
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-49297 is a vulnerability in the Linux kernel's Network Block Device (NBD) driver that causes an I/O hang when an NBD device is disconnected. The bug is in the kernel's NBD implementation (drivers/block/nbd.c) and the CVE was published in February 2025 (NVD).
The hang was reproduced with 'qemu-nbd': tasks doing I/O on the device block for an extended period (the reported hung-task warning shows a task blocked for more than 368 seconds). The problem occurs during device disconnection, when the NBD_DISCONNECT ioctl is issued and the disconnect request fails with 'Send disconnect failed -32' (-32 is EPIPE, the socket is already gone). Since commit 2516ab1543fd ("nbd: only clear the queue on device teardown"), the disconnect path no longer clears the request queue, so requests that were in flight on the dead socket are left outstanding. They cannot finish through the block-layer timeout either, because nbd_xmit_timeout() always returns BLK_EH_RESET_TIMER, which just re-arms the timer instead of failing the request. The result is requests that are stuck permanently (Kernel Commit).
When triggered, this bug leaves the affected tasks blocked indefinitely in uninterruptible I/O wait, so the NBD device and anything waiting on it become unresponsive: an availability (denial-of-service) issue rather than a memory-safety or privilege problem. It affects systems that use NBD devices, particularly environments where qemu-nbd is used to expose disk images as block devices (NVD).
The issue is fixed by changing nbd_clear_sock_ioctl() to call nbd_clear_sock() instead of sock_shutdown(). nbd_clear_sock() tears down the socket and also completes every in-flight request with an error, so nothing is left waiting on a connection that no longer exists. The NBD_CMD_INFLIGHT flag on each command is cleared atomically (test-and-clear) by whichever path completes the request first, which guarantees that a request failed during socket clearing cannot be completed a second time by a late reply or by the timeout handler (Kernel Commit).
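The following user-space model is an added example, not code from the kernel or from the commit discussed above. It mirrors the two behaviours of the disconnect path as the text describes them (socket shutdown only, versus clearing in-flight requests) and the at-most-once completion that an in-flight bit provides. All names (struct cmd, CMD_INFLIGHT, clear_sock(), xmit_timeout(), and so on) are assumptions chosen to resemble the kernel's, and the three pending requests are constructed sample state.

```c
/* Added example: user-space model of NBD request clearing on disconnect.
 * Not kernel code; names are assumptions that mirror the kernel's. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define NCMDS 3                 /* constructed sample: three requests in flight */
#define CMD_INFLIGHT 1u         /* models the NBD_CMD_INFLIGHT bit in cmd->flags */

enum cmd_status { CMD_PENDING, CMD_DONE, CMD_IOERR };
enum timeout_action { EH_RESET_TIMER, EH_DONE };   /* models BLK_EH_* results */

struct cmd {
    atomic_uint flags;
    enum cmd_status status;
    unsigned completions;       /* how many times this request was completed */
};

struct nbd_model {
    bool sock_up;
    struct cmd cmds[NCMDS];
};

/* Issue NCMDS requests on a live socket; all are in flight. */
static void model_init(struct nbd_model *m) {
    m->sock_up = true;
    for (int i = 0; i < NCMDS; i++) {
        atomic_init(&m->cmds[i].flags, CMD_INFLIGHT);
        m->cmds[i].status = CMD_PENDING;
        m->cmds[i].completions = 0;
    }
}

/* Test-and-clear of the in-flight bit: only the caller that observed the bit
 * set owns the completion. This is what prevents double completion. */
static bool cmd_claim(struct cmd *c) {
    unsigned old = atomic_fetch_and(&c->flags, ~CMD_INFLIGHT);
    return (old & CMD_INFLIGHT) != 0;
}

/* Completion driven by a reply on the socket; false if already completed. */
static bool complete_from_reply(struct cmd *c) {
    if (!cmd_claim(c))
        return false;
    c->status = CMD_DONE;
    c->completions++;
    return true;
}

/* Pre-fix disconnect: socket goes away, requests are left untouched. */
static unsigned sock_shutdown_only(struct nbd_model *m) {
    m->sock_up = false;
    return 0;                   /* nothing completed */
}

/* Post-fix disconnect: socket goes away and every in-flight request fails. */
static unsigned clear_sock(struct nbd_model *m) {
    unsigned cleared = 0;
    m->sock_up = false;
    for (int i = 0; i < NCMDS; i++) {
        if (cmd_claim(&m->cmds[i])) {
            m->cmds[i].status = CMD_IOERR;
            m->cmds[i].completions++;
            cleared++;
        }
    }
    return cleared;
}

/* Timeout handler as the page describes it: never fails the request. */
static enum timeout_action xmit_timeout(struct cmd *c) {
    (void)c;
    return EH_RESET_TIMER;
}

static unsigned count_pending(const struct nbd_model *m) {
    unsigned n = 0;
    for (int i = 0; i < NCMDS; i++)
        if (m->cmds[i].status == CMD_PENDING) n++;
    return n;
}

/* Old path: disconnect, then let the timeout fire `rounds` times. */
static unsigned pending_after_old_disconnect(unsigned rounds) {
    struct nbd_model m;
    model_init(&m);
    sock_shutdown_only(&m);
    for (unsigned r = 0; r < rounds; r++)
        for (int i = 0; i < NCMDS; i++)
            if (xmit_timeout(&m.cmds[i]) == EH_DONE)
                complete_from_reply(&m.cmds[i]);   /* never taken */
    return count_pending(&m);           /* still NCMDS: the hang */
}

/* Fixed path: disconnect clears everything, nothing stays pending. */
static unsigned pending_after_fixed_disconnect(void) {
    struct nbd_model m;
    model_init(&m);
    clear_sock(&m);
    return count_pending(&m);
}

/* Fixed path, then a stale reply races in for request 0: the in-flight bit
 * is already clear, so the reply must not complete the request again. */
static bool late_reply_double_completes(void) {
    struct nbd_model m;
    model_init(&m);
    clear_sock(&m);
    return complete_from_reply(&m.cmds[0]) || m.cmds[0].completions != 1;
}

int main(void) {
    printf("old path: %u pending after disconnect\n", pending_after_old_disconnect(10));
    printf("fixed path: %u pending, late reply double-completed: %s\n",
           pending_after_fixed_disconnect(),
           late_reply_double_completes() ? "yes" : "no");
    return 0;
}
```

The point of the model is the pairing of the two guarantees the fix relies on: the clearing path must visit every outstanding request (otherwise the old behaviour, where nothing but a timeout that never fails the request can finish them, returns), and completion must be owned by exactly one path through the atomic test-and-clear, so that a reply arriving after the clear is harmless.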
Source: This report was generated using AI