2395364 – (CVE-2022-50314) CVE-2022-50314 kernel: nbd: Fix hung when signal interrupts nbd_start_device_ioctl()

Bug 2395364 (CVE-2022-50314) - CVE-2022-50314 kernel: nbd: Fix hung when signal interrupts nbd_start_device_ioctl()

Summary: CVE-2022-50314 kernel: nbd: Fix hung when signal interrupts nbd_start_device_...

Keywords:
Status:	NEW
Alias:	CVE-2022-50314
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-15 15:09 UTC by OSIDB Bzimport
Modified:	2025-09-18 23:31 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-15 15:09:49 UTC

In the Linux kernel, the following vulnerability has been resolved:

nbd: Fix hung when signal interrupts nbd_start_device_ioctl()

syzbot reported hung task [1].  The following program is a simplified
version of the reproducer:

int main(void)
{
	int sv[2], fd;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return 1;
	if ((fd = open("/dev/nbd0", 0)) < 0)
		return 1;
	if (ioctl(fd, NBD_SET_SIZE_BLOCKS, 0x81) < 0)
		return 1;
	if (ioctl(fd, NBD_SET_SOCK, sv[0]) < 0)
		return 1;
	if (ioctl(fd, NBD_DO_IT) < 0)
		return 1;
	return 0;
}

When signal interrupt nbd_start_device_ioctl() waiting the condition
atomic_read(&config->recv_threads) == 0, the task can hung because it
waits the completion of the inflight IOs.

This patch fixes the issue by clearing queue, not just shutdown, when
signal interrupt nbd_start_device_ioctl().

Comment 1 Jon Moroney 2025-09-15 19:48:40 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091500-CVE-2022-50314-9a10@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.