CVE-2025-37949

In the Linux kernel, the following vulnerability has been resolved:

xenbus: Use kref to track req lifetime

Marek reported seeing a NULL pointer fault in the xenbusthread callstack: BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: e030:wakeupcommon+0x4c/0x180 Call Trace: <TASK> _wakeupcommonlock+0x82/0xd0 processmsg+0x18e/0x2f0 xenbus_thread+0x165/0x1c0

processmsg+0x18e is req->cb(req). req->cb is set to xswakeup(), a thin wrapper around wakeup(), or xenbusdevqueuereply(). It seems like it was xswake_up() in this case.

It seems like req may have woken up the xswaitforreply(), which kfree()ed the req. When xenbusthread resumes, it faults on the zero-ed data.

Linux Device Drivers 2nd edition states: "Normally, a wakeup call can cause an immediate reschedule to happen, meaning that other processes might run before wakeup returns." ... which would match the behaviour observed.

Change to keeping two krefs on each request. One for the caller, and one for xenbusthread. Each will krefput() when finished, and the last will free it.

This use of kref matches the description in Documentation/core-api/kref.rst