{"id":"CVE-2022-49300","summary":"nbd: fix race between nbd_alloc_config() and module removal","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix race between nbd_alloc_config() and module removal\n\nWhen nbd module is being removing, nbd_alloc_config() may be\ncalled concurrently by nbd_genl_connect(), although try_module_get()\nwill return false, but nbd_alloc_config() doesn't handle it.\n\nThe race may lead to the leak of nbd_config and its related\nresources (e.g, recv_workq) and oops in nbd_read_stat() due\nto the unload of nbd module as shown below:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000040\n  Oops: 0000 [#1] SMP PTI\n  CPU: 5 PID: 13840 Comm: kworker/u17:33 Not tainted 5.14.0+ #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n  Workqueue: knbd16-recv recv_work [nbd]\n  RIP: 0010:nbd_read_stat.cold+0x130/0x1a4 [nbd]\n  Call Trace:\n   recv_work+0x3b/0xb0 [nbd]\n   process_one_work+0x1ed/0x390\n   worker_thread+0x4a/0x3d0\n   kthread+0x12a/0x150\n   ret_from_fork+0x22/0x30\n\nFixing it by checking the return value of try_module_get()\nin nbd_alloc_config(). As nbd_alloc_config() may return ERR_PTR(-ENODEV),\nassign nbd-\u003econfig only when nbd_alloc_config() succeeds to ensure\nthe value of nbd-\u003econfig is binary (valid or NULL).\n\nAlso adding a debug message to check the reference counter\nof nbd_config during module removal.","modified":"2026-03-20T12:22:20.003966Z","published":"2025-02-26T02:10:35.594Z","related":["SUSE-SU-2025:1027-1","SUSE-SU-2025:1176-1","SUSE-SU-2025:1183-1","SUSE-SU-2025:1194-1","SUSE-SU-2025:1241-1","SUSE-SU-2025:1263-1","SUSE-SU-2025:1293-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49300.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/122e4adaff2439f1cc18cc7e931980fa7560df5c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/165cf2e0019fa6cedc75b456490c41494c34abb4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2573f2375b64280be977431701ed5d33b75b9ad0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2888fa41985f93ed0a6837cfbb06bcbfd7fa2314"},{"type":"WEB","url":"https://git.kernel.org/stable/c/71c142f910da44421213ade601bcbd23ceae19fa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8a7da4ced236ce6637fe70f14ca18e718d4bf9e9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c55b2b983b0fa012942c3eb16384b2b722caa810"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d09525720dd5201756f698bee1076de9aefd4602"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49300.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49300"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5ea8d10802ec4c153a6e21eebaf412e2abd29736"},{"fixed":"165cf2e0019fa6cedc75b456490c41494c34abb4"},{"fixed":"2573f2375b64280be977431701ed5d33b75b9ad0"},{"fixed":"8a7da4ced236ce6637fe70f14ca18e718d4bf9e9"},{"fixed":"122e4adaff2439f1cc18cc7e931980fa7560df5c"},{"fixed":"71c142f910da44421213ade601bcbd23ceae19fa"},{"fixed":"2888fa41985f93ed0a6837cfbb06bcbfd7fa2314"},{"fixed":"d09525720dd5201756f698bee1076de9aefd4602"},{"fixed":"c55b2b983b0fa012942c3eb16384b2b722caa810"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49300.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}