CVE-2022-49300

Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 26/02/2025
Last modified: 01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nbd: fix race between nbd_alloc_config() and module removal

When the nbd module is being removed, nbd_alloc_config() may be
called concurrently by nbd_genl_connect(); although try_module_get()
will return false, nbd_alloc_config() doesn't handle it.

The race may lead to the leak of nbd_config and its related
resources (e.g. recv_workq) and an oops in nbd_read_stat() due
to the unload of the nbd module, as shown below:

BUG: kernel NULL pointer dereference, address: 0000000000000040
Oops: 0000 [#1] SMP PTI
CPU: 5 PID: 13840 Comm: kworker/u17:33 Not tainted 5.14.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Workqueue: knbd16-recv recv_work [nbd]
RIP: 0010:nbd_read_stat.cold+0x130/0x1a4 [nbd]
Call Trace:
recv_work+0x3b/0xb0 [nbd]
process_one_work+0x1ed/0x390
worker_thread+0x4a/0x3d0
kthread+0x12a/0x150
ret_from_fork+0x22/0x30

Fix it by checking the return value of try_module_get()
in nbd_alloc_config(). As nbd_alloc_config() may return ERR_PTR(-ENODEV),
assign nbd->config only when nbd_alloc_config() succeeds to ensure
the value of nbd->config is binary (valid or NULL).

Also add a debug message to check the reference counter
of nbd_config during module removal.
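The race and the fix, as an added user-space model in C (this is not the kernel's nbd code): try_module_get(), ERR_PTR()/IS_ERR(), the device and config structures, the leak counter and the connect helper are constructed stand-ins for the kernel primitives named in the description. The vulnerable allocator ignores the failed module reference and leaves a config behind after removal; the fixed one returns ERR_PTR(-ENODEV), and the caller stores nbd->config only on success.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed user-space stand-ins for the kernel's ERR_PTR()/IS_ERR() helpers. */
#define ERR_PTR(err) ((void *)(long)(err))
#define IS_ERR(p)    ((unsigned long)(p) >= (unsigned long)-4095)
struct nbd_config { int refs; };
struct nbd_device { struct nbd_config *config; };
static struct nbd_device dev;  /* the device being connected (constructed) */
static bool module_unloading;  /* true once module removal has started */
static int  live_configs;      /* nbd_config objects never freed: the leak counter */

/* Models try_module_get(): refuses a reference once unload has begun. */
static bool try_module_get(void) { return !module_unloading; }

/* Vulnerable shape: try_module_get()'s result is discarded, so a config (and, in
 * the kernel, its recv_workq) is set up while the module is going away. */
static struct nbd_config *nbd_alloc_config_vuln(void)
{
    struct nbd_config *c = calloc(1, sizeof(*c));
    if (!c) return ERR_PTR(-ENOMEM);
    try_module_get();          /* return value ignored */
    live_configs++;
    return c;
}

/* Fixed shape: return ERR_PTR(-ENODEV) when no module reference can be taken. */
static struct nbd_config *nbd_alloc_config_fixed(void)
{
    if (!try_module_get()) return ERR_PTR(-ENODEV);
    struct nbd_config *c = calloc(1, sizeof(*c));
    if (!c) return ERR_PTR(-ENOMEM);
    live_configs++;
    return c;
}

/* Caller side (nbd_genl_connect()): assign nbd->config only on success, so it is valid or NULL. */
static int nbd_connect(struct nbd_device *nbd, struct nbd_config *(*alloc)(void))
{
    struct nbd_config *c = alloc();
    if (IS_ERR(c)) return (int)(long)c;
    nbd->config = c;
    return 0;
}

/* Scenario: a connect that races with module removal; returns nbd_connect()'s result. */
static int connect_during_unload(struct nbd_config *(*alloc)(void))
{
    module_unloading = true; live_configs = 0; dev.config = NULL;
    return nbd_connect(&dev, alloc);
}
```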

Vulnerable products and versions

CPE                                            From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*                       4.14.283 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   4.15 (including)    4.19.247 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   4.20 (including)    5.4.198 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.5 (including)     5.10.122 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.11 (including)    5.15.47 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16 (including)    5.17.15 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.18 (including)    5.18.4 (excluding)