Commit 75893c058b for qemu.org

commit 75893c058b21d87d1ec66bbd4e8bf84e1fd616d1
Author: Christian Schoenebeck <qemu_oss@crudebyte.com>
Date:   Tue Jun 16 17:00:11 2026 +0200

    hw/9pfs/local: harden local_fid_fd() on FID types

    local_fid_fd() returns fs->fd for any FID type that is not P9_FID_DIR.

    Since P9_FID_XATTR and P9_FID_NONE share union V9fsFidOpenState, calling
    local_fid_fd() on these types misinterprets xattr state as a file
    descriptor, potentially leading to undefined behaviour or information
    disclosure.

    Even though we are catching these FID type mismatches on protocol level
    in 9p.c already, previous patches proved this to be error-prone.

    So let's add another safety layer in local_fid_fd() that would return -1
    if the FID type would not possess a valid file descriptor, to prevent
    wrong file descriptors from reaching fs backend calls.

    Link: https://lore.kernel.org/qemu-devel/531f6b81bc1bf1a48c3d4afaa60a65db10511041.1781621428.git.qemu_oss@crudebyte.com
    Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 4708e170a4..ee592b62f8 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -775,8 +775,11 @@ static int local_fid_fd(int fid_type, V9fsFidOpenState *fs)
 {
     if (fid_type == P9_FID_DIR) {
         return dirfd(fs->dir.stream);
-    } else {
+    } else if (fid_type == P9_FID_FILE) {
         return fs->fd;
+    } else {
+        errno = EBADF;
+        return -1;
     }
 }
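Review bot: the new fallback branch (`errno = EBADF; return -1;`) only protects the backend if every caller of local_fid_fd() checks for a negative return before handing the value to a syscall; the hunk does not show the call sites, so please confirm none of them use the result unchecked, otherwise -1 would reach the fs backend call that the commit message wants to prevent. A short comment on that branch would also help future readers, since the union-aliasing hazard is explained only in the commit message, e.g. `} else { /* P9_FID_XATTR / P9_FID_NONE: this union member holds no fd */`. Setting errno before returning is consistent with the dirfd() branch, which also reports failure via -1/errno, so callers that map errno to an error code get uniform behaviour.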