{"id":"AZL-68921","summary":"CVE-2025-40027 affecting package kernel for versions less than 6.6.112.1-2","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix double req put in p9_fd_cancelled\n\nSyzkaller reports a KASAN issue as below:\n\ngeneral protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]\nCPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:__list_del include/linux/list.h:114 [inline]\nRIP: 0010:__list_del_entry include/linux/list.h:137 [inline]\nRIP: 0010:list_del include/linux/list.h:148 [inline]\nRIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734\n\nCall Trace:\n \u003cTASK\u003e\n p9_client_flush+0x351/0x440 net/9p/client.c:614\n p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734\n p9_client_version net/9p/client.c:920 [inline]\n p9_client_create+0xb51/0x1240 net/9p/client.c:1027\n v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408\n v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126\n legacy_get_tree+0x108/0x220 fs/fs_context.c:632\n vfs_get_tree+0x8e/0x300 fs/super.c:1573\n do_new_mount fs/namespace.c:3056 [inline]\n path_mount+0x6a6/0x1e90 fs/namespace.c:3386\n do_mount fs/namespace.c:3399 [inline]\n __do_sys_mount fs/namespace.c:3607 [inline]\n __se_sys_mount fs/namespace.c:3584 [inline]\n __x64_sys_mount+0x283/0x300 fs/namespace.c:3584\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nThis happens because of a race condition between:\n\n- The 9p client sending an invalid flush request and later cleaning it up;\n- The 9p client in p9_read_work() canceled all pending requests.\n\n Thread 1 Thread 2\n ...\n p9_client_create()\n ...\n p9_fd_create()\n ...\n p9_conn_create()\n ...\n // start Thread 2\n INIT_WORK(&m-\u003erq, p9_read_work);\n p9_read_work()\n ...\n p9_client_rpc()\n ...\n ...\n p9_conn_cancel()\n ...\n spin_lock(&m-\u003ereq_lock);\n ...\n p9_fd_cancelled()\n ...\n ...\n spin_unlock(&m-\u003ereq_lock);\n // status rewrite\n p9_client_cb(m-\u003eclient, req, REQ_STATUS_ERROR)\n // first remove\n list_del(&req-\u003ereq_list);\n ...\n\n spin_lock(&m-\u003ereq_lock)\n ...\n // second remove\n list_del(&req-\u003ereq_list);\n spin_unlock(&m-\u003ereq_lock)\n ...\n\nCommit 74d6a5d56629 (\"9p/trans_fd: Fix concurrency del of req_list in\np9_fd_cancelled/p9_read_work\") fixes a concurrency issue in the 9p filesystem\nclient where the req_list could be deleted simultaneously by both\np9_read_work and p9_fd_cancelled functions, but for the case where req-\u003estatus\nequals REQ_STATUS_RCVD.\n\nUpdate the check for req-\u003estatus in p9_fd_cancelled to skip processing not\njust received requests, but anything that is not SENT, as whatever\nchanged the state from SENT also removed the request from its list.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\n\n[updated the check from status == RECV || status == ERROR to status != SENT]","modified":"2026-04-01T05:21:30.663322Z","published":"2025-10-28T10:15:42Z","upstream":["CVE-2025-40027"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40027"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.112.1-2"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-68921.json"}}],"schema_version":"1.7.5"}