commit c3aa2491cd2cd89e2f484d32f323ee447e782984
Author: Christian Schoenebeck <qemu_oss@crudebyte.com>
Date: Tue Jun 16 17:00:11 2026 +0200
hw/9pfs: fix invalid union access by v9fs_co_fstat()
The individual FID types (P9_FID_NONE, P9_FID_FILE, P9_FID_DIR, P9_FID_XATTR)
share the union V9fsFidOpenState, whose fields are FID-type specific. Any access
to a union field must match the FID type of the FID being accessed, otherwise the
result is undefined behaviour or information disclosure.
Fix this in v9fs_lock() and v9fs_getlock() by checking if FID has a valid
file descriptor before calling v9fs_co_fstat().
Fixes: 10b468bdc533 ("virtio-9p: Implement TXATTRCREATE")
Link: https://lore.kernel.org/qemu-devel/4b33cd1aaa2551efda220a6f651e3660d27f4746.1781621428.git.qemu_oss@crudebyte.com
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index a2b7335515..3119f01117 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3908,6 +3908,10 @@ static void coroutine_fn v9fs_lock(void *opaque)
err = -ENOENT;
goto out_nofid;
}
+ if (!fid_has_valid_file_handle(pdu->s, fidp)) {
+ err = -EBADF;
+ goto out;
+ }
err = v9fs_co_fstat(pdu, fidp, &stbuf);
if (err < 0) {
goto out;
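Review bot: The new guard before v9fs_co_fstat() has no comment saying why it is needed, so a later reader sees only an unexplained EBADF and may move or drop it; the same applies to the identical guard in the v9fs_getlock() hunk. The reason, per the commit message, is that fidp->fs is a union shared by all FID types and v9fs_co_fstat() reads the file-handle member, which is only meaningful when this FID type actually holds one. I would add, above the check in both places, `/* fidp->fs is a per-FID-type union; v9fs_co_fstat() must not touch the fd member unless this FID type holds a valid file handle */`. The jump goes to `out` rather than `out_nofid`, which looks right since the FID reference was already taken above the hunk; the labels themselves lie outside the hunk, as does the rest of v9fs_lock(), so that cannot be confirmed from here.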
@@ -3953,6 +3957,10 @@ static void coroutine_fn v9fs_getlock(void *opaque)
err = -ENOENT;
goto out_nofid;
}
+ if (!fid_has_valid_file_handle(pdu->s, fidp)) {
+ err = -EBADF;
+ goto out;
+ }
err = v9fs_co_fstat(pdu, fidp, &stbuf);
if (err < 0) {
goto out;