CVE-2025-68372

Summary

In the Linux kernel, the following vulnerability has been resolved:

nbd: defer config put in recv_work

There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE: nbd_genl_connect // conf_ref=2 (connect and recv_work A) nbd_open // conf_ref=3 recv_work A done // conf_ref=2 NBD_CLEAR_SOCK // conf_ref=1 nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B) close nbd // conf_ref=1 recv_work B config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF

Or only running NBD_CLEAR_SOCK: nbd_genl_connect // conf_ref=2 nbd_open // conf_ref=3 NBD_CLEAR_SOCK // conf_ref=2 close nbd nbd_release config_put // conf_ref=1 recv_work config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF

Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the waiter") moved nbd_config_put() to run before waking up the waiter in recv_work, in order to ensure that nbd_start_device_ioctl() would not be woken up while nbd->task_recv was still uncleared.

However, in nbd_start_device_ioctl(), after being woken up it explicitly calls flush_workqueue() to make sure all current works are finished. Therefore, there is no need to move the config put ahead of the wakeup.

Move nbd_config_put() to the end of recv_work, so that the reference is held for the whole lifetime of the worker thread. This makes sure the config cannot be freed while recv_work is still running, even if clear

  • reconfigure interleave.

In addition, we don't need to worry about recv_work dropping the last nbd_put (which causes deadlock):

path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=1 (trigger recv_work) open nbd // nbd_refs=2 NBD_CLEAR_SOCK close nbd nbd_release nbd_disconnect_and_put flush_workqueue // recv_work done nbd_config_put nbd_put // nbd_refs=1 nbd_put // nbd_refs=0 queue_work

path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=2 (trigger recv_work) open nbd // nbd_refs=3 NBD_CLEAR_SOCK // conf_refs=2 close nbd nbd_release nbd_config_put // conf_refs=1 nbd_put // nbd_refs=2 recv_work done // conf_refs=0, nbd_refs=1 rmmod // nbd_refs=0

Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")

Affected Software

VendorProductVersion RangeStatus
LinuxLinux87aac3a80af5cbad93e63250e8a1e19095ba0d30 < 198aa230a6f8c1f6af7ed26b29180749c3e79e4daffected
LinuxLinux87aac3a80af5cbad93e63250e8a1e19095ba0d30 < d3ba312675911ff9e3fefefd551751e153a9f0a9affected
LinuxLinux87aac3a80af5cbad93e63250e8a1e19095ba0d30 < 3692884bd6187d89d41eef81e5a9724519fd01c1affected
LinuxLinux87aac3a80af5cbad93e63250e8a1e19095ba0d30 < 1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509affected
LinuxLinux87aac3a80af5cbad93e63250e8a1e19095ba0d30 < 6b69593f72e1bfba6ca47ca8d9b619341fded7d6affected
LinuxLinux87aac3a80af5cbad93e63250e8a1e19095ba0d30 < 443a1721806b6ff6303b5229e9811d68172d622faffected
LinuxLinux87aac3a80af5cbad93e63250e8a1e19095ba0d30 < 742012f6bf29553fdc460bf646a58df3a7b43d01affected
LinuxLinux87aac3a80af5cbad93e63250e8a1e19095ba0d30 < 9517b82d8d422d426a988b213fdd45c6b417b86daffected
LinuxLinux0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8affected
LinuxLinux2ef6f4bd60411934e3fc2715442c2afe70f84bf3affected
LinuxLinux742fd49cf811ca164489e339b862e3fb8e240a73affected
LinuxLinux14df8724aeeef338172e2a2d6efadc989921ca0faffected
LinuxLinux4.14.204 < 4.15affected
LinuxLinux4.19.155 < 4.20affected
LinuxLinux5.4.75 < 5.5affected
LinuxLinux5.9.5 < 5.10affected
LinuxLinux5.10affected
LinuxLinux0 < 5.10unaffected
LinuxLinux5.10.248 <= 5.10.*unaffected
LinuxLinux5.15.198 <= 5.15.*unaffected
LinuxLinux6.1.160 <= 6.1.*unaffected
LinuxLinux6.6.120 <= 6.6.*unaffected
LinuxLinux6.12.63 <= 6.12.*unaffected
LinuxLinux6.17.13 <= 6.17.*unaffected
LinuxLinux6.18.2 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References