From: Christian Schoenebeck
Date: Mon, 18 May 2026 19:35:36 +0200
Subject: [PATCH 1/6] hw/9pfs: add NULL check in v9fs_path_is_ancestor()
To: qemu-devel@nongnu.org, qemu-stable@nongnu.org
Cc: Greg Kurz, Jia Jia

Add NULL check for s1->data and s2->data before using them in string operations. This prevents potential crashes when dealing with uninitialized paths. This is just a defensive measure. We are currently never passing NULL to this function.

Signed-off-by: Christian Schoenebeck
--- hw/9pfs/9p.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index e2713b9eee..e590c414ab 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c
@@ -241,6 +241,9 @@ int v9fs_name_to_path(V9fsState *s, V9fsPath *dirpath, */ static int v9fs_path_is_ancestor(V9fsPath *s1, V9fsPath *s2) { + if (!s1->data || !s2->data) { + return 0; + } if (!strncmp(s1->data, s2->data, s1->size - 1)) { if (s2->data[s1->size - 1] =3D=3D '\0' || s2->data[s1->size - 1] = =3D=3D '/') { return 1; --=20 2.47.3
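Review bot: The new guard in v9fs_path_is_ancestor() covers s1->data and s2->data but not s1->size, so the strncmp() length and the index s1->size - 1 in the unchanged lines still assume size >= 1; a path with non-NULL data and size 0 would make that expression wrap or go negative. Consider checking s1->size alongside the pointers, and say in the function's comment block that an uninitialized path is reported as "not an ancestor", since the commit message states no caller passes NULL today and a silent 0 could otherwise hide a caller bug.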
From: Christian Schoenebeck
Date: Mon, 18 May 2026 19:35:53 +0200
Subject: [PATCH 2/6] hw/9pfs: change V9fsPath.size to size_t and v9fs_path_sprintf() return type
To: qemu-devel@nongnu.org, qemu-stable@nongnu.org
Cc: Greg Kurz, Jia Jia

- Change V9fsPath.size from uint16_t to size_t to support paths larger than 65536 bytes.
- Change v9fs_path_sprintf() return type from void to int to allow error reporting.

Signed-off-by: Christian Schoenebeck
--- fsdev/file-op-9p.h | 2 +- hw/9pfs/9p.c | 14 +++++++++++--- hw/9pfs/9p.h | 4 ++-- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h index b85c9934de..e8d0661c4b 100644 --- a/fsdev/file-op-9p.h +++ b/fsdev/file-op-9p.h @@ -112,7 +112,7 @@ struct FsContext { }; =20 struct V9fsPath { - uint16_t size; + size_t size; char *data; }; P9ARRAY_DECLARE_TYPE(V9fsPath);
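Review bot: The widened size field in struct V9fsPath has no comment saying what it counts. The hw/9pfs/9p.c part of this patch sets it to the formatted length plus one for the terminator, and v9fs_path_is_ancestor() subtracts one again, so a short comment on the field (byte length of data including the trailing NUL) would keep future users from confusing it with strlen(). It would also help to confirm that no remaining code stores path->size in a 16-bit or int variable after this change.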
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index e590c414ab..88894ec9d2 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -203,16 +203,24 @@ void v9fs_path_free(V9fsPath *path) } =20 =20 -void v9fs_path_sprintf(V9fsPath *path, const char *fmt, ...) +int v9fs_path_sprintf(V9fsPath *path, const char *fmt, ...) { va_list ap; + int ret; =20 v9fs_path_free(path); =20 va_start(ap, fmt); - /* Bump the size for including terminating NULL */ - path->size =3D g_vasprintf(&path->data, fmt, ap) + 1; + ret =3D g_vasprintf(&path->data, fmt, ap); va_end(ap); + if (ret < 0) { + error_report_once("9pfs: unusual path formatting failure; " + "invalidating associated FID"); + return -1; + } + /* Bump the size for including terminating NULL */ + path->size =3D ret + 1; + return 0; } =20 void v9fs_path_copy(V9fsPath *dst, const V9fsPath *src) diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h index 65cc45e344..b2df659b0e 100644 --- a/hw/9pfs/9p.h +++ b/hw/9pfs/9p.h 
@@ -456,8 +456,8 @@ static inline uint8_t v9fs_request_cancelled(V9fsPDU *p= du) void coroutine_fn v9fs_reclaim_fd(V9fsPDU *pdu); void v9fs_path_init(V9fsPath *path); void v9fs_path_free(V9fsPath *path); -void G_GNUC_PRINTF(2, 3) v9fs_path_sprintf(V9fsPath *path, const char *fmt, - ...); +int G_GNUC_PRINTF(2, 3) v9fs_path_sprintf(V9fsPath *path, const char *fmt, + ...); void v9fs_path_copy(V9fsPath *dst, const V9fsPath *src); size_t v9fs_readdir_response_size(V9fsString *name); int v9fs_name_to_path(V9fsState *s, V9fsPath *dirpath, --=20 2.47.3
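Review bot: In the hw/9pfs/9p.c hunk, the error branch of v9fs_path_sprintf() returns -1 without touching path->data or path->size, so the state of the path after a failure depends on v9fs_path_free() having cleared it and on what g_vasprintf() leaves in path->data. Setting path->data = NULL and path->size = 0 explicitly before the return would make the failed path unambiguous for callers. Two smaller points: ret is an int, so the size_t field still cannot describe a path longer than INT_MAX, and the message "invalidating associated FID" describes an action this function does not perform, which will mislead when the caller has no FID to invalidate.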
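Review bot: In the hw/9pfs/9p.h hunk, the prototype now returns int but nothing forces callers to look at the result. Adding G_GNUC_WARN_UNUSED_RESULT next to G_GNUC_PRINTF(2, 3) would let the compiler flag any call site that still ignores a formatting failure, which matters because this patch on its own leaves every existing caller unchanged.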
From: Christian Schoenebeck
Date: Mon, 18 May 2026 19:35:56 +0200
Subject: [PATCH 3/6] hw/9pfs: add error handling to v9fs_fix_path()
To: qemu-devel@nongnu.org, qemu-stable@nongnu.org
Cc: Greg Kurz, Jia Jia

Update v9fs_fix_path() to return int and propagate errors from v9fs_path_sprintf(). This allows callers to detect and handle path formatting failures.

Signed-off-by: Christian Schoenebeck
--- hw/9pfs/9p.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 88894ec9d2..d704de644f 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c
@@ -1417,13 +1417,15 @@ static void print_sg(struct iovec *sg, int cnt) } =20 /* Will call this only for path name based fid */ -static void v9fs_fix_path(V9fsPath *dst, V9fsPath *src, int len) +static int v9fs_fix_path(V9fsPath *dst, V9fsPath *src, int len) { V9fsPath str; + int ret; v9fs_path_init(&str); v9fs_path_copy(&str, dst); - v9fs_path_sprintf(dst, "%s%s", src->data, str.data + len); + ret =3D v9fs_path_sprintf(dst, "%s%s", src->data, str.data + len); v9fs_path_free(&str); + return ret; } =20 static inline bool is_ro_export(FsContext *ctx) --=20 2.47.3
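Review bot: v9fs_fix_path() still takes len as an int and adds it to str.data without comparing it to str.size, while the callers pass strlen() results and V9fsPath.size is a size_t as of patch 2. Making len a size_t and asserting len < str.size before the v9fs_path_sprintf() call would keep the pointer arithmetic inside the copied buffer. The comment above the function should also say that on failure dst has already been released by v9fs_path_sprintf() and is not restored from str, so the caller must treat that path as gone.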
From: Christian Schoenebeck
Date: Mon, 18 May 2026 19:35:59 +0200
Subject: [PATCH 4/6] hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path() handle errors
To: qemu-devel@nongnu.org, qemu-stable@nongnu.org
Cc: Greg Kurz, Jia Jia

This patch mitigates issues with very large absolute paths.

- Add error handling to all v9fs_path_sprintf() calls in local_name_to_path()
- Update callers of v9fs_fix_path() to check return values.
- When path formatting fails, clunk the affected FIDs to prevent use of invalid paths.
- Use g_autofree for temporary variables to simplify code.

Even though paths are usually limited to PATH_MAX (typically 4k) on guest, this limitation can be circumvented by using *at() functions on guest and creating very deep directory structures.
This was a problem for QEMU 9p server, as it currently tracks the absolute path for each FID internally that always requires assembly of a (potentially very large) absolute path.

A true long-term fix would be getting rid of storing an absolute path for each FID internally. However that would likely be a massive change with uncertain implications. This patch therefore just mitigates the problem by immediately clunking (i.e. closing) all FIDs whose path exceeds a limit that we could handle. As this only accounts to very unusual large absolute paths not ever been reported on (sane) production machines, this is currently considered an acceptable mitigation that should only (counter)affect malicious attempts.

Fixes: 2f008a8c97e2 ("hw/9pfs: Use the correct signed type ...")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3358
Signed-off-by: Christian Schoenebeck
--- hw/9pfs/9p-local.c | 23 ++++++++++++++++------- hw/9pfs/9p.c | 18 +++++++++++++----- 2 files changed, 29 insertions(+), 12 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 24cb1da90a..aa48306b0e 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c
@@ -1261,26 +1261,35 @@ static int local_name_to_path(FsContext *ctx, V9fsP= ath *dir_path, } else if (!strcmp(name, "..")) { if (!strcmp(dir_path->data, ".")) { /* ".." relative to the root is "." */ - v9fs_path_sprintf(target, "."); + if (v9fs_path_sprintf(target, ".") < 0) { + return -1; + } } else { - char *tmp =3D g_path_get_dirname(dir_path->data); + g_autofree char *tmp =3D g_path_get_dirname(dir_path->data= ); /* Symbolic links are resolved by the client. We can assume * that ".." relative to "foo/bar" is equivalent to "foo" */ - v9fs_path_sprintf(target, "%s", tmp); - g_free(tmp); + if (v9fs_path_sprintf(target, "%s", tmp) < 0) { + return -1; + } } } else { assert(!strchr(name, '/')); - v9fs_path_sprintf(target, "%s/%s", dir_path->data, name); + if (v9fs_path_sprintf(target, "%s/%s", dir_path->data, name) <= 0) { + return -1; + } } } else if (!strcmp(name, "/") || !strcmp(name, ".") || !strcmp(name, "..")) { /* This is the root fid */ - v9fs_path_sprintf(target, "."); + if (v9fs_path_sprintf(target, ".") < 0) { + return -1; + } } else { assert(!strchr(name, '/')); - v9fs_path_sprintf(target, "./%s", name); + if (v9fs_path_sprintf(target, "./%s", name) < 0) { + return -1; + } } return 0; } diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index d704de644f..b4314d2549 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -3325,12 +3325,14 @@ static int coroutine_fn v9fs_complete_rename(V9fsPD= U *pdu, V9fsFidState *fidp, goto out; } } else { - char *dir_name =3D g_path_get_dirname(fidp->path.data); + g_autofree char *dir_name =3D g_path_get_dirname(fidp->path.data); V9fsPath dir_path; =20 v9fs_path_init(&dir_path); - v9fs_path_sprintf(&dir_path, "%s", dir_name); - g_free(dir_name); + err =3D v9fs_path_sprintf(&dir_path, "%s", dir_name); + if (err < 0) { + goto out; + } =20 err =3D v9fs_co_name_to_path(pdu, &dir_path, name->data, &new_path= ); v9fs_path_free(&dir_path); 
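Review bot: In the v9fs_complete_rename() hunk, err is assigned the raw return of v9fs_path_sprintf(), which is -1, and control jumps to out with that value. If err is sent to the client as a negative errno, -1 reads as EPERM, which misreports a path length or allocation problem; mapping the failure to a specific code such as -ENAMETOOLONG before the goto would be clearer. The early goto also skips the v9fs_path_free(&dir_path) that follows v9fs_co_name_to_path(), which is harmless only as long as a failed v9fs_path_sprintf() leaves dir_path empty, so either free it on this path too or state that guarantee in a comment.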
@@ -3351,7 +3353,10 @@ static int coroutine_fn v9fs_complete_rename(V9fsPDU= *pdu, V9fsFidState *fidp, while (g_hash_table_iter_next(&iter, &fid, (gpointer *) &tfidp)) { if (v9fs_path_is_ancestor(&fidp->path, &tfidp->path)) { /* replace the name */ - v9fs_fix_path(&tfidp->path, &new_path, strlen(fidp->path.data)= ); + if (v9fs_fix_path(&tfidp->path, &new_path, + strlen(fidp->path.data)) < 0) { + clunk_fid(s, tfidp->fid); + } } } out: 
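Review bot: clunk_fid(s, tfidp->fid) is called inside the g_hash_table_iter_next() loop. If clunk_fid() removes the entry from the same table that iter walks, the iterator is no longer valid after the call, since GLib only permits removal during iteration through g_hash_table_iter_remove() or g_hash_table_iter_steal(). Collecting the affected FIDs in the loop and clunking them after it, or using the iterator's own removal call, avoids that. The return value of clunk_fid() is also ignored here; if it hands back the FID state, something needs to release it.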
@@ -3448,7 +3453,10 @@ static int coroutine_fn v9fs_fix_fid_paths(V9fsPDU *= pdu, V9fsPath *olddir, while (g_hash_table_iter_next(&iter, &fid, (gpointer *) &tfidp)) { if (v9fs_path_is_ancestor(&oldpath, &tfidp->path)) { /* replace the name */ - v9fs_fix_path(&tfidp->path, &newpath, strlen(oldpath.data)); + if (v9fs_fix_path(&tfidp->path, &newpath, + strlen(oldpath.data)) < 0) { + clunk_fid(s, tfidp->fid); + } } } out: --=20 2.47.3
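Review bot: In the v9fs_fix_fid_paths() hunk, a failed v9fs_fix_path() clunks the FID but the loop carries on and the failure never reaches err, so the rename is reported to the guest as successful while some of its open FIDs have been closed underneath it. A rate-limited warning naming the FID, or at least a comment that reporting success is intentional, would make later failures on those FIDs traceable. The loop body is now identical to the one in v9fs_complete_rename(), so a shared helper would keep the two in step.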
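Review bot: In the hw/9pfs/9p-local.c hunk of this patch, each new failure branch in local_name_to_path() returns -1 without setting errno. If the callers of this backend hook turn a negative return into -errno, they will report whatever stale value errno holds at that moment; setting errno (for example to ENAMETOOLONG) before each return -1 would make the reported error deterministic.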
From: Christian Schoenebeck
Date: Mon, 18 May 2026 19:36:01 +0200
Subject: [PATCH 5/6] tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool reset
To: qemu-devel@nongnu.org, qemu-stable@nongnu.org
Cc: Greg Kurz, Jia Jia, Fabiano Rosas, Laurent Vivier, Paolo Bonzini

Add a function to reset the virtqueue descriptor pool state without reinitializing the device. This is useful for tests that issue a high number of requests and are limited by the simplified virtio test driver's descriptor tracking, which decrements num_free but never increments it back. The function is safe for synchronous test code where requests are sent and completed before the next request is issued.
Signed-off-by: Christian Schoenebeck Acked-by: Fabiano Rosas --- tests/qtest/libqos/virtio.c | 23 +++++++++++++++++++++++ tests/qtest/libqos/virtio.h | 2 ++ 2 files changed, 25 insertions(+) diff --git a/tests/qtest/libqos/virtio.c b/tests/qtest/libqos/virtio.c index 010ff40834..ccbb325222 100644 --- a/tests/qtest/libqos/virtio.c +++ b/tests/qtest/libqos/virtio.c @@ -464,6 +464,29 @@ bool qvirtqueue_get_buf(QTestState *qts, QVirtQueue *v= q, uint32_t *desc_idx, return true; } =20 +/* + * qvirtqueue_reset_pool: + * @vq: The virtqueue to reset + * + * Reset the descriptor pool state without reinitializing the device. + * This is useful for tests that issue a high number of requests and + * are limited by the simplified virtio test driver's descriptor tracking, + * which decrements num_free but never increments it back. + * + * This is only safe for synchronous test code where requests are + * sent and completed before the next request is issued. Do not use + * with asynchronous code where multiple requests may be in-flight. + * + * Note: This only resets the available descriptor pool (free_head, + * num_free). The used ring position (last_used_idx) is NOT reset + * and should continue to track consumed responses across iterations. + */ +void qvirtqueue_reset_pool(QVirtQueue *vq) +{ + vq->free_head =3D 0; + vq->num_free =3D vq->size; +} + void qvirtqueue_set_used_event(QTestState *qts, QVirtQueue *vq, uint16_t i= dx) { g_assert(vq->event); diff --git a/tests/qtest/libqos/virtio.h b/tests/qtest/libqos/virtio.h index e238f1726f..f17be0b9b6 100644 --- a/tests/qtest/libqos/virtio.h +++ b/tests/qtest/libqos/virtio.h 
@@ -150,6 +150,8 @@ void qvirtqueue_kick(QTestState *qts, QVirtioDevice *d,= QVirtQueue *vq, bool qvirtqueue_get_buf(QTestState *qts, QVirtQueue *vq, uint32_t *desc_id= x, uint32_t *len); =20 +void qvirtqueue_reset_pool(QVirtQueue *vq); + void qvirtqueue_set_used_event(QTestState *qts, QVirtQueue *vq, uint16_t i= dx); =20 void qvirtio_start_device(QVirtioDevice *vdev); --=20 2.47.3
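Review bot: qvirtqueue_reset_pool() in tests/qtest/libqos/virtio.c documents that it is only safe when no request is in flight, but the body sets free_head and num_free unconditionally, so a call from asynchronous test code would go unnoticed instead of failing the test. If the queue state allows it, an assertion for the no-request-in-flight case would turn that misuse into an immediate failure. Failing that, the warning should also sit next to the prototype added in virtio.h, which currently carries no comment, since that is where callers will look first.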
From: Christian Schoenebeck
Date: Mon, 18 May 2026 19:36:03 +0200
Subject: [PATCH 6/6] tests/9pfs: add deep absolute path test
To: qemu-devel@nongnu.org, qemu-stable@nongnu.org
Cc: Greg Kurz, Jia Jia

Add fs_deep_absolute_path test that creates a deep directory structure with an absolute path length exceeding 16-bit range (i.e. >65536) to verify the previous buffer overflow fix.

This is a slow test (may take several seconds) and therefore registered as "slow" test and not running by default. Use -m slow to run this test.

Link: https://gitlab.com/qemu-project/qemu/-/issues/3358
Signed-off-by: Christian Schoenebeck
--- tests/qtest/virtio-9p-test.c | 69 ++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/tests/qtest/virtio-9p-test.c b/tests/qtest/virtio-9p-test.c index ac38ccf595..1c69d41e33 100644 --- a/tests/qtest/virtio-9p-test.c
+++ b/tests/qtest/virtio-9p-test.c @@ -14,6 +14,7 @@ =20 #include "qemu/osdep.h" #include "qemu/module.h" +#include "libqos/virtio.h" #include "libqos/virtio-9p-client.h" =20 #define twalk(...) v9fs_twalk((TWalkOpt) __VA_ARGS__) 
@@ -752,6 +753,72 @@ static void fs_use_after_unlink(void *obj, void *data, g_assert_cmpint(attr.size, =3D=3D, 2001); } =20 +/* https://gitlab.com/qemu-project/qemu/-/issues/3358 */ +static void fs_deep_absolute_path(void *obj, void *data, + QGuestAllocator *t_alloc) +{ + QVirtio9P *v9p =3D obj; + v9fs_set_allocator(t_alloc); + + if (!g_test_slow()) { + g_test_skip("This is a slow test, run with -m slow"); + return; + } + + GString *path =3D g_string_new("/"); + char name[256]; + uint32_t current_fid =3D 0; + + tattach({ .client =3D v9p }); + + /* Create deep directory structure until absolute path length + * exceeds 16-bit range. + */ + while (path->len <=3D 65536) { + /* use 255-byte name (NAME_MAX) to reduce iterations to ~257 */ + memset(name, 'A', 255); + name[255] =3D '\0'; + + /* create the directory relative to current FID */ + tmkdir({ + .client =3D v9p, + .dfid =3D current_fid, + .name =3D name + }); + + /* just for locally tracking the current path length */ + g_string_append(path, name); + g_string_append(path, "/"); + + /* acquire new FID for the newly created directory */ + char *wnames[] =3D { name }; + current_fid =3D twalk({ + .client =3D v9p, + .fid =3D current_fid, + .nwname =3D 1, + .wnames =3D wnames + }).newfid; + + /* Reset descriptor pool to avoid exhaustion. The simplified + * virtio test driver does never free descriptors back to the pool + * after use, so we must manually reset it for the required high + * amount of 9p requests here. + */ + qvirtqueue_reset_pool(v9p->vq); + } + + /* check if the deepest directory is accessible */ + v9fs_attr attr =3D {}; + tgetattr({ + .client =3D v9p, + .fid =3D current_fid, + .request_mask =3D P9_GETATTR_BASIC, + .rgetattr.attr =3D &attr + }); + + g_string_free(path, TRUE); +} + static void cleanup_9p_local_driver(void *data) { /* remove previously created test dir when test is completed */ 
@@ -819,6 +886,8 @@ static void register_virtio_9p_test(void) &opts); qos_add_test("local/use_after_unlink", "virtio-9p", fs_use_after_unlin= k, &opts); + qos_add_test("local/deep_absolute_path", "virtio-9p", + fs_deep_absolute_path, &opts); } =20 libqos_init(register_virtio_9p_test); --=20 2.47.3
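Review bot: In fs_deep_absolute_path() (the hunk at -752,6 +753,72) the final tgetattr() on current_fid fills attr, but nothing is asserted on it afterwards, so the pass criterion rests entirely on the request helpers failing the test on an error reply. An explicit check on attr after the call, or a short comment stating that tgetattr() already asserts success, would make the intended check visible. Smaller points in the same hunk: the memset(name, 'A', 255) and the terminator write are loop-invariant and can move above the while loop; path is only read for path->len, so a plain length counter would do; and the multi-line comments start their text on the opening /* line, unlike the block comment added in patch 5/6, which puts /* on a line of its own.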