On Sun, 15 Feb 2026 13:44:50 +0100
Christian Schoenebeck <[email protected]> wrote:

> Renaming files/dirs is only supported by path-based fs drivers. EOPNOTSUPP
> should be returned on any renaming attempt for non-path-based fs drivers.
> This was already the case for 9p "Trename" request type. However for 9p
> request types "Trenameat" and "Twstat" this was yet missing.
> 
> So fix this by checking in Twstat and Trenameat request handlers whether
> the fs driver in use is really path based, if not return EOPNOTSUPP and
> abort further handling of the request.
> 
> This fixes a crash with the 9p "synth" fs driver which is not path-based.
> 
> The crash happened because the synth driver stores and expects a raw
> V9fsSynthNode pointer instead of a C-string on V9fsPath.data. So the
> C-string delivered by the 9p server to the synth fs driver was incorrectly
> cast to a V9fsSynthNode pointer, eventually causing a segfault.
> 

Ouch... yet another path of the synth driver that was never actioned ;-)

> Reported-by: Oliver Chang <[email protected]>
> Fixes: https://issues.oss-fuzz.com/issues/477990727
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3298
> Signed-off-by: Christian Schoenebeck <[email protected]>
> ---

A bit late but

Reviewed-by: Greg Kurz <[email protected]>

>  hw/9pfs/9p.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
> index 02366f43a8..e2713b9eee 100644
> --- a/hw/9pfs/9p.c
> +++ b/hw/9pfs/9p.c
> @@ -3516,6 +3516,12 @@ static void coroutine_fn v9fs_renameat(void *opaque)
>          goto out_err;
>      }
>  
> +    /* if fs driver is not path based, return EOPNOTSUPP */
> +    if (!(s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) {
> +        err = -EOPNOTSUPP;
> +        goto out_err;
> +    }
> +
>      v9fs_path_write_lock(s);
>      err = v9fs_complete_renameat(pdu, olddirfid,
>                                   &old_name, newdirfid, &new_name);
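Review bot: the new `V9FS_PATHNAME_FSCONTEXT` test is placed after the earlier checks that `goto out_err` and immediately before `v9fs_path_write_lock(s)`, and it repeats verbatim the comment-plus-test that the second hunk adds to v9fs_wstat (and that Trename already carries, per the commit message). Consider a small static helper, e.g. `v9fs_fs_is_path_based(s)`, or a shared `-EOPNOTSUPP` early-out used by all three rename entry points, so they cannot drift apart again the way Trenameat and Twstat did here. A one-line comment stating that `V9FS_PATHNAME_FSCONTEXT` is the only condition under which `V9fsPath.data` may be treated as a C string would also document the invariant this check protects, which the current "if fs driver is not path based" comment does not convey.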
> @@ -3606,6 +3612,11 @@ static void coroutine_fn v9fs_wstat(void *opaque)
>          }
>      }
>      if (v9stat.name.size != 0) {
> +        /* if fs driver is not path based, return EOPNOTSUPP */
> +        if (!(s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) {
> +            err = -EOPNOTSUPP;
> +            goto out;
> +        }
>          v9fs_path_write_lock(s);
>          err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name);
>          v9fs_path_unlock(s);
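Review bot: the check is nested under `if (v9stat.name.size != 0)` and only runs after the blocks closed by the two `}` lines just above it, which appear to be the handler's earlier attribute updates; a Twstat that carries a new name together with other fields will therefore fail with EOPNOTSUPP after those fields have already been applied. If partial application is not acceptable, hoist the flag test to the top of v9fs_wstat, still gated on `v9stat.name.size != 0`, so the request is rejected before any state changes; if it is acceptable, a short comment saying so would help the next reader. Also worth confirming that `goto out` here (as opposed to `out_err` in the renameat hunk) still releases `fidp` and completes the PDU with the negative `err`.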



-- 
Greg
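The type confusion described in the commit message, as an added example in C that is not QEMU's code: `Path`, `FsContext` and `SynthNode` are assumed stand-ins for V9fsPath, V9fsContext and V9fsSynthNode, the value of `V9FS_PATHNAME_FSCONTEXT` is assumed, and `rename_unchecked` / `rename_checked` are hypothetical handlers modelling the shape of the code before and after the patch. The point it shows is that `data` is a C string only for path-based drivers, so a rename handler must test the driver's capability flag before it may touch `data` as a string.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed flag value; QEMU defines the real V9FS_PATHNAME_FSCONTEXT in hw/9pfs. */
#define V9FS_PATHNAME_FSCONTEXT (1u << 0)

typedef struct { unsigned export_flags; } FsContext;   /* stand-in for V9fsContext   */
typedef struct { int id; char name[32]; } SynthNode;    /* stand-in for V9fsSynthNode */
typedef struct { size_t size; char *data; } Path;       /* stand-in for V9fsPath      */

/* Portable strdup replacement so the example does not depend on POSIX feature macros. */
static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Path-based driver (e.g. "local"): data is a heap-allocated, NUL-terminated path. */
void local_path_init(Path *p, const char *name) {
    p->data = dup_string(name);
    p->size = strlen(name) + 1;
}

/* Synth driver: data carries a raw node pointer; it is NOT a string. */
void synth_path_init(Path *p, SynthNode *node) {
    p->data = (char *)node;
    p->size = sizeof(node);
}

/* What a path-based driver does on rename: free the old string, install the new one. */
static int local_rename(Path *p, const char *new_name) {
    char *dup = dup_string(new_name);
    if (!dup) return -ENOMEM;
    free(p->data);              /* on a synth path this frees a pointer into a SynthNode */
    p->data = dup;
    p->size = strlen(new_name) + 1;
    return 0;
}

/* Pre-fix shape: assumes every driver is path based. Calling this with a synth
 * path reinterprets the node pointer as a string (undefined behaviour). */
int rename_unchecked(FsContext *ctx, Path *p, const char *new_name) {
    (void)ctx;
    return local_rename(p, new_name);
}

/* Post-fix shape, mirroring the patch: refuse before touching data as a string. */
int rename_checked(FsContext *ctx, Path *p, const char *new_name) {
    if (!(ctx->export_flags & V9FS_PATHNAME_FSCONTEXT))
        return -EOPNOTSUPP;
    return local_rename(p, new_name);
}

int main(void) {
    FsContext local_ctx = { V9FS_PATHNAME_FSCONTEXT };
    FsContext synth_ctx = { 0 };

    Path lp;
    local_path_init(&lp, "old");
    printf("local: rc=%d name=%s\n", rename_checked(&local_ctx, &lp, "new"), lp.data);
    free(lp.data);

    SynthNode node = { 7, "root" };
    Path sp;
    synth_path_init(&sp, &node);
    int rc = rename_checked(&synth_ctx, &sp, "new");
    /* The synth node is untouched because the handler never interpreted sp.data. */
    printf("synth: rc=%d (EOPNOTSUPP=%d) node.id=%d\n", rc, -EOPNOTSUPP, node.id);
    return 0;
}
```

Only `rename_checked` is ever called with the synth path; `rename_unchecked` is kept to make the pre-fix control flow visible, and exercising it on a synth path would reproduce the class of crash the patch fixes.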