ghsa-q3h5-vmhj-94j6
Vulnerability from github
Published
2025-12-24 12:30
Modified
2025-12-24 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

nbd: defer config put in recv_work

There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE: nbd_genl_connect // conf_ref=2 (connect and recv_work A) nbd_open // conf_ref=3 recv_work A done // conf_ref=2 NBD_CLEAR_SOCK // conf_ref=1 nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B) close nbd // conf_ref=1 recv_work B config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF

Or only running NBD_CLEAR_SOCK: nbd_genl_connect // conf_ref=2 nbd_open // conf_ref=3 NBD_CLEAR_SOCK // conf_ref=2 close nbd nbd_release config_put // conf_ref=1 recv_work config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF

Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the waiter") moved nbd_config_put() to run before waking up the waiter in recv_work, in order to ensure that nbd_start_device_ioctl() would not be woken up while nbd->task_recv was still uncleared.

However, in nbd_start_device_ioctl(), after being woken up it explicitly calls flush_workqueue() to make sure all current works are finished. Therefore, there is no need to move the config put ahead of the wakeup.

Move nbd_config_put() to the end of recv_work, so that the reference is held for the whole lifetime of the worker thread. This makes sure the config cannot be freed while recv_work is still running, even if clear + reconfigure interleave.

In addition, we don't need to worry about recv_work dropping the last nbd_put (which causes deadlock):

path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=1 (trigger recv_work) open nbd // nbd_refs=2 NBD_CLEAR_SOCK close nbd nbd_release nbd_disconnect_and_put flush_workqueue // recv_work done nbd_config_put nbd_put // nbd_refs=1 nbd_put // nbd_refs=0 queue_work

path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=2 (trigger recv_work) open nbd // nbd_refs=3 NBD_CLEAR_SOCK // conf_refs=2 close nbd nbd_release nbd_config_put // conf_refs=1 nbd_put // nbd_refs=2 recv_work done // conf_refs=0, nbd_refs=1 rmmod // nbd_refs=0

Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-68372"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T11:16:00Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: defer config put in recv_work\n\nThere is one uaf issue in recv_work when running NBD_CLEAR_SOCK and\nNBD_CMD_RECONFIGURE:\n  nbd_genl_connect     // conf_ref=2 (connect and recv_work A)\n  nbd_open\t       // conf_ref=3\n  recv_work A done     // conf_ref=2\n  NBD_CLEAR_SOCK       // conf_ref=1\n  nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)\n  close nbd\t       // conf_ref=1\n  recv_work B\n    config_put         // conf_ref=0\n    atomic_dec(\u0026config-\u003erecv_threads); -\u003e UAF\n\nOr only running NBD_CLEAR_SOCK:\n  nbd_genl_connect   // conf_ref=2\n  nbd_open \t     // conf_ref=3\n  NBD_CLEAR_SOCK     // conf_ref=2\n  close nbd\n    nbd_release\n      config_put     // conf_ref=1\n  recv_work\n    config_put \t     // conf_ref=0\n    atomic_dec(\u0026config-\u003erecv_threads); -\u003e UAF\n\nCommit 87aac3a80af5 (\"nbd: call nbd_config_put() before notifying the\nwaiter\") moved nbd_config_put() to run before waking up the waiter in\nrecv_work, in order to ensure that nbd_start_device_ioctl() would not\nbe woken up while nbd-\u003etask_recv was still uncleared.\n\nHowever, in nbd_start_device_ioctl(), after being woken up it explicitly\ncalls flush_workqueue() to make sure all current works are finished.\nTherefore, there is no need to move the config put ahead of the wakeup.\n\nMove nbd_config_put() to the end of recv_work, so that the reference is\nheld for the whole lifetime of the worker thread. This makes sure the\nconfig cannot be freed while recv_work is still running, even if clear\n+ reconfigure interleave.\n\nIn addition, we don\u0027t need to worry about recv_work dropping the last\nnbd_put (which causes deadlock):\n\npath A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):\n  connect  // nbd_refs=1 (trigger recv_work)\n  open nbd // nbd_refs=2\n  NBD_CLEAR_SOCK\n  close nbd\n    nbd_release\n      nbd_disconnect_and_put\n        flush_workqueue // recv_work done\n      nbd_config_put\n        nbd_put // nbd_refs=1\n      nbd_put // nbd_refs=0\n        queue_work\n\npath B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):\n  connect  // nbd_refs=2 (trigger recv_work)\n  open nbd // nbd_refs=3\n  NBD_CLEAR_SOCK // conf_refs=2\n  close nbd\n    nbd_release\n      nbd_config_put // conf_refs=1\n      nbd_put // nbd_refs=2\n  recv_work done // conf_refs=0, nbd_refs=1\n  rmmod // nbd_refs=0\n\nDepends-on: e2daec488c57 (\"nbd: Fix hungtask when nbd_config_put\")",
  "id": "GHSA-q3h5-vmhj-94j6",
  "modified": "2025-12-24T12:30:30Z",
  "published": "2025-12-24T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68372"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/443a1721806b6ff6303b5229e9811d68172d622f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6b69593f72e1bfba6ca47ca8d9b619341fded7d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/742012f6bf29553fdc460bf646a58df3a7b43d01"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9517b82d8d422d426a988b213fdd45c6b417b86d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.