xen-kernel -- use after free in FIFO event channel code

The Xen Project reports:

When the EVTCHNOP_init_control operation is called with a bad guest
frame number, it takes an error path which frees a control structure
without also clearing the corresponding pointer. Certain subsequent
operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control),
upon finding the non-NULL pointer, continue operation assuming it
points to allocated memory.
A malicious guest administrator can crash the host, leading to a
DoS. Arbitrary code execution (and therefore privilege escalation),
and information leaks, cannot be excluded.