{"id":"CVE-2024-39486","summary":"drm/drm_file: Fix pid refcounting race","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/drm_file: Fix pid refcounting race\n\nfilp-\u003epid is supposed to be a refcounted pointer; however, before this\npatch, drm_file_update_pid() only increments the refcount of a struct\npid after storing a pointer to it in filp-\u003epid and dropping the\ndev-\u003efilelist_mutex, making the following race possible:\n\nprocess A               process B\n=========               =========\n                        begin drm_file_update_pid\n                        mutex_lock(&dev-\u003efilelist_mutex)\n                        rcu_replace_pointer(filp-\u003epid, \u003cpid B\u003e, 1)\n                        mutex_unlock(&dev-\u003efilelist_mutex)\nbegin drm_file_update_pid\nmutex_lock(&dev-\u003efilelist_mutex)\nrcu_replace_pointer(filp-\u003epid, \u003cpid A\u003e, 1)\nmutex_unlock(&dev-\u003efilelist_mutex)\nget_pid(\u003cpid A\u003e)\nsynchronize_rcu()\nput_pid(\u003cpid B\u003e)   *** pid B reaches refcount 0 and is freed here ***\n                        get_pid(\u003cpid B\u003e)   *** UAF ***\n                        synchronize_rcu()\n                        put_pid(\u003cpid A\u003e)\n\nAs far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y\nbecause it requires RCU to detect a quiescent state in code that is not\nexplicitly calling into the scheduler.\n\nThis race leads to use-after-free of a \"struct pid\".\nIt is probably somewhat hard to hit because process A has to pass\nthrough a synchronize_rcu() operation while process B is between\nmutex_unlock() and get_pid().\n\nFix it by ensuring that by the time a pointer to the current task's pid\nis stored in the file, an extra reference to the pid has been taken.\n\nThis fix also removes the condition for synchronize_rcu(); I think\nthat optimization is unnecessary complexity, since in that case we\nwould usually have bailed out on the lockless check above.","modified":"2026-04-16T04:38:15.131673634Z","published":"2024-07-06T09:25:21.514Z","related":["SUSE-SU-2024:3194-1","SUSE-SU-2024:3195-1","SUSE-SU-2024:3383-1","SUSE-SU-2025:20044-1","SUSE-SU-2025:20047-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39486.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0acce2a5c619ef1abdee783d7fea5eac78ce4844"},{"type":"WEB","url":"https://git.kernel.org/stable/c/16682588ead4a593cf1aebb33b36df4d1e9e4ffa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4f2a129b33a2054e62273edd5a051c34c08d96e9"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39486.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39486"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"031ddd28008971cce0b5626379b910d0a05fb4dd"},{"fixed":"16682588ead4a593cf1aebb33b36df4d1e9e4ffa"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1c7a387ffef894b1ab3942f0482dac7a6e0a909c"},{"fixed":"0acce2a5c619ef1abdee783d7fea5eac78ce4844"},{"fixed":"4f2a129b33a2054e62273edd5a051c34c08d96e9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39486.json"}}],"schema_version":"1.7.5"}
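The interleaving in the record's commit message, replayed as an added single-threaded C model written for this page (it is not the kernel's drm_file code). The model assumes: a `struct pid` with a refcount and a `freed` flag instead of real memory so the use-after-free is observable, a hypothetical `init` pid that the file held before either task ran, each of the two tasks holding one reference to its own pid, and a schedule string ("BAAAABBB" is the commit's table read top to bottom) that advances one task per letter. `filelist_mutex` and `synchronize_rcu()` are represented only by the step ordering, since the model has no concurrent readers. `step_buggy` publishes the pointer before `get_pid()`, as the pre-fix code did; `step_fixed` takes the reference first, as the fix does.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of a refcounted struct pid (not the kernel's). A pid whose count
 * hits zero is poisoned instead of released, so a later get_pid() on it is
 * detectable rather than undefined behaviour. */
struct pid {
    const char *name;
    int refcount;
    bool freed;
};

struct drm_file { struct pid *pid; };   /* stands in for filp->pid */

static bool uaf_seen;                   /* latched when get_pid() sees a freed pid */

static void get_pid(struct pid *p)
{
    if (p->freed)
        uaf_seen = true;                /* the UAF the commit describes */
    p->refcount++;
}

static void put_pid(struct pid *p)
{
    if (--p->refcount == 0)
        p->freed = true;                /* the real kernel frees the object here */
}

/* One task inside drm_file_update_pid(), split into the steps used by the
 * commit's interleaving table. */
struct updater {
    struct pid *me;     /* task_pid(current) */
    struct pid *old;    /* what rcu_replace_pointer() returned */
    int step;
};

/* Pre-fix order: publish the pointer (under filelist_mutex), drop the mutex,
 * only then take the reference. */
static void step_buggy(struct updater *u, struct drm_file *filp)
{
    switch (u->step++) {
    case 0: u->old = filp->pid; filp->pid = u->me; break;   /* rcu_replace_pointer */
    case 1: get_pid(u->me); break;                           /* mutex already dropped */
    case 2: break;                                           /* synchronize_rcu() */
    case 3: put_pid(u->old); break;
    default: break;                                          /* task is done */
    }
}

/* Fixed order: the extra reference exists before the pointer is visible. */
static void step_fixed(struct updater *u, struct drm_file *filp)
{
    switch (u->step++) {
    case 0: get_pid(u->me); u->old = filp->pid; filp->pid = u->me; break;
    case 1: break;                                           /* synchronize_rcu() */
    case 2: put_pid(u->old); break;
    default: break;
    }
}

struct outcome {
    bool uaf;       /* did any get_pid() touch a freed pid? */
    int ref_a;      /* final refcount of pid A: task ref + file ref expected */
    int ref_b;      /* final refcount of pid B: task ref only expected */
};

/* Each letter of the schedule advances task A or B by one step. Steps past
 * the end of a task's sequence are no-ops, so one schedule string drives
 * both variants. Hypothetical "init" pid: what the file held since open(). */
static struct outcome run_schedule(const char *schedule, bool fixed)
{
    struct pid init = { "init", 1, false };
    struct pid a = { "A", 1, false };       /* each task owns a ref to its own pid */
    struct pid b = { "B", 1, false };
    struct drm_file filp = { &init };
    struct updater ua = { &a, NULL, 0 }, ub = { &b, NULL, 0 };
    struct outcome out;

    uaf_seen = false;
    for (const char *s = schedule; *s; s++) {
        struct updater *u = (*s == 'A') ? &ua : &ub;
        if (fixed)
            step_fixed(u, &filp);
        else
            step_buggy(u, &filp);
    }
    out.uaf = uaf_seen;
    out.ref_a = a.refcount;
    out.ref_b = b.refcount;
    return out;
}

int main(void)
{
    const char *race = "BAAAABBB";      /* the commit's table, top to bottom */
    struct outcome o = run_schedule(race, false);
    printf("buggy: uaf=%d ref_a=%d ref_b=%d\n", o.uaf, o.ref_a, o.ref_b);
    o = run_schedule(race, true);
    printf("fixed: uaf=%d ref_a=%d ref_b=%d\n", o.uaf, o.ref_a, o.ref_b);
    return 0;
}
```

With the buggy ordering, A's `put_pid()` on the pid it displaced takes B's count from 1 to 0 before B has run its own `get_pid()`, which is exactly the `*** UAF ***` line of the table; a non-overlapping schedule such as "BBBBAAAA" is clean even with the buggy code, which is why the commit expects the bug to be hard to hit. With the fixed ordering the same schedule leaves A at refcount 2 (task plus file) and B at 1, and no freed pid is ever touched.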