Hi Cengiz,

On Thu, Jul 23, 2020 at 05:17:25PM +0300, Cengiz Can wrote:
> Hello,
>
> I'm trying to help clean up syzkaller submissions and this caught my
> attention and I wanted to get your advice.
>
> With commit: 6209dd9132e8ea5545cffc84483841e88ea8cc5b `kernel_read` was
> modified to use `__kernel_read` by Christoph Hellwig.
>
> One of the syzkaller tests executes the following system calls:
>
> open("./file0", O_WRONLY|O_CREAT|O_EXCL|O_DIRECT|0x4, 000) = 5
> open("/dev/char/4:1", O_RDWR) = 6
> mount(NULL, "./file0", "9p", 0,
> "trans=fd,rfdno=0x0000000000000005,wfdno=0x0000000000000006,"
>
> This initiates a `__kernel_read` call from `p9_read_work` (and
> `p9_fd_read`) and since the `file->f_mode` does not contain FMODE_READ,
> a WARN_ON_ONCE is thrown.
>
> ```
> if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ)))
>         return -EINVAL;
> ```
>
> Can you help me understand what's wrong and fix this issue?
> Is it already being worked on?
>

Looks like this was already fixed in linux-next by:

commit a39c46067c845a8a2d7144836e9468b7f072343e
Author: Christoph Hellwig <hch@xxxxxx>
Date:   Fri Jul 10 10:57:22 2020 +0200

    net/9p: validate fds in p9_fd_open

Let's tell syzbot so that it closes this bug report:

#syz fix: net/9p: validate fds in p9_fd_open
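The shape of the bug above is a transport being handed caller-supplied file descriptors without checking that the one it will read from was opened for reading (and the one it will write to for writing), so the access-mode check only fires deep inside `__kernel_read`. The following user-space program is an added example, not the kernel's code or the fix itself: it models the up-front validation that the "validate fds in p9_fd_open" change adds, using `fcntl(F_GETFL)` and `O_ACCMODE` as the user-space stand-in for the kernel's `file->f_mode` FMODE_READ/FMODE_WRITE bits. The function names (`validate_transport_fds`, `demo_writeonly_as_rfd`, `demo_pipe_ok`) and the use of `/dev/null` and a pipe as constructed sample descriptors are assumptions for illustration.

```c
/* Added example (not kernel code): validate an (rfdno, wfdno) pair
 * before building a transport on it, mirroring the idea of checking
 * access modes at open time rather than at the first read/write.
 * User-space stand-in for file->f_mode: fcntl(F_GETFL) & O_ACCMODE. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if fd is open for reading, 0 if not, -1 (errno set) if fd is invalid. */
static int fd_is_readable(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0)
        return -1;
    int acc = flags & O_ACCMODE;
    return acc == O_RDONLY || acc == O_RDWR;
}

/* 1 if fd is open for writing, 0 if not, -1 (errno set) if fd is invalid. */
static int fd_is_writable(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0)
        return -1;
    int acc = flags & O_ACCMODE;
    return acc == O_WRONLY || acc == O_RDWR;
}

/* Returns 0 when rfd is readable and wfd is writable, -EBADF for a
 * descriptor that is not open at all, -EINVAL for a descriptor that
 * exists but lacks the access mode the transport needs. */
int validate_transport_fds(int rfd, int wfd)
{
    int r = fd_is_readable(rfd);
    if (r < 0)
        return -EBADF;
    if (!r)
        return -EINVAL;
    int w = fd_is_writable(wfd);
    if (w < 0)
        return -EBADF;
    if (!w)
        return -EINVAL;
    return 0;
}

/* Constructed sample shaped like the syzkaller input: a write-only fd is
 * passed as rfdno.  /dev/null stands in for the report's ./file0 and
 * /dev/char/4:1.  Returns the validation result (expected: -EINVAL). */
int demo_writeonly_as_rfd(void)
{
    int wo = open("/dev/null", O_WRONLY);
    int rw = open("/dev/null", O_RDWR);
    if (wo < 0 || rw < 0)
        return -errno;
    int rc = validate_transport_fds(wo, rw);
    close(wo);
    close(rw);
    return rc;
}

/* Constructed well-formed sample: read end of a pipe as rfdno, write end
 * as wfdno.  Returns the validation result (expected: 0). */
int demo_pipe_ok(void)
{
    int p[2];
    if (pipe(p) < 0)
        return -errno;
    int rc = validate_transport_fds(p[0], p[1]);
    close(p[0]);
    close(p[1]);
    return rc;
}

int main(void)
{
    printf("write-only fd as rfdno: %d (expected -EINVAL = %d)\n",
           demo_writeonly_as_rfd(), -EINVAL);
    printf("pipe ends as rfdno/wfdno: %d (expected 0)\n", demo_pipe_ok());
    printf("closed fds: %d (expected -EBADF = %d)\n",
           validate_transport_fds(-1, -1), -EBADF);
    return 0;
}
```

The point of rejecting the pair at setup time is that the error surfaces to the caller of `mount` as a plain `-EINVAL`, instead of a kernel warning from a worker thread that was already committed to reading from a descriptor it can never read.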