CVE-2025-68372

There is one uaf issue in recvwork when running NBDCLEARSOCK and NBDCMDRECONFIGURE: nbdgenlconnect // confref=2 (connect and recvwork A) nbdopen // confref=3 recvwork A done // confref=2 NBDCLEARSOCK // confref=1 nbdgenlreconfigure // confref=2 (trigger recvwork B) close nbd // confref=1 recvwork B configput // confref=0 atomicdec(&config->recvthreads); -> UAF

Or only running NBDCLEARSOCK: nbdgenlconnect // confref=2 nbdopen // confref=3 NBDCLEARSOCK // confref=2 close nbd nbdrelease configput // confref=1 recvwork configput // confref=0 atomicdec(&config->recvthreads); -> UAF

Commit 87aac3a80af5 ("nbd: call nbdconfigput() before notifying the waiter") moved nbdconfigput() to run before waking up the waiter in recvwork, in order to ensure that nbdstartdeviceioctl() would not be woken up while nbd->task_recv was still uncleared.

However, in nbdstartdeviceioctl(), after being woken up it explicitly calls flushworkqueue() to make sure all current works are finished. Therefore, there is no need to move the config put ahead of the wakeup.

Move nbdconfigput() to the end of recvwork, so that the reference is held for the whole lifetime of the worker thread. This makes sure the config cannot be freed while recvwork is still running, even if clear + reconfigure interleave.

In addition, we don't need to worry about recvwork dropping the last nbdput (which causes deadlock):

path A (netlink with NBDCFLAGDESTROYONDISCONNECT): connect // nbdrefs=1 (trigger recvwork) open nbd // nbdrefs=2 NBDCLEARSOCK close nbd nbdrelease nbddisconnectandput flushworkqueue // recvwork done nbdconfigput nbdput // nbdrefs=1 nbdput // nbdrefs=0 queuework

path B (netlink without NBDCFLAGDESTROYONDISCONNECT): connect // nbdrefs=2 (trigger recvwork) open nbd // nbdrefs=3 NBDCLEARSOCK // confrefs=2 close nbd nbdrelease nbdconfigput // confrefs=1 nbdput // nbdrefs=2 recvwork done // confrefs=0, nbdrefs=1 rmmod // nbdrefs=0

Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbdconfigput")

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68372.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

87aac3a80af5cbad93e63250e8a1e19095ba0d30

Fixed

198aa230a6f8c1f6af7ed26b29180749c3e79e4d

Fixed

d3ba312675911ff9e3fefefd551751e153a9f0a9

Fixed

3692884bd6187d89d41eef81e5a9724519fd01c1

Fixed

1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509

Fixed

6b69593f72e1bfba6ca47ca8d9b619341fded7d6

Fixed

443a1721806b6ff6303b5229e9811d68172d622f

Fixed

742012f6bf29553fdc460bf646a58df3a7b43d01

Fixed

9517b82d8d422d426a988b213fdd45c6b417b86d

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8

Last affected

2ef6f4bd60411934e3fc2715442c2afe70f84bf3

Last affected

742fd49cf811ca164489e339b862e3fb8e240a73

Last affected

14df8724aeeef338172e2a2d6efadc989921ca0f

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68372.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.10.0

Fixed

5.10.248

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.198

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.160

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.120

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.63

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.17.13

Type: ECOSYSTEM
Events: Introduced

6.18.0

Fixed

6.18.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68372.json"