CISA-2022-49300
Reported by Linux · Published February 26, 2025
In the Linux kernel, the following vulnerability has been resolved: nbd: fix race between nbd_alloc_config() and module removal When nbd module is being removing, nbd_alloc_config() may be called concurrently by nbd_genl_connect(), although try_module_get() will return false, but nbd_alloc_config() doesn't handle it. The race may lead to the leak of nbd_config and its related resources (e.g, recv_workq) and oops in nbd_read_stat() due to the unload of nbd module as shown below: BUG: kernel NULL pointer dereference, address: 0000000000000040 Oops: 0000 [#1] SMP PTI CPU: 5 PID: 13840 Comm: kworker/u17:33 Not tainted 5.14.0+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Workqueue: knbd16-recv recv_work [nbd] RIP: 0010:nbd_read_stat.cold+0x130/0x1a4 [nbd] Call Trace: recv_work+0x3b/0xb0 [nbd] process_one_work+0x1ed/0x390 worker_thread+0x4a/0x3d0 kthread+0x12a/0x150 ret_from_fork+0x22/0x30 Fixing it by checking the return value of try_module_get() in nbd_alloc_config(). As nbd_alloc_config() may return ERR_PTR(-ENODEV), assign nbd->config only when nbd_alloc_config() succeeds to ensure the value of nbd->config is binary (valid or NULL). Also adding a debug message to check the reference counter of nbd_config during module removal.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | 5ea8d10802ec4c153a6e21eebaf412e2abd29736, 5ea8d10802ec4c153a6e21eebaf412e2abd29736, 5ea8d10802ec4c153a6e21eebaf412e2abd29736 |
| Linux | Linux | 4.12, 0, 4.14.283 |
| Linux | Linux | 5.19, 5ea8d10802ec4c153a6e21eebaf412e2abd29736, 5ea8d10802ec4c153a6e21eebaf412e2abd29736 |
| linux | linux_kernel | 4.12, 4.12, 4.12 |
Timeline
- Feb 26, 2025 CVE Published
- Dec 23, 2025 CVE Updated