CVE-2026-52906

In the Linux kernel, the following vulnerability has been resolved:

9p: fix access mode flags being ORed instead of replaced

Since commit 1f3e4142c0eb ("9p: convert to the new mount API"), v9fs apply options() applies parsed mount flags with |= onto flags already set by v9fs session init(). For 9P2000.L, session init sets V9FS ACCESS CLIENT as the default, so when the user mounts with "access=user", both bits end up set. Access mode checks compare against exact values, so having both bits set matches neither mode.

This causes v9fs fid lookup() to fall through to the default switch case, using INVALID UID (nobody/65534) instead of current fsuid() for all fid lookups. Root is then unable to chown or perform other privileged operations.

Fix by clearing the access mask before applying the user's choice.