From 0fd76f1be20d19ac593138ceec502cb044c909bd Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Wed, 25 Feb 2026 08:57:45 -0500
Subject: 9p: fix memory leak in v9fs_init_fs_context error path

Move the assignments of fc->ops and fc->fs_private to right after the kzalloc, before any fallible operations. Previously these were assigned at the end of the function, after the kstrdup calls for uname and aname. If either kstrdup failed, the error path would set fc->need_free but leave fc->ops NULL, so put_fs_context() would never call v9fs_free_fc() to free the allocated context and any already-duplicated strings.

Fixes: 1f3e4142c0eb ("9p: convert to the new mount API")
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Sasha Levin
Message-ID: <20260225135745.351984-1-sashal@kernel.org>
Signed-off-by: Dominique Martinet
---
 fs/9p/vfs_super.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'fs')

diff --git a/fs/9p/vfs_super.c b/fs/9p/vfs_super.c
index 0a1c4f7cb001..431f24938a1d 100644
--- a/fs/9p/vfs_super.c
+++ b/fs/9p/vfs_super.c
@@ -312,6 +312,9 @@ static int v9fs_init_fs_context(struct fs_context *fc)
 	if (!ctx)
 		return -ENOMEM;
 
+	fc->ops = &v9fs_context_ops;
+	fc->fs_private = ctx;
+
 	/* initialize core options */
 	ctx->session_opts.afid = ~0;
 	ctx->session_opts.cache = CACHE_NONE;
@@ -345,9 +348,6 @@ static int v9fs_init_fs_context(struct fs_context *fc)
 	ctx->rdma_opts.timeout = P9_RDMA_TIMEOUT;
 	ctx->rdma_opts.privport = false;
 
-	fc->ops = &v9fs_context_ops;
-	fc->fs_private = ctx;
-
 	return 0;
 error:
 	fc->need_free = 1;
-- 
cgit v1.2.3

From da2346a48a5a1fed86c3fe3d73c0b60e7b3027c9 Mon Sep 17 00:00:00 2001
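Review bot: The two assignments moved to the top of v9fs_init_fs_context carry no comment saying why they must precede the kstrdup calls, so nothing stops a later tidy-up from moving them back beside `return 0;`, which is exactly the ordering this commit undoes. Suggest annotating the new lines with `/* Install ops/fs_private before anything can fail so that put_fs_context() reaches v9fs_free_fc() on the error path. */`. Because fc->ops is now set before the strings are duplicated, v9fs_free_fc() can run against a context whose uname/aname are still NULL; the commit message implies this is intended, but that function is outside the hunk and is worth confirming. The second hunk is the matching removal and needs nothing further; v9fs_init_fs_context starts before the first hunk and its error label continues past the second.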
From: Pierre Barre
Date: Thu, 2 Apr 2026 12:03:12 +0200
Subject: 9p: fix access mode flags being ORed instead of replaced

Since commit 1f3e4142c0eb ("9p: convert to the new mount API"), v9fs_apply_options() applies parsed mount flags with |= onto flags already set by v9fs_session_init(). For 9P2000.L, session_init sets V9FS_ACCESS_CLIENT as the default, so when the user mounts with "access=user", both bits end up set. Access mode checks compare against exact values, so having both bits set matches neither mode. This causes v9fs_fid_lookup() to fall through to the default switch case, using INVALID_UID (nobody/65534) instead of current_fsuid() for all fid lookups. Root is then unable to chown or perform other privileged operations. Fix by clearing the access mask before applying the user's choice.

Fixes: 1f3e4142c0eb ("9p: convert to the new mount API")
Signed-off-by: Pierre Barre
Reviewed-by: Christian Schoenebeck
Message-ID: <0ddc72da-d196-4f01-8755-0086f670e779@app.fastmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dominique Martinet
---
 fs/9p/v9fs.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'fs')

diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c
index 057487efaaeb..acda42499ca9 100644
--- a/fs/9p/v9fs.c
+++ b/fs/9p/v9fs.c
@@ -413,7 +413,11 @@ static void v9fs_apply_options(struct v9fs_session_info *v9ses,
 	/*
 	 * Note that we must |= flags here as session_init already
 	 * set basic flags. This adds in flags from parsed options.
+	 * Default access flags must be cleared if session options
+	 * changes them to avoid mangling the setting.
 	 */
+	if (ctx->session_opts.flags & V9FS_ACCESS_MASK)
+		v9ses->flags &= ~V9FS_ACCESS_MASK;
 	v9ses->flags |= ctx->session_opts.flags;
#ifdef CONFIG_9P_FSCACHE
 	v9ses->cachetag = ctx->session_opts.cachetag;
-- 
cgit v1.2.3
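Review bot: The comment line added in the hunk, `* changes them to avoid mangling the setting.`, does not agree with its plural subject; `* change them to avoid mangling the setting.` reads correctly, and the sentence would be clearer as a statement of the rule it encodes, e.g. `* access= is an exclusive choice: drop the session_init default before ORing in the user's mode.` The new guard also depends on V9FS_ACCESS_MASK covering every value the access= option can produce, which is defined outside this hunk and worth checking against the option table. If session_init sets a default for any other flag group that is likewise an exclusive choice, the same masking would be needed there; nothing visible here shows whether that is the case. v9fs_apply_options begins before the hunk and continues past it.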