Linux Kernel 9P File System Double Request Deletion Vulnerability

Vulnerability

A vulnerability in the Linux kernel's 9P file system implementation can lead to a double deletion of request entries, causing a general protection fault. This issue arises from a race condition where one thread cancels pending requests while another thread attempts to process them, leading to a potential wild memory access. The vulnerability was discovered using Syzkaller, a fuzzing tool, and affects Linux kernel versions prior to 6.1.134.

Impact

Exploitation of this vulnerability causes a general protection fault, likely due to a non-canonical memory address, leading to a wild memory access. This can disrupt normal kernel operations and potentially cause a denial of service.
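Added example, not from the original advisory or the kernel source: a userspace C model of how unlinking the same list entry twice produces the non-canonical address fault described above, next to a state-guarded removal. It assumes the request sits on a kernel-style doubly linked list with x86-64 poison values; model_req, guarded_remove and the other names are hypothetical, and the guard is a general pattern, not the upstream fix.

```c
#include <stdint.h>
#include <stdio.h>

/* Poison values as defined for x86-64 in the kernel's list/poison headers;
 * both are non-canonical addresses, so dereferencing them faults. */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0xdead000000000100ULL)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0xdead000000000122ULL)

struct list_head { struct list_head *next, *prev; };
/* Hypothetical request type for this model (assumption, not kernel code). */
enum req_state { REQ_QUEUED, REQ_DONE };
struct model_req { struct list_head link; enum req_state state; };

static void list_add(struct list_head *n, struct list_head *head) {
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}

/* Returns 0 on success, -1 where a kernel without list debugging would take
 * a general protection fault: the entry still holds the poison pointers. */
static int model_list_del(struct list_head *e) {
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
        return -1;
    e->next->prev = e->prev;
    e->prev->next = e->next;
    e->next = LIST_POISON1; e->prev = LIST_POISON2;
    return 0;
}

/* Unguarded path: unlinks without checking whether another path already did. */
static int unguarded_remove(struct model_req *r) { return model_list_del(&r->link); }

/* Guarded path: only the path that finds the request still queued unlinks it.
 * In a kernel, the check and the unlink must happen under the same lock. */
static int guarded_remove(struct model_req *r) {
    if (r->state != REQ_QUEUED) return 1;   /* already handled elsewhere */
    r->state = REQ_DONE;
    return model_list_del(&r->link);
}

/* Runs the cancel path, then the request-processing path, on one request. */
static int run_two_paths(int guarded) {
    struct list_head pending = { &pending, &pending };
    struct model_req r = { .state = REQ_QUEUED };
    list_add(&r.link, &pending);
    int (*rm)(struct model_req *) = guarded ? guarded_remove : unguarded_remove;
    int first = rm(&r);
    int second = rm(&r);
    return (first == 0 && second >= 0 && pending.next == &pending) ? 0 : -1;
}
int main(void) { printf("%d %d\n", run_two_paths(0), run_two_paths(1)); return 0; }
```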

Reproduction

The vulnerability can be reproduced by mounting a 9P file system and then sending an invalid flush request while simultaneously canceling all pending requests. This can be automated with a fuzzer like Syzkaller, which has already demonstrated the issue.

Remediation

Users can upgrade to Linux kernel version 6.1.134 or later, where this vulnerability has been fixed.

Added: Oct 28, 2025, 10:20 AM
Updated: Oct 28, 2025, 10:20 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.