lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025102841-CVE-2025-40027-8088@gregkh>
Date: Tue, 28 Oct 2025 10:32:42 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-40027: net/9p: fix double req put in p9_fd_cancelled

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net/9p: fix double req put in p9_fd_cancelled

Syzkaller reports a KASAN issue as below:

general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]
CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__list_del include/linux/list.h:114 [inline]
RIP: 0010:__list_del_entry include/linux/list.h:137 [inline]
RIP: 0010:list_del include/linux/list.h:148 [inline]
RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734

Call Trace:
 <TASK>
 p9_client_flush+0x351/0x440 net/9p/client.c:614
 p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734
 p9_client_version net/9p/client.c:920 [inline]
 p9_client_create+0xb51/0x1240 net/9p/client.c:1027
 v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408
 v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126
 legacy_get_tree+0x108/0x220 fs/fs_context.c:632
 vfs_get_tree+0x8e/0x300 fs/super.c:1573
 do_new_mount fs/namespace.c:3056 [inline]
 path_mount+0x6a6/0x1e90 fs/namespace.c:3386
 do_mount fs/namespace.c:3399 [inline]
 __do_sys_mount fs/namespace.c:3607 [inline]
 __se_sys_mount fs/namespace.c:3584 [inline]
 __x64_sys_mount+0x283/0x300 fs/namespace.c:3584
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

This happens because of a race condition between:

- The 9p client sending an invalid flush request and later cleaning it up;
- The 9p client in p9_read_work() canceled all pending requests.

      Thread 1                              Thread 2
    ...
    p9_client_create()
    ...
    p9_fd_create()
    ...
    p9_conn_create()
    ...
    // start Thread 2
    INIT_WORK(&m->rq, p9_read_work);
                                        p9_read_work()
    ...
    p9_client_rpc()
    ...
                                        ...
                                        p9_conn_cancel()
                                        ...
                                        spin_lock(&m->req_lock);
    ...
    p9_fd_cancelled()
    ...
                                        ...
                                        spin_unlock(&m->req_lock);
                                        // status rewrite
                                        p9_client_cb(m->client, req, REQ_STATUS_ERROR)
                                        // first remove
                                        list_del(&req->req_list);
                                        ...

    spin_lock(&m->req_lock)
    ...
    // second remove
    list_del(&req->req_list);
    spin_unlock(&m->req_lock)
  ...

Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in
p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem
client where the req_list could be deleted simultaneously by both
p9_read_work and p9_fd_cancelled functions, but for the case where req->status
equals REQ_STATUS_RCVD.

Update the check for req->status in p9_fd_cancelled to skip processing not
just received requests, but anything that is not SENT, as whatever
changed the state from SENT also removed the request from its list.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

[updated the check from status == RECV || status == ERROR to status != SENT]

The Linux kernel CVE team has assigned CVE-2025-40027 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 3.15 with commit afd8d65411551839b7ab14a539d00075b2793451 and fixed in 5.15.195 with commit c1db864270eb7fea94a9ef201da0c9dc1cbab7b8
	Issue introduced in 3.15 with commit afd8d65411551839b7ab14a539d00075b2793451 and fixed in 6.1.156 with commit 0e0097005abc02c9f262370674f855625f4f3fb4
	Issue introduced in 3.15 with commit afd8d65411551839b7ab14a539d00075b2793451 and fixed in 6.6.111 with commit 284e67a93b8c48952b6fc82129a8d3eb9dc73b06
	Issue introduced in 3.15 with commit afd8d65411551839b7ab14a539d00075b2793451 and fixed in 6.12.52 with commit 716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6
	Issue introduced in 3.15 with commit afd8d65411551839b7ab14a539d00075b2793451 and fixed in 6.16.12 with commit 448db01a48e1cdbbc31c995716a5dac1e52ba036
	Issue introduced in 3.15 with commit afd8d65411551839b7ab14a539d00075b2793451 and fixed in 6.17.2 with commit 94797b84cb9985022eb9cb3275c9497fbc883bb6
	Issue introduced in 3.15 with commit afd8d65411551839b7ab14a539d00075b2793451 and fixed in 6.18-rc1 with commit 674b56aa57f9379854cb6798c3bbcef7e7b51ab7

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-40027
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/9p/trans_fd.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c1db864270eb7fea94a9ef201da0c9dc1cbab7b8
	https://git.kernel.org/stable/c/0e0097005abc02c9f262370674f855625f4f3fb4
	https://git.kernel.org/stable/c/284e67a93b8c48952b6fc82129a8d3eb9dc73b06
	https://git.kernel.org/stable/c/716dceb19a9f8ff6c9d3aee5a771a93d6a47a0b6
	https://git.kernel.org/stable/c/448db01a48e1cdbbc31c995716a5dac1e52ba036
	https://git.kernel.org/stable/c/94797b84cb9985022eb9cb3275c9497fbc883bb6
	https://git.kernel.org/stable/c/674b56aa57f9379854cb6798c3bbcef7e7b51ab7

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ