CVE-2025-68366

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nbd: defer config unlock in nbd_genl_connect<br /> <br /> There is one use-after-free warning when running NBD_CMD_CONNECT and<br /> NBD_CLEAR_SOCK:<br /> <br /> nbd_genl_connect<br /> nbd_alloc_and_init_config // config_refs=1<br /> nbd_start_device // config_refs=2<br /> set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3<br /> recv_work done // config_refs=2<br /> NBD_CLEAR_SOCK // config_refs=1<br /> close nbd // config_refs=0<br /> refcount_inc -&gt; uaf<br /> <br /> ------------[ cut here ]------------<br /> refcount_t: addition on 0; use-after-free.<br /> WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290<br /> nbd_genl_connect+0x16d0/0x1ab0<br /> genl_family_rcv_msg_doit+0x1f3/0x310<br /> genl_rcv_msg+0x44a/0x790<br /> <br /> The issue can be easily reproduced by adding a small delay before<br /> refcount_inc(&amp;nbd-&gt;config_refs) in nbd_genl_connect():<br /> <br /> mutex_unlock(&amp;nbd-&gt;config_lock);<br /> if (!ret) {<br /> set_bit(NBD_RT_HAS_CONFIG_REF, &amp;config-&gt;runtime_flags);<br /> + printk("before sleep\n");<br /> + mdelay(5 * 1000);<br /> + printk("after sleep\n");<br /> refcount_inc(&amp;nbd-&gt;config_refs);<br /> nbd_connect_reply(info, nbd-&gt;index);<br /> }