CVE-2022-49297 Information

Mar 01, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

nbd: fix io hung while disconnecting device

In our tests \qemu-nbd\ triggers a io hung:

INFO: task qemu-nbd:11445 blocked for more than 368 seconds. Not tainted 5.18.0-rc3-next-20220422-00003-g2176915513ca 884 cho 0 > /proc/sys/kernel/hung_task_timeout_secs\ disables this message. task:qemu-nbd state:D stack: 0 pid:11445 ppid: 1 flags:0x00000000 Call Trace: __schedule+0x480/0x1050 ? _raw_spin_lock_irqsave+0x3e/0xb0 schedule+0x9c/0x1b0 blk_mq_freeze_queue_wait+0x9d/0xf0 ? ipi_rseq+0x70/0x70 blk_mq_freeze_queue+0x2b/0x40 nbd_add_socket+0x6b/0x270 [nbd] nbd_ioctl+0x383/0x510 [nbd] blkdev_ioctl+0x18e/0x3e0 __x64_sys_ioctl+0xac/0x120 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fd8ff706577 RSP: 002b:00007fd8fcdfebf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000040000000 RCX: 00007fd8ff706577 RDX: 000000000000000d RSI: 000000000000ab00 RDI: 000000000000000f RBP: 000000000000000f R08: 000000000000fbe8 R09: 000055fe497c62b0 R10: 00000002aff20000 R11: 0000000000000246 R12: 000000000000006d R13: 0000000000000000 R14: 00007ffe82dc5e70 R15: 00007fd8fcdff9c0

\qemu-ndb -d\ will call ioctl ‘NBD_DISCONNECT’ first however following message was found:

block nbd0: Send disconnect failed -32

Which indicate that something is wrong with the server. Then \qemu-nbd -d\ will call ioctl ‘NBD_CLEAR_SOCK’ however ioctl can’t clear requests after commit 2516ab1543fd( bd: only clear the queue on device teardown). And in the meantime request can’t complete through timeout because nbd_xmit_timeout() will always return ‘BLK_EH_RESET_TIMER’ which means such request will never be completed in this situation.

Now that the flag ‘NBD_CMD_INFLIGHT’ can make sure requests won’t complete multiple times switch back to call nbd_clear_sock() in nbd_clear_sock_ioctl() so that inflight requests can be cleared.

Reference

Share on: