Amazon Linux AMI: CVE-2025-21731: Security patch for kernel (ALAS-2025-1970)

In the Linux kernel, the following vulnerability has been resolved:

nbd: don't allow reconnect after disconnect

Following process can cause nbd_config UAF:

1) grab nbd_config temporarily;

2) nbd_genl_disconnect() flush all recv_work() and release the

initial reference:

nbd_genl_disconnect

nbd_disconnect_and_put

nbd_disconnect

flush_workqueue(nbd->recv_workq)

if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))

nbd_config_put

-> due to step 1), reference is still not zero

3) nbd_genl_reconfigure() queue recv_work() again;

nbd_genl_reconfigure

config = nbd_get_config_unlocked(nbd)

if (!config)

-> succeed

if (!test_bit(NBD_RT_BOUND, ...))

-> succeed

nbd_reconnect_socket

queue_work(nbd->recv_workq, &args->work)

4) step 1) release the reference;

5) Finially, recv_work() will trigger UAF:

recv_work

nbd_config_put(nbd)

-> nbd_config is freed

atomic_dec(&config->recv_threads)

-> UAF

Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so

that nbd_genl_reconfigure() will fail.