Commit 5a8da7e979 for qemu.org

commit 5a8da7e979f1f56b1cab82c2354833f309f1a78f
Author: sin99xx <sin99xx@proton.me>
Date:   Wed May 20 19:11:25 2026 +0200

    9pfs: fix missing rename lock in v9fs_co_readdir_many (CVE-2026-48004)

    v9fs_co_readdir_many() dispatches do_readdir_many() to a worker thread
    that reads V9fsFidState's path.data without holding a rename lock.

    A concurrent rename request, e.g. of its parent dir, causes the FID's
    absolute path to be altered by freeing the old path string and
    assigning a new one. This causes a heap-use-after-free race condition
    while do_readdir_many() is still accessing the old object.

    This allows a DoS by an unprivileged guest user.

    Fix this by wrapping the worker thread dispatch block within a pair of
    v9fs_path_read_lock() and v9fs_path_unlock() calls, like it's done at
    other places.

    Fixes: 2149675b195f ("9pfs: add new function v9fs_co_readdir_many()")
    Fixes: CVE-2026-48004
    Reported-by: sin99xx <sin99xx@proton.me>
    Signed-off-by: sin99xx <sin99xx@proton.me>
    [Christian Schoenebeck: add commit log message]
    Link: https://lore.kernel.org/qemu-devel/E1wPkYi-000adH-4E@kylie.crudebyte.com
    Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>

diff --git a/hw/9pfs/codir.c b/hw/9pfs/codir.c
index bce7dd96e9..5568399343 100644
--- a/hw/9pfs/codir.c
+++ b/hw/9pfs/codir.c
@@ -220,13 +220,16 @@ int coroutine_fn v9fs_co_readdir_many(V9fsPDU *pdu, V9fsFidState *fidp,
                                       bool dostat)
 {
     int err = 0;
+    V9fsState *s = pdu->s;

     if (v9fs_request_cancelled(pdu)) {
         return -EINTR;
     }
+    v9fs_path_read_lock(s);
     v9fs_co_run_in_worker({
         err = do_readdir_many(pdu, fidp, entries, offset, maxsize, dostat);
     });
+    v9fs_path_unlock(s);
     return err;
 }