Description

In the Linux kernel, the following vulnerability has been resolved:

9p/xen: protect xen_9pfs_front_free against concurrent calls

The xenwatch thread can race with other back-end change notifications and call xen_9pfs_front_free() twice, hitting the observed general protection fault due to a double-free. Guard the teardown path so only one caller can release the front-end state at a time, preventing the crash.

This is a fix for the following double-free:

[ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
[ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)
[ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150
[ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42
[ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246
[ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000
[ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000
[ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000
[ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68
[ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040
[ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000
[ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660
[ 27.052418] Call Trace:
[ 27.052420] <TASK>
[ 27.052422] xen_9pfs_front_changed+0x5d5/0x720
[ 27.052426] ? xenbus_otherend_changed+0x72/0x140
[ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10
[ 27.052434] xenwatch_thread+0x94/0x1c0
[ 27.052438] ? __pfx_autoremove_wake_function+0x10/0x10
[ 27.052442] kthread+0xf8/0x240
[ 27.052445] ? __pfx_kthread+0x10/0x10
[ 27.052449] ? __pfx_kthread+0x10/0x10
[ 27.052452] ret_from_fork+0x16b/0x1a0
[ 27.052456] ? __pfx_kthread+0x10/0x10
[ 27.052459] ret_from_fork_asm+0x1a/0x30
[ 27.052463] </TASK>
[ 27.052465] Modules linked in:
[ 27.052471] ---[ end trace 0000000000000000 ]---

PUBLISHED Reserved 2026-05-01 | Published 2026-05-06 | Updated 2026-05-07 | Assigner Linux

Product status

Default status
unaffected

c15fe55d14b3b4ded5af2a3260877460a6ffb8ad (git) before a5d00dff97118a32fcf5fec7a4c3f864c4620c4e
affected

c15fe55d14b3b4ded5af2a3260877460a6ffb8ad (git) before 59e7707492576bdbfa8c1dbe7d90791df31e4773
affected

c15fe55d14b3b4ded5af2a3260877460a6ffb8ad (git) before bf841d43f7a33d75675ba7f4e214ac1c67913065
affected

c15fe55d14b3b4ded5af2a3260877460a6ffb8ad (git) before ce8ded2e61f47747e31eeefb44dc24a2160a7e32
affected

be03c4fe72384366fd4077a70966bd3b8fc49013 (git)
affected

1ab4de11232e83b875b071aa44d1155634ca8a1e (git)
affected

7cc9dbae8a5f73bd555130384ea256018d28f283 (git)
affected

3e0359f151ac151abe3fa71040e450ed69cb824b (git)
affected

8d3fc907d060c4fb33203e616a395a22083b6566 (git)
affected

4f0e9244770f5b75a16d8c0929063cd336926764 (git)
affected

5f6a8974e9ef317fe63f88bab1f33070195dd147 (git)
affected

Default status
affected

6.3
affected

Any version before 6.3
unaffected

6.12.75 (semver)
unaffected

6.18.16 (semver)
unaffected

6.19.6 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected
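
A triage helper for the version data above, added here as an example (it is not part of the CVE record or of the kernel project): it maps a `uname -r` string onto the affected and unaffected ranges in the product status. The function names are hypothetical, and it assumes each listed stable release is the first fixed release of its branch; it reads only the upstream version number, so vendor kernels with backported fixes need a check against the fix commits instead.

```python
import re

# Values copied from the product status above.
INTRODUCED = (6, 3)        # "6.3 affected", "Any version before 6.3 unaffected"
FIXED_MAINLINE = (7, 0)    # "7.0 (original_commit_for_fix) unaffected"
# Assumption: each listed stable release is the first fixed one in its branch.
FIXED_IN_BRANCH = {(6, 12): 75, (6, 18): 16, (6, 19): 6}


def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` style string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def status(release):
    """Classify an upstream kernel release as affected, unaffected or unknown."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch < INTRODUCED:
        return "unaffected"
    if branch == FIXED_MAINLINE and "-rc" in release:
        # A release candidate of the fixing cycle may predate the fix commit.
        return "unknown"
    if branch >= FIXED_MAINLINE:
        return "unaffected"
    fixed_patch = FIXED_IN_BRANCH.get(branch)
    if fixed_patch is not None and patch >= fixed_patch:
        return "unaffected"
    # Branches between 6.3 and 7.0 with no listed fixed release stay affected.
    return "affected"


def triage(inventory):
    """Map host name -> status for a {host: release} inventory."""
    return {host: status(rel) for host, rel in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; the first release string is the one in the oops above.
    sample = {
        "guest-a": "6.18.0-02087-g51ab33fc0a8b-dirty",
        "guest-b": "6.12.75",
        "guest-c": "6.1.140",
        "guest-d": "6.15.3",
    }
    for host, result in triage(sample).items():
        print(f"{host}: {result}")
```
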

References

git.kernel.org/...c/a5d00dff97118a32fcf5fec7a4c3f864c4620c4e

git.kernel.org/...c/59e7707492576bdbfa8c1dbe7d90791df31e4773

git.kernel.org/...c/bf841d43f7a33d75675ba7f4e214ac1c67913065

git.kernel.org/...c/ce8ded2e61f47747e31eeefb44dc24a2160a7e32

cve.org (CVE-2026-43249)

nvd.nist.gov (CVE-2026-43249)
