{"id":"CVE-2024-39463","summary":"9p: add missing locking around taking dentry fid list","details":"In the Linux kernel, the following vulnerability has been resolved:\n\n9p: add missing locking around taking dentry fid list\n\nFix a use-after-free on dentry's d_fsdata fid list when a thread\nlooks up a fid through dentry while another thread unlinks it:\n\nUAF thread:\nrefcount_t: addition on 0; use-after-free.\n p9_fid_get linux/./include/net/9p/client.h:262\n v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129\n v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181\n v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314\n v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400\n vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248\n\nFreed by:\n p9_fid_destroy (inlined)\n p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456\n p9_fid_put linux/./include/net/9p/client.h:278\n v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55\n v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518\n vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335\n\nThe problem is that d_fsdata was not accessed under d_lock, because\nd_release() normally is only called once the dentry is otherwise no\nlonger accessible but since we also call it explicitly in v9fs_remove\nthat lock is required:\nmove the hlist out of the dentry under lock then unref its fids once\nthey are no longer accessible.","modified":"2026-04-02T12:16:59.545081Z","published":"2024-06-25T14:25:02.887Z","related":["MGASA-2024-0263","MGASA-2024-0266","SUSE-SU-2024:2571-1","SUSE-SU-2024:2894-1","SUSE-SU-2024:2896-1","SUSE-SU-2024:2902-1","SUSE-SU-2024:2929-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2947-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39463.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3bb6763a8319170c2d41c4232c8e7e4c37dcacfb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c898afdc15645efb555acb6d85b484eb40a45409"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cb299cdba09f46f090b843d78ba26b667d50a456"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fe17ebf22feb4ad7094d597526d558a49aac92b4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39463.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39463"},{"type":"ADVISORY","url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1194/"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"154372e67d4053e56591245eb413686621941333"},{"fixed":"3bb6763a8319170c2d41c4232c8e7e4c37dcacfb"},{"fixed":"cb299cdba09f46f090b843d78ba26b667d50a456"},{"fixed":"f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5"},{"fixed":"fe17ebf22feb4ad7094d597526d558a49aac92b4"},{"fixed":"c898afdc15645efb555acb6d85b484eb40a45409"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39463.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}