On Wednesday, 11 February 2026 16:44:50 CET Richie Buturla wrote:
> A data race between v9fs_mark_fids_unreclaim() and v9fs_path_copy()
> causes an inconsistent read of fidp->path. In v9fs_path_copy(), the
> path size is set before the data pointer is allocated, creating a
> window where size is non-zero but data is NULL.
>
> v9fs_co_open2() holds a write lock during path modifications,
> but v9fs_mark_fids_unreclaim() was not acquiring a read
> lock, allowing it to race.
>
> Fix by holding the path read lock during FID table iteration.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3300
> Signed-off-by: Richie Buturla <[email protected]>

Another true survivor:

Fixes: 7a46274529 ("hw/9pfs: Add file descriptor reclaim support")

> ---
> hw/9pfs/9p.c | 2 ++
> 1 file changed, 2 insertions(+)

Queued on 9p.next:
https://github.com/cschoenebeck/qemu/commits/9p.next

Thanks!
/Christian