PT-2025-8234 · Linux+2 · Linux Kernel+2
Hou Tao +1 · Published 2022-05-27 · Updated 2025-04-16 · CVE-2022-49300
CVSS v3.1: 4.7 Medium
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 5.14.0+

Description
A race condition exists between the nbd_alloc_config() function and the removal of the nbd module. When the nbd module is being removed, nbd_alloc_config() may be called concurrently by nbd_genl_connect(), leading to a potential leak of nbd_config and its related resources, such as recv_workq. This can cause a kernel NULL pointer dereference and an oops in nbd_read_stat() due to the unload of the nbd module.

Recommendations
For Linux kernel versions prior to 5.14.0+, update to a newer version that includes the fix for the race condition between nbd_alloc_config() and module removal. As a temporary workaround, consider disabling the nbd module until a patch is available. Restrict access to the nbd module to minimize the risk of exploitation. Avoid using the nbd_genl_connect() function in conjunction with the nbd_alloc_config() function until the issue is resolved.

Exploit
Fix
NULL Pointer Dereference
Race Condition
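
As an added example (not part of the advisory or of any vendor tooling), the shell functions below triage a host against the Recommendations above: they compare the kernel release with the 5.14.0 boundary stated on this page, check whether nbd is loaded, and check whether loading it has been blocked. The function names, the status words and the use of an `install nbd /bin/false` override as the "disabled" marker are choices of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): triage a host for the nbd race above.
# FIXED_FROM is the version boundary stated on this page. Distribution kernels
# may carry backports, so a version below it means "check the vendor advisory".
FIXED_FROM="5.14.0"

# ver_key "5.10.0-19-amd64" -> 5010000 (major*1000000 + minor*1000 + patch)
ver_key() {
    v=${1%%[-+]*}               # drop the "-19-amd64" / "+" suffix
    old_ifs=$IFS; IFS=.
    set -- $v                   # split on dots into $1 $2 $3
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# nbd_loaded [modules-file]: true if the nbd module is currently loaded
nbd_loaded() {
    grep -qs '^nbd ' "${1:-/proc/modules}"
}

# nbd_blocked [modprobe.d-dir]: true if loading nbd is overridden to a no-op.
# A plain "blacklist nbd" line is not counted: it stops alias-based autoloading
# but an explicit "modprobe nbd" still succeeds.
nbd_blocked() {
    grep -Eqsr '^[[:space:]]*install[[:space:]]+nbd[[:space:]]+(/usr)?/bin/(false|true)' \
        "${1:-/etc/modprobe.d}"
}

# assess <kernel-release> [modules-file] [modprobe.d-dir] -> one status word
assess() {
    if [ "$(ver_key "$1")" -ge "$(ver_key "$FIXED_FROM")" ]; then
        echo "version-ok"       # at or above the boundary given on this page
    elif nbd_loaded "$2"; then
        echo "exposed"          # older kernel with nbd loaded
    elif nbd_blocked "$3"; then
        echo "mitigated"        # older kernel, nbd cannot be loaded
    else
        echo "loadable"         # older kernel, nbd absent but still loadable
    fi
}

# Live check on the current host
assess "$(uname -r)" /proc/modules /etc/modprobe.d
```
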
Affected Products
Astra Linux
Linux Kernel
Suse