CVE-2025-68372

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/12/2025
Last modified:
29/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nbd: defer config put in recv_work

There is one UAF issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE:

nbd_genl_connect // conf_ref=2 (connect and recv_work A)
nbd_open // conf_ref=3
recv_work A done // conf_ref=2
NBD_CLEAR_SOCK // conf_ref=1
nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)
close nbd // conf_ref=1
recv_work B
  config_put // conf_ref=0
  atomic_dec(&config->recv_threads); -> UAF

Or only running NBD_CLEAR_SOCK:

nbd_genl_connect // conf_ref=2
nbd_open // conf_ref=3
NBD_CLEAR_SOCK // conf_ref=2
close nbd
  nbd_release
    config_put // conf_ref=1
recv_work
  config_put // conf_ref=0
  atomic_dec(&config->recv_threads); -> UAF

Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the waiter") moved nbd_config_put() to run before waking up the waiter in recv_work, in order to ensure that nbd_start_device_ioctl() would not be woken up while nbd->task_recv was still uncleared.

However, in nbd_start_device_ioctl(), after being woken up it explicitly calls flush_workqueue() to make sure all current works are finished. Therefore, there is no need to move the config put ahead of the wakeup.

Move nbd_config_put() to the end of recv_work, so that the reference is held for the whole lifetime of the worker thread. This makes sure the config cannot be freed while recv_work is still running, even if clear + reconfigure interleave.

In addition, we don't need to worry about recv_work dropping the last nbd_put (which causes deadlock):

path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):
connect // nbd_refs=1 (trigger recv_work)
open nbd // nbd_refs=2
NBD_CLEAR_SOCK
close nbd
  nbd_release
    nbd_disconnect_and_put
      flush_workqueue // recv_work done
      nbd_config_put
      nbd_put // nbd_refs=1
    nbd_put // nbd_refs=0
      queue_work

path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):
connect // nbd_refs=2 (trigger recv_work)
open nbd // nbd_refs=3
NBD_CLEAR_SOCK // conf_refs=2
close nbd
  nbd_release
    nbd_config_put // conf_refs=1
    nbd_put // nbd_refs=2
recv_work done // conf_refs=0, nbd_refs=1
rmmod // nbd_refs=0

Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")
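As an added illustration (not kernel code, and not part of this CVE record), the following user-space C model replays the second interleaving above ("only running NBD_CLEAR_SOCK") against two orderings of the worker's final steps: the pre-fix one, where recv_work drops its config reference and then decrements recv_threads, and the fixed one, where the put is the last thing the worker does. The struct, function names and the "freed" flag are stand-ins for the kernel's nbd_config, nbd_config_put() and kfree(); the flag only records that the last reference is gone so the replay can count accesses that would have been a use-after-free without actually touching freed memory.

```c
#include <stdio.h>

/* Stand-in for nbd's struct nbd_config (assumption, not the kernel type):
 * a reference count, the recv_threads counter the worker decrements, and an
 * instrumentation flag set when the last reference is dropped, i.e. the
 * point at which nbd_config_put() would free the object. */
struct config {
    int refs;
    int recv_threads;
    int freed;
};

/* Instrumentation: how many times a worker touched the config after its
 * last reference was dropped. In the kernel each of these is a real UAF. */
static int use_after_put;

static void config_get(struct config *c)
{
    c->refs++;
}

static void config_put(struct config *c)
{
    if (--c->refs == 0)
        c->freed = 1;   /* kernel: the config is kfree()'d here */
}

/* The access recv_work performs once its receive loop is finished. */
static void dec_recv_threads(struct config *c)
{
    if (c->freed)
        use_after_put++;
    c->recv_threads--;
}

/* Pre-fix ordering: drop the reference first, touch the config afterwards.
 * If that put was the last one, the access hits freed memory. */
static void recv_work_before_fix(struct config *c)
{
    config_put(c);
    dec_recv_threads(c);
}

/* Post-fix ordering: every access happens while the worker still holds its
 * reference; the put is the final act of the worker. */
static void recv_work_after_fix(struct config *c)
{
    dec_recv_threads(c);
    config_put(c);
}

/* Replays the "only running NBD_CLEAR_SOCK" trace from the description with
 * the given worker body and returns the number of accesses made to the
 * config after its last reference was dropped (0 is the correct result). */
static int replay_clear_sock(void (*recv_work)(struct config *))
{
    struct config cfg = { 0, 0, 0 };

    use_after_put = 0;
    config_get(&cfg);          /* nbd_genl_connect: device reference        */
    config_get(&cfg);          /* ... plus the recv_work reference, =2      */
    cfg.recv_threads++;
    config_get(&cfg);          /* nbd_open, conf_ref=3                      */
    config_put(&cfg);          /* NBD_CLEAR_SOCK, conf_ref=2                */
    config_put(&cfg);          /* close nbd -> nbd_release, conf_ref=1      */
    recv_work(&cfg);           /* worker finishes last and drops the final ref */
    return use_after_put;
}

int main(void)
{
    printf("before fix: %d access(es) after the last put\n",
           replay_clear_sock(recv_work_before_fix));
    printf("after fix:  %d access(es) after the last put\n",
           replay_clear_sock(recv_work_after_fix));
    return 0;
}
```

The replay is deliberately sequential: the bug does not need a true race to show up, only the fact that the worker can be the holder of the last reference and must therefore do all of its work before calling put. The same check generalizes to any worker or callback that owns a reference: audit for object accesses placed after the put, as KASAN would flag at runtime.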

Impact