Renaming files/dirs is only supported by path-based fs drivers. EOPNOTSUPP
should be returned on any renaming attempt for non-path-based fs drivers.
This was already the case for the 9p "Trename" request type. However, for the 9p
request types "Trenameat" and "Twstat" this was still missing.

So fix this by checking in the Twstat and Trenameat request handlers whether
the fs driver in use is really path-based; if not, return EOPNOTSUPP and
abort further handling of the request.

This fixes a crash with the 9p "synth" fs driver, which is not path-based.

The crash happened because the synth driver stores and expects a raw
V9fsSynthNode pointer instead of a C string in V9fsPath.data. So the
C string delivered by the 9p server to the synth fs driver was incorrectly
cast to a V9fsSynthNode pointer, eventually causing a segfault.
Reported-by: Oliver Chang <ochang@google.com>
Fixes: https://issues.oss-fuzz.com/issues/477990727
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3298
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
---
hw/9pfs/9p.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 02366f43a8..e2713b9eee 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3516,6 +3516,12 @@ static void coroutine_fn v9fs_renameat(void *opaque)
goto out_err;
}
+ /* if fs driver is not path based, return EOPNOTSUPP */
+ if (!(s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) {
+ err = -EOPNOTSUPP;
+ goto out_err;
+ }
+
v9fs_path_write_lock(s);
err = v9fs_complete_renameat(pdu, olddirfid,
&old_name, newdirfid, &new_name);
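Review bot: this guard is now the third copy of the same `export_flags & V9FS_PATHNAME_FSCONTEXT` test (Trename already had it per the commit message, and v9fs_wstat gets one in the next hunk), so consider a tiny static helper so the three call sites cannot drift apart. The comment `/* if fs driver is not path based, return EOPNOTSUPP */` would also be more useful if it said why, i.e. that a non-path-based driver such as synth does not keep a C string in V9fsPath.data. Placement is good: the bail-out happens before v9fs_path_write_lock(), so no lock is held on the error path.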
@@ -3606,6 +3612,11 @@ static void coroutine_fn v9fs_wstat(void *opaque)
}
}
if (v9stat.name.size != 0) {
+ /* if fs driver is not path based, return EOPNOTSUPP */
+ if (!(s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) {
+ err = -EOPNOTSUPP;
+ goto out;
+ }
v9fs_path_write_lock(s);
err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name);
v9fs_path_unlock(s);
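Review bot: the `goto out` here differs from the `goto out_err` used in the v9fs_renameat hunk; the v9fs_wstat cleanup label is outside the context shown, so please confirm that `out` still puts the fid and completes the pdu with `err`, so the client actually receives EOPNOTSUPP rather than the request appearing to succeed. Guarding only inside `if (v9stat.name.size != 0)` is right, since a Twstat without a name is not a rename and the remaining stat fields can still be served by a non-path-based driver; a one-line comment saying so would help the next reader.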
--
2.47.3
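As an added illustration (constructed here, not QEMU's code), the following C model shows why the export_flags guard is the only thing that separates the two meanings of V9fsPath.data and why Twstat needs the guard only when a name is supplied; the struct layouts and the helper names are assumptions, not QEMU's.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not QEMU code: Path.data holds a C string for
 * path-based drivers but a raw node pointer for a synth-like driver, and
 * only ctx.export_flags tells the server which interpretation is valid. */
#define V9FS_PATHNAME_FSCONTEXT 0x1u

typedef struct { uint32_t export_flags; } FsContext;
typedef struct { char *data; size_t size; } Path;      /* string OR node ptr */
typedef struct { const char *name; int magic; } SynthNode;

/* Hypothetical shared guard: every rename-capable request handler calls it
 * before anything treats Path.data as a string. */
static int path_based_or_eopnotsupp(const FsContext *ctx) {
    return (ctx->export_flags & V9FS_PATHNAME_FSCONTEXT) ? 0 : -EOPNOTSUPP;
}

/* Backend rename for path-based drivers: rewrites Path.data as a string.
 * Reaching this with a SynthNode behind data is the type confusion the
 * patch prevents. */
static int complete_rename(Path *p, const char *newname) {
    size_t len = strlen(newname) + 1;
    if (len > p->size) return -ENAMETOOLONG;
    memcpy(p->data, newname, len);
    return 0;
}

/* Trename / Trenameat: always a rename, so always guarded. */
static int handle_rename(FsContext *ctx, Path *p, const char *newname) {
    int err = path_based_or_eopnotsupp(ctx);
    return err ? err : complete_rename(p, newname);
}

/* Twstat: only a rename when the name field is non-empty; the other stat
 * fields remain valid for every driver, so the guard sits in that branch. */
static int handle_wstat(FsContext *ctx, Path *p, const char *name, size_t namelen) {
    if (namelen == 0) return 0;          /* no rename requested */
    int err = path_based_or_eopnotsupp(ctx);
    return err ? err : complete_rename(p, name);
}
```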
On Sun, 15 Feb 2026 13:44:50 +0100
Christian Schoenebeck <qemu_oss@crudebyte.com> wrote:
> Renaming files/dirs is only supported by path-based fs drivers. EOPNOTSUPP
> should be returned on any renaming attempt for non-path-based fs drivers.
> This was already the case for the 9p "Trename" request type. However, for the 9p
> request types "Trenameat" and "Twstat" this was still missing.
>
> So fix this by checking in the Twstat and Trenameat request handlers whether
> the fs driver in use is really path-based; if not, return EOPNOTSUPP and
> abort further handling of the request.
>
> This fixes a crash with the 9p "synth" fs driver, which is not path-based.
>
> The crash happened because the synth driver stores and expects a raw
> V9fsSynthNode pointer instead of a C string in V9fsPath.data. So the
> C string delivered by the 9p server to the synth fs driver was incorrectly
> cast to a V9fsSynthNode pointer, eventually causing a segfault.
>
Ouch... yet another path of the synth driver that was never actioned ;-)
> Reported-by: Oliver Chang <ochang@google.com>
> Fixes: https://issues.oss-fuzz.com/issues/477990727
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3298
> Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
> ---
A bit late but
Reviewed-by: Greg Kurz <groug@kaod.org>
> hw/9pfs/9p.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
> index 02366f43a8..e2713b9eee 100644
> --- a/hw/9pfs/9p.c
> +++ b/hw/9pfs/9p.c
> @@ -3516,6 +3516,12 @@ static void coroutine_fn v9fs_renameat(void *opaque)
> goto out_err;
> }
>
> + /* if fs driver is not path based, return EOPNOTSUPP */
> + if (!(s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) {
> + err = -EOPNOTSUPP;
> + goto out_err;
> + }
> +
> v9fs_path_write_lock(s);
> err = v9fs_complete_renameat(pdu, olddirfid,
> &old_name, newdirfid, &new_name);
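Review bot: since this came in via the OSS-Fuzz report cited in the commit message, a regression test alongside the fix would be worth it, e.g. a qtest that sends Trenameat (and a Twstat carrying a name) against the synth backend and expects EOPNOTSUPP instead of a crash; if the existing 9p qtests already drive the synth fsdev, it should fit there.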
> @@ -3606,6 +3612,11 @@ static void coroutine_fn v9fs_wstat(void *opaque)
> }
> }
> if (v9stat.name.size != 0) {
> + /* if fs driver is not path based, return EOPNOTSUPP */
> + if (!(s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) {
> + err = -EOPNOTSUPP;
> + goto out;
> + }
> v9fs_path_write_lock(s);
> err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name);
> v9fs_path_unlock(s);
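Review bot: the check sits after the two closing braces of the earlier blocks of v9fs_wstat, so whatever those blocks applied from the same request stays applied when EOPNOTSUPP is returned for the name part; that matches how a later v9fs_complete_rename() failure would behave, but if the rename part should fail before any change, the export_flags test (still conditioned on v9stat.name.size != 0) could be hoisted to the start of the handler.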
--
Greg
On Sunday, 15 February 2026 13:44:50 CET Christian Schoenebeck wrote:
> Renaming files/dirs is only supported by path-based fs drivers. EOPNOTSUPP
> should be returned on any renaming attempt for non-path-based fs drivers.
> This was already the case for the 9p "Trename" request type. However, for the 9p
> request types "Trenameat" and "Twstat" this was still missing.
>
> So fix this by checking in the Twstat and Trenameat request handlers whether
> the fs driver in use is really path-based; if not, return EOPNOTSUPP and
> abort further handling of the request.
>
> This fixes a crash with the 9p "synth" fs driver, which is not path-based.
>
> The crash happened because the synth driver stores and expects a raw
> V9fsSynthNode pointer instead of a C string in V9fsPath.data. So the
> C string delivered by the 9p server to the synth fs driver was incorrectly
> cast to a V9fsSynthNode pointer, eventually causing a segfault.
>
> Reported-by: Oliver Chang <ochang@google.com>
> Fixes: https://issues.oss-fuzz.com/issues/477990727
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3298
> Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
> ---
> hw/9pfs/9p.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)

Queued on 9p.next:
https://github.com/cschoenebeck/qemu/commits/9p.next

Thanks!

/Christian