From: Christian Schoenebeck
Date: Sat, 28 Feb 2026 14:30:06 +0100
Subject: [PULL 1/2] hw/9pfs: fix data race in v9fs_mark_fids_unreclaim()
To: qemu-devel@nongnu.org, Peter Maydell
Cc: Greg Kurz, Richie Buturla

From: Richie Buturla

A data race between v9fs_mark_fids_unreclaim() and v9fs_path_copy() causes an inconsistent read of fidp->path.

In v9fs_path_copy(), the path size is set before the data pointer is allocated, creating a window where size is non-zero but data is NULL.

v9fs_co_open2() holds a write lock during path modifications, but v9fs_mark_fids_unreclaim() was not acquiring a read lock, allowing it to race.

Fix by holding the path read lock during FID table iteration.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3300
Signed-off-by: Richie Buturla
Link: https://lore.kernel.org/qemu-devel/20260211154450.254338-1-richie@linux.ibm.com/
Fixes: 7a46274529 ("hw/9pfs: Add file descriptor reclaim support")
Signed-off-by: Christian Schoenebeck
--- hw/9pfs/9p.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 6fbe604ce8..02366f43a8 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -560,6 +560,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPD= U *pdu, V9fsPath *path) sizeof(V9fsFidState *), 1); gint i; =20 + v9fs_path_read_lock(s); g_hash_table_iter_init(&iter, s->fids); =20 /* 
@@ -580,6 +581,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPD= U *pdu, V9fsPath *path) g_array_append_val(to_reopen, fidp); } } + v9fs_path_unlock(s); =20 for (i =3D 0; i < to_reopen->len; i++) { fidp =3D g_array_index(to_reopen, V9fsFidState*, i); --=20 2.47.3
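
Review bot: The v9fs_path_read_lock(s) call added before g_hash_table_iter_init() in the first hunk has no comment saying what it protects. The commit message explains that the reader must not see fidp->path while v9fs_path_copy() has set the size but not yet the data pointer; a one-line comment above the lock call naming that writer would stop the lock from being dropped later as apparently unnecessary. The hunk context does not show the loop body, so please also confirm that nothing between this call and the v9fs_path_unlock(s) in the second hunk returns or jumps past the unlock.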
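
Review bot: In the second hunk, v9fs_path_unlock(s) sits before the "for (i = 0; i < to_reopen->len; i++)" loop, so every fidp collected in to_reopen is handled without the path lock. If that loop reads fidp->path, the race described in the commit message is still open there; if it does not, a short comment next to the unlock saying so would make the lock scope reviewable. Note too that the patch only excludes this one reader: the ordering in v9fs_path_copy() that the commit message names as the cause (size set before data) is unchanged, so any other reader of a V9fsPath remains safe only if it takes the same lock.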
From: Christian Schoenebeck
Date: Sat, 28 Feb 2026 14:30:06 +0100
Subject: [PULL 2/2] hw/9pfs: fix missing EOPNOTSUPP on Twstat and Trenameat for fs synth driver
To: qemu-devel@nongnu.org, Peter Maydell
Cc: Greg Kurz, Oliver Chang

Renaming files/dirs is only supported by path-based fs drivers. EOPNOTSUPP should be returned on any renaming attempt for non-path-based fs drivers. This was already the case for 9p "Trename" request type. However, for 9p request types "Trenameat" and "Twstat" this was yet missing.

So fix this by checking in Twstat and Trenameat request handlers whether the fs driver in use is really path based, if not return EOPNOTSUPP and abort further handling of the request.

This fixes a crash with the 9p "synth" fs driver which is not path-based.
The crash happened because the synth driver stores and expects a raw V9fsSynthNode pointer instead of a C-string on V9fsPath.data. So the C-string delivered by 9p server to synth fs driver was incorrectly cast to a V9fsSynthNode pointer, eventually causing a segfault.

Reported-by: Oliver Chang
Fixes: https://issues.oss-fuzz.com/issues/477990727
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3298
Signed-off-by: Christian Schoenebeck
Reviewed-by: Greg Kurz
Link: https://lore.kernel.org/qemu-devel/E1vrbaP-000Gqb-B3@kylie.crudebyte.com/
--- hw/9pfs/9p.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 02366f43a8..e2713b9eee 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -3516,6 +3516,12 @@ static void coroutine_fn v9fs_renameat(void *opaque) goto out_err; } =20 + /* if fs driver is not path based, return EOPNOTSUPP */ + if (!(s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) { + err =3D -EOPNOTSUPP; + goto out_err; + } + v9fs_path_write_lock(s); err =3D v9fs_complete_renameat(pdu, olddirfid, &old_name, newdirfid, &new_name); @@ -3606,6 +3612,11 @@ static void coroutine_fn v9fs_wstat(void *opaque) } } if (v9stat.name.size !=3D 0) { + /* if fs driver is not path based, return EOPNOTSUPP */ + if (!(s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) { + err =3D -EOPNOTSUPP; + goto out; + } v9fs_path_write_lock(s); err =3D v9fs_complete_rename(pdu, fidp, -1, &v9stat.name); v9fs_path_unlock(s); --=20 2.47.3
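
Review bot: The V9FS_PATHNAME_FSCONTEXT test added to v9fs_renameat() is open-coded and repeated verbatim in v9fs_wstat() in the next hunk, and the commit message says Trename already carries its own copy. A check whose omission leads to a string being treated as a V9fsSynthNode pointer is better kept in one small helper that all three handlers call, so a future rename-like handler has a single obvious call to make. Placing it before v9fs_path_write_lock(s) is right, since the out_err path used by the preceding check is also reached without the lock held.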
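
Review bot: In v9fs_wstat() the check sits inside "if (v9stat.name.size != 0)", after the earlier blocks of the handler (closed by the two braces in the context just above) have already run. If those blocks apply other stat changes, a Twstat that combines them with a rename would have them applied and then fail with EOPNOTSUPP; if all-or-nothing behaviour is wanted, test the flag before the first modification whenever name.size is non-zero. The patch also adds no regression test: since the crash is specific to the synth driver, a test that sends Trenameat and a Twstat carrying a name to a synth export and expects EOPNOTSUPP would pin the behaviour.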