Commit 32cae47c33 for qemu.org

commit 32cae47c332f88241632905e0a3abcbb35b019c3
Author: Christian Schoenebeck <qemu_oss@crudebyte.com>
Date:   Tue Jun 16 17:00:11 2026 +0200

    hw/9pfs: fix invalid union access by v9fs_co_fsync()

    The individual FID types (P9_FID_NONE, P9_FID_FILE, P9_FID_DIR, P9_FID_XATTR)
    share union V9fsFidOpenState with FID-type specific fields. Accessing any of
    the union fields must comply with the FID-type to avoid undefined behaviour
    or information disclosure.

    Fix this in v9fs_fsync() and v9fs_wstat() by checking if FID has a valid file
    descriptor before calling v9fs_co_fsync().

    Fixes: 10b468bdc533 ("virtio-9p: Implement TXATTRCREATE")
    Reported-by: Feifan Qian <bea1e@proton.me>
    Link: https://lore.kernel.org/qemu-devel/b583e29d5a0776e41263732c93ac9f0da0a6016d.1781621428.git.qemu_oss@crudebyte.com
    Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>

diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index d1ec3c0c14..a2b7335515 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2305,10 +2305,15 @@ static void coroutine_fn v9fs_fsync(void *opaque)
         err = -ENOENT;
         goto out_nofid;
     }
+    if (!fid_has_valid_file_handle(pdu->s, fidp)) {
+        err = -EBADF;
+        goto out;
+    }
     err = v9fs_co_fsync(pdu, fidp, datasync);
     if (!err) {
         err = offset;
     }
+out:
     put_fid(pdu, fidp);
 out_nofid:
     pdu_complete(pdu, err);
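Review bot: The new guard `if (!fid_has_valid_file_handle(pdu->s, fidp))` carries no comment explaining why it must precede v9fs_co_fsync(), and the reason (the fid's `fs` member is a union whose active field depends on the FID type, so only a FID holding an open handle may be passed down) is exactly what a later maintainer needs before folding the check away; suggest `/* fidp->fs is a union keyed by fid_type; only an open file/dir FID has a handle the backend may touch */` above it, and the same comment on the identical guard added in v9fs_wstat() in the second hunk. It is also worth confirming that fid_has_valid_file_handle() accepts P9_FID_DIR as well as P9_FID_FILE, since the commit message speaks only of a "valid file descriptor"; if the helper checks just the file fd, Tfsync on a directory FID would now fail with EBADF where it previously reached the backend. v9fs_fsync() begins before this hunk and continues after it.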
@@ -3640,6 +3645,10 @@ static void coroutine_fn v9fs_wstat(void *opaque)
     }
     /* do we need to sync the file? */
     if (donttouch_stat(&v9stat)) {
+        if (!fid_has_valid_file_handle(s, fidp)) {
+            err = -EBADF;
+            goto out;
+        }
         err = v9fs_co_fsync(pdu, fidp, 0);
         goto out;
     }