From: Christian Schoenebeck <linux_oss@crudebyte.com>
To: ericvh@kernel.org, lucho@ionkov.net, asmadeus@codewreck.org,
Pierre Barre <pierre@barre.sh>
Cc: v9fs@lists.linux.dev, linux-kernel@vger.kernel.org,
stable@vger.kernel.org, sandeen@redhat.com
Subject: Re: [PATCH] 9p: fix access mode flags being ORed instead of replaced
Date: Thu, 09 Apr 2026 16:51:07 +0200 [thread overview]
Message-ID: <2406037.ElGaqSPkdT@weasel> (raw)
In-Reply-To: <0ddc72da-d196-4f01-8755-0086f670e779@app.fastmail.com>
On Thursday, 2 April 2026 12:03:12 CEST Pierre Barre wrote:
> Since commit 1f3e4142c0eb ("9p: convert to the new mount API"),
> v9fs_apply_options() applies parsed mount flags with |= onto flags
> already set by v9fs_session_init(). For 9P2000.L, session_init sets
> V9FS_ACCESS_CLIENT as the default, so when the user mounts with
> "access=user", both bits end up set. Access mode checks compare
> against exact values, so having both bits set matches neither mode.
>
> This causes v9fs_fid_lookup() to fall through to the default switch
> case, using INVALID_UID (nobody/65534) instead of current_fsuid()
> for all fid lookups. Root is then unable to chown or perform other
> privileged operations.
>
> Fix by clearing the access mask before applying the user's choice.
>
> Fixes: 1f3e4142c0eb ("9p: convert to the new mount API")
> Signed-off-by: Pierre Barre <pierre@barre.sh>
> ---
> fs/9p/v9fs.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c
> index 057487efaaeb..05a5e1c4df35 100644
> --- a/fs/9p/v9fs.c
> +++ b/fs/9p/v9fs.c
> @@ -413,7 +413,11 @@ static void v9fs_apply_options(struct v9fs_session_info
> *v9ses, /*
> * Note that we must |= flags here as session_init already
> * set basic flags. This adds in flags from parsed options.
> + * Access flags are mutually exclusive, so clear any access
> + * bits set by session_init before applying the user's choice.
That phrase is a bit suboptimal, because V9FS_ACCESS_ANY is actually a bit
combination of single, user and client. But OK, I currently don't have a
better phrase for it since the access fields have to be replaced altogether.
As for the actual behaviour change; makes sense to me:
Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
> */
> + if (ctx->session_opts.flags & V9FS_ACCESS_MASK)
> + v9ses->flags &= ~V9FS_ACCESS_MASK;
> v9ses->flags |= ctx->session_opts.flags;
> #ifdef CONFIG_9P_FSCACHE
> v9ses->cachetag = ctx->session_opts.cachetag;
> --
> 2.51.0
next prev parent reply other threads:[~2026-04-09 15:12 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-02 10:03 [PATCH] 9p: fix access mode flags being ORed instead of replaced Pierre Barre
2026-04-02 10:10 ` Pierre Barre
2026-04-09 8:12 ` Pierre Barre
2026-04-09 14:51 ` Christian Schoenebeck [this message]
2026-04-16 2:53 ` Dominique Martinet
2026-04-16 6:42 ` Pierre Barre
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2406037.ElGaqSPkdT@weasel \
--to=linux_oss@crudebyte.com \
--cc=asmadeus@codewreck.org \
--cc=ericvh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lucho@ionkov.net \
--cc=pierre@barre.sh \
--cc=sandeen@redhat.com \
--cc=stable@vger.kernel.org \
--cc=v9fs@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.