smtp.auth=groug@kaod.org
Date:   Wed, 29 Jul 2020 08:06:30 +0200
From:   Greg Kurz <groug@kaod.org>
To:     Alexey Kardashevskiy <aik@ozlabs.ru>
Cc:     v9fs-developer@lists.sourceforge.net,
        Latchesar Ionkov <lucho@ionkov.net>, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        Eric Van Hensbergen <ericvh@gmail.com>,
        Jakub Kicinski <kuba@kernel.org>,
        "David S. Miller" <davem@davemloft.net>,
        Dominique Martinet <asmadeus@codewreck.org>
Subject: Re: [V9fs-developer] [PATCH kernel] 9p/trans_fd: Check file mode at
 opening
Message-ID: <20200729080630.2741f2e5@bahia.lan>
In-Reply-To: <ceaa4de6-e4df-e6b0-8085-7020240c57b4@ozlabs.ru>
References: <20200728124129.130856-1-aik@ozlabs.ru>
        <20200728194235.52660c08@bahia.lan>
        <ceaa4de6-e4df-e6b0-8085-7020240c57b4@ozlabs.ru>
X-Mailer: Claws Mail 3.17.5 (GTK+ 2.24.32; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Ovh-Tracer-Id: 1293096043977742837
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: -100
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduiedrieefgddutdefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecuhedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfgjfhfogggtgfesthejredtredtvdenucfhrhhomhepifhrvghgucfmuhhriicuoehgrhhouhhgsehkrghougdrohhrgheqnecuggftrfgrthhtvghrnhepheekhfdtheegheehjeeludefkefhvdelfedvieehhfekhfdufffhueeuvdfftdfhnecukfhppedtrddtrddtrddtpdekvddrvdehfedrvddtkedrvdegkeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdqohhuthdphhgvlhhopehplhgrhigvrhejfedurdhhrgdrohhvhhdrnhgvthdpihhnvghtpedtrddtrddtrddtpdhmrghilhhfrhhomhepghhrohhugheskhgrohgurdhorhhgpdhrtghpthhtoheplhhinhhugidqkhgvrhhnvghlsehvghgvrhdrkhgvrhhnvghlrdhorhhg
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 29 Jul 2020 09:50:21 +1000
Alexey Kardashevskiy <aik@ozlabs.ru> wrote:

> 
> 
> On 29/07/2020 03:42, Greg Kurz wrote:
> > Hi Alexey,
> > 
> > Working on 9p now ?!? ;-)
> 
> No, I am running syzkaller and seeing things :)
> 

:)

> 
> > Cc'ing Dominique Martinet who appears to be the person who takes care of 9p
> > these days.
> > 
> > On Tue, 28 Jul 2020 22:41:29 +1000
> > Alexey Kardashevskiy <aik@ozlabs.ru> wrote:
> > 
> >> The "fd" transport layer uses 2 file descriptors passed externally
> >> and calls kernel_write()/kernel_read() on these. If files were opened
> >> without FMODE_WRITE/FMODE_READ, WARN_ON_ONCE() will fire.
> >>
> >> This adds file mode checking in p9_fd_open; this returns -EBADF to
> >> preserve the original behavior.
> >>
> > 
> > So this would cause open() to fail with EBADF, which might look a bit
> > weird to userspace since it didn't pass an fd... Is this to have a
> > different error than -EIO that is returned when either rfd or wfd
> > doesn't point to an open file descriptor ?
> 
> This is only to preserve the existing behavior.
> 
> > If yes, why do we care ?
> 
> 
> Without the patch, p9_fd_open() produces a kernel warning which is not
> great by itself and becomes crash with panic_on_warn.
> 

I don't question the patch, just the errno. Why not returning -EIO ?

> 
> 
> > 
> >> Found by syzkaller.
> >>
> >> Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
> >> ---
> >>  net/9p/trans_fd.c | 7 ++++++-
> >>  1 file changed, 6 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
> >> index 13cd683a658a..62cdfbd01f0a 100644
> >> --- a/net/9p/trans_fd.c
> >> +++ b/net/9p/trans_fd.c
> >> @@ -797,6 +797,7 @@ static int parse_opts(char *params, struct p9_fd_opts *opts)
> >>  
> >>  static int p9_fd_open(struct p9_client *client, int rfd, int wfd)
> >>  {
> >> +	bool perm;
> >>  	struct p9_trans_fd *ts = kzalloc(sizeof(struct p9_trans_fd),
> >>  					   GFP_KERNEL);
> >>  	if (!ts)
> >> @@ -804,12 +805,16 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd)
> >>  
> >>  	ts->rd = fget(rfd);
> >>  	ts->wr = fget(wfd);
> >> -	if (!ts->rd || !ts->wr) {
> >> +	perm = ts->rd && (ts->rd->f_mode & FMODE_READ) &&
> >> +	       ts->wr && (ts->wr->f_mode & FMODE_WRITE);
> >> +	if (!ts->rd || !ts->wr || !perm) {
> >>  		if (ts->rd)
> >>  			fput(ts->rd);
> >>  		if (ts->wr)
> >>  			fput(ts->wr);
> >>  		kfree(ts);
> >> +		if (!perm)
> >> +			return -EBADF;
> >>  		return -EIO;
> >>  	}
> >>  
> > 
>