Message-ID: <2025022625-CVE-2022-49297-2edb@gregkh>
Date: Wed, 26 Feb 2025 03:00:29 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49297: nbd: fix io hung while disconnecting device

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

nbd: fix io hung while disconnecting device

In our tests, "qemu-nbd" triggers an I/O hang:

INFO: task qemu-nbd:11445 blocked for more than 368 seconds.
      Not tainted 5.18.0-rc3-next-20220422-00003-g2176915513ca #884
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:qemu-nbd        state:D stack:    0 pid:11445 ppid:     1 flags:0x00000000
Call Trace:
 <TASK>
 __schedule+0x480/0x1050
 ? _raw_spin_lock_irqsave+0x3e/0xb0
 schedule+0x9c/0x1b0
 blk_mq_freeze_queue_wait+0x9d/0xf0
 ? ipi_rseq+0x70/0x70
 blk_mq_freeze_queue+0x2b/0x40
 nbd_add_socket+0x6b/0x270 [nbd]
 nbd_ioctl+0x383/0x510 [nbd]
 blkdev_ioctl+0x18e/0x3e0
 __x64_sys_ioctl+0xac/0x120
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fd8ff706577
RSP: 002b:00007fd8fcdfebf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000040000000 RCX: 00007fd8ff706577
RDX: 000000000000000d RSI: 000000000000ab00 RDI: 000000000000000f
RBP: 000000000000000f R08: 000000000000fbe8 R09: 000055fe497c62b0
R10: 00000002aff20000 R11: 0000000000000246 R12: 000000000000006d
R13: 0000000000000000 R14: 00007ffe82dc5e70 R15: 00007fd8fcdff9c0

"qemu-nbd -d" will call ioctl 'NBD_DISCONNECT' first; however, the following
message was found:

block nbd0: Send disconnect failed -32

This indicates that something is wrong with the server. Then,
"qemu-nbd -d" will call ioctl 'NBD_CLEAR_SOCK'; however, the ioctl can't clear
requests after commit 2516ab1543fd ("nbd: only clear the queue on device
teardown"). In the meantime, the requests can't complete through the timeout
because nbd_xmit_timeout() will always return 'BLK_EH_RESET_TIMER', which
means such requests will never be completed in this situation.

Now that the flag 'NBD_CMD_INFLIGHT' can make sure requests won't
complete multiple times, switch back to call nbd_clear_sock() in
nbd_clear_sock_ioctl(), so that inflight requests can be cleared.

The Linux kernel CVE team has assigned CVE-2022-49297 to this issue.


Affected and fixed versions
===========================

	Fixed in 4.14.283 with commit 67e403136a0e1a55fef6a05f103a3979a39ad3fd
	Fixed in 4.19.247 with commit 62d227f67a8c25d5e16f40e5290607f9306d2188
	Fixed in 5.4.198 with commit 69893d6d7f5c10d8306c1b5fc64b71efc91aa6cd
	Fixed in 5.10.122 with commit f72df77600a43e59b3189e53b47f8685739867d3
	Fixed in 5.15.47 with commit c4ba982bd5084fa659ef518aaf159e4dab02ecda
	Fixed in 5.17.15 with commit 54b06dc2a206b4d67349bb56b92d4bd32700b7b1
	Fixed in 5.18.4 with commit 141318e62db87105b0103fccc59c9c5940da248d
	Fixed in 5.19 with commit 09dadb5985023e27d4740ebd17e6fea4640110e5

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49297
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/block/nbd.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/67e403136a0e1a55fef6a05f103a3979a39ad3fd
	https://git.kernel.org/stable/c/62d227f67a8c25d5e16f40e5290607f9306d2188
	https://git.kernel.org/stable/c/69893d6d7f5c10d8306c1b5fc64b71efc91aa6cd
	https://git.kernel.org/stable/c/f72df77600a43e59b3189e53b47f8685739867d3
	https://git.kernel.org/stable/c/c4ba982bd5084fa659ef518aaf159e4dab02ecda
	https://git.kernel.org/stable/c/54b06dc2a206b4d67349bb56b92d4bd32700b7b1
	https://git.kernel.org/stable/c/141318e62db87105b0103fccc59c9c5940da248d
	https://git.kernel.org/stable/c/09dadb5985023e27d4740ebd17e6fea4640110e5
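A small triage helper, added here as an example and not part of the advisory or of the kernel project's tooling: it compares a `uname -r` string against the fix table above and reports whether the running kernel's stable series already carries the fix, and it checks `/proc/modules` for the nbd driver, since the affected file is drivers/block/nbd.c and a host that never loads nbd is not exposed to this hang. The version table is copied from the "Affected and fixed versions" section; the release strings in the comments and test are constructed samples. Note the caveat the advisory itself gives: distributions backport fixes without bumping the upstream version number, so a version comparison is only a first pass and the CVE record or your vendor's changelog is authoritative.

```python
import re
import platform

# First fixed release per stable series, as listed in the advisory.
FIXED_IN = {
    (4, 14): (4, 14, 283),
    (4, 19): (4, 19, 247),
    (5, 4): (5, 4, 198),
    (5, 10): (5, 10, 122),
    (5, 15): (5, 15, 47),
    (5, 17): (5, 17, 15),
    (5, 18): (5, 18, 4),
}
# Fixed in mainline 5.19; every later series inherits the fix.
MAINLINE_FIX = (5, 19, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_release(release):
    """Extract (major, minor, patch) from a `uname -r` string.

    Distro suffixes such as '-1-amd64' or '-generic' are ignored; a missing
    patch level (e.g. '5.19') is treated as 0.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def cve_2022_49297_status(release):
    """Classify a kernel release against the advisory's fix table.

    Returns 'fixed', 'affected' or 'unlisted'. 'unlisted' covers release
    candidates (the table only speaks to released versions) and series the
    advisory does not name (for example an end-of-life series such as 5.16),
    which should be treated as affected unless a vendor backport is known.
    """
    version = parse_kernel_release(release)
    if "-rc" in release:
        return "unlisted"
    if version >= MAINLINE_FIX:
        return "fixed"
    series = version[:2]
    if series in FIXED_IN:
        return "fixed" if version >= FIXED_IN[series] else "affected"
    return "unlisted"


def nbd_module_loaded(proc_modules_text):
    """Return True if the nbd driver appears in /proc/modules content.

    A built-in nbd (CONFIG_BLK_DEV_NBD=y) does not show up here, so a False
    result only means the loadable module is absent.
    """
    return any(line.split(" ", 1)[0] == "nbd"
               for line in proc_modules_text.splitlines())


if __name__ == "__main__":
    # platform.release() returns the same string as `uname -r` on Linux.
    release = platform.release()
    print(f"kernel {release}: {cve_2022_49297_status(release)}")
    try:
        with open("/proc/modules") as fh:
            loaded = nbd_module_loaded(fh.read())
        print("nbd module loaded:", loaded)
    except OSError:
        print("nbd module loaded: unknown (/proc/modules not readable)")
```

The "unlisted" result is deliberately not collapsed into "affected": an unlisted series is either out of support upstream (and should be treated as affected) or a vendor kernel whose changelog must be consulted, and the script cannot tell those apart from the version string alone.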
