{"id":72503,"date":"2025-10-28T13:45:42","date_gmt":"2025-10-28T10:15:42","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-40027-net-9p-fix-double-req-put-in-p9_fd_cancelled\/"},"modified":"2025-10-28T13:45:42","modified_gmt":"2025-10-28T10:15:42","slug":"cve-2025-40027-net-9p-fix-double-req-put-in-p9_fd_cancelled","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-40027-net-9p-fix-double-req-put-in-p9_fd_cancelled\/","title":{"rendered":"CVE-2025-40027 – net\/9p: fix double req put in p9_fd_cancelled"},"content":{"rendered":"

CVE ID : CVE-2025-40027<\/p>\n

Published : 28. Oktober 2025 10:15 | 29\u00a0Minuten ago<\/p>\n

Description : In the Linux kernel, the following vulnerability has been resolved:<\/p>\n

net\/9p: fix double req put in p9_fd_cancelled<\/p>\n

Syzkaller reports a KASAN issue as below:<\/p>\n

general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI
\nKASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]\nCPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0
\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04\/01\/2014
\nRIP: 0010:__list_del include\/linux\/list.h:114 [inline]\nRIP: 0010:__list_del_entry include\/linux\/list.h:137 [inline]\nRIP: 0010:list_del include\/linux\/list.h:148 [inline]\nRIP: 0010:p9_fd_cancelled+0xe9\/0x200 net\/9p\/trans_fd.c:734<\/p>\n

Call Trace:<\/p>\n

p9_client_flush+0x351\/0x440 net\/9p\/client.c:614
\n p9_client_rpc+0xb6b\/0xc70 net\/9p\/client.c:734
\n p9_client_version net\/9p\/client.c:920 [inline]\n p9_client_create+0xb51\/0x1240 net\/9p\/client.c:1027
\n v9fs_session_init+0x1f0\/0x18f0 fs\/9p\/v9fs.c:408
\n v9fs_mount+0xba\/0xcb0 fs\/9p\/vfs_super.c:126
\n legacy_get_tree+0x108\/0x220 fs\/fs_context.c:632
\n vfs_get_tree+0x8e\/0x300 fs\/super.c:1573
\n do_new_mount fs\/namespace.c:3056 [inline]\n path_mount+0x6a6\/0x1e90 fs\/namespace.c:3386
\n do_mount fs\/namespace.c:3399 [inline]\n __do_sys_mount fs\/namespace.c:3607 [inline]\n __se_sys_mount fs\/namespace.c:3584 [inline]\n __x64_sys_mount+0x283\/0x300 fs\/namespace.c:3584
\n do_syscall_x64 arch\/x86\/entry\/common.c:51 [inline]\n do_syscall_64+0x35\/0x80 arch\/x86\/entry\/common.c:81
\n entry_SYSCALL_64_after_hwframe+0x6e\/0xd8<\/p>\n

This happens because of a race condition between:<\/p>\n

– The 9p client sending an invalid flush request and later cleaning it up;
\n– The 9p client in p9_read_work() canceled all pending requests.<\/p>\n

Thread 1 Thread 2
\n …
\n p9_client_create()
\n …
\n p9_fd_create()
\n …
\n p9_conn_create()
\n …
\n \/\/ start Thread 2
\n INIT_WORK(&m->rq, p9_read_work);
\n p9_read_work()
\n …
\n p9_client_rpc()
\n …
\n …
\n p9_conn_cancel()
\n …
\n spin_lock(&m->req_lock);
\n …
\n p9_fd_cancelled()
\n …
\n …
\n spin_unlock(&m->req_lock);
\n \/\/ status rewrite
\n p9_client_cb(m->client, req, REQ_STATUS_ERROR)
\n \/\/ first remove
\n list_del(&req->req_list);
\n …<\/p>\n

spin_lock(&m->req_lock)
\n …
\n \/\/ second remove
\n list_del(&req->req_list);
\n spin_unlock(&m->req_lock)
\n …<\/p>\n

Commit 74d6a5d56629 (“9p\/trans_fd: Fix concurrency del of req_list in
\np9_fd_cancelled\/p9_read_work”) fixes a concurrency issue in the 9p filesystem
\nclient where the req_list could be deleted simultaneously by both
\np9_read_work and p9_fd_cancelled functions, but for the case where req->status
\nequals REQ_STATUS_RCVD.<\/p>\n

Update the check for req->status in p9_fd_cancelled to skip processing not
\njust received requests, but anything that is not SENT, as whatever
\nchanged the state from SENT also removed the request from its list.<\/p>\n

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.<\/p>\n[updated the check from status == RECV || status == ERROR to status != SENT]\n

Severity: 0.0 | NA<\/p>\n

Visit the link for more details, such as CVSS details, affected products, timeline, and more…\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"

CVE ID : CVE-2025-40027 Published : 28. Oktober 2025 10:15 | 29\u00a0Minuten ago Description : In the Linux kernel, the following vulnerability has been resolved: net\/9p: fix double req put in p9_fd_cancelled Syzkaller reports a KASAN issue as below: general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-72503","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/72503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=72503"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/72503\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=72503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=72503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=72503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}